openSUSE Security Announce
November 2020
[opensuse-security-announce] openSUSE-SU-2020:2126-1: moderate: Security update for libssh2_org
by opensuse-security@opensuse.org 30 Nov '20
openSUSE Security Update: Security update for libssh2_org
______________________________________________________________________________
Announcement ID: openSUSE-SU-2020:2126-1
Rating: moderate
References: #1130103 #1178083
Cross-References: CVE-2019-17498 CVE-2019-3855 CVE-2019-3856
CVE-2019-3857 CVE-2019-3858 CVE-2019-3859
CVE-2019-3860 CVE-2019-3861 CVE-2019-3862
CVE-2019-3863
Affected Products:
openSUSE Leap 15.1
______________________________________________________________________________
An update that fixes 10 vulnerabilities is now available.
Description:
This update for libssh2_org fixes the following issues:
- Version update to 1.9.0: [bsc#1178083, jsc#SLE-16922] Enhancements and
bugfixes:
* adds ECDSA keys and host key support when using OpenSSL
* adds ED25519 key and host key support when using OpenSSL 1.1.1
* adds OpenSSH style key file reading
* adds AES CTR mode support when using WinCNG
* adds PEM passphrase protected file support for Libgcrypt and WinCNG
* adds SHA256 hostkey fingerprint
* adds libssh2_agent_get_identity_path() and
libssh2_agent_set_identity_path()
* adds explicit zeroing of sensitive data in memory
* adds additional bounds checks to network buffer reads
* adds the ability to use the server default permissions when creating
sftp directories
* adds support for building with OpenSSL no engine flag
* adds support for building with LibreSSL
* increased sftp packet size to 256k
* fixed oversized packet handling in sftp
* fixed building with OpenSSL 1.1
* fixed a possible crash if sftp stat gets an unexpected response
* fixed incorrect parsing of the KEX preference string value
* fixed conditional RSA and AES-CTR support
* fixed a small memory leak during the key exchange process
* fixed a possible memory leak of the ssh banner string
* fixed various small memory leaks in the backends
* fixed possible out of bounds read when parsing public keys from the
server
* fixed possible out of bounds read when parsing invalid PEM files
* no longer null terminates the scp remote exec command
* now handle errors when diffie hellman key pair generation fails
* improved building instructions
* improved unit tests
- Version update to 1.8.2: [bsc#1130103] Bug fixes:
* Fixed the misapplied userauth patch that broke 1.8.1
* moved the MAX size declarations from the public header
This update was imported from the SUSE:SLE-15:Update update project.
Patch Instructions:
To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 15.1:
zypper in -t patch openSUSE-2020-2126=1
Package List:
- openSUSE Leap 15.1 (i586 x86_64):
libssh2-1-1.9.0-lp151.6.6.1
libssh2-1-debuginfo-1.9.0-lp151.6.6.1
libssh2-devel-1.9.0-lp151.6.6.1
libssh2_org-debugsource-1.9.0-lp151.6.6.1
- openSUSE Leap 15.1 (x86_64):
libssh2-1-32bit-1.9.0-lp151.6.6.1
libssh2-1-32bit-debuginfo-1.9.0-lp151.6.6.1
References:
https://www.suse.com/security/cve/CVE-2019-17498.html
https://www.suse.com/security/cve/CVE-2019-3855.html
https://www.suse.com/security/cve/CVE-2019-3856.html
https://www.suse.com/security/cve/CVE-2019-3857.html
https://www.suse.com/security/cve/CVE-2019-3858.html
https://www.suse.com/security/cve/CVE-2019-3859.html
https://www.suse.com/security/cve/CVE-2019-3860.html
https://www.suse.com/security/cve/CVE-2019-3861.html
https://www.suse.com/security/cve/CVE-2019-3862.html
https://www.suse.com/security/cve/CVE-2019-3863.html
https://bugzilla.suse.com/1130103
https://bugzilla.suse.com/1178083
[opensuse-security-announce] openSUSE-SU-2020:2127-1: moderate: Security update for neomutt
by opensuse-security@opensuse.org 30 Nov '20
openSUSE Security Update: Security update for neomutt
______________________________________________________________________________
Announcement ID: openSUSE-SU-2020:2127-1
Rating: moderate
References: #1172906 #1172935 #1173197 #1179035 #1179113
Cross-References: CVE-2020-14093 CVE-2020-14154 CVE-2020-14954
CVE-2020-28896
Affected Products:
openSUSE Leap 15.2
openSUSE Leap 15.1
______________________________________________________________________________
An update that solves four vulnerabilities and has one
errata is now available.
Description:
This update for neomutt fixes the following issues:
Update neomutt to 20201120. Address boo#1179035, CVE-2020-28896.
* Security
- imap: close connection on all failures
* Features
- alias: add function to Alias/Query dialogs
- config: add validators for {imap,smtp,pop}_authenticators
- config: warn when signature file is missing or not readable
- smtp: support for native SMTP LOGIN auth mech
- notmuch: show originating folder in index
* Bug Fixes
- sidebar: prevent the divider colour bleeding out
- sidebar: fix <sidebar-{next,prev}-new>
- notmuch: fix query for current email
- restore shutdown-hook functionality
- crash in reply-to
- use-after-free in folder-hook
- fix some leaks
- fix application of limits to modified mailboxes
- write Date header when postponing
* Translations
- 100% Lithuanian
- 100% Czech
- 70% Turkish
* Docs
- Document that $sort_alias affects the query menu
* Build
- improve ASAN flags
- add SASL and S/MIME to --everything
- fix contrib (un)install
* Code
- my_hdr compose screen notifications
- add contracts to the MXAPI
- maildir refactoring
- further reduce the use of global variables
* Upstream
- Add $count_alternatives to count attachments inside alternatives
- Changes from 20200925
* Features
- Compose: display user-defined headers
- Address Book / Query: live sorting
- Address Book / Query: patterns for searching
- Config: Add '+=' and '-=' operators for String Lists
- Config: Add '+=' operator for Strings
- Allow postfix query ':setenv NAME?' for env vars
* Bug Fixes
- Fix crash when searching with invalid regexes
- Compose: Prevent infinite loop of send2-hooks
- Fix sidebar on new/removed mailboxes
- Restore indentation for named mailboxes
- Prevent half-parsing an alias
- Remove folder creation prompt for POP path
- Show error if $message_cachedir doesn't point to a valid directory
- Fix tracking LastDir in case of IMAP paths with Unicode characters
- Make sure all mail gets applied the index limit
- Add warnings to -Q query CLI option
- Fix index tracking functionality
* Changed Config
- Add $compose_show_user_headers (yes)
* Translations
- 100% Czech
- 100% Lithuanian
- Split up usage strings
* Build
- Run shellcheck on hcachever.sh
- Add the Address Sanitizer
- Move compose files to lib under compose/
- Move address config into libaddress
- Update to latest acutest - fixes a memory leak in the unit tests
* Code
- Implement ARRAY API
- Deglobalised the Config Sort functions
- Refactor the Sidebar to be Event-Driven
- Refactor the Color Event
- Refactor the Commands list
- Make ctx_update_tables private
- Reduce the scope/deps of some Validator functions
- Use the Email's IMAP UID instead of an increasing number as index
- debug: log window focus
- Removed neomutt-sidebar-abbreviate-shorten-what-user-sees.patch. No
longer needed.
- Update to 20200821:
* Bug Fixes
- fix maildir flag generation
- fix query notmuch if file is missing
- notmuch: don't abort sync on error
- fix type checking for send config variables
* Changed Config
- $sidebar_format - Use %D rather than %B for named mailboxes
* Translations
- 96% Lithuanian
- 90% Polish
- fix(sidebar): abbreviate/shorten what user sees
- Fix sidebar mailbox name display problem.
- Update to 20200814:
* Notes
- Add one-liner docs to config items See: neomutt -O -Q smart_wrap
- Remove the built-in editor A large unused and unusable feature
* Security
- Add mitigation against DoS from thousands of parts boo#1179113
* Features
- Allow index-style searching in postpone menu
- Open NeoMutt using a mailbox name
- Add cd command to change the current working directory
- Add tab-completion menu for patterns
- Allow renaming existing mailboxes
- Check for missing attachments in alternative parts
- Add one-liner docs to config items
* Bug Fixes
- Fix logic in checking an empty From address
- Fix Imap crash in cmd_parse_expunge()
- Fix setting attributes with S-Lang
- Fix: redrawing of $pager_index_lines
- Fix progress percentage for syncing large mboxes
- Fix sidebar drawing in presence of indentation + named mailboxes
- Fix retrieval of drafts when "postponed" is not in the mailboxes list
- Do not add comments to address group terminators
- Fix alias sorting for degenerate addresses
- Fix attaching emails
- Create directories for nonexistent file hcache case
- Avoid creating mailboxes for failed subscribes
- Fix crash if rejecting cert
* Changed Config
- Add $copy_decode_weed, $pipe_decode_weed, $print_decode_weed
- Change default of $crypt_protected_headers_subject to "..."
- Add default keybindings to history-up/down
* Translations
- 100% Czech
- 100% Spanish
* Build
- Allow building against Lua 5.4
- Fix when sqlite3.h is missing
* Docs
- Add a brief section on stty to the manual
- Update section "Terminal Keybindings" in the manual
- Clarify PGP Pseudo-header S<id> duration
* Code
- Clean up String API
- Make the Sidebar more independent
- De-centralise the Config Variables
- Refactor dialogs
- Refactor: Help Bar generation
- Make more APIs Context-free
- Adjust the edata use in Maildir and Notmuch
- Window refactoring
- Convert libsend to use Config functions
- Refactor notifications to reduce noise
- Convert Keymaps to use STAILQ
- Track currently selected email by msgid
- Config: no backing global variable
- Add events for key binding
* Upstream
- Fix imap postponed mailbox use-after-free error
- Speed up thread sort when many long threads exist
- Fix ~v tagging when switching to non-threaded sorting
- Add message/global to the list of known "message" types
- Print progress meter when copying/saving tagged messages
- Remove ansi formatting from autoview generated quoted replies
- Change postpone mode to write Date header too
- Unstuff format=flowed
- Update to 20200626:
* Bug Fixes
- Avoid opening the same hcache file twice
- Re-open Mailbox after folder-hook
- Fix the matching of the spoolfile Mailbox
- Fix link-thread to link all tagged emails
* Changed Config
- Add $tunnel_is_secure config, defaulting to true
* Upstream
- Don't check IMAP PREAUTH encryption if $tunnel is in use
- Add recommendation to use $ssl_force_tls
- Changes from 20200501:
* Security
- Abort GnuTLS certificate check if a cert in the chain is rejected
CVE-2020-14154 boo#1172906
- TLS: clear data after a starttls acknowledgement CVE-2020-14954
boo#1173197
- Prevent possible IMAP MITM via PREAUTH response CVE-2020-14093
boo#1172935
* Features
- add config operations +=/-= for number,long
- Address book has a comment field
- Query menu has a comment field
* Contrib sample.neomuttrc-starter: Do not echo prompted password
* Bug Fixes
- make "news://" and "nntp://" schemes interchangeable
- Fix CRLF to LF conversion in base64 decoding
- Double comma in query
- compose: fix redraw after history
- Crash inside empty query menu
- mmdf: fix creating new mailbox
- mh: fix creating new mailbox
- mbox: error out when an mbox/mmdf is a pipe
- Fix list-reply by correct parsing of List-Post headers
- Decode references according to RFC2047
- fix tagged message count
- hcache: fix keylen not being considered when building the full key
- sidebar: fix path comparison
- Don't mess with the original pattern when running IMAP searches
- Handle IMAP "NO" resps by issuing a msg instead of failing badly
- imap: use the connection delimiter if provided
- Memory leaks
* Changed Config
- $alias_format default changed to include %c comment
- $query_format default changed to include %e extra info
* Translations
- 100% Lithuanian
- 84% French
- Log the translation in use
* Docs
- Add missing commands unbind, unmacro to man pages
* Build
- Check size of long using LONG_MAX instead of __WORDSIZE
- Allow ./configure to not record cflags
- fix out-of-tree build
- Avoid locating gdbm symbols in qdbm library
* Code
- Refactor unsafe TAILQ returns
- add window notifications
- flip negative ifs
- Update to latest acutest.h
- test: add store tests
- test: add compression tests
- graphviz: email
- make more opcode info available
- refactor: main_change_folder()
- refactor: mutt_mailbox_next()
- refactor: generate_body()
- compress: add {min,max}_level to ComprOps
- emphasise empty loops: "// do nothing"
- prex: convert is_from() to use regex
- Refactor IMAP's search routines
- Update to 20200501:
* Bug Fixes
- Make sure buffers are initialized on error
- fix(sidebar): use abbreviated path if possible
* Translations
- 100% Lithuanian
* Docs
- make header cache config more explicit
- Changes from 20200424:
* Bug Fixes
- Fix history corruption
- Handle pretty much anything in a URL query part
- Correctly parse escaped characters in header phrases
- Fix crash reading received header
- Fix sidebar indentation
- Avoid crashing on failure to parse an IMAP mailbox
- Maildir: handle deleted emails correctly
- Ensure OP_NULL is always first
* Translations
- 100% Czech
* Build
- cirrus: enable pcre2, make pkgconf a special case
- Fix finding pcre2 w/o pkgconf
- build: tdb.h needs size_t, bring it in with stddef.h
- Changes from 20200417:
* Features
- Fluid layout for Compose Screen, see: vimeo.com/407231157
- Trivial Database (TDB) header cache backend
- RocksDB header cache backend
- Add <sidebar-first> and <sidebar-last> functions
* Bug Fixes
- add error for CLI empty emails
- Allow spaces and square brackets in paths
- browser: fix hidden mailboxes
- fix initial email display
- notmuch: fix time window search.
- fix resize bugs
- notmuch: fix entire-thread: update current email pointer
- sidebar: support indenting and shortening of names
- Handle variables inside backticks in sidebar_whitelist
- browser: fix mask regex error reporting
* Translations
- 100% Lithuanian
- 99% Chinese (simplified)
* Build
- Use regexes for common parsing tasks: urls, dates
- Add configure option --pcre2 -- Enable PCRE2 regular expressions
- Add configure option --tdb -- Use TDB for the header cache
- Add configure option --rocksdb -- Use RocksDB for the header cache
- Create libstore (key/value backends)
- Update to latest autosetup
- Update to latest acutest.h
- Rename doc/ directory to docs/
- make: fix location of .Po dependency files
- Change libcompress to be more universal
- Fix test fails on x32
- fix uidvalidity to unsigned 32-bit int
* Code
- Increase test coverage
- Fix memory leaks
- Fix null checks
* Upstream
- Buffer refactoring
- Fix use-after-free in mutt_str_replace()
- Clarify PGP Pseudo-header S<id> duration
- Try to respect MUTT_QUIET for IMAP contexts too
- Limit recurse depth when parsing mime messages
- Update to 20200320:
* Bug Fixes
- Fix COLUMNS env var
- Fix sync after delete
- Fix crash in notmuch
- Fix sidebar indent
- Fix emptying trash
- Fix command line sending
- Fix reading large address lists
- Resolve symlinks only when necessary
* Translations
- lithuania 100% Lithuanian
- es 96% Spanish
* Docs
- Include OpenSSL/LibreSSL/GnuTLS version in neomutt -v output
- Fix case of GPGME and SQLite
* Build
- Create libcompress (lz4, zlib, zstd)
- Create libhistory
- Create libbcache
- Move zstrm to libconn
* Code
- Add more test coverage
- Rename magic to type
- Use mutt_file_fopen() on config variables
- Change commands to use intptr_t for data
- Update to 20200313:
* Window layout
- Sidebar is only visible when it's usable.
* Features
- UI: add number of old messages to sidebar_format
- UI: support ISO 8601 calendar date
- UI: fix commands that don't need to have a non-empty mailbox to be
valid
- PGP: inform about successful decryption of inline PGP messages
- PGP: try to infer the signing key from the From address
- PGP: enable GPGMe by default
- Notmuch: use query as name for vfolder-from-query
- IMAP: add network traffic compression (COMPRESS=DEFLATE, RFC4978)
- Header cache: add support for generic header cache compression
* Bug Fixes
- Fix uncollapse_jump
- Only try to perform entire-thread on maildir/mh mailboxes
- Fix crash in pager
- Avoid logging single new lines at the end of header fields
- Fix listing mailboxes
- Do not recurse a non-threaded message
- Fix initial window order
- Fix leaks on IMAP error paths
- Notmuch: compose(attach-message): support notmuch backend
- Fix IMAP flag comparison code
- Fix $move for IMAP mailboxes
- Maildir: maildir_mbox_check_stats should only update mailbox stats
if requested
- Fix unmailboxes for virtual mailboxes
- Maildir: sanitize filename before hashing
- OAuth: if 'login' name isn't available use 'user'
- Add error message on failed encryption
- Fix a bunch of crashes
- Force C locale for email date
- Abort if run without a terminal
* Changed Config
- $crypt_use_gpgme - Now defaults to 'yes' (enabled)
- $abort_backspace - Hitting backspace against an empty prompt aborts
the prompt
- $abort_key - String representation of key to abort prompts
- $arrow_string - Use a custom string for arrow_cursor
- $crypt_opportunistic_encrypt_strong_keys - Enable encryption
only when a strong key is available
- $header_cache_compress_dictionary - Filepath to dictionary for zstd
compression
- $header_cache_compress_level - Level of compression for method
- $header_cache_compress_method - Enable generic hcache database
compression
- $imap_deflate - Compress network traffic
- $smtp_user - Username for the SMTP server
* Translations
- 100% Lithuanian
- 81% Spanish
- 78% Russian
* Build
- Add libdebug
- Rename public headers to lib.h
- Create libcompress for compressed folders code
* Code
- Refactor Windows and Dialogs
- Lots of code tidying
- Refactor: mutt_addrlist_{search,write}
- Lots of improvements to the Config code
- Use Buffers more pervasively
- Unify API function naming
- Rename library shared headers
- Refactor libconn gui dependencies
- Refactor: init.[ch]
- Refactor config to use subsets
- Config: add path type
- Remove backend deps from the connection code
* Upstream
- Allow ~b ~B ~h patterns in send2-hook
- Rename smime oppenc mode parameter to get_keys_by_addr()
- Add $crypt_opportunistic_encrypt_strong_keys config var
- Fix crash when polling a closed ssl connection
- Turn off auto-clear outside of autocrypt initialization
- Add protected-headers="v1" to Content-Type when protecting headers
- Fix segv in IMAP postponed menu caused by reopen_allow
- Adding ISO 8601 calendar date
- Fix $fcc_attach to not prompt in batch mode
- Convert remaining mutt_encode_path() call to use struct Buffer
- Fix rendering of replacement_char when Charset_is_utf8
- Update to latest acutest.h
- Update to 20191207:
* Features:
- compose: draw status bar with highlights
* Bug Fixes:
- crash opening notmuch mailbox
- crash in mutt_autocrypt_ui_recommendation
- Avoid negative allocation
- Mbox new mail
- Setting of DT_MAILBOX type variables from Lua
- imap: empty cmdbuf before connecting
- imap: select the mailbox on reconnect
- compose: fix attach message
* Build:
- make files conditional
* Code:
- enum-ify log levels
- fix function prototypes
- refactor virtual email lookups
- factor out global Context
- Changes from 20191129:
* Features:
- Add raw mailsize expando (%cr)
* Bug Fixes:
- Avoid double question marks in bounce confirmation msg
- Fix bounce confirmation
- fix new-mail flags and behaviour
- fix: browser <descend-directory>
- fix ssl crash
- fix move to trash
- fix flickering
- Do not check hidden mailboxes for new mail
- Fix new_mail_command notifications
- fix crash in examine_mailboxes()
- fix crash in mutt_sort_threads()
- fix: crash after sending
- Fix crash in tunnel's conn_close
- fix fcc for deep dirs
- imap: fix crash when new mail arrives
- fix colour 'quoted9'
- quieten messages on exit
- fix: crash after failed mbox_check
- browser: default to a file/dir view when attaching a file
* Changed Config:
- Change $write_bcc to default off
* Docs:
- Add a bit more documentation about sending
- Clarify $write_bcc documentation.
- Update documentation for raw size expando
- docbook: set generate.consistent.ids to make generated html
reproducible
* Build:
- fix build/tests for 32-bit arches
- tests: fix test that would fail soon
- tests: fix context for failing idna tests
- Update to 20191111: Bug fixes:
* browser: fix directory view
* fix crash in mutt_extract_token()
* force a screen refresh
* fix crash sending message from command line
* notmuch: use nm_default_uri if no mailbox data
* fix forward attachments
* fix: vfprintf undefined behaviour in body_handler
* Fix relative symlink resolution
* fix: trash to non-existent file/dir
* fix re-opening of mbox Mailboxes
* close logging as late as possible
* log unknown mailboxes
* fix crash in command line postpone
* fix memory leaks
* fix icommand parsing
* fix new mail interaction with mail_check_recent
Patch Instructions:
To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 15.2:
zypper in -t patch openSUSE-2020-2127=1
- openSUSE Leap 15.1:
zypper in -t patch openSUSE-2020-2127=1
Package List:
- openSUSE Leap 15.2 (x86_64):
neomutt-20201120-lp152.2.3.1
neomutt-debuginfo-20201120-lp152.2.3.1
neomutt-debugsource-20201120-lp152.2.3.1
- openSUSE Leap 15.2 (noarch):
neomutt-doc-20201120-lp152.2.3.1
neomutt-lang-20201120-lp152.2.3.1
- openSUSE Leap 15.1 (x86_64):
neomutt-20201120-lp151.2.3.1
neomutt-debuginfo-20201120-lp151.2.3.1
neomutt-debugsource-20201120-lp151.2.3.1
- openSUSE Leap 15.1 (noarch):
neomutt-doc-20201120-lp151.2.3.1
neomutt-lang-20201120-lp151.2.3.1
References:
https://www.suse.com/security/cve/CVE-2020-14093.html
https://www.suse.com/security/cve/CVE-2020-14154.html
https://www.suse.com/security/cve/CVE-2020-14954.html
https://www.suse.com/security/cve/CVE-2020-28896.html
https://bugzilla.suse.com/1172906
https://bugzilla.suse.com/1172935
https://bugzilla.suse.com/1173197
https://bugzilla.suse.com/1179035
https://bugzilla.suse.com/1179113
[opensuse-security-announce] openSUSE-SU-2020:2111-1: moderate: Security update for fontforge
by opensuse-security@opensuse.org 29 Nov '20
openSUSE Security Update: Security update for fontforge
______________________________________________________________________________
Announcement ID: openSUSE-SU-2020:2111-1
Rating: moderate
References: #1160220 #1178308
Cross-References: CVE-2020-25690 CVE-2020-5395
Affected Products:
openSUSE Leap 15.1
______________________________________________________________________________
An update that fixes two vulnerabilities is now available.
Description:
This update for fontforge fixes the following issues:
- fix for Use-after-free (heap) in the SFD_GetFontMetaData() function and
the crash (bsc#1178308 CVE-2020-25690).
This update was imported from the SUSE:SLE-15:Update update project.
Patch Instructions:
To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 15.1:
zypper in -t patch openSUSE-2020-2111=1
Package List:
- openSUSE Leap 15.1 (i586 x86_64):
fontforge-20170731-lp151.4.6.1
fontforge-debuginfo-20170731-lp151.4.6.1
fontforge-debugsource-20170731-lp151.4.6.1
fontforge-devel-20170731-lp151.4.6.1
- openSUSE Leap 15.1 (noarch):
fontforge-doc-20170731-lp151.4.6.1
References:
https://www.suse.com/security/cve/CVE-2020-25690.html
https://www.suse.com/security/cve/CVE-2020-5395.html
https://bugzilla.suse.com/1160220
https://bugzilla.suse.com/1178308
[opensuse-security-announce] openSUSE-SU-2020:2112-1: important: Security update for the Linux Kernel
by opensuse-security@opensuse.org 29 Nov '20
openSUSE Security Update: Security update for the Linux Kernel
______________________________________________________________________________
Announcement ID: openSUSE-SU-2020:2112-1
Rating: important
References: #1055014 #1055186 #1061843 #1065600 #1065729
#1066382 #1077428 #1129923 #1134760 #1149032
#1152489 #1155798 #1163592 #1164648 #1165692
#1166146 #1166166 #1167030 #1168468 #1170415
#1171675 #1171688 #1174003 #1174098 #1174748
#1174969 #1175052 #1175306 #1175599 #1175621
#1175718 #1175721 #1175749 #1175807 #1175898
#1176019 #1176354 #1176381 #1176400 #1176485
#1176588 #1176713 #1176907 #1176979 #1177086
#1177090 #1177109 #1177121 #1177193 #1177194
#1177206 #1177258 #1177271 #1177281 #1177283
#1177284 #1177285 #1177286 #1177297 #1177353
#1177384 #1177410 #1177411 #1177470 #1177511
#1177617 #1177681 #1177683 #1177687 #1177694
#1177697 #1177719 #1177724 #1177725 #1177726
#1177739 #1177749 #1177750 #1177754 #1177755
#1177765 #1177766 #1177799 #1177801 #1177814
#1177817 #1177854 #1177855 #1177856 #1177861
#1178002 #1178079 #1178123 #1178166 #1178173
#1178175 #1178176 #1178177 #1178183 #1178184
#1178185 #1178186 #1178190 #1178191 #1178246
#1178255 #1178307 #1178330 #1178393 #1178395
#1178461 #1178579 #1178581 #1178584 #1178585
#802154 #954532
Cross-References: CVE-2020-12351 CVE-2020-12352 CVE-2020-14351
CVE-2020-16120 CVE-2020-24490 CVE-2020-25212
CVE-2020-25285 CVE-2020-25641 CVE-2020-25643
CVE-2020-25645 CVE-2020-25656 CVE-2020-25668
CVE-2020-25704 CVE-2020-25705 CVE-2020-8694
Affected Products:
openSUSE Leap 15.2
______________________________________________________________________________
An update that solves 15 vulnerabilities and has 102 fixes
is now available.
Description:
The openSUSE Leap 15.2 kernel was updated to receive various security and
bugfixes.
The following security bugs were fixed:
- CVE-2020-12351: Fixed a type confusion while processing AMP packets aka
"BleedingTooth" aka "BadKarma" (bsc#1177724).
- CVE-2020-24490: Fixed a heap buffer overflow when processing extended
advertising report events aka "BleedingTooth" aka "BadVibes"
(bsc#1177726).
- CVE-2020-12352: Fixed an information leak when processing certain AMP
packets aka "BleedingTooth" aka "BadChoice" (bsc#1177725).
- CVE-2020-25212: A TOCTOU mismatch in the NFS client code in the Linux
kernel could be used by local attackers to corrupt memory or possibly
have unspecified other impact because a size check is in
fs/nfs/nfs4proc.c instead of fs/nfs/nfs4xdr.c, aka CID-b4487b935452
(bnc#1176381).
- CVE-2020-25645: Traffic between two Geneve endpoints may be unencrypted
when IPsec is configured to encrypt traffic for the specific UDP port
used by the GENEVE tunnel allowing anyone between the two endpoints to
read the traffic unencrypted. The main threat from this vulnerability is
to data confidentiality (bnc#1177511).
- CVE-2020-25643: Memory corruption and a read overflow are caused by
improper input validation in the ppp_cp_parse_cr function which can
cause the system to crash or cause a denial of service. The highest
threat from this vulnerability is to data confidentiality and integrity
as well as system availability (bnc#1177206).
- CVE-2020-25641: A zero-length biovec request issued by the block
subsystem could cause the kernel to enter an infinite loop, causing a
denial of service. This flaw allowed a local attacker with basic
privileges to issue requests to a block device, resulting in a denial of
service. The highest threat from this vulnerability is to system
availability (bnc#1177121).
- CVE-2020-25704: Fixed a memory leak in perf_event_parse_addr_filter()
(bsc#1178393).
- CVE-2020-25668: Make FONTX ioctl use the tty pointer they were actually
passed (bsc#1178123).
- CVE-2020-25656: Extend func_buf_lock to readers (bnc#1177766).
- CVE-2020-25285: Fixed a race condition between hugetlb sysctl handlers
in mm/hugetlb.c in the Linux kernel that could be used by local attackers to
corrupt memory, cause a NULL pointer dereference, or possibly have
unspecified other impact, aka CID-17743798d812 (bnc#1176485).
- CVE-2020-14351: Fixed race in the perf_mmap_close() function
(bsc#1177086).
- CVE-2020-8694: Restrict energy meter to root access (bsc#1170415).
- CVE-2020-16120: Check permission to open real file in overlayfs
(bsc#1177470).
- CVE-2020-25705: An ICMP global rate limiting side-channel was removed
which could lead to e.g. the SADDNS attack (bsc#1175721).
The following non-security bugs were fixed:
- 9p: Fix memory leak in v9fs_mount (git-fixes).
- ACPI: Always build evged in (git-fixes).
- ACPI: button: fix handling lid state changes when input device closed
(git-fixes).
- ACPI: configfs: Add missing config_item_put() to fix refcount leak
(git-fixes).
- acpi-cpufreq: Honor _PSD table setting on new AMD CPUs (git-fixes).
- ACPI: debug: do not allow debugging when ACPI is disabled (git-fixes).
- ACPI: EC: Reference count query handlers under lock (git-fixes).
- ACPI / extlog: Check for RDMSR failure (git-fixes).
- ACPI: video: use ACPI backlight for HP 635 Notebook (git-fixes).
- act_ife: load meta modules before tcf_idr_check_alloc()
(networking-stable-20_09_24).
- Add CONFIG_CHECK_CODESIGN_EKU
- airo: Fix read overflows sending packets (git-fixes).
- ALSA: ac97: (cosmetic) align argument names (git-fixes).
- ALSA: aoa: i2sbus: use DECLARE_COMPLETION_ONSTACK() macro (git-fixes).
- ALSA: asihpi: fix spellint typo in comments (git-fixes).
- ALSA: atmel: ac97: clarify operator precedence (git-fixes).
- ALSA: bebob: potential info leak in hwdep_read() (git-fixes).
- ALSA: compress_offload: remove redundant initialization (git-fixes).
- ALSA: core: init: use DECLARE_COMPLETION_ONSTACK() macro (git-fixes).
- ALSA: core: pcm: simplify locking for timers (git-fixes).
- ALSA: core: timer: clarify operator precedence (git-fixes).
- ALSA: core: timer: remove redundant assignment (git-fixes).
- ALSA: ctl: Workaround for lockdep warning wrt card->ctl_files_rwlock
(git-fixes).
- ALSA: fireworks: use semicolons rather than commas to separate
statements (git-fixes).
- ALSA: fix kernel-doc markups (git-fixes).
- ALSA: hda: auto_parser: remove shadowed variable declaration (git-fixes).
- ALSA: hda: (cosmetic) align function parameters (git-fixes).
- ALSA: hda - Do not register a cb func if it is registered already
(git-fixes).
- ALSA: hda - Fix the return value if cb func is already registered
(git-fixes).
- ALSA: hda/hdmi: fix incorrect locking in hdmi_pcm_close (git-fixes).
- ALSA: hda: prevent undefined shift in snd_hdac_ext_bus_get_link()
(git-fixes).
- ALSA: hda/realtek - Add mute Led support for HP Elitebook 845 G7
(git-fixes).
- ALSA: hda/realtek: Enable audio jacks of ASUS D700SA with ALC887
(git-fixes).
- ALSA: hda/realtek - Enable headphone for ASUS TM420 (git-fixes).
- ALSA: hda/realtek - Fixed HP headset Mic can't be detected (git-fixes).
- ALSA: hda/realtek - set mic to auto detect on a HP AIO machine
(git-fixes).
- ALSA: hda/realtek - The front Mic on a HP machine does not work
(git-fixes).
- ALSA: hda: use semicolons rather than commas to separate statements
(git-fixes).
- ALSA: hdspm: Fix typo arbitary (git-fixes).
- ALSA: mixart: Correct comment wrt obsoleted tasklet usage (git-fixes).
- ALSA: portman2x4: fix repeated word 'if' (git-fixes).
- ALSA: rawmidi: (cosmetic) align function parameters (git-fixes).
- ALSA: seq: oss: Avoid mutex lock for a long-time ioctl (git-fixes).
- ALSA: sparc: dbri: fix repeated word 'the' (git-fixes).
- ALSA: usb-audio: Add implicit feedback quirk for MODX (git-fixes).
- ALSA: usb-audio: Add implicit feedback quirk for Qu-16 (git-fixes).
- ALSA: usb-audio: Add implicit feedback quirk for Zoom UAC-2 (git-fixes).
- ALSA: usb-audio: Add mixer support for Pioneer DJ DJM-250MK2 (git-fixes).
- ALSA: usb-audio: add usb vendor id as DSD-capable for Khadas devices
(git-fixes).
- ALSA: usb-audio: endpoint.c: fix repeated word 'there' (git-fixes).
- ALSA: usb-audio: fix spelling mistake "Frequence" -> "Frequency"
(git-fixes).
- ALSA: usb-audio: Line6 Pod Go interface requires static clock rate quirk
(git-fixes).
- ALSA: usb: scarless_gen2: fix endianness issue (git-fixes).
- ALSA: vx: vx_core: clarify operator precedence (git-fixes).
- ALSA: vx: vx_pcm: remove redundant assignment (git-fixes).
- ar5523: Add USB ID of SMCWUSBT-G2 wireless adapter (git-fixes).
- arm64: Enable PCI write-combine resources under sysfs (bsc#1175807).
- ASoC: codecs: wcd9335: Set digital gain range correctly (git-fixes).
- ASoC: cs42l51: manage mclk shutdown delay (git-fixes).
- ASoC: fsl: imx-es8328: add missing put_device() call in
imx_es8328_probe() (git-fixes).
- ASoC: fsl_sai: Instantiate snd_soc_dai_driver (git-fixes).
- ASoC: img-i2s-out: Fix runtime PM imbalance on error (git-fixes).
- ASoC: Intel: bytcr_rt5640: Add quirk for MPMAN Converter9 2-in-1
(git-fixes).
- ASoC: Intel: kbl_rt5663_max98927: Fix kabylake_ssp_fixup function
(git-fixes).
- ASoC: kirkwood: fix IRQ error handling (git-fixes).
- ASoC: qcom: lpass-cpu: fix concurrency issue (git-fixes).
- ASoC: qcom: lpass-platform: fix memory leak (git-fixes).
- ASoC: qcom: sdm845: set driver name correctly (git-fixes).
- ASoC: sun50i-codec-analog: Fix duplicate use of ADC enable bits
(git-fixes).
- ASoC: tlv320aic32x4: Fix bdiv clock rate derivation (git-fixes).
- ASoC: wm8994: Ensure the device is resumed in wm89xx_mic_detect
functions (git-fixes).
- ASoC: wm8994: Skip setting of the WM8994_MICBIAS register for WM1811
(git-fixes).
- ata: ahci: mvebu: Make SATA PHY optional for Armada 3720 (git-fixes).
- ata: sata_rcar: Fix DMA boundary mask (git-fixes).
- ath10k: check idx validity in __ath10k_htt_rx_ring_fill_n() (git-fixes).
- ath10k: fix array out-of-bounds access (git-fixes).
- ath10k: fix memory leak for tpc_stats_final (git-fixes).
- ath10k: Fix the size used in a 'dma_free_coherent()' call in an error
handling path (git-fixes).
- ath10k: fix VHT NSS calculation when STBC is enabled (git-fixes).
- ath10k: provide survey info as accumulated data (git-fixes).
- ath10k: start recovery process when payload length exceeds max htc
length for sdio (git-fixes).
- ath10k: use kzalloc to read for ath10k_sdio_hif_diag_read (git-fixes).
- ath6kl: prevent potential array overflow in ath6kl_add_new_sta()
(git-fixes).
- ath6kl: wmi: prevent a shift wrapping bug in
ath6kl_wmi_delete_pstream_cmd() (git-fixes).
- ath9k: Fix potential out of bounds in ath9k_htc_txcompletion_cb()
(git-fixes).
- ath9k: hif_usb: fix race condition between usb_get_urb() and
usb_kill_anchored_urbs() (git-fixes).
- ath9k_htc: Use appropriate rs_datalen type (git-fixes).
- backlight: sky81452-backlight: Fix refcount imbalance on error
(git-fixes).
- blk-mq: order adding requests to hctx->dispatch and checking
SCHED_RESTART (bsc#1177750).
- block: ensure bdi->io_pages is always initialized (bsc#1177749).
- block: Fix page_is_mergeable() for compound pages (bsc#1177814).
- block: Set same_page to false in __bio_try_merge_page if ret is false
(git-fixes).
- Bluetooth: btusb: Fix memleak in btusb_mtk_submit_wmt_recv_urb
(git-fixes).
- Bluetooth: Fix refcount use-after-free issue (git-fixes).
- Bluetooth: guard against controllers sending zero'd events (git-fixes).
- Bluetooth: Handle Inquiry Cancel error after Inquiry Complete
(git-fixes).
- Bluetooth: hci_uart: Cancel init work before unregistering (git-fixes).
- Bluetooth: L2CAP: handle l2cap config request during open state
(git-fixes).
- Bluetooth: MGMT: Fix not checking if BT_HS is enabled (git-fixes).
- Bluetooth: Only mark socket zapped after unlocking (git-fixes).
- Bluetooth: prefetch channel before killing sock (git-fixes).
- bnxt_en: Protect bnxt_set_eee() and bnxt_set_pauseparam() with mutex
(git-fixes).
- bonding: show saner speed for broadcast mode
(networking-stable-20_08_24).
- brcm80211: fix possible memleak in brcmf_proto_msgbuf_attach (git-fixes).
- brcmfmac: check ndev pointer (git-fixes).
- brcmfmac: Fix double freeing in the fmac usb data path (git-fixes).
- brcmsmac: fix memory leak in wlc_phy_attach_lcnphy (git-fixes).
- btrfs: Account for merged patches upstream Move below patches to sorted
section.
- btrfs: add owner and fs_info to alloc_state io_tree (bsc#1177854).
- btrfs: allocate scrub workqueues outside of locks (bsc#1178183).
- btrfs: block-group: do not set the wrong READA flag for
btrfs_read_block_groups() (bsc#1176019).
- btrfs: block-group: fix free-space bitmap threshold (bsc#1176019).
- btrfs: block-group: refactor how we delete one block group item
(bsc#1176019).
- btrfs: block-group: refactor how we insert a block group item
(bsc#1176019).
- btrfs: block-group: refactor how we read one block group item
(bsc#1176019).
- btrfs: block-group: rename write_one_cache_group() (bsc#1176019).
- btrfs: check the right error variable in btrfs_del_dir_entries_in_log
(bsc#1177687).
- btrfs: cleanup cow block on error (bsc#1178584).
- btrfs: do not force read-only after error in drop snapshot (bsc#1176354).
- btrfs: do not set the full sync flag on the inode during page release
(bsc#1177687).
- btrfs: do not take an extra root ref at allocation time (bsc#1176019).
- btrfs: drop logs when we've aborted a transaction (bsc#1176019).
- btrfs: drop path before adding new uuid tree entry (bsc#1178176).
- btrfs: fix a race between scrub and block group removal/allocation
(bsc#1176019).
- Btrfs: fix crash during unmount due to race with delayed inode workers
(bsc#1176019).
- btrfs: fix filesystem corruption after a device replace (bsc#1178395).
- btrfs: fix NULL pointer dereference after failure to create snapshot
(bsc#1178190).
- btrfs: fix overflow when copying corrupt csums for a message
(bsc#1178191).
- btrfs: fix race between page release and a fast fsync (bsc#1177687).
- btrfs: fix space cache memory leak after transaction abort (bsc#1178173).
- btrfs: free block groups after free'ing fs trees (bsc#1176019).
- btrfs: hold a ref on the root on the dead roots list (bsc#1176019).
- btrfs: kill the subvol_srcu (bsc#1176019).
- btrfs: make btrfs_cleanup_fs_roots use the radix tree lock (bsc#1176019).
- btrfs: make inodes hold a ref on their roots (bsc#1176019).
- btrfs: make the extent buffer leak check per fs info (bsc#1176019).
- btrfs: move btrfs_rm_dev_replace_free_srcdev outside of all locks
(bsc#1178395).
- btrfs: move btrfs_scratch_superblocks into btrfs_dev_replace_finishing
(bsc#1178395).
- btrfs: move ino_cache_inode dropping out of btrfs_free_fs_root
(bsc#1176019).
- btrfs: move the block group freeze/unfreeze helpers into block-group.c
(bsc#1176019).
- btrfs: move the root freeing stuff into btrfs_put_root (bsc#1176019).
- btrfs: only commit delayed items at fsync if we are logging a directory
(bsc#1177687).
- btrfs: only commit the delayed inode when doing a full fsync
(bsc#1177687).
- btrfs: qgroup: fix qgroup meta rsv leak for subvolume operations
(bsc#1177856).
- btrfs: qgroup: fix wrong qgroup metadata reserve for delayed inode
(bsc#1177855).
- btrfs: reduce contention on log trees when logging checksums
(bsc#1177687).
- btrfs: release old extent maps during page release (bsc#1177687).
- btrfs: remove no longer necessary chunk mutex locking cases
(bsc#1176019).
- btrfs: remove no longer needed use of log_writers for the log root tree
(bsc#1177687).
- btrfs: rename member 'trimming' of block group to a more generic name
(bsc#1176019).
- btrfs: reschedule if necessary when logging directory items
(bsc#1178585).
- btrfs: scrub, only lookup for csums if we are dealing with a data extent
(bsc#1176019).
- btrfs: send, orphanize first all conflicting inodes when processing
references (bsc#1178579).
- btrfs: send, recompute reference path after orphanization of a directory
(bsc#1178581).
- btrfs: set the correct lockdep class for new nodes (bsc#1178184).
- btrfs: set the lockdep class for log tree extent buffers (bsc#1178186).
- btrfs: stop incremening log_batch for the log root tree when syncing log
(bsc#1177687).
- btrfs: tree-checker: fix false alert caused by legacy btrfs root item
(bsc#1177861).
- bus: hisi_lpc: Fixup IO ports addresses to avoid use-after-free in host
removal (git-fixes).
- can: can_create_echo_skb(): fix echo skb generation: always use
skb_clone() (git-fixes).
- can: c_can: reg_map_{c,d}_can: mark as __maybe_unused (git-fixes).
- can: dev: __can_get_echo_skb(): fix real payload length return value for
RTR frames (git-fixes).
- can: dev: can_get_echo_skb(): prevent call to kfree_skb() in hard IRQ
context (git-fixes).
- can: flexcan: flexcan_chip_stop(): add error handling and propagate
error value (git-fixes).
- can: flexcan: flexcan_remove(): disable wakeup completely (git-fixes).
- can: flexcan: remove ack_grp and ack_bit handling from driver
(git-fixes).
- can: flexcan: remove FLEXCAN_QUIRK_DISABLE_MECR quirk for LS1021A
(git-fixes).
- can: peak_canfd: pucan_handle_can_rx(): fix echo management when
loopback is on (git-fixes).
- can: peak_usb: add range checking in decode operations (git-fixes).
- can: peak_usb: peak_usb_get_ts_time(): fix timestamp wrapping
(git-fixes).
- can: rx-offload: do not call kfree_skb() from IRQ context (git-fixes).
- can: softing: softing_card_shutdown(): add braces around empty body in
an 'if' statement (git-fixes).
- ceph: promote to unsigned long long before shifting (bsc#1178175).
- clk: at91: clk-main: update key before writing AT91_CKGR_MOR (git-fixes).
- clk: at91: remove the checking of parent_name (git-fixes).
- clk: bcm2835: add missing release if devm_clk_hw_register fails
(git-fixes).
- clk: imx8mq: Fix usdhc parents order (git-fixes).
- clk: keystone: sci-clk: fix parsing assigned-clock data during probe
(git-fixes).
- clk: meson: g12a: mark fclk_div2 as critical (git-fixes).
- clk: qcom: gcc-sdm660: Fix wrong parent_map (git-fixes).
- clk: samsung: exynos4: mark 'chipid' clock as CLK_IGNORE_UNUSED
(git-fixes).
- clk: socfpga: stratix10: fix the divider for the emac_ptp_free_clk
(git-fixes).
- clk: tegra: Always program PLL_E when enabled (git-fixes).
- clk/ti/adpll: allocate room for terminating null (git-fixes).
- clocksource/drivers/h8300_timer8: Fix wrong return value in
h8300_8timer_init() (git-fixes).
- clocksource/drivers/timer-gx6605s: Fixup counter reload (git-fixes).
- cpuidle: Poll for a minimum of 30ns and poll for a tick if lower
c-states are disabled (bnc#1176588).
- create Storage / NVMe subsection
- crypto: algif_aead - Do not set MAY_BACKLOG on the async path
(git-fixes).
- crypto: algif_skcipher - EBUSY on aio should be an error (git-fixes).
- crypto: bcm - Verify GCM/CCM key length in setkey (git-fixes).
- crypto: ccp - fix error handling (git-fixes).
- crypto: dh - check validity of Z before export (bsc#1175718).
- crypto: dh - SP800-56A rev 3 local public key validation (bsc#1175718).
- crypto: ecc - SP800-56A rev 3 local public key validation (bsc#1175718).
- crypto: ecdh - check validity of Z before export (bsc#1175718).
- crypto: ixp4xx - Fix the size used in a 'dma_free_coherent()' call
(git-fixes).
- crypto: mediatek - Fix wrong return value in mtk_desc_ring_alloc()
(git-fixes).
- crypto: omap-sham - fix digcnt register handling with export/import
(git-fixes).
- crypto: picoxcell - Fix potential race condition bug (git-fixes).
- crypto: qat - check cipher length for aead AES-CBC-HMAC-SHA (git-fixes).
- cxgb4: fix memory leak during module unload (networking-stable-20_09_24).
- cxgb4: Fix offset when clearing filter byte counters
(networking-stable-20_09_24).
- cxl: Rework error message for incompatible slots (bsc#1055014 git-fixes).
- cypto: mediatek - fix leaks in mtk_desc_ring_alloc (git-fixes).
- dax: Fix compilation for CONFIG_DAX && !CONFIG_FS_DAX (bsc#1177817).
- Disable module compression on SLE15 SP2 (bsc#1178307)
- dma-direct: add missing set_memory_decrypted() for coherent mapping
(bsc#1175898, ECO-2743).
- dma-direct: always align allocation size in dma_direct_alloc_pages()
(bsc#1175898, ECO-2743).
- dma-direct: atomic allocations must come from atomic coherent pools
(bsc#1175898, ECO-2743).
- dma-direct: check return value when encrypting or decrypting memory
(bsc#1175898, ECO-2743).
- dma-direct: consolidate the error handling in dma_direct_alloc_pages
(bsc#1175898, ECO-2743).
- dma-direct: make uncached_kernel_address more general (bsc#1175898,
ECO-2743).
- dma-direct: provide function to check physical memory area validity
(bsc#1175898, ECO-2743).
- dma-direct: provide mmap and get_sgtable method overrides (bsc#1175898,
ECO-2743).
- dma-direct: re-encrypt memory if dma_direct_alloc_pages() fails
(bsc#1175898, ECO-2743).
- dma-direct: remove __dma_direct_free_pages (bsc#1175898, ECO-2743).
- dma-direct: remove the dma_handle argument to __dma_direct_alloc_pages
(bsc#1175898, ECO-2743).
- dmaengine: dma-jz4780: Fix race in jz4780_dma_tx_status (git-fixes).
- dmaengine: dmatest: Check list for emptiness before access its last
entry (git-fixes).
- dmaengine: dw: Activate FIFO-mode for memory peripherals only
(git-fixes).
- dmaengine: mediatek: hsdma_probe: fixed a memory leak when
devm_request_irq fails (git-fixes).
- dmaengine: stm32-dma: use vchan_terminate_vdesc() in .terminate_all
(git-fixes).
- dmaengine: stm32-mdma: use vchan_terminate_vdesc() in .terminate_all
(git-fixes).
- dmaengine: tegra-apb: Prevent race conditions on channel's freeing
(git-fixes).
- dmaengine: zynqmp_dma: fix burst length configuration (git-fixes).
- dma-fence: Serialise signal enabling (dma_fence_enable_sw_signaling)
(git-fixes).
- dma-mapping: add a dma_can_mmap helper (bsc#1175898, ECO-2743).
- dma-mapping: always use VM_DMA_COHERENT for generic DMA remap
(bsc#1175898, ECO-2743).
- dma-mapping: DMA_COHERENT_POOL should select GENERIC_ALLOCATOR
(bsc#1175898, ECO-2743).
- dma-mapping: make dma_atomic_pool_init self-contained (bsc#1175898,
ECO-2743).
- dma-mapping: merge the generic remapping helpers into dma-direct
(bsc#1175898, ECO-2743).
- dma-mapping: remove arch_dma_mmap_pgprot (bsc#1175898, ECO-2743).
- dma-mapping: warn when coherent pool is depleted (bsc#1175898, ECO-2743).
- dma-pool: add additional coherent pools to map to gfp mask (bsc#1175898,
ECO-2743).
- dma-pool: add pool sizes to debugfs (bsc#1175898, ECO-2743).
- dma-pool: decouple DMA_REMAP from DMA_COHERENT_POOL (bsc#1175898,
ECO-2743).
- dma-pool: do not allocate pool memory from CMA (bsc#1175898, ECO-2743).
- dma-pool: dynamically expanding atomic pools (bsc#1175898, ECO-2743).
- dma-pool: Fix an uninitialized variable bug in atomic_pool_expand()
(bsc#1175898, ECO-2743).
- dma-pool: fix coherent pool allocations for IOMMU mappings (bsc#1175898,
ECO-2743).
- dma-pool: fix too large DMA pools on medium memory size systems
(bsc#1175898, ECO-2743).
- dma-pool: get rid of dma_in_atomic_pool() (bsc#1175898, ECO-2743).
- dma-pool: introduce dma_guess_pool() (bsc#1175898, ECO-2743).
- dma-pool: make sure atomic pool suits device (bsc#1175898, ECO-2743).
- dma-pool: Only allocate from CMA when in same memory zone (bsc#1175898,
ECO-2743).
- dma-pool: scale the default DMA coherent pool size with memory capacity
(bsc#1175898, ECO-2743).
- dma-remap: separate DMA atomic pools from direct remap code
(bsc#1175898, ECO-2743).
- dm: Call proper helper to determine dax support (bsc#1177817).
- dm/dax: Fix table reference counts (bsc#1178246).
- docs: driver-api: remove a duplicated index entry (git-fixes).
- drivers: char: tlclk.c: Avoid data race between init and interrupt
handler (git-fixes).
- drivers: watchdog: rdc321x_wdt: Fix race condition bugs (git-fixes).
- drm/amdgpu: restore proper ref count in amdgpu_display_crtc_set_config
(git-fixes).
- drm/radeon: revert "Prefer lower feedback dividers" (bsc#1177384).
- drop Storage / bsc#1171688 subsection No effect on expanded tree.
- e1000: Do not perform reset in reset_task if we are already down
(git-fixes).
- EDAC/i5100: Fix error handling order in i5100_init_one() (bsc#1152489).
- eeprom: at25: set minimum read/write access stride to 1 (git-fixes).
- exfat: fix name_hash computation on big endian systems (git-fixes).
- exfat: fix overflow issue in exfat_cluster_to_sector() (git-fixes).
- exfat: fix possible memory leak in exfat_find() (git-fixes).
- exfat: fix use of uninitialized spinlock on error path (git-fixes).
- exfat: fix wrong hint_stat initialization in exfat_find_dir_entry()
(git-fixes).
- exfat: fix wrong size update of stream entry by typo (git-fixes).
- extcon: ptn5150: Fix usage of atomic GPIO with sleeping GPIO chips
(git-fixes).
- ftrace: Move RCU is watching check after recursion check (git-fixes).
- fuse: do not ignore errors from fuse_writepages_fill() (bsc#1177193).
- futex: Adjust absolute futex timeouts with per time namespace offset
(bsc#1164648).
- futex: Consistently use fshared as boolean (bsc#1149032).
- futex: Fix incorrect should_fail_futex() handling (bsc#1149032).
- futex: Remove put_futex_key() (bsc#1149032).
- futex: Remove unused or redundant includes (bsc#1149032).
- gpio: mockup: fix resource leak in error path (git-fixes).
- gpio: rcar: Fix runtime PM imbalance on error (git-fixes).
- gpio: siox: explicitly support only threaded irqs (git-fixes).
- gpio: sprd: Clear interrupt when setting the type as edge (git-fixes).
- gpio: tc35894: fix up tc35894 interrupt configuration (git-fixes).
- gre6: Fix reception with IP6_TNL_F_RCV_DSCP_COPY
(networking-stable-20_08_24).
- gtp: add GTPA_LINK info to msg sent to userspace
(networking-stable-20_09_11).
- HID: hid-input: fix stylus battery reporting (git-fixes).
- HID: ite: Add USB id match for Acer One S1003 keyboard dock (git-fixes).
- HID: roccat: add bounds checking in kone_sysfs_write_settings()
(git-fixes).
- HID: wacom: Avoid entering wacom_wac_pen_report for pad / battery
(git-fixes).
- hwmon: (applesmc) check status earlier (git-fixes).
- hwmon: (mlxreg-fan) Fix double "Mellanox" (git-fixes).
- hwmon: (pmbus/max34440) Fix status register reads for MAX344{51,60,61}
(git-fixes).
- hyperv_fb: Update screen_info after removing old framebuffer
(bsc#1175306).
- i2c: aspeed: Mask IRQ status to relevant bits (git-fixes).
- i2c: core: Call i2c_acpi_install_space_handler() before
i2c_acpi_register_devices() (git-fixes).
- i2c: core: Restore acpi_walk_dep_device_list() getting called after
registering the ACPI i2c devs (git-fixes).
- i2c: cpm: Fix i2c_ram structure (git-fixes).
- i2c: i801: Exclude device from suspend direct complete optimization
(git-fixes).
- i2c: imx: Fix external abort on interrupt in exit paths (git-fixes).
- i2c: meson: fix clock setting overwrite (git-fixes).
- i2c: meson: fixup rate calculation with filter delay (git-fixes).
- i2c: owl: Clear NACK and BUS error bits (git-fixes).
- i2c: rcar: Auto select RESET_CONTROLLER (git-fixes).
- i2c: tegra: Prevent interrupt triggering after transfer timeout
(git-fixes).
- i2c: tegra: Restore pinmux on system resume (git-fixes).
- i3c: master add i3c_master_attach_boardinfo to preserve boardinfo
(git-fixes).
- i3c: master: Fix error return in cdns_i3c_master_probe() (git-fixes).
- ibmveth: Identify ingress large send packets (bsc#1178185 ltc#188897).
- ibmveth: Switch order of ibmveth_helper calls (bsc#1061843 git-fixes).
- ibmvnic: fix ibmvnic_set_mac (bsc#1066382 ltc#160943 git-fixes).
- ibmvnic: save changed mac address to adapter->mac_addr (bsc#1134760
ltc#177449 git-fixes).
- ibmvnic: set up 200GBPS speed (bsc#1129923 git-fixes).
- icmp: randomize the global rate limiter (git-fixes).
- ida: Free allocated bitmap in error path (git-fixes).
- ieee802154/adf7242: check status of adf7242_read_reg (git-fixes).
- ieee802154: fix one possible memleak in ca8210_dev_com_init (git-fixes).
- iio:accel:bma180: Fix use of true when should be iio_shared_by enum
(git-fixes).
- iio: adc: gyroadc: fix leak of device node iterator (git-fixes).
- iio: adc: qcom-spmi-adc5: fix driver name (git-fixes).
- iio: adc: stm32-adc: fix runtime autosuspend delay when slow polling
(git-fixes).
- iio:adc:ti-adc0832 Fix alignment issue with timestamp (git-fixes).
- iio:adc:ti-adc12138 Fix alignment issue with timestamp (git-fixes).
- iio:dac:ad5592r: Fix use of true for IIO_SHARED_BY_TYPE (git-fixes).
- iio:gyro:itg3200: Fix timestamp alignment and prevent data leak
(git-fixes).
- iio:light:si1145: Fix timestamp alignment and prevent data leak
(git-fixes).
- iio:magn:hmc5843: Fix passing true where iio_shared_by enum required
(git-fixes).
- ima: Do not ignore errors from crypto_shash_update() (git-fixes).
- ima: extend boot_aggregate with kernel measurements (bsc#1177617).
- ima: Remove semicolon at the end of ima_get_binary_runtime_size()
(git-fixes).
- Input: ati_remote2 - add missing newlines when printing module
parameters (git-fixes).
- Input: ep93xx_keypad - fix handling of platform_get_irq() error
(git-fixes).
- Input: i8042 - add nopnp quirk for Acer Aspire 5 A515 (bsc#954532).
- Input: imx6ul_tsc - clean up some errors in imx6ul_tsc_resume()
(git-fixes).
- Input: omap4-keypad - fix handling of platform_get_irq() error
(git-fixes).
- Input: stmfts - fix a & vs && typo (git-fixes).
- Input: sun4i-ps2 - fix handling of platform_get_irq() error (git-fixes).
- Input: trackpoint - enable Synaptics trackpoints (git-fixes).
- Input: twl4030_keypad - fix handling of platform_get_irq() error
(git-fixes).
- iomap: Make sure iomap_end is called after iomap_begin (bsc#1177754).
- iommu/amd: Fix IOMMU AVIC not properly update the is_run bit in IRTE
(bsc#1177297).
- iommu/amd: Fix potential @entry null deref (bsc#1177283).
- iommu/amd: Re-factor guest virtual APIC (de-)activation code
(bsc#1177284).
- iommu/amd: Restore IRTE.RemapEn bit for amd_iommu_activate_guest_mode
(bsc#1177285).
- iommu/exynos: add missing put_device() call in exynos_iommu_of_xlate()
(bsc#1177286).
- iommu/vt-d: Correctly calculate agaw in domain_init() (bsc#1176400).
- iommu/vt-d: Gracefully handle DMAR units with no supported address
widths (bsc#1177739).
- ip: fix tos reflection in ack and reset packets
(networking-stable-20_09_24).
- ipmi_si: Fix wrong return value in try_smi_init() (git-fixes).
- ipv4: Initialize flowi4_multipath_hash in data path
(networking-stable-20_09_24).
- ipv4: Restore flowi4_oif update before call to xfrm_lookup_route
(git-fixes).
- ipv4: Update exception handling for multipath routes via same device
(networking-stable-20_09_24).
- ipv6: avoid lockdep issue in fib6_del() (networking-stable-20_09_24).
- ipv6: Fix sysctl max for fib_multipath_hash_policy
(networking-stable-20_09_11).
- ipvlan: fix device features (networking-stable-20_08_24).
- iwlwifi: mvm: split a print to avoid a WARNING in ROC (git-fixes).
- kabi fix for NFS: Fix flexfiles read failover (git-fixes).
- kABI: Fix kABI after add CodeSigning extended key usage (bsc#1177353).
- kABI: Fix kABI for 12856e7acde4 PCI/IOV: Mark VFs as not implementing
PCI_COMMAND_MEMORY (bsc#1176979).
- kabi/severities: ignore kABI for target_core_rbd Match behaviour for all
other Ceph specific modules.
- kallsyms: Refactor kallsyms_show_value() to take cred (git-fixes).
- kbuild: enforce -Werror=return-type (bsc#1177281).
- kernel-binary.spec.in: Exclude .config.old from kernel-devel - use tar
excludes for .kernel-binary.spec.buildenv
- kernel-binary.spec.in: Package the obj_install_dir as explicit filelist.
- KVM: x86/mmu: Commit zap of remaining invalid pages when recovering
lpages (git-fixes).
- leds: bcm6328, bcm6358: use devres LED registering function (git-fixes).
- leds: mlxreg: Fix possible buffer overflow (git-fixes).
- leds: mt6323: move period calculation (git-fixes).
- libceph-add-support-for-CMPEXT-compare-extent-reques.patch:
(bsc#1177090).
- libceph: clear con->out_msg on Policy::stateful_server faults
(bsc#1178177).
- lib/crc32.c: fix trivial typo in preprocessor condition (git-fixes).
- lib/mpi: Add mpi_sub_ui() (bsc#1175718).
- locking/rwsem: Disable reader optimistic spinning (bnc#1176588).
- mac80211: do not allow bigger VHT MPDUs than the hardware supports
(git-fixes).
- mac80211: handle lack of sband->bitrates in rates (git-fixes).
- mac80211: skip mpath lookup also for control port tx (git-fixes).
- mac802154: tx: fix use-after-free (git-fixes).
- macsec: avoid use-after-free in macsec_handle_frame() (git-fixes).
- mailbox: avoid timer start from callback (git-fixes).
- media: ati_remote: sanity check for both endpoints (git-fixes).
- media: bdisp: Fix runtime PM imbalance on error (git-fixes).
- media: camss: Fix a reference count leak (git-fixes).
- media: exynos4-is: Fix a reference count leak due to pm_runtime_get_sync
(git-fixes).
- media: exynos4-is: Fix a reference count leak (git-fixes).
- media: exynos4-is: Fix several reference count leaks due to
pm_runtime_get_sync (git-fixes).
- media: firewire: fix memory leak (git-fixes).
- media: i2c: ov5640: Enable data pins on poweron for DVP mode (git-fixes).
- media: i2c: ov5640: Remain in power down for DVP mode unless streaming
(git-fixes).
- media: i2c: ov5640: Separate out mipi configuration from s_power
(git-fixes).
- media: imx274: fix frame interval handling (git-fixes).
- media: m5mols: Check function pointer in m5mols_sensor_power (git-fixes).
- media: mc-device.c: fix memleak in media_device_register_entity
(git-fixes).
- media: media/pci: prevent memory leak in bttv_probe (git-fixes).
- media: mx2_emmaprp: Fix memleak in emmaprp_probe (git-fixes).
- media: omap3isp: Fix memleak in isp_probe (git-fixes).
- media: ov5640: Correct Bit Div register in clock tree diagram
(git-fixes).
- media: platform: fcp: Fix a reference count leak (git-fixes).
- media: platform: Improve queue set up flow for bug fixing (git-fixes).
- media: platform: s3c-camif: Fix runtime PM imbalance on error
(git-fixes).
- media: platform: sti: hva: Fix runtime PM imbalance on error (git-fixes).
- media: rcar-csi2: Allocate v4l2_async_subdev dynamically (git-fixes).
- media: rcar_drif: Allocate v4l2_async_subdev dynamically (git-fixes).
- media: rcar_drif: Fix fwnode reference leak when parsing DT (git-fixes).
- media: rcar-vin: Fix a reference count leak (git-fixes).
- media: rc: do not access device via sysfs after rc_unregister_device()
(git-fixes).
- media: rc: uevent sysfs file races with rc_unregister_device()
(git-fixes).
- media: Revert "media: exynos4-is: Add missed check for
pinctrl_lookup_state()" (git-fixes).
- media: rockchip/rga: Fix a reference count leak (git-fixes).
- media: s5p-mfc: Fix a reference count leak (git-fixes).
- media: saa7134: avoid a shift overflow (git-fixes).
- media: smiapp: Fix error handling at NVM reading (git-fixes).
- media: staging/intel-ipu3: css: Correctly reset some memory (git-fixes).
- media: st-delta: Fix reference count leak in delta_run_work (git-fixes).
- media: sti: Fix reference count leaks (git-fixes).
- media: stm32-dcmi: Fix a reference count leak (git-fixes).
- media: tc358743: cleanup tc358743_cec_isr (git-fixes).
- media: tc358743: initialize variable (git-fixes).
- media: ti-vpe: cal: Restrict DMA to avoid memory corruption (git-fixes).
- media: ti-vpe: Fix a missing check and reference count leak (git-fixes).
- media: tuner-simple: fix regression in simple_set_radio_freq (git-fixes).
- media: tw5864: check status of tw5864_frameinterval_get (git-fixes).
- media: usbtv: Fix refcounting mixup (git-fixes).
- media: uvcvideo: Ensure all probed info is returned to v4l2 (git-fixes).
- media: uvcvideo: Fix dereference of out-of-bound list iterator
(git-fixes).
- media: uvcvideo: Fix uvc_ctrl_fixup_xu_info() not having any effect
(git-fixes).
- media: uvcvideo: Set media controller entity functions (git-fixes).
- media: uvcvideo: Silence shift-out-of-bounds warning (git-fixes).
- media: v4l2-async: Document asd allocation requirements (git-fixes).
- media: venus: core: Fix runtime PM imbalance in venus_probe (git-fixes).
- media: vsp1: Fix runtime PM imbalance on error (git-fixes).
- memory: fsl-corenet-cf: Fix handling of platform_get_irq() error
(git-fixes).
- memory: omap-gpmc: Fix a couple off by ones (git-fixes).
- memory: omap-gpmc: Fix build error without CONFIG_OF (git-fixes).
- mfd: mfd-core: Protect against NULL call-back function pointer
(git-fixes).
- mfd: sm501: Fix leaks in probe() (git-fixes).
- mic: vop: copy data to kernel space then write to io memory (git-fixes).
- misc: mic: scif: Fix error handling path (git-fixes).
- misc: rtsx: Fix memory leak in rtsx_pci_probe (git-fixes).
- misc: vop: add round_up(x,4) for vring_size to avoid kernel panic
(git-fixes).
- mm: call cond_resched() from deferred_init_memmap() (git fixes
(mm/init), bsc#1177697).
- mmc: core: do not set limits.discard_granularity as 0 (git-fixes).
- mmc: core: Rework wp-gpio handling (git-fixes).
- mm, compaction: fully assume capture is not NULL in compact_zone_order()
(git fixes (mm/compaction), bsc#1177681).
- mm, compaction: make capture control handling safe wrt interrupts (git
fixes (mm/compaction), bsc#1177681).
- mmc: sdhci-acpi: AMDI0040: Set SDHCI_QUIRK2_PRESET_VALUE_BROKEN
(git-fixes).
- mmc: sdhci: Add LTR support for some Intel BYT based controllers
(git-fixes).
- mmc: sdhci: Workaround broken command queuing on Intel GLK based IRBIS
models (git-fixes).
- mmc: sdio: Check for CISTPL_VERS_1 buffer size (git-fixes).
- mm/debug.c: always print flags in dump_page() (git fixes (mm/debug)).
- mm: do not panic when links can't be created in sysfs (bsc#1178002).
- mm: do not rely on system state to detect hot-plug operations
(bsc#1178002).
- mm: fix a race during THP splitting (bsc#1178255).
- mm/huge_memory.c: use head to check huge zero page (git-fixes (mm/thp)).
- mm: initialize deferred pages with interrupts enabled (git fixes
(mm/init), bsc#1177697).
- mm: madvise: fix vma user-after-free (git-fixes).
- mm/memcontrol.c: lost css_put in memcg_expand_shrinker_maps()
(bsc#1177694).
- mm/mempolicy.c: fix out of bounds write in mpol_parse_str() (git-fixes
(mm/mempolicy)).
- mm/migrate.c: also overwrite error when it is bigger than zero (git
fixes (mm/move_pages), bsc#1177683).
- mm: move_pages: report the number of non-attempted pages (git fixes
(mm/move_pages), bsc#1177683).
- mm: move_pages: return valid node id in status if the page is already on
the target node (git fixes (mm/move_pages), bsc#1177683).
- mm/pagealloc.c: call touch_nmi_watchdog() on max order boundaries in
deferred init (git fixes (mm/init), bsc#1177697).
- mm/page-writeback.c: avoid potential division by zero in
wb_min_max_ratio() (git-fixes (mm/writeback)).
- mm/page-writeback.c: improve arithmetic divisions (git-fixes
(mm/writeback)).
- mm: replace memmap_context by meminit_context (bsc#1178002).
- mm/rmap: fixup copying of soft dirty and uffd ptes (git-fixes (mm/rmap)).
- mm, slab/slub: improve error reporting and overhead of cache_from_obj()
(mm/slub bsc#1165692).
- mm, slab/slub: move and improve cache_from_obj() (mm/slub bsc#1165692).
- mm, slub: extend checks guarded by slub_debug static key (mm/slub
bsc#1165692).
- mm, slub: extend slub_debug syntax for multiple blocks (mm/slub
bsc#1165692).
- mm, slub: introduce kmem_cache_debug_flags() (mm/slub bsc#1165692).
- mm, slub: introduce static key for slub_debug() (mm/slub bsc#1165692).
- mm, slub: make reclaim_account attribute read-only (mm/slub bsc#1165692).
- mm, slub: make remaining slub_debug related attributes read-only
(mm/slub bsc#1165692).
- mm, slub: make some slub_debug related attributes read-only (mm/slub
bsc#1165692).
- mm, slub: remove runtime allocation order changes (mm/slub bsc#1165692).
- mm, slub: restore initial kmem_cache flags (mm/slub bsc#1165692).
- mm/swapfile.c: fix potential memory leak in sys_swapon (git-fixes).
- mm/zsmalloc.c: fix the migrated zspage statistics (git-fixes
(mm/zsmalloc)).
- module: Correctly truncate sysfs sections output (git-fixes).
- module: Do not expose section addresses to non-CAP_SYSLOG (git-fixes).
- module: Refactor section attr into bin attribute (git-fixes).
- module: statically initialize init section freeing data (git-fixes).
- Move upstreamed BT patch into sorted section
- Move upstreamed intel-vbtn patch into sorted section
- mt76: add missing locking around ampdu action (git-fixes).
- mt76: clear skb pointers from rx aggregation reorder buffer during
cleanup (git-fixes).
- mt76: do not use devm API for led classdev (git-fixes).
- mt76: fix handling full tx queues in mt76_dma_tx_queue_skb_raw
(git-fixes).
- mt76: fix LED link time failure (git-fixes).
- mtd: cfi_cmdset_0002: do not free cfi->cfiq in error path of
cfi_amdstd_setup() (git-fixes).
- mtd: lpddr: Fix bad logic in print_drs_error (git-fixes).
- mtd: lpddr: fix excessive stack usage with clang (git-fixes).
- mtd: mtdoops: Do not write panic data twice (git-fixes).
- mtd: rawnand: gpmi: Fix runtime PM imbalance on error (git-fixes).
- mtd: rawnand: omap_elm: Fix runtime PM imbalance on error (git-fixes).
- mtd: rawnand: stm32_fmc2: fix a buffer overflow (git-fixes).
- mtd: rawnand: vf610: disable clk on error handling path in probe
(git-fixes).
- mtd: spinand: gigadevice: Add QE Bit (git-fixes).
- mtd: spinand: gigadevice: Only one dummy byte in QUADIO (git-fixes).
- mwifiex: do not call del_timer_sync() on uninitialized timer (git-fixes).
- mwifiex: Do not use GFP_KERNEL in atomic context (git-fixes).
- mwifiex: fix double free (git-fixes).
- mwifiex: remove function pointer check (git-fixes).
- mwifiex: Remove unnecessary braces from HostCmd_SET_SEQ_NO_BSS_INFO
(git-fixes).
- net: bridge: br_vlan_get_pvid_rcu() should dereference the VLAN group
under RCU (networking-stable-20_09_24).
- net/core: check length before updating Ethertype in skb_mpls_{push,pop}
(git-fixes).
- net: DCB: Validate DCB_ATTR_DCB_BUFFER argument
(networking-stable-20_09_24).
- net: disable netpoll on fresh napis (networking-stable-20_09_11).
- net: dsa: b53: check for timeout (networking-stable-20_08_24).
- net: dsa: rtl8366: Properly clear member config
(networking-stable-20_09_24).
- net: fec: correct the error path for regulator disable in probe
(networking-stable-20_08_24).
- net: Fix bridge enslavement failure (networking-stable-20_09_24).
- net: Fix potential wrong skb->protocol in skb_vlan_untag()
(networking-stable-20_08_24).
- net: hns: Fix memleak in hns_nic_dev_probe (networking-stable-20_09_11).
- net: ipv6: fix kconfig dependency warning for IPV6_SEG6_HMAC
(networking-stable-20_09_24).
- netlabel: fix problems with mapping removal (networking-stable-20_09_11).
- net: lantiq: Disable IRQs only if NAPI gets scheduled
(networking-stable-20_09_24).
- net: lantiq: Use napi_complete_done() (networking-stable-20_09_24).
- net: lantiq: use netif_tx_napi_add() for TX NAPI
(networking-stable-20_09_24).
- net: lantiq: Wake TX queue again (networking-stable-20_09_24).
- net/mlx5e: Enable adding peer miss rules only if merged eswitch is
supported (networking-stable-20_09_24).
- net/mlx5e: TLS, Do not expose FPGA TLS counter if not supported
(networking-stable-20_09_24).
- net/mlx5: Fix FTE cleanup (networking-stable-20_09_24).
- net: mscc: ocelot: fix race condition with TX timestamping (bsc#1178461).
- net: phy: Avoid NPD upon phy_detach() when driver is unbound
(networking-stable-20_09_24).
- net: phy: Do not warn in phy_stop() on PHY_DOWN
(networking-stable-20_09_24).
- net: phy: realtek: fix rtl8211e rx/tx delay config (git-fixes).
- net: qrtr: fix usage of idr in port assignment to socket
(networking-stable-20_08_24).
- net/sched: act_ct: Fix skb double-free in tcf_ct_handle_fragments()
error flow (networking-stable-20_08_24).
- net: sctp: Fix IPv6 ancestor_size calc in sctp_copy_descendant
(networking-stable-20_09_24).
- net: sctp: Fix negotiation of the number of data streams
(networking-stable-20_08_24).
- net/smc: Prevent kernel-infoleak in __smc_diag_dump()
(networking-stable-20_08_24).
- net: systemport: Fix memleak in bcm_sysport_probe
(networking-stable-20_09_11).
- net: usb: dm9601: Add USB ID of Keenetic Plus DSL
(networking-stable-20_09_11).
- net: usb: qmi_wwan: add Cellient MPL200 card (git-fixes).
- net: usb: rtl8150: set random MAC address when set_ethernet_addr() fails
(git-fixes).
- net: wireless: nl80211: fix out-of-bounds access in nl80211_del_key()
(git-fixes).
- nfc: Ensure presence of NFC_ATTR_FIRMWARE_NAME attribute in
nfc_genl_fw_download() (git-fixes).
- nfp: use correct define to return NONE fec (networking-stable-20_09_24).
- nfsd4: fix NULL dereference in nfsd/clients display code (git-fixes).
- NFS: Do not move layouts to plh_return_segs list while in use
(git-fixes).
- NFS: Do not return layout segments that are in use (git-fixes).
- nfs: ensure correct writeback errors are returned on close() (git-fixes).
- NFS: Fix flexfiles read failover (git-fixes).
- nfs: Fix security label length not being reset (bsc#1176381).
- nfs: nfs_file_write() should check for writeback errors (git-fixes).
- NFSv4.2: fix client's attribute cache management for copy_file_range
(git-fixes).
- nl80211: fix non-split wiphy information (git-fixes).
- NTB: hw: amd: fix an issue about leak system resources (git-fixes).
- ntb: intel: Fix memleak in intel_ntb_pci_probe (git-fixes).
- nvme-multipath: retry commands for dying queues (bsc#1171688).
- nvme-rdma: fix crash due to incorrect cqe (bsc#1174748).
- nvme-rdma: fix crash when connect rejected (bsc#1174748).
- overflow: Include header file with SIZE_MAX declaration (git-fixes).
- p54: avoid accessing the data mapped to streaming DMA (git-fixes).
- PCI: aardvark: Check for errors from pci_bridge_emul_init() call
(git-fixes).
- PCI/ACPI: Whitelist hotplug ports for D3 if power managed by ACPI
(git-fixes).
- PCI: Avoid double hpmemsize MMIO window assignment (git-fixes).
- PCI/IOV: Mark VFs as not implementing PCI_COMMAND_MEMORY (bsc#1176979).
- PCI: tegra194: Fix runtime PM imbalance on error (git-fixes).
- PCI: tegra: Fix runtime PM imbalance on error (git-fixes).
- percpu: fix first chunk size calculation for populated bitmap (git-fixes
(mm/percpu)).
- perf/x86/amd: Fix sampling Large Increment per Cycle events
(bsc#1152489).
- perf/x86: Fix n_pair for cancelled txn (bsc#1152489).
- phy: ti: am654: Fix a leak in serdes_am654_probe() (git-fixes).
- pinctrl: bcm: fix kconfig dependency warning when !GPIOLIB (git-fixes).
- pinctrl: mcp23s08: Fix mcp23x17 precious range (git-fixes).
- pinctrl: mcp23s08: Fix mcp23x17_regmap initialiser (git-fixes).
- pinctrl: mvebu: Fix i2c sda definition for 98DX3236 (git-fixes).
- PKCS#7: Check codeSigning EKU for kernel module and kexec pe
verification.
- PKCS#7: Check codeSigning EKU for kernel module and kexec pe
verification (bsc#1177353).
- Platform: OLPC: Fix memleak in olpc_ec_probe (git-fixes).
- platform/x86: fix kconfig dependency warning for FUJITSU_LAPTOP
(git-fixes).
- platform/x86: fix kconfig dependency warning for LG_LAPTOP (git-fixes).
- platform/x86: intel_pmc_core: do not create a static struct device
(git-fixes).
- platform/x86: intel-vbtn: Switch to an allow-list for SW_TABLET_MODE
reporting (bsc#1175599).
- platform/x86: mlx-platform: Remove PSU EEPROM configuration (git-fixes).
- platform/x86: thinkpad_acpi: initialize tp_nvram_state variable
(git-fixes).
- platform/x86: thinkpad_acpi: re-initialize ACPI buffer size when reuse
(git-fixes).
- PM: hibernate: Batch hibernate and resume IO requests (bsc#1178079).
- PM: hibernate: remove the bogus call to get_gendisk() in
software_resume() (git-fixes).
- PM: runtime: Drop runtime PM references to supplier on link removal
(git-fixes).
- pNFS/flexfiles: Ensure we initialise the mirror bsizes correctly on read
(git-fixes).
- powerpc/book3s64/radix: Make radix_mem_block_size 64bit (bsc#1055186
ltc#153436 git-fixes).
- powerpc/dma: Fix dma_map_ops::get_required_mask (bsc#1065729).
- powerpc: Fix undetected data corruption with P9N DD2.1 VSX CI load
emulation (bsc#1065729).
- powerpc/hwirq: Remove stale forward irq_chip declaration (bsc#1065729).
- powerpc/icp-hv: Fix missing of_node_put() in success path (bsc#1065729).
- powerpc/irq: Drop forward declaration of struct irqaction (bsc#1065729).
- powerpc/papr_scm: Fix warning triggered by perf_stats_show()
(bsc#1175052 jsc#SLE-13823 bsc#1174969 jsc#SLE-12769 git-fixes).
- powerpc/perf/hv-gpci: Fix starting index value (bsc#1065729).
- powerpc/powernv/dump: Fix race while processing OPAL dump (bsc#1065729).
- powerpc/powernv/elog: Fix race while processing OPAL error log event
(bsc#1065729).
- powerpc/pseries: Avoid using addr_to_pfn in real mode (jsc#SLE-9246
git-fixes).
- powerpc/pseries: explicitly reschedule during drmem_lmb list traversal
(bsc#1077428 ltc#163882 git-fixes).
- powerpc/pseries: Fix missing of_node_put() in rng_init() (bsc#1065729).
- power: supply: bq27xxx: report "not charging" on all types (git-fixes).
- power: supply: max17040: Correct voltage reading (git-fixes).
- power: supply: test_power: add missing newlines when printing parameters
by sysfs (git-fixes).
- pwm: img: Fix null pointer access in probe (git-fixes).
- pwm: lpss: Add range limit check for the base_unit register value
(git-fixes).
- pwm: lpss: Fix off by one error in base_unit math in pwm_lpss_prepare()
(git-fixes).
- qla2xxx: Return EBUSY on fcport deletion (bsc#1171688).
- qtnfmac: fix resource leaks on unsupported iftype error return path
(git-fixes).
- r8169: fix data corruption issue on RTL8402 (bsc#1174098).
- r8169: fix issue with forced threading in combination with shared
interrupts (git-fixes).
- r8169: fix operation under forced interrupt threading (git-fixes).
- rapidio: fix the missed put_device() for rio_mport_add_riodev
(git-fixes).
- rbd-add-rbd_img_fill_cmp_and_write_from_bvecs.patch: (bsc#1177090).
- rbd-add-support-for-COMPARE_AND_WRITE-CMPEXT.patch: (bsc#1177090).
- RDMA/hfi1: Correct an interlock issue for TID RDMA WRITE request
(bsc#1175621).
- Refresh
patches.suse/fnic-to-not-call-scsi_done-for-unhandled-commands.patch
(bsc#1168468, bsc#1171675).
- regulator: axp20x: fix LDO2/4 description (git-fixes).
- regulator: defer probe when trying to get voltage from unresolved supply
(git-fixes).
- regulator: resolve supply after creating regulator (git-fixes).
- rename Other drivers / Intel IOMMU subsection to IOMMU
- reset: sti: reset-syscfg: fix struct description warnings (git-fixes).
- ring-buffer: Return 0 on success from ring_buffer_resize() (git-fixes).
- rpm/kernel-module-subpackage: make Group tag optional (bsc#1163592)
- rtc: ds1374: fix possible race condition (git-fixes).
- rtc: rx8010: do not modify the global rtc ops (git-fixes).
- rtc: sa1100: fix possible race condition (git-fixes).
- rtl8xxxu: prevent potential memory leak (git-fixes).
- rtw88: increse the size of rx buffer size (git-fixes).
- s390/cio: add cond_resched() in the slow_eval_known_fn() loop
(bsc#1177799 LTC#188733).
- s390/dasd: Fix zero write for FBA devices (bsc#1177801 LTC#188735).
- s390/pci: Mark all VFs as not implementing PCI_COMMAND_MEMORY
(bsc#1176979).
- sched/fair: Ignore cache hotness for SMT migration (bnc#1155798 (CPU
scheduler functional and performance backports)).
- sched/fair: Use dst group while checking imbalance for NUMA balancer
(bnc#1155798 (CPU scheduler functional and performance backports)).
- sched/numa: Avoid creating large imbalances at task creation time
(bnc#1176588).
- sched/numa: Check numa balancing information only when enabled
(bnc#1176588).
- sched/numa: Use runnable_avg to classify node (bnc#1155798 (CPU
scheduler functional and performance backports)).
- scsi: ibmvfc: Fix error return in ibmvfc_probe() (bsc#1065729).
- scsi: ibmvscsi: Fix potential race after loss of transport (bsc#1178166
ltc#188226).
- scsi: iscsi: iscsi_tcp: Avoid holding spinlock while calling
getpeername() (bsc#1177258).
- scsi: mptfusion: Do not use GFP_ATOMIC for larger DMA allocations
(bsc#1175898, ECO-2743).
- scsi: qla2xxx: Add IOCB resource tracking (bsc#1171688 bsc#1174003).
- scsi: qla2xxx: Add rport fields in debugfs (bsc#1171688 bsc#1174003).
- scsi: qla2xxx: Add SLER and PI control support (bsc#1171688 bsc#1174003).
- scsi: qla2xxx: Allow dev_loss_tmo setting for FC-NVMe devices
(bsc#1171688 bsc#1174003).
- scsi: qla2xxx: Correct the check for sscanf() return value (bsc#1171688
bsc#1174003).
- scsi: qla2xxx: Fix buffer-buffer credit extraction error (bsc#1171688
bsc#1174003).
- scsi: qla2xxx: Fix crash on session cleanup with unload (bsc#1171688
bsc#1174003).
- scsi: qla2xxx: Fix inconsistent format argument type in qla_dbg.c
(bsc#1171688 bsc#1174003).
- scsi: qla2xxx: Fix inconsistent format argument type in qla_os.c
(bsc#1171688 bsc#1174003).
- scsi: qla2xxx: Fix inconsistent format argument type in tcm_qla2xxx.c
(bsc#1171688 bsc#1174003).
- scsi: qla2xxx: Fix I/O errors during LIP reset tests (bsc#1171688
bsc#1174003).
- scsi: qla2xxx: Fix I/O failures during remote port toggle testing
(bsc#1171688 bsc#1174003).
- scsi: qla2xxx: Fix memory size truncation (bsc#1171688 bsc#1174003).
- scsi: qla2xxx: Fix MPI reset needed message (bsc#1171688 bsc#1174003).
- scsi: qla2xxx: Fix point-to-point (N2N) device discovery issue
(bsc#1171688 bsc#1174003).
- scsi: qla2xxx: Fix reset of MPI firmware (bsc#1171688 bsc#1174003).
- scsi: qla2xxx: Honor status qualifier in FCP_RSP per spec (bsc#1171688
bsc#1174003).
- scsi: qla2xxx: Make tgt_port_database available in initiator mode
(bsc#1171688 bsc#1174003).
- scsi: qla2xxx: Performance tweak (bsc#1171688 bsc#1174003).
- scsi: qla2xxx: Reduce duplicate code in reporting speed (bsc#1171688
bsc#1174003).
- scsi: qla2xxx: Remove unneeded variable 'rval' (bsc#1171688 bsc#1174003).
- scsi: qla2xxx: Setup debugfs entries for remote ports (bsc#1171688
bsc#1174003).
- scsi: qla2xxx: Update version to 10.02.00.102-k (bsc#1171688
bsc#1174003).
- scsi: qla2xxx: Update version to 10.02.00.103-k (bsc#1171688
bsc#1174003).
- sctp: not disable bh in the whole sctp_get_port_local()
(networking-stable-20_09_11).
- selftests/timers: Turn off timeout setting (git-fixes).
- serial: 8250: 8250_omap: Terminate DMA before pushing data on RX timeout
(git-fixes).
- serial: 8250_mtk: Fix uart_get_baud_rate warning (git-fixes).
- serial: 8250_omap: Fix sleeping function called from invalid context
during probe (git-fixes).
- serial: 8250_port: Do not service RX FIFO if throttled (git-fixes).
- serial: txx9: add missing platform_driver_unregister() on error in
serial_txx9_init (git-fixes).
- serial: uartps: Wait for tx_empty in console setup (git-fixes).
- slimbus: core: check get_addr before removing laddr ida (git-fixes).
- slimbus: core: do not enter to clock pause mode in core (git-fixes).
- slimbus: qcom-ngd-ctrl: disable ngd in qmi server down callback
(git-fixes).
- soc: fsl: qbman: Fix return value on success (git-fixes).
- spi: dw-pci: free previously allocated IRQs if desc->setup() fails
(git-fixes).
- spi: fsl-espi: Only process interrupts for expected events (git-fixes).
- spi: omap2-mcspi: Improve performance waiting for CHSTAT (git-fixes).
- spi: spi-s3c64xx: Check return values (git-fixes).
- spi: spi-s3c64xx: swap s3c64xx_spi_set_cs() and
s3c64xx_enable_datapath() (git-fixes).
- spi: sprd: Release DMA channel also on probe deferral (git-fixes).
- spi: stm32: Rate-limit the 'Communication suspended' message (git-fixes).
- staging: comedi: cb_pcidas: Allow 2-channel commands for AO subdevice
(git-fixes).
- staging: comedi: check validity of wMaxPacketSize of usb endpoints found
(git-fixes).
- staging: octeon: Drop on uncorrectable alignment or FCS error
(git-fixes).
- staging: octeon: repair "fixed-link" support (git-fixes).
- staging:r8188eu: avoid skb_clone for amsdu to msdu conversion
(git-fixes).
- staging: rtl8192u: Do not use GFP_KERNEL in atomic context (git-fixes).
- SUNRPC: Revert 241b1f419f0e ("SUNRPC: Remove xdr_buf_trim()")
(git-fixes).
- svcrdma: Fix page leak in svc_rdma_recv_read_chunk() (git-fixes).
- taprio: Fix allowing too small intervals (networking-stable-20_09_24).
- target-compare-and-write-backend-driver-sense-handli.patch:
(bsc#1177719).
- target-rbd-add-emulate_legacy_capacity-dev-attribute.patch:
(bsc#1177109).
- target-rbd-add-WRITE-SAME-support.patch: (bsc#1177090).
- target-rbd-conditionally-fix-off-by-one-bug-in-get_b.patch:
(bsc#1177109).
- target-rbd-detect-stripe_unit-SCSI-block-size-misali.patch:
(bsc#1177090).
- target-rbd-fix-unmap-discard-block-size-conversion.patch: (bsc#1177271).
- target-rbd-fix-unmap-handling-with-unmap_zeroes_data.patch:
(bsc#1177271).
- target-rbd-support-COMPARE_AND_WRITE.patch: (bsc#1177090).
- thermal: rcar_thermal: Handle probe error gracefully (git-fixes).
- time: Prevent undefined behaviour in timespec64_to_ns() (bsc#1164648).
- tipc: fix memory leak caused by tipc_buf_append() (git-fixes).
- tipc: Fix memory leak in tipc_group_create_member()
(networking-stable-20_09_24).
- tipc: fix shutdown() of connectionless socket
(networking-stable-20_09_11).
- tipc: fix shutdown() of connection oriented socket
(networking-stable-20_09_24).
- tipc: fix the skb_unshare() in tipc_buf_append() (git-fixes).
- tipc: fix uninit skb->data in tipc_nl_compat_dumpit()
(networking-stable-20_08_24).
- tipc: use skb_unshare() instead in tipc_buf_append()
(networking-stable-20_09_24).
- tracing: Check return value of __create_val_fields() before using its
result (git-fixes).
- tracing: Save normal string variables (git-fixes).
- tty: ipwireless: fix error handling (git-fixes).
- tty: serial: fsl_lpuart: fix lpuart32_poll_get_char (git-fixes).
- uio: free uio id after uio file node is freed (git-fixes).
- Update config files. Enable ACPI_PCI_SLOT and HOTPLUG_PCI_ACPI
(bsc#1177194).
- Update patches.suse/target-add-rbd-backend.patch: (). (simplify block to
byte calculations and use consistent error paths)
- USB: adutux: fix debugging (git-fixes).
- usb: cdc-acm: add quirk to blacklist ETAS ES58X devices (git-fixes).
- usb: cdc-acm: fix cooldown mechanism (git-fixes).
- USB: cdc-acm: handle broken union descriptors (git-fixes).
- USB: cdc-wdm: Make wdm_flush() interruptible and add wdm_fsync()
(git-fixes).
- usb: core: Solve race condition in anchor cleanup functions (git-fixes).
- usb: dwc2: Fix INTR OUT transfers in DDMA mode (git-fixes).
- usb: dwc2: Fix parameter type in function pointer prototype (git-fixes).
- usb: dwc3: core: add phy cleanup for probe error handling (git-fixes).
- usb: dwc3: core: do not trigger runtime pm when remove driver
(git-fixes).
- usb: dwc3: ep0: Fix ZLP for OUT ep0 requests (git-fixes).
- usb: dwc3: gadget: Resume pending requests after CLEAR_STALL (git-fixes).
- usb: dwc3: Increase timeout for CmdAct cleared by device controller
(git-fixes).
- usb: dwc3: pci: Allow Elkhart Lake to utilize DSM method for PM
functionality (git-fixes).
- usb: dwc3: simple: add support for Hikey 970 (git-fixes).
- USB: EHCI: ehci-mv: fix error handling in mv_ehci_probe() (git-fixes).
- USB: EHCI: ehci-mv: fix less than zero comparison of an unsigned int
(git-fixes).
- usb: gadget: f_ncm: allow using NCM in SuperSpeed Plus gadgets
(git-fixes).
- usb: gadget: f_ncm: fix ncm_bitrate for SuperSpeed and above (git-fixes).
- USB: gadget: f_ncm: Fix NDP16 datagram validation (git-fixes).
- usb: gadget: function: printer: fix use-after-free in __lock_acquire
(git-fixes).
- usb: gadget: u_ether: enable qmult on SuperSpeed Plus as well
(git-fixes).
- usblp: fix race between disconnect() and read() (git-fixes).
- usb: mtu3: fix panic in mtu3_gadget_stop() (git-fixes).
- usb: ohci: Default to per-port over-current protection (git-fixes).
- USB: serial: cyberjack: fix write-URB completion race (git-fixes).
- USB: serial: ftdi_sio: add support for FreeCalypso JTAG+UART adapters
(git-fixes).
- USB: serial: option: add Cellient MPL200 card (git-fixes).
- USB: serial: option: Add Telit FT980-KS composition (git-fixes).
- USB: serial: pl2303: add device-id for HP GC device (git-fixes).
- USB: serial: qcserial: fix altsetting probing (git-fixes).
- usb: typec: tcpm: During PR_SWAP, source caps should be sent only after
tSwapSourceStart (git-fixes).
- usb: xhci-mtk: Fix typo (git-fixes).
- usb: xhci: omit duplicate actions when suspending a runtime suspended
host (git-fixes).
- vfio/pci: Decouple PCI_COMMAND_MEMORY bit checks from is_virtfn
(bsc#1176979).
- video: hyperv: hyperv_fb: Obtain screen resolution from Hyper-V host
(bsc#1175306).
- video: hyperv: hyperv_fb: Support deferred IO for Hyper-V frame buffer
driver (bsc#1175306).
- video: hyperv: hyperv_fb: Use physical memory for fb on HyperV Gen 1 VMs
(bsc#1175306).
- virtio-net: do not disable guest csum when disable LRO (git-fixes).
- VMCI: check return value of get_user_pages_fast() for errors (git-fixes).
- vmxnet3: fix cksum offload issues for non-udp tunnels (git-fixes).
- w1: mxc_w1: Fix timeout resolution problem leading to bus error
(git-fixes).
- watchdog: Fix memleak in watchdog_cdev_register (git-fixes).
- watchdog: sp5100: Fix definition of EFCH_PM_DECODEEN3 (git-fixes).
- watchdog: Use put_device on error (git-fixes).
- wcn36xx: Fix reported 802.11n rx_highest rate wcn3660/wcn3680
(git-fixes).
- wlcore: fix runtime pm imbalance in wl1271_tx_work (git-fixes).
- wlcore: fix runtime pm imbalance in wlcore_regdomain_config (git-fixes).
- writeback: Avoid skipping inode writeback (bsc#1177755).
- writeback: Fix sync livelock due to b_dirty_time processing
(bsc#1177755).
- writeback: Protect inode->i_io_list with inode->i_lock (bsc#1177755).
- X.509: Add CodeSigning extended key usage parsing (bsc#1177353).
- x86/alternative: Do not call text_poke() in lazy TLB mode (bsc#1175749).
- x86/fpu: Allow multiple bits in clearcpuid= parameter (bsc#1152489).
- x86/ioapic: Unbreak check_timer() (bsc#1152489).
- x86/kexec: Use up-to-dated screen_info copy to fill boot params
(bsc#1175306).
- x86/{mce,mm}: Unmap the entire page if the whole page is affected and
poisoned (bsc#1177765).
- x86/mm: unencrypted non-blocking DMA allocations use coherent pools
(bsc#1175898, ECO-2743).
- x86/unwind/orc: Fix inactive tasks with stack pointer in %sp on GCC 10
compiled kernels (bsc#1176907).
- x86/xen: disable Firmware First mode for correctable memory errors
(bsc#1176713).
- xen/blkback: use lateeoi irq binding (XSA-332 bsc#1177411).
- xen/events: add a new "late EOI" evtchn framework (XSA-332 bsc#1177411).
- xen/events: add a proper barrier to 2-level uevent unmasking (XSA-332
bsc#1177411).
- xen/events: avoid removing an event channel while handling it (XSA-331
bsc#1177410).
- xen/events: block rogue events for some time (XSA-332 bsc#1177411).
- xen/events: defer eoi in case of excessive number of events (XSA-332
bsc#1177411).
- xen/events: do not use chip_data for legacy IRQs (bsc#1065600).
- xen/events: fix race in evtchn_fifo_unmask() (XSA-332 bsc#1177411).
- xen/events: switch user event channels to lateeoi model (XSA-332
bsc#1177411).
- xen/events: use a common cpu hotplug hook for event channels (XSA-332
bsc#1177411).
- xen/gntdev.c: Mark pages as dirty (bsc#1065600).
- xen/netback: use lateeoi irq binding (XSA-332 bsc#1177411).
- xen/pciback: use lateeoi irq binding (XSA-332 bsc#1177411).
- xen/pvcallsback: use lateeoi irq binding (XSA-332 bsc#1177411).
- xen/scsiback: use lateeoi irq binding (XSA-332 bsc#1177411).
- xfs: complain if anyone tries to create a too-large buffer log item
(bsc#1166146).
- xfs: do not update mtime on COW faults (bsc#1167030).
- xfs: fix high key handling in the rt allocator's query_range function
(git-fixes).
- xfs: fix scrub flagging rtinherit even if there is no rt device
(git-fixes).
- xfs: fix xfs_bmap_validate_extent_raw when checking attr fork of rt
files (git-fixes).
- xfs: flush new eof page on truncate to avoid post-eof corruption
(git-fixes).
- xfs: force the log after remapping a synchronous-writes file (git-fixes).
- xfs: introduce XFS_MAX_FILEOFF (bsc#1166166).
- xfs: limit entries returned when counting fsmap records (git-fixes).
- xfs: remove unused variable 'done' (bsc#1166166).
- xfs: set xefi_discard when creating a deferred agfl free log intent item
(git-fixes).
- xfs: truncate should remove all blocks, not just to the end of the page
cache (bsc#1166166).
- xhci: do not create endpoint debugfs entry before ring buffer is set
(git-fixes).
- xprtrdma: fix incorrect header size calculations (git-fixes).
- yam: fix possible memory leak in yam_init_driver (git-fixes).
Special Instructions and Notes:
Please reboot the system after installing this update.
Patch Instructions:
To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 15.2:
zypper in -t patch openSUSE-2020-2112=1
Package List:
- openSUSE Leap 15.2 (x86_64):
kernel-default-base-5.3.18-lp152.50.1.lp152.8.10.1
kernel-default-base-rebuild-5.3.18-lp152.50.1.lp152.8.10.1
References:
https://www.suse.com/security/cve/CVE-2020-12351.html
https://www.suse.com/security/cve/CVE-2020-12352.html
https://www.suse.com/security/cve/CVE-2020-14351.html
https://www.suse.com/security/cve/CVE-2020-16120.html
https://www.suse.com/security/cve/CVE-2020-24490.html
https://www.suse.com/security/cve/CVE-2020-25212.html
https://www.suse.com/security/cve/CVE-2020-25285.html
https://www.suse.com/security/cve/CVE-2020-25641.html
https://www.suse.com/security/cve/CVE-2020-25643.html
https://www.suse.com/security/cve/CVE-2020-25645.html
https://www.suse.com/security/cve/CVE-2020-25656.html
https://www.suse.com/security/cve/CVE-2020-25668.html
https://www.suse.com/security/cve/CVE-2020-25704.html
https://www.suse.com/security/cve/CVE-2020-25705.html
https://www.suse.com/security/cve/CVE-2020-8694.html
https://bugzilla.suse.com/1055014
https://bugzilla.suse.com/1055186
https://bugzilla.suse.com/1061843
https://bugzilla.suse.com/1065600
https://bugzilla.suse.com/1065729
https://bugzilla.suse.com/1066382
https://bugzilla.suse.com/1077428
https://bugzilla.suse.com/1129923
https://bugzilla.suse.com/1134760
https://bugzilla.suse.com/1149032
https://bugzilla.suse.com/1152489
https://bugzilla.suse.com/1155798
https://bugzilla.suse.com/1163592
https://bugzilla.suse.com/1164648
https://bugzilla.suse.com/1165692
https://bugzilla.suse.com/1166146
https://bugzilla.suse.com/1166166
https://bugzilla.suse.com/1167030
https://bugzilla.suse.com/1168468
https://bugzilla.suse.com/1170415
https://bugzilla.suse.com/1171675
https://bugzilla.suse.com/1171688
https://bugzilla.suse.com/1174003
https://bugzilla.suse.com/1174098
https://bugzilla.suse.com/1174748
https://bugzilla.suse.com/1174969
https://bugzilla.suse.com/1175052
https://bugzilla.suse.com/1175306
https://bugzilla.suse.com/1175599
https://bugzilla.suse.com/1175621
https://bugzilla.suse.com/1175718
https://bugzilla.suse.com/1175721
https://bugzilla.suse.com/1175749
https://bugzilla.suse.com/1175807
https://bugzilla.suse.com/1175898
https://bugzilla.suse.com/1176019
https://bugzilla.suse.com/1176354
https://bugzilla.suse.com/1176381
https://bugzilla.suse.com/1176400
https://bugzilla.suse.com/1176485
https://bugzilla.suse.com/1176588
https://bugzilla.suse.com/1176713
https://bugzilla.suse.com/1176907
https://bugzilla.suse.com/1176979
https://bugzilla.suse.com/1177086
https://bugzilla.suse.com/1177090
https://bugzilla.suse.com/1177109
https://bugzilla.suse.com/1177121
https://bugzilla.suse.com/1177193
https://bugzilla.suse.com/1177194
https://bugzilla.suse.com/1177206
https://bugzilla.suse.com/1177258
https://bugzilla.suse.com/1177271
https://bugzilla.suse.com/1177281
https://bugzilla.suse.com/1177283
https://bugzilla.suse.com/1177284
https://bugzilla.suse.com/1177285
https://bugzilla.suse.com/1177286
https://bugzilla.suse.com/1177297
https://bugzilla.suse.com/1177353
https://bugzilla.suse.com/1177384
https://bugzilla.suse.com/1177410
https://bugzilla.suse.com/1177411
https://bugzilla.suse.com/1177470
https://bugzilla.suse.com/1177511
https://bugzilla.suse.com/1177617
https://bugzilla.suse.com/1177681
https://bugzilla.suse.com/1177683
https://bugzilla.suse.com/1177687
https://bugzilla.suse.com/1177694
https://bugzilla.suse.com/1177697
https://bugzilla.suse.com/1177719
https://bugzilla.suse.com/1177724
https://bugzilla.suse.com/1177725
https://bugzilla.suse.com/1177726
https://bugzilla.suse.com/1177739
https://bugzilla.suse.com/1177749
https://bugzilla.suse.com/1177750
https://bugzilla.suse.com/1177754
https://bugzilla.suse.com/1177755
https://bugzilla.suse.com/1177765
https://bugzilla.suse.com/1177766
https://bugzilla.suse.com/1177799
https://bugzilla.suse.com/1177801
https://bugzilla.suse.com/1177814
https://bugzilla.suse.com/1177817
https://bugzilla.suse.com/1177854
https://bugzilla.suse.com/1177855
https://bugzilla.suse.com/1177856
https://bugzilla.suse.com/1177861
https://bugzilla.suse.com/1178002
https://bugzilla.suse.com/1178079
https://bugzilla.suse.com/1178123
https://bugzilla.suse.com/1178166
https://bugzilla.suse.com/1178173
https://bugzilla.suse.com/1178175
https://bugzilla.suse.com/1178176
https://bugzilla.suse.com/1178177
https://bugzilla.suse.com/1178183
https://bugzilla.suse.com/1178184
https://bugzilla.suse.com/1178185
https://bugzilla.suse.com/1178186
https://bugzilla.suse.com/1178190
https://bugzilla.suse.com/1178191
https://bugzilla.suse.com/1178246
https://bugzilla.suse.com/1178255
https://bugzilla.suse.com/1178307
https://bugzilla.suse.com/1178330
https://bugzilla.suse.com/1178393
https://bugzilla.suse.com/1178395
https://bugzilla.suse.com/1178461
https://bugzilla.suse.com/1178579
https://bugzilla.suse.com/1178581
https://bugzilla.suse.com/1178584
https://bugzilla.suse.com/1178585
https://bugzilla.suse.com/802154
https://bugzilla.suse.com/954532
[opensuse-security-announce] openSUSE-SU-2020:2106-1: moderate: Security update for buildah
by opensuse-security@opensuse.org 29 Nov '20
openSUSE Security Update: Security update for buildah
______________________________________________________________________________
Announcement ID: openSUSE-SU-2020:2106-1
Rating: moderate
References: #1165184 #1167864
Cross-References: CVE-2019-10214 CVE-2020-10696
Affected Products:
openSUSE Leap 15.1
______________________________________________________________________________
An update that fixes two vulnerabilities is now available.
Description:
This update for buildah fixes the following issues:
buildah was updated to v1.17.0 (bsc#1165184):
* Handle cases where other tools mount/unmount containers
* overlay.MountReadOnly: support RO overlay mounts
* overlay: use fusermount for rootless umounts
* overlay: fix umount
* Switch default log level of Buildah to Warn. Users need to see these
messages
* Drop error messages about OCI/Docker format to Warning level
* build(deps): bump github.com/containers/common from 0.26.0 to 0.26.2
* tests/testreport: adjust for API break in storage v1.23.6
* build(deps): bump github.com/containers/storage from 1.23.5 to 1.23.7
* build(deps): bump github.com/fsouza/go-dockerclient from 1.6.5 to 1.6.6
* copier: put: ignore Typeflag="g"
* Use curl to get repo file (fix #2714)
* build(deps): bump github.com/containers/common from 0.25.0 to 0.26.0
* build(deps): bump github.com/spf13/cobra from 1.0.0 to 1.1.1
* Remove docs that refer to bors, since we're not using it
* Buildah bud should not use stdin by default
* bump containerd, docker, and golang.org/x/sys
* Makefile: cross: remove windows.386 target
* copier.copierHandlerPut: don't check length when there are errors
* Stop excessive wrapping
* CI: require that conformance tests pass
* bump(github.com/openshift/imagebuilder) to v1.1.8
* Skip tlsVerify insecure BUILD_REGISTRY_SOURCES
* Fix build path wrong containers/podman#7993
* refactor pullpolicy to avoid deps
* build(deps): bump github.com/containers/common from 0.24.0 to 0.25.0
* CI: run gating tasks with a lot more memory
* ADD and COPY: descend into excluded directories, sometimes
* copier: add more context to a couple of error messages
* copier: check an error earlier
* copier: log stderr output as debug on success
* Update nix pin with make nixpkgs
* Set directory ownership when copied with ID mapping
* build(deps): bump github.com/sirupsen/logrus from 1.6.0 to 1.7.0
* build(deps): bump github.com/containers/common from 0.23.0 to 0.24.0
* Cirrus: Remove bors artifacts
* Sort build flag definitions alphabetically
* ADD: only expand archives at the right time
* Remove configuration for bors
* Shell Completion for podman build flags
* Bump c/common to v0.24.0
* New CI check: xref --help vs man pages
* CI: re-enable several linters
* Move --userns-uid-map/--userns-gid-map description into buildah man page
* add: preserve ownerships and permissions on ADDed archives
* Makefile: tweak the cross-compile target
* Bump containers/common to v0.23.0
* chroot: create bind mount targets 0755 instead of 0700
* Change call to Split() to safer SplitN()
* chroot: fix handling of errno seccomp rules
* build(deps): bump github.com/containers/image/v5 from 5.5.2 to 5.6.0
* Add In Progress section to contributing
* integration tests: make sure tests run in ${topdir}/tests
* Run(): ignore containers.conf's environment configuration
* Warn when setting healthcheck in OCI format
* Cirrus: Skip git-validate on branches
* tools: update git-validation to the latest commit
* tools: update golangci-lint to v1.18.0
* Add a few tests of push command
* Add(): fix handling of relative paths with no ContextDir
* build(deps): bump github.com/containers/common from 0.21.0 to 0.22.0
* Lint: Use same linters as podman
* Validate: reference HEAD
* Fix buildah mount to display container names not ids
* Update nix pin with make nixpkgs
* Add missing --format option in buildah from man page
* Fix up code based on codespell
* build(deps): bump github.com/openshift/imagebuilder from 1.1.6 to 1.1.7
* build(deps): bump github.com/containers/storage from 1.23.4 to 1.23.5
* Improve buildah completions
* Cirrus: Fix validate commit epoch
* Fix bash completion of manifest flags
* Uniform some man pages
* Update Buildah Tutorial to address BZ1867426
* Update bash completion of manifest add sub command
* copier.Get(): hard link targets shouldn't be relative paths
* build(deps): bump github.com/onsi/gomega from 1.10.1 to 1.10.2
* Pass timestamp down to history lines
* Timestamp gets updated everytime you inspect an image
* bud.bats: use absolute paths in newly-added tests
* contrib/cirrus/lib.sh: don't use CN for the hostname
* tests: Add some tests
* Update manifest add man page
* Extend flags of manifest add
* build(deps): bump github.com/containers/storage from 1.23.3 to 1.23.4
* build(deps): bump github.com/onsi/ginkgo from 1.14.0 to 1.14.1
* CI: expand cross-compile checks
Update to v1.16.2:
* fix build on 32bit arches
* containerImageRef.NewImageSource(): don't always force timestamps
* Add fuse module warning to image readme
* Heed our retry delay option values when retrying commit/pull/push
* Switch to containers/common for seccomp
* Use --timestamp rather then --omit-timestamp
* docs: remove outdated notice
* docs: remove outdated notice
* build-using-dockerfile: add a hidden --log-rusage flag
* build(deps): bump github.com/containers/image/v5 from 5.5.1 to 5.5.2
* Discard ReportWriter if user sets options.Quiet
* build(deps): bump github.com/containers/common from 0.19.0 to 0.20.3
* Fix ownership of content copied using COPY --from
* newTarDigester: zero out timestamps in tar headers
* Update nix pin with `make nixpkgs`
* bud.bats: correct .dockerignore integration tests
* Use pipes for copying
* run: include stdout in error message
* run: use the correct error for errors.Wrapf
* copier: un-export internal types
* copier: add Mkdir()
* in_podman: don't get tripped up by $CIRRUS_CHANGE_TITLE
* docs/buildah-commit.md: tweak some wording, add a --rm example
* imagebuildah: don't blank out destination names when COPYing
* Replace retry functions with common/pkg/retry
* StageExecutor.historyMatches: compare timestamps using .Equal
* Update vendor of containers/common
* Fix errors found in coverity scan
* Change namespace handling flags to better match podman commands
* conformance testing: ignore buildah.BuilderIdentityAnnotation labels
* Vendor in containers/storage v1.23.0
* Add buildah.IsContainer interface
* Avoid feeding run_buildah to pipe
* fix(buildahimage): add xz dependency in buildah image
* Bump github.com/containers/common from 0.15.2 to 0.18.0
* Howto for rootless image building from OpenShift
* Add --omit-timestamp flag to buildah bud
* Update nix pin with `make nixpkgs`
* Shutdown storage on failures
* Handle COPY --from when an argument is used
* Bump github.com/seccomp/containers-golang from 0.5.0 to 0.6.0
* Cirrus: Use newly built VM images
* Bump github.com/opencontainers/runc from 1.0.0-rc91 to 1.0.0-rc92
* Enhance the .dockerignore man pages
* conformance: add a test for COPY from subdirectory
* fix bug manifest inspct
* Add documentation for .dockerignore
* Add BuilderIdentityAnnotation to identify buildah version
* DOC: Add quay.io/containers/buildah image to README.md
* Update buildahimages readme
* fix spelling mistake in "info" command result display
* Don't bind /etc/host and /etc/resolv.conf if network is not present
* blobcache: avoid an unnecessary NewImage()
* Build static binary with `buildGoModule`
* copier: split StripSetidBits into
StripSetuidBit/StripSetgidBit/StripStickyBit
* tarFilterer: handle multiple archives
* Fix a race we hit during conformance tests
* Rework conformance testing
* Update 02-registries-repositories.md
* test-unit: invoke cmd/buildah tests with --flags
* parse: fix a type mismatch in a test
* Fix compilation of tests/testreport/testreport
* build.sh: log the version of Go that we're using
* test-unit: increase the test timeout to 40/45 minutes
* Add the "copier" package
* Fix & add notes regarding problematic language in codebase
* Add dependency on github.com/stretchr/testify/require
* CompositeDigester: add the ability to filter tar streams
* BATS tests: make more robust
* vendor golang.org/x/text@v0.3.3
* Switch golang 1.12 to golang 1.13
* imagebuildah: wait for stages that might not have even started yet
* chroot, run: not fail on bind mounts from /sys
* chroot: do not use setgroups if it is blocked
* Set engine env from containers.conf
* imagebuildah: return the right stage's image as the "final" image
* Fix a help string
* Deduplicate environment variables
* switch containers/libpod to containers/podman
* Bump github.com/containers/ocicrypt from 1.0.2 to 1.0.3
* Bump github.com/opencontainers/selinux from 1.5.2 to 1.6.0
* Mask out /sys/dev to prevent information leak
* linux: skip errors from the runtime kill
* Mask over the /sys/fs/selinux in mask branch
* Add VFS additional image store to container
* tests: add auth tests
* Allow "readonly" as alias to "ro" in mount options
* Ignore OS X specific consistency mount option
* Bump github.com/onsi/ginkgo from 1.13.0 to 1.14.0
* Bump github.com/containers/common from 0.14.0 to 0.15.2
* Rootless Buildah should default to IsolationOCIRootless
* imagebuildah: fix inheriting multi-stage builds
* Make imagebuildah.BuildOptions.Architecture/OS optional
* Make imagebuildah.BuildOptions.Jobs optional
* Resolve a possible race in imagebuildah.Executor.startStage()
* Switch scripts to use containers.conf
* Bump openshift/imagebuilder to v1.1.6
* Bump go.etcd.io/bbolt from 1.3.4 to 1.3.5
* buildah, bud: support --jobs=N for parallel execution
* executor: refactor build code inside new function
* Add bud regression tests
* Cirrus: Fix missing htpasswd in registry img
* docs: clarify the 'triples' format
* CHANGELOG.md: Fix markdown formatting
* Add nix derivation for static builds
* Bump to v1.16.0-dev
- Update to v1.15.1
* Mask over the /sys/fs/selinux in mask branch
* chroot: do not use setgroups if it is blocked
* chroot, run: not fail on bind mounts from /sys
* Allow "readonly" as alias to "ro" in mount options
* Add VFS additional image store to container
* vendor golang.org/x/text@v0.3.3
* Make imagebuildah.BuildOptions.Architecture/OS optional
Update to v1.15.0:
* Add CVE-2020-10696 to CHANGELOG.md and changelog.txt
* fix lighttpd example
* remove dependency on openshift struct
* Warn on unset build arguments
* vendor: update seccomp/containers-golang to v0.4.1
* Updated docs
* clean up comments
* update exit code for tests
* Implement commit for encryption
* implementation of encrypt/decrypt push/pull/bud/from
* fix resolve docker image name as transport
* Add preliminary profiling support to the CLI
* Evaluate symlinks in build context directory
* fix error info about get signatures for containerImageSource
* Add Security Policy
* Cirrus: Fixes from review feedback
* imagebuildah: stages shouldn't count as their base images
* Update containers/common v0.10.0
* Add registry to buildahimage Dockerfiles
* Cirrus: Use pre-installed VM packages + F32
* Cirrus: Re-enable all distro versions
* Cirrus: Update to F31 + Use cache images
* golangci-lint: Disable gosimple
* Lower number of golangci-lint threads
* Fix permissions on containers.conf
* Don't force tests to use runc
* Return exit code from failed containers
* cgroup_manager should be under [engine]
* Use c/common/pkg/auth in login/logout
* Cirrus: Temporarily disable Ubuntu 19 testing
* Add containers.conf to stablebyhand build
* Update gitignore to exclude test Dockerfiles
* Remove warning for systemd inside of container
Update to v1.14.6:
* Make image history work correctly with new args handling
* Don't add args to the RUN environment from the Builder
Update to v1.14.5:
* Revert FIPS mode change
Update to v1.14.4:
* Update unshare man page to fix script example
* Fix compilation errors on non linux platforms
* Preserve volume uid and gid through subsequent commands
* Fix potential CVE in tarfile w/ symlink
* Fix .dockerignore with globs and ! commands
Update to v1.14.2:
* Search for local runtime per values in containers.conf
* Set correct ownership on working directory
* Improve remote manifest retrieval
* Correct a couple of incorrect format specifiers
* manifest push --format: force an image type, not a list type
* run: adjust the order in which elements are added to $
* getDateAndDigestAndSize(): handle creation time not being set
* Make the commit id clear like Docker
* Show error on copied file above context directory in build
* pull/from/commit/push: retry on most failures
* Repair buildah so it can use containers.conf on the server side
* Fixing formatting & build instructions
* Fix XDG_RUNTIME_DIR for authfile
* Show validation command-line
Update to v1.14.0:
* getDateAndDigestAndSize(): use manifest.Digest
* Touch up os/arch doc
* chroot: handle slightly broken seccomp defaults
* buildahimage: specify fuse-overlayfs mount options
* parse: don't complain about not being able to rename something to itself
* Fix build for 32bit platforms
* Allow users to set OS and architecture on bud
* Fix COPY in containerfile with envvar
* Add --sign-by to bud/commit/push, --remove-signatures for pull/push
* Add support for containers.conf
* manifest push: add --format option
Update to v1.13.1:
* copyFileWithTar: close source files at the right time
* copy: don't digest files that we ignore
* Check for .dockerignore specifically
* Don't setup excludes, if their is only one pattern to match
* set HOME env to /root on chroot-isolation by default
* docs: fix references to containers-*.5
* fix bug Add check .dockerignore COPY file
* buildah bud --volume: run from tmpdir, not source dir
* Fix imageNamePrefix to give consistent names in buildah-from
* cpp: use -traditional and -undef flags
* discard outputs coming from onbuild command on buildah-from --quiet
* make --format columnizing consistent with buildah images
* Fix option handling for volumes in build
* Rework overlay pkg for use with libpod
* Fix buildahimage builds for buildah
* Add support for FIPS-Mode backends
* Set the TMPDIR for pulling/pushing image to $TMPDIR
Update to v1.12.0:
* Allow ADD to use http src
* imgtype: reset storage opts if driver overridden
* Start using containers/common
* overlay.bats typo: fuse-overlays should be fuse-overlayfs
* chroot: Unmount with MNT_DETACH instead of UnmountMountpoints()
* bind: don't complain about missing mountpoints
* imgtype: check earlier for expected manifest type
* Add history names support
Update to v1.11.6:
* Handle missing equal sign in --from and --chown flags for COPY/ADD
* bud COPY does not download URL
* Fix .dockerignore exclude regression
* commit(docker): always set ContainerID and ContainerConfig
* Touch up commit man page image parameter
* Add builder identity annotations.
Update to v1.11.5:
* buildah: add "manifest" command
* pkg/supplemented: add a package for grouping images together
* pkg/manifests: add a manifest list build/manipulation API
* Update for ErrUnauthorizedForCredentials API change in containers/image
* Update for manifest-lists API changes in containers/image
* version: also note the version of containers/image
* Move to containers/image v5.0.0
* Enable --device directory as src device
* Add clarification to the Tutorial for new users
* Silence "using cache" to ensure -q is fully quiet
* Move runtime flag to bud from common
* Commit: check for storage.ErrImageUnknown using errors.Cause()
* Fix crash when invalid COPY --from flag is specified.
Update to v1.11.4:
* buildah: add a "manifest" command
* pkg/manifests: add a manifest list build/manipulation API
* Update for ErrUnauthorizedForCredentials API change in containers/image
* Update for manifest-lists API changes in containers/image
* Move to containers/image v5.0.0
* Enable --device directory as src device
* Add clarification to the Tutorial for new users
* Silence "using cache" to ensure -q is fully quiet
* Move runtime flag to bud from common
* Commit: check for storage.ErrImageUnknown using errors.Cause()
* Fix crash when invalid COPY --from flag is specified.
Update to v1.11.3:
* Add cgroups2
* Add support for retrieving context from stdin "-"
* Added tutorial on how to include Buildah as library
* Fix --build-args handling
* Print build 'STEP' line to stdout, not stderr
* Use Containerfile by default
Update to v1.11.2:
* Add some cleanup code
* Move devices code to unit specific directory.
Update to v1.11.1:
* Add --devices flag to bud and from
* Add support for /run/.containerenv
* Allow mounts.conf entries for equal source and destination paths
* Fix label and annotation for 1-line Dockerfiles
* Preserve file and directory mount permissions
* Replace --debug=false with --log-level=error
* Set TMPDIR to /var/tmp by default
* Truncate output of too long image names
* Ignore EmptyLayer if Squash is set
Update to v1.11.0:
* Add --digestfile and Re-add push statement as debug
* Add --log-level command line option and deprecate --debug
* Add security-related volume options to validator
* Allow buildah bud to be called without arguments
* Allow to override build date with SOURCE_DATE_EPOCH
* Correctly detect ExitError values from Run()
* Disable empty logrus timestamps to reduce logger noise
* Fix directory pull image names
* Fix handling of /dev/null masked devices
* Fix possible runtime panic on bud
* Update bud/from help to contain indicator for --dns=none
* Update documentation about bud
* Update shebangs to take env into consideration
* Use content digests in ADD/COPY history entries
* add support for cgroupsV2
* add: add a DryRun flag to AddAndCopyOptions
* add: handle hard links when copying with .dockerignore
* add: teach copyFileWithTar() about symlinks and directories
* imagebuilder: fix detection of referenced stage roots
* pull/commit/push: pay attention to $BUILD_REGISTRY_SOURCES
* run_linux: fix mounting /sys in a userns
Update to v1.10.1:
* Add automatic apparmor tag discovery
* Add overlayfs to fuse-overlayfs tip
* Bug fix for volume minus syntax
* Bump container/storage v1.13.1 and containers/image v3.0.1
* Bump containers/image to v3.0.2 to fix keyring issue
* Fix bug whereby --get-login has no effect
* Bump github.com/containernetworking/cni to v0.7.1
- Add appamor-pattern requirement
- Update build process to match the latest repository architecture
- Update to v1.10.0
* vendor github.com/containers/image@v3.0.0
* Remove GO111MODULE in favor of -mod=vendor
* Vendor in containers/storage v1.12.16
* Add '-' minus syntax for removal of config values
* tests: enable overlay tests for rootless
* rootless, overlay: use fuse-overlayfs
* vendor github.com/containers/image@v2.0.1
* Added '-' syntax to remove volume config option
* delete successfully pushed message
* Add golint linter and apply fixes
* vendor github.com/containers/storage@v1.12.15
* Change wait to sleep in buildahimage readme
* Handle ReadOnly images when deleting images
* Add support for listing read/only images
* from/import: record the base image's digest, if it has one
* Fix CNI version retrieval to not require network connection
* Add misspell linter and apply fixes
* Add goimports linter and apply fixes
* Add stylecheck linter and apply fixes
* Add unconvert linter and apply fixes
* image: make sure we don't try to use zstd compression
* run.bats: skip the "z" flag when testing --mount
* Update to runc v1.0.0-rc8
* Update to match updated runtime-tools API
* bump github.com/opencontainers/runtime-tools to v0.9.0
* Build e2e tests using the proper build tags
* Add unparam linter and apply fixes
* Run: correct a typo in the --cap-add help text
* unshare: add a --mount flag
* fix push check image name is not empty
* add: fix slow copy with no excludes
* Add errcheck linter and fix missing error check
* Improve tests/tools/Makefile parallelism and abstraction
* Fix response body not closed resource leak
* Switch to golangci-lint
* Add gomod instructions and mailing list links
* On Masked path, check if /dev/null already mounted before mounting
* Update to containers/storage v1.12.13
* Refactor code in package imagebuildah
* Add rootless podman with NFS issue in documentation
* Add --mount for buildah run
* import method ValidateVolumeOpts from libpod
* Fix typo
* Makefile: set GO111MODULE=off
* rootless: add the built-in slirp DNS server
* Update docker/libnetwork to get rid of outdated sctp package
* Update buildah-login.md
* migrate to go modules
* install.md: mention go modules
* tests/tools: go module for test binaries
* fix --volume splits comma delimited option
* Add bud test for RUN with a priv'd command
* vendor logrus v1.4.2
* pkg/cli: panic when flags can't be hidden
* pkg/unshare: check all errors
* pull: check error during report write
* run_linux.go: ignore unchecked errors
* conformance test: catch copy error
* chroot/run_test.go: export funcs to actually be executed
* tests/imgtype: ignore error when shutting down the store
* testreport: check json error
* bind/util.go: remove unused func
* rm chroot/util.go
* imagebuildah: remove unused dedupeStringSlice
* StageExecutor: EnsureContainerPath: catch error from SecureJoin()
* imagebuildah/build.go: return instead of branching
* rmi: avoid redundant branching
* conformance tests: nilness: allocate map
* imagebuildah/build.go: avoid redundant filepath.Join()
* imagebuildah/build.go: avoid redundant os.Stat()
* imagebuildah: omit comparison to bool
* fix "ineffectual assignment" lint errors
* docker: ignore "repeats json tag" lint error
* pkg/unshare: use ... instead of iterating a slice
* conformance: bud test: use raw strings for regexes
* conformance suite: remove unused func/var
* buildah test suite: remove unused vars/funcs
* testreport: fix golangci-lint errors
* util: remove redundant return statement
* chroot: only log clean-up errors
* images_test: ignore golangci-lint error
* blobcache: log error when draining the pipe
* imagebuildah: check errors in deferred calls
* chroot: fix error handling in deferred funcs
* cmd: check all errors
* chroot/run_test.go: check errors
* chroot/run.go: check errors in deferred calls
* imagebuildah.Executor: remove unused onbuild field
* docker/types.go: remove unused struct fields
* util: use strings.ContainsRune instead of index check
* Cirrus: Initial implementation
* buildah-run: fix-out-of-range panic (2)
* Update containers/image to v2.0.0
* run: fix hang with run and --isolation=chroot
* run: fix hang when using run
* chroot: drop unused function call
* remove --> before imgageID on build
* Always close stdin pipe
* Write deny to setgroups when doing single user mapping
* Avoid including linux/memfd.h
* Add a test for the symlink pointing to a directory
* Add missing continue
* Fix the handling of symlinks to absolute paths
* Only set default network sysctls if not rootless
* Support --dns=none like podman
* fix bug --cpu-shares parsing typo
* Fix validate complaint
* Update vendor on containers/storage to v1.12.10
* Create directory paths for COPY thereby ensuring correct perms
* imagebuildah: use a stable sort for comparing build args
* imagebuildah: tighten up cache checking
* bud.bats: add a test verying the order of --build-args
* add -t to podman run
* imagebuildah: simplify screening by top layers
* imagebuildah: handle ID mappings for COPY --from
* imagebuildah: apply additionalTags ourselves
* bud.bats: test additional tags with cached images
* bud.bats: add a test for WORKDIR and COPY with absolute destinations
* Cleanup Overlay Mounts content
* Add support for file secret mounts
* Add ability to skip secrets in mounts file
* allow 32bit builds
* fix tutorial instructions
* imagebuilder: pass the right contextDir to Add()
* add: use fileutils.PatternMatcher for .dockerignore
* bud.bats: add another .dockerignore test
* unshare: fallback to single usermapping
* addHelperSymlink: clear the destination on os.IsExist errors
* bud.bats: test replacing symbolic links
* imagebuildah: fix handling of destinations that end with '/'
* bud.bats: test COPY with a final "/" in the destination
* linux: add check for sysctl before using it
* unshare: set _CONTAINERS_ROOTLESS_GID
* Rework buildahimamges
* build context: support https git repos
* Add a test for ENV special chars behaviour
* Check in new Dockerfiles
* Apply custom SHELL during build time
* config: expand variables only at the command line
* SetEnv: we only need to expand v once
* Add default /root if empty on chroot iso
* Add support for Overlay volumes into the container.
* Export buildah validate volume functions so it can share code with libpod
* Bump baseline test to F30
* Fix rootless handling of /dev/shm size
* Avoid fmt.Printf() in the library
* imagebuildah: tighten cache checking back up
* Handle WORKDIR with dangling target
* Default Authfile to proper path
* Make buildah run --isolation follow BUILDAH_ISOLATION environment
* Vendor in latest containers/storage and containers/image
* getParent/getChildren: handle layerless images
* imagebuildah: recognize cache images for layerless images
* bud.bats: test scratch images with --layers caching
* Get CHANGELOG.md updates
* Add some symlinks to test our .dockerignore logic
* imagebuildah: addHelper: handle symbolic links
* commit/push: use an everything-allowed policy
* Correct manpage formatting in files section
* Remove must be root statement from buildah doc
* Change image names to stable, testing and upstream
* Don't create directory on container
* Replace kubernetes/pause in tests with k8s.gcr.io/pause
* imagebuildah: don't remove intermediate images if we need them
* Rework buildahimagegit to buildahimageupstream
* Fix Transient Mounts
* Handle WORKDIRs that are symlinks
* allow podman to build a client for windows
* Touch up 1.9-dev to 1.9.0-dev
* Resolve symlink when checking container path
* commit: commit on every instruction, but not always with layers
* CommitOptions: drop the unused OnBuild field
* makeImageRef: pass in the whole CommitOptions structure
* cmd: API cleanup: stores before images
* run: check if SELinux is enabled
* Fix buildahimages Dockerfiles to include support for additionalimages
mounted from host.
* Detect changes in rootdir
* Fix typo in buildah-pull(1)
* Vendor in latest containers/storage
* Keep track of any build-args used during buildah bud --layers
* commit: always set a parent ID
* imagebuildah: rework unused-argument detection
* fix bug dest path when COPY .dockerignore
* Move Host IDMAppings code from util to unshare
* Add BUILDAH_ISOLATION rootless back
* Travis CI: fail fast, upon error in any step
* imagebuildah: only commit images for intermediate stages if we have to
* Use errors.Cause() when checking for IsNotExist errors
* auto pass http_proxy to container
* imagebuildah: don't leak image structs
* Add Dockerfiles for buildahimages
* Bump to Replace golang 1.10 with 1.12
* add --dns* flags to buildah bud
* Add hack/build_speed.sh test speeds on building container images
* Create buildahimage Dockerfile for Quay
* rename 'is' to 'expect_output'
* squash.bats: test squashing in multi-layered builds
* bud.bats: test COPY --from in a Dockerfile while using the cache
* commit: make target image names optional
* Fix bud-args to allow comma separation
* oops, missed some tests in commit.bats
* new helper: expect_line_count
* New tests for #1467 (string slices in cmdline opts)
* Workarounds for dealing with travis; review feedback
* BATS tests - extensive but minor cleanup
* imagebuildah: defer pulling images for COPY --from
* imagebuildah: centralize COMMIT and image ID output
* Travis: do not use traviswait
* imagebuildah: only initialize imagebuilder configuration once per stage
* Make cleaner error on Dockerfile build errors
* unshare: move to pkg/
* unshare: move some code from cmd/buildah/unshare
* Fix handling of Slices versus Arrays
* imagebuildah: reorganize stage and per-stage logic
* imagebuildah: add empty layers for instructions
* Add missing step in installing into Ubuntu
* fix bug in .dockerignore support
* imagebuildah: deduplicate prepended "FROM" instructions
* Touch up intro
* commit: set created-by to the shell if it isn't set
* commit: check that we always set a "created-by"
* docs/buildah.md: add "containers-" prefixes under "SEE ALSO"
Update to v1.7.2
* Updates vendored containers/storage to latest version
* rootless: by default use the host network namespace
- Full changelog: https://github.com/containers/buildah/releases/tag/v1.6
This update was imported from the SUSE:SLE-15-SP1:Update update project.
Patch Instructions:
To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 15.1:
zypper in -t patch openSUSE-2020-2106=1
Package List:
- openSUSE Leap 15.1 (x86_64):
buildah-1.17.0-lp151.2.6.1
References:
https://www.suse.com/security/cve/CVE-2019-10214.html
https://www.suse.com/security/cve/CVE-2020-10696.html
https://bugzilla.suse.com/1165184
https://bugzilla.suse.com/1167864
[opensuse-security-announce] openSUSE-SU-2020:2107-1: moderate: Security update for wireshark
by opensuse-security@opensuse.org 29 Nov '20
openSUSE Security Update: Security update for wireshark
______________________________________________________________________________
Announcement ID: openSUSE-SU-2020:2107-1
Rating: moderate
References: #1177406 #1178291
Cross-References: CVE-2020-26575 CVE-2020-28030
Affected Products:
openSUSE Leap 15.1
______________________________________________________________________________
An update that fixes two vulnerabilities is now available.
Description:
This update for wireshark fixes the following issues:
- wireshark was updated to 3.2.8:
- CVE-2020-26575: Fixed an issue where the FBZERO dissector entered an
infinite loop (bsc#1177406)
- CVE-2020-28030: Fixed an issue where the GQUIC dissector crashed
(bsc#1178291)
* Infinite memory allocation while parsing this tcp packet
This update was imported from the SUSE:SLE-15:Update update project.
Patch Instructions:
To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 15.1:
zypper in -t patch openSUSE-2020-2107=1
Package List:
- openSUSE Leap 15.1 (x86_64):
libwireshark13-3.2.8-lp151.2.18.1
libwireshark13-debuginfo-3.2.8-lp151.2.18.1
libwiretap10-3.2.8-lp151.2.18.1
libwiretap10-debuginfo-3.2.8-lp151.2.18.1
libwsutil11-3.2.8-lp151.2.18.1
libwsutil11-debuginfo-3.2.8-lp151.2.18.1
wireshark-3.2.8-lp151.2.18.1
wireshark-debuginfo-3.2.8-lp151.2.18.1
wireshark-debugsource-3.2.8-lp151.2.18.1
wireshark-devel-3.2.8-lp151.2.18.1
wireshark-ui-qt-3.2.8-lp151.2.18.1
wireshark-ui-qt-debuginfo-3.2.8-lp151.2.18.1
References:
https://www.suse.com/security/cve/CVE-2020-26575.html
https://www.suse.com/security/cve/CVE-2020-28030.html
https://bugzilla.suse.com/1177406
https://bugzilla.suse.com/1178291
[opensuse-security-announce] openSUSE-SU-2020:2097-1: important: Security update for LibVNCServer
by opensuse-security@opensuse.org 28 Nov '20
openSUSE Security Update: Security update for LibVNCServer
______________________________________________________________________________
Announcement ID: openSUSE-SU-2020:2097-1
Rating: important
References: #1178682
Cross-References: CVE-2020-25708
Affected Products:
openSUSE Leap 15.1
______________________________________________________________________________
An update that fixes one vulnerability is now available.
Description:
This update for LibVNCServer fixes the following issues:
- CVE-2020-25708 [bsc#1178682], libvncserver/rfbserver.c has a divide by
zero which could result in DoS
This update was imported from the SUSE:SLE-15:Update update project.
Patch Instructions:
To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 15.1:
zypper in -t patch openSUSE-2020-2097=1
Package List:
- openSUSE Leap 15.1 (i586 x86_64):
LibVNCServer-debugsource-0.9.10-lp151.7.12.1
LibVNCServer-devel-0.9.10-lp151.7.12.1
libvncclient0-0.9.10-lp151.7.12.1
libvncclient0-debuginfo-0.9.10-lp151.7.12.1
libvncserver0-0.9.10-lp151.7.12.1
libvncserver0-debuginfo-0.9.10-lp151.7.12.1
References:
https://www.suse.com/security/cve/CVE-2020-25708.html
https://bugzilla.suse.com/1178682
[opensuse-security-announce] openSUSE-SU-2020:2098-1: important: Security update for ucode-intel
by opensuse-security@opensuse.org 28 Nov '20
openSUSE Security Update: Security update for ucode-intel
______________________________________________________________________________
Announcement ID: openSUSE-SU-2020:2098-1
Rating: important
References: #1170446 #1173592 #1173594 #1178971
Cross-References: CVE-2020-8695 CVE-2020-8696 CVE-2020-8698
Affected Products:
openSUSE Leap 15.1
______________________________________________________________________________
An update that solves three vulnerabilities and has one
errata is now available.
Description:
This update for ucode-intel fixes the following issues:
- Updated Intel CPU Microcode to 20201118 official release. (bsc#1178971)
- Removed TGL/06-8c-01/80 due to functional issues with some OEM
platforms.
- Updated Intel CPU Microcode to 20201110 official release.
- CVE-2020-8695: Fixed Intel RAPL sidechannel attack (SGX) (bsc#1170446)
- CVE-2020-8698: Fixed Fast Store Forward Predictor INTEL-SA-00381
(bsc#1173594)
- CVE-2020-8696: Vector Register Sampling Active INTEL-SA-00381
(bsc#1173592)
- Release notes:
- Security updates for [INTEL-SA-00381](https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00381.html).
- Security updates for [INTEL-SA-00389](https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00389.html).
- Update for functional issues. Refer to [Second Generation Intel® Xeon® Processor Scalable Family Specification Update](https://cdrdv2.intel.com/v1/dl/getContent/338848) for details.
- Update for functional issues. Refer to [Intel® Xeon® Processor Scalable Family Specification Update](https://cdrdv2.intel.com/v1/dl/getContent/613537) for details.
- Update for functional issues. Refer to [Intel® Xeon® Processor E5 v3 Product Family Specification Update](https://www.intel.com/content/www/us/en/processors/xeon/xeon-e5-v3-spec-update.html?wapkw=processor+spec+update+e5) for details.
- Update for functional issues. Refer to [10th Gen Intel® Core™ Processor Families Specification Update](https://www.intel.com/content/www/us/en/products/docs/processors/core/10th-gen-core-families-specification-update.html) for details.
- Update for functional issues. Refer to [8th and 9th Gen Intel® Core™ Processor Family Spec Update](https://www.intel.com/content/www/us/en/products/docs/processors/core/8th-gen-core-spec-update.html) for details.
- Update for functional issues. Refer to [7th Gen and 8th Gen (U Quad-Core) Intel® Processor Families Specification Update](https://www.intel.com/content/www/us/en/processors/core/7th-gen-core-family-spec-update.html) for details.
- Update for functional issues. Refer to [6th Gen Intel® Processor Family Specification Update](https://cdrdv2.intel.com/v1/dl/getContent/332689) for details.
- Update for functional issues. Refer to [Intel® Xeon® E3-1200 v6 Processor Family Specification Update](https://www.intel.com/content/www/us/en/processors/xeon/xeon-e3-1200v6-spec-update.html) for details.
- Update for functional issues. Refer to [Intel® Xeon® E-2100 and E-2200 Processor Family Specification Update](https://www.intel.com/content/www/us/en/products/docs/processors/xeon/xeon-e-2100-specification-update.html) for details.
### New Platforms
| Processor | Stepping | F-M-S/PI | Old Ver | New Ver | Products
|:---------------|:---------|:------------|:---------|:---------|:---------
| CPX-SP | A1 | 06-55-0b/bf | | 0700001e | Xeon Scalable Gen3
| LKF | B2/B3 | 06-8a-01/10 | | 00000028 | Core w/Hybrid Technology
| TGL | B1 | 06-8c-01/80 | | 00000068 | Core Gen11 Mobile
| CML-H | R1 | 06-a5-02/20 | | 000000e0 | Core Gen10 Mobile
| CML-S62 | G1 | 06-a5-03/22 | | 000000e0 | Core Gen10
| CML-S102 | Q0 | 06-a5-05/22 | | 000000e0 | Core Gen10
| CML-U62 V2 | K0 | 06-a6-01/80 | | 000000e0 | Core Gen10 Mobile
### Updated Platforms
| Processor | Stepping | F-M-S/PI | Old Ver | New Ver | Products
|:---------------|:---------|:------------|:---------|:---------|:---------
| HSX-E/EP | Cx/M1 | 06-3f-02/6f | 00000043 | 00000044 | Core Gen4 X series; Xeon E5 v3
| SKL-U/Y | D0 | 06-4e-03/c0 | 000000d6 | 000000e2 | Core Gen6 Mobile
| SKL-U23e | K1 | 06-4e-03/c0 | 000000d6 | 000000e2 | Core Gen6 Mobile
| SKX-SP | B1 | 06-55-03/97 | 01000157 | 01000159 | Xeon Scalable
| SKX-SP | H0/M0/U0 | 06-55-04/b7 | 02006906 | 02006a08 | Xeon Scalable
| SKX-D | M1 | 06-55-04/b7 | 02006906 | 02006a08 | Xeon D-21xx
| CLX-SP | B0 | 06-55-06/bf | 04002f01 | 04003003 | Xeon Scalable Gen2
| CLX-SP | B1 | 06-55-07/bf | 05002f01 | 05003003 | Xeon Scalable Gen2
| APL | D0 | 06-5c-09/03 | 00000038 | 00000040 | Pentium N/J4xxx, Celeron N/J3xxx, Atom x5/7-E39xx
| APL | E0 | 06-5c-0a/03 | 00000016 | 0000001e | Atom x5-E39xx
| SKL-H/S | R0/N0 | 06-5e-03/36 | 000000d6 | 000000e2 | Core Gen6; Xeon E3 v5
| GKL-R | R0 | 06-7a-08/01 | 00000016 | 00000018 | Pentium J5040/N5030, Celeron J4125/J4025/N4020/N4120
| ICL-U/Y | D1 | 06-7e-05/80 | 00000078 | 000000a0 | Core Gen10 Mobile
| AML-Y22 | H0 | 06-8e-09/10 | 000000d6 | 000000de | Core Gen8 Mobile
| KBL-U/Y | H0 | 06-8e-09/c0 | 000000d6 | 000000de | Core Gen7 Mobile
| CFL-U43e | D0 | 06-8e-0a/c0 | 000000d6 | 000000e0 | Core Gen8 Mobile
| WHL-U | W0 | 06-8e-0b/d0 | 000000d6 | 000000de | Core Gen8 Mobile
| AML-Y42 | V0 | 06-8e-0c/94 | 000000d6 | 000000de | Core Gen10 Mobile
| CML-Y42 | V0 | 06-8e-0c/94 | 000000d6 | 000000de | Core Gen10 Mobile
| WHL-U | V0 | 06-8e-0c/94 | 000000d6 | 000000de | Core Gen8 Mobile
| KBL-G/H/S/E3 | B0 | 06-9e-09/2a | 000000d6 | 000000de | Core Gen7; Xeon E3 v6
| CFL-H/S/E3 | U0 | 06-9e-0a/22 | 000000d6 | 000000de | Core Gen8 Desktop, Mobile, Xeon E
| CFL-S | B0 | 06-9e-0b/02 | 000000d6 | 000000de | Core Gen8
| CFL-H/S | P0 | 06-9e-0c/22 | 000000d6 | 000000de | Core Gen9
| CFL-H | R0 | 06-9e-0d/22 | 000000d6 | 000000de | Core Gen9 Mobile
| CML-U62 | A0 | 06-a6-00/80 | 000000ca | 000000e0 | Core Gen10 Mobile
This update was imported from the SUSE:SLE-15:Update update project.
Patch Instructions:
To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 15.1:
zypper in -t patch openSUSE-2020-2098=1
Package List:
- openSUSE Leap 15.1 (x86_64):
ucode-intel-20201118-lp151.2.33.1
References:
https://www.suse.com/security/cve/CVE-2020-8695.html
https://www.suse.com/security/cve/CVE-2020-8696.html
https://www.suse.com/security/cve/CVE-2020-8698.html
https://bugzilla.suse.com/1170446
https://bugzilla.suse.com/1173592
https://bugzilla.suse.com/1173594
https://bugzilla.suse.com/1178971
[opensuse-security-announce] openSUSE-SU-2020:2096-1: important: Security update for MozillaThunderbird
by opensuse-security@opensuse.org 28 Nov '20
openSUSE Security Update: Security update for MozillaThunderbird
______________________________________________________________________________
Announcement ID: openSUSE-SU-2020:2096-1
Rating: important
References: #1178894
Cross-References: CVE-2020-15999 CVE-2020-16012 CVE-2020-26951
CVE-2020-26953 CVE-2020-26956 CVE-2020-26958
CVE-2020-26959 CVE-2020-26960 CVE-2020-26961
CVE-2020-26965 CVE-2020-26966 CVE-2020-26968
Affected Products:
openSUSE Leap 15.2
______________________________________________________________________________
An update that fixes 12 vulnerabilities is now available.
Description:
This update for MozillaThunderbird fixes the following issues:
TODO
- Mozilla Thunderbird 78.5.0
* new: OpenPGP: Added option to disable attaching the public key to a
signed message (bmo#1654950)
* new: MailExtensions: "compose_attachments" context added to Menus API
(bmo#1670822)
* new: MailExtensions: Menus API now available on displayed messages
(bmo#1670825)
* changed: MailExtensions: browser.tabs.create will now wait for
"mail-delayed-startup-finished" event (bmo#1674407)
* fixed: OpenPGP: Support for inline PGP messages improved (bmo#1672851)
* fixed: OpenPGP: Message security dialog showed unverified keys as
unavailable (bmo#1675285)
* fixed: Chat: New chat contact menu item did not function (bmo#1663321)
* fixed: Various theme and usability improvements (bmo#1673861)
* fixed: Various security fixes MFSA 2020-52 (bsc#1178894)
* CVE-2020-26951 (bmo#1667113) Parsing mismatches could confuse and
bypass security sanitizer for chrome privileged code
* CVE-2020-16012 (bmo#1642028) Variable time processing of cross-origin
images during drawImage calls
* CVE-2020-26953 (bmo#1656741) Fullscreen could be enabled without
displaying the security UI
* CVE-2020-26956 (bmo#1666300) XSS through paste (manual and clipboard
API)
* CVE-2020-26958 (bmo#1669355) Requests intercepted through
ServiceWorkers lacked MIME type restrictions
* CVE-2020-26959 (bmo#1669466) Use-after-free in WebRequestService
* CVE-2020-26960 (bmo#1670358) Potential use-after-free in uses of
nsTArray
* CVE-2020-15999 (bmo#1672223) Heap buffer overflow in freetype
* CVE-2020-26961 (bmo#1672528) DoH did not filter IPv4 mapped IP
Addresses
* CVE-2020-26965 (bmo#1661617) Software keyboards may have remembered
typed passwords
* CVE-2020-26966 (bmo#1663571) Single-word search queries were also
broadcast to local network
* CVE-2020-26968 (bmo#1551615, bmo#1607762, bmo#1656697, bmo#1657739,
bmo#1660236, bmo#1667912, bmo#1671479, bmo#1671923) Memory safety bugs
fixed in Thunderbird 78.5
- Mozilla Thunderbird 78.4.3
* fixed: User interface was inconsistent when switching from the default
theme to the dark theme and back to the default theme (bmo#1659282)
* fixed: Email subject would disappear when hovering over it with the
mouse when using Windows 7 Classic theme (bmo#1675970)
This update was imported from the SUSE:SLE-15:Update update project.
Patch Instructions:
To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 15.2:
zypper in -t patch openSUSE-2020-2096=1
Package List:
- openSUSE Leap 15.2 (x86_64):
MozillaThunderbird-78.5.0-lp152.2.19.1
MozillaThunderbird-debuginfo-78.5.0-lp152.2.19.1
MozillaThunderbird-debugsource-78.5.0-lp152.2.19.1
MozillaThunderbird-translations-common-78.5.0-lp152.2.19.1
MozillaThunderbird-translations-other-78.5.0-lp152.2.19.1
References:
https://www.suse.com/security/cve/CVE-2020-15999.html
https://www.suse.com/security/cve/CVE-2020-16012.html
https://www.suse.com/security/cve/CVE-2020-26951.html
https://www.suse.com/security/cve/CVE-2020-26953.html
https://www.suse.com/security/cve/CVE-2020-26956.html
https://www.suse.com/security/cve/CVE-2020-26958.html
https://www.suse.com/security/cve/CVE-2020-26959.html
https://www.suse.com/security/cve/CVE-2020-26960.html
https://www.suse.com/security/cve/CVE-2020-26961.html
https://www.suse.com/security/cve/CVE-2020-26965.html
https://www.suse.com/security/cve/CVE-2020-26966.html
https://www.suse.com/security/cve/CVE-2020-26968.html
https://bugzilla.suse.com/1178894
[opensuse-security-announce] openSUSE-SU-2020:2092-1: moderate: Security update for c-ares
by opensuse-security@opensuse.org 28 Nov '20
openSUSE Security Update: Security update for c-ares
______________________________________________________________________________
Announcement ID: openSUSE-SU-2020:2092-1
Rating: moderate
References: #1178882
Cross-References: CVE-2020-8277
Affected Products:
openSUSE Leap 15.2
______________________________________________________________________________
An update that fixes one vulnerability is now available.
Description:
This update for c-ares fixes the following issues:
Version update to 1.17.0
* CVE-2020-8277: Fixed a Denial of Service through DNS request
(bsc#1178882)
* For further details see https://c-ares.haxx.se/changelog.html
This update was imported from the SUSE:SLE-15:Update update project.
Patch Instructions:
To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 15.2:
zypper in -t patch openSUSE-2020-2092=1
Package List:
- openSUSE Leap 15.2 (i586 x86_64):
c-ares-debugsource-1.17.0-lp152.2.3.1
c-ares-devel-1.17.0-lp152.2.3.1
c-ares-utils-1.17.0-lp152.2.3.1
c-ares-utils-debuginfo-1.17.0-lp152.2.3.1
libcares2-1.17.0-lp152.2.3.1
libcares2-debuginfo-1.17.0-lp152.2.3.1
- openSUSE Leap 15.2 (x86_64):
libcares2-32bit-1.17.0-lp152.2.3.1
libcares2-32bit-debuginfo-1.17.0-lp152.2.3.1
References:
https://www.suse.com/security/cve/CVE-2020-8277.html
https://bugzilla.suse.com/1178882