openSUSE Security Announce
October 2023
13 Oct '23
# Security update for cni
Announcement ID: SUSE-SU-2023:4076-1
Rating: important
References:
* #1212475
* #1216006
Affected Products:
* Containers Module 15-SP5
* openSUSE Leap 15.5
* SUSE Linux Enterprise High Performance Computing 15 SP5
* SUSE Linux Enterprise Micro 5.5
* SUSE Linux Enterprise Real Time 15 SP5
* SUSE Linux Enterprise Server 15 SP5
* SUSE Linux Enterprise Server for SAP Applications 15 SP5
An update that has two security fixes can now be installed.
## Description:
This update of cni fixes the following issues:
* rebuild the package with the go 1.21 security release (bsc#1212475).
## Patch Instructions:
To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
* openSUSE Leap 15.5
zypper in -t patch SUSE-2023-4076=1 openSUSE-SLE-15.5-2023-4076=1
* SUSE Linux Enterprise Micro 5.5
zypper in -t patch SUSE-SLE-Micro-5.5-2023-4076=1
* Containers Module 15-SP5
zypper in -t patch SUSE-SLE-Module-Containers-15-SP5-2023-4076=1
## Package List:
* openSUSE Leap 15.5 (aarch64 ppc64le s390x x86_64 i586)
* cni-debuginfo-1.1.2-150500.3.2.1
* cni-1.1.2-150500.3.2.1
* SUSE Linux Enterprise Micro 5.5 (aarch64 s390x x86_64)
* cni-debuginfo-1.1.2-150500.3.2.1
* cni-1.1.2-150500.3.2.1
* Containers Module 15-SP5 (aarch64 ppc64le s390x x86_64)
* cni-debuginfo-1.1.2-150500.3.2.1
* cni-1.1.2-150500.3.2.1
## References:
* https://bugzilla.suse.com/show_bug.cgi?id=1212475
* https://bugzilla.suse.com/show_bug.cgi?id=1216006
openSUSE-SU-2023:0300-1: important: Security update for chromium
by opensuse-security@opensuse.org 13 Oct '23
openSUSE Security Update: Security update for chromium
______________________________________________________________________________
Announcement ID: openSUSE-SU-2023:0300-1
Rating: important
References: #1216111
Cross-References: CVE-2023-5218 CVE-2023-5473 CVE-2023-5474
CVE-2023-5475 CVE-2023-5476 CVE-2023-5477
CVE-2023-5478 CVE-2023-5479 CVE-2023-5481
CVE-2023-5483 CVE-2023-5484 CVE-2023-5485
CVE-2023-5486 CVE-2023-5487
CVSS scores:
CVE-2023-5218 (NVD) : 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE-2023-5473 (NVD) : 6.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
CVE-2023-5474 (NVD) : 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE-2023-5475 (NVD) : 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
CVE-2023-5476 (NVD) : 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE-2023-5477 (NVD) : 4.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
CVE-2023-5478 (NVD) : 4.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
CVE-2023-5479 (NVD) : 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
CVE-2023-5481 (NVD) : 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
CVE-2023-5483 (NVD) : 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
CVE-2023-5484 (NVD) : 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
CVE-2023-5485 (NVD) : 4.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
CVE-2023-5486 (NVD) : 4.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
CVE-2023-5487 (NVD) : 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Affected Products:
openSUSE Backports SLE-15-SP4
openSUSE Backports SLE-15-SP5
______________________________________________________________________________
An update that fixes 14 vulnerabilities is now available.
Description:
This update for chromium fixes the following issues:
Chromium 118.0.5993.70 (boo#1216111)
- CVE-2023-5218: Use after free in Site Isolation
- CVE-2023-5487: Inappropriate implementation in Fullscreen
- CVE-2023-5484: Inappropriate implementation in Navigation
- CVE-2023-5475: Inappropriate implementation in DevTools
- CVE-2023-5483: Inappropriate implementation in Intents
- CVE-2023-5481: Inappropriate implementation in Downloads
- CVE-2023-5476: Use after free in Blink History
- CVE-2023-5474: Heap buffer overflow in PDF
- CVE-2023-5479: Inappropriate implementation in Extensions API
- CVE-2023-5485: Inappropriate implementation in Autofill
- CVE-2023-5478: Inappropriate implementation in Autofill
- CVE-2023-5477: Inappropriate implementation in Installer
- CVE-2023-5486: Inappropriate implementation in Input
- CVE-2023-5473: Use after free in Cast
Patch Instructions:
To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Backports SLE-15-SP5:
zypper in -t patch openSUSE-2023-300=1
- openSUSE Backports SLE-15-SP4:
zypper in -t patch openSUSE-2023-300=1
Package List:
- openSUSE Backports SLE-15-SP5 (aarch64 x86_64):
chromedriver-118.0.5993.70-bp155.2.46.1
chromedriver-debuginfo-118.0.5993.70-bp155.2.46.1
chromium-118.0.5993.70-bp155.2.46.1
chromium-debuginfo-118.0.5993.70-bp155.2.46.1
- openSUSE Backports SLE-15-SP4 (aarch64 x86_64):
chromedriver-118.0.5993.70-bp154.2.132.1
chromium-118.0.5993.70-bp154.2.132.1
References:
https://www.suse.com/security/cve/CVE-2023-5218.html
https://www.suse.com/security/cve/CVE-2023-5473.html
https://www.suse.com/security/cve/CVE-2023-5474.html
https://www.suse.com/security/cve/CVE-2023-5475.html
https://www.suse.com/security/cve/CVE-2023-5476.html
https://www.suse.com/security/cve/CVE-2023-5477.html
https://www.suse.com/security/cve/CVE-2023-5478.html
https://www.suse.com/security/cve/CVE-2023-5479.html
https://www.suse.com/security/cve/CVE-2023-5481.html
https://www.suse.com/security/cve/CVE-2023-5483.html
https://www.suse.com/security/cve/CVE-2023-5484.html
https://www.suse.com/security/cve/CVE-2023-5485.html
https://www.suse.com/security/cve/CVE-2023-5486.html
https://www.suse.com/security/cve/CVE-2023-5487.html
https://bugzilla.suse.com/1216111
SUSE-SU-2023:4068-1: important: Security update for go1.20
by security@lists.opensuse.org 13 Oct '23
# Security update for go1.20
Announcement ID: SUSE-SU-2023:4068-1
Rating: important
References:
* #1206346
* #1216109
Cross-References:
* CVE-2023-39325
* CVE-2023-44487
CVSS scores:
* CVE-2023-39325 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2023-44487 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected Products:
* Development Tools Module 15-SP4
* Development Tools Module 15-SP5
* openSUSE Leap 15.4
* openSUSE Leap 15.5
* SUSE Linux Enterprise Desktop 15 SP4
* SUSE Linux Enterprise Desktop 15 SP5
* SUSE Linux Enterprise High Performance Computing 15 SP4
* SUSE Linux Enterprise High Performance Computing 15 SP5
* SUSE Linux Enterprise Real Time 15 SP4
* SUSE Linux Enterprise Real Time 15 SP5
* SUSE Linux Enterprise Server 15 SP4
* SUSE Linux Enterprise Server 15 SP5
* SUSE Linux Enterprise Server for SAP Applications 15 SP4
* SUSE Linux Enterprise Server for SAP Applications 15 SP5
* SUSE Manager Proxy 4.3
* SUSE Manager Retail Branch Server 4.3
* SUSE Manager Server 4.3
An update that solves two vulnerabilities can now be installed.
## Description:
This update for go1.20 fixes the following issues:
* Update to go1.20.10 (bsc#1206346)
* CVE-2023-39325: Fixed a flaw that can lead to a DoS due to rapid stream
resets causing excessive work. This is also known as CVE-2023-44487.
(bsc#1216109)
## Patch Instructions:
To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
* openSUSE Leap 15.4
zypper in -t patch openSUSE-SLE-15.4-2023-4068=1
* openSUSE Leap 15.5
zypper in -t patch openSUSE-SLE-15.5-2023-4068=1
* Development Tools Module 15-SP4
zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP4-2023-4068=1
* Development Tools Module 15-SP5
zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP5-2023-4068=1
## Package List:
* openSUSE Leap 15.4 (aarch64 ppc64le s390x x86_64)
* go1.20-doc-1.20.10-150000.1.29.1
* go1.20-race-1.20.10-150000.1.29.1
* go1.20-1.20.10-150000.1.29.1
* go1.20-debuginfo-1.20.10-150000.1.29.1
* openSUSE Leap 15.5 (aarch64 ppc64le s390x x86_64)
* go1.20-doc-1.20.10-150000.1.29.1
* go1.20-race-1.20.10-150000.1.29.1
* go1.20-1.20.10-150000.1.29.1
* go1.20-debuginfo-1.20.10-150000.1.29.1
* Development Tools Module 15-SP4 (aarch64 ppc64le s390x x86_64)
* go1.20-doc-1.20.10-150000.1.29.1
* go1.20-1.20.10-150000.1.29.1
* Development Tools Module 15-SP4 (aarch64 x86_64)
* go1.20-race-1.20.10-150000.1.29.1
* Development Tools Module 15-SP5 (aarch64 ppc64le s390x x86_64)
* go1.20-doc-1.20.10-150000.1.29.1
* go1.20-race-1.20.10-150000.1.29.1
* go1.20-1.20.10-150000.1.29.1
* go1.20-debuginfo-1.20.10-150000.1.29.1
## References:
* https://www.suse.com/security/cve/CVE-2023-39325.html
* https://www.suse.com/security/cve/CVE-2023-44487.html
* https://bugzilla.suse.com/show_bug.cgi?id=1206346
* https://bugzilla.suse.com/show_bug.cgi?id=1216109
SUSE-SU-2023:4069-1: important: Security update for go1.21
by security@lists.opensuse.org 13 Oct '23
# Security update for go1.21
Announcement ID: SUSE-SU-2023:4069-1
Rating: important
References:
* #1212475
* #1216109
Cross-References:
* CVE-2023-39325
* CVE-2023-44487
CVSS scores:
* CVE-2023-39325 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2023-44487 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected Products:
* Development Tools Module 15-SP4
* Development Tools Module 15-SP5
* openSUSE Leap 15.4
* openSUSE Leap 15.5
* SUSE Linux Enterprise Desktop 15 SP4
* SUSE Linux Enterprise Desktop 15 SP5
* SUSE Linux Enterprise High Performance Computing 15 SP4
* SUSE Linux Enterprise High Performance Computing 15 SP5
* SUSE Linux Enterprise Real Time 15 SP4
* SUSE Linux Enterprise Real Time 15 SP5
* SUSE Linux Enterprise Server 15 SP4
* SUSE Linux Enterprise Server 15 SP5
* SUSE Linux Enterprise Server for SAP Applications 15 SP4
* SUSE Linux Enterprise Server for SAP Applications 15 SP5
* SUSE Manager Proxy 4.3
* SUSE Manager Retail Branch Server 4.3
* SUSE Manager Server 4.3
An update that solves two vulnerabilities can now be installed.
## Description:
This update for go1.21 fixes the following issues:
* Update to go1.21.3 (bsc#1212475)
* CVE-2023-39325: Fixed a flaw that can lead to a DoS due to rapid stream
resets causing excessive work. This is also known as CVE-2023-44487.
(bsc#1216109)
## Patch Instructions:
To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
* openSUSE Leap 15.5
zypper in -t patch openSUSE-SLE-15.5-2023-4069=1
* Development Tools Module 15-SP4
zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP4-2023-4069=1
* Development Tools Module 15-SP5
zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP5-2023-4069=1
* openSUSE Leap 15.4
zypper in -t patch openSUSE-SLE-15.4-2023-4069=1
## Package List:
* openSUSE Leap 15.5 (aarch64 ppc64le s390x x86_64)
* go1.21-doc-1.21.3-150000.1.12.1
* go1.21-race-1.21.3-150000.1.12.1
* go1.21-1.21.3-150000.1.12.1
* Development Tools Module 15-SP4 (aarch64 ppc64le s390x x86_64)
* go1.21-doc-1.21.3-150000.1.12.1
* go1.21-1.21.3-150000.1.12.1
* Development Tools Module 15-SP4 (aarch64 x86_64)
* go1.21-race-1.21.3-150000.1.12.1
* Development Tools Module 15-SP5 (aarch64 ppc64le s390x x86_64)
* go1.21-doc-1.21.3-150000.1.12.1
* go1.21-race-1.21.3-150000.1.12.1
* go1.21-1.21.3-150000.1.12.1
* openSUSE Leap 15.4 (aarch64 ppc64le s390x x86_64)
* go1.21-doc-1.21.3-150000.1.12.1
* go1.21-race-1.21.3-150000.1.12.1
* go1.21-1.21.3-150000.1.12.1
## References:
* https://www.suse.com/security/cve/CVE-2023-39325.html
* https://www.suse.com/security/cve/CVE-2023-44487.html
* https://bugzilla.suse.com/show_bug.cgi?id=1212475
* https://bugzilla.suse.com/show_bug.cgi?id=1216109
SUSE-SU-2023:4071-1: important: Security update for the Linux Kernel
by security@lists.opensuse.org 13 Oct '23
# Security update for the Linux Kernel
Announcement ID: SUSE-SU-2023:4071-1
Rating: important
References:
* #1152472
* #1202845
* #1206453
* #1213808
* #1214928
* #1214942
* #1214943
* #1214944
* #1214950
* #1214951
* #1214954
* #1214957
* #1214986
* #1214988
* #1214992
* #1214993
* #1215322
* #1215877
* #1215894
* #1215895
* #1215896
* #1215911
* #1215915
* #1215916
* PED-2023
* PED-2025
Cross-References:
* CVE-2023-1192
* CVE-2023-1206
* CVE-2023-1859
* CVE-2023-2177
* CVE-2023-39192
* CVE-2023-39193
* CVE-2023-39194
* CVE-2023-4155
* CVE-2023-42753
* CVE-2023-42754
* CVE-2023-4389
* CVE-2023-4622
* CVE-2023-4623
* CVE-2023-4881
* CVE-2023-4921
* CVE-2023-5345
CVSS scores:
* CVE-2023-1192 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
* CVE-2023-1206 ( SUSE ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2023-1206 ( NVD ): 5.7 CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
* CVE-2023-1859 ( SUSE ): 1.9 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:L
* CVE-2023-1859 ( NVD ): 4.7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
* CVE-2023-2177 ( SUSE ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
* CVE-2023-2177 ( NVD ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
* CVE-2023-39192 ( SUSE ): 6.0 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:H
* CVE-2023-39192 ( NVD ): 6.7 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L
* CVE-2023-39193 ( SUSE ): 5.1 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:L
* CVE-2023-39193 ( NVD ): 5.1 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:L
* CVE-2023-39194 ( SUSE ): 3.2 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N
* CVE-2023-39194 ( NVD ): 3.2 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N
* CVE-2023-4155 ( SUSE ): 6.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
* CVE-2023-4155 ( NVD ): 5.3 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:N/I:N/A:H
* CVE-2023-42753 ( NVD ): 7.0 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
* CVE-2023-42754 ( SUSE ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
* CVE-2023-42754 ( NVD ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
* CVE-2023-4389 ( SUSE ): 5.8 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H
* CVE-2023-4389 ( NVD ): 7.0 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
* CVE-2023-4622 ( SUSE ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
* CVE-2023-4622 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
* CVE-2023-4623 ( SUSE ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
* CVE-2023-4623 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
* CVE-2023-4881 ( SUSE ): 6.1 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L
* CVE-2023-4881 ( NVD ): 6.1 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H
* CVE-2023-4921 ( SUSE ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
* CVE-2023-4921 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
* CVE-2023-5345 ( SUSE ): 7.0 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
* CVE-2023-5345 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Affected Products:
* Basesystem Module 15-SP5
* Development Tools Module 15-SP5
* Legacy Module 15-SP5
* openSUSE Leap 15.5
* SUSE Linux Enterprise Desktop 15 SP5
* SUSE Linux Enterprise High Availability Extension 15 SP5
* SUSE Linux Enterprise High Performance Computing 15 SP5
* SUSE Linux Enterprise Live Patching 15-SP5
* SUSE Linux Enterprise Micro 5.5
* SUSE Linux Enterprise Real Time 15 SP5
* SUSE Linux Enterprise Server 15 SP5
* SUSE Linux Enterprise Server for SAP Applications 15 SP5
* SUSE Linux Enterprise Workstation Extension 15 SP5
An update that solves 16 vulnerabilities, contains two features and has eight
security fixes can now be installed.
## Description:
The SUSE Linux Enterprise 15 SP5 kernel was updated to receive various security
and bugfixes.
The following security bugs were fixed:
* CVE-2023-39194: Fixed a flaw in the processing of state filters which could
allow a local attacker to disclose sensitive information. (bsc#1215861)
* CVE-2023-39193: Fixed a flaw in the processing of state filters which could
allow a local attacker to disclose sensitive information. (bsc#1215860)
* CVE-2023-39192: Fixed a flaw in the u32_match_it function which could allow
a local attacker to disclose sensitive information. (bsc#1215858)
* CVE-2023-42754: Fixed a null pointer dereference in ipv4_link_failure which
could lead an authenticated attacker to trigger a DoS. (bsc#1215467)
* CVE-2023-5345: Fixed a use-after-free vulnerability in the fs/smb/client
component which could be exploited to achieve local privilege escalation.
(bsc#1215899)
* CVE-2023-4155: Fixed a flaw in KVM AMD Secure Encrypted Virtualization
(SEV). An attacker can trigger a stack overflow and cause a denial of
service or potentially guest-to-host escape in kernel configurations without
stack guard pages. (bsc#1214022)
* CVE-2023-4389: Fixed a reference counting issue in the Btrfs filesystem that
could be exploited in order to leak internal kernel information or crash the
system (bsc#1214351).
* CVE-2023-42753: Fixed an array indexing vulnerability in the netfilter
subsystem. This issue may have allowed a local user to crash the system or
potentially escalate their privileges (bsc#1215150).
* CVE-2023-1206: Fixed a hash collision flaw in the IPv6 connection lookup
table. A user located in the local network or with a high bandwidth
connection can increase the CPU usage of the server that accepts IPV6
connections up to 95% (bsc#1212703).
* CVE-2023-4921: Fixed a use-after-free vulnerability in the QFQ network
scheduler which could be exploited to achieve local privilege escalation
(bsc#1215275).
* CVE-2023-4622: Fixed a use-after-free vulnerability in the Unix domain
sockets component which could be exploited to achieve local privilege
escalation (bsc#1215117).
* CVE-2023-4623: Fixed a use-after-free issue in the HFSC network scheduler
which could be exploited to achieve local privilege escalation
(bsc#1215115).
* CVE-2023-1859: Fixed a use-after-free flaw in Xen transport for 9pfs which
could be exploited to crash the system (bsc#1210169).
* CVE-2023-4881: Fixed an out-of-bounds write flaw in the netfilter subsystem
that could lead to potential information disclosure or a denial of service
(bsc#1215221).
* CVE-2023-2177: Fixed a null pointer dereference issue in the sctp network
protocol which could allow a user to crash the system (bsc#1210643).
* CVE-2023-1192: Fixed use-after-free in cifs_demultiplex_thread()
(bsc#1208995).
The following non-security bugs were fixed:
* ALSA: hda/cirrus: Fix broken audio on hardware with two CS42L42 codecs (git-
fixes).
* ALSA: hda/realtek: Splitting the UX3402 into two separate models (git-
fixes).
* ARM: pxa: remove use of symbol_get() (git-fixes).
* arm64: csum: Fix OoB access in IP checksum code for negative lengths (git-
fixes).
* arm64: module-plts: inline linux/moduleloader.h (git-fixes)
* arm64: module: Use module_init_layout_section() to spot init sections (git-
fixes)
* arm64: sdei: abort running SDEI handlers during crash (git-fixes)
* arm64: tegra: Update AHUB clock parent and rate (git-fixes)
* arm64/fpsimd: Only provide the length to cpufeature for xCR registers (git-
fixes)
* arm64/hyperv: Use CPUHP_AP_HYPERV_ONLINE state to fix CPU online sequencing
(bsc#1206453).
* ASoC: amd: yc: Fix non-functional mic on Lenovo 82QF and 82UG (git-fixes).
* ASoC: hdaudio.c: Add missing check for devm_kstrdup (git-fixes).
* ASoC: imx-audmix: Fix return error with devm_clk_get() (git-fixes).
* ASoC: meson: spdifin: start hw on dai probe (git-fixes).
* ASoC: rt5640: Fix IRQ not being free-ed for HDA jack detect mode (git-
fixes).
* ASoC: rt5640: Fix sleep in atomic context (git-fixes).
* ASoC: rt5640: Revert "Fix sleep in atomic context" (git-fixes).
* ASoC: soc-utils: Export snd_soc_dai_is_dummy() symbol (git-fixes).
* ASoC: SOF: core: Only call sof_ops_free() on remove if the probe was
successful (git-fixes).
* ASoC: tegra: Fix redundant PLLA and PLLA_OUT0 updates (git-fixes).
* ata: libata: disallow dev-initiated LPM transitions to unsupported states
(git-fixes).
* ata: pata_falcon: fix IO base selection for Q40 (git-fixes).
* ata: pata_ftide010: Add missing MODULE_DESCRIPTION (git-fixes).
* ata: sata_gemini: Add missing MODULE_DESCRIPTION (git-fixes).
* backlight: gpio_backlight: Drop output GPIO direction check for initial
power state (git-fixes).
* blk-iocost: fix divide by 0 error in calc_lcoefs() (bsc#1214986).
* blk-iocost: use spin_lock_irqsave in adjust_inuse_and_calc_cost
(bsc#1214992).
* block/mq-deadline: use correct way to throttling write requests
(bsc#1214993).
* Bluetooth: btsdio: fix use after free bug in btsdio_remove due to race
condition (git-fixes).
* bnx2x: new flag for track HW resource allocation (bsc#1202845 bsc#1215322).
* bpf: Clear the probe_addr for uprobe (git-fixes).
* btrfs: do not hold CPU for too long when defragging a file (bsc#1214988).
* clocksource: hyper-v: Mark hyperv tsc page unencrypted in sev-snp
enlightened guest (bsc#1206453).
* drivers: hv: Mark percpu hvcall input arg page unencrypted in SEV-SNP
enlightened guest (bsc#1206453).
* Drivers: hv: vmbus: Bring the post_msg_page back for TDX VMs with the
paravisor (bsc#1206453).
* Drivers: hv: vmbus: Support >64 VPs for a fully enlightened TDX/SNP VM
(bsc#1206453).
* Drivers: hv: vmbus: Support fully enlightened TDX guests (bsc#1206453).
* drm: gm12u320: Fix the timeout usage for usb_bulk_msg() (git-fixes).
* drm/amd/display: Add smu write msg id fail retry process (git-fixes).
* drm/amd/display: enable cursor degamma for DCN3+ DRM legacy gamma (git-
fixes).
* drm/amd/display: fix the white screen issue when >= 64GB DRAM (git-fixes).
* drm/amd/display: prevent potential division by zero errors (git-fixes).
* drm/amd/display: register edp_backlight_control() for DCN301 (git-fixes).
* drm/amd/display: Remove wait while locked (git-fixes).
* drm/ast: Add BMC virtual connector (bsc#1152472) Backporting changes: *
rename ast_device to ast_private
* drm/ast: report connection status on Display Port. (bsc#1152472) Backporting
changes: * rename ast_device to ast_private * context changes
* drm/display: Do not assume dual mode adaptors support i2c sub-addressing
(bsc#1213808).
* drm/i915: mark requests for GuC virtual engines to avoid use-after-free
(git-fixes).
* drm/i915/gvt: Drop unused helper intel_vgpu_reset_gtt() (git-fixes).
* drm/i915/gvt: Put the page reference obtained by KVM's gfn_to_pfn() (git-
fixes).
* drm/i915/gvt: Verify pfn is "valid" before dereferencing "struct page" (git-
fixes).
* drm/meson: fix memory leak on ->hpd_notify callback (git-fixes).
* drm/virtio: Correct drm_gem_shmem_get_sg_table() error handling (git-fixes).
* drm/virtio: Use appropriate atomic state in virtio_gpu_plane_cleanup_fb()
(git-fixes).
* ext4: avoid potential data overflow in next_linear_group (bsc#1214951).
* ext4: correct inline offset when handling xattrs in inode body
(bsc#1214950).
* ext4: fix memory leaks in ext4_fname_{setup_filename,prepare_lookup}
(bsc#1214954).
* ext4: fix wrong unit use in ext4_mb_clear_bb (bsc#1214943).
* ext4: fix wrong unit use in ext4_mb_new_blocks (bsc#1214944).
* ext4: get block from bh in ext4_free_blocks for fast commit replay
(bsc#1214942).
* ext4: reflect error codes from ext4_multi_mount_protect() to its callers
(bsc#1214941).
* ext4: Remove ext4 locking of moved directory (bsc#1214957).
* ext4: set goal start correctly in ext4_mb_normalize_request (bsc#1214940).
* fs: do not update freeing inode i_io_list (bsc#1214813).
* fs: Establish locking order for unrelated directories (bsc#1214958).
* fs: Lock moved directories (bsc#1214959).
* fs: lockd: avoid possible wrong NULL parameter (git-fixes).
* fs: no need to check source (bsc#1215752).
* fs: record I_DIRTY_TIME even if inode already has I_DIRTY_INODE
(bsc#1214813).
* fuse: nlookup missing decrement in fuse_direntplus_link (bsc#1215581).
* gve: Add AF_XDP zero-copy support for GQI-QPL format (bsc#1214479).
* gve: Add XDP DROP and TX support for GQI-QPL format (bsc#1214479).
* gve: Add XDP REDIRECT support for GQI-QPL format (bsc#1214479).
* gve: Changes to add new TX queues (bsc#1214479).
* gve: Control path for DQO-QPL (bsc#1214479).
* gve: fix frag_list chaining (bsc#1214479).
* gve: Fix gve interrupt names (bsc#1214479).
* gve: RX path for DQO-QPL (bsc#1214479).
* gve: trivial spell fix Recive to Receive (bsc#1214479).
* gve: Tx path for DQO-QPL (bsc#1214479).
* gve: Unify duplicate GQ min pkt desc size constants (bsc#1214479).
* gve: use vmalloc_array and vcalloc (bsc#1214479).
* gve: XDP support GQI-QPL: helper function changes (bsc#1214479).
* hwrng: virtio - add an internal buffer (git-fixes).
* hwrng: virtio - always add a pending request (git-fixes).
* hwrng: virtio - do not wait on cleanup (git-fixes).
* hwrng: virtio - do not waste entropy (git-fixes).
* hwrng: virtio - Fix race on data_avail and actual data (git-fixes).
* i2c: aspeed: Reset the i2c controller when timeout occurs (git-fixes).
* i3c: master: svc: fix probe failure when no i3c device exist (git-fixes).
* i915/pmu: Move execlist stats initialization to execlist specific setup
(git-fixes).
* idr: fix param name in idr_alloc_cyclic() doc (git-fixes).
* Input: tca6416-keypad - fix interrupt enable disbalance (git-fixes).
* iommu/virtio: Detach domain on endpoint release (git-fixes).
* iommu/virtio: Return size mapped for a detached domain (git-fixes).
* jbd2: check 'jh->b_transaction' before removing it from checkpoint
(bsc#1214953).
* jbd2: correct the end of the journal recovery scan range (bsc#1214955).
* jbd2: fix a race when checking checkpoint buffer busy (bsc#1214949).
* jbd2: fix checkpoint cleanup performance regression (bsc#1214952).
* jbd2: Fix wrongly judgement for buffer head removing while doing checkpoint
(bsc#1214948).
* jbd2: recheck chechpointing non-dirty buffer (bsc#1214945).
* jbd2: remove journal_clean_one_cp_list() (bsc#1214947).
* jbd2: remove t_checkpoint_io_list (bsc#1214946).
* jbd2: restore t_checkpoint_io_list to maintain kABI (bsc#1214946).
* kabi: hide changes in enum ipl_type and struct sclp_info (jsc#PED-2023
jsc#PED-2025).
* kabi/severities: ignore mlx4 internal symbols
* kconfig: fix possible buffer overflow (git-fixes).
* kernel-binary: Move build-time definitions together Move source list and
build architecture to buildrequires to aid in future reorganization of the
spec template.
* kernel-binary: python3 is needed for build At least
scripts/bpf_helpers_doc.py requires python3 since Linux 4.18 Other simimlar
scripts may exist.
* kselftest/runner.sh: Propagate SIGTERM to runner child (git-fixes).
* KVM: s390: fix KVM_S390_GET_CMMA_BITS for GFNs in memslot holes (git-fixes
bsc#1215915).
* KVM: s390: interrupt: use READ_ONCE() before cmpxchg() (git-fixes
bsc#1215896).
* KVM: s390: pv: fix external interruption loop not always detected (git-fixes
bsc#1215916).
* KVM: s390: vsie: Fix the initialization of the epoch extension (epdx) field
(git-fixes bsc#1215894).
* KVM: s390: vsie: fix the length of APCB bitmap (git-fixes bsc#1215895).
* KVM: s390/diag: fix racy access of physical cpu number in diag 9c handler
(git-fixes bsc#1215911).
* KVM: SVM: Remove a duplicate definition of VMCB_AVIC_APIC_BAR_MASK (git-
fixes).
* KVM: VMX: Fix header file dependency of asm/vmx.h (git-fixes).
* KVM: x86: Fix KVM_CAP_SYNC_REGS's sync_regs() TOCTOU issues (git-fixes).
* KVM: x86/mmu: Include mmu.h in spte.h (git-fixes).
* loop: Fix use-after-free issues (bsc#1214991).
* loop: loop_set_status_from_info() check before assignment (bsc#1214990).
* mlx4: Avoid resetting MLX4_INTFF_BONDING per driver (bsc#1187236).
* mlx4: Connect the ethernet part to the auxiliary bus (bsc#1187236).
* mlx4: Connect the infiniband part to the auxiliary bus (bsc#1187236).
* mlx4: Delete custom device management logic (bsc#1187236).
* mlx4: Get rid of the mlx4_interface.activate callback (bsc#1187236).
* mlx4: Get rid of the mlx4_interface.get_dev callback (bsc#1187236).
* mlx4: Move the bond work to the core driver (bsc#1187236).
* mlx4: Register mlx4 devices to an auxiliary virtual bus (bsc#1187236).
* mlx4: Rename member mlx4_en_dev.nb to netdev_nb (bsc#1187236).
* mlx4: Replace the mlx4_interface.event callback with a notifier
(bsc#1187236).
* mlx4: Use 'void *' as the event param of mlx4_dispatch_event()
(bsc#1187236).
* module: Expose module_init_layout_section() (git-fixes)
* net: do not allow gso_size to be set to GSO_BY_FRAGS (git-fixes).
* net: mana: Add page pool for RX buffers (bsc#1214040).
* net: mana: Configure hwc timeout from hardware (bsc#1214037).
* net: phy: micrel: Correct bit assignments for phy_device flags (git-fixes).
* net: usb: qmi_wwan: add Quectel EM05GV2 (git-fixes).
* net/mlx4: Remove many unnecessary NULL values (bsc#1187236).
* NFS: Guard against READDIR loop when entry names exceed MAXNAMELEN (git-
fixes).
* NFS/blocklayout: Use the passed in gfp flags (git-fixes).
* NFS/pNFS: Report EINVAL errors from connect() to the server (git-fixes).
* NFSD: da_addr_body field missing in some GETDEVICEINFO replies (git-fixes).
* NFSD: fix change_info in NFSv4 RENAME replies (git-fixes).
* NFSD: Fix race to FREE_STATEID and cl_revoked (git-fixes).
* NFSv4: Fix dropped lock for racing OPEN and delegation return (git-fixes).
* NFSv4: fix out path in __nfs4_get_acl_uncached (git-fixes).
* NFSv4.2: fix error handling in nfs42_proc_getxattr (git-fixes).
* NFSv4.2: fix handling of COPY ERR_OFFLOAD_NO_REQ (git-fixes).
* NFSv4/pnfs: minor fix for cleanup path in nfs4_get_device_info (git-fixes).
* ntb: Clean up tx tail index on link down (git-fixes).
* ntb: Drop packets when qp link is down (git-fixes).
* ntb: Fix calculation ntb_transport_tx_free_entry() (git-fixes).
* nvme-auth: use chap->s2 to indicate bidirectional authentication
(bsc#1214543).
* nvme-tcp: add recovery_delay to sysfs (bsc#1201284).
* nvme-tcp: delay error recovery until the next KATO interval (bsc#1201284).
* nvme-tcp: Do not terminate commands when in RESETTING (bsc#1201284).
* nvme-tcp: make 'err_work' a delayed work (bsc#1201284).
* PCI: Free released resource after coalescing (git-fixes).
* platform/mellanox: mlxbf-pmc: Fix potential buffer overflows (git-fixes).
* platform/mellanox: mlxbf-pmc: Fix reading of unprogrammed events (git-
fixes).
* platform/mellanox: mlxbf-tmfifo: Drop jumbo frames (git-fixes).
* platform/mellanox: mlxbf-tmfifo: Drop the Rx packet if no more descriptors
(git-fixes).
* platform/x86: intel_scu_ipc: Check status after timeout in busy_loop() (git-
fixes).
* platform/x86: intel_scu_ipc: Check status upon timeout in
ipc_wait_for_interrupt() (git-fixes).
* platform/x86: intel_scu_ipc: Do not override scu in
intel_scu_ipc_dev_simple_command() (git-fixes).
* platform/x86: intel_scu_ipc: Fail IPC send if still busy (git-fixes).
* pNFS: Fix assignment of xprtdata.cred (git-fixes).
* powerpc/fadump: make is_kdump_kernel() return false when fadump is active
(bsc#1212639 ltc#202582).
* powerpc/iommu: Fix notifiers being shared by PCI and VIO buses
(bsc#1065729).
* powerpc/xics: Remove unnecessary endian conversion (bsc#1065729).
* printk: ringbuffer: Fix truncating buffer size min_t cast (bsc#1215875).
* pwm: lpc32xx: Remove handling of PWM channels (git-fixes).
* quota: add new helper dquot_active() (bsc#1214998).
* quota: factor out dquot_write_dquot() (bsc#1214995).
* quota: fix dqput() to follow the guarantees dquot_srcu should provide
(bsc#1214963).
* quota: fix warning in dqgrab() (bsc#1214962).
* quota: Properly disable quotas when add_dquot_ref() fails (bsc#1214961).
* quota: rename dquot_active() to inode_quota_active() (bsc#1214997).
* RDMA/siw: Fabricate a GID on tun and loopback devices (git-fixes)
* s390/dasd: fix command reject error on ESE devices (LTC#203630 bsc#1215123
git-fixes).
* s390/dasd: fix hanging device after request requeue (git-fixes LTC#203629
bsc#1215124).
* s390/ipl: add DEFINE_GENERIC_LOADPARM() (jsc#PED-2023).
* s390/ipl: add eckd dump support (jsc#PED-2025).
* s390/ipl: add eckd support (jsc#PED-2023).
* s390/ipl: add loadparm parameter to eckd ipl/reipl data (jsc#PED-2023).
* s390/ipl: use octal values instead of S_* macros (jsc#PED-2023).
* s390/qeth: Do not call dev_close/dev_open (DOWN/UP) (bsc#1214873 git-fixes).
* s390/zcrypt: do not leak memory if dev_set_name() fails (git-fixes
bsc#1215148).
* scsi: 3w-xxxx: Add error handling for initialization failure in tw_probe()
(git-fixes).
* scsi: 53c700: Check that command slot is not NULL (git-fixes).
* scsi: core: Fix legacy /proc parsing buffer overflow (git-fixes).
* scsi: core: Fix possible memory leak if device_add() fails (git-fixes).
* scsi: fnic: Replace return codes in fnic_clean_pending_aborts() (git-fixes).
* scsi: lpfc: Do not abuse UUID APIs and LPFC_COMPRESS_VMID_SIZE (git-fixes).
* scsi: lpfc: Early return after marking final NLP_DROPPED flag in
dev_loss_tmo (git-fixes).
* scsi: lpfc: Fix the NULL vs IS_ERR() bug for debugfs_create_file() (git-
fixes).
* scsi: lpfc: Modify when a node should be put in device recovery mode during
RSCN (git-fixes).
* scsi: lpfc: Prevent use-after-free during rmmod with mapped NVMe rports
(git-fixes).
* scsi: lpfc: Remove reftag check in DIF paths (git-fixes).
* scsi: qedf: Add synchronization between I/O completions and abort
(bsc#1210658).
* scsi: qedf: Fix firmware halt over suspend and resume (git-fixes).
* scsi: qedf: Fix NULL dereference in error handling (git-fixes).
* scsi: qedi: Fix firmware halt over suspend and resume (git-fixes).
* scsi: qla2xxx: Add logs for SFP temperature monitoring (bsc#1214928).
* scsi: qla2xxx: Allow 32-byte CDBs (bsc#1214928).
* scsi: qla2xxx: Error code did not return to upper layer (bsc#1214928).
* scsi: qla2xxx: Fix firmware resource tracking (bsc#1214928).
* scsi: qla2xxx: Fix NULL vs IS_ERR() bug for debugfs_create_dir() (git-
fixes).
* scsi: qla2xxx: Fix smatch warn for qla_init_iocb_limit() (bsc#1214928).
* scsi: qla2xxx: Flush mailbox commands on chip reset (bsc#1214928).
* scsi: qla2xxx: Move resource to allow code reuse (bsc#1214928).
* scsi: qla2xxx: Remove unsupported ql2xenabledif option (bsc#1214928).
* scsi: qla2xxx: Remove unused declarations (bsc#1214928).
* scsi: qla2xxx: Remove unused variables in qla24xx_build_scsi_type_6_iocbs()
(bsc#1214928).
* scsi: qla2xxx: Update version to 10.02.09.100-k (bsc#1214928).
* scsi: qla2xxx: Use raw_smp_processor_id() instead of smp_processor_id()
(git-fixes).
* scsi: scsi_debug: Remove dead code (git-fixes).
* scsi: snic: Fix double free in snic_tgt_create() (git-fixes).
* scsi: snic: Fix possible memory leak if device_add() fails (git-fixes).
* scsi: storvsc: Handle additional SRB status values (git-fixes).
* scsi: zfcp: Fix a double put in zfcp_port_enqueue() (git-fixes bsc#1215941).
* selftests: mlxsw: Fix test failure on Spectrum-4 (jsc#PED-1549).
* selftests: tracing: Fix to unmount tracefs for recovering environment (git-
fixes).
* spi: Add TPM HW flow flag (bsc#1213534)
* spi: tegra210-quad: Enable TPM wait polling (bsc#1213534)
* spi: tegra210-quad: set half duplex flag (bsc#1213534)
* SUNRPC: Mark the cred for revalidation if the server rejects it (git-fixes).
* tcpm: Avoid soft reset when partner does not support get_status (git-fixes).
* tpm_tis_spi: Add hardware wait polling (bsc#1213534)
* tracing: Fix race issue between cpu buffer write and swap (git-fixes).
* tracing: Remove extra space at the end of hwlat_detector/mode (git-fixes).
* tracing: Remove unnecessary copying of tr->current_trace (git-fixes).
* uapi: stddef.h: Fix __DECLARE_FLEX_ARRAY for C++ (git-fixes).
* udf: Fix extension of the last extent in the file (bsc#1214964).
* udf: Fix file corruption when appending just after end of preallocated
extent (bsc#1214965).
* udf: Fix off-by-one error when discarding preallocation (bsc#1214966).
* udf: Fix uninitialized array access for some pathnames (bsc#1214967).
* Update metadata
* uprobes/x86: Allow to probe a NOP instruction with 0x66 prefix (git-fixes).
* usb: ehci: add workaround for chipidea PORTSC.PEC bug (git-fixes).
* usb: ehci: move new member has_ci_pec_bug into hole (git-fixes).
* usb: serial: option: add FOXCONN T99W368/T99W373 product (git-fixes).
* usb: serial: option: add Quectel EM05G variant (0x030e) (git-fixes).
* usb: typec: tcpci: clear the fault status bit (git-fixes).
* usb: typec: tcpci: move tcpci.h to include/linux/usb/ (git-fixes).
* vhost_vdpa: fix the crash in unmap a large memory (git-fixes).
* vhost-scsi: unbreak any layout for response (git-fixes).
* vhost: allow batching hint without size (git-fixes).
* vhost: fix hung thread due to erroneous iotlb entries (git-fixes).
* vhost: handle error while adding split ranges to iotlb (git-fixes).
* virtio_net: add checking sq is full inside xdp xmit (git-fixes).
* virtio_net: Fix probe failed when modprobe virtio_net (git-fixes).
* virtio_net: reorder some funcs (git-fixes).
* virtio_net: separate the logic of checking whether sq is full (git-fixes).
* virtio_ring: fix avail_wrap_counter in virtqueue_add_packed (git-fixes).
* virtio-blk: set req->state to MQ_RQ_COMPLETE after polling I/O is finished
(git-fixes).
* virtio-mmio: do not break lifecycle of vm_dev (git-fixes).
* virtio-net: fix race between set queues and probe (git-fixes).
* virtio-net: set queues after driver_ok (git-fixes).
* virtio-rng: make device ready before making request (git-fixes).
* virtio: acknowledge all features before access (git-fixes).
* vmcore: remove dependency with is_kdump_kernel() for exporting vmcore
(bsc#1212639 ltc#202582).
* watchdog: intel-mid_wdt: add MODULE_ALIAS() to allow auto-load (git-fixes).
* word-at-a-time: use the same return type for has_zero regardless of
endianness (bsc#1065729).
* x86/alternative: Fix race in try_get_desc() (git-fixes).
* x86/boot/e820: Fix typo in e820.c comment (git-fixes).
* x86/bugs: Reset speculation control settings on init (git-fixes).
* x86/coco: Allow CPU online/offline for a TDX VM with the paravisor on
Hyper-V (bsc#1206453).
* x86/coco: Export cc_vendor (bsc#1206453).
* x86/cpu: Add Lunar Lake M (git-fixes).
* x86/cpu: Add model number for Intel Arrow Lake processor (git-fixes).
* x86/fpu: Take task_struct* in copy_sigframe_from_user_to_xstate() (git-
fixes).
* x86/head/64: Switch to KERNEL_CS as soon as new GDT is installed (git-
fixes).
* x86/hyperv: Add hv_isolation_type_tdx() to detect TDX guests (bsc#1206453).
* x86/hyperv: Add hv_write_efer() for a TDX VM with the paravisor
(bsc#1206453).
* x86/hyperv: Add hyperv-specific handling for VMMCALL under SEV-ES
(bsc#1206453).
* x86/hyperv: Add missing 'inline' to hv_snp_boot_ap() stub (bsc#1206453).
* x86/hyperv: Add sev-snp enlightened guest static key (bsc#1206453)
* x86/hyperv: Add smp support for SEV-SNP guest (bsc#1206453).
* x86/hyperv: Add VTL specific structs and hypercalls (bsc#1206453).
* x86/hyperv: Fix hyperv_pcpu_input_arg handling when CPUs go online/offline
(bsc#1206453).
* x86/hyperv: Fix serial console interrupts for fully enlightened TDX guests
(bsc#1206453).
* x86/hyperv: Fix undefined reference to isolation_type_en_snp without
CONFIG_HYPERV (bsc#1206453).
* x86/hyperv: Introduce a global variable hyperv_paravisor_present
(bsc#1206453).
* x86/hyperv: Mark hv_ghcb_terminate() as noreturn (bsc#1206453).
* x86/hyperv: Mark Hyper-V vp assist page unencrypted in SEV-SNP enlightened
guest (bsc#1206453).
* x86/hyperv: Move the code in ivm.c around to avoid unnecessary ifdef's
(bsc#1206453).
* x86/hyperv: Remove hv_isolation_type_en_snp (bsc#1206453).
* x86/hyperv: Set Virtual Trust Level in VMBus init message (bsc#1206453).
* x86/hyperv: Support hypercalls for fully enlightened TDX guests
(bsc#1206453).
* x86/hyperv: Use TDX GHCI to access some MSRs in a TDX VM with the paravisor
(bsc#1206453).
* x86/hyperv: Use vmmcall to implement Hyper-V hypercall in sev-snp
enlightened guest (bsc#1206453).
* x86/i8259: Mark legacy PIC interrupts with IRQ_LEVEL (git-fixes).
* x86/ioapic: Do not return 0 from arch_dynirq_lower_bound() (git-fixes).
* x86/ioremap: Fix page aligned size calculation in __ioremap_caller() (git-
fixes).
* x86/mce: Retrieve poison range from hardware (git-fixes).
* x86/mem_encrypt: Unbreak the AMD_MEM_ENCRYPT=n build (git-fixes).
* x86/mm: Avoid incomplete Global INVLPG flushes (git-fixes).
* x86/mm: Do not shuffle CPU entry areas without KASLR (git-fixes).
* x86/purgatory: remove PGO flags (git-fixes).
* x86/PVH: avoid 32-bit build warning when obtaining VGA console info (git-
fixes).
* x86/reboot: Disable virtualization in an emergency if SVM is supported (git-
fixes).
* x86/resctl: fix scheduler confusion with 'current' (git-fixes).
* x86/resctrl: Fix task CLOSID/RMID update race (git-fixes).
* x86/resctrl: Fix to restore to original value when re-enabling hardware
prefetch register (git-fixes).
* x86/rtc: Remove __init for runtime functions (git-fixes).
* x86/sev: Make enc_dec_hypercall() accept a size instead of npages
(bsc#1214635).
* x86/sgx: Reduce delay and interference of enclave release (git-fixes).
* x86/srso: Do not probe microcode in a guest (git-fixes).
* x86/srso: Fix SBPB enablement for spec_rstack_overflow=off (git-fixes).
* x86/srso: Fix srso_show_state() side effect (git-fixes).
* x86/srso: Set CPUID feature bits independently of bug or mitigation status
(git-fixes).
* x86/virt: Force GIF=1 prior to disabling SVM (for reboot flows) (git-fixes).
* xen: remove a confusing comment on auto-translated guest I/O (git-fixes).
* xprtrdma: Remap Receive buffers after a reconnect (git-fixes).
## Special Instructions and Notes:
* Please reboot the system after installing this update.
## Patch Instructions:
To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
* openSUSE Leap 15.5
zypper in -t patch SUSE-2023-4071=1 openSUSE-SLE-15.5-2023-4071=1
* SUSE Linux Enterprise Micro 5.5
zypper in -t patch SUSE-SLE-Micro-5.5-2023-4071=1
* Basesystem Module 15-SP5
zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP5-2023-4071=1
* Development Tools Module 15-SP5
zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP5-2023-4071=1
* Legacy Module 15-SP5
zypper in -t patch SUSE-SLE-Module-Legacy-15-SP5-2023-4071=1
* SUSE Linux Enterprise Live Patching 15-SP5
zypper in -t patch SUSE-SLE-Module-Live-Patching-15-SP5-2023-4071=1
Please note that this is the initial kernel livepatch, which itself contains no
fixes; this package is later updated by separate standalone kernel livepatch
updates.
* SUSE Linux Enterprise High Availability Extension 15 SP5
zypper in -t patch SUSE-SLE-Product-HA-15-SP5-2023-4071=1
* SUSE Linux Enterprise Workstation Extension 15 SP5
zypper in -t patch SUSE-SLE-Product-WE-15-SP5-2023-4071=1
## Package List:
* openSUSE Leap 15.5 (noarch nosrc)
* kernel-docs-5.14.21-150500.55.31.1
* openSUSE Leap 15.5 (noarch)
* kernel-macros-5.14.21-150500.55.31.1
* kernel-source-vanilla-5.14.21-150500.55.31.1
* kernel-source-5.14.21-150500.55.31.1
* kernel-devel-5.14.21-150500.55.31.1
* kernel-docs-html-5.14.21-150500.55.31.1
* openSUSE Leap 15.5 (nosrc ppc64le x86_64)
* kernel-debug-5.14.21-150500.55.31.1
* openSUSE Leap 15.5 (ppc64le x86_64)
* kernel-debug-debuginfo-5.14.21-150500.55.31.1
* kernel-debug-devel-debuginfo-5.14.21-150500.55.31.1
* kernel-debug-livepatch-devel-5.14.21-150500.55.31.1
* kernel-debug-devel-5.14.21-150500.55.31.1
* kernel-debug-debugsource-5.14.21-150500.55.31.1
* openSUSE Leap 15.5 (x86_64)
* kernel-default-vdso-debuginfo-5.14.21-150500.55.31.1
* kernel-kvmsmall-vdso-debuginfo-5.14.21-150500.55.31.1
* kernel-debug-vdso-5.14.21-150500.55.31.1
* kernel-default-vdso-5.14.21-150500.55.31.1
* kernel-kvmsmall-vdso-5.14.21-150500.55.31.1
* kernel-debug-vdso-debuginfo-5.14.21-150500.55.31.1
* openSUSE Leap 15.5 (aarch64 ppc64le x86_64)
* kernel-kvmsmall-debuginfo-5.14.21-150500.55.31.1
* kernel-default-base-5.14.21-150500.55.31.1.150500.6.13.1
* kernel-kvmsmall-livepatch-devel-5.14.21-150500.55.31.1
* kernel-kvmsmall-devel-debuginfo-5.14.21-150500.55.31.1
* kernel-kvmsmall-debugsource-5.14.21-150500.55.31.1
* kernel-kvmsmall-devel-5.14.21-150500.55.31.1
* kernel-default-base-rebuild-5.14.21-150500.55.31.1.150500.6.13.1
* openSUSE Leap 15.5 (aarch64 ppc64le s390x x86_64)
* reiserfs-kmp-default-debuginfo-5.14.21-150500.55.31.1
* ocfs2-kmp-default-debuginfo-5.14.21-150500.55.31.1
* kernel-default-livepatch-devel-5.14.21-150500.55.31.1
* kernel-default-debugsource-5.14.21-150500.55.31.1
* kernel-syms-5.14.21-150500.55.31.1
* dlm-kmp-default-5.14.21-150500.55.31.1
* gfs2-kmp-default-5.14.21-150500.55.31.1
* kernel-default-extra-debuginfo-5.14.21-150500.55.31.1
* dlm-kmp-default-debuginfo-5.14.21-150500.55.31.1
* kselftests-kmp-default-debuginfo-5.14.21-150500.55.31.1
* kselftests-kmp-default-5.14.21-150500.55.31.1
* kernel-default-debuginfo-5.14.21-150500.55.31.1
* kernel-default-extra-5.14.21-150500.55.31.1
* reiserfs-kmp-default-5.14.21-150500.55.31.1
* kernel-default-optional-5.14.21-150500.55.31.1
* kernel-default-devel-debuginfo-5.14.21-150500.55.31.1
* kernel-obs-build-debugsource-5.14.21-150500.55.31.1
* cluster-md-kmp-default-5.14.21-150500.55.31.1
* kernel-obs-build-5.14.21-150500.55.31.1
* kernel-obs-qa-5.14.21-150500.55.31.1
* kernel-default-optional-debuginfo-5.14.21-150500.55.31.1
* cluster-md-kmp-default-debuginfo-5.14.21-150500.55.31.1
* kernel-default-livepatch-5.14.21-150500.55.31.1
* ocfs2-kmp-default-5.14.21-150500.55.31.1
* gfs2-kmp-default-debuginfo-5.14.21-150500.55.31.1
* kernel-default-devel-5.14.21-150500.55.31.1
* openSUSE Leap 15.5 (aarch64 ppc64le s390x x86_64 nosrc)
* kernel-default-5.14.21-150500.55.31.1
* openSUSE Leap 15.5 (aarch64 nosrc ppc64le x86_64)
* kernel-kvmsmall-5.14.21-150500.55.31.1
* openSUSE Leap 15.5 (ppc64le s390x x86_64)
* kernel-livepatch-SLE15-SP5_Update_6-debugsource-1-150500.11.3.1
* kernel-livepatch-5_14_21-150500_55_31-default-debuginfo-1-150500.11.3.1
* kernel-livepatch-5_14_21-150500_55_31-default-1-150500.11.3.1
* openSUSE Leap 15.5 (nosrc s390x)
* kernel-zfcpdump-5.14.21-150500.55.31.1
* openSUSE Leap 15.5 (s390x)
* kernel-zfcpdump-debuginfo-5.14.21-150500.55.31.1
* kernel-zfcpdump-debugsource-5.14.21-150500.55.31.1
* openSUSE Leap 15.5 (nosrc)
* dtb-aarch64-5.14.21-150500.55.31.1
* openSUSE Leap 15.5 (aarch64)
* dtb-marvell-5.14.21-150500.55.31.1
* dlm-kmp-64kb-debuginfo-5.14.21-150500.55.31.1
* kselftests-kmp-64kb-debuginfo-5.14.21-150500.55.31.1
* dtb-amazon-5.14.21-150500.55.31.1
* dtb-lg-5.14.21-150500.55.31.1
* kernel-64kb-devel-debuginfo-5.14.21-150500.55.31.1
* kernel-64kb-devel-5.14.21-150500.55.31.1
* kernel-64kb-optional-5.14.21-150500.55.31.1
* dlm-kmp-64kb-5.14.21-150500.55.31.1
* kernel-64kb-debugsource-5.14.21-150500.55.31.1
* kselftests-kmp-64kb-5.14.21-150500.55.31.1
* dtb-apple-5.14.21-150500.55.31.1
* ocfs2-kmp-64kb-5.14.21-150500.55.31.1
* kernel-64kb-optional-debuginfo-5.14.21-150500.55.31.1
* reiserfs-kmp-64kb-debuginfo-5.14.21-150500.55.31.1
* reiserfs-kmp-64kb-5.14.21-150500.55.31.1
* dtb-qcom-5.14.21-150500.55.31.1
* cluster-md-kmp-64kb-5.14.21-150500.55.31.1
* gfs2-kmp-64kb-5.14.21-150500.55.31.1
* dtb-exynos-5.14.21-150500.55.31.1
* kernel-64kb-debuginfo-5.14.21-150500.55.31.1
* dtb-arm-5.14.21-150500.55.31.1
* kernel-64kb-extra-debuginfo-5.14.21-150500.55.31.1
* kernel-64kb-livepatch-devel-5.14.21-150500.55.31.1
* dtb-freescale-5.14.21-150500.55.31.1
* dtb-allwinner-5.14.21-150500.55.31.1
* dtb-xilinx-5.14.21-150500.55.31.1
* dtb-socionext-5.14.21-150500.55.31.1
* dtb-nvidia-5.14.21-150500.55.31.1
* dtb-amlogic-5.14.21-150500.55.31.1
* gfs2-kmp-64kb-debuginfo-5.14.21-150500.55.31.1
* ocfs2-kmp-64kb-debuginfo-5.14.21-150500.55.31.1
* dtb-apm-5.14.21-150500.55.31.1
* dtb-renesas-5.14.21-150500.55.31.1
* dtb-amd-5.14.21-150500.55.31.1
* dtb-cavium-5.14.21-150500.55.31.1
* dtb-mediatek-5.14.21-150500.55.31.1
* dtb-hisilicon-5.14.21-150500.55.31.1
* cluster-md-kmp-64kb-debuginfo-5.14.21-150500.55.31.1
* dtb-altera-5.14.21-150500.55.31.1
* kernel-64kb-extra-5.14.21-150500.55.31.1
* dtb-broadcom-5.14.21-150500.55.31.1
* dtb-sprd-5.14.21-150500.55.31.1
* dtb-rockchip-5.14.21-150500.55.31.1
* openSUSE Leap 15.5 (aarch64 nosrc)
* kernel-64kb-5.14.21-150500.55.31.1
* SUSE Linux Enterprise Micro 5.5 (aarch64 nosrc s390x x86_64)
* kernel-default-5.14.21-150500.55.31.1
* SUSE Linux Enterprise Micro 5.5 (aarch64 x86_64)
* kernel-default-base-5.14.21-150500.55.31.1.150500.6.13.1
* SUSE Linux Enterprise Micro 5.5 (aarch64 s390x x86_64)
* kernel-default-debuginfo-5.14.21-150500.55.31.1
* kernel-default-debugsource-5.14.21-150500.55.31.1
* Basesystem Module 15-SP5 (aarch64 nosrc)
* kernel-64kb-5.14.21-150500.55.31.1
* Basesystem Module 15-SP5 (aarch64)
* kernel-64kb-debugsource-5.14.21-150500.55.31.1
* kernel-64kb-devel-5.14.21-150500.55.31.1
* kernel-64kb-debuginfo-5.14.21-150500.55.31.1
* kernel-64kb-devel-debuginfo-5.14.21-150500.55.31.1
* Basesystem Module 15-SP5 (aarch64 ppc64le s390x x86_64 nosrc)
* kernel-default-5.14.21-150500.55.31.1
* Basesystem Module 15-SP5 (aarch64 ppc64le x86_64)
* kernel-default-base-5.14.21-150500.55.31.1.150500.6.13.1
* Basesystem Module 15-SP5 (aarch64 ppc64le s390x x86_64)
* kernel-default-debuginfo-5.14.21-150500.55.31.1
* kernel-default-devel-5.14.21-150500.55.31.1
* kernel-default-debugsource-5.14.21-150500.55.31.1
* kernel-default-devel-debuginfo-5.14.21-150500.55.31.1
* Basesystem Module 15-SP5 (noarch)
* kernel-macros-5.14.21-150500.55.31.1
* kernel-devel-5.14.21-150500.55.31.1
* Basesystem Module 15-SP5 (nosrc s390x)
* kernel-zfcpdump-5.14.21-150500.55.31.1
* Basesystem Module 15-SP5 (s390x)
* kernel-zfcpdump-debuginfo-5.14.21-150500.55.31.1
* kernel-zfcpdump-debugsource-5.14.21-150500.55.31.1
* Development Tools Module 15-SP5 (noarch nosrc)
* kernel-docs-5.14.21-150500.55.31.1
* Development Tools Module 15-SP5 (aarch64 ppc64le s390x x86_64)
* kernel-obs-build-debugsource-5.14.21-150500.55.31.1
* kernel-syms-5.14.21-150500.55.31.1
* kernel-obs-build-5.14.21-150500.55.31.1
* Development Tools Module 15-SP5 (noarch)
* kernel-source-5.14.21-150500.55.31.1
* Legacy Module 15-SP5 (nosrc)
* kernel-default-5.14.21-150500.55.31.1
* Legacy Module 15-SP5 (aarch64 ppc64le s390x x86_64)
* kernel-default-debuginfo-5.14.21-150500.55.31.1
* kernel-default-debugsource-5.14.21-150500.55.31.1
* reiserfs-kmp-default-5.14.21-150500.55.31.1
* reiserfs-kmp-default-debuginfo-5.14.21-150500.55.31.1
* SUSE Linux Enterprise Live Patching 15-SP5 (nosrc)
* kernel-default-5.14.21-150500.55.31.1
* SUSE Linux Enterprise Live Patching 15-SP5 (ppc64le s390x x86_64)
* kernel-livepatch-5_14_21-150500_55_31-default-1-150500.11.3.1
* kernel-livepatch-SLE15-SP5_Update_6-debugsource-1-150500.11.3.1
* kernel-default-livepatch-devel-5.14.21-150500.55.31.1
* kernel-livepatch-5_14_21-150500_55_31-default-debuginfo-1-150500.11.3.1
* kernel-default-debuginfo-5.14.21-150500.55.31.1
* kernel-default-debugsource-5.14.21-150500.55.31.1
* kernel-default-livepatch-5.14.21-150500.55.31.1
* SUSE Linux Enterprise High Availability Extension 15 SP5 (aarch64 ppc64le
s390x x86_64)
* cluster-md-kmp-default-5.14.21-150500.55.31.1
* ocfs2-kmp-default-debuginfo-5.14.21-150500.55.31.1
* dlm-kmp-default-debuginfo-5.14.21-150500.55.31.1
* ocfs2-kmp-default-5.14.21-150500.55.31.1
* kernel-default-debuginfo-5.14.21-150500.55.31.1
* gfs2-kmp-default-debuginfo-5.14.21-150500.55.31.1
* kernel-default-debugsource-5.14.21-150500.55.31.1
* cluster-md-kmp-default-debuginfo-5.14.21-150500.55.31.1
* dlm-kmp-default-5.14.21-150500.55.31.1
* gfs2-kmp-default-5.14.21-150500.55.31.1
* SUSE Linux Enterprise High Availability Extension 15 SP5 (nosrc)
* kernel-default-5.14.21-150500.55.31.1
* SUSE Linux Enterprise Workstation Extension 15 SP5 (nosrc)
* kernel-default-5.14.21-150500.55.31.1
* SUSE Linux Enterprise Workstation Extension 15 SP5 (x86_64)
* kernel-default-debuginfo-5.14.21-150500.55.31.1
* kernel-default-extra-debuginfo-5.14.21-150500.55.31.1
* kernel-default-extra-5.14.21-150500.55.31.1
* kernel-default-debugsource-5.14.21-150500.55.31.1
## References:
* https://www.suse.com/security/cve/CVE-2023-1192.html
* https://www.suse.com/security/cve/CVE-2023-1206.html
* https://www.suse.com/security/cve/CVE-2023-1859.html
* https://www.suse.com/security/cve/CVE-2023-2177.html
* https://www.suse.com/security/cve/CVE-2023-39192.html
* https://www.suse.com/security/cve/CVE-2023-39193.html
* https://www.suse.com/security/cve/CVE-2023-39194.html
* https://www.suse.com/security/cve/CVE-2023-4155.html
* https://www.suse.com/security/cve/CVE-2023-42753.html
* https://www.suse.com/security/cve/CVE-2023-42754.html
* https://www.suse.com/security/cve/CVE-2023-4389.html
* https://www.suse.com/security/cve/CVE-2023-4622.html
* https://www.suse.com/security/cve/CVE-2023-4623.html
* https://www.suse.com/security/cve/CVE-2023-4881.html
* https://www.suse.com/security/cve/CVE-2023-4921.html
* https://www.suse.com/security/cve/CVE-2023-5345.html
* https://bugzilla.suse.com/show_bug.cgi?id=1152472
* https://bugzilla.suse.com/show_bug.cgi?id=1202845
* https://bugzilla.suse.com/show_bug.cgi?id=1206453
* https://bugzilla.suse.com/show_bug.cgi?id=1213808
* https://bugzilla.suse.com/show_bug.cgi?id=1214928
* https://bugzilla.suse.com/show_bug.cgi?id=1214942
* https://bugzilla.suse.com/show_bug.cgi?id=1214943
* https://bugzilla.suse.com/show_bug.cgi?id=1214944
* https://bugzilla.suse.com/show_bug.cgi?id=1214950
* https://bugzilla.suse.com/show_bug.cgi?id=1214951
* https://bugzilla.suse.com/show_bug.cgi?id=1214954
* https://bugzilla.suse.com/show_bug.cgi?id=1214957
* https://bugzilla.suse.com/show_bug.cgi?id=1214986
* https://bugzilla.suse.com/show_bug.cgi?id=1214988
* https://bugzilla.suse.com/show_bug.cgi?id=1214992
* https://bugzilla.suse.com/show_bug.cgi?id=1214993
* https://bugzilla.suse.com/show_bug.cgi?id=1215322
* https://bugzilla.suse.com/show_bug.cgi?id=1215877
* https://bugzilla.suse.com/show_bug.cgi?id=1215894
* https://bugzilla.suse.com/show_bug.cgi?id=1215895
* https://bugzilla.suse.com/show_bug.cgi?id=1215896
* https://bugzilla.suse.com/show_bug.cgi?id=1215911
* https://bugzilla.suse.com/show_bug.cgi?id=1215915
* https://bugzilla.suse.com/show_bug.cgi?id=1215916
* https://jira.suse.com/browse/PED-2023
* https://jira.suse.com/browse/PED-2025
SUSE-SU-2023:4072-1: important: Security update for the Linux Kernel
by security@lists.opensuse.org 13 Oct '23
# Security update for the Linux Kernel
Announcement ID: SUSE-SU-2023:4072-1
Rating: important
References:
* #1202845
* #1213808
* #1214928
* #1214940
* #1214941
* #1214942
* #1214943
* #1214944
* #1214950
* #1214951
* #1214954
* #1214957
* #1214986
* #1214988
* #1214992
* #1214993
* #1215322
* #1215877
* #1215894
* #1215895
* #1215896
* #1215911
* #1215915
* #1215916
Cross-References:
* CVE-2023-1192
* CVE-2023-1206
* CVE-2023-1859
* CVE-2023-2177
* CVE-2023-39192
* CVE-2023-39193
* CVE-2023-39194
* CVE-2023-4155
* CVE-2023-42753
* CVE-2023-42754
* CVE-2023-4389
* CVE-2023-4563
* CVE-2023-4622
* CVE-2023-4623
* CVE-2023-4881
* CVE-2023-4921
* CVE-2023-5345
CVSS scores:
* CVE-2023-1192 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
* CVE-2023-1206 ( SUSE ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2023-1206 ( NVD ): 5.7 CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
* CVE-2023-1859 ( SUSE ): 1.9 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:L
* CVE-2023-1859 ( NVD ): 4.7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
* CVE-2023-2177 ( SUSE ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
* CVE-2023-2177 ( NVD ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
* CVE-2023-39192 ( SUSE ): 6.0 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:H
* CVE-2023-39192 ( NVD ): 6.7 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L
* CVE-2023-39193 ( SUSE ): 5.1 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:L
* CVE-2023-39193 ( NVD ): 5.1 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:L
* CVE-2023-39194 ( SUSE ): 3.2 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N
* CVE-2023-39194 ( NVD ): 3.2 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N
* CVE-2023-4155 ( SUSE ): 6.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
* CVE-2023-4155 ( NVD ): 5.3 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:N/I:N/A:H
* CVE-2023-42753 ( NVD ): 7.0 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
* CVE-2023-42754 ( SUSE ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
* CVE-2023-42754 ( NVD ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
* CVE-2023-4389 ( SUSE ): 5.8 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H
* CVE-2023-4389 ( NVD ): 7.0 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
* CVE-2023-4563 ( SUSE ): 0.0 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:N
* CVE-2023-4622 ( SUSE ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
* CVE-2023-4622 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
* CVE-2023-4623 ( SUSE ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
* CVE-2023-4623 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
* CVE-2023-4881 ( SUSE ): 6.1 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L
* CVE-2023-4881 ( NVD ): 6.1 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H
* CVE-2023-4921 ( SUSE ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
* CVE-2023-4921 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
* CVE-2023-5345 ( SUSE ): 7.0 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
* CVE-2023-5345 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Affected Products:
* Basesystem Module 15-SP4
* Development Tools Module 15-SP4
* Legacy Module 15-SP4
* openSUSE Leap 15.4
* SUSE Linux Enterprise Desktop 15 SP4
* SUSE Linux Enterprise High Availability Extension 15 SP4
* SUSE Linux Enterprise High Performance Computing 15 SP4
* SUSE Linux Enterprise Live Patching 15-SP4
* SUSE Linux Enterprise Micro 5.3
* SUSE Linux Enterprise Micro 5.4
* SUSE Linux Enterprise Micro for Rancher 5.3
* SUSE Linux Enterprise Micro for Rancher 5.4
* SUSE Linux Enterprise Real Time 15 SP4
* SUSE Linux Enterprise Server 15 SP4
* SUSE Linux Enterprise Server for SAP Applications 15 SP4
* SUSE Linux Enterprise Workstation Extension 15 SP4
* SUSE Manager Proxy 4.3
* SUSE Manager Retail Branch Server 4.3
* SUSE Manager Server 4.3
An update that solves 17 vulnerabilities and has seven security fixes can now be
installed.
## Description:
The SUSE Linux Enterprise 15 SP4 kernel was updated to receive various security
and bug fixes.
The following security bugs were fixed:
* CVE-2023-4563: Fixed a use-after-free flaw in the nftables sub-component.
This vulnerability could allow a local attacker to crash the system or lead
to a kernel information leak problem. (bsc#1214727)
* CVE-2023-39194: Fixed a flaw in the processing of state filters which could
allow a local attacker to disclose sensitive information. (bsc#1215861)
* CVE-2023-39193: Fixed a flaw in the processing of state filters which could
allow a local attacker to disclose sensitive information. (bsc#1215860)
* CVE-2023-39192: Fixed a flaw in the u32_match_it function which could allow
a local attacker to disclose sensitive information. (bsc#1215858)
* CVE-2023-42754: Fixed a null pointer dereference in ipv4_link_failure which
could allow an authenticated attacker to trigger a DoS. (bsc#1215467)
* CVE-2023-5345: Fixed a use-after-free vulnerability in the fs/smb/client
component which could be exploited to achieve local privilege escalation.
(bsc#1215899)
* CVE-2023-4155: Fixed a flaw in KVM AMD Secure Encrypted Virtualization
(SEV). An attacker can trigger a stack overflow and cause a denial of
service or potentially guest-to-host escape in kernel configurations without
stack guard pages. (bsc#1214022)
* CVE-2023-4389: Fixed a reference counting issue in the Btrfs filesystem that
could be exploited in order to leak internal kernel information or crash the
system (bsc#1214351).
* CVE-2023-42753: Fixed an array indexing vulnerability in the netfilter
subsystem. This issue may have allowed a local user to crash the system or
potentially escalate their privileges (bsc#1215150).
* CVE-2023-1206: Fixed a hash collision flaw in the IPv6 connection lookup
table. A user located in the local network or with a high bandwidth
connection can increase the CPU usage of the server that accepts IPv6
connections up to 95% (bsc#1212703).
* CVE-2023-4921: Fixed a use-after-free vulnerability in the QFQ network
scheduler which could be exploited to achieve local privilege escalation
(bsc#1215275).
* CVE-2023-4622: Fixed a use-after-free vulnerability in the Unix domain
sockets component which could be exploited to achieve local privilege
escalation (bsc#1215117).
* CVE-2023-4623: Fixed a use-after-free issue in the HFSC network scheduler
which could be exploited to achieve local privilege escalation
(bsc#1215115).
* CVE-2023-1859: Fixed a use-after-free flaw in Xen transport for 9pfs which
could be exploited to crash the system (bsc#1210169).
* CVE-2023-4881: Fixed an out-of-bounds write flaw in the netfilter subsystem
that could lead to potential information disclosure or a denial of service
(bsc#1215221).
* CVE-2023-2177: Fixed a null pointer dereference issue in the sctp network
protocol which could allow a user to crash the system (bsc#1210643).
* CVE-2023-1192: Fixed use-after-free in cifs_demultiplex_thread()
(bsc#1208995).
The following non-security bugs were fixed:
* ALSA: hda/cirrus: Fix broken audio on hardware with two CS42L42 codecs (git-
fixes).
* ALSA: hda/realtek: Splitting the UX3402 into two separate models (git-
fixes).
* ARM: pxa: remove use of symbol_get() (git-fixes).
* arm64: csum: Fix OoB access in IP checksum code for negative lengths (git-
fixes).
* arm64: module-plts: inline linux/moduleloader.h (git-fixes)
* arm64: module: Use module_init_layout_section() to spot init sections (git-
fixes)
* arm64: sdei: abort running SDEI handlers during crash (git-fixes)
* arm64: tegra: Update AHUB clock parent and rate (git-fixes)
* arm64/fpsimd: Only provide the length to cpufeature for xCR registers (git-
fixes)
* ASoC: imx-audmix: Fix return error with devm_clk_get() (git-fixes).
* ASoC: meson: spdifin: start hw on dai probe (git-fixes).
* ASoC: soc-utils: Export snd_soc_dai_is_dummy() symbol (git-fixes).
* ASoC: tegra: Fix redundant PLLA and PLLA_OUT0 updates (git-fixes).
* ata: libata: disallow dev-initiated LPM transitions to unsupported states
(git-fixes).
* ata: pata_falcon: fix IO base selection for Q40 (git-fixes).
* ata: pata_ftide010: Add missing MODULE_DESCRIPTION (git-fixes).
* ata: sata_gemini: Add missing MODULE_DESCRIPTION (git-fixes).
* backlight: gpio_backlight: Drop output GPIO direction check for initial
power state (git-fixes).
* blk-iocost: fix divide by 0 error in calc_lcoefs() (bsc#1214986).
* blk-iocost: use spin_lock_irqsave in adjust_inuse_and_calc_cost
(bsc#1214992).
* block/mq-deadline: use correct way to throttling write requests
(bsc#1214993).
* Bluetooth: btsdio: fix use after free bug in btsdio_remove due to race
condition (git-fixes).
* bnx2x: new flag for track HW resource allocation (bsc#1202845 bsc#1215322).
* bpf: Clear the probe_addr for uprobe (git-fixes).
* btrfs: do not hold CPU for too long when defragging a file (bsc#1214988).
* drm: gm12u320: Fix the timeout usage for usb_bulk_msg() (git-fixes).
* drm/amd/display: fix the white screen issue when >= 64GB DRAM (git-fixes).
* drm/amd/display: prevent potential division by zero errors (git-fixes).
* drm/display: Do not assume dual mode adaptors support i2c sub-addressing
(bsc#1213808).
* drm/i915: mark requests for GuC virtual engines to avoid use-after-free
(git-fixes).
* drm/i915/gvt: Drop unused helper intel_vgpu_reset_gtt() (git-fixes).
* drm/virtio: Correct drm_gem_shmem_get_sg_table() error handling (git-fixes).
* drm/virtio: Use appropriate atomic state in virtio_gpu_plane_cleanup_fb()
(git-fixes).
* ext4: avoid potential data overflow in next_linear_group (bsc#1214951).
* ext4: correct inline offset when handling xattrs in inode body
(bsc#1214950).
* ext4: fix memory leaks in ext4_fname_{setup_filename,prepare_lookup}
(bsc#1214954).
* ext4: fix wrong unit use in ext4_mb_clear_bb (bsc#1214943).
* ext4: fix wrong unit use in ext4_mb_new_blocks (bsc#1214944).
* ext4: get block from bh in ext4_free_blocks for fast commit replay
(bsc#1214942).
* ext4: reflect error codes from ext4_multi_mount_protect() to its callers
(bsc#1214941).
* ext4: Remove ext4 locking of moved directory (bsc#1214957).
* ext4: set goal start correctly in ext4_mb_normalize_request (bsc#1214940).
* fs: do not update freeing inode i_io_list (bsc#1214813).
* fs: Establish locking order for unrelated directories (bsc#1214958).
* fs: Lock moved directories (bsc#1214959).
* fs: lockd: avoid possible wrong NULL parameter (git-fixes).
* fs: no need to check source (bsc#1215752).
* fs: record I_DIRTY_TIME even if inode already has I_DIRTY_INODE
(bsc#1214813).
* fuse: nlookup missing decrement in fuse_direntplus_link (bsc#1215581).
* gve: Add AF_XDP zero-copy support for GQI-QPL format (bsc#1214479).
* gve: Add XDP DROP and TX support for GQI-QPL format (bsc#1214479).
* gve: Add XDP REDIRECT support for GQI-QPL format (bsc#1214479).
* gve: Changes to add new TX queues (bsc#1214479).
* gve: Control path for DQO-QPL (bsc#1214479).
* gve: fix frag_list chaining (bsc#1214479).
* gve: Fix gve interrupt names (bsc#1214479).
* gve: RX path for DQO-QPL (bsc#1214479).
* gve: trivial spell fix Recive to Receive (bsc#1214479).
* gve: Tx path for DQO-QPL (bsc#1214479).
* gve: Unify duplicate GQ min pkt desc size constants (bsc#1214479).
* gve: use vmalloc_array and vcalloc (bsc#1214479).
* gve: XDP support GQI-QPL: helper function changes (bsc#1214479).
* hwrng: virtio - add an internal buffer (git-fixes).
* hwrng: virtio - always add a pending request (git-fixes).
* hwrng: virtio - do not wait on cleanup (git-fixes).
* hwrng: virtio - do not waste entropy (git-fixes).
* hwrng: virtio - Fix race on data_avail and actual data (git-fixes).
* i2c: aspeed: Reset the i2c controller when timeout occurs (git-fixes).
* i3c: master: svc: fix probe failure when no i3c device exist (git-fixes).
* idr: fix param name in idr_alloc_cyclic() doc (git-fixes).
* Input: tca6416-keypad - fix interrupt enable disbalance (git-fixes).
* iommu/virtio: Detach domain on endpoint release (git-fixes).
* jbd2: check 'jh->b_transaction' before removing it from checkpoint
(bsc#1214953).
* jbd2: correct the end of the journal recovery scan range (bsc#1214955).
* jbd2: fix a race when checking checkpoint buffer busy (bsc#1214949).
* jbd2: fix checkpoint cleanup performance regression (bsc#1214952).
* jbd2: Fix wrongly judgement for buffer head removing while doing checkpoint
(bsc#1214948).
* jbd2: recheck chechpointing non-dirty buffer (bsc#1214945).
* jbd2: remove journal_clean_one_cp_list() (bsc#1214947).
* jbd2: remove t_checkpoint_io_list (bsc#1214946).
* jbd2: restore t_checkpoint_io_list to maintain kABI (bsc#1214946).
* kabi/severities: ignore mlx4 internal symbols
* kconfig: fix possible buffer overflow (git-fixes).
* kernel-binary: Move build-time definitions together. Move source list and
build architecture to buildrequires to aid in future reorganization of the
spec template.
* kernel-binary: python3 is needed for build. At least
scripts/bpf_helpers_doc.py requires python3 since Linux 4.18. Other similar
scripts may exist.
* kselftest/runner.sh: Propagate SIGTERM to runner child (git-fixes).
* KVM: s390: fix KVM_S390_GET_CMMA_BITS for GFNs in memslot holes (git-fixes
bsc#1215915).
* KVM: s390: interrupt: use READ_ONCE() before cmpxchg() (git-fixes
bsc#1215896).
* KVM: s390: pv: fix external interruption loop not always detected (git-fixes
bsc#1215916).
* KVM: s390: vsie: Fix the initialization of the epoch extension (epdx) field
(git-fixes bsc#1215894).
* KVM: s390: vsie: fix the length of APCB bitmap (git-fixes bsc#1215895).
* KVM: s390/diag: fix racy access of physical cpu number in diag 9c handler
(git-fixes bsc#1215911).
* KVM: SVM: Remove a duplicate definition of VMCB_AVIC_APIC_BAR_MASK (git-
fixes).
* KVM: VMX: Fix header file dependency of asm/vmx.h (git-fixes).
* KVM: x86: Fix KVM_CAP_SYNC_REGS's sync_regs() TOCTOU issues (git-fixes).
* KVM: x86/mmu: Include mmu.h in spte.h (git-fixes).
* loop: Fix use-after-free issues (bsc#1214991).
* loop: loop_set_status_from_info() check before assignment (bsc#1214990).
* mlx4: Avoid resetting MLX4_INTFF_BONDING per driver (bsc#1187236).
* mlx4: Connect the ethernet part to the auxiliary bus (bsc#1187236).
* mlx4: Connect the infiniband part to the auxiliary bus (bsc#1187236).
* mlx4: Delete custom device management logic (bsc#1187236).
* mlx4: Get rid of the mlx4_interface.activate callback (bsc#1187236).
* mlx4: Get rid of the mlx4_interface.get_dev callback (bsc#1187236).
* mlx4: Move the bond work to the core driver (bsc#1187236).
* mlx4: Register mlx4 devices to an auxiliary virtual bus (bsc#1187236).
* mlx4: Rename member mlx4_en_dev.nb to netdev_nb (bsc#1187236).
* mlx4: Replace the mlx4_interface.event callback with a notifier
(bsc#1187236).
* mlx4: Use 'void *' as the event param of mlx4_dispatch_event()
(bsc#1187236).
* module: Expose module_init_layout_section() (git-fixes)
* net: do not allow gso_size to be set to GSO_BY_FRAGS (git-fixes).
* net: mana: Add page pool for RX buffers (bsc#1214040).
* net: mana: Configure hwc timeout from hardware (bsc#1214037).
* net: phy: micrel: Correct bit assignments for phy_device flags (git-fixes).
* net: usb: qmi_wwan: add Quectel EM05GV2 (git-fixes).
* net/mlx4: Remove many unnecessary NULL values (bsc#1187236).
* NFS: Guard against READDIR loop when entry names exceed MAXNAMELEN (git-
fixes).
* NFS/blocklayout: Use the passed in gfp flags (git-fixes).
* NFS/pNFS: Fix assignment of xprtdata.cred (git-fixes).
* NFS/pNFS: Report EINVAL errors from connect() to the server (git-fixes).
* NFSD: da_addr_body field missing in some GETDEVICEINFO replies (git-fixes).
* NFSD: fix change_info in NFSv4 RENAME replies (git-fixes).
* NFSD: Fix race to FREE_STATEID and cl_revoked (git-fixes).
* NFSv4: Fix dropped lock for racing OPEN and delegation return (git-fixes).
* NFSv4: fix out path in __nfs4_get_acl_uncached (git-fixes).
* NFSv4.2: fix error handling in nfs42_proc_getxattr (git-fixes).
* NFSv4.2: fix handling of COPY ERR_OFFLOAD_NO_REQ (git-fixes).
* NFSv4/pNFS: minor fix for cleanup path in nfs4_get_device_info (git-fixes).
* ntb: Clean up tx tail index on link down (git-fixes).
* ntb: Drop packets when qp link is down (git-fixes).
* ntb: Fix calculation ntb_transport_tx_free_entry() (git-fixes).
* nvme-auth: use chap->s2 to indicate bidirectional authentication
(bsc#1214543).
* nvme-tcp: add recovery_delay to sysfs (bsc#1201284).
* nvme-tcp: delay error recovery until the next KATO interval (bsc#1201284).
* nvme-tcp: Do not terminate commands when in RESETTING (bsc#1201284).
* nvme-tcp: make 'err_work' a delayed work (bsc#1201284).
* PCI: Free released resource after coalescing (git-fixes).
* platform/mellanox: mlxbf-pmc: Fix potential buffer overflows (git-fixes).
* platform/mellanox: mlxbf-pmc: Fix reading of unprogrammed events (git-
fixes).
* platform/mellanox: mlxbf-tmfifo: Drop jumbo frames (git-fixes).
* platform/mellanox: mlxbf-tmfifo: Drop the Rx packet if no more descriptors
(git-fixes).
* platform/x86: intel_scu_ipc: Check status after timeout in busy_loop() (git-
fixes).
* platform/x86: intel_scu_ipc: Check status upon timeout in
ipc_wait_for_interrupt() (git-fixes).
* platform/x86: intel_scu_ipc: Do not override scu in
intel_scu_ipc_dev_simple_command() (git-fixes).
* platform/x86: intel_scu_ipc: Fail IPC send if still busy (git-fixes).
* powerpc/fadump: make is_kdump_kernel() return false when fadump is active
(bsc#1212639 ltc#202582).
* powerpc/iommu: Fix notifiers being shared by PCI and VIO buses
(bsc#1065729).
* powerpc/rtas: mandate RTAS syscall filtering (bsc#1023051).
* powerpc/xics: Remove unnecessary endian conversion (bsc#1065729).
* printk: ringbuffer: Fix truncating buffer size min_t cast (bsc#1215875).
* pwm: lpc32xx: Remove handling of PWM channels (git-fixes).
* quota: add new helper dquot_active() (bsc#1214998).
* quota: factor out dquot_write_dquot() (bsc#1214995).
* quota: fix dqput() to follow the guarantees dquot_srcu should provide
(bsc#1214963).
* quota: fix warning in dqgrab() (bsc#1214962).
* quota: Properly disable quotas when add_dquot_ref() fails (bsc#1214961).
* quota: rename dquot_active() to inode_quota_active() (bsc#1214997).
* s390/qeth: Do not call dev_close/dev_open (DOWN/UP) (bsc#1214873 git-fixes).
* s390/zcrypt: do not leak memory if dev_set_name() fails (git-fixes
bsc#1215148).
* scsi: 3w-xxxx: Add error handling for initialization failure in tw_probe()
(git-fixes).
* scsi: 53c700: Check that command slot is not NULL (git-fixes).
* scsi: core: Fix legacy /proc parsing buffer overflow (git-fixes).
* scsi: core: Fix possible memory leak if device_add() fails (git-fixes).
* scsi: fnic: Replace return codes in fnic_clean_pending_aborts() (git-fixes).
* scsi: lpfc: Do not abuse UUID APIs and LPFC_COMPRESS_VMID_SIZE (git-fixes).
* scsi: lpfc: Early return after marking final NLP_DROPPED flag in
dev_loss_tmo (git-fixes).
* scsi: lpfc: Fix the NULL vs IS_ERR() bug for debugfs_create_file() (git-
fixes).
* scsi: lpfc: Modify when a node should be put in device recovery mode during
RSCN (git-fixes).
* scsi: lpfc: Prevent use-after-free during rmmod with mapped NVMe rports
(git-fixes).
* scsi: lpfc: Remove reftag check in DIF paths (git-fixes).
* scsi: qedf: Add synchronization between I/O completions and abort
(bsc#1210658).
* scsi: qedf: Fix firmware halt over suspend and resume (git-fixes).
* scsi: qedf: Fix NULL dereference in error handling (git-fixes).
* scsi: qedi: Fix firmware halt over suspend and resume (git-fixes).
* scsi: qla2xxx: Add logs for SFP temperature monitoring (bsc#1214928).
* scsi: qla2xxx: Allow 32-byte CDBs (bsc#1214928).
* scsi: qla2xxx: Error code did not return to upper layer (bsc#1214928).
* scsi: qla2xxx: Fix firmware resource tracking (bsc#1214928).
* scsi: qla2xxx: Fix NULL vs IS_ERR() bug for debugfs_create_dir() (git-
fixes).
* scsi: qla2xxx: Fix smatch warn for qla_init_iocb_limit() (bsc#1214928).
* scsi: qla2xxx: Flush mailbox commands on chip reset (bsc#1214928).
* scsi: qla2xxx: Move resource to allow code reuse (bsc#1214928).
* scsi: qla2xxx: Remove unsupported ql2xenabledif option (bsc#1214928).
* scsi: qla2xxx: Remove unused declarations (bsc#1214928).
* scsi: qla2xxx: Remove unused variables in qla24xx_build_scsi_type_6_iocbs()
(bsc#1214928).
* scsi: qla2xxx: Update version to 10.02.09.100-k (bsc#1214928).
* scsi: qla2xxx: Use raw_smp_processor_id() instead of smp_processor_id()
(git-fixes).
* scsi: scsi_debug: Remove dead code (git-fixes).
* scsi: snic: Fix double free in snic_tgt_create() (git-fixes).
* scsi: snic: Fix possible memory leak if device_add() fails (git-fixes).
* scsi: storvsc: Handle additional SRB status values (git-fixes).
* scsi: zfcp: Fix a double put in zfcp_port_enqueue() (git-fixes bsc#1215941).
* selftests: tracing: Fix to unmount tracefs for recovering environment (git-
fixes).
* SUNRPC: Mark the cred for revalidation if the server rejects it (git-fixes).
* tcpm: Avoid soft reset when partner does not support get_status (git-fixes).
* tracing: Fix race issue between cpu buffer write and swap (git-fixes).
* tracing: Remove extra space at the end of hwlat_detector/mode (git-fixes).
* tracing: Remove unnecessary copying of tr->current_trace (git-fixes).
* uapi: stddef.h: Fix __DECLARE_FLEX_ARRAY for C++ (git-fixes).
* udf: Fix extension of the last extent in the file (bsc#1214964).
* udf: Fix file corruption when appending just after end of preallocated
extent (bsc#1214965).
* udf: Fix off-by-one error when discarding preallocation (bsc#1214966).
* udf: Fix uninitialized array access for some pathnames (bsc#1214967).
* uprobes/x86: Allow to probe a NOP instruction with 0x66 prefix (git-fixes).
* usb: ehci: add workaround for chipidea PORTSC.PEC bug (git-fixes).
* usb: ehci: move new member has_ci_pec_bug into hole (git-fixes).
* usb: serial: option: add FOXCONN T99W368/T99W373 product (git-fixes).
* usb: serial: option: add Quectel EM05G variant (0x030e) (git-fixes).
* usb: typec: tcpci: clear the fault status bit (git-fixes).
* usb: typec: tcpci: move tcpci.h to include/linux/usb/ (git-fixes).
* vhost_vdpa: fix the crash in unmap a large memory (git-fixes).
* vhost-scsi: unbreak any layout for response (git-fixes).
* vhost: allow batching hint without size (git-fixes).
* vhost: fix hung thread due to erroneous iotlb entries (git-fixes).
* vhost: handle error while adding split ranges to iotlb (git-fixes).
* virtio_net: add checking sq is full inside xdp xmit (git-fixes).
* virtio_net: Fix probe failed when modprobe virtio_net (git-fixes).
* virtio_net: reorder some funcs (git-fixes).
* virtio_net: separate the logic of checking whether sq is full (git-fixes).
* virtio_ring: fix avail_wrap_counter in virtqueue_add_packed (git-fixes).
* virtio-mmio: do not break lifecycle of vm_dev (git-fixes).
* virtio-net: fix race between set queues and probe (git-fixes).
* virtio-net: set queues after driver_ok (git-fixes).
* virtio-rng: make device ready before making request (git-fixes).
* virtio: acknowledge all features before access (git-fixes).
* vmcore: remove dependency with is_kdump_kernel() for exporting vmcore
(bsc#1212639 ltc#202582).
* watchdog: intel-mid_wdt: add MODULE_ALIAS() to allow auto-load (git-fixes).
* word-at-a-time: use the same return type for has_zero regardless of
endianness (bsc#1065729).
* x86/alternative: Fix race in try_get_desc() (git-fixes).
* x86/boot/e820: Fix typo in e820.c comment (git-fixes).
* x86/bugs: Reset speculation control settings on init (git-fixes).
* x86/cpu: Add Lunar Lake M (git-fixes).
* x86/cpu: Add model number for Intel Arrow Lake processor (git-fixes).
* x86/fpu: Take task_struct* in copy_sigframe_from_user_to_xstate() (git-
fixes).
* x86/head/64: Switch to KERNEL_CS as soon as new GDT is installed (git-
fixes).
* x86/i8259: Mark legacy PIC interrupts with IRQ_LEVEL (git-fixes).
* x86/ioapic: Do not return 0 from arch_dynirq_lower_bound() (git-fixes).
* x86/ioremap: Fix page aligned size calculation in __ioremap_caller() (git-
fixes).
* x86/mce: Retrieve poison range from hardware (git-fixes).
* x86/mem_encrypt: Unbreak the AMD_MEM_ENCRYPT=n build (git-fixes).
* x86/mm: Avoid incomplete Global INVLPG flushes (git-fixes).
* x86/mm: Do not shuffle CPU entry areas without KASLR (git-fixes).
* x86/purgatory: remove PGO flags (git-fixes).
* x86/PVH: avoid 32-bit build warning when obtaining VGA console info (git-
fixes).
* x86/reboot: Disable virtualization in an emergency if SVM is supported (git-
fixes).
* x86/resctl: fix scheduler confusion with 'current' (git-fixes).
* x86/resctrl: Fix task CLOSID/RMID update race (git-fixes).
* x86/resctrl: Fix to restore to original value when re-enabling hardware
prefetch register (git-fixes).
* x86/rtc: Remove __init for runtime functions (git-fixes).
* x86/sgx: Reduce delay and interference of enclave release (git-fixes).
* x86/srso: Do not probe microcode in a guest (git-fixes).
* x86/srso: Fix SBPB enablement for spec_rstack_overflow=off (git-fixes).
* x86/srso: Fix srso_show_state() side effect (git-fixes).
* x86/srso: Set CPUID feature bits independently of bug or mitigation status
(git-fixes).
* x86/virt: Force GIF=1 prior to disabling SVM (for reboot flows) (git-fixes).
* xen: remove a confusing comment on auto-translated guest I/O (git-fixes).
* xprtrdma: Remap Receive buffers after a reconnect (git-fixes).
## Special Instructions and Notes:
* Please reboot the system after installing this update.
## Patch Instructions:
To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
* openSUSE Leap 15.4
zypper in -t patch SUSE-2023-4072=1
* SUSE Linux Enterprise Micro for Rancher 5.3
zypper in -t patch SUSE-SLE-Micro-5.3-2023-4072=1
* SUSE Linux Enterprise Micro 5.3
zypper in -t patch SUSE-SLE-Micro-5.3-2023-4072=1
* SUSE Linux Enterprise Micro for Rancher 5.4
zypper in -t patch SUSE-SLE-Micro-5.4-2023-4072=1
* SUSE Linux Enterprise Micro 5.4
zypper in -t patch SUSE-SLE-Micro-5.4-2023-4072=1
* Basesystem Module 15-SP4
zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP4-2023-4072=1
* Development Tools Module 15-SP4
zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP4-2023-4072=1
* Legacy Module 15-SP4
zypper in -t patch SUSE-SLE-Module-Legacy-15-SP4-2023-4072=1
* SUSE Linux Enterprise Live Patching 15-SP4
zypper in -t patch SUSE-SLE-Module-Live-Patching-15-SP4-2023-4072=1
Please note that this is the initial kernel livepatch, which itself contains
no fixes; this package is later updated by separate standalone kernel
livepatch updates.
* SUSE Linux Enterprise High Availability Extension 15 SP4
zypper in -t patch SUSE-SLE-Product-HA-15-SP4-2023-4072=1
* SUSE Linux Enterprise Workstation Extension 15 SP4
zypper in -t patch SUSE-SLE-Product-WE-15-SP4-2023-4072=1
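Because the fixes only take effect once the new kernel is booted, the following added example (not part of the SUSE announcement) classifies a host from its installed kernel-default versions and its running release. It assumes GNU `sort -V` and that the `uname -r` string is the package version without its final rebuild counter plus a flavour suffix; the function names and sample inputs are illustrative.

```shell
#!/bin/sh
# Added example: classify a host against the kernel version shipped by this
# advisory. Runs offline on the constructed sample inputs at the bottom.

# kernel-default version-release taken from this advisory's package list.
FIXED_PKG_VERSION="5.14.21-150400.24.92.1"

# True when $1 >= $2 under GNU version ordering (sort -V).
version_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# Drop the trailing flavour component ("-default", "-64kb", "-kvmsmall", ...)
# from a `uname -r` style string. A string without a flavour passes through,
# because the last hyphen-separated part then contains dots and no letters.
strip_flavor() {
    printf '%s\n' "$1" | sed 's/-[0-9a-z]*[a-z][0-9a-z]*$//'
}

# update_state RUNNING_RELEASE INSTALLED_VERSIONS
#   RUNNING_RELEASE     string as printed by `uname -r`
#   INSTALLED_VERSIONS  whitespace-separated VERSION-RELEASE strings
# Prints one of: update-missing | reboot-needed | patched
update_state() {
    running=$(strip_flavor "$1")
    # Assumption: the running release equals the package version minus its
    # final rebuild counter (…24.92.1 -> …24.92).
    fixed_release=${FIXED_PKG_VERSION%.*}

    have_fixed=no
    for v in $2; do
        if version_ge "$v" "$FIXED_PKG_VERSION"; then
            have_fixed=yes
        fi
    done

    if [ "$have_fixed" = no ]; then
        echo "update-missing"      # the patch has not been installed
    elif version_ge "$running" "$fixed_release"; then
        echo "patched"             # fixed kernel is installed and booted
    else
        echo "reboot-needed"       # installed, but an older kernel is running
    fi
}

# On a real host the inputs would come from:
#   update_state "$(uname -r)" \
#       "$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' kernel-default)"

# Constructed sample inputs (not captured from a real system): an older
# kernel is still running although the fixed package is already installed.
SAMPLE_RUNNING="5.14.21-150400.24.88-default"
SAMPLE_INSTALLED="5.14.21-150400.24.88.1
5.14.21-150400.24.92.1"

echo "sample host: $(update_state "$SAMPLE_RUNNING" "$SAMPLE_INSTALLED")"
```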
## Package List:
* openSUSE Leap 15.4 (noarch nosrc)
* kernel-docs-5.14.21-150400.24.92.1
* openSUSE Leap 15.4 (noarch)
* kernel-source-vanilla-5.14.21-150400.24.92.1
* kernel-macros-5.14.21-150400.24.92.1
* kernel-docs-html-5.14.21-150400.24.92.1
* kernel-devel-5.14.21-150400.24.92.1
* kernel-source-5.14.21-150400.24.92.1
* openSUSE Leap 15.4 (nosrc ppc64le x86_64)
* kernel-debug-5.14.21-150400.24.92.1
* openSUSE Leap 15.4 (ppc64le x86_64)
* kernel-debug-debugsource-5.14.21-150400.24.92.1
* kernel-debug-debuginfo-5.14.21-150400.24.92.1
* kernel-debug-devel-debuginfo-5.14.21-150400.24.92.1
* kernel-debug-livepatch-devel-5.14.21-150400.24.92.1
* kernel-debug-devel-5.14.21-150400.24.92.1
* openSUSE Leap 15.4 (aarch64 ppc64le x86_64)
* kernel-kvmsmall-devel-5.14.21-150400.24.92.1
* kernel-kvmsmall-devel-debuginfo-5.14.21-150400.24.92.1
* kernel-kvmsmall-livepatch-devel-5.14.21-150400.24.92.1
* kernel-default-base-rebuild-5.14.21-150400.24.92.1.150400.24.42.1
* kernel-kvmsmall-debuginfo-5.14.21-150400.24.92.1
* kernel-kvmsmall-debugsource-5.14.21-150400.24.92.1
* kernel-default-base-5.14.21-150400.24.92.1.150400.24.42.1
* openSUSE Leap 15.4 (aarch64 ppc64le s390x x86_64)
* kernel-default-devel-5.14.21-150400.24.92.1
* kernel-default-livepatch-devel-5.14.21-150400.24.92.1
* kernel-default-debuginfo-5.14.21-150400.24.92.1
* kselftests-kmp-default-5.14.21-150400.24.92.1
* gfs2-kmp-default-debuginfo-5.14.21-150400.24.92.1
* cluster-md-kmp-default-5.14.21-150400.24.92.1
* reiserfs-kmp-default-debuginfo-5.14.21-150400.24.92.1
* kernel-default-livepatch-5.14.21-150400.24.92.1
* dlm-kmp-default-5.14.21-150400.24.92.1
* kernel-syms-5.14.21-150400.24.92.1
* reiserfs-kmp-default-5.14.21-150400.24.92.1
* cluster-md-kmp-default-debuginfo-5.14.21-150400.24.92.1
* kselftests-kmp-default-debuginfo-5.14.21-150400.24.92.1
* kernel-default-devel-debuginfo-5.14.21-150400.24.92.1
* kernel-default-extra-5.14.21-150400.24.92.1
* kernel-obs-build-5.14.21-150400.24.92.1
* kernel-default-extra-debuginfo-5.14.21-150400.24.92.1
* ocfs2-kmp-default-5.14.21-150400.24.92.1
* kernel-obs-qa-5.14.21-150400.24.92.1
* dlm-kmp-default-debuginfo-5.14.21-150400.24.92.1
* gfs2-kmp-default-5.14.21-150400.24.92.1
* kernel-default-optional-debuginfo-5.14.21-150400.24.92.1
* ocfs2-kmp-default-debuginfo-5.14.21-150400.24.92.1
* kernel-default-debugsource-5.14.21-150400.24.92.1
* kernel-obs-build-debugsource-5.14.21-150400.24.92.1
* kernel-default-optional-5.14.21-150400.24.92.1
* openSUSE Leap 15.4 (aarch64 ppc64le s390x x86_64 nosrc)
* kernel-default-5.14.21-150400.24.92.1
* openSUSE Leap 15.4 (aarch64 nosrc ppc64le x86_64)
* kernel-kvmsmall-5.14.21-150400.24.92.1
* openSUSE Leap 15.4 (ppc64le s390x x86_64)
* kernel-livepatch-5_14_21-150400_24_92-default-debuginfo-1-150400.9.3.1
* kernel-livepatch-5_14_21-150400_24_92-default-1-150400.9.3.1
* kernel-livepatch-SLE15-SP4_Update_19-debugsource-1-150400.9.3.1
* openSUSE Leap 15.4 (nosrc s390x)
* kernel-zfcpdump-5.14.21-150400.24.92.1
* openSUSE Leap 15.4 (s390x)
* kernel-zfcpdump-debuginfo-5.14.21-150400.24.92.1
* kernel-zfcpdump-debugsource-5.14.21-150400.24.92.1
* openSUSE Leap 15.4 (nosrc)
* dtb-aarch64-5.14.21-150400.24.92.1
* openSUSE Leap 15.4 (aarch64)
* dtb-allwinner-5.14.21-150400.24.92.1
* kernel-64kb-optional-debuginfo-5.14.21-150400.24.92.1
* dtb-cavium-5.14.21-150400.24.92.1
* dtb-amd-5.14.21-150400.24.92.1
* dtb-exynos-5.14.21-150400.24.92.1
* dtb-lg-5.14.21-150400.24.92.1
* dtb-hisilicon-5.14.21-150400.24.92.1
* dtb-nvidia-5.14.21-150400.24.92.1
* cluster-md-kmp-64kb-5.14.21-150400.24.92.1
* kernel-64kb-extra-5.14.21-150400.24.92.1
* kernel-64kb-optional-5.14.21-150400.24.92.1
* dtb-amazon-5.14.21-150400.24.92.1
* ocfs2-kmp-64kb-5.14.21-150400.24.92.1
* dtb-freescale-5.14.21-150400.24.92.1
* dtb-rockchip-5.14.21-150400.24.92.1
* dtb-marvell-5.14.21-150400.24.92.1
* cluster-md-kmp-64kb-debuginfo-5.14.21-150400.24.92.1
* dtb-apm-5.14.21-150400.24.92.1
* gfs2-kmp-64kb-5.14.21-150400.24.92.1
* reiserfs-kmp-64kb-debuginfo-5.14.21-150400.24.92.1
* reiserfs-kmp-64kb-5.14.21-150400.24.92.1
* kselftests-kmp-64kb-debuginfo-5.14.21-150400.24.92.1
* dtb-renesas-5.14.21-150400.24.92.1
* dtb-broadcom-5.14.21-150400.24.92.1
* dtb-mediatek-5.14.21-150400.24.92.1
* kernel-64kb-debuginfo-5.14.21-150400.24.92.1
* kernel-64kb-livepatch-devel-5.14.21-150400.24.92.1
* ocfs2-kmp-64kb-debuginfo-5.14.21-150400.24.92.1
* dtb-qcom-5.14.21-150400.24.92.1
* dtb-amlogic-5.14.21-150400.24.92.1
* dtb-xilinx-5.14.21-150400.24.92.1
* dlm-kmp-64kb-5.14.21-150400.24.92.1
* gfs2-kmp-64kb-debuginfo-5.14.21-150400.24.92.1
* kernel-64kb-debugsource-5.14.21-150400.24.92.1
* dtb-altera-5.14.21-150400.24.92.1
* dtb-sprd-5.14.21-150400.24.92.1
* dtb-apple-5.14.21-150400.24.92.1
* dtb-arm-5.14.21-150400.24.92.1
* kselftests-kmp-64kb-5.14.21-150400.24.92.1
* dtb-socionext-5.14.21-150400.24.92.1
* dlm-kmp-64kb-debuginfo-5.14.21-150400.24.92.1
* kernel-64kb-devel-debuginfo-5.14.21-150400.24.92.1
* kernel-64kb-extra-debuginfo-5.14.21-150400.24.92.1
* kernel-64kb-devel-5.14.21-150400.24.92.1
* openSUSE Leap 15.4 (aarch64 nosrc)
* kernel-64kb-5.14.21-150400.24.92.1
* SUSE Linux Enterprise Micro for Rancher 5.3 (aarch64 nosrc s390x x86_64)
* kernel-default-5.14.21-150400.24.92.1
* SUSE Linux Enterprise Micro for Rancher 5.3 (aarch64 x86_64)
* kernel-default-base-5.14.21-150400.24.92.1.150400.24.42.1
* SUSE Linux Enterprise Micro for Rancher 5.3 (aarch64 s390x x86_64)
* kernel-default-debuginfo-5.14.21-150400.24.92.1
* kernel-default-debugsource-5.14.21-150400.24.92.1
* SUSE Linux Enterprise Micro 5.3 (aarch64 nosrc s390x x86_64)
* kernel-default-5.14.21-150400.24.92.1
* SUSE Linux Enterprise Micro 5.3 (aarch64 x86_64)
* kernel-default-base-5.14.21-150400.24.92.1.150400.24.42.1
* SUSE Linux Enterprise Micro 5.3 (aarch64 s390x x86_64)
* kernel-default-debuginfo-5.14.21-150400.24.92.1
* kernel-default-debugsource-5.14.21-150400.24.92.1
* SUSE Linux Enterprise Micro for Rancher 5.4 (aarch64 nosrc s390x x86_64)
* kernel-default-5.14.21-150400.24.92.1
* SUSE Linux Enterprise Micro for Rancher 5.4 (aarch64 x86_64)
* kernel-default-base-5.14.21-150400.24.92.1.150400.24.42.1
* SUSE Linux Enterprise Micro for Rancher 5.4 (aarch64 s390x x86_64)
* kernel-default-debuginfo-5.14.21-150400.24.92.1
* kernel-default-debugsource-5.14.21-150400.24.92.1
* SUSE Linux Enterprise Micro 5.4 (aarch64 nosrc s390x x86_64)
* kernel-default-5.14.21-150400.24.92.1
* SUSE Linux Enterprise Micro 5.4 (aarch64 x86_64)
* kernel-default-base-5.14.21-150400.24.92.1.150400.24.42.1
* SUSE Linux Enterprise Micro 5.4 (aarch64 s390x x86_64)
* kernel-default-debuginfo-5.14.21-150400.24.92.1
* kernel-default-debugsource-5.14.21-150400.24.92.1
* Basesystem Module 15-SP4 (aarch64 nosrc)
* kernel-64kb-5.14.21-150400.24.92.1
* Basesystem Module 15-SP4 (aarch64)
* kernel-64kb-devel-debuginfo-5.14.21-150400.24.92.1
* kernel-64kb-devel-5.14.21-150400.24.92.1
* kernel-64kb-debugsource-5.14.21-150400.24.92.1
* kernel-64kb-debuginfo-5.14.21-150400.24.92.1
* Basesystem Module 15-SP4 (aarch64 ppc64le s390x x86_64 nosrc)
* kernel-default-5.14.21-150400.24.92.1
* Basesystem Module 15-SP4 (aarch64 ppc64le x86_64)
* kernel-default-base-5.14.21-150400.24.92.1.150400.24.42.1
* Basesystem Module 15-SP4 (aarch64 ppc64le s390x x86_64)
* kernel-default-devel-5.14.21-150400.24.92.1
* kernel-default-debuginfo-5.14.21-150400.24.92.1
* kernel-default-debugsource-5.14.21-150400.24.92.1
* kernel-default-devel-debuginfo-5.14.21-150400.24.92.1
* Basesystem Module 15-SP4 (noarch)
* kernel-devel-5.14.21-150400.24.92.1
* kernel-macros-5.14.21-150400.24.92.1
* Basesystem Module 15-SP4 (nosrc s390x)
* kernel-zfcpdump-5.14.21-150400.24.92.1
* Basesystem Module 15-SP4 (s390x)
* kernel-zfcpdump-debuginfo-5.14.21-150400.24.92.1
* kernel-zfcpdump-debugsource-5.14.21-150400.24.92.1
* Development Tools Module 15-SP4 (noarch nosrc)
* kernel-docs-5.14.21-150400.24.92.1
* Development Tools Module 15-SP4 (aarch64 ppc64le s390x x86_64)
* kernel-syms-5.14.21-150400.24.92.1
* kernel-obs-build-5.14.21-150400.24.92.1
* kernel-obs-build-debugsource-5.14.21-150400.24.92.1
* Development Tools Module 15-SP4 (noarch)
* kernel-source-5.14.21-150400.24.92.1
* Legacy Module 15-SP4 (nosrc)
* kernel-default-5.14.21-150400.24.92.1
* Legacy Module 15-SP4 (aarch64 ppc64le s390x x86_64)
* kernel-default-debuginfo-5.14.21-150400.24.92.1
* kernel-default-debugsource-5.14.21-150400.24.92.1
* reiserfs-kmp-default-debuginfo-5.14.21-150400.24.92.1
* reiserfs-kmp-default-5.14.21-150400.24.92.1
* SUSE Linux Enterprise Live Patching 15-SP4 (ppc64le s390x x86_64)
* kernel-default-livepatch-devel-5.14.21-150400.24.92.1
* kernel-livepatch-SLE15-SP4_Update_19-debugsource-1-150400.9.3.1
* kernel-livepatch-5_14_21-150400_24_92-default-debuginfo-1-150400.9.3.1
* kernel-livepatch-5_14_21-150400_24_92-default-1-150400.9.3.1
* kernel-default-debuginfo-5.14.21-150400.24.92.1
* kernel-default-livepatch-5.14.21-150400.24.92.1
* kernel-default-debugsource-5.14.21-150400.24.92.1
* SUSE Linux Enterprise Live Patching 15-SP4 (nosrc)
* kernel-default-5.14.21-150400.24.92.1
* SUSE Linux Enterprise High Availability Extension 15 SP4 (aarch64 ppc64le
s390x x86_64)
* cluster-md-kmp-default-debuginfo-5.14.21-150400.24.92.1
* ocfs2-kmp-default-5.14.21-150400.24.92.1
* dlm-kmp-default-debuginfo-5.14.21-150400.24.92.1
* gfs2-kmp-default-debuginfo-5.14.21-150400.24.92.1
* ocfs2-kmp-default-debuginfo-5.14.21-150400.24.92.1
* kernel-default-debuginfo-5.14.21-150400.24.92.1
* cluster-md-kmp-default-5.14.21-150400.24.92.1
* dlm-kmp-default-5.14.21-150400.24.92.1
* kernel-default-debugsource-5.14.21-150400.24.92.1
* gfs2-kmp-default-5.14.21-150400.24.92.1
* SUSE Linux Enterprise High Availability Extension 15 SP4 (nosrc)
* kernel-default-5.14.21-150400.24.92.1
* SUSE Linux Enterprise Workstation Extension 15 SP4 (nosrc)
* kernel-default-5.14.21-150400.24.92.1
* SUSE Linux Enterprise Workstation Extension 15 SP4 (x86_64)
* kernel-default-debuginfo-5.14.21-150400.24.92.1
* kernel-default-debugsource-5.14.21-150400.24.92.1
* kernel-default-extra-5.14.21-150400.24.92.1
* kernel-default-extra-debuginfo-5.14.21-150400.24.92.1
## References:
* https://www.suse.com/security/cve/CVE-2023-1192.html
* https://www.suse.com/security/cve/CVE-2023-1206.html
* https://www.suse.com/security/cve/CVE-2023-1859.html
* https://www.suse.com/security/cve/CVE-2023-2177.html
* https://www.suse.com/security/cve/CVE-2023-39192.html
* https://www.suse.com/security/cve/CVE-2023-39193.html
* https://www.suse.com/security/cve/CVE-2023-39194.html
* https://www.suse.com/security/cve/CVE-2023-4155.html
* https://www.suse.com/security/cve/CVE-2023-42753.html
* https://www.suse.com/security/cve/CVE-2023-42754.html
* https://www.suse.com/security/cve/CVE-2023-4389.html
* https://www.suse.com/security/cve/CVE-2023-4563.html
* https://www.suse.com/security/cve/CVE-2023-4622.html
* https://www.suse.com/security/cve/CVE-2023-4623.html
* https://www.suse.com/security/cve/CVE-2023-4881.html
* https://www.suse.com/security/cve/CVE-2023-4921.html
* https://www.suse.com/security/cve/CVE-2023-5345.html
* https://bugzilla.suse.com/show_bug.cgi?id=1202845
* https://bugzilla.suse.com/show_bug.cgi?id=1213808
* https://bugzilla.suse.com/show_bug.cgi?id=1214928
* https://bugzilla.suse.com/show_bug.cgi?id=1214940
* https://bugzilla.suse.com/show_bug.cgi?id=1214941
* https://bugzilla.suse.com/show_bug.cgi?id=1214942
* https://bugzilla.suse.com/show_bug.cgi?id=1214943
* https://bugzilla.suse.com/show_bug.cgi?id=1214944
* https://bugzilla.suse.com/show_bug.cgi?id=1214950
* https://bugzilla.suse.com/show_bug.cgi?id=1214951
* https://bugzilla.suse.com/show_bug.cgi?id=1214954
* https://bugzilla.suse.com/show_bug.cgi?id=1214957
* https://bugzilla.suse.com/show_bug.cgi?id=1214986
* https://bugzilla.suse.com/show_bug.cgi?id=1214988
* https://bugzilla.suse.com/show_bug.cgi?id=1214992
* https://bugzilla.suse.com/show_bug.cgi?id=1214993
* https://bugzilla.suse.com/show_bug.cgi?id=1215322
* https://bugzilla.suse.com/show_bug.cgi?id=1215877
* https://bugzilla.suse.com/show_bug.cgi?id=1215894
* https://bugzilla.suse.com/show_bug.cgi?id=1215895
* https://bugzilla.suse.com/show_bug.cgi?id=1215896
* https://bugzilla.suse.com/show_bug.cgi?id=1215911
* https://bugzilla.suse.com/show_bug.cgi?id=1215915
* https://bugzilla.suse.com/show_bug.cgi?id=1215916
12 Oct '23
# Security update for qemu
Announcement ID: SUSE-SU-2023:4056-1
Rating: important
References:
* #1179993
* #1181740
* #1188609
* #1190011
* #1207205
* #1212850
* #1213663
* #1213925
* #1215311
Cross-References:
* CVE-2021-3638
* CVE-2021-3750
* CVE-2023-0330
* CVE-2023-3180
* CVE-2023-3354
CVSS scores:
* CVE-2021-3638 ( SUSE ): 3.2 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:L
* CVE-2021-3638 ( NVD ): 6.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
* CVE-2021-3750 ( SUSE ): 7.5 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
* CVE-2021-3750 ( NVD ): 8.2 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
* CVE-2023-0330 ( SUSE ): 5.3 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:N/I:N/A:H
* CVE-2023-0330 ( NVD ): 6.0 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H
* CVE-2023-3180 ( SUSE ): 8.2 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
* CVE-2023-3180 ( NVD ): 6.0 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H
* CVE-2023-3354 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2023-3354 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected Products:
* Basesystem Module 15-SP4
* openSUSE Leap 15.4
* Server Applications Module 15-SP4
* SUSE Linux Enterprise Desktop 15 SP4
* SUSE Linux Enterprise High Performance Computing 15 SP4
* SUSE Linux Enterprise Micro 5.3
* SUSE Linux Enterprise Micro 5.4
* SUSE Linux Enterprise Micro for Rancher 5.3
* SUSE Linux Enterprise Micro for Rancher 5.4
* SUSE Linux Enterprise Real Time 15 SP4
* SUSE Linux Enterprise Server 15 SP4
* SUSE Linux Enterprise Server for SAP Applications 15 SP4
* SUSE Manager Proxy 4.3
* SUSE Manager Retail Branch Server 4.3
* SUSE Manager Server 4.3
An update that solves five vulnerabilities and has four security fixes can now
be installed.
## Description:
This update for qemu fixes the following issues:
* CVE-2023-3180: Fixed a buffer overflow in the virtio-crypto device
(bsc#1213925).
* CVE-2021-3750: Fixed a DMA reentrancy in the USB EHCI device that could lead
to use-after-free (bsc#1190011).
* CVE-2021-3638: Fixed a buffer overflow in the ati-vga device (bsc#1188609).
* CVE-2023-3354: Fixed an issue when performing a TLS handshake that could
lead to remote denial of service via VNC connection (bsc#1212850).
* CVE-2023-0330: Fixed a DMA reentrancy issue in the lsi53c895a device that
could lead to a stack overflow (bsc#1207205).
Non-security fixes:
* Fixed a potential build issue in the librm subcomponent (bsc#1215311).
* Fixed a potential crash during VM migration (bsc#1213663).
* Fixed potential issues during installation on a Xen host (bsc#1179993,
bsc#1181740).
## Patch Instructions:
To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
* openSUSE Leap 15.4
zypper in -t patch SUSE-2023-4056=1 openSUSE-SLE-15.4-2023-4056=1
* SUSE Linux Enterprise Micro for Rancher 5.3
zypper in -t patch SUSE-SLE-Micro-5.3-2023-4056=1
* SUSE Linux Enterprise Micro 5.3
zypper in -t patch SUSE-SLE-Micro-5.3-2023-4056=1
* SUSE Linux Enterprise Micro for Rancher 5.4
zypper in -t patch SUSE-SLE-Micro-5.4-2023-4056=1
* SUSE Linux Enterprise Micro 5.4
zypper in -t patch SUSE-SLE-Micro-5.4-2023-4056=1
* Basesystem Module 15-SP4
zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP4-2023-4056=1
* Server Applications Module 15-SP4
zypper in -t patch SUSE-SLE-Module-Server-Applications-15-SP4-2023-4056=1
## Package List:
* openSUSE Leap 15.4 (aarch64 ppc64le s390x x86_64 i586)
* qemu-block-nfs-debuginfo-6.2.0-150400.37.23.1
* qemu-accel-tcg-x86-6.2.0-150400.37.23.1
* qemu-hw-display-virtio-gpu-6.2.0-150400.37.23.1
* qemu-ksm-6.2.0-150400.37.23.1
* qemu-hw-usb-host-debuginfo-6.2.0-150400.37.23.1
* qemu-hw-display-qxl-debuginfo-6.2.0-150400.37.23.1
* qemu-audio-alsa-6.2.0-150400.37.23.1
* qemu-ivshmem-tools-6.2.0-150400.37.23.1
* qemu-ui-gtk-6.2.0-150400.37.23.1
* qemu-ppc-6.2.0-150400.37.23.1
* qemu-audio-oss-debuginfo-6.2.0-150400.37.23.1
* qemu-block-iscsi-debuginfo-6.2.0-150400.37.23.1
* qemu-audio-alsa-debuginfo-6.2.0-150400.37.23.1
* qemu-linux-user-6.2.0-150400.37.23.1
* qemu-s390x-debuginfo-6.2.0-150400.37.23.1
* qemu-hw-s390x-virtio-gpu-ccw-6.2.0-150400.37.23.1
* qemu-block-iscsi-6.2.0-150400.37.23.1
* qemu-block-gluster-6.2.0-150400.37.23.1
* qemu-block-dmg-debuginfo-6.2.0-150400.37.23.1
* qemu-arm-6.2.0-150400.37.23.1
* qemu-debugsource-6.2.0-150400.37.23.1
* qemu-x86-6.2.0-150400.37.23.1
* qemu-ui-spice-core-debuginfo-6.2.0-150400.37.23.1
* qemu-hw-display-virtio-vga-debuginfo-6.2.0-150400.37.23.1
* qemu-hw-usb-redirect-debuginfo-6.2.0-150400.37.23.1
* qemu-audio-pa-6.2.0-150400.37.23.1
* qemu-accel-qtest-6.2.0-150400.37.23.1
* qemu-audio-spice-6.2.0-150400.37.23.1
* qemu-hw-s390x-virtio-gpu-ccw-debuginfo-6.2.0-150400.37.23.1
* qemu-s390x-6.2.0-150400.37.23.1
* qemu-ui-curses-debuginfo-6.2.0-150400.37.23.1
* qemu-guest-agent-6.2.0-150400.37.23.1
* qemu-ui-spice-app-debuginfo-6.2.0-150400.37.23.1
* qemu-vhost-user-gpu-6.2.0-150400.37.23.1
* qemu-guest-agent-debuginfo-6.2.0-150400.37.23.1
* qemu-ppc-debuginfo-6.2.0-150400.37.23.1
* qemu-ui-opengl-debuginfo-6.2.0-150400.37.23.1
* qemu-block-ssh-6.2.0-150400.37.23.1
* qemu-linux-user-debuginfo-6.2.0-150400.37.23.1
* qemu-block-curl-6.2.0-150400.37.23.1
* qemu-extra-6.2.0-150400.37.23.1
* qemu-block-gluster-debuginfo-6.2.0-150400.37.23.1
* qemu-chardev-baum-debuginfo-6.2.0-150400.37.23.1
* qemu-chardev-spice-6.2.0-150400.37.23.1
* qemu-tools-6.2.0-150400.37.23.1
* qemu-hw-display-virtio-gpu-debuginfo-6.2.0-150400.37.23.1
* qemu-linux-user-debugsource-6.2.0-150400.37.23.1
* qemu-ui-opengl-6.2.0-150400.37.23.1
* qemu-vhost-user-gpu-debuginfo-6.2.0-150400.37.23.1
* qemu-lang-6.2.0-150400.37.23.1
* qemu-audio-oss-6.2.0-150400.37.23.1
* qemu-debuginfo-6.2.0-150400.37.23.1
* qemu-block-ssh-debuginfo-6.2.0-150400.37.23.1
* qemu-arm-debuginfo-6.2.0-150400.37.23.1
* qemu-chardev-baum-6.2.0-150400.37.23.1
* qemu-accel-qtest-debuginfo-6.2.0-150400.37.23.1
* qemu-extra-debuginfo-6.2.0-150400.37.23.1
* qemu-audio-spice-debuginfo-6.2.0-150400.37.23.1
* qemu-audio-jack-6.2.0-150400.37.23.1
* qemu-hw-display-qxl-6.2.0-150400.37.23.1
* qemu-hw-display-virtio-gpu-pci-debuginfo-6.2.0-150400.37.23.1
* qemu-hw-display-virtio-vga-6.2.0-150400.37.23.1
* qemu-block-nfs-6.2.0-150400.37.23.1
* qemu-ui-spice-core-6.2.0-150400.37.23.1
* qemu-tools-debuginfo-6.2.0-150400.37.23.1
* qemu-audio-pa-debuginfo-6.2.0-150400.37.23.1
* qemu-block-curl-debuginfo-6.2.0-150400.37.23.1
* qemu-hw-usb-redirect-6.2.0-150400.37.23.1
* qemu-ui-curses-6.2.0-150400.37.23.1
* qemu-ui-gtk-debuginfo-6.2.0-150400.37.23.1
* qemu-hw-usb-host-6.2.0-150400.37.23.1
* qemu-ui-spice-app-6.2.0-150400.37.23.1
* qemu-accel-tcg-x86-debuginfo-6.2.0-150400.37.23.1
* qemu-hw-usb-smartcard-debuginfo-6.2.0-150400.37.23.1
* qemu-hw-display-virtio-gpu-pci-6.2.0-150400.37.23.1
* qemu-hw-usb-smartcard-6.2.0-150400.37.23.1
* qemu-block-dmg-6.2.0-150400.37.23.1
* qemu-ivshmem-tools-debuginfo-6.2.0-150400.37.23.1
* qemu-audio-jack-debuginfo-6.2.0-150400.37.23.1
* qemu-x86-debuginfo-6.2.0-150400.37.23.1
* qemu-6.2.0-150400.37.23.1
* qemu-chardev-spice-debuginfo-6.2.0-150400.37.23.1
* openSUSE Leap 15.4 (s390x x86_64 i586)
* qemu-kvm-6.2.0-150400.37.23.1
* openSUSE Leap 15.4 (noarch)
* qemu-microvm-6.2.0-150400.37.23.1
* qemu-ipxe-1.0.0+-150400.37.23.1
* qemu-vgabios-1.15.0_0_g2dd4b9b-150400.37.23.1
* qemu-skiboot-6.2.0-150400.37.23.1
* qemu-seabios-1.15.0_0_g2dd4b9b-150400.37.23.1
* qemu-SLOF-6.2.0-150400.37.23.1
* qemu-sgabios-8-150400.37.23.1
* openSUSE Leap 15.4 (aarch64 ppc64le s390x x86_64)
* qemu-block-rbd-debuginfo-6.2.0-150400.37.23.1
* qemu-block-rbd-6.2.0-150400.37.23.1
* SUSE Linux Enterprise Micro for Rancher 5.3 (aarch64 s390x x86_64)
* qemu-hw-display-virtio-gpu-6.2.0-150400.37.23.1
* qemu-hw-display-qxl-debuginfo-6.2.0-150400.37.23.1
* qemu-debugsource-6.2.0-150400.37.23.1
* qemu-ui-spice-core-debuginfo-6.2.0-150400.37.23.1
* qemu-hw-display-virtio-vga-debuginfo-6.2.0-150400.37.23.1
* qemu-hw-usb-redirect-debuginfo-6.2.0-150400.37.23.1
* qemu-audio-spice-6.2.0-150400.37.23.1
* qemu-guest-agent-6.2.0-150400.37.23.1
* qemu-guest-agent-debuginfo-6.2.0-150400.37.23.1
* qemu-ui-opengl-debuginfo-6.2.0-150400.37.23.1
* qemu-chardev-spice-6.2.0-150400.37.23.1
* qemu-tools-6.2.0-150400.37.23.1
* qemu-hw-display-virtio-gpu-debuginfo-6.2.0-150400.37.23.1
* qemu-ui-opengl-6.2.0-150400.37.23.1
* qemu-debuginfo-6.2.0-150400.37.23.1
* qemu-ui-spice-core-6.2.0-150400.37.23.1
* qemu-tools-debuginfo-6.2.0-150400.37.23.1
* qemu-hw-display-qxl-6.2.0-150400.37.23.1
* qemu-audio-spice-debuginfo-6.2.0-150400.37.23.1
* qemu-hw-display-virtio-vga-6.2.0-150400.37.23.1
* qemu-hw-usb-redirect-6.2.0-150400.37.23.1
* qemu-6.2.0-150400.37.23.1
* qemu-chardev-spice-debuginfo-6.2.0-150400.37.23.1
* SUSE Linux Enterprise Micro for Rancher 5.3 (aarch64)
* qemu-arm-6.2.0-150400.37.23.1
* qemu-arm-debuginfo-6.2.0-150400.37.23.1
* SUSE Linux Enterprise Micro for Rancher 5.3 (noarch)
* qemu-vgabios-1.15.0_0_g2dd4b9b-150400.37.23.1
* qemu-ipxe-1.0.0+-150400.37.23.1
* qemu-seabios-1.15.0_0_g2dd4b9b-150400.37.23.1
* qemu-sgabios-8-150400.37.23.1
* SUSE Linux Enterprise Micro for Rancher 5.3 (s390x)
* qemu-s390x-6.2.0-150400.37.23.1
* qemu-s390x-debuginfo-6.2.0-150400.37.23.1
* SUSE Linux Enterprise Micro for Rancher 5.3 (x86_64)
* qemu-accel-tcg-x86-debuginfo-6.2.0-150400.37.23.1
* qemu-accel-tcg-x86-6.2.0-150400.37.23.1
* qemu-x86-debuginfo-6.2.0-150400.37.23.1
* qemu-x86-6.2.0-150400.37.23.1
* SUSE Linux Enterprise Micro 5.3 (aarch64 s390x x86_64)
* qemu-hw-display-virtio-gpu-6.2.0-150400.37.23.1
* qemu-hw-display-qxl-debuginfo-6.2.0-150400.37.23.1
* qemu-debugsource-6.2.0-150400.37.23.1
* qemu-ui-spice-core-debuginfo-6.2.0-150400.37.23.1
* qemu-hw-display-virtio-vga-debuginfo-6.2.0-150400.37.23.1
* qemu-hw-usb-redirect-debuginfo-6.2.0-150400.37.23.1
* qemu-audio-spice-6.2.0-150400.37.23.1
* qemu-guest-agent-6.2.0-150400.37.23.1
* qemu-guest-agent-debuginfo-6.2.0-150400.37.23.1
* qemu-ui-opengl-debuginfo-6.2.0-150400.37.23.1
* qemu-chardev-spice-6.2.0-150400.37.23.1
* qemu-tools-6.2.0-150400.37.23.1
* qemu-hw-display-virtio-gpu-debuginfo-6.2.0-150400.37.23.1
* qemu-ui-opengl-6.2.0-150400.37.23.1
* qemu-debuginfo-6.2.0-150400.37.23.1
* qemu-ui-spice-core-6.2.0-150400.37.23.1
* qemu-tools-debuginfo-6.2.0-150400.37.23.1
* qemu-hw-display-qxl-6.2.0-150400.37.23.1
* qemu-audio-spice-debuginfo-6.2.0-150400.37.23.1
* qemu-hw-display-virtio-vga-6.2.0-150400.37.23.1
* qemu-hw-usb-redirect-6.2.0-150400.37.23.1
* qemu-6.2.0-150400.37.23.1
* qemu-chardev-spice-debuginfo-6.2.0-150400.37.23.1
* SUSE Linux Enterprise Micro 5.3 (aarch64)
* qemu-arm-6.2.0-150400.37.23.1
* qemu-arm-debuginfo-6.2.0-150400.37.23.1
* SUSE Linux Enterprise Micro 5.3 (noarch)
* qemu-vgabios-1.15.0_0_g2dd4b9b-150400.37.23.1
* qemu-ipxe-1.0.0+-150400.37.23.1
* qemu-seabios-1.15.0_0_g2dd4b9b-150400.37.23.1
* qemu-sgabios-8-150400.37.23.1
* SUSE Linux Enterprise Micro 5.3 (s390x)
* qemu-s390x-6.2.0-150400.37.23.1
* qemu-s390x-debuginfo-6.2.0-150400.37.23.1
* SUSE Linux Enterprise Micro 5.3 (x86_64)
* qemu-accel-tcg-x86-debuginfo-6.2.0-150400.37.23.1
* qemu-accel-tcg-x86-6.2.0-150400.37.23.1
* qemu-x86-debuginfo-6.2.0-150400.37.23.1
* qemu-x86-6.2.0-150400.37.23.1
* SUSE Linux Enterprise Micro for Rancher 5.4 (aarch64 s390x x86_64)
* qemu-hw-display-virtio-gpu-6.2.0-150400.37.23.1
* qemu-hw-display-qxl-debuginfo-6.2.0-150400.37.23.1
* qemu-debugsource-6.2.0-150400.37.23.1
* qemu-ui-spice-core-debuginfo-6.2.0-150400.37.23.1
* qemu-hw-display-virtio-vga-debuginfo-6.2.0-150400.37.23.1
* qemu-hw-usb-redirect-debuginfo-6.2.0-150400.37.23.1
* qemu-audio-spice-6.2.0-150400.37.23.1
* qemu-guest-agent-6.2.0-150400.37.23.1
* qemu-guest-agent-debuginfo-6.2.0-150400.37.23.1
* qemu-ui-opengl-debuginfo-6.2.0-150400.37.23.1
* qemu-chardev-spice-6.2.0-150400.37.23.1
* qemu-tools-6.2.0-150400.37.23.1
* qemu-hw-display-virtio-gpu-debuginfo-6.2.0-150400.37.23.1
* qemu-ui-opengl-6.2.0-150400.37.23.1
* qemu-debuginfo-6.2.0-150400.37.23.1
* qemu-ui-spice-core-6.2.0-150400.37.23.1
* qemu-tools-debuginfo-6.2.0-150400.37.23.1
* qemu-hw-display-qxl-6.2.0-150400.37.23.1
* qemu-audio-spice-debuginfo-6.2.0-150400.37.23.1
* qemu-hw-display-virtio-vga-6.2.0-150400.37.23.1
* qemu-hw-usb-redirect-6.2.0-150400.37.23.1
* qemu-6.2.0-150400.37.23.1
* qemu-chardev-spice-debuginfo-6.2.0-150400.37.23.1
* SUSE Linux Enterprise Micro for Rancher 5.4 (aarch64)
* qemu-arm-6.2.0-150400.37.23.1
* qemu-arm-debuginfo-6.2.0-150400.37.23.1
* SUSE Linux Enterprise Micro for Rancher 5.4 (noarch)
* qemu-vgabios-1.15.0_0_g2dd4b9b-150400.37.23.1
* qemu-ipxe-1.0.0+-150400.37.23.1
* qemu-seabios-1.15.0_0_g2dd4b9b-150400.37.23.1
* qemu-sgabios-8-150400.37.23.1
* SUSE Linux Enterprise Micro for Rancher 5.4 (s390x)
* qemu-s390x-6.2.0-150400.37.23.1
* qemu-s390x-debuginfo-6.2.0-150400.37.23.1
* SUSE Linux Enterprise Micro for Rancher 5.4 (x86_64)
* qemu-accel-tcg-x86-debuginfo-6.2.0-150400.37.23.1
* qemu-accel-tcg-x86-6.2.0-150400.37.23.1
* qemu-x86-debuginfo-6.2.0-150400.37.23.1
* qemu-x86-6.2.0-150400.37.23.1
* SUSE Linux Enterprise Micro 5.4 (aarch64 s390x x86_64)
* qemu-hw-display-virtio-gpu-6.2.0-150400.37.23.1
* qemu-hw-display-qxl-debuginfo-6.2.0-150400.37.23.1
* qemu-debugsource-6.2.0-150400.37.23.1
* qemu-ui-spice-core-debuginfo-6.2.0-150400.37.23.1
* qemu-hw-display-virtio-vga-debuginfo-6.2.0-150400.37.23.1
* qemu-hw-usb-redirect-debuginfo-6.2.0-150400.37.23.1
* qemu-audio-spice-6.2.0-150400.37.23.1
* qemu-guest-agent-6.2.0-150400.37.23.1
* qemu-guest-agent-debuginfo-6.2.0-150400.37.23.1
* qemu-ui-opengl-debuginfo-6.2.0-150400.37.23.1
* qemu-chardev-spice-6.2.0-150400.37.23.1
* qemu-tools-6.2.0-150400.37.23.1
* qemu-hw-display-virtio-gpu-debuginfo-6.2.0-150400.37.23.1
* qemu-ui-opengl-6.2.0-150400.37.23.1
* qemu-debuginfo-6.2.0-150400.37.23.1
* qemu-ui-spice-core-6.2.0-150400.37.23.1
* qemu-tools-debuginfo-6.2.0-150400.37.23.1
* qemu-hw-display-qxl-6.2.0-150400.37.23.1
* qemu-audio-spice-debuginfo-6.2.0-150400.37.23.1
* qemu-hw-display-virtio-vga-6.2.0-150400.37.23.1
* qemu-hw-usb-redirect-6.2.0-150400.37.23.1
* qemu-6.2.0-150400.37.23.1
* qemu-chardev-spice-debuginfo-6.2.0-150400.37.23.1
* SUSE Linux Enterprise Micro 5.4 (aarch64)
* qemu-arm-6.2.0-150400.37.23.1
* qemu-arm-debuginfo-6.2.0-150400.37.23.1
* SUSE Linux Enterprise Micro 5.4 (noarch)
* qemu-vgabios-1.15.0_0_g2dd4b9b-150400.37.23.1
* qemu-ipxe-1.0.0+-150400.37.23.1
* qemu-seabios-1.15.0_0_g2dd4b9b-150400.37.23.1
* qemu-sgabios-8-150400.37.23.1
* SUSE Linux Enterprise Micro 5.4 (s390x)
* qemu-s390x-6.2.0-150400.37.23.1
* qemu-s390x-debuginfo-6.2.0-150400.37.23.1
* SUSE Linux Enterprise Micro 5.4 (x86_64)
* qemu-accel-tcg-x86-debuginfo-6.2.0-150400.37.23.1
* qemu-accel-tcg-x86-6.2.0-150400.37.23.1
* qemu-x86-debuginfo-6.2.0-150400.37.23.1
* qemu-x86-6.2.0-150400.37.23.1
* Basesystem Module 15-SP4 (aarch64 ppc64le s390x x86_64)
* qemu-debuginfo-6.2.0-150400.37.23.1
* qemu-debugsource-6.2.0-150400.37.23.1
* qemu-tools-debuginfo-6.2.0-150400.37.23.1
* qemu-tools-6.2.0-150400.37.23.1
* Server Applications Module 15-SP4 (aarch64 ppc64le s390x x86_64)
* qemu-ksm-6.2.0-150400.37.23.1
* qemu-hw-usb-host-debuginfo-6.2.0-150400.37.23.1
* qemu-block-iscsi-debuginfo-6.2.0-150400.37.23.1
* qemu-block-iscsi-6.2.0-150400.37.23.1
* qemu-block-rbd-6.2.0-150400.37.23.1
* qemu-debugsource-6.2.0-150400.37.23.1
* qemu-ui-curses-debuginfo-6.2.0-150400.37.23.1
* qemu-guest-agent-6.2.0-150400.37.23.1
* qemu-guest-agent-debuginfo-6.2.0-150400.37.23.1
* qemu-block-ssh-6.2.0-150400.37.23.1
* qemu-block-curl-6.2.0-150400.37.23.1
* qemu-chardev-baum-debuginfo-6.2.0-150400.37.23.1
* qemu-debuginfo-6.2.0-150400.37.23.1
* qemu-lang-6.2.0-150400.37.23.1
* qemu-block-ssh-debuginfo-6.2.0-150400.37.23.1
* qemu-chardev-baum-6.2.0-150400.37.23.1
* qemu-block-curl-debuginfo-6.2.0-150400.37.23.1
* qemu-block-rbd-debuginfo-6.2.0-150400.37.23.1
* qemu-ui-curses-6.2.0-150400.37.23.1
* qemu-hw-usb-host-6.2.0-150400.37.23.1
* qemu-6.2.0-150400.37.23.1
* Server Applications Module 15-SP4 (aarch64)
* qemu-arm-6.2.0-150400.37.23.1
* qemu-arm-debuginfo-6.2.0-150400.37.23.1
* Server Applications Module 15-SP4 (aarch64 ppc64le x86_64)
* qemu-hw-usb-redirect-6.2.0-150400.37.23.1
* qemu-chardev-spice-6.2.0-150400.37.23.1
* qemu-ui-gtk-debuginfo-6.2.0-150400.37.23.1
* qemu-ui-spice-app-6.2.0-150400.37.23.1
* qemu-ui-spice-core-debuginfo-6.2.0-150400.37.23.1
* qemu-hw-display-virtio-vga-debuginfo-6.2.0-150400.37.23.1
* qemu-hw-usb-redirect-debuginfo-6.2.0-150400.37.23.1
* qemu-hw-display-qxl-debuginfo-6.2.0-150400.37.23.1
* qemu-ui-gtk-6.2.0-150400.37.23.1
* qemu-ui-opengl-6.2.0-150400.37.23.1
* qemu-audio-spice-6.2.0-150400.37.23.1
* qemu-ui-spice-app-debuginfo-6.2.0-150400.37.23.1
* qemu-ui-spice-core-6.2.0-150400.37.23.1
* qemu-hw-display-qxl-6.2.0-150400.37.23.1
* qemu-audio-spice-debuginfo-6.2.0-150400.37.23.1
* qemu-ui-opengl-debuginfo-6.2.0-150400.37.23.1
* qemu-hw-display-virtio-vga-6.2.0-150400.37.23.1
* qemu-chardev-spice-debuginfo-6.2.0-150400.37.23.1
* Server Applications Module 15-SP4 (noarch)
* qemu-ipxe-1.0.0+-150400.37.23.1
* qemu-vgabios-1.15.0_0_g2dd4b9b-150400.37.23.1
* qemu-skiboot-6.2.0-150400.37.23.1
* qemu-seabios-1.15.0_0_g2dd4b9b-150400.37.23.1
* qemu-SLOF-6.2.0-150400.37.23.1
* qemu-sgabios-8-150400.37.23.1
* Server Applications Module 15-SP4 (ppc64le)
* qemu-ppc-6.2.0-150400.37.23.1
* qemu-ppc-debuginfo-6.2.0-150400.37.23.1
* Server Applications Module 15-SP4 (s390x x86_64)
* qemu-hw-display-virtio-gpu-6.2.0-150400.37.23.1
* qemu-hw-display-virtio-gpu-debuginfo-6.2.0-150400.37.23.1
* qemu-hw-display-virtio-gpu-pci-6.2.0-150400.37.23.1
* qemu-kvm-6.2.0-150400.37.23.1
* qemu-hw-display-virtio-gpu-pci-debuginfo-6.2.0-150400.37.23.1
* Server Applications Module 15-SP4 (s390x)
* qemu-hw-s390x-virtio-gpu-ccw-debuginfo-6.2.0-150400.37.23.1
* qemu-s390x-debuginfo-6.2.0-150400.37.23.1
* qemu-hw-s390x-virtio-gpu-ccw-6.2.0-150400.37.23.1
* qemu-s390x-6.2.0-150400.37.23.1
* Server Applications Module 15-SP4 (x86_64)
* qemu-audio-pa-debuginfo-6.2.0-150400.37.23.1
* qemu-accel-tcg-x86-6.2.0-150400.37.23.1
* qemu-accel-tcg-x86-debuginfo-6.2.0-150400.37.23.1
* qemu-audio-pa-6.2.0-150400.37.23.1
* qemu-audio-alsa-6.2.0-150400.37.23.1
* qemu-audio-alsa-debuginfo-6.2.0-150400.37.23.1
* qemu-x86-debuginfo-6.2.0-150400.37.23.1
* qemu-x86-6.2.0-150400.37.23.1
## References:
* https://www.suse.com/security/cve/CVE-2021-3638.html
* https://www.suse.com/security/cve/CVE-2021-3750.html
* https://www.suse.com/security/cve/CVE-2023-0330.html
* https://www.suse.com/security/cve/CVE-2023-3180.html
* https://www.suse.com/security/cve/CVE-2023-3354.html
* https://bugzilla.suse.com/show_bug.cgi?id=1179993
* https://bugzilla.suse.com/show_bug.cgi?id=1181740
* https://bugzilla.suse.com/show_bug.cgi?id=1188609
* https://bugzilla.suse.com/show_bug.cgi?id=1190011
* https://bugzilla.suse.com/show_bug.cgi?id=1207205
* https://bugzilla.suse.com/show_bug.cgi?id=1212850
* https://bugzilla.suse.com/show_bug.cgi?id=1213663
* https://bugzilla.suse.com/show_bug.cgi?id=1213925
* https://bugzilla.suse.com/show_bug.cgi?id=1215311
SUSE-SU-2023:4057-1: important: Security update for the Linux Kernel
by security@lists.opensuse.org 12 Oct '23
# Security update for the Linux Kernel
Announcement ID: SUSE-SU-2023:4057-1
Rating: important
References:
* #1202845
* #1213772
* #1213808
* #1214928
* #1214943
* #1214944
* #1214950
* #1214951
* #1214954
* #1214957
* #1214986
* #1214988
* #1214992
* #1214993
* #1215322
* #1215523
* #1215877
* #1215894
* #1215895
* #1215896
* #1215911
* #1215915
* #1215916
Cross-References:
* CVE-2023-1192
* CVE-2023-1206
* CVE-2023-1859
* CVE-2023-2177
* CVE-2023-37453
* CVE-2023-39192
* CVE-2023-39193
* CVE-2023-39194
* CVE-2023-4155
* CVE-2023-42753
* CVE-2023-42754
* CVE-2023-4389
* CVE-2023-4563
* CVE-2023-4622
* CVE-2023-4623
* CVE-2023-4881
* CVE-2023-4921
* CVE-2023-5345
CVSS scores:
* CVE-2023-1192 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
* CVE-2023-1206 ( SUSE ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2023-1206 ( NVD ): 5.7 CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
* CVE-2023-1859 ( SUSE ): 1.9 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:L
* CVE-2023-1859 ( NVD ): 4.7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
* CVE-2023-2177 ( SUSE ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
* CVE-2023-2177 ( NVD ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
* CVE-2023-37453 ( SUSE ): 4.6 CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2023-37453 ( NVD ): 4.6 CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2023-39192 ( SUSE ): 6.0 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:H
* CVE-2023-39192 ( NVD ): 6.7 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L
* CVE-2023-39193 ( SUSE ): 5.1 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:L
* CVE-2023-39193 ( NVD ): 5.1 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:L
* CVE-2023-39194 ( SUSE ): 3.2 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N
* CVE-2023-39194 ( NVD ): 3.2 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N
* CVE-2023-4155 ( SUSE ): 6.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
* CVE-2023-4155 ( NVD ): 5.3 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:N/I:N/A:H
* CVE-2023-42753 ( NVD ): 7.0 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
* CVE-2023-42754 ( SUSE ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
* CVE-2023-42754 ( NVD ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
* CVE-2023-4389 ( SUSE ): 5.8 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H
* CVE-2023-4389 ( NVD ): 7.0 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
* CVE-2023-4563 ( SUSE ): 0.0 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:N
* CVE-2023-4622 ( SUSE ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
* CVE-2023-4622 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
* CVE-2023-4623 ( SUSE ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
* CVE-2023-4623 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
* CVE-2023-4881 ( SUSE ): 6.1 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L
* CVE-2023-4881 ( NVD ): 6.1 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H
* CVE-2023-4921 ( SUSE ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
* CVE-2023-4921 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
* CVE-2023-5345 ( SUSE ): 7.0 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
* CVE-2023-5345 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Affected Products:
* openSUSE Leap 15.4
* Public Cloud Module 15-SP4
* SUSE Linux Enterprise High Performance Computing 15 SP4
* SUSE Linux Enterprise Server 15 SP4
* SUSE Linux Enterprise Server for SAP Applications 15 SP4
* SUSE Manager Proxy 4.3
* SUSE Manager Retail Branch Server 4.3
* SUSE Manager Server 4.3
An update that solves 18 vulnerabilities and has five security fixes can now be
installed.
## Description:
The SUSE Linux Enterprise 15 SP4 Azure kernel was updated to receive various
security and bugfixes.
The following security bugs were fixed:
* CVE-2023-4563: Fixed a use-after-free flaw in the nftables sub-component.
This vulnerability could allow a local attacker to crash the system or lead
to a kernel information leak problem. (bsc#1214727)
* CVE-2023-39194: Fixed a flaw in the processing of state filters which could
allow a local attacker to disclose sensitive information. (bsc#1215861)
* CVE-2023-39193: Fixed a flaw in the processing of state filters which could
allow a local attacker to disclose sensitive information. (bsc#1215860)
* CVE-2023-39192: Fixed a flaw in the u32_match_it function which could allow
a local attacker to disclose sensitive information. (bsc#1215858)
* CVE-2023-42754: Fixed a null pointer dereference in ipv4_link_failure which
could lead an authenticated attacker to trigger a DoS. (bsc#1215467)
* CVE-2023-5345: Fixed a use-after-free vulnerability in the fs/smb/client
component which could be exploited to achieve local privilege escalation.
(bsc#1215899)
* CVE-2023-4155: Fixed a flaw in KVM AMD Secure Encrypted Virtualization
(SEV). An attacker can trigger a stack overflow and cause a denial of
service or potentially guest-to-host escape in kernel configurations without
stack guard pages. (bsc#1214022)
* CVE-2023-4389: Fixed a reference counting issue in the Btrfs filesystem that
could be exploited in order to leak internal kernel information or crash the
system (bsc#1214351).
* CVE-2023-42753: Fixed an array indexing vulnerability in the netfilter
subsystem. This issue may have allowed a local user to crash the system or
potentially escalate their privileges (bsc#1215150).
* CVE-2023-1206: Fixed a hash collision flaw in the IPv6 connection lookup
table. A user located in the local network or with a high bandwidth
connection can increase the CPU usage of the server that accepts IPv6
connections up to 95% (bsc#1212703).
* CVE-2023-4921: Fixed a use-after-free vulnerability in the QFQ network
scheduler which could be exploited to achieve local privilege escalation
(bsc#1215275).
* CVE-2023-37453: Fixed oversight in SuperSpeed initialization (bsc#1213123).
* CVE-2023-4622: Fixed a use-after-free vulnerability in the Unix domain
sockets component which could be exploited to achieve local privilege
escalation (bsc#1215117).
* CVE-2023-4623: Fixed a use-after-free issue in the HFSC network scheduler
which could be exploited to achieve local privilege escalation
(bsc#1215115).
* CVE-2023-1859: Fixed a use-after-free flaw in Xen transport for 9pfs which
could be exploited to crash the system (bsc#1210169).
* CVE-2023-4881: Fixed an out-of-bounds write flaw in the netfilter subsystem
that could lead to potential information disclosure or a denial of service
(bsc#1215221).
* CVE-2023-2177: Fixed a null pointer dereference issue in the sctp network
protocol which could allow a user to crash the system (bsc#1210643).
* CVE-2023-1192: Fixed use-after-free in cifs_demultiplex_thread()
(bsc#1208995).
The following non-security bugs were fixed:
* ALSA: hda/cirrus: Fix broken audio on hardware with two CS42L42 codecs
(git-fixes).
* ALSA: hda/realtek: Splitting the UX3402 into two separate models
(git-fixes).
* ARM: pxa: remove use of symbol_get() (git-fixes).
* arm64: csum: Fix OoB access in IP checksum code for negative lengths
(git-fixes).
* arm64: module-plts: inline linux/moduleloader.h (git-fixes)
* arm64: module: Use module_init_layout_section() to spot init sections
(git-fixes)
* arm64: sdei: abort running SDEI handlers during crash (git-fixes)
* arm64: tegra: Update AHUB clock parent and rate (git-fixes)
* arm64/fpsimd: Only provide the length to cpufeature for xCR registers
(git-fixes)
* ASoC: imx-audmix: Fix return error with devm_clk_get() (git-fixes).
* ASoC: meson: spdifin: start hw on dai probe (git-fixes).
* ASoC: soc-utils: Export snd_soc_dai_is_dummy() symbol (git-fixes).
* ASoC: tegra: Fix redundant PLLA and PLLA_OUT0 updates (git-fixes).
* ata: libata: disallow dev-initiated LPM transitions to unsupported states
(git-fixes).
* ata: pata_falcon: fix IO base selection for Q40 (git-fixes).
* ata: pata_ftide010: Add missing MODULE_DESCRIPTION (git-fixes).
* ata: sata_gemini: Add missing MODULE_DESCRIPTION (git-fixes).
* backlight: gpio_backlight: Drop output GPIO direction check for initial
power state (git-fixes).
* blk-iocost: fix divide by 0 error in calc_lcoefs() (bsc#1214986).
* blk-iocost: use spin_lock_irqsave in adjust_inuse_and_calc_cost
(bsc#1214992).
* block/mq-deadline: use correct way to throttling write requests
(bsc#1214993).
* Bluetooth: btsdio: fix use after free bug in btsdio_remove due to race
condition (git-fixes).
* bnx2x: new flag for track HW resource allocation (bsc#1202845 bsc#1215322).
* bpf: Clear the probe_addr for uprobe (git-fixes).
* btrfs: do not hold CPU for too long when defragging a file (bsc#1214988).
* drm: gm12u320: Fix the timeout usage for usb_bulk_msg() (git-fixes).
* drm/amd/display: fix the white screen issue when >= 64GB DRAM (git-fixes).
* drm/amd/display: prevent potential division by zero errors (git-fixes).
* drm/display: Do not assume dual mode adaptors support i2c sub-addressing
(bsc#1213808).
* drm/i915: mark requests for GuC virtual engines to avoid use-after-free
(git-fixes).
* drm/i915/gvt: Drop unused helper intel_vgpu_reset_gtt() (git-fixes).
* drm/virtio: Correct drm_gem_shmem_get_sg_table() error handling (git-fixes).
* drm/virtio: Use appropriate atomic state in virtio_gpu_plane_cleanup_fb()
(git-fixes).
* ext4: avoid potential data overflow in next_linear_group (bsc#1214951).
* ext4: correct inline offset when handling xattrs in inode body
(bsc#1214950).
* ext4: fix memory leaks in ext4_fname_{setup_filename,prepare_lookup}
(bsc#1214954).
* ext4: fix wrong unit use in ext4_mb_clear_bb (bsc#1214943).
* ext4: fix wrong unit use in ext4_mb_new_blocks (bsc#1214944).
* ext4: get block from bh in ext4_free_blocks for fast commit replay
(bsc#1214942).
* ext4: reflect error codes from ext4_multi_mount_protect() to its callers
(bsc#1214941).
* ext4: Remove ext4 locking of moved directory (bsc#1214957).
* ext4: set goal start correctly in ext4_mb_normalize_request (bsc#1214940).
* fs: do not update freeing inode i_io_list (bsc#1214813).
* fs: Establish locking order for unrelated directories (bsc#1214958).
* fs: Lock moved directories (bsc#1214959).
* fs: lockd: avoid possible wrong NULL parameter (git-fixes).
* fs: no need to check source (bsc#1215752).
* fs: record I_DIRTY_TIME even if inode already has I_DIRTY_INODE
(bsc#1214813).
* fuse: nlookup missing decrement in fuse_direntplus_link (bsc#1215581).
* gve: Add AF_XDP zero-copy support for GQI-QPL format (bsc#1214479).
* gve: Add XDP DROP and TX support for GQI-QPL format (bsc#1214479).
* gve: Add XDP REDIRECT support for GQI-QPL format (bsc#1214479).
* gve: Changes to add new TX queues (bsc#1214479).
* gve: Control path for DQO-QPL (bsc#1214479).
* gve: fix frag_list chaining (bsc#1214479).
* gve: Fix gve interrupt names (bsc#1214479).
* gve: RX path for DQO-QPL (bsc#1214479).
* gve: trivial spell fix Recive to Receive (bsc#1214479).
* gve: Tx path for DQO-QPL (bsc#1214479).
* gve: Unify duplicate GQ min pkt desc size constants (bsc#1214479).
* gve: use vmalloc_array and vcalloc (bsc#1214479).
* gve: XDP support GQI-QPL: helper function changes (bsc#1214479).
* hwrng: virtio - add an internal buffer (git-fixes).
* hwrng: virtio - always add a pending request (git-fixes).
* hwrng: virtio - do not wait on cleanup (git-fixes).
* hwrng: virtio - do not waste entropy (git-fixes).
* hwrng: virtio - Fix race on data_avail and actual data (git-fixes).
* i2c: aspeed: Reset the i2c controller when timeout occurs (git-fixes).
* i3c: master: svc: fix probe failure when no i3c device exist (git-fixes).
* idr: fix param name in idr_alloc_cyclic() doc (git-fixes).
* Input: tca6416-keypad - fix interrupt enable disbalance (git-fixes).
* iommu/virtio: Detach domain on endpoint release (git-fixes).
* jbd2: check 'jh->b_transaction' before removing it from checkpoint
(bsc#1214953).
* jbd2: correct the end of the journal recovery scan range (bsc#1214955).
* jbd2: fix a race when checking checkpoint buffer busy (bsc#1214949).
* jbd2: fix checkpoint cleanup performance regression (bsc#1214952).
* jbd2: Fix wrongly judgement for buffer head removing while doing checkpoint
(bsc#1214948).
* jbd2: recheck chechpointing non-dirty buffer (bsc#1214945).
* jbd2: remove journal_clean_one_cp_list() (bsc#1214947).
* jbd2: remove t_checkpoint_io_list (bsc#1214946).
* jbd2: restore t_checkpoint_io_list to maintain kABI (bsc#1214946).
* kabi/severities: ignore mlx4 internal symbols
* kconfig: fix possible buffer overflow (git-fixes).
* KVM: s390: fix KVM_S390_GET_CMMA_BITS for GFNs in memslot holes (git-fixes
bsc#1215915).
* KVM: s390: interrupt: use READ_ONCE() before cmpxchg() (git-fixes
bsc#1215896).
* KVM: s390: pv: fix external interruption loop not always detected (git-fixes
bsc#1215916).
* KVM: s390: vsie: Fix the initialization of the epoch extension (epdx) field
(git-fixes bsc#1215894).
* KVM: s390: vsie: fix the length of APCB bitmap (git-fixes bsc#1215895).
* KVM: s390/diag: fix racy access of physical cpu number in diag 9c handler
(git-fixes bsc#1215911).
* KVM: SVM: Remove a duplicate definition of VMCB_AVIC_APIC_BAR_MASK (git-
fixes).
* KVM: VMX: Fix header file dependency of asm/vmx.h (git-fixes).
* KVM: x86: add support for CPUID leaf 0x80000021 (bsc#1213772).
* KVM: x86: Fix clang -Wimplicit-fallthrough in do_host_cpuid() (git-fixes).
* KVM: x86: Fix KVM_CAP_SYNC_REGS's sync_regs() TOCTOU issues (git-fixes).
* KVM: x86: Move open-coded CPUID leaf 0x80000021 EAX bit propagation code
(bsc#1213772).
* KVM: x86: Propagate the AMD Automatic IBRS feature to the guest
(bsc#1213772).
* KVM: x86: synthesize CPUID leaf 0x80000021h if useful (bsc#1213772).
* KVM: x86: work around QEMU issue with synthetic CPUID leaves (git-fixes).
* KVM: x86/mmu: Include mmu.h in spte.h (git-fixes).
* loop: Fix use-after-free issues (bsc#1214991).
* loop: loop_set_status_from_info() check before assignment (bsc#1214990).
* mlx4: Avoid resetting MLX4_INTFF_BONDING per driver (bsc#1187236).
* mlx4: Connect the ethernet part to the auxiliary bus (bsc#1187236).
* mlx4: Connect the infiniband part to the auxiliary bus (bsc#1187236).
* mlx4: Delete custom device management logic (bsc#1187236).
* mlx4: Get rid of the mlx4_interface.activate callback (bsc#1187236).
* mlx4: Get rid of the mlx4_interface.get_dev callback (bsc#1187236).
* mlx4: Move the bond work to the core driver (bsc#1187236).
* mlx4: Register mlx4 devices to an auxiliary virtual bus (bsc#1187236).
* mlx4: Rename member mlx4_en_dev.nb to netdev_nb (bsc#1187236).
* mlx4: Replace the mlx4_interface.event callback with a notifier
(bsc#1187236).
* mlx4: Use 'void *' as the event param of mlx4_dispatch_event()
(bsc#1187236).
* module: Expose module_init_layout_section() (git-fixes)
* net: do not allow gso_size to be set to GSO_BY_FRAGS (git-fixes).
* net: mana: Add page pool for RX buffers (bsc#1214040).
* net: mana: Configure hwc timeout from hardware (bsc#1214037).
* net: phy: micrel: Correct bit assignments for phy_device flags (git-fixes).
* net: usb: qmi_wwan: add Quectel EM05GV2 (git-fixes).
* net/mlx4: Remove many unnecessary NULL values (bsc#1187236).
* NFS: Guard against READDIR loop when entry names exceed MAXNAMELEN (git-
fixes).
* nfs/blocklayout: Use the passed in gfp flags (git-fixes).
* NFS/pNFS: Fix assignment of xprtdata.cred (git-fixes).
* NFS/pNFS: Report EINVAL errors from connect() to the server (git-fixes).
* NFSD: da_addr_body field missing in some GETDEVICEINFO replies (git-fixes).
* NFSD: fix change_info in NFSv4 RENAME replies (git-fixes).
* NFSD: Fix race to FREE_STATEID and cl_revoked (git-fixes).
* NFSv4: Fix dropped lock for racing OPEN and delegation return (git-fixes).
* NFSv4: fix out path in __nfs4_get_acl_uncached (git-fixes).
* NFSv4.2: fix error handling in nfs42_proc_getxattr (git-fixes).
* NFSv4.2: fix handling of COPY ERR_OFFLOAD_NO_REQ (git-fixes).
* NFSv4/pnfs: minor fix for cleanup path in nfs4_get_device_info (git-fixes).
* ntb: Clean up tx tail index on link down (git-fixes).
* ntb: Drop packets when qp link is down (git-fixes).
* ntb: Fix calculation ntb_transport_tx_free_entry() (git-fixes).
* nvme-auth: use chap->s2 to indicate bidirectional authentication
(bsc#1214543).
* nvme-tcp: add recovery_delay to sysfs (bsc#1201284).
* nvme-tcp: delay error recovery until the next KATO interval (bsc#1201284).
* nvme-tcp: Do not terminate commands when in RESETTING (bsc#1201284).
* nvme-tcp: make 'err_work' a delayed work (bsc#1201284).
* PCI: Free released resource after coalescing (git-fixes).
* platform/mellanox: mlxbf-pmc: Fix potential buffer overflows (git-fixes).
* platform/mellanox: mlxbf-pmc: Fix reading of unprogrammed events (git-
fixes).
* platform/mellanox: mlxbf-tmfifo: Drop jumbo frames (git-fixes).
* platform/mellanox: mlxbf-tmfifo: Drop the Rx packet if no more descriptors
(git-fixes).
* platform/x86: intel_scu_ipc: Check status after timeout in busy_loop() (git-
fixes).
* platform/x86: intel_scu_ipc: Check status upon timeout in
ipc_wait_for_interrupt() (git-fixes).
* platform/x86: intel_scu_ipc: Do not override scu in
intel_scu_ipc_dev_simple_command() (git-fixes).
* platform/x86: intel_scu_ipc: Fail IPC send if still busy (git-fixes).
* powerpc/fadump: make is_kdump_kernel() return false when fadump is active
(bsc#1212639 ltc#202582).
* powerpc/iommu: Fix notifiers being shared by PCI and VIO buses
(bsc#1065729).
* powerpc/rtas: mandate RTAS syscall filtering (bsc#1023051).
* powerpc/xics: Remove unnecessary endian conversion (bsc#1065729).
* printk: ringbuffer: Fix truncating buffer size min_t cast (bsc#1215875).
* pwm: lpc32xx: Remove handling of PWM channels (git-fixes).
* quota: add new helper dquot_active() (bsc#1214998).
* quota: factor out dquot_write_dquot() (bsc#1214995).
* quota: fix dqput() to follow the guarantees dquot_srcu should provide
(bsc#1214963).
* quota: fix warning in dqgrab() (bsc#1214962).
* quota: Properly disable quotas when add_dquot_ref() fails (bsc#1214961).
* quota: rename dquot_active() to inode_quota_active() (bsc#1214997).
* s390: add z16 elf platform (git-fixes LTC#203789 bsc#1215956 LTC#203788
bsc#1215957).
* s390/qeth: Do not call dev_close/dev_open (DOWN/UP) (bsc#1214873 git-fixes).
* s390/zcrypt: do not leak memory if dev_set_name() fails (git-fixes
bsc#1215148).
* scsi: 3w-xxxx: Add error handling for initialization failure in tw_probe()
(git-fixes).
* scsi: 53c700: Check that command slot is not NULL (git-fixes).
* scsi: core: Fix legacy /proc parsing buffer overflow (git-fixes).
* scsi: core: Fix possible memory leak if device_add() fails (git-fixes).
* scsi: fnic: Replace return codes in fnic_clean_pending_aborts() (git-fixes).
* scsi: lpfc: Do not abuse UUID APIs and LPFC_COMPRESS_VMID_SIZE (git-fixes).
* scsi: lpfc: Early return after marking final NLP_DROPPED flag in
dev_loss_tmo (git-fixes).
* scsi: lpfc: Fix the NULL vs IS_ERR() bug for debugfs_create_file() (git-
fixes).
* scsi: lpfc: Modify when a node should be put in device recovery mode during
RSCN (git-fixes).
* scsi: lpfc: Prevent use-after-free during rmmod with mapped NVMe rports
(git-fixes).
* scsi: lpfc: Remove reftag check in DIF paths (git-fixes).
* scsi: qedf: Add synchronization between I/O completions and abort
(bsc#1210658).
* scsi: qedf: Fix firmware halt over suspend and resume (git-fixes).
* scsi: qedf: Fix NULL dereference in error handling (git-fixes).
* scsi: qedi: Fix firmware halt over suspend and resume (git-fixes).
* scsi: qla2xxx: Add logs for SFP temperature monitoring (bsc#1214928).
* scsi: qla2xxx: Allow 32-byte CDBs (bsc#1214928).
* scsi: qla2xxx: Error code did not return to upper layer (bsc#1214928).
* scsi: qla2xxx: Fix firmware resource tracking (bsc#1214928).
* scsi: qla2xxx: Fix NULL vs IS_ERR() bug for debugfs_create_dir() (git-
fixes).
* scsi: qla2xxx: Fix smatch warn for qla_init_iocb_limit() (bsc#1214928).
* scsi: qla2xxx: Flush mailbox commands on chip reset (bsc#1214928).
* scsi: qla2xxx: Move resource to allow code reuse (bsc#1214928).
* scsi: qla2xxx: Remove unsupported ql2xenabledif option (bsc#1214928).
* scsi: qla2xxx: Remove unused declarations (bsc#1214928).
* scsi: qla2xxx: Remove unused variables in qla24xx_build_scsi_type_6_iocbs()
(bsc#1214928).
* scsi: qla2xxx: Update version to 10.02.09.100-k (bsc#1214928).
* scsi: qla2xxx: Use raw_smp_processor_id() instead of smp_processor_id()
(git-fixes).
* scsi: scsi_debug: Remove dead code (git-fixes).
* scsi: snic: Fix double free in snic_tgt_create() (git-fixes).
* scsi: snic: Fix possible memory leak if device_add() fails (git-fixes).
* scsi: storvsc: Handle additional SRB status values (git-fixes).
* scsi: zfcp: Fix a double put in zfcp_port_enqueue() (git-fixes bsc#1215941).
* selftests: tracing: Fix to unmount tracefs for recovering environment (git-
fixes).
* SUNRPC: Mark the cred for revalidation if the server rejects it (git-fixes).
* tcpm: Avoid soft reset when partner does not support get_status (git-fixes).
* tracing: Fix race issue between cpu buffer write and swap (git-fixes).
* tracing: Remove extra space at the end of hwlat_detector/mode (git-fixes).
* tracing: Remove unnecessary copying of tr->current_trace (git-fixes).
* uapi: stddef.h: Fix __DECLARE_FLEX_ARRAY for C++ (git-fixes).
* udf: Fix extension of the last extent in the file (bsc#1214964).
* udf: Fix file corruption when appending just after end of preallocated
extent (bsc#1214965).
* udf: Fix off-by-one error when discarding preallocation (bsc#1214966).
* udf: Fix uninitialized array access for some pathnames (bsc#1214967).
* uprobes/x86: Allow to probe a NOP instruction with 0x66 prefix (git-fixes).
* usb: ehci: add workaround for chipidea PORTSC.PEC bug (git-fixes).
* usb: ehci: move new member has_ci_pec_bug into hole (git-fixes).
* usb: serial: option: add FOXCONN T99W368/T99W373 product (git-fixes).
* usb: serial: option: add Quectel EM05G variant (0x030e) (git-fixes).
* usb: typec: tcpci: clear the fault status bit (git-fixes).
* usb: typec: tcpci: move tcpci.h to include/linux/usb/ (git-fixes).
* vhost_vdpa: fix the crash in unmap a large memory (git-fixes).
* vhost-scsi: unbreak any layout for response (git-fixes).
* vhost: allow batching hint without size (git-fixes).
* vhost: fix hung thread due to erroneous iotlb entries (git-fixes).
* vhost: handle error while adding split ranges to iotlb (git-fixes).
* virtio_net: add checking sq is full inside xdp xmit (git-fixes).
* virtio_net: Fix probe failed when modprobe virtio_net (git-fixes).
* virtio_net: reorder some funcs (git-fixes).
* virtio_net: separate the logic of checking whether sq is full (git-fixes).
* virtio_ring: fix avail_wrap_counter in virtqueue_add_packed (git-fixes).
* virtio-mmio: do not break lifecycle of vm_dev (git-fixes).
* virtio-net: fix race between set queues and probe (git-fixes).
* virtio-net: set queues after driver_ok (git-fixes).
* virtio-rng: make device ready before making request (git-fixes).
* virtio: acknowledge all features before access (git-fixes).
* vmcore: remove dependency with is_kdump_kernel() for exporting vmcore
(bsc#1212639 ltc#202582).
* watchdog: intel-mid_wdt: add MODULE_ALIAS() to allow auto-load (git-fixes).
* word-at-a-time: use the same return type for has_zero regardless of
endianness (bsc#1065729).
* x86/alternative: Fix race in try_get_desc() (git-fixes).
* x86/boot/e820: Fix typo in e820.c comment (git-fixes).
* x86/bugs: Reset speculation control settings on init (git-fixes).
* x86/cpu, kvm: Add the NO_NESTED_DATA_BP feature (bsc#1213772).
* x86/cpu, kvm: Add the Null Selector Clears Base feature (bsc#1213772).
* x86/cpu, kvm: Add the SMM_CTL MSR not present feature (bsc#1213772).
* x86/cpu, kvm: Move X86_FEATURE_LFENCE_RDTSC to its native leaf
(bsc#1213772).
* x86/cpu: Add Lunar Lake M (git-fixes).
* x86/cpu: Add model number for Intel Arrow Lake processor (git-fixes).
* x86/cpu: Enable STIBP on AMD if Automatic IBRS is enabled (bsc#1213772).
* x86/cpu: Support AMD Automatic IBRS (bsc#1213772).
* x86/fpu: Take task_struct* in copy_sigframe_from_user_to_xstate() (git-
fixes).
* x86/head/64: Switch to KERNEL_CS as soon as new GDT is installed (git-
fixes).
* x86/i8259: Mark legacy PIC interrupts with IRQ_LEVEL (git-fixes).
* x86/ioapic: Do not return 0 from arch_dynirq_lower_bound() (git-fixes).
* x86/ioremap: Fix page aligned size calculation in __ioremap_caller() (git-
fixes).
* x86/mce: Retrieve poison range from hardware (git-fixes).
* x86/mem_encrypt: Unbreak the AMD_MEM_ENCRYPT=n build (git-fixes).
* x86/mm: Avoid incomplete Global INVLPG flushes (git-fixes).
* x86/mm: Do not shuffle CPU entry areas without KASLR (git-fixes).
* x86/purgatory: remove PGO flags (git-fixes).
* x86/PVH: avoid 32-bit build warning when obtaining VGA console info (git-
fixes).
* x86/reboot: Disable virtualization in an emergency if SVM is supported (git-
fixes).
* x86/resctl: fix scheduler confusion with 'current' (git-fixes).
* x86/resctrl: Fix task CLOSID/RMID update race (git-fixes).
* x86/resctrl: Fix to restore to original value when re-enabling hardware
prefetch register (git-fixes).
* x86/rtc: Remove __init for runtime functions (git-fixes).
* x86/sev: Make enc_dec_hypercall() accept a size instead of npages
(bsc#1214635).
* x86/sgx: Reduce delay and interference of enclave release (git-fixes).
* x86/srso: Do not probe microcode in a guest (git-fixes).
* x86/srso: Fix SBPB enablement for spec_rstack_overflow=off (git-fixes).
* x86/srso: Fix srso_show_state() side effect (git-fixes).
* x86/srso: Set CPUID feature bits independently of bug or mitigation status
(git-fixes).
* x86/virt: Force GIF=1 prior to disabling SVM (for reboot flows) (git-fixes).
* xen: remove a confusing comment on auto-translated guest I/O (git-fixes).
* xprtrdma: Remap Receive buffers after a reconnect (git-fixes).
## Special Instructions and Notes:
* Please reboot the system after installing this update.
## Patch Instructions:
To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
* openSUSE Leap 15.4
zypper in -t patch SUSE-2023-4057=1 openSUSE-SLE-15.4-2023-4057=1
* Public Cloud Module 15-SP4
zypper in -t patch SUSE-SLE-Module-Public-Cloud-15-SP4-2023-4057=1
## Package List:
* openSUSE Leap 15.4 (aarch64 x86_64)
* kernel-azure-optional-debuginfo-5.14.21-150400.14.69.1
* kernel-syms-azure-5.14.21-150400.14.69.1
* kernel-azure-debugsource-5.14.21-150400.14.69.1
* kernel-azure-optional-5.14.21-150400.14.69.1
* ocfs2-kmp-azure-5.14.21-150400.14.69.1
* cluster-md-kmp-azure-debuginfo-5.14.21-150400.14.69.1
* ocfs2-kmp-azure-debuginfo-5.14.21-150400.14.69.1
* dlm-kmp-azure-debuginfo-5.14.21-150400.14.69.1
* kernel-azure-debuginfo-5.14.21-150400.14.69.1
* cluster-md-kmp-azure-5.14.21-150400.14.69.1
* kernel-azure-devel-debuginfo-5.14.21-150400.14.69.1
* kernel-azure-extra-debuginfo-5.14.21-150400.14.69.1
* gfs2-kmp-azure-debuginfo-5.14.21-150400.14.69.1
* kselftests-kmp-azure-5.14.21-150400.14.69.1
* reiserfs-kmp-azure-5.14.21-150400.14.69.1
* kernel-azure-livepatch-devel-5.14.21-150400.14.69.1
* kernel-azure-extra-5.14.21-150400.14.69.1
* dlm-kmp-azure-5.14.21-150400.14.69.1
* kernel-azure-devel-5.14.21-150400.14.69.1
* gfs2-kmp-azure-5.14.21-150400.14.69.1
* kselftests-kmp-azure-debuginfo-5.14.21-150400.14.69.1
* reiserfs-kmp-azure-debuginfo-5.14.21-150400.14.69.1
* openSUSE Leap 15.4 (aarch64 nosrc x86_64)
* kernel-azure-5.14.21-150400.14.69.1
* openSUSE Leap 15.4 (noarch)
* kernel-devel-azure-5.14.21-150400.14.69.1
* kernel-source-azure-5.14.21-150400.14.69.1
* Public Cloud Module 15-SP4 (aarch64 nosrc x86_64)
* kernel-azure-5.14.21-150400.14.69.1
* Public Cloud Module 15-SP4 (aarch64 x86_64)
* kernel-azure-debugsource-5.14.21-150400.14.69.1
* kernel-azure-devel-debuginfo-5.14.21-150400.14.69.1
* kernel-azure-devel-5.14.21-150400.14.69.1
* kernel-syms-azure-5.14.21-150400.14.69.1
* kernel-azure-debuginfo-5.14.21-150400.14.69.1
* Public Cloud Module 15-SP4 (noarch)
* kernel-devel-azure-5.14.21-150400.14.69.1
* kernel-source-azure-5.14.21-150400.14.69.1
## References:
* https://www.suse.com/security/cve/CVE-2023-1192.html
* https://www.suse.com/security/cve/CVE-2023-1206.html
* https://www.suse.com/security/cve/CVE-2023-1859.html
* https://www.suse.com/security/cve/CVE-2023-2177.html
* https://www.suse.com/security/cve/CVE-2023-37453.html
* https://www.suse.com/security/cve/CVE-2023-39192.html
* https://www.suse.com/security/cve/CVE-2023-39193.html
* https://www.suse.com/security/cve/CVE-2023-39194.html
* https://www.suse.com/security/cve/CVE-2023-4155.html
* https://www.suse.com/security/cve/CVE-2023-42753.html
* https://www.suse.com/security/cve/CVE-2023-42754.html
* https://www.suse.com/security/cve/CVE-2023-4389.html
* https://www.suse.com/security/cve/CVE-2023-4563.html
* https://www.suse.com/security/cve/CVE-2023-4622.html
* https://www.suse.com/security/cve/CVE-2023-4623.html
* https://www.suse.com/security/cve/CVE-2023-4881.html
* https://www.suse.com/security/cve/CVE-2023-4921.html
* https://www.suse.com/security/cve/CVE-2023-5345.html
* https://bugzilla.suse.com/show_bug.cgi?id=1202845
* https://bugzilla.suse.com/show_bug.cgi?id=1213772
* https://bugzilla.suse.com/show_bug.cgi?id=1213808
* https://bugzilla.suse.com/show_bug.cgi?id=1214928
* https://bugzilla.suse.com/show_bug.cgi?id=1214943
* https://bugzilla.suse.com/show_bug.cgi?id=1214944
* https://bugzilla.suse.com/show_bug.cgi?id=1214950
* https://bugzilla.suse.com/show_bug.cgi?id=1214951
* https://bugzilla.suse.com/show_bug.cgi?id=1214954
* https://bugzilla.suse.com/show_bug.cgi?id=1214957
* https://bugzilla.suse.com/show_bug.cgi?id=1214986
* https://bugzilla.suse.com/show_bug.cgi?id=1214988
* https://bugzilla.suse.com/show_bug.cgi?id=1214992
* https://bugzilla.suse.com/show_bug.cgi?id=1214993
* https://bugzilla.suse.com/show_bug.cgi?id=1215322
* https://bugzilla.suse.com/show_bug.cgi?id=1215523
* https://bugzilla.suse.com/show_bug.cgi?id=1215877
* https://bugzilla.suse.com/show_bug.cgi?id=1215894
* https://bugzilla.suse.com/show_bug.cgi?id=1215895
* https://bugzilla.suse.com/show_bug.cgi?id=1215896
* https://bugzilla.suse.com/show_bug.cgi?id=1215911
* https://bugzilla.suse.com/show_bug.cgi?id=1215915
* https://bugzilla.suse.com/show_bug.cgi?id=1215916
SUSE-SU-2023:4058-1: important: Security update for the Linux Kernel
by security@lists.opensuse.org 12 Oct '23
# Security update for the Linux Kernel
Announcement ID: SUSE-SU-2023:4058-1
Rating: important
References:
* #1065729
* #1152472
* #1187236
* #1201284
* #1202845
* #1206453
* #1208995
* #1210169
* #1210643
* #1210658
* #1212639
* #1212703
* #1213123
* #1213534
* #1213808
* #1214022
* #1214037
* #1214040
* #1214233
* #1214351
* #1214479
* #1214543
* #1214635
* #1214813
* #1214873
* #1214928
* #1214940
* #1214941
* #1214942
* #1214943
* #1214944
* #1214945
* #1214946
* #1214947
* #1214948
* #1214949
* #1214950
* #1214951
* #1214952
* #1214953
* #1214954
* #1214955
* #1214957
* #1214958
* #1214959
* #1214961
* #1214962
* #1214963
* #1214964
* #1214965
* #1214966
* #1214967
* #1214986
* #1214988
* #1214990
* #1214991
* #1214992
* #1214993
* #1214995
* #1214997
* #1214998
* #1215115
* #1215117
* #1215123
* #1215124
* #1215148
* #1215150
* #1215221
* #1215275
* #1215322
* #1215467
* #1215523
* #1215581
* #1215752
* #1215858
* #1215860
* #1215861
* #1215875
* #1215877
* #1215894
* #1215895
* #1215896
* #1215899
* #1215911
* #1215915
* #1215916
* #1215941
* #1215956
* #1215957
* PED-1549
* PED-2023
* PED-2025
Cross-References:
* CVE-2023-1192
* CVE-2023-1206
* CVE-2023-1859
* CVE-2023-2177
* CVE-2023-37453
* CVE-2023-39192
* CVE-2023-39193
* CVE-2023-39194
* CVE-2023-40283
* CVE-2023-4155
* CVE-2023-42753
* CVE-2023-42754
* CVE-2023-4389
* CVE-2023-4622
* CVE-2023-4623
* CVE-2023-4881
* CVE-2023-4921
* CVE-2023-5345
CVSS scores:
* CVE-2023-1192 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
* CVE-2023-1206 ( SUSE ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2023-1206 ( NVD ): 5.7 CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
* CVE-2023-1859 ( SUSE ): 1.9 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:L
* CVE-2023-1859 ( NVD ): 4.7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
* CVE-2023-2177 ( SUSE ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
* CVE-2023-2177 ( NVD ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
* CVE-2023-37453 ( SUSE ): 4.6 CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2023-37453 ( NVD ): 4.6 CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2023-39192 ( SUSE ): 6.0 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:H
* CVE-2023-39192 ( NVD ): 6.7 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L
* CVE-2023-39193 ( SUSE ): 5.1 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:L
* CVE-2023-39193 ( NVD ): 5.1 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:L
* CVE-2023-39194 ( SUSE ): 3.2 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N
* CVE-2023-39194 ( NVD ): 3.2 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N
* CVE-2023-40283 ( SUSE ): 5.7 CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
* CVE-2023-40283 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
* CVE-2023-4155 ( SUSE ): 6.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
* CVE-2023-4155 ( NVD ): 5.3 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:N/I:N/A:H
* CVE-2023-42753 ( NVD ): 7.0 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
* CVE-2023-42754 ( SUSE ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
* CVE-2023-42754 ( NVD ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
* CVE-2023-4389 ( SUSE ): 5.8 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H
* CVE-2023-4389 ( NVD ): 7.0 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
* CVE-2023-4622 ( SUSE ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
* CVE-2023-4622 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
* CVE-2023-4623 ( SUSE ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
* CVE-2023-4623 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
* CVE-2023-4881 ( SUSE ): 6.1 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L
* CVE-2023-4881 ( NVD ): 6.1 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H
* CVE-2023-4921 ( SUSE ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
* CVE-2023-4921 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
* CVE-2023-5345 ( SUSE ): 7.0 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
* CVE-2023-5345 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Affected Products:
* openSUSE Leap 15.5
* Public Cloud Module 15-SP5
* SUSE Linux Enterprise High Performance Computing 15 SP5
* SUSE Linux Enterprise Server 15 SP5
* SUSE Linux Enterprise Server for SAP Applications 15 SP5
An update that solves 18 vulnerabilities, contains three features and has 71
security fixes can now be installed.
## Description:
The SUSE Linux Enterprise 15 SP5 Azure kernel was updated to receive various
security bugfixes.
The following security bugs were fixed:
* CVE-2023-39192: Fixed an out of bounds read in netfilter (bsc#1215858).
* CVE-2023-39193: Fixed an out of bounds read in the xtables subsystem
(bsc#1215860).
* CVE-2023-39194: Fixed an out of bounds read in the XFRM subsystem
(bsc#1215861).
* CVE-2023-42754: Fixed a NULL pointer dereference in the IPv4 stack that
could lead to denial of service (bsc#1215467).
* CVE-2023-4389: Fixed a reference counting issue in the Btrfs filesystem that
could be exploited in order to leak internal kernel information or crash the
system (bsc#1214351).
* CVE-2023-5345: Fixed a use-after-free vulnerability in the fs/smb/client
component which could be exploited to achieve local privilege escalation
(bsc#1215899).
* CVE-2023-42753: Fixed an array indexing vulnerability in the netfilter
subsystem. This issue may have allowed a local user to crash the system or
potentially escalate their privileges (bsc#1215150).
* CVE-2023-1206: Fixed a hash collision flaw in the IPv6 connection lookup
table which could be exploited by network adjacent attackers, increasing CPU
usage by 95% (bsc#1212703).
* CVE-2023-4921: Fixed a use-after-free vulnerability in the QFQ network
scheduler which could be exploited to achieve local privilege escalation
(bsc#1215275).
* CVE-2023-37453: Fixed oversight in SuperSpeed initialization (bsc#1213123).
* CVE-2023-4622: Fixed a use-after-free vulnerability in the Unix domain
sockets component which could be exploited to achieve local privilege
escalation (bsc#1215117).
* CVE-2023-4623: Fixed a use-after-free issue in the HFSC network scheduler
which could be exploited to achieve local privilege escalation
(bsc#1215115).
* CVE-2023-4155: Fixed a flaw in KVM AMD Secure Encrypted Virtualization
(SEV). An attacker can trigger a stack overflow and cause a denial of
service or potentially guest-to-host escape in kernel configurations without
stack guard pages (bsc#1214022).
* CVE-2023-1859: Fixed a use-after-free flaw in Xen transport for 9pfs which
could be exploited to crash the system (bsc#1210169).
* CVE-2023-4881: Fixed an out-of-bounds write flaw in the netfilter subsystem
that could lead to potential information disclosure or a denial of service
(bsc#1215221).
* CVE-2023-2177: Fixed a null pointer dereference issue in the sctp network
protocol which could allow a user to crash the system (bsc#1210643).
* CVE-2023-40283: Fixed use-after-free in l2cap_sock_ready_cb (bsc#1214233).
* CVE-2023-1192: Fixed use-after-free in cifs_demultiplex_thread()
(bsc#1208995).
The following non-security bugs were fixed:
* ALSA: hda/cirrus: Fix broken audio on hardware with two CS42L42 codecs (git-
fixes).
* ALSA: hda/realtek: Splitting the UX3402 into two separate models (git-
fixes).
* ARM: pxa: remove use of symbol_get() (git-fixes).
* ASoC: SOF: core: Only call sof_ops_free() on remove if the probe was
successful (git-fixes).
* ASoC: amd: yc: Fix non-functional mic on Lenovo 82QF and 82UG (git-fixes).
* ASoC: hdaudio.c: Add missing check for devm_kstrdup (git-fixes).
* ASoC: imx-audmix: Fix return error with devm_clk_get() (git-fixes).
* ASoC: meson: spdifin: start hw on dai probe (git-fixes).
* ASoC: rt5640: Fix IRQ not being free-ed for HDA jack detect mode (git-
fixes).
* ASoC: rt5640: Fix sleep in atomic context (git-fixes).
* ASoC: rt5640: Revert "Fix sleep in atomic context" (git-fixes).
* ASoC: soc-utils: Export snd_soc_dai_is_dummy() symbol (git-fixes).
* ASoC: tegra: Fix redundant PLLA and PLLA_OUT0 updates (git-fixes).
* Bluetooth: btsdio: fix use after free bug in btsdio_remove due to race
condition (git-fixes).
* Drivers: hv: vmbus: Bring the post_msg_page back for TDX VMs with the
paravisor (bsc#1206453).
* Drivers: hv: vmbus: Support >64 VPs for a fully enlightened TDX/SNP VM
(bsc#1206453).
* Drivers: hv: vmbus: Support fully enlightened TDX guests (bsc#1206453).
* Drop amdgpu patch causing spamming (bsc#1215523).
* Input: tca6416-keypad - fix interrupt enable disbalance (git-fixes).
* KVM: SVM: Remove a duplicate definition of VMCB_AVIC_APIC_BAR_MASK (git-
fixes).
* KVM: VMX: Fix header file dependency of asm/vmx.h (git-fixes).
* KVM: s390/diag: fix racy access of physical cpu number in diag 9c handler
(git-fixes bsc#1215911).
* KVM: s390: fix KVM_S390_GET_CMMA_BITS for GFNs in memslot holes (git-fixes
bsc#1215915).
* KVM: s390: interrupt: use READ_ONCE() before cmpxchg() (git-fixes
bsc#1215896).
* KVM: s390: pv: fix external interruption loop not always detected (git-fixes
bsc#1215916).
* KVM: s390: vsie: Fix the initialization of the epoch extension (epdx) field
(git-fixes bsc#1215894).
* KVM: s390: vsie: fix the length of APCB bitmap (git-fixes bsc#1215895).
* KVM: x86/mmu: Include mmu.h in spte.h (git-fixes).
* KVM: x86: Fix KVM_CAP_SYNC_REGS's sync_regs() TOCTOU issues (git-fixes).
* NFS/pNFS: Report EINVAL errors from connect() to the server (git-fixes).
* NFS: Guard against READDIR loop when entry names exceed MAXNAMELEN (git-
fixes).
* NFSD: da_addr_body field missing in some GETDEVICEINFO replies (git-fixes).
* NFSv4.2: fix error handling in nfs42_proc_getxattr (git-fixes).
* NFSv4.2: fix handling of COPY ERR_OFFLOAD_NO_REQ (git-fixes).
* NFSv4/pnfs: minor fix for cleanup path in nfs4_get_device_info (git-fixes).
* NFSv4: Fix dropped lock for racing OPEN and delegation return (git-fixes).
* NFSv4: fix out path in __nfs4_get_acl_uncached (git-fixes).
* PCI: Free released resource after coalescing (git-fixes).
* RDMA/siw: Fabricate a GID on tun and loopback devices (git-fixes)
* Revert "PCI: Mark NVIDIA T4 GPUs to avoid bus reset" (git-fixes).
* Revert "scsi: qla2xxx: Fix buffer overrun" (bsc#1214928).
* SUNRPC: Mark the cred for revalidation if the server rejects it (git-fixes).
* USB: serial: option: add FOXCONN T99W368/T99W373 product (git-fixes).
* USB: serial: option: add Quectel EM05G variant (0x030e) (git-fixes).
* arm64/fpsimd: Only provide the length to cpufeature for xCR registers (git-
fixes)
* arm64/hyperv: Use CPUHP_AP_HYPERV_ONLINE state to fix CPU online sequencing
(bsc#1206453).
* arm64: csum: Fix OoB access in IP checksum code for negative lengths (git-
fixes).
* arm64: module-plts: inline linux/moduleloader.h (git-fixes)
* arm64: module: Use module_init_layout_section() to spot init sections (git-
fixes)
* arm64: sdei: abort running SDEI handlers during crash (git-fixes)
* arm64: tegra: Update AHUB clock parent and rate (git-fixes)
* ata: libata: disallow dev-initiated LPM transitions to unsupported states
(git-fixes).
* ata: pata_falcon: fix IO base selection for Q40 (git-fixes).
* ata: pata_ftide010: Add missing MODULE_DESCRIPTION (git-fixes).
* ata: sata_gemini: Add missing MODULE_DESCRIPTION (git-fixes).
* backlight: gpio_backlight: Drop output GPIO direction check for initial
power state (git-fixes).
* blacklist.conf: workqueue: compiler warning on 32-bit systems with Clang
(bsc#1215877)
* blk-iocost: fix divide by 0 error in calc_lcoefs() (bsc#1214986).
* blk-iocost: use spin_lock_irqsave in adjust_inuse_and_calc_cost
(bsc#1214992).
* block/mq-deadline: use correct way to throttling write requests
(bsc#1214993).
* bnx2x: new flag for track HW resource allocation (bsc#1202845 bsc#1215322).
* bpf: Clear the probe_addr for uprobe (git-fixes).
* btrfs: do not hold CPU for too long when defragging a file (bsc#1214988).
* clocksource: hyper-v: Mark hyperv tsc page unencrypted in sev-snp
enlightened guest (bsc#1206453).
* drivers: hv: Mark percpu hvcall input arg page unencrypted in SEV-SNP
enlightened guest (bsc#1206453).
* drm/amd/display: Add smu write msg id fail retry process (git-fixes).
* drm/amd/display: Remove wait while locked (git-fixes).
* drm/amd/display: enable cursor degamma for DCN3+ DRM legacy gamma (git-
fixes).
* drm/amd/display: fix the white screen issue when >= 64GB DRAM (git-fixes).
* drm/amd/display: prevent potential division by zero errors (git-fixes).
* drm/amd/display: register edp_backlight_control() for DCN301 (git-fixes).
* drm/ast: Add BMC virtual connector (bsc#1152472) Backporting changes: *
rename ast_device to ast_private
* drm/ast: report connection status on Display Port. (bsc#1152472) Backporting
changes: * rename ast_device to ast_private * context changes
* drm/display: Do not assume dual mode adaptors support i2c sub-addressing
(bsc#1213808).
* drm/i915/gvt: Drop unused helper intel_vgpu_reset_gtt() (git-fixes).
* drm/i915/gvt: Put the page reference obtained by KVM's gfn_to_pfn() (git-
fixes).
* drm/i915/gvt: Verify pfn is "valid" before dereferencing "struct page" (git-
fixes).
* drm/i915: mark requests for GuC virtual engines to avoid use-after-free
(git-fixes).
* drm/meson: fix memory leak on ->hpd_notify callback (git-fixes).
* drm/virtio: Correct drm_gem_shmem_get_sg_table() error handling (git-fixes).
* drm/virtio: Use appropriate atomic state in virtio_gpu_plane_cleanup_fb()
(git-fixes).
* drm: gm12u320: Fix the timeout usage for usb_bulk_msg() (git-fixes).
* ext4: Remove ext4 locking of moved directory (bsc#1214957).
* ext4: avoid potential data overflow in next_linear_group (bsc#1214951).
* ext4: correct inline offset when handling xattrs in inode body
(bsc#1214950).
* ext4: fix memory leaks in ext4_fname_{setup_filename,prepare_lookup}
(bsc#1214954).
* ext4: fix wrong unit use in ext4_mb_clear_bb (bsc#1214943).
* ext4: fix wrong unit use in ext4_mb_new_blocks (bsc#1214944).
* ext4: get block from bh in ext4_free_blocks for fast commit replay
(bsc#1214942).
* ext4: reflect error codes from ext4_multi_mount_protect() to its callers
(bsc#1214941).
* ext4: set goal start correctly in ext4_mb_normalize_request (bsc#1214940).
* fs: Establish locking order for unrelated directories (bsc#1214958).
* fs: Lock moved directories (bsc#1214959).
* fs: do not update freeing inode i_io_list (bsc#1214813).
* fs: lockd: avoid possible wrong NULL parameter (git-fixes).
* fs: no need to check source (bsc#1215752).
* fs: record I_DIRTY_TIME even if inode already has I_DIRTY_INODE
(bsc#1214813).
* fuse: nlookup missing decrement in fuse_direntplus_link (bsc#1215581).
* gve: Add AF_XDP zero-copy support for GQI-QPL format (bsc#1214479).
* gve: Add XDP DROP and TX support for GQI-QPL format (bsc#1214479).
* gve: Add XDP REDIRECT support for GQI-QPL format (bsc#1214479).
* gve: Changes to add new TX queues (bsc#1214479).
* gve: Control path for DQO-QPL (bsc#1214479).
* gve: Fix gve interrupt names (bsc#1214479).
* gve: RX path for DQO-QPL (bsc#1214479).
* gve: Tx path for DQO-QPL (bsc#1214479).
* gve: Unify duplicate GQ min pkt desc size constants (bsc#1214479).
* gve: XDP support GQI-QPL: helper function changes (bsc#1214479).
* gve: fix frag_list chaining (bsc#1214479).
* gve: trivial spell fix Recive to Receive (bsc#1214479).
* gve: use vmalloc_array and vcalloc (bsc#1214479).
* hwrng: virtio - Fix race on data_avail and actual data (git-fixes).
* hwrng: virtio - add an internal buffer (git-fixes).
* hwrng: virtio - always add a pending request (git-fixes).
* hwrng: virtio - do not wait on cleanup (git-fixes).
* hwrng: virtio - do not waste entropy (git-fixes).
* i2c: aspeed: Reset the i2c controller when timeout occurs (git-fixes).
* i3c: master: svc: fix probe failure when no i3c device exist (git-fixes).
* i915/pmu: Move execlist stats initialization to execlist specific setup
(git-fixes).
* idr: fix param name in idr_alloc_cyclic() doc (git-fixes).
* iommu/virtio: Detach domain on endpoint release (git-fixes).
* iommu/virtio: Return size mapped for a detached domain (git-fixes).
* jbd2: Fix wrongly judgement for buffer head removing while doing checkpoint
(bsc#1214948).
* jbd2: check 'jh->b_transaction' before removing it from checkpoint
(bsc#1214953).
* jbd2: correct the end of the journal recovery scan range (bsc#1214955).
* jbd2: fix a race when checking checkpoint buffer busy (bsc#1214949).
* jbd2: fix checkpoint cleanup performance regression (bsc#1214952).
* jbd2: recheck chechpointing non-dirty buffer (bsc#1214945).
* jbd2: remove journal_clean_one_cp_list() (bsc#1214947).
* jbd2: remove t_checkpoint_io_list (bsc#1214946).
* jbd2: restore t_checkpoint_io_list to maintain kABI (bsc#1214946).
* kabi/severities: ignore mlx4 internal symbols
* s390/ipl: add support for List-Directed dump from ECKD DASD (jsc#PED-2023,
jsc#PED-2025).
* kconfig: fix possible buffer overflow (git-fixes).
* kernel-binary: Move build-time definitions together. Move source list and
build architecture to buildrequires to aid in future reorganization of the
spec template.
* kernel-binary: python3 is needed for build. At least
scripts/bpf_helpers_doc.py requires python3 since Linux 4.18. Other similar
scripts may exist.
* kselftest/runner.sh: Propagate SIGTERM to runner child (git-fixes).
* loop: Fix use-after-free issues (bsc#1214991).
* loop: loop_set_status_from_info() check before assignment (bsc#1214990).
* mlx4: Avoid resetting MLX4_INTFF_BONDING per driver (bsc#1187236).
* mlx4: Connect the ethernet part to the auxiliary bus (bsc#1187236).
* mlx4: Connect the infiniband part to the auxiliary bus (bsc#1187236).
* mlx4: Delete custom device management logic (bsc#1187236).
* mlx4: Get rid of the mlx4_interface.activate callback (bsc#1187236).
* mlx4: Get rid of the mlx4_interface.get_dev callback (bsc#1187236).
* mlx4: Move the bond work to the core driver (bsc#1187236).
* mlx4: Register mlx4 devices to an auxiliary virtual bus (bsc#1187236).
* mlx4: Rename member mlx4_en_dev.nb to netdev_nb (bsc#1187236).
* mlx4: Replace the mlx4_interface.event callback with a notifier
(bsc#1187236).
* mlx4: Use 'void *' as the event param of mlx4_dispatch_event()
(bsc#1187236).
* module: Expose module_init_layout_section() (git-fixes)
* net/mlx4: Remove many unnecessary NULL values (bsc#1187236).
* net: do not allow gso_size to be set to GSO_BY_FRAGS (git-fixes).
* net: mana: Add page pool for RX buffers (bsc#1214040).
* net: mana: Configure hwc timeout from hardware (bsc#1214037).
* net: phy: micrel: Correct bit assignments for phy_device flags (git-fixes).
* net: usb: qmi_wwan: add Quectel EM05GV2 (git-fixes).
* nfs/blocklayout: Use the passed in gfp flags (git-fixes).
* nfsd: Fix race to FREE_STATEID and cl_revoked (git-fixes).
* nfsd: fix change_info in NFSv4 RENAME replies (git-fixes).
* ntb: Clean up tx tail index on link down (git-fixes).
* ntb: Drop packets when qp link is down (git-fixes).
* ntb: Fix calculation ntb_transport_tx_free_entry() (git-fixes).
* nvme-auth: use chap->s2 to indicate bidirectional authentication
(bsc#1214543).
* nvme-tcp: Do not terminate commands when in RESETTING (bsc#1201284).
* nvme-tcp: add recovery_delay to sysfs (bsc#1201284).
* nvme-tcp: delay error recovery until the next KATO interval (bsc#1201284).
* nvme-tcp: make 'err_work' a delayed work (bsc#1201284).
* pNFS: Fix assignment of xprtdata.cred (git-fixes).
* platform/mellanox: mlxbf-pmc: Fix potential buffer overflows (git-fixes).
* platform/mellanox: mlxbf-pmc: Fix reading of unprogrammed events
(git-fixes).
* platform/mellanox: mlxbf-tmfifo: Drop jumbo frames (git-fixes).
* platform/mellanox: mlxbf-tmfifo: Drop the Rx packet if no more descriptors
(git-fixes).
* platform/x86: intel_scu_ipc: Check status after timeout in busy_loop()
(git-fixes).
* platform/x86: intel_scu_ipc: Check status upon timeout in
ipc_wait_for_interrupt() (git-fixes).
* platform/x86: intel_scu_ipc: Do not override scu in
intel_scu_ipc_dev_simple_command() (git-fixes).
* platform/x86: intel_scu_ipc: Fail IPC send if still busy (git-fixes).
* powerpc/fadump: make is_kdump_kernel() return false when fadump is active
(bsc#1212639 ltc#202582).
* powerpc/iommu: Fix notifiers being shared by PCI and VIO buses
(bsc#1065729).
* powerpc/xics: Remove unnecessary endian conversion (bsc#1065729).
* printk: ringbuffer: Fix truncating buffer size min_t cast (bsc#1215875).
* pwm: lpc32xx: Remove handling of PWM channels (git-fixes).
* quota: Properly disable quotas when add_dquot_ref() fails (bsc#1214961).
* quota: add new helper dquot_active() (bsc#1214998).
* quota: factor out dquot_write_dquot() (bsc#1214995).
* quota: fix dqput() to follow the guarantees dquot_srcu should provide
(bsc#1214963).
* quota: fix warning in dqgrab() (bsc#1214962).
* quota: rename dquot_active() to inode_quota_active() (bsc#1214997).
* s390/dasd: fix hanging device after request requeue (git-fixes bsc#1215124).
* s390/qeth: Do not call dev_close/dev_open (DOWN/UP) (bsc#1214873 git-fixes).
* s390/zcrypt: do not leak memory if dev_set_name() fails (git-fixes
bsc#1215148).
* s390: add z16 elf platform (git-fixes bsc#1215956, bsc#1215957).
* scsi: 3w-xxxx: Add error handling for initialization failure in tw_probe()
(git-fixes).
* scsi: 53c700: Check that command slot is not NULL (git-fixes).
* scsi: core: Fix legacy /proc parsing buffer overflow (git-fixes).
* scsi: core: Fix possible memory leak if device_add() fails (git-fixes).
* scsi: fnic: Replace return codes in fnic_clean_pending_aborts() (git-fixes).
* scsi: lpfc: Do not abuse UUID APIs and LPFC_COMPRESS_VMID_SIZE (git-fixes).
* scsi: lpfc: Early return after marking final NLP_DROPPED flag in
dev_loss_tmo (git-fixes).
* scsi: lpfc: Fix the NULL vs IS_ERR() bug for debugfs_create_file()
(git-fixes).
* scsi: lpfc: Modify when a node should be put in device recovery mode during
RSCN (git-fixes).
* scsi: lpfc: Prevent use-after-free during rmmod with mapped NVMe rports
(git-fixes).
* scsi: lpfc: Remove reftag check in DIF paths (git-fixes).
* scsi: qedf: Add synchronization between I/O completions and abort
(bsc#1210658).
* scsi: qedf: Fix NULL dereference in error handling (git-fixes).
* scsi: qedf: Fix firmware halt over suspend and resume (git-fixes).
* scsi: qedi: Fix firmware halt over suspend and resume (git-fixes).
* scsi: qla2xxx: Add logs for SFP temperature monitoring (bsc#1214928).
* scsi: qla2xxx: Allow 32-byte CDBs (bsc#1214928).
* scsi: qla2xxx: Error code did not return to upper layer (bsc#1214928).
* scsi: qla2xxx: Fix NULL vs IS_ERR() bug for debugfs_create_dir()
(git-fixes).
* scsi: qla2xxx: Fix firmware resource tracking (bsc#1214928).
* scsi: qla2xxx: Fix smatch warn for qla_init_iocb_limit() (bsc#1214928).
* scsi: qla2xxx: Flush mailbox commands on chip reset (bsc#1214928).
* scsi: qla2xxx: Move resource to allow code reuse (bsc#1214928).
* scsi: qla2xxx: Remove unsupported ql2xenabledif option (bsc#1214928).
* scsi: qla2xxx: Remove unused declarations (bsc#1214928).
* scsi: qla2xxx: Remove unused variables in qla24xx_build_scsi_type_6_iocbs()
(bsc#1214928).
* scsi: qla2xxx: Update version to 10.02.09.100-k (bsc#1214928).
* scsi: qla2xxx: Use raw_smp_processor_id() instead of smp_processor_id()
(git-fixes).
* scsi: scsi_debug: Remove dead code (git-fixes).
* scsi: snic: Fix double free in snic_tgt_create() (git-fixes).
* scsi: snic: Fix possible memory leak if device_add() fails (git-fixes).
* scsi: storvsc: Handle additional SRB status values (git-fixes).
* scsi: zfcp: Fix a double put in zfcp_port_enqueue() (git-fixes bsc#1215941).
* selftests: mlxsw: Fix test failure on Spectrum-4 (jsc#PED-1549).
* selftests: tracing: Fix to unmount tracefs for recovering environment
(git-fixes).
* spi: Add TPM HW flow flag (bsc#1213534)
* spi: tegra210-quad: Enable TPM wait polling (bsc#1213534)
* spi: tegra210-quad: set half duplex flag (bsc#1213534)
* tcpm: Avoid soft reset when partner does not support get_status (git-fixes).
* tpm_tis_spi: Add hardware wait polling (bsc#1213534)
* tracing: Fix race issue between cpu buffer write and swap (git-fixes).
* tracing: Remove extra space at the end of hwlat_detector/mode (git-fixes).
* tracing: Remove unnecessary copying of tr->current_trace (git-fixes).
* uapi: stddef.h: Fix __DECLARE_FLEX_ARRAY for C++ (git-fixes).
* udf: Fix extension of the last extent in the file (bsc#1214964).
* udf: Fix file corruption when appending just after end of preallocated
extent (bsc#1214965).
* udf: Fix off-by-one error when discarding preallocation (bsc#1214966).
* udf: Fix uninitialized array access for some pathnames (bsc#1214967).
* uprobes/x86: Allow to probe a NOP instruction with 0x66 prefix (git-fixes).
* usb: ehci: add workaround for chipidea PORTSC.PEC bug (git-fixes).
* usb: ehci: move new member has_ci_pec_bug into hole (git-fixes).
* usb: typec: tcpci: clear the fault status bit (git-fixes).
* usb: typec: tcpci: move tcpci.h to include/linux/usb/ (git-fixes).
* vhost-scsi: unbreak any layout for response (git-fixes).
* vhost: allow batching hint without size (git-fixes).
* vhost: fix hung thread due to erroneous iotlb entries (git-fixes).
* vhost: handle error while adding split ranges to iotlb (git-fixes).
* vhost_vdpa: fix the crash in unmap a large memory (git-fixes).
* virtio-blk: set req->state to MQ_RQ_COMPLETE after polling I/O is finished
(git-fixes).
* virtio-mmio: do not break lifecycle of vm_dev (git-fixes).
* virtio-net: fix race between set queues and probe (git-fixes).
* virtio-net: set queues after driver_ok (git-fixes).
* virtio-rng: make device ready before making request (git-fixes).
* virtio: acknowledge all features before access (git-fixes).
* virtio_net: Fix probe failed when modprobe virtio_net (git-fixes).
* virtio_net: add checking sq is full inside xdp xmit (git-fixes).
* virtio_net: reorder some funcs (git-fixes).
* virtio_net: separate the logic of checking whether sq is full (git-fixes).
* virtio_ring: fix avail_wrap_counter in virtqueue_add_packed (git-fixes).
* vmcore: remove dependency with is_kdump_kernel() for exporting vmcore
(bsc#1212639 ltc#202582).
* watchdog: intel-mid_wdt: add MODULE_ALIAS() to allow auto-load (git-fixes).
* word-at-a-time: use the same return type for has_zero regardless of
endianness (bsc#1065729).
* x86/PVH: avoid 32-bit build warning when obtaining VGA console info
(git-fixes).
* x86/alternative: Fix race in try_get_desc() (git-fixes).
* x86/boot/e820: Fix typo in e820.c comment (git-fixes).
* x86/bugs: Reset speculation control settings on init (git-fixes).
* x86/coco: Allow CPU online/offline for a TDX VM with the paravisor on
Hyper-V (bsc#1206453).
* x86/coco: Export cc_vendor (bsc#1206453).
* x86/cpu: Add Lunar Lake M (git-fixes).
* x86/cpu: Add model number for Intel Arrow Lake processor (git-fixes).
* x86/fpu: Take task_struct* in copy_sigframe_from_user_to_xstate()
(git-fixes).
* x86/head/64: Switch to KERNEL_CS as soon as new GDT is installed
(git-fixes).
* x86/hyperv: Add VTL specific structs and hypercalls (bsc#1206453).
* x86/hyperv: Add hv_isolation_type_tdx() to detect TDX guests (bsc#1206453).
* x86/hyperv: Add hv_write_efer() for a TDX VM with the paravisor
(bsc#1206453).
* x86/hyperv: Add hyperv-specific handling for VMMCALL under SEV-ES
(bsc#1206453).
* x86/hyperv: Add missing 'inline' to hv_snp_boot_ap() stub (bsc#1206453).
* x86/hyperv: Add sev-snp enlightened guest static key (bsc#1206453)
* x86/hyperv: Add smp support for SEV-SNP guest (bsc#1206453).
* x86/hyperv: Fix hyperv_pcpu_input_arg handling when CPUs go online/offline
(bsc#1206453).
* x86/hyperv: Fix serial console interrupts for fully enlightened TDX guests
(bsc#1206453).
* x86/hyperv: Fix undefined reference to isolation_type_en_snp without
CONFIG_HYPERV (bsc#1206453).
* x86/hyperv: Introduce a global variable hyperv_paravisor_present
(bsc#1206453).
* x86/hyperv: Mark Hyper-V vp assist page unencrypted in SEV-SNP enlightened
guest (bsc#1206453).
* x86/hyperv: Mark hv_ghcb_terminate() as noreturn (bsc#1206453).
* x86/hyperv: Move the code in ivm.c around to avoid unnecessary ifdef's
(bsc#1206453).
* x86/hyperv: Remove hv_isolation_type_en_snp (bsc#1206453).
* x86/hyperv: Set Virtual Trust Level in VMBus init message (bsc#1206453).
* x86/hyperv: Support hypercalls for fully enlightened TDX guests
(bsc#1206453).
* x86/hyperv: Use TDX GHCI to access some MSRs in a TDX VM with the paravisor
(bsc#1206453).
* x86/hyperv: Use vmmcall to implement Hyper-V hypercall in sev-snp
enlightened guest (bsc#1206453).
* x86/i8259: Mark legacy PIC interrupts with IRQ_LEVEL (git-fixes).
* x86/ioapic: Do not return 0 from arch_dynirq_lower_bound() (git-fixes).
* x86/ioremap: Fix page aligned size calculation in __ioremap_caller()
(git-fixes).
* x86/mce: Retrieve poison range from hardware (git-fixes).
* x86/mem_encrypt: Unbreak the AMD_MEM_ENCRYPT=n build (git-fixes).
* x86/mm: Avoid incomplete Global INVLPG flushes (git-fixes).
* x86/mm: Do not shuffle CPU entry areas without KASLR (git-fixes).
* x86/purgatory: remove PGO flags (git-fixes).
* x86/reboot: Disable virtualization in an emergency if SVM is supported
(git-fixes).
* x86/resctl: fix scheduler confusion with 'current' (git-fixes).
* x86/resctrl: Fix task CLOSID/RMID update race (git-fixes).
* x86/resctrl: Fix to restore to original value when re-enabling hardware
prefetch register (git-fixes).
* x86/rtc: Remove __init for runtime functions (git-fixes).
* x86/sev: Make enc_dec_hypercall() accept a size instead of npages
(bsc#1214635).
* x86/sgx: Reduce delay and interference of enclave release (git-fixes).
* x86/srso: Do not probe microcode in a guest (git-fixes).
* x86/srso: Fix SBPB enablement for spec_rstack_overflow=off (git-fixes).
* x86/srso: Fix srso_show_state() side effect (git-fixes).
* x86/srso: Set CPUID feature bits independently of bug or mitigation status
(git-fixes).
* x86/virt: Force GIF=1 prior to disabling SVM (for reboot flows) (git-fixes).
* xen: remove a confusing comment on auto-translated guest I/O (git-fixes).
* xprtrdma: Remap Receive buffers after a reconnect (git-fixes).
## Special Instructions and Notes:
* Please reboot the system after installing this update.
## Patch Instructions:
To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
* openSUSE Leap 15.5
  zypper in -t patch openSUSE-SLE-15.5-2023-4058=1 SUSE-2023-4058=1
* Public Cloud Module 15-SP5
  zypper in -t patch SUSE-SLE-Module-Public-Cloud-15-SP5-2023-4058=1
## Package List:
* openSUSE Leap 15.5 (aarch64 x86_64)
* kselftests-kmp-azure-debuginfo-5.14.21-150500.33.20.1
* kernel-azure-debugsource-5.14.21-150500.33.20.1
* dlm-kmp-azure-5.14.21-150500.33.20.1
* reiserfs-kmp-azure-5.14.21-150500.33.20.1
* kernel-azure-devel-5.14.21-150500.33.20.1
* ocfs2-kmp-azure-debuginfo-5.14.21-150500.33.20.1
* kernel-azure-extra-debuginfo-5.14.21-150500.33.20.1
* ocfs2-kmp-azure-5.14.21-150500.33.20.1
* kernel-azure-devel-debuginfo-5.14.21-150500.33.20.1
* cluster-md-kmp-azure-debuginfo-5.14.21-150500.33.20.1
* kernel-azure-livepatch-devel-5.14.21-150500.33.20.1
* kselftests-kmp-azure-5.14.21-150500.33.20.1
* gfs2-kmp-azure-5.14.21-150500.33.20.1
* reiserfs-kmp-azure-debuginfo-5.14.21-150500.33.20.1
* gfs2-kmp-azure-debuginfo-5.14.21-150500.33.20.1
* cluster-md-kmp-azure-5.14.21-150500.33.20.1
* kernel-azure-optional-debuginfo-5.14.21-150500.33.20.1
* kernel-azure-optional-5.14.21-150500.33.20.1
* kernel-syms-azure-5.14.21-150500.33.20.1
* dlm-kmp-azure-debuginfo-5.14.21-150500.33.20.1
* kernel-azure-extra-5.14.21-150500.33.20.1
* kernel-azure-debuginfo-5.14.21-150500.33.20.1
* openSUSE Leap 15.5 (aarch64 nosrc x86_64)
* kernel-azure-5.14.21-150500.33.20.1
* openSUSE Leap 15.5 (x86_64)
* kernel-azure-vdso-debuginfo-5.14.21-150500.33.20.1
* kernel-azure-vdso-5.14.21-150500.33.20.1
* openSUSE Leap 15.5 (noarch)
* kernel-source-azure-5.14.21-150500.33.20.1
* kernel-devel-azure-5.14.21-150500.33.20.1
* Public Cloud Module 15-SP5 (aarch64 nosrc x86_64)
* kernel-azure-5.14.21-150500.33.20.1
* Public Cloud Module 15-SP5 (aarch64 x86_64)
* kernel-azure-debugsource-5.14.21-150500.33.20.1
* kernel-azure-devel-debuginfo-5.14.21-150500.33.20.1
* kernel-azure-devel-5.14.21-150500.33.20.1
* kernel-syms-azure-5.14.21-150500.33.20.1
* kernel-azure-debuginfo-5.14.21-150500.33.20.1
* Public Cloud Module 15-SP5 (noarch)
* kernel-source-azure-5.14.21-150500.33.20.1
* kernel-devel-azure-5.14.21-150500.33.20.1
## References:
* https://www.suse.com/security/cve/CVE-2023-1192.html
* https://www.suse.com/security/cve/CVE-2023-1206.html
* https://www.suse.com/security/cve/CVE-2023-1859.html
* https://www.suse.com/security/cve/CVE-2023-2177.html
* https://www.suse.com/security/cve/CVE-2023-37453.html
* https://www.suse.com/security/cve/CVE-2023-39192.html
* https://www.suse.com/security/cve/CVE-2023-39193.html
* https://www.suse.com/security/cve/CVE-2023-39194.html
* https://www.suse.com/security/cve/CVE-2023-40283.html
* https://www.suse.com/security/cve/CVE-2023-4155.html
* https://www.suse.com/security/cve/CVE-2023-42753.html
* https://www.suse.com/security/cve/CVE-2023-42754.html
* https://www.suse.com/security/cve/CVE-2023-4389.html
* https://www.suse.com/security/cve/CVE-2023-4622.html
* https://www.suse.com/security/cve/CVE-2023-4623.html
* https://www.suse.com/security/cve/CVE-2023-4881.html
* https://www.suse.com/security/cve/CVE-2023-4921.html
* https://www.suse.com/security/cve/CVE-2023-5345.html
* https://bugzilla.suse.com/show_bug.cgi?id=1065729
* https://bugzilla.suse.com/show_bug.cgi?id=1152472
* https://bugzilla.suse.com/show_bug.cgi?id=1187236
* https://bugzilla.suse.com/show_bug.cgi?id=1201284
* https://bugzilla.suse.com/show_bug.cgi?id=1202845
* https://bugzilla.suse.com/show_bug.cgi?id=1206453
* https://bugzilla.suse.com/show_bug.cgi?id=1208995
* https://bugzilla.suse.com/show_bug.cgi?id=1210169
* https://bugzilla.suse.com/show_bug.cgi?id=1210643
* https://bugzilla.suse.com/show_bug.cgi?id=1210658
* https://bugzilla.suse.com/show_bug.cgi?id=1212639
* https://bugzilla.suse.com/show_bug.cgi?id=1212703
* https://bugzilla.suse.com/show_bug.cgi?id=1213123
* https://bugzilla.suse.com/show_bug.cgi?id=1213534
* https://bugzilla.suse.com/show_bug.cgi?id=1213808
* https://bugzilla.suse.com/show_bug.cgi?id=1214022
* https://bugzilla.suse.com/show_bug.cgi?id=1214037
* https://bugzilla.suse.com/show_bug.cgi?id=1214040
* https://bugzilla.suse.com/show_bug.cgi?id=1214233
* https://bugzilla.suse.com/show_bug.cgi?id=1214351
* https://bugzilla.suse.com/show_bug.cgi?id=1214479
* https://bugzilla.suse.com/show_bug.cgi?id=1214543
* https://bugzilla.suse.com/show_bug.cgi?id=1214635
* https://bugzilla.suse.com/show_bug.cgi?id=1214813
* https://bugzilla.suse.com/show_bug.cgi?id=1214873
* https://bugzilla.suse.com/show_bug.cgi?id=1214928
* https://bugzilla.suse.com/show_bug.cgi?id=1214940
* https://bugzilla.suse.com/show_bug.cgi?id=1214941
* https://bugzilla.suse.com/show_bug.cgi?id=1214942
* https://bugzilla.suse.com/show_bug.cgi?id=1214943
* https://bugzilla.suse.com/show_bug.cgi?id=1214944
* https://bugzilla.suse.com/show_bug.cgi?id=1214945
* https://bugzilla.suse.com/show_bug.cgi?id=1214946
* https://bugzilla.suse.com/show_bug.cgi?id=1214947
* https://bugzilla.suse.com/show_bug.cgi?id=1214948
* https://bugzilla.suse.com/show_bug.cgi?id=1214949
* https://bugzilla.suse.com/show_bug.cgi?id=1214950
* https://bugzilla.suse.com/show_bug.cgi?id=1214951
* https://bugzilla.suse.com/show_bug.cgi?id=1214952
* https://bugzilla.suse.com/show_bug.cgi?id=1214953
* https://bugzilla.suse.com/show_bug.cgi?id=1214954
* https://bugzilla.suse.com/show_bug.cgi?id=1214955
* https://bugzilla.suse.com/show_bug.cgi?id=1214957
* https://bugzilla.suse.com/show_bug.cgi?id=1214958
* https://bugzilla.suse.com/show_bug.cgi?id=1214959
* https://bugzilla.suse.com/show_bug.cgi?id=1214961
* https://bugzilla.suse.com/show_bug.cgi?id=1214962
* https://bugzilla.suse.com/show_bug.cgi?id=1214963
* https://bugzilla.suse.com/show_bug.cgi?id=1214964
* https://bugzilla.suse.com/show_bug.cgi?id=1214965
* https://bugzilla.suse.com/show_bug.cgi?id=1214966
* https://bugzilla.suse.com/show_bug.cgi?id=1214967
* https://bugzilla.suse.com/show_bug.cgi?id=1214986
* https://bugzilla.suse.com/show_bug.cgi?id=1214988
* https://bugzilla.suse.com/show_bug.cgi?id=1214990
* https://bugzilla.suse.com/show_bug.cgi?id=1214991
* https://bugzilla.suse.com/show_bug.cgi?id=1214992
* https://bugzilla.suse.com/show_bug.cgi?id=1214993
* https://bugzilla.suse.com/show_bug.cgi?id=1214995
* https://bugzilla.suse.com/show_bug.cgi?id=1214997
* https://bugzilla.suse.com/show_bug.cgi?id=1214998
* https://bugzilla.suse.com/show_bug.cgi?id=1215115
* https://bugzilla.suse.com/show_bug.cgi?id=1215117
* https://bugzilla.suse.com/show_bug.cgi?id=1215123
* https://bugzilla.suse.com/show_bug.cgi?id=1215124
* https://bugzilla.suse.com/show_bug.cgi?id=1215148
* https://bugzilla.suse.com/show_bug.cgi?id=1215150
* https://bugzilla.suse.com/show_bug.cgi?id=1215221
* https://bugzilla.suse.com/show_bug.cgi?id=1215275
* https://bugzilla.suse.com/show_bug.cgi?id=1215322
* https://bugzilla.suse.com/show_bug.cgi?id=1215467
* https://bugzilla.suse.com/show_bug.cgi?id=1215523
* https://bugzilla.suse.com/show_bug.cgi?id=1215581
* https://bugzilla.suse.com/show_bug.cgi?id=1215752
* https://bugzilla.suse.com/show_bug.cgi?id=1215858
* https://bugzilla.suse.com/show_bug.cgi?id=1215860
* https://bugzilla.suse.com/show_bug.cgi?id=1215861
* https://bugzilla.suse.com/show_bug.cgi?id=1215875
* https://bugzilla.suse.com/show_bug.cgi?id=1215877
* https://bugzilla.suse.com/show_bug.cgi?id=1215894
* https://bugzilla.suse.com/show_bug.cgi?id=1215895
* https://bugzilla.suse.com/show_bug.cgi?id=1215896
* https://bugzilla.suse.com/show_bug.cgi?id=1215899
* https://bugzilla.suse.com/show_bug.cgi?id=1215911
* https://bugzilla.suse.com/show_bug.cgi?id=1215915
* https://bugzilla.suse.com/show_bug.cgi?id=1215916
* https://bugzilla.suse.com/show_bug.cgi?id=1215941
* https://bugzilla.suse.com/show_bug.cgi?id=1215956
* https://bugzilla.suse.com/show_bug.cgi?id=1215957
* https://jira.suse.com/browse/PED-1549
* https://jira.suse.com/browse/PED-2023
* https://jira.suse.com/browse/PED-2025
12 Oct '23
# Security update for samba
Announcement ID: SUSE-SU-2023:4059-1
Rating: important
References:
* #1213940
* #1215904
* #1215905
* #1215908
Cross-References:
* CVE-2023-4091
* CVE-2023-4154
* CVE-2023-42669
CVSS scores:
* CVE-2023-4091 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
* CVE-2023-4154 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
* CVE-2023-42669 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Affected Products:
* Basesystem Module 15-SP4
* openSUSE Leap 15.4
* SUSE Linux Enterprise Desktop 15 SP4
* SUSE Linux Enterprise High Availability Extension 15 SP4
* SUSE Linux Enterprise High Performance Computing 15 SP4
* SUSE Linux Enterprise Micro 5.3
* SUSE Linux Enterprise Micro 5.4
* SUSE Linux Enterprise Micro for Rancher 5.3
* SUSE Linux Enterprise Micro for Rancher 5.4
* SUSE Linux Enterprise Real Time 15 SP4
* SUSE Linux Enterprise Server 15 SP4
* SUSE Linux Enterprise Server for SAP Applications 15 SP4
* SUSE Manager Proxy 4.3
* SUSE Manager Retail Branch Server 4.3
* SUSE Manager Server 4.3
An update that solves three vulnerabilities and has one security fix can now be
installed.
## Description:
This update for samba fixes the following issues:
* CVE-2023-4091: Fixed a bug where a client can truncate a file with read-only
permissions. (bsc#1215904)
* CVE-2023-42669: Fixed a bug in the "rpcecho" development server which allows
Denial of Service via a sleep() call on an AD DC. (bso#1215905)
* CVE-2023-4154: Fixed a bug in dirsync which allows SYSTEM access with only
the "GUID_DRS_GET_CHANGES" right. (bsc#1215908)
## Patch Instructions:
To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
* openSUSE Leap 15.4
  zypper in -t patch SUSE-2023-4059=1 openSUSE-SLE-15.4-2023-4059=1
* SUSE Linux Enterprise Micro for Rancher 5.3
  zypper in -t patch SUSE-SLE-Micro-5.3-2023-4059=1
* SUSE Linux Enterprise Micro 5.3
  zypper in -t patch SUSE-SLE-Micro-5.3-2023-4059=1
* SUSE Linux Enterprise Micro for Rancher 5.4
  zypper in -t patch SUSE-SLE-Micro-5.4-2023-4059=1
* SUSE Linux Enterprise Micro 5.4
  zypper in -t patch SUSE-SLE-Micro-5.4-2023-4059=1
* Basesystem Module 15-SP4
  zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP4-2023-4059=1
* SUSE Linux Enterprise High Availability Extension 15 SP4
  zypper in -t patch SUSE-SLE-Product-HA-15-SP4-2023-4059=1
## Package List:
* openSUSE Leap 15.4 (aarch64 ppc64le s390x x86_64 i586)
* samba-ad-dc-debuginfo-4.15.13+git.691.3d3cea0641-150400.3.31.1
* samba-ad-dc-libs-4.15.13+git.691.3d3cea0641-150400.3.31.1
* samba-client-libs-4.15.13+git.691.3d3cea0641-150400.3.31.1
* samba-python3-4.15.13+git.691.3d3cea0641-150400.3.31.1
* libsamba-policy0-python3-debuginfo-4.15.13+git.691.3d3cea0641-150400.3.31.1
* samba-ad-dc-libs-debuginfo-4.15.13+git.691.3d3cea0641-150400.3.31.1
* samba-tool-4.15.13+git.691.3d3cea0641-150400.3.31.1
* samba-client-debuginfo-4.15.13+git.691.3d3cea0641-150400.3.31.1
* samba-ldb-ldap-debuginfo-4.15.13+git.691.3d3cea0641-150400.3.31.1
* samba-gpupdate-4.15.13+git.691.3d3cea0641-150400.3.31.1
* samba-winbind-libs-4.15.13+git.691.3d3cea0641-150400.3.31.1
* samba-ad-dc-4.15.13+git.691.3d3cea0641-150400.3.31.1
* samba-test-debuginfo-4.15.13+git.691.3d3cea0641-150400.3.31.1
* samba-ldb-ldap-4.15.13+git.691.3d3cea0641-150400.3.31.1
* ctdb-debuginfo-4.15.13+git.691.3d3cea0641-150400.3.31.1
* samba-dsdb-modules-debuginfo-4.15.13+git.691.3d3cea0641-150400.3.31.1
* libsamba-policy0-python3-4.15.13+git.691.3d3cea0641-150400.3.31.1
* libsamba-policy-python3-devel-4.15.13+git.691.3d3cea0641-150400.3.31.1
* samba-debuginfo-4.15.13+git.691.3d3cea0641-150400.3.31.1
* samba-libs-4.15.13+git.691.3d3cea0641-150400.3.31.1
* samba-libs-python3-4.15.13+git.691.3d3cea0641-150400.3.31.1
* ctdb-pcp-pmda-4.15.13+git.691.3d3cea0641-150400.3.31.1
* samba-devel-4.15.13+git.691.3d3cea0641-150400.3.31.1
* ctdb-pcp-pmda-debuginfo-4.15.13+git.691.3d3cea0641-150400.3.31.1
* samba-winbind-libs-debuginfo-4.15.13+git.691.3d3cea0641-150400.3.31.1
* samba-dsdb-modules-4.15.13+git.691.3d3cea0641-150400.3.31.1
* samba-winbind-debuginfo-4.15.13+git.691.3d3cea0641-150400.3.31.1
* samba-python3-debuginfo-4.15.13+git.691.3d3cea0641-150400.3.31.1
* samba-test-4.15.13+git.691.3d3cea0641-150400.3.31.1
* libsamba-policy-devel-4.15.13+git.691.3d3cea0641-150400.3.31.1
* samba-4.15.13+git.691.3d3cea0641-150400.3.31.1
* samba-winbind-4.15.13+git.691.3d3cea0641-150400.3.31.1
* ctdb-4.15.13+git.691.3d3cea0641-150400.3.31.1
* samba-client-4.15.13+git.691.3d3cea0641-150400.3.31.1
* samba-libs-python3-debuginfo-4.15.13+git.691.3d3cea0641-150400.3.31.1
* samba-debugsource-4.15.13+git.691.3d3cea0641-150400.3.31.1
* samba-client-libs-debuginfo-4.15.13+git.691.3d3cea0641-150400.3.31.1
* samba-libs-debuginfo-4.15.13+git.691.3d3cea0641-150400.3.31.1
* openSUSE Leap 15.4 (x86_64)
* samba-winbind-libs-32bit-debuginfo-4.15.13+git.691.3d3cea0641-150400.3.31.1
* libsamba-policy0-python3-32bit-4.15.13+git.691.3d3cea0641-150400.3.31.1
* samba-client-libs-32bit-debuginfo-4.15.13+git.691.3d3cea0641-150400.3.31.1
* libsamba-policy0-python3-32bit-debuginfo-4.15.13+git.691.3d3cea0641-150400.3.31.1
* samba-libs-python3-32bit-debuginfo-4.15.13+git.691.3d3cea0641-150400.3.31.1
* samba-ad-dc-libs-32bit-debuginfo-4.15.13+git.691.3d3cea0641-150400.3.31.1
* samba-libs-python3-32bit-4.15.13+git.691.3d3cea0641-150400.3.31.1
* samba-libs-32bit-debuginfo-4.15.13+git.691.3d3cea0641-150400.3.31.1
* samba-client-32bit-debuginfo-4.15.13+git.691.3d3cea0641-150400.3.31.1
* samba-client-32bit-4.15.13+git.691.3d3cea0641-150400.3.31.1
* samba-devel-32bit-4.15.13+git.691.3d3cea0641-150400.3.31.1
* samba-ad-dc-libs-32bit-4.15.13+git.691.3d3cea0641-150400.3.31.1
* samba-libs-32bit-4.15.13+git.691.3d3cea0641-150400.3.31.1
* samba-client-libs-32bit-4.15.13+git.691.3d3cea0641-150400.3.31.1
* samba-winbind-libs-32bit-4.15.13+git.691.3d3cea0641-150400.3.31.1
* openSUSE Leap 15.4 (noarch)
* samba-doc-4.15.13+git.691.3d3cea0641-150400.3.31.1
* openSUSE Leap 15.4 (aarch64 x86_64)
* samba-ceph-4.15.13+git.691.3d3cea0641-150400.3.31.1
* samba-ceph-debuginfo-4.15.13+git.691.3d3cea0641-150400.3.31.1
* openSUSE Leap 15.4 (aarch64_ilp32)
* libsamba-policy0-python3-64bit-debuginfo-4.15.13+git.691.3d3cea0641-150400.3.31.1
* libsamba-policy0-python3-64bit-4.15.13+git.691.3d3cea0641-150400.3.31.1
* samba-ad-dc-libs-64bit-debuginfo-4.15.13+git.691.3d3cea0641-150400.3.31.1
* samba-libs-64bit-debuginfo-4.15.13+git.691.3d3cea0641-150400.3.31.1
* samba-winbind-libs-64bit-debuginfo-4.15.13+git.691.3d3cea0641-150400.3.31.1
* samba-devel-64bit-4.15.13+git.691.3d3cea0641-150400.3.31.1
* samba-client-libs-64bit-4.15.13+git.691.3d3cea0641-150400.3.31.1
* samba-client-64bit-debuginfo-4.15.13+git.691.3d3cea0641-150400.3.31.1
* samba-libs-python3-64bit-debuginfo-4.15.13+git.691.3d3cea0641-150400.3.31.1
* samba-winbind-libs-64bit-4.15.13+git.691.3d3cea0641-150400.3.31.1
* samba-libs-python3-64bit-4.15.13+git.691.3d3cea0641-150400.3.31.1
* samba-ad-dc-libs-64bit-4.15.13+git.691.3d3cea0641-150400.3.31.1
* samba-client-libs-64bit-debuginfo-4.15.13+git.691.3d3cea0641-150400.3.31.1
* samba-client-64bit-4.15.13+git.691.3d3cea0641-150400.3.31.1
* samba-libs-64bit-4.15.13+git.691.3d3cea0641-150400.3.31.1
* SUSE Linux Enterprise Micro for Rancher 5.3 (aarch64 s390x x86_64)
* samba-client-libs-4.15.13+git.691.3d3cea0641-150400.3.31.1
* samba-libs-debuginfo-4.15.13+git.691.3d3cea0641-150400.3.31.1
* samba-debuginfo-4.15.13+git.691.3d3cea0641-150400.3.31.1
* samba-debugsource-4.15.13+git.691.3d3cea0641-150400.3.31.1
* samba-client-libs-debuginfo-4.15.13+git.691.3d3cea0641-150400.3.31.1
* samba-libs-4.15.13+git.691.3d3cea0641-150400.3.31.1
* SUSE Linux Enterprise Micro 5.3 (aarch64 s390x x86_64)
* samba-client-libs-4.15.13+git.691.3d3cea0641-150400.3.31.1
* samba-libs-debuginfo-4.15.13+git.691.3d3cea0641-150400.3.31.1
* samba-debuginfo-4.15.13+git.691.3d3cea0641-150400.3.31.1
* samba-debugsource-4.15.13+git.691.3d3cea0641-150400.3.31.1
* samba-client-libs-debuginfo-4.15.13+git.691.3d3cea0641-150400.3.31.1
* samba-libs-4.15.13+git.691.3d3cea0641-150400.3.31.1
* SUSE Linux Enterprise Micro for Rancher 5.4 (aarch64 s390x x86_64)
* samba-client-libs-4.15.13+git.691.3d3cea0641-150400.3.31.1
* samba-libs-debuginfo-4.15.13+git.691.3d3cea0641-150400.3.31.1
* samba-debuginfo-4.15.13+git.691.3d3cea0641-150400.3.31.1
* samba-debugsource-4.15.13+git.691.3d3cea0641-150400.3.31.1
* samba-client-libs-debuginfo-4.15.13+git.691.3d3cea0641-150400.3.31.1
* samba-libs-4.15.13+git.691.3d3cea0641-150400.3.31.1
* SUSE Linux Enterprise Micro 5.4 (aarch64 s390x x86_64)
* samba-client-libs-4.15.13+git.691.3d3cea0641-150400.3.31.1
* samba-libs-debuginfo-4.15.13+git.691.3d3cea0641-150400.3.31.1
* samba-debuginfo-4.15.13+git.691.3d3cea0641-150400.3.31.1
* samba-debugsource-4.15.13+git.691.3d3cea0641-150400.3.31.1
* samba-client-libs-debuginfo-4.15.13+git.691.3d3cea0641-150400.3.31.1
* samba-libs-4.15.13+git.691.3d3cea0641-150400.3.31.1
* Basesystem Module 15-SP4 (aarch64 ppc64le s390x x86_64)
* samba-ad-dc-libs-4.15.13+git.691.3d3cea0641-150400.3.31.1
* samba-client-libs-4.15.13+git.691.3d3cea0641-150400.3.31.1
* samba-python3-4.15.13+git.691.3d3cea0641-150400.3.31.1
* libsamba-policy0-python3-debuginfo-4.15.13+git.691.3d3cea0641-150400.3.31.1
* samba-ad-dc-libs-debuginfo-4.15.13+git.691.3d3cea0641-150400.3.31.1
* samba-tool-4.15.13+git.691.3d3cea0641-150400.3.31.1
* samba-client-debuginfo-4.15.13+git.691.3d3cea0641-150400.3.31.1
* samba-ldb-ldap-debuginfo-4.15.13+git.691.3d3cea0641-150400.3.31.1
* samba-gpupdate-4.15.13+git.691.3d3cea0641-150400.3.31.1
* samba-winbind-libs-4.15.13+git.691.3d3cea0641-150400.3.31.1
* samba-ldb-ldap-4.15.13+git.691.3d3cea0641-150400.3.31.1
* samba-dsdb-modules-debuginfo-4.15.13+git.691.3d3cea0641-150400.3.31.1
* libsamba-policy0-python3-4.15.13+git.691.3d3cea0641-150400.3.31.1
* libsamba-policy-python3-devel-4.15.13+git.691.3d3cea0641-150400.3.31.1
* samba-debuginfo-4.15.13+git.691.3d3cea0641-150400.3.31.1
* samba-libs-4.15.13+git.691.3d3cea0641-150400.3.31.1
* samba-libs-python3-4.15.13+git.691.3d3cea0641-150400.3.31.1
* samba-devel-4.15.13+git.691.3d3cea0641-150400.3.31.1
* samba-winbind-libs-debuginfo-4.15.13+git.691.3d3cea0641-150400.3.31.1
* samba-dsdb-modules-4.15.13+git.691.3d3cea0641-150400.3.31.1
* samba-winbind-debuginfo-4.15.13+git.691.3d3cea0641-150400.3.31.1
* samba-python3-debuginfo-4.15.13+git.691.3d3cea0641-150400.3.31.1
* samba-winbind-4.15.13+git.691.3d3cea0641-150400.3.31.1
* libsamba-policy-devel-4.15.13+git.691.3d3cea0641-150400.3.31.1
* samba-4.15.13+git.691.3d3cea0641-150400.3.31.1
* samba-client-4.15.13+git.691.3d3cea0641-150400.3.31.1
* samba-libs-python3-debuginfo-4.15.13+git.691.3d3cea0641-150400.3.31.1
* samba-debugsource-4.15.13+git.691.3d3cea0641-150400.3.31.1
* samba-client-libs-debuginfo-4.15.13+git.691.3d3cea0641-150400.3.31.1
* samba-libs-debuginfo-4.15.13+git.691.3d3cea0641-150400.3.31.1
* Basesystem Module 15-SP4 (aarch64 x86_64)
* samba-ceph-4.15.13+git.691.3d3cea0641-150400.3.31.1
* samba-ceph-debuginfo-4.15.13+git.691.3d3cea0641-150400.3.31.1
* Basesystem Module 15-SP4 (x86_64)
* samba-winbind-libs-32bit-debuginfo-4.15.13+git.691.3d3cea0641-150400.3.31.1
* samba-client-libs-32bit-debuginfo-4.15.13+git.691.3d3cea0641-150400.3.31.1
* samba-ad-dc-libs-32bit-debuginfo-4.15.13+git.691.3d3cea0641-150400.3.31.1
* samba-libs-32bit-debuginfo-4.15.13+git.691.3d3cea0641-150400.3.31.1
* samba-client-32bit-4.15.13+git.691.3d3cea0641-150400.3.31.1
* samba-devel-32bit-4.15.13+git.691.3d3cea0641-150400.3.31.1
* samba-ad-dc-libs-32bit-4.15.13+git.691.3d3cea0641-150400.3.31.1
* samba-client-32bit-debuginfo-4.15.13+git.691.3d3cea0641-150400.3.31.1
* samba-libs-32bit-4.15.13+git.691.3d3cea0641-150400.3.31.1
* samba-client-libs-32bit-4.15.13+git.691.3d3cea0641-150400.3.31.1
* samba-winbind-libs-32bit-4.15.13+git.691.3d3cea0641-150400.3.31.1
* SUSE Linux Enterprise High Availability Extension 15 SP4 (aarch64 ppc64le s390x x86_64)
* ctdb-4.15.13+git.691.3d3cea0641-150400.3.31.1
* ctdb-debuginfo-4.15.13+git.691.3d3cea0641-150400.3.31.1
* samba-debuginfo-4.15.13+git.691.3d3cea0641-150400.3.31.1
* samba-debugsource-4.15.13+git.691.3d3cea0641-150400.3.31.1
## References:
* https://www.suse.com/security/cve/CVE-2023-4091.html
* https://www.suse.com/security/cve/CVE-2023-4154.html
* https://www.suse.com/security/cve/CVE-2023-42669.html
* https://bugzilla.suse.com/show_bug.cgi?id=1213940
* https://bugzilla.suse.com/show_bug.cgi?id=1215904
* https://bugzilla.suse.com/show_bug.cgi?id=1215905
* https://bugzilla.suse.com/show_bug.cgi?id=1215908