November 2023 - openSUSE Security Announce

openSUSE-SU-2023:0363-1: moderate: Security update for mupdf
by opensuse-security＠opensuse.org 11 Nov '23

11 Nov '23

openSUSE Security Update: Security update for mupdf ______________________________________________________________________________ Announcement ID: openSUSE-SU-2023:0363-1 Rating: moderate References: #1216728 Cross-References: CVE-2023-31794 CVSS scores: CVE-2023-31794 (NVD) : 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H Affected Products: openSUSE Backports SLE-15-SP5 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for mupdf fixes the following issues: - CVE-2023-31794: Fixed denial of service via crafted pdf in pdf_mark_list_push() (boo#1216728) Patch Instructions: To install this openSUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - openSUSE Backports SLE-15-SP5: zypper in -t patch openSUSE-2023-363=1 Package List: - openSUSE Backports SLE-15-SP5 (aarch64 i586 ppc64le s390x x86_64): mupdf-1.21.1-bp155.3.3.1 mupdf-devel-static-1.21.1-bp155.3.3.1 References: https://www.suse.com/security/cve/CVE-2023-31794.html https://bugzilla.suse.com/1216728

1 0

SUSE-SU-2023:4414-1: important: Security update for the Linux Kernel
by security＠lists.opensuse.org 10 Nov '23

10 Nov '23

# Security update for the Linux Kernel Announcement ID: SUSE-SU-2023:4414-1 Rating: important References: * bsc#1208788 * bsc#1211162 * bsc#1211307 * bsc#1212423 * bsc#1213705 * bsc#1213772 * bsc#1214754 * bsc#1214874 * bsc#1215104 * bsc#1215523 * bsc#1215545 * bsc#1215921 * bsc#1215955 * bsc#1215986 * bsc#1216062 * bsc#1216202 * bsc#1216322 * bsc#1216323 * bsc#1216324 * bsc#1216333 * bsc#1216345 * bsc#1216512 Cross-References: * CVE-2023-2163 * CVE-2023-2860 * CVE-2023-31085 * CVE-2023-34324 * CVE-2023-3777 * CVE-2023-39189 * CVE-2023-39191 * CVE-2023-39193 * CVE-2023-45862 * CVE-2023-46813 * CVE-2023-5178 CVSS scores: * CVE-2023-2163 ( SUSE ): 7.1 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N * CVE-2023-2163 ( NVD ): 10.0 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N * CVE-2023-2860 ( SUSE ): 4.4 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N * CVE-2023-2860 ( NVD ): 4.4 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N * CVE-2023-31085 ( SUSE ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H * CVE-2023-31085 ( NVD ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H * CVE-2023-34324 ( SUSE ): 5.7 CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H * CVE-2023-3777 ( SUSE ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H * CVE-2023-3777 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H * CVE-2023-39189 ( SUSE ): 4.4 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N * CVE-2023-39189 ( NVD ): 5.1 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:L * CVE-2023-39191 ( SUSE ): 8.2 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H * CVE-2023-39191 ( NVD ): 8.2 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H * CVE-2023-39193 ( SUSE ): 5.1 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:L * CVE-2023-39193 ( NVD ): 6.1 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L * CVE-2023-45862 ( SUSE ): 6.4 CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H * CVE-2023-45862 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H * CVE-2023-46813 ( SUSE ): 7.0 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H * CVE-2023-46813 ( NVD ): 7.0 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H * CVE-2023-5178 ( SUSE ): 7.2 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H * CVE-2023-5178 ( NVD ): 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Affected Products: * openSUSE Leap 15.5 * Public Cloud Module 15-SP5 * SUSE Linux Enterprise High Performance Computing 15 SP5 * SUSE Linux Enterprise Server 15 SP5 * SUSE Linux Enterprise Server for SAP Applications 15 SP5 An update that solves 11 vulnerabilities and has 11 security fixes can now be installed. ## Description: The SUSE Linux Enterprise 15 SP5 Azure kernel was updated to receive various security and bugfixes. The following security bugs were fixed: * CVE-2023-3777: Fixed a use-after-free vulnerability in netfilter: nf_tables component can be exploited to achieve local privilege escalation. (bsc#1215095) * CVE-2023-46813: Fixed a local privilege escalation with user-space programs that have access to MMIO regions (bsc#1212649). * CVE-2023-31085: Fixed a divide-by-zero error in do_div(sz,mtd->erasesize) that could cause a local DoS. (bsc#1210778) * CVE-2023-45862: Fixed an issue in the ENE UB6250 reader driver whwere an object could potentially extend beyond the end of an allocation causing. (bsc#1216051) * CVE-2023-39193: Fixed an out of bounds read in the xtables subsystem (bsc#1215860). * CVE-2023-5178: Fixed an UAF in queue intialization setup. (bsc#1215768) * CVE-2023-2163: Fixed an incorrect verifier pruning in BPF that could lead to unsafe code paths being incorrectly marked as safe, resulting in arbitrary read/write in kernel memory, lateral privilege escalation, and container escape. (bsc#1215518) * CVE-2023-34324: Fixed a possible deadlock in Linux kernel event handling. (bsc#1215745). * CVE-2023-39189: Fixed a flaw in the Netfilter subsystem that could allow a local privileged (CAP_NET_ADMIN) attacker to trigger an out-of-bounds read, leading to a crash or information disclosure. (bsc#1216046) * CVE-2023-39191: Fixed a lack of validation of dynamic pointers within user- supplied eBPF programs that may have allowed an attacker with CAP_BPF privileges to escalate privileges and execute arbitrary code. (bsc#1215863) * CVE-2023-2860: Fixed an out-of-bounds read vulnerability in the processing of seg6 attributes. This flaw allowed a privileged local user to disclose sensitive information. (bsc#1211592) The following non-security bugs were fixed: * 9p: virtio: make sure 'offs' is initialized in zc_request (git-fixes). * ACPI: irq: Fix incorrect return value in acpi_register_gsi() (git-fixes). * ACPI: resource: Skip IRQ override on ASUS ExpertBook B1402CBA (git-fixes). * ALSA: hda/realtek - ALC287 I2S speaker platform support (git-fixes). * ALSA: hda/realtek - ALC287 merge RTK codec with CS CS35L41 AMP (git-fixes). * ALSA: hda/realtek - Fixed ASUS platform headset Mic issue (git-fixes). * ALSA: hda/realtek - Fixed two speaker platform (git-fixes). * ALSA: hda/realtek: Add quirk for ASUS ROG GU603ZV (git-fixes). * ALSA: hda/realtek: Change model for Intel RVP board (git-fixes). * ALSA: hda/relatek: Enable Mute LED on HP Laptop 15s-fq5xxx (git-fixes). * ALSA: hda: Disable power save for solving pop issue on Lenovo ThinkCentre M70q (git-fixes). * ALSA: hda: intel-dsp-cfg: add LunarLake support (git-fixes). * ALSA: hda: intel-sdw-acpi: Use u8 type for link index (git-fixes). * ALSA: usb-audio: Fix microphone sound on Nexigo webcam (git-fixes). * ALSA: usb-audio: Fix microphone sound on Opencomm2 Headset (git-fixes). * ASoC: amd: yc: Fix non-functional mic on Lenovo 82YM (git-fixes). * ASoC: codecs: wcd938x-sdw: fix runtime PM imbalance on probe errors (git- fixes). * ASoC: codecs: wcd938x-sdw: fix use after free on driver unbind (git-fixes). * ASoC: codecs: wcd938x: drop bogus bind error handling (git-fixes). * ASoC: codecs: wcd938x: fix unbind tear down order (git-fixes). * ASoC: fsl: imx-pcm-rpmsg: Add SNDRV_PCM_INFO_BATCH flag (git-fixes). * ASoC: imx-rpmsg: Set ignore_pmdown_time for dai_link (git-fixes). * ASoC: pxa: fix a memory leak in probe() (git-fixes). * Bluetooth: Avoid redundant authentication (git-fixes). * Bluetooth: Fix a refcnt underflow problem for hci_conn (git-fixes). * Bluetooth: ISO: Fix handling of listen for unicast (git-fixes). * Bluetooth: Reject connection with the device which has same BD_ADDR (git- fixes). * Bluetooth: avoid memcmp() out of bounds warning (git-fixes). * Bluetooth: btusb: add shutdown function for QCA6174 (git-fixes). * Bluetooth: hci_codec: Fix leaking content of local_codecs (git-fixes). * Bluetooth: hci_event: Fix coding style (git-fixes). * Bluetooth: hci_event: Fix using memcmp when comparing keys (git-fixes). * Bluetooth: hci_event: Ignore NULL link key (git-fixes). * Bluetooth: hci_sock: Correctly bounds check and pad HCI_MON_NEW_INDEX name (git-fixes). * Bluetooth: hci_sock: fix slab oob read in create_monitor_event (git-fixes). * Bluetooth: vhci: Fix race when opening vhci device (git-fixes). * Documentation: qat: change kernel version (PED-6401). * Documentation: qat: rewrite description (PED-6401). * Drivers: hv: vmbus: Call hv_synic_free() if hv_synic_alloc() fails (git- fixes). * Drivers: hv: vmbus: Fix vmbus_wait_for_unload() to scan present CPUs (git- fixes). * Drop amdgpu patch causing spamming (bsc#1215523). * HID: holtek: fix slab-out-of-bounds Write in holtek_kbd_input_event (git- fixes). * HID: intel-ish-hid: ipc: Disable and reenable ACPI GPE bit (git-fixes). * HID: logitech-hidpp: Fix kernel crash on receiver USB disconnect (git- fixes). * HID: multitouch: Add required quirk for Synaptics 0xcd7e device (git-fixes). * HID: sony: Fix a potential memory leak in sony_probe() (git-fixes). * HID: sony: remove duplicate NULL check before calling usb_free_urb() (git- fixes). * IB/mlx4: Fix the size of a buffer in add_port_entries() (git-fixes) * Input: goodix - ensure int GPIO is in input for gpio_count == 1 && gpio_int_idx == 0 case (git-fixes). * Input: powermate - fix use-after-free in powermate_config_complete (git- fixes). * Input: psmouse - fix fast_reconnect function for PS/2 mode (git-fixes). * Input: xpad - add PXN V900 support (git-fixes). * KVM: SVM: Do not kill SEV guest if SMAP erratum triggers in usermode (git- fixes). * KVM: SVM: INTERCEPT_RDTSCP is never intercepted anyway (git-fixes). * KVM: s390: fix gisa destroy operation might lead to cpu stalls (git-fixes bsc#1216512). * KVM: x86/mmu: Reconstruct shadow page root if the guest PDPTEs is changed (git-fixes). * KVM: x86: Fix clang -Wimplicit-fallthrough in do_host_cpuid() (git-fixes). * KVM: x86: Move open-coded CPUID leaf 0x80000021 EAX bit propagation code (bsc#1213772). * KVM: x86: Propagate the AMD Automatic IBRS feature to the guest (bsc#1213772). * KVM: x86: add support for CPUID leaf 0x80000021 (bsc#1213772). * KVM: x86: synthesize CPUID leaf 0x80000021h if useful (bsc#1213772). * KVM: x86: work around QEMU issue with synthetic CPUID leaves (git-fixes). * NFS: Fix O_DIRECT locking issues (bsc#1211162). * NFS: Fix a few more clear_bit() instances that need release semantics (bsc#1211162). * NFS: Fix a potential data corruption (bsc#1211162). * NFS: Fix a use after free in nfs_direct_join_group() (bsc#1211162). * NFS: Fix error handling for O_DIRECT write scheduling (bsc#1211162). * NFS: More O_DIRECT accounting fixes for error paths (bsc#1211162). * NFS: More fixes for nfs_direct_write_reschedule_io() (bsc#1211162). * NFS: Use the correct commit info in nfs_join_page_group() (bsc#1211162). * NFSD: Never call nfsd_file_gc() in foreground paths (bsc#1215545). * RDMA/cma: Fix truncation compilation warning in make_cma_ports (git-fixes) * RDMA/cma: Initialize ib_sa_multicast structure to 0 when join (git-fixes) * RDMA/core: Require admin capabilities to set system parameters (git-fixes) * RDMA/cxgb4: Check skb value for failure to allocate (git-fixes) * RDMA/mlx5: Fix NULL string error (git-fixes) * RDMA/mlx5: Fix mutex unlocking on error flow for steering anchor creation (git-fixes) * RDMA/siw: Fix connection failure handling (git-fixes) * RDMA/srp: Do not call scsi_done() from srp_abort() (git-fixes) * RDMA/uverbs: Fix typo of sizeof argument (git-fixes) * Revert "pinctrl: avoid unsafe code pattern in find_pinctrl()" (git-fixes). * Revert "tty: n_gsm: fix UAF in gsm_cleanup_mux" (git-fixes). * USB: serial: option: add Fibocom to DELL custom modem FM101R-GL (git-fixes). * USB: serial: option: add Telit LE910C4-WWX 0x1035 composition (git-fixes). * USB: serial: option: add entry for Sierra EM9191 with new firmware (git- fixes). * arm64/smmu: use TLBI ASID when invalidating entire range (bsc#1215921) * ata: libata-core: Do not register PM operations for SAS ports (git-fixes). * ata: libata-core: Fix ata_port_request_pm() locking (git-fixes). * ata: libata-core: Fix port and device removal (git-fixes). * ata: libata-sata: increase PMP SRST timeout to 10s (git-fixes). * ata: libata-scsi: ignore reserved bits for REPORT SUPPORTED OPERATION CODES (git-fixes). * blk-cgroup: Fix NULL deref caused by blkg_policy_data being installed before init (bsc#1216062). * blk-cgroup: support to track if policy is online (bsc#1216062). * bonding: Fix extraction of ports from the packet headers (bsc#1214754). * bonding: Return pointer to data after pull on skb (bsc#1214754). * bonding: do not assume skb mac_header is set (bsc#1214754). * bpf: Add copy_map_value_long to copy to remote percpu memory (git-fixes). * bpf: Add missing btf_put to register_btf_id_dtor_kfuncs (git-fixes). * bpf: Add override check to kprobe multi link attach (git-fixes). * bpf: Add zero_map_value to zero map value with special fields (git-fixes). * bpf: Cleanup check_refcount_ok (git-fixes). * bpf: Fix max stack depth check for async callbacks (git-fixes). * bpf: Fix offset calculation error in __copy_map_value and zero_map_value (git-fixes). * bpf: Fix ref_obj_id for dynptr data slices in verifier (git-fixes). * bpf: Fix resetting logic for unreferenced kptrs (git-fixes). * bpf: Fix subprog idx logic in check_max_stack_depth (git-fixes). * bpf: Gate dynptr API behind CAP_BPF (git-fixes). * bpf: Prevent decl_tag from being referenced in func_proto arg (git-fixes). * bpf: Repeat check_max_stack_depth for async callbacks (git-fixes). * bpf: Tighten ptr_to_btf_id checks (git-fixes). * bpf: fix precision propagation verbose logging (git-fixes). * bpf: prevent decl_tag from being referenced in func_proto (git-fixes). * bpf: propagate precision across all frames, not just the last one (git- fixes). * bpf: propagate precision in ALU/ALU64 operations (git-fixes). * btf: Export bpf_dynptr definition (git-fixes). * btrfs: do not start transaction for scrub if the fs is mounted read-only (bsc#1214874). * bus: ti-sysc: Fix missing AM35xx SoC matching (git-fixes). * bus: ti-sysc: Use fsleep() instead of usleep_range() in sysc_reset() (git- fixes). * ceph: add base64 endcoding routines for encrypted names (jsc#SES-1880). * ceph: add encryption support to writepage and writepages (jsc#SES-1880). * ceph: add fscrypt ioctls and ceph.fscrypt.auth vxattr (jsc#SES-1880). * ceph: add helpers for converting names for userland presentation (jsc#SES-1880). * ceph: add infrastructure for file encryption and decryption (jsc#SES-1880). * ceph: add new mount option to enable sparse reads (jsc#SES-1880). * ceph: add object version support for sync read (jsc#SES-1880). * ceph: add read/modify/write to ceph_sync_write (jsc#SES-1880). * ceph: add some fscrypt guardrails (jsc#SES-1880). * ceph: add support for encrypted snapshot names (jsc#SES-1880). * ceph: add support to readdir for encrypted names (jsc#SES-1880). * ceph: add truncate size handling support for fscrypt (jsc#SES-1880). * ceph: align data in pages in ceph_sync_write (jsc#SES-1880). * ceph: allow encrypting a directory while not having Ax caps (jsc#SES-1880). * ceph: create symlinks with encrypted and base64-encoded targets (jsc#SES-1880). * ceph: decode alternate_name in lease info (jsc#SES-1880). * ceph: do not use special DIO path for encrypted inodes (jsc#SES-1880). * ceph: drop messages from MDS when unmounting (jsc#SES-1880). * ceph: encode encrypted name in ceph_mdsc_build_path and dentry release (jsc#SES-1880). * ceph: fix incorrect revoked caps assert in ceph_fill_file_size() (bsc#1216322). * ceph: fix type promotion bug on 32bit systems (bsc#1216324). * ceph: fix updating i_truncate_pagecache_size for fscrypt (jsc#SES-1880). * ceph: fscrypt_auth handling for ceph (jsc#SES-1880). * ceph: handle fscrypt fields in cap messages from MDS (jsc#SES-1880). * ceph: implement -o test_dummy_encryption mount option (jsc#SES-1880). * ceph: invalidate pages when doing direct/sync writes (jsc#SES-1880). * ceph: make ceph_fill_trace and ceph_get_name decrypt names (jsc#SES-1880). * ceph: make ceph_msdc_build_path use ref-walk (jsc#SES-1880). * ceph: make d_revalidate call fscrypt revalidator for encrypted dentries (jsc#SES-1880). * ceph: make ioctl cmds more readable in debug log (jsc#SES-1880). * ceph: make num_fwd and num_retry to __u32 (jsc#SES-1880). * ceph: mark directory as non-complete after loading key (jsc#SES-1880). * ceph: pass the request to parse_reply_info_readdir() (jsc#SES-1880). * ceph: plumb in decryption during reads (jsc#SES-1880). * ceph: preallocate inode for ops that may create one (jsc#SES-1880). * ceph: prevent snapshot creation in encrypted locked directories (jsc#SES-1880). * ceph: remove unnecessary check for NULL in parse_longname() (bsc#1216333). * ceph: send alternate_name in MClientRequest (jsc#SES-1880). * ceph: set DCACHE_NOKEY_NAME flag in ceph_lookup/atomic_open() (jsc#SES-1880). * ceph: size handling in MClientRequest, cap updates and inode traces (jsc#SES-1880). * ceph: switch ceph_lookup/atomic_open() to use new fscrypt helper (jsc#SES-1880). * ceph: use osd_req_op_extent_osd_iter for netfs reads (jsc#SES-1880). * ceph: voluntarily drop Xx caps for requests those touch parent mtime (jsc#SES-1880). * ceph: wait for OSD requests' callbacks to finish when unmounting (jsc#SES-1880). * cgroup/cpuset: Change references of cpuset_mutex to cpuset_rwsem (bsc#1215955). * cgroup: Remove duplicates in cgroup v1 tasks file (bsc#1211307). * clk: tegra: fix error return case for recalc_rate (git-fixes). * counter: microchip-tcb-capture: Fix the use of internal GCLK logic (git- fixes). * crypto: qat - Include algapi.h for low-level Crypto API (PED-6401). * crypto: qat - Remove unused function declarations (PED-6401). * crypto: qat - add fw_counters debugfs file (PED-6401). * crypto: qat - add heartbeat counters check (PED-6401). * crypto: qat - add heartbeat feature (PED-6401). * crypto: qat - add internal timer for qat 4xxx (PED-6401). * crypto: qat - add measure clock frequency (PED-6401). * crypto: qat - add missing function declaration in adf_dbgfs.h (PED-6401). * crypto: qat - add qat_zlib_deflate (PED-6401). * crypto: qat - add support for 402xx devices (PED-6401). * crypto: qat - change value of default idle filter (PED-6401). * crypto: qat - delay sysfs initialization (PED-6401). * crypto: qat - do not export adf_init_admin_pm() (PED-6401). * crypto: qat - drop log level of msg in get_instance_node() (PED-6401). * crypto: qat - drop obsolete heartbeat interface (PED-6401). * crypto: qat - drop redundant adf_enable_aer() (PED-6401). * crypto: qat - expose pm_idle_enabled through sysfs (PED-6401). * crypto: qat - extend buffer list logic interface (PED-6401). * crypto: qat - extend configuration for 4xxx (PED-6401). * crypto: qat - fix apply custom thread-service mapping for dc service (PED-6401). * crypto: qat - fix concurrency issue when device state changes (PED-6401). * crypto: qat - fix crypto capability detection for 4xxx (PED-6401). * crypto: qat - fix spelling mistakes from 'bufer' to 'buffer' (PED-6401). * crypto: qat - make fw images name constant (PED-6401). * crypto: qat - make state machine functions static (PED-6401). * crypto: qat - move dbgfs init to separate file (PED-6401). * crypto: qat - move returns to default case (PED-6401). * crypto: qat - refactor device restart logic (PED-6401). * crypto: qat - refactor fw config logic for 4xxx (PED-6401). * crypto: qat - remove ADF_STATUS_PF_RUNNING flag from probe (PED-6401). * crypto: qat - replace state machine calls (PED-6401). * crypto: qat - replace the if statement with min() (PED-6401). * crypto: qat - set deprecated capabilities as reserved (PED-6401). * crypto: qat - unmap buffer before free for DH (PED-6401). * crypto: qat - unmap buffers before free for RSA (PED-6401). * crypto: qat - update slice mask for 4xxx devices (PED-6401). * crypto: qat - use kfree_sensitive instead of memset/kfree() (PED-6401). * dmaengine: idxd: use spin_lock_irqsave before wait_event_lock_irq (git- fixes). * dmaengine: mediatek: Fix deadlock caused by synchronize_irq() (git-fixes). * dmaengine: stm32-mdma: abort resume if no ongoing transfer (git-fixes). * drm/amd/display: Do not check registers, if using AUX BL control (git- fixes). * drm/amd/display: Do not set dpms_off for seamless boot (git-fixes). * drm/amd/pm: add unique_id for gc 11.0.3 (git-fixes). * drm/amd: Fix detection of _PR3 on the PCIe root port (git-fixes). * drm/amdgpu/nbio4.3: set proper rmmio_remap.reg_offset for SR-IOV (git- fixes). * drm/amdgpu/soc21: do not remap HDP registers for SR-IOV (git-fixes). * drm/amdgpu: Handle null atom context in VBIOS info ioctl (git-fixes). * drm/amdgpu: add missing NULL check (git-fixes). * drm/amdkfd: Flush TLB after unmapping for GFX v9.4.3 (git-fixes). * drm/amdkfd: Insert missing TLB flush on GFX10 and later (git-fixes). * drm/amdkfd: Use gpu_offset for user queue's wptr (git-fixes). * drm/atomic-helper: relax unregistered connector check (git-fixes). * drm/bridge: ti-sn65dsi83: Do not generate HFP/HBP/HSA and EOT packet (git- fixes). * drm/i915/gt: Fix reservation address in ggtt_reserve_guc_top (git-fixes). * drm/i915: Retry gtt fault when out of fence registers (git-fixes). * drm/mediatek: Correctly free sg_table in gem prime vmap (git-fixes). * drm/msm/dp: do not reinitialize phy unless retry during link training (git- fixes). * drm/msm/dpu: change _dpu_plane_calc_bw() to use u64 to avoid overflow (git- fixes). * drm/msm/dsi: fix irq_of_parse_and_map() error checking (git-fixes). * drm/msm/dsi: skip the wait for video mode done if not applicable (git- fixes). * drm/vmwgfx: fix typo of sizeof argument (git-fixes). * drm: panel-orientation-quirks: Add quirk for One Mix 2S (git-fixes). * firmware: arm_ffa: Do not set the memory region attributes for MEM_LEND (git-fixes). * firmware: imx-dsp: Fix an error handling path in imx_dsp_setup_channels() (git-fixes). * fprobe: Ensure running fprobe_exit_handler() finished before calling rethook_free() (git-fixes). * fscrypt: new helper function - fscrypt_prepare_lookup_partial() (jsc#SES-1880). * gpio: aspeed: fix the GPIO number passed to pinctrl_gpio_set_config() (git- fixes). * gpio: pmic-eic-sprd: Add can_sleep flag for PMIC EIC chip (git-fixes). * gpio: pxa: disable pinctrl calls for MMP_GPIO (git-fixes). * gpio: tb10x: Fix an error handling path in tb10x_gpio_probe() (git-fixes). * gpio: timberdale: Fix potential deadlock on &tgpio->lock (git-fixes). * gpio: vf610: set value before the direction to avoid a glitch (git-fixes). * gve: Do not fully free QPL pages on prefill errors (git-fixes). * i2c: i801: unregister tco_pdev in i801_probe() error path (git-fixes). * i2c: mux: Avoid potential false error message in i2c_mux_add_adapter (git- fixes). * i2c: mux: demux-pinctrl: check the return value of devm_kstrdup() (git- fixes). * i2c: mux: gpio: Add missing fwnode_handle_put() (git-fixes). * i2c: mux: gpio:Â Replace custom acpi_get_local_address() (git-fixes). * i2c: npcm7xx: Fix callback completion ordering (git-fixes). * ieee802154: ca8210: Fix a potential UAF in ca8210_probe (git-fixes). * iio: pressure: bmp280: Fix NULL pointer exception (git-fixes). * iio: pressure: dps310: Adjust Timeout Settings (git-fixes). * iio: pressure: ms5611: ms5611_prom_is_valid false negative bug (git-fixes). * intel x86 platform vsec kABI workaround (bsc#1216202). * io_uring/fs: remove sqe->rw_flags checking from LINKAT (git-fixes). * io_uring/rw: defer fsnotify calls to task context (git-fixes). * io_uring/rw: ensure kiocb_end_write() is always called (git-fixes). * io_uring/rw: remove leftover debug statement (git-fixes). * io_uring: Replace 0-length array with flexible array (git-fixes). * io_uring: ensure REQ_F_ISREG is set async offload (git-fixes). * io_uring: fix fdinfo sqe offsets calculation (git-fixes). * io_uring: fix memory leak when removing provided buffers (git-fixes). * iommu/amd/io-pgtable: Implement map_pages io_pgtable_ops callback (bsc#1212423). * iommu/amd/io-pgtable: Implement unmap_pages io_pgtable_ops callback (bsc#1212423). * iommu/amd: Add map/unmap_pages() iommu_domain_ops callback support (bsc#1212423). * iommu/arm-smmu-v3: Fix soft lockup triggered by (bsc#1215921) * kABI: fix bpf Tighten-ptr_to_btf_id checks (git-fixes). * kabi: blkcg_policy_data fix KABI (bsc#1216062). * kabi: workaround for enum nft_trans_phase (bsc#1215104). * kprobes: Prohibit probing on CFI preamble symbol (git-fixes). * leds: Drop BUG_ON check for LED_COLOR_ID_MULTI (git-fixes). * libceph: add CEPH_OSD_OP_ASSERT_VER support (jsc#SES-1880). * libceph: add new iov_iter-based ceph_msg_data_type and ceph_osd_data_type (jsc#SES-1880). * libceph: add sparse read support to OSD client (jsc#SES-1880). * libceph: add sparse read support to msgr1 (jsc#SES-1880). * libceph: add spinlock around osd->o_requests (jsc#SES-1880). * libceph: allow ceph_osdc_new_request to accept a multi-op read (jsc#SES-1880). * libceph: define struct ceph_sparse_extent and add some helpers (jsc#SES-1880). * libceph: new sparse_read op, support sparse reads on msgr2 crc codepath (jsc#SES-1880). * libceph: support sparse reads on msgr2 secure codepath (jsc#SES-1880). * libceph: use kernel_connect() (bsc#1216323). * mm, memcg: reconsider kmem.limit_in_bytes deprecation (bsc#1208788 bsc#1213705). * mmc: core: Capture correct oemid-bits for eMMC cards (git-fixes). * mmc: core: sdio: hold retuning if sdio in 1-bit mode (git-fixes). * mmc: mtk-sd: Use readl_poll_timeout_atomic in msdc_reset_hw (git-fixes). * mtd: physmap-core: Restore map_rom fallback (git-fixes). * mtd: rawnand: arasan: Ensure program page operations are successful (git- fixes). * mtd: rawnand: marvell: Ensure program page operations are successful (git- fixes). * mtd: rawnand: pl353: Ensure program page operations are successful (git- fixes). * mtd: rawnand: qcom: Unmap the right resource upon probe failure (git-fixes). * mtd: spinand: micron: correct bitmask for ecc status (git-fixes). * net/sched: fix netdevice reference leaks in attach_default_qdiscs() (git- fixes). * net: mana: Fix TX CQE error handling (bsc#1215986). * net: mana: Fix oversized sge0 for GSO packets (bsc#1215986). * net: nfc: llcp: Add lock when modifying device list (git-fixes). * net: rfkill: gpio: prevent value glitch during probe (git-fixes). * net: sched: add barrier to fix packet stuck problem for lockless qdisc (bsc#1216345). * net: sched: fixed barrier to prevent skbuff sticking in qdisc backlog (bsc#1216345). * net: usb: dm9601: fix uninitialized variable use in dm9601_mdio_read (git- fixes). * net: usb: smsc75xx: Fix uninit-value access in __smsc75xx_read_reg (git- fixes). * net: usb: smsc95xx: Fix an error code in smsc95xx_reset() (git-fixes). * net: use sk_is_tcp() in more places (git-fixes). * netfilter: nf_tables: add NFT_TRANS_PREPARE_ERROR to deal with bound set/chain (git-fixes). * netfilter: nf_tables: unbind non-anonymous set if rule construction fails (git-fixes). * nfc: nci: assert requested protocol is valid (git-fixes). * nfc: nci: fix possible NULL pointer dereference in send_acknowledge() (git- fixes). * nfs: only issue commit in DIO codepath if we have uncommitted data (bsc#1211162). * nilfs2: fix potential use after free in nilfs_gccache_submit_read_data() (git-fixes). * nvme-fc: Prevent null pointer dereference in nvme_fc_io_getuuid() (bsc#1214842). * phy: mapphone-mdm6600: Fix pinctrl_pm handling for sleep pins (git-fixes). * phy: mapphone-mdm6600: Fix runtime PM for remove (git-fixes). * phy: mapphone-mdm6600: Fix runtime disable on probe (git-fixes). * pinctrl: avoid unsafe code pattern in find_pinctrl() (git-fixes). * pinctrl: renesas: rzn1: Enable missing PINMUX (git-fixes). * platform/surface: platform_profile: Propagate error if profile registration fails (git-fixes). * platform/x86/intel/pmt: Ignore uninitialized entries (bsc#1216202). * platform/x86/intel/pmt: telemetry: Fix fixed region handling (bsc#1216202). * platform/x86/intel/vsec: Rework early hardware code (bsc#1216202). * platform/x86/intel: Fix 'rmmod pmt_telemetry' panic (bsc#1216202). * platform/x86/intel: Fix pmt_crashlog array reference (bsc#1216202). * platform/x86: asus-wmi: Change ASUS_WMI_BRN_DOWN code from 0x20 to 0x2e (git-fixes). * platform/x86: asus-wmi: Map 0x2a code, Ignore 0x2b and 0x2c events (git- fixes). * platform/x86: think-lmi: Fix reference leak (git-fixes). * platform/x86: touchscreen_dmi: Add info for the Positivo C4128B (git-fixes). * power: supply: ucs1002: fix error code in ucs1002_get_property() (git- fixes). * quota: Fix slow quotaoff (bsc#1216621). * r8152: check budget for r8152_poll() (git-fixes). * regmap: fix NULL deref on lookup (git-fixes). * regmap: rbtree: Fix wrong register marked as in-cache when creating new node (git-fixes). * remove unnecessary WARN_ON_ONCE() (bsc#1214823). * ring-buffer: Avoid softlockup in ring_buffer_resize() (git-fixes). * ring-buffer: Do not attempt to read past "commit" (git-fixes). * ring-buffer: Fix bytes info in per_cpu buffer stats (git-fixes). * ring-buffer: Update "shortest_full" in polling (git-fixes). * s390/cio: fix a memleak in css_alloc_subchannel (git-fixes bsc#1216510). * s390/pci: fix iommu bitmap allocation (git-fixes bsc#1216511). * sched/cpuset: Bring back cpuset_mutex (bsc#1215955). * sched/deadline,rt: Remove unused parameter from pick_next_[rt|dl]_entity() (git fixes (sched)). * sched/rt: Fix live lock between select_fallback_rq() and RT push (git fixes (sched)). * sched/rt: Fix sysctl_sched_rr_timeslice intial value (git fixes (sched)). * scsi: be2iscsi: Add length check when parsing nlattrs (git-fixes). * scsi: fcoe: Fix potential deadlock on &fip->ctlr_lock (git-fixes). * scsi: iscsi: Add length check for nlattr payload (git-fixes). * scsi: iscsi: Add strlen() check in iscsi_if_set{_host}_param() (git-fixes). * scsi: iscsi_tcp: restrict to TCP sockets (git-fixes). * scsi: mpi3mr: Propagate sense data for admin queue SCSI I/O (git-fixes). * scsi: mpt3sas: Perform additional retries if doorbell read returns 0 (git- fixes). * scsi: pm8001: Setup IRQs on resume (git-fixes). * scsi: qedf: Do not touch __user pointer in qedf_dbg_debug_cmd_read() directly (git-fixes). * scsi: qedf: Do not touch __user pointer in qedf_dbg_fp_int_cmd_read() directly (git-fixes). * scsi: qedf: Do not touch __user pointer in qedf_dbg_stop_io_on_error_cmd_read() directly (git-fixes). * scsi: qedi: Fix potential deadlock on &qedi_percpu->p_work_lock (git-fixes). * scsi: qla4xxx: Add length check when parsing nlattrs (git-fixes). * selftests/bpf: Add more tests for check_max_stack_depth bug (git-fixes). * selftests/bpf: Add reproducer for decl_tag in func_proto argument (git- fixes). * selftests/bpf: Add reproducer for decl_tag in func_proto return type (git- fixes). * selftests/bpf: Add selftest for check_stack_max_depth bug (git-fixes). * selftests/bpf: Clean up sys_nanosleep uses (git-fixes). * serial: 8250_port: Check IRQ data before use (git-fixes). * soc: imx8m: Enable OCOTP clock for imx8mm before reading registers (git- fixes). * spi: nxp-fspi: reset the FLSHxCR1 registers (git-fixes). * spi: stm32: add a delay before SPI disable (git-fixes). * spi: sun6i: fix race between DMA RX transfer completion and RX FIFO drain (git-fixes). * spi: sun6i: reduce DMA RX transfer width to single byte (git-fixes). * thunderbolt: Check that lane 1 is in CL0 before enabling lane bonding (git- fixes). * thunderbolt: Restart XDomain discovery handshake after failure (git-fixes). * thunderbolt: Workaround an IOMMU fault on certain systems with Intel Maple Ridge (git-fixes). * tracing: Have current_trace inc the trace array ref count (git-fixes). * tracing: Have event inject files inc the trace array ref count (git-fixes). * tracing: Have option files inc the trace array ref count (git-fixes). * tracing: Have tracing_max_latency inc the trace array ref count (git-fixes). * tracing: Increase trace array ref count on enable and filter files (git- fixes). * tracing: Make trace_marker{,_raw} stream-like (git-fixes). * usb: cdnsp: Fixes issue with dequeuing not queued requests (git-fixes). * usb: dwc3: Soft reset phy on probe for host (git-fixes). * usb: gadget: ncm: Handle decoding of multiple NTB's in unwrap call (git- fixes). * usb: gadget: udc-xilinx: replace memcpy with memcpy_toio (git-fixes). * usb: hub: Guard against accesses to uninitialized BOS descriptors (git- fixes). * usb: musb: Get the musb_qh poniter after musb_giveback (git-fixes). * usb: musb: Modify the "HWVers" register address (git-fixes). * usb: typec: altmodes/displayport: Signal hpd low when exiting mode (git- fixes). * usb: typec: ucsi: Clear EVENT_PENDING bit if ucsi_send_command fails (git- fixes). * usb: xhci: xhci-ring: Use sysdev for mapping bounce buffer (git-fixes). * vmbus_testing: fix wrong python syntax for integer value comparison (git- fixes). * vringh: do not use vringh_kiov_advance() in vringh_iov_xfer() (git-fixes). * watchdog: iTCO_wdt: No need to stop the timer in probe (git-fixes). * watchdog: iTCO_wdt: Set NO_REBOOT if the watchdog is not already running (git-fixes). * wifi: cfg80211: Fix 6GHz scan configuration (git-fixes). * wifi: cfg80211: avoid leaking stack data into trace (git-fixes). * wifi: iwlwifi: Ensure ack flag is properly cleared (git-fixes). * wifi: iwlwifi: dbg_ini: fix structure packing (git-fixes). * wifi: iwlwifi: mvm: Fix a memory corruption issue (git-fixes). * wifi: mac80211: allow transmitting EAPOL frames with tainted key (git- fixes). * wifi: mt76: mt76x02: fix MT76x0 external LNA gain handling (git-fixes). * wifi: mwifiex: Fix oob check condition in mwifiex_process_rx_packet (git- fixes). * wifi: mwifiex: Fix tlv_buf_left calculation (git-fixes). * wifi: mwifiex: Sanity check tlv_len and tlv_bitmap_len (git-fixes). * x86/cpu, kvm: Add the NO_NESTED_DATA_BP feature (bsc#1213772). * x86/cpu, kvm: Add the Null Selector Clears Base feature (bsc#1213772). * x86/cpu, kvm: Add the SMM_CTL MSR not present feature (bsc#1213772). * x86/cpu, kvm: Move X86_FEATURE_LFENCE_RDTSC to its native leaf (bsc#1213772). * x86/cpu: Enable STIBP on AMD if Automatic IBRS is enabled (bsc#1213772). * x86/cpu: Support AMD Automatic IBRS (bsc#1213772). * x86/mm: Print the encryption features correctly when a paravisor is present (bsc#1206453). * x86/platform/uv: Use alternate source for socket to node data (bsc#1215696). * x86/sev: Check IOBM for IOIO exceptions from user-space (bsc#1212649). * x86/sev: Check for user-space IOIO pointing to kernel space (bsc#1212649). * x86/sev: Disable MMIO emulation from user mode (bsc#1212649). * x86/sev: Make enc_dec_hypercall() accept a size instead of npages (bsc#1214635). * xen-netback: use default TX queue size for vifs (git-fixes). * xhci: Keep interrupt disabled in initialization until host is running (git- fixes). ## Special Instructions and Notes: * Please reboot the system after installing this update. ## Patch Instructions: To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: * openSUSE Leap 15.5 zypper in -t patch SUSE-2023-4414=1 openSUSE-SLE-15.5-2023-4414=1 * Public Cloud Module 15-SP5 zypper in -t patch SUSE-SLE-Module-Public-Cloud-15-SP5-2023-4414=1 ## Package List: * openSUSE Leap 15.5 (aarch64 x86_64) * dlm-kmp-azure-5.14.21-150500.33.23.1 * kernel-azure-debugsource-5.14.21-150500.33.23.1 * reiserfs-kmp-azure-5.14.21-150500.33.23.1 * kselftests-kmp-azure-debuginfo-5.14.21-150500.33.23.1 * gfs2-kmp-azure-5.14.21-150500.33.23.1 * kernel-azure-debuginfo-5.14.21-150500.33.23.1 * cluster-md-kmp-azure-5.14.21-150500.33.23.1 * kernel-azure-optional-debuginfo-5.14.21-150500.33.23.1 * kernel-syms-azure-5.14.21-150500.33.23.1 * cluster-md-kmp-azure-debuginfo-5.14.21-150500.33.23.1 * ocfs2-kmp-azure-5.14.21-150500.33.23.1 * kernel-azure-livepatch-devel-5.14.21-150500.33.23.1 * kernel-azure-devel-5.14.21-150500.33.23.1 * reiserfs-kmp-azure-debuginfo-5.14.21-150500.33.23.1 * kernel-azure-extra-debuginfo-5.14.21-150500.33.23.1 * gfs2-kmp-azure-debuginfo-5.14.21-150500.33.23.1 * kernel-azure-optional-5.14.21-150500.33.23.1 * ocfs2-kmp-azure-debuginfo-5.14.21-150500.33.23.1 * dlm-kmp-azure-debuginfo-5.14.21-150500.33.23.1 * kernel-azure-extra-5.14.21-150500.33.23.1 * kselftests-kmp-azure-5.14.21-150500.33.23.1 * kernel-azure-devel-debuginfo-5.14.21-150500.33.23.1 * openSUSE Leap 15.5 (aarch64 nosrc x86_64) * kernel-azure-5.14.21-150500.33.23.1 * openSUSE Leap 15.5 (x86_64) * kernel-azure-vdso-debuginfo-5.14.21-150500.33.23.1 * kernel-azure-vdso-5.14.21-150500.33.23.1 * openSUSE Leap 15.5 (noarch) * kernel-source-azure-5.14.21-150500.33.23.1 * kernel-devel-azure-5.14.21-150500.33.23.1 * Public Cloud Module 15-SP5 (aarch64 nosrc x86_64) * kernel-azure-5.14.21-150500.33.23.1 * Public Cloud Module 15-SP5 (aarch64 x86_64) * kernel-azure-debugsource-5.14.21-150500.33.23.1 * kernel-azure-devel-5.14.21-150500.33.23.1 * kernel-syms-azure-5.14.21-150500.33.23.1 * kernel-azure-debuginfo-5.14.21-150500.33.23.1 * kernel-azure-devel-debuginfo-5.14.21-150500.33.23.1 * Public Cloud Module 15-SP5 (noarch) * kernel-source-azure-5.14.21-150500.33.23.1 * kernel-devel-azure-5.14.21-150500.33.23.1 ## References: * https://www.suse.com/security/cve/CVE-2023-2163.html * https://www.suse.com/security/cve/CVE-2023-2860.html * https://www.suse.com/security/cve/CVE-2023-31085.html * https://www.suse.com/security/cve/CVE-2023-34324.html * https://www.suse.com/security/cve/CVE-2023-3777.html * https://www.suse.com/security/cve/CVE-2023-39189.html * https://www.suse.com/security/cve/CVE-2023-39191.html * https://www.suse.com/security/cve/CVE-2023-39193.html * https://www.suse.com/security/cve/CVE-2023-45862.html * https://www.suse.com/security/cve/CVE-2023-46813.html * https://www.suse.com/security/cve/CVE-2023-5178.html * https://bugzilla.suse.com/show_bug.cgi?id=1208788 * https://bugzilla.suse.com/show_bug.cgi?id=1211162 * https://bugzilla.suse.com/show_bug.cgi?id=1211307 * https://bugzilla.suse.com/show_bug.cgi?id=1212423 * https://bugzilla.suse.com/show_bug.cgi?id=1213705 * https://bugzilla.suse.com/show_bug.cgi?id=1213772 * https://bugzilla.suse.com/show_bug.cgi?id=1214754 * https://bugzilla.suse.com/show_bug.cgi?id=1214874 * https://bugzilla.suse.com/show_bug.cgi?id=1215104 * https://bugzilla.suse.com/show_bug.cgi?id=1215523 * https://bugzilla.suse.com/show_bug.cgi?id=1215545 * https://bugzilla.suse.com/show_bug.cgi?id=1215921 * https://bugzilla.suse.com/show_bug.cgi?id=1215955 * https://bugzilla.suse.com/show_bug.cgi?id=1215986 * https://bugzilla.suse.com/show_bug.cgi?id=1216062 * https://bugzilla.suse.com/show_bug.cgi?id=1216202 * https://bugzilla.suse.com/show_bug.cgi?id=1216322 * https://bugzilla.suse.com/show_bug.cgi?id=1216323 * https://bugzilla.suse.com/show_bug.cgi?id=1216324 * https://bugzilla.suse.com/show_bug.cgi?id=1216333 * https://bugzilla.suse.com/show_bug.cgi?id=1216345 * https://bugzilla.suse.com/show_bug.cgi?id=1216512

1 0

SUSE-SU-2023:4415-1: important: Security update for clamav
by security＠lists.opensuse.org 10 Nov '23

10 Nov '23

# Security update for clamav Announcement ID: SUSE-SU-2023:4415-1 Rating: important References: * bsc#1216625 Cross-References: * CVE-2023-40477 CVSS scores: Affected Products: * Basesystem Module 15-SP4 * Basesystem Module 15-SP5 * openSUSE Leap 15.4 * openSUSE Leap 15.5 * SUSE CaaS Platform 4.0 * SUSE Enterprise Storage 7.1 * SUSE Linux Enterprise Desktop 15 SP4 * SUSE Linux Enterprise Desktop 15 SP5 * SUSE Linux Enterprise High Performance Computing 15 SP1 * SUSE Linux Enterprise High Performance Computing 15 SP1 LTSS 15-SP1 * SUSE Linux Enterprise High Performance Computing 15 SP2 * SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 * SUSE Linux Enterprise High Performance Computing 15 SP3 * SUSE Linux Enterprise High Performance Computing 15 SP4 * SUSE Linux Enterprise High Performance Computing 15 SP5 * SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3 * SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 * SUSE Linux Enterprise Real Time 15 SP4 * SUSE Linux Enterprise Real Time 15 SP5 * SUSE Linux Enterprise Server 15 SP1 * SUSE Linux Enterprise Server 15 SP1 LTSS 15-SP1 * SUSE Linux Enterprise Server 15 SP2 * SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 * SUSE Linux Enterprise Server 15 SP3 * SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 * SUSE Linux Enterprise Server 15 SP4 * SUSE Linux Enterprise Server 15 SP5 * SUSE Linux Enterprise Server for SAP Applications 15 SP1 * SUSE Linux Enterprise Server for SAP Applications 15 SP2 * SUSE Linux Enterprise Server for SAP Applications 15 SP3 * SUSE Linux Enterprise Server for SAP Applications 15 SP4 * SUSE Linux Enterprise Server for SAP Applications 15 SP5 * SUSE Manager Proxy 4.2 * SUSE Manager Proxy 4.3 * SUSE Manager Retail Branch Server 4.2 * SUSE Manager Retail Branch Server 4.3 * SUSE Manager Server 4.2 * SUSE Manager Server 4.3 An update that solves one vulnerability can now be installed. ## Description: This update for clamav fixes the following issues: * Updated to version 0.103.11: * CVE-2023-40477: Updated libclamunrar dependency to version 6.2.12 (bsc#1216625). ## Patch Instructions: To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: * openSUSE Leap 15.4 zypper in -t patch openSUSE-SLE-15.4-2023-4415=1 * openSUSE Leap 15.5 zypper in -t patch openSUSE-SLE-15.5-2023-4415=1 * Basesystem Module 15-SP4 zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP4-2023-4415=1 * Basesystem Module 15-SP5 zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP5-2023-4415=1 * SUSE Linux Enterprise High Performance Computing 15 SP1 LTSS 15-SP1 zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-LTSS-2023-4415=1 * SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 zypper in -t patch SUSE-SLE-Product-HPC-15-SP2-LTSS-2023-4415=1 * SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3 zypper in -t patch SUSE-SLE-Product-HPC-15-SP3-ESPOS-2023-4415=1 * SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 zypper in -t patch SUSE-SLE-Product-HPC-15-SP3-LTSS-2023-4415=1 * SUSE Linux Enterprise Server 15 SP1 LTSS 15-SP1 zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-LTSS-2023-4415=1 * SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 zypper in -t patch SUSE-SLE-Product-SLES-15-SP2-LTSS-2023-4415=1 * SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 zypper in -t patch SUSE-SLE-Product-SLES-15-SP3-LTSS-2023-4415=1 * SUSE Linux Enterprise Server for SAP Applications 15 SP1 zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP1-2023-4415=1 * SUSE Linux Enterprise Server for SAP Applications 15 SP2 zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP2-2023-4415=1 * SUSE Linux Enterprise Server for SAP Applications 15 SP3 zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP3-2023-4415=1 * SUSE Manager Proxy 4.2 zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Proxy-4.2-2023-4415=1 * SUSE Manager Retail Branch Server 4.2 zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Retail-Branch- Server-4.2-2023-4415=1 * SUSE Manager Server 4.2 zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Server-4.2-2023-4415=1 * SUSE Enterprise Storage 7.1 zypper in -t patch SUSE-Storage-7.1-2023-4415=1 * SUSE CaaS Platform 4.0 To install this update, use the SUSE CaaS Platform 'skuba' tool. It will inform you if it detects new updates and let you then trigger updating of the complete cluster in a controlled way. ## Package List: * openSUSE Leap 15.4 (aarch64 ppc64le s390x x86_64) * clamav-0.103.11-150000.3.50.1 * clamav-debuginfo-0.103.11-150000.3.50.1 * libclamav9-debuginfo-0.103.11-150000.3.50.1 * libfreshclam2-debuginfo-0.103.11-150000.3.50.1 * clamav-debugsource-0.103.11-150000.3.50.1 * libclamav9-0.103.11-150000.3.50.1 * libfreshclam2-0.103.11-150000.3.50.1 * clamav-devel-0.103.11-150000.3.50.1 * openSUSE Leap 15.5 (aarch64 ppc64le s390x x86_64) * clamav-0.103.11-150000.3.50.1 * clamav-debuginfo-0.103.11-150000.3.50.1 * libclamav9-debuginfo-0.103.11-150000.3.50.1 * libfreshclam2-debuginfo-0.103.11-150000.3.50.1 * clamav-debugsource-0.103.11-150000.3.50.1 * libclamav9-0.103.11-150000.3.50.1 * libfreshclam2-0.103.11-150000.3.50.1 * clamav-devel-0.103.11-150000.3.50.1 * Basesystem Module 15-SP4 (aarch64 ppc64le s390x x86_64) * clamav-0.103.11-150000.3.50.1 * clamav-debuginfo-0.103.11-150000.3.50.1 * libclamav9-debuginfo-0.103.11-150000.3.50.1 * libfreshclam2-debuginfo-0.103.11-150000.3.50.1 * clamav-debugsource-0.103.11-150000.3.50.1 * libclamav9-0.103.11-150000.3.50.1 * libfreshclam2-0.103.11-150000.3.50.1 * clamav-devel-0.103.11-150000.3.50.1 * Basesystem Module 15-SP5 (aarch64 ppc64le s390x x86_64) * clamav-0.103.11-150000.3.50.1 * clamav-debuginfo-0.103.11-150000.3.50.1 * libclamav9-debuginfo-0.103.11-150000.3.50.1 * libfreshclam2-debuginfo-0.103.11-150000.3.50.1 * clamav-debugsource-0.103.11-150000.3.50.1 * libclamav9-0.103.11-150000.3.50.1 * libfreshclam2-0.103.11-150000.3.50.1 * clamav-devel-0.103.11-150000.3.50.1 * SUSE Linux Enterprise High Performance Computing 15 SP1 LTSS 15-SP1 (aarch64 x86_64) * clamav-0.103.11-150000.3.50.1 * clamav-debuginfo-0.103.11-150000.3.50.1 * libclamav9-debuginfo-0.103.11-150000.3.50.1 * libfreshclam2-debuginfo-0.103.11-150000.3.50.1 * clamav-debugsource-0.103.11-150000.3.50.1 * libclamav9-0.103.11-150000.3.50.1 * libfreshclam2-0.103.11-150000.3.50.1 * clamav-devel-0.103.11-150000.3.50.1 * SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (aarch64 x86_64) * clamav-0.103.11-150000.3.50.1 * clamav-debuginfo-0.103.11-150000.3.50.1 * libclamav9-debuginfo-0.103.11-150000.3.50.1 * libfreshclam2-debuginfo-0.103.11-150000.3.50.1 * clamav-debugsource-0.103.11-150000.3.50.1 * libclamav9-0.103.11-150000.3.50.1 * libfreshclam2-0.103.11-150000.3.50.1 * clamav-devel-0.103.11-150000.3.50.1 * SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3 (aarch64 x86_64) * clamav-0.103.11-150000.3.50.1 * clamav-debuginfo-0.103.11-150000.3.50.1 * libclamav9-debuginfo-0.103.11-150000.3.50.1 * libfreshclam2-debuginfo-0.103.11-150000.3.50.1 * clamav-debugsource-0.103.11-150000.3.50.1 * libclamav9-0.103.11-150000.3.50.1 * libfreshclam2-0.103.11-150000.3.50.1 * clamav-devel-0.103.11-150000.3.50.1 * SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (aarch64 x86_64) * clamav-0.103.11-150000.3.50.1 * clamav-debuginfo-0.103.11-150000.3.50.1 * libclamav9-debuginfo-0.103.11-150000.3.50.1 * libfreshclam2-debuginfo-0.103.11-150000.3.50.1 * clamav-debugsource-0.103.11-150000.3.50.1 * libclamav9-0.103.11-150000.3.50.1 * libfreshclam2-0.103.11-150000.3.50.1 * clamav-devel-0.103.11-150000.3.50.1 * SUSE Linux Enterprise Server 15 SP1 LTSS 15-SP1 (aarch64 ppc64le s390x x86_64) * clamav-0.103.11-150000.3.50.1 * clamav-debuginfo-0.103.11-150000.3.50.1 * libclamav9-debuginfo-0.103.11-150000.3.50.1 * libfreshclam2-debuginfo-0.103.11-150000.3.50.1 * clamav-debugsource-0.103.11-150000.3.50.1 * libclamav9-0.103.11-150000.3.50.1 * libfreshclam2-0.103.11-150000.3.50.1 * clamav-devel-0.103.11-150000.3.50.1 * SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (aarch64 ppc64le s390x x86_64) * clamav-0.103.11-150000.3.50.1 * clamav-debuginfo-0.103.11-150000.3.50.1 * libclamav9-debuginfo-0.103.11-150000.3.50.1 * libfreshclam2-debuginfo-0.103.11-150000.3.50.1 * clamav-debugsource-0.103.11-150000.3.50.1 * libclamav9-0.103.11-150000.3.50.1 * libfreshclam2-0.103.11-150000.3.50.1 * clamav-devel-0.103.11-150000.3.50.1 * SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (aarch64 ppc64le s390x x86_64) * clamav-0.103.11-150000.3.50.1 * clamav-debuginfo-0.103.11-150000.3.50.1 * libclamav9-debuginfo-0.103.11-150000.3.50.1 * libfreshclam2-debuginfo-0.103.11-150000.3.50.1 * clamav-debugsource-0.103.11-150000.3.50.1 * libclamav9-0.103.11-150000.3.50.1 * libfreshclam2-0.103.11-150000.3.50.1 * clamav-devel-0.103.11-150000.3.50.1 * SUSE Linux Enterprise Server for SAP Applications 15 SP1 (ppc64le x86_64) * clamav-0.103.11-150000.3.50.1 * clamav-debuginfo-0.103.11-150000.3.50.1 * libclamav9-debuginfo-0.103.11-150000.3.50.1 * libfreshclam2-debuginfo-0.103.11-150000.3.50.1 * clamav-debugsource-0.103.11-150000.3.50.1 * libclamav9-0.103.11-150000.3.50.1 * libfreshclam2-0.103.11-150000.3.50.1 * clamav-devel-0.103.11-150000.3.50.1 * SUSE Linux Enterprise Server for SAP Applications 15 SP2 (ppc64le x86_64) * clamav-0.103.11-150000.3.50.1 * clamav-debuginfo-0.103.11-150000.3.50.1 * libclamav9-debuginfo-0.103.11-150000.3.50.1 * libfreshclam2-debuginfo-0.103.11-150000.3.50.1 * clamav-debugsource-0.103.11-150000.3.50.1 * libclamav9-0.103.11-150000.3.50.1 * libfreshclam2-0.103.11-150000.3.50.1 * clamav-devel-0.103.11-150000.3.50.1 * SUSE Linux Enterprise Server for SAP Applications 15 SP3 (ppc64le x86_64) * clamav-0.103.11-150000.3.50.1 * clamav-debuginfo-0.103.11-150000.3.50.1 * libclamav9-debuginfo-0.103.11-150000.3.50.1 * libfreshclam2-debuginfo-0.103.11-150000.3.50.1 * clamav-debugsource-0.103.11-150000.3.50.1 * libclamav9-0.103.11-150000.3.50.1 * libfreshclam2-0.103.11-150000.3.50.1 * clamav-devel-0.103.11-150000.3.50.1 * SUSE Manager Proxy 4.2 (x86_64) * clamav-0.103.11-150000.3.50.1 * clamav-debuginfo-0.103.11-150000.3.50.1 * libclamav9-debuginfo-0.103.11-150000.3.50.1 * libfreshclam2-debuginfo-0.103.11-150000.3.50.1 * clamav-debugsource-0.103.11-150000.3.50.1 * libclamav9-0.103.11-150000.3.50.1 * libfreshclam2-0.103.11-150000.3.50.1 * clamav-devel-0.103.11-150000.3.50.1 * SUSE Manager Retail Branch Server 4.2 (x86_64) * clamav-0.103.11-150000.3.50.1 * clamav-debuginfo-0.103.11-150000.3.50.1 * libclamav9-debuginfo-0.103.11-150000.3.50.1 * libfreshclam2-debuginfo-0.103.11-150000.3.50.1 * clamav-debugsource-0.103.11-150000.3.50.1 * libclamav9-0.103.11-150000.3.50.1 * libfreshclam2-0.103.11-150000.3.50.1 * clamav-devel-0.103.11-150000.3.50.1 * SUSE Manager Server 4.2 (ppc64le s390x x86_64) * clamav-0.103.11-150000.3.50.1 * clamav-debuginfo-0.103.11-150000.3.50.1 * libclamav9-debuginfo-0.103.11-150000.3.50.1 * libfreshclam2-debuginfo-0.103.11-150000.3.50.1 * clamav-debugsource-0.103.11-150000.3.50.1 * libclamav9-0.103.11-150000.3.50.1 * libfreshclam2-0.103.11-150000.3.50.1 * clamav-devel-0.103.11-150000.3.50.1 * SUSE Enterprise Storage 7.1 (aarch64 x86_64) * clamav-0.103.11-150000.3.50.1 * clamav-debuginfo-0.103.11-150000.3.50.1 * libclamav9-debuginfo-0.103.11-150000.3.50.1 * libfreshclam2-debuginfo-0.103.11-150000.3.50.1 * clamav-debugsource-0.103.11-150000.3.50.1 * libclamav9-0.103.11-150000.3.50.1 * libfreshclam2-0.103.11-150000.3.50.1 * clamav-devel-0.103.11-150000.3.50.1 * SUSE CaaS Platform 4.0 (x86_64) * clamav-0.103.11-150000.3.50.1 * clamav-debuginfo-0.103.11-150000.3.50.1 * libclamav9-debuginfo-0.103.11-150000.3.50.1 * libfreshclam2-debuginfo-0.103.11-150000.3.50.1 * clamav-debugsource-0.103.11-150000.3.50.1 * libclamav9-0.103.11-150000.3.50.1 * libfreshclam2-0.103.11-150000.3.50.1 * clamav-devel-0.103.11-150000.3.50.1 ## References: * https://www.suse.com/security/cve/CVE-2023-40477.html * https://bugzilla.suse.com/show_bug.cgi?id=1216625

1 0

openSUSE-SU-2023:0361-1: moderate: Security update for tor
by opensuse-security＠opensuse.org 10 Nov '23

10 Nov '23

openSUSE Security Update: Security update for tor ______________________________________________________________________________ Announcement ID: openSUSE-SU-2023:0361-1 Rating: moderate References: #1216873 Affected Products: openSUSE Backports SLE-15-SP4 openSUSE Backports SLE-15-SP5 ______________________________________________________________________________ An update that contains security fixes can now be installed. Description: This update for tor fixes the following issues: - tor 0.4.8.8: * Mitigate an issue when Tor compiled with OpenSSL can crash during handshake with a remote relay. (TROVE-2023-004, boo#1216873) * Regenerate fallback directories generated on November 03, 2023. * Update the geoip files to match the IPFire Location Database, as retrieved on 2023/11/03 * directory authority: Look at the network parameter "maxunmeasuredbw" with the correct spelling * vanguards addon support: Count the conflux linked cell as valid when it is successfully processed. This will quiet a spurious warn in the vanguards addon - tor 0.4.8.7: * Fix an issue that prevented us from pre-building more conflux sets after existing sets had been used - tor 0.4.8.6: * onion service: Fix a reliability issue where services were expiring their introduction points every consensus update. This caused connectivity issues for clients caching the old descriptor and intro points * Log the input and output buffer sizes when we detect a potential compression bomb * Disable multiple BUG warnings of a missing relay identity key when starting an instance of Tor compiled without relay support * When reporting a pseudo-networkstatus as a bridge authority, or answering "ns/purpose/*" controller requests, include accurate published-on dates from our list of router descriptors * Use less frightening language and lower the log-level of our run-time ABI compatibility check message in our Zstd compression subsystem - tor 0.4.8.5: * bugfixes creating log BUG stacktrace - tor 0.4.8.4: * Extend DoS protection to partially opened channels and known relays * Dynamic Proof-Of-Work protocol to thwart flooding DoS attacks against hidden services. Disabled by default, enable via "HiddenServicePoW" in torrc * Implement conflux traffic splitting * Directory authorities and relays now interact properly with directory authorities if they change addresses - tor 0.4.7.14: * bugfix affecting vanguards (onion service), and minor fixes - Enable support for scrypt() Patch Instructions: To install this openSUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - openSUSE Backports SLE-15-SP5: zypper in -t patch openSUSE-2023-361=1 - openSUSE Backports SLE-15-SP4: zypper in -t patch openSUSE-2023-361=1 Package List: - openSUSE Backports SLE-15-SP5 (aarch64 i586 ppc64le s390x x86_64): tor-0.4.8.8-bp155.2.3.1 tor-debuginfo-0.4.8.8-bp155.2.3.1 tor-debugsource-0.4.8.8-bp155.2.3.1 - openSUSE Backports SLE-15-SP4 (aarch64 i586 ppc64le s390x x86_64): tor-0.4.8.8-bp154.2.15.1 References: https://bugzilla.suse.com/1216873

1 0

openSUSE-SU-2023:0360-1: moderate: Security update for go1.21
by opensuse-security＠opensuse.org 09 Nov '23

09 Nov '23

openSUSE Security Update: Security update for go1.21 ______________________________________________________________________________ Announcement ID: openSUSE-SU-2023:0360-1 Rating: moderate References: #1212475 #1212667 #1212669 #1215084 #1215085 #1215086 #1215087 #1215090 #1215985 #1216109 Cross-References: CVE-2023-39318 CVE-2023-39319 CVE-2023-39320 CVE-2023-39321 CVE-2023-39322 CVE-2023-39323 CVE-2023-39325 CVE-2023-44487 CVSS scores: CVE-2023-39318 (NVD) : 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVE-2023-39318 (SUSE): 6.8 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N CVE-2023-39319 (NVD) : 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVE-2023-39319 (SUSE): 6.8 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N CVE-2023-39320 (NVD) : 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2023-39320 (SUSE): 7.7 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N CVE-2023-39321 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2023-39321 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2023-39322 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2023-39322 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2023-39323 (NVD) : 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2023-39323 (SUSE): 7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2023-39325 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2023-39325 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2023-44487 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2023-44487 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Affected Products: SUSE Linux Enterprise High Performance Computing 12 SUSE Linux Enterprise Server 12 SUSE Linux Enterprise Server 12-SP3 SUSE Linux Enterprise Server 12-SP4 SUSE Linux Enterprise Server 12-SP5 SUSE Linux Enterprise Server for SAP Applications 12 SUSE Linux Enterprise Server for SAP Applications 12-SP3 SUSE Linux Enterprise Server for SAP Applications 12-SP4 SUSE Linux Enterprise Server for SAP Applications 12-SP5 SUSE Package Hub for SUSE Linux Enterprise 12 ______________________________________________________________________________ An update that solves 8 vulnerabilities and has two fixes is now available. Description: This update introduces go1.21, including fixes for the following issues: - go1.21.3 (released 2023-10-10) includes a security fix to the net/http package. Refs boo#1212475 go1.21 release tracking CVE-2023-39325 CVE-2023-44487 * go#63427 go#63417 boo#1216109 security: fix CVE-2023-39325 CVE-2023-44487 net/http: rapid stream resets can cause excessive work - go1.21.2 (released 2023-10-05) includes one security fixes to the cmd/go package, as well as bug fixes to the compiler, the go command, the linker, the runtime, and the runtime/metrics package. Refs boo#1212475 go1.21 release tracking CVE-2023-39323 * go#63214 go#63211 boo#1215985 security: fix CVE-2023-39323 cmd/go: line directives allows arbitrary execution during build * go#62464 runtime: "traceback did not unwind completely" * go#62478 runtime/metrics: /gc/scan* metrics return zero * go#62505 plugin: variable not initialized properly * go#62506 cmd/compile: internal compiler error: InvertFlags should never make it to codegen v100 = InvertFlags v123 * go#62509 runtime: scheduler change causes Delve's function call injection to fail intermittently * go#62537 runtime: "fatal: morestack on g0" with PGO enabled on arm64 * go#62598 cmd/link: issues with Apple's new linker in Xcode 15 beta * go#62668 cmd/compile: slow to compile 17,000 line switch statement? * go#62711 cmd/go: TestScript/gotoolchain_path fails if golang.org/dl/go1.21.1 is installed in the user's $PATH - go1.21.1 (released 2023-09-06) includes four security fixes to the cmd/go, crypto/tls, and html/template packages, as well as bug fixes to the compiler, the go command, the linker, the runtime, and the context, crypto/tls, encoding/gob, encoding/xml, go/types, net/http, os, and path/filepath packages. Refs boo#1212475 go1.21 release tracking CVE-2023-39318 CVE-2023-39319 CVE-2023-39320 CVE-2023-39321 CVE-2023-39322 * go#62290 go#62266 boo#1215087 security: fix CVE-2023-39321 CVE-2023-39322 crypto/tls: panic when processing partial post-handshake message in QUICConn.HandleData * go#62394 go#62198 boo#1215086 security: fix CVE-2023-39320 cmd/go: go.mod toolchain directive allows arbitrary execution * go#62396 go#62196 boo#1215084 security: fix CVE-2023-39318 html/template: improper handling of HTML-like comments within script contexts * go#62398 go#62197 boo#1215085 security: fix CVE-2023-39319 html/template: improper handling of special tags within script contexts * go#61743 go/types: interface.Complete panics for interfaces with duplicate methods * go#61781 cmd/compile: internal compiler error: 'f': value .autotmp_1 (nil) incorrectly live at entry * go#61818 cmd/go: panic: runtime error: index out of range [-1] in collectDepsErrors * go#61821 runtime/internal/wasitest: TestTCPEcho is racy * go#61868 path/filepath: Clean on some invalid Windows paths can lose .. components * go#61904 net/http: go 1.20.6 host validation breaks setting Host to a unix socket address * go#61905 cmd/go: go get/mod tidy panics with internal error: net token acquired but not released * go#61909 cmd/compile: internal compiler error: missed typecheck * go#61910 os: ReadDir fails on file systems without File ID support on Windows * go#61927 cmd/distpack: release archives don't include directory members * go#61930 spec, go/types, types2: restore Go 1.20 unification when compiling for Go 1.20 * go#61932 go/types, types2: index out of range panic in Checker.arguments * go#61958 cmd/compile: write barrier code is sometimes preemptible when compiled with -N * go#61959 go/types, types2: panic: infinite recursion in unification with go1.21.0 * go#61964 os: ReadDir(\\.\pipe\) fails with go1.21 on Windows * go#61967 crypto/tls: add GODEBUG to control max RSA key size * go#61987 runtime: simple programs crash on linux/386 with go1.21 when build with -gcflags='all=-N -l' * go#62019 runtime: execution halts with goroutines stuck in runtime.gopark (protocol error E08 during memory read for packet) * go#62046 runtime/trace: segfault in runtime.fpTracebackPCs during deferred call after recovering from panic * go#62051 encoding/xml: incompatible changes in the Go 1.21.0 * go#62057 cmd/compile: internal compiler error: 'F': func F, startMem[b1] has different values * go#62071 cmd/api: make non-importable * go#62140 cmd/link: slice bounds out of range * go#62143 hash/crc32: panic on arm64 with go1.21.0 when indexing slice * go#62144 cmd/go: locating GOROOT fails when the go command is run from the cross-compiled bin subdirectory * go#62154 encoding/gob: panic decoding into local type, received remote type * go#62189 context: misuse of sync.Cond in ExampleAfterFunc_cond * go#62204 maps: segfault in Clone * go#62205 cmd/compile: backward incompatible change in Go 1.21 type inference with channels * go#62222 cmd/go: 'go test -o' may fail with ETXTBSY when running the compiled test * go#62328 net/http: http client regression building with js/wasm and running on Chrome: net::ERR_H2_OR_QUIC_REQUIRED * go#62329 runtime: MADV_HUGEPAGE causes stalls when allocating memory - go1.21 (released 2023-08-08) is a major release of Go. go1.21.x minor releases will be provided through August 2024. https://github.com/golang/go/wiki/Go-Release-Cycle go1.21 arrives six months after go1.20. Most of its changes are in the implementation of the toolchain, runtime, and libraries. As always, the release maintains the Go 1 promise of compatibility. We expect almost all Go programs to continue to compile and run as before. Refs boo#1212475 go1.21 release tracking * Go 1.21 introduces a small change to the numbering of releases. In the past, we used Go 1.N to refer to both the overall Go language version and release family as well as the first release in that family. Starting in Go 1.21, the first release is now Go 1.N.0. Today we are releasing both the Go 1.21 language and its initial implementation, the Go 1.21.0 release. These notes refer to "Go 1.21"; tools like go version will report "go1.21.0" (until you upgrade to Go 1.21.1). See "Go versions" in the "Go Toolchains" documentation for details about the new version numbering. * Language change: Go 1.21 adds three new built-ins to the language. * Language change: The new functions min and max compute the smallest (or largest, for max) value of a fixed number of given arguments. See the language spec for details. * Language change: The new function clear deletes all elements from a map or zeroes all elements of a slice. See the language spec for details. * Package initialization order is now specified more precisely. This may change the behavior of some programs that rely on a specific initialization ordering that was not expressed by explicit imports. The behavior of such programs was not well defined by the spec in past releases. The new rule provides an unambiguous definition. * Multiple improvements that increase the power and precision of type inference have been made. * A (possibly partially instantiated generic) function may now be called with arguments that are themselves (possibly partially instantiated) generic functions. * Type inference now also considers methods when a value is assigned to an interface: type arguments for type parameters used in method signatures may be inferred from the corresponding parameter types of matching methods. * Similarly, since a type argument must implement all the methods of its corresponding constraint, the methods of the type argument and constraint are matched which may lead to the inference of additional type arguments. * If multiple untyped constant arguments of different kinds (such as an untyped int and an untyped floating-point constant) are passed to parameters with the same (not otherwise specified) type parameter type, instead of an error, now type inference determines the type using the same approach as an operator with untyped constant operands. This change brings the types inferred from untyped constant arguments in line with the types of constant expressions. * Type inference is now precise when matching corresponding types in assignments * The description of type inference in the language spec has been clarified. * Go 1.21 includes a preview of a language change we are considering for a future version of Go: making for loop variables per-iteration instead of per-loop, to avoid accidental sharing bugs. For details about how to try that language change, see the LoopvarExperiment wiki page. * Go 1.21 now defines that if a goroutine is panicking and recover was called directly by a deferred function, the return value of recover is guaranteed not to be nil. To ensure this, calling panic with a nil interface value (or an untyped nil) causes a run-time panic of type *runtime.PanicNilError. To support programs written for older versions of Go, nil panics can be re-enabled by setting GODEBUG=panicnil=1. This setting is enabled automatically when compiling a program whose main package is in a module with that declares go 1.20 or earlier. * Go 1.21 adds improved support for backwards compatibility and forwards compatibility in the Go toolchain. * To improve backwards compatibility, Go 1.21 formalizes Go's use of the GODEBUG environment variable to control the default behavior for changes that are non-breaking according to the compatibility policy but nonetheless may cause existing programs to break. (For example, programs that depend on buggy behavior may break when a bug is fixed, but bug fixes are not considered breaking changes.) When Go must make this kind of behavior change, it now chooses between the old and new behavior based on the go line in the workspace's go.work file or else the main module's go.mod file. Upgrading to a new Go toolchain but leaving the go line set to its original (older) Go version preserves the behavior of the older toolchain. With this compatibility support, the latest Go toolchain should always be the best, most secure, implementation of an older version of Go. See "Go, Backwards Compatibility, and GODEBUG" for details. * To improve forwards compatibility, Go 1.21 now reads the go line in a go.work or go.mod file as a strict minimum requirement: go 1.21.0 means that the workspace or module cannot be used with Go 1.20 or with Go 1.21rc1. This allows projects that depend on fixes made in later versions of Go to ensure that they are not used with earlier versions. It also gives better error reporting for projects that make use of new Go features: when the problem is that a newer Go version is needed, that problem is reported clearly, instead of attempting to build the code and instead printing errors about unresolved imports or syntax errors. * To make these new stricter version requirements easier to manage, the go command can now invoke not just the toolchain bundled in its own release but also other Go toolchain versions found in the PATH or downloaded on demand. If a go.mod or go.work go line declares a minimum requirement on a newer version of Go, the go command will find and run that version automatically. The new toolchain directive sets a suggested minimum toolchain to use, which may be newer than the strict go minimum. See "Go Toolchains" for details. * go command: The -pgo build flag now defaults to -pgo=auto, and the restriction of specifying a single main package on the command line is now removed. If a file named default.pgo is present in the main package's directory, the go command will use it to enable profile-guided optimization for building the corresponding program. * go command: The -C dir flag must now be the first flag on the command-line when used. * go command: The new go test option -fullpath prints full path names in test log messages, rather than just base names. * go command: The go test -c flag now supports writing test binaries for multiple packages, each to pkg.test where pkg is the package name. It is an error if more than one test package being compiled has a given package name.] * go command: The go test -o flag now accepts a directory argument, in which case test binaries are written to that directory instead of the current directory. * cgo: In files that import "C", the Go toolchain now correctly reports errors for attempts to declare Go methods on C types. * runtime: When printing very deep stacks, the runtime now prints the first 50 (innermost) frames followed by the bottom 50 (outermost) frames, rather than just printing the first 100 frames. This makes it easier to see how deeply recursive stacks started, and is especially valuable for debugging stack overflows. * runtime: On Linux platforms that support transparent huge pages, the Go runtime now manages which parts of the heap may be backed by huge pages more explicitly. This leads to better utilization of memory: small heaps should see less memory used (up to 50% in pathological cases) while large heaps should see fewer broken huge pages for dense parts of the heap, improving CPU usage and latency by up to 1%. * runtime: As a result of runtime-internal garbage collection tuning, applications may see up to a 40% reduction in application tail latency and a small decrease in memory use. Some applications may also observe a small loss in throughput. The memory use decrease should be proportional to the loss in throughput, such that the previous release's throughput/memory tradeoff may be recovered (with little change to latency) by increasing GOGC and/or GOMEMLIMIT slightly. * runtime: Calls from C to Go on threads created in C require some setup to prepare for Go execution. On Unix platforms, this setup is now preserved across multiple calls from the same thread. This significantly reduces the overhead of subsequent C to Go calls from ~1-3 microseconds per call to ~100-200 nanoseconds per call. * compiler: Profile-guide optimization (PGO), added as a preview in Go 1.20, is now ready for general use. PGO enables additional optimizations on code identified as hot by profiles of production workloads. As mentioned in the Go command section, PGO is enabled by default for binaries that contain a default.pgo profile in the main package directory. Performance improvements vary depending on application behavior, with most programs from a representative set of Go programs seeing between 2 and 7% improvement from enabling PGO. See the PGO user guide for detailed documentation. * compiler: PGO builds can now devirtualize some interface method calls, adding a concrete call to the most common callee. This enables further optimization, such as inlining the callee. * compiler: Go 1.21 improves build speed by up to 6%, largely thanks to building the compiler itself with PGO. * assembler: On amd64, frameless nosplit assembly functions are no longer automatically marked as NOFRAME. Instead, the NOFRAME attribute must be explicitly specified if desired, which is already the behavior on other architectures supporting frame pointers. With this, the runtime now maintains the frame pointers for stack transitions. * assembler: The verifier that checks for incorrect uses of R15 when dynamic linking on amd64 has been improved. * linker: On windows/amd64, the linker (with help from the compiler) now emits SEH unwinding data by default, which improves the integration of Go applications with Windows debuggers and other tools. * linker: In Go 1.21 the linker (with help from the compiler) is now capable of deleting dead (unreferenced) global map variables, if the number of entries in the variable initializer is sufficiently large, and if the initializer expressions are side-effect free. * core library: The new log/slog package provides structured logging with levels. Structured logging emits key-value pairs to enable fast, accurate processing of large amounts of log data. The package supports integration with popular log analysis tools and services. * core library: The new testing/slogtest package can help to validate slog.Handler implementations. * core library: The new slices package provides many common operations on slices, using generic functions that work with slices of any element type. * core library: The new maps package provides several common operations on maps, using generic functions that work with maps of any key or element type. * core library: The new cmp package defines the type constraint Ordered and two new generic functions Less and Compare that are useful with ordered types. * Minor changes to the library: As always, there are various minor changes and updates to the library, made with the Go 1 promise of compatibility in mind. There are also various performance improvements, not enumerated here. * archive/tar: The implementation of the io/fs.FileInfo interface returned by Header.FileInfo now implements a String method that calls io/fs.FormatFileInfo. * archive/zip: The implementation of the io/fs.FileInfo interface returned by FileHeader.FileInfo now implements a String method that calls io/fs.FormatFileInfo. * archive/zip: The implementation of the io/fs.DirEntry interface returned by the io/fs.ReadDirFile.ReadDir method of the io/fs.File returned by Reader.Open now implements a String method that calls io/fs.FormatDirEntry. * bytes: The Buffer type has two new methods: Available and AvailableBuffer. These may be used along with the Write method to append directly to the Buffer. * context: The new WithoutCancel function returns a copy of a context that is not canceled when the original context is canceled. * context: The new WithDeadlineCause and WithTimeoutCause functions provide a way to set a context cancellation cause when a deadline or timer expires. The cause may be retrieved with the Cause function. * context: The new AfterFunc function registers a function to run after a context has been cancelled. * context: An optimization means that the results of calling Background and TODO and converting them to a shared type can be considered equal. In previous releases they were always different. Comparing Context values for equality has never been well-defined, so this is not considered to be an incompatible change. * crypto/ecdsa: PublicKey.Equal and PrivateKey.Equal now execute in constant time. * crypto/elliptic: All of the Curve methods have been deprecated, along with GenerateKey, Marshal, and Unmarshal. For ECDH operations, the new crypto/ecdh package should be used instead. For lower-level operations, use third-party modules such as filippo.io/nistec. * crypto/rand: The crypto/rand package now uses the getrandom system call on NetBSD 10.0 and later. * crypto/rsa: The performance of private RSA operations (decryption and signing) is now better than Go 1.19 for GOARCH=amd64 and GOARCH=arm64. It had regressed in Go 1.20. * crypto/rsa: Due to the addition of private fields to PrecomputedValues, PrivateKey.Precompute must be called for optimal performance even if deserializing (for example from JSON) a previously-precomputed private key. * crypto/rsa: PublicKey.Equal and PrivateKey.Equal now execute in constant time. * crypto/rsa: The GenerateMultiPrimeKey function and the PrecomputedValues.CRTValues field have been deprecated. PrecomputedValues.CRTValues will still be populated when PrivateKey.Precompute is called, but the values will not be used during decryption operations. * crypto/sha256: SHA-224 and SHA-256 operations now use native instructions when available when GOARCH=amd64, providing a performance improvement on the order of 3-4x. * crypto/tls: Servers now skip verifying client certificates (including not running Config.VerifyPeerCertificate) for resumed connections, besides checking the expiration time. This makes session tickets larger when client certificates are in use. Clients were already skipping verification on resumption, but now check the expiration time even if Config.InsecureSkipVerify is set. * crypto/tls: Applications can now control the content of session tickets. * crypto/tls: The new SessionState type describes a resumable session. * crypto/tls: The SessionState.Bytes method and ParseSessionState function serialize and deserialize a SessionState. * crypto/tls: The Config.WrapSession and Config.UnwrapSession hooks convert a SessionState to and from a ticket on the server side. * crypto/tls: The Config.EncryptTicket and Config.DecryptTicket methods provide a default implementation of WrapSession and UnwrapSession. * crypto/tls: The ClientSessionState.ResumptionState method and NewResumptionState function may be used by a ClientSessionCache implementation to store and resume sessions on the client side. * crypto/tls: To reduce the potential for session tickets to be used as a tracking mechanism across connections, the server now issues new tickets on every resumption (if they are supported and not disabled) and tickets don't bear an identifier for the key that encrypted them anymore. If passing a large number of keys to Conn.SetSessionTicketKeys, this might lead to a noticeable performance cost. * crypto/tls: Both clients and servers now implement the Extended Master Secret extension (RFC 7627). The deprecation of ConnectionState.TLSUnique has been reverted, and is now set for resumed connections that support Extended Master Secret. * crypto/tls: The new QUICConn type provides support for QUIC implementations, including 0-RTT support. Note that this is not itself a QUIC implementation, and 0-RTT is still not supported in TLS. * crypto/tls: The new VersionName function returns the name for a TLS version number. * crypto/tls: The TLS alert codes sent from the server for client authentication failures have been improved. Previously, these failures always resulted in a "bad certificate" alert. Now, certain failures will result in more appropriate alert codes, as defined by RFC 5246 and RFC 8446: * crypto/tls: For TLS 1.3 connections, if the server is configured to require client authentication using RequireAnyClientCert or RequireAndVerifyClientCert, and the client does not provide any certificate, the server will now return the "certificate required" alert. * crypto/tls: If the client provides a certificate that is not signed by the set of trusted certificate authorities configured on the server, the server will return the "unknown certificate authority" alert. * crypto/tls: If the client provides a certificate that is either expired or not yet valid, the server will return the "expired certificate" alert. * crypto/tls: In all other scenarios related to client authentication failures, the server still returns "bad certificate". * crypto/x509: RevocationList.RevokedCertificates has been deprecated and replaced with the new RevokedCertificateEntries field, which is a slice of RevocationListEntry. RevocationListEntry contains all of the fields in pkix.RevokedCertificate, as well as the revocation reason code. * crypto/x509: Name constraints are now correctly enforced on non-leaf certificates, and not on the certificates where they are expressed. * debug/elf: The new File.DynValue method may be used to retrieve the numeric values listed with a given dynamic tag. * debug/elf: The constant flags permitted in a DT_FLAGS_1 dynamic tag are now defined with type DynFlag1. These tags have names starting with DF_1. * debug/elf: The package now defines the constant COMPRESS_ZSTD. * debug/elf: The package now defines the constant R_PPC64_REL24_P9NOTOC. * debug/pe: Attempts to read from a section containing uninitialized data using Section.Data or the reader returned by Section.Open now return an error. * embed: The io/fs.File returned by FS.Open now has a ReadAt method that implements io.ReaderAt. * embed: Calling FS.Open.Stat will return a type that now implements a String method that calls io/fs.FormatFileInfo. * errors: The new ErrUnsupported error provides a standardized way to indicate that a requested operation may not be performed because it is unsupported. For example, a call to os.Link when using a file system that does not support hard links. * flag: The new BoolFunc function and FlagSet.BoolFunc method define a flag that does not require an argument and calls a function when the flag is used. This is similar to Func but for a boolean flag. * flag: A flag definition (via Bool, BoolVar, Int, IntVar, etc.) will panic if Set has already been called on a flag with the same name. This change is intended to detect cases where changes in initialization order cause flag operations to occur in a different order than expected. In many cases the fix to this problem is to introduce a explicit package dependence to correctly order the definition before any Set operations. * go/ast: The new IsGenerated predicate reports whether a file syntax tree contains the special comment that conventionally indicates that the file was generated by a tool. * go/ast: The new File.GoVersion field records the minimum Go version required by any //go:build or // +build directives. * go/build: The package now parses build directives (comments that start with //go:) in file headers (before the package declaration). These directives are available in the new Package fields Directives, TestDirectives, and XTestDirectives. * go/build/constraint: The new GoVersion function returns the minimum Go version implied by a build expression. * go/token: The new File.Lines method returns the file's line-number table in the same form as accepted by File.SetLines. * go/types: The new Package.GoVersion method returns the Go language version used to check the package. * hash/maphash: The hash/maphash package now has a pure Go implementation, selectable with the purego build tag. * html/template: The new error ErrJSTemplate is returned when an action appears in a JavaScript template literal. Previously an unexported error was returned. * io/fs: The new FormatFileInfo function returns a formatted version of a FileInfo. The new FormatDirEntry function returns a formatted version of a DirEntry. The implementation of DirEntry returned by ReadDir now implements a String method that calls FormatDirEntry, and the same is true for the DirEntry value passed to WalkDirFunc. * math/big: The new Int.Float64 method returns the nearest floating-point value to a multi-precision integer, along with an indication of any rounding that occurred. * net: On Linux, the net package can now use Multipath TCP when the kernel supports it. It is not used by default. To use Multipath TCP when available on a client, call the Dialer.SetMultipathTCP method before calling the Dialer.Dial or Dialer.DialContext methods. To use Multipath TCP when available on a server, call the ListenConfig.SetMultipathTCP method before calling the ListenConfig.Listen method. Specify the network as "tcp" or "tcp4" or "tcp6" as usual. If Multipath TCP is not supported by the kernel or the remote host, the connection will silently fall back to TCP. To test whether a particular connection is using Multipath TCP, use the TCPConn.MultipathTCP method. * net: In a future Go release we may enable Multipath TCP by default on systems that support it. * net/http: The new ResponseController.EnableFullDuplex method allows server handlers to concurrently read from an HTTP/1 request body while writing the response. Normally, the HTTP/1 server automatically consumes any remaining request body before starting to write the response, to avoid deadlocking clients which attempt to write a complete request before reading the response. The EnableFullDuplex method disables this behavior. * net/http: The new ErrSchemeMismatch error is returned by Client and Transport when the server responds to an HTTPS request with an HTTP response. * net/http: The net/http package now supports errors.ErrUnsupported, in that the expression errors.Is(http.ErrNotSupported, errors.ErrUnsupported) will return true. * os: Programs may now pass an empty time.Time value to the Chtimes function to leave either the access time or the modification time unchanged. * os: On Windows the File.Chdir method now changes the current directory to the file, rather than always returning an error. * os: On Unix systems, if a non-blocking descriptor is passed to NewFile, calling the File.Fd method will now return a non-blocking descriptor. Previously the descriptor was converted to blocking mode. * os: On Windows calling Truncate on a non-existent file used to create an empty file. It now returns an error indicating that the file does not exist. * os: On Windows calling TempDir now uses GetTempPath2W when available, instead of GetTempPathW. The new behavior is a security hardening measure that prevents temporary files created by processes running as SYSTEM to be accessed by non-SYSTEM processes. * os: On Windows the os package now supports working with files whose names, stored as UTF-16, can't be represented as valid UTF-8. * os: On Windows Lstat now resolves symbolic links for paths ending with a path separator, consistent with its behavior on POSIX platforms. * os: The implementation of the io/fs.DirEntry interface returned by the ReadDir function and the File.ReadDir method now implements a String method that calls io/fs.FormatDirEntry. * os: The implementation of the io/fs.FS interface returned by the DirFS function now implements the io/fs.ReadFileFS and the io/fs.ReadDirFS interfaces. * path/filepath: The implementation of the io/fs.DirEntry interface passed to the function argument of WalkDir now implements a String method that calls io/fs.FormatDirEntry. * reflect: In Go 1.21, ValueOf no longer forces its argument to be allocated on the heap, allowing a Value's content to be allocated on the stack. Most operations on a Value also allow the underlying value to be stack allocated. * reflect: The new Value method Value.Clear clears the contents of a map or zeros the contents of a slice. This corresponds to the new clear built-in added to the language. * reflect: The SliceHeader and StringHeader types are now deprecated. In new code prefer unsafe.Slice, unsafe.SliceData, unsafe.String, or unsafe.StringData. * regexp: Regexp now defines MarshalText and UnmarshalText methods. These implement encoding.TextMarshaler and encoding.TextUnmarshaler and will be used by packages such as encoding/json. * runtime: Textual stack traces produced by Go programs, such as those produced when crashing, calling runtime.Stack, or collecting a goroutine profile with debug=2, now include the IDs of the goroutines that created each goroutine in the stack trace. * runtime: Crashing Go applications can now opt-in to Windows Error Reporting (WER) by setting the environment variable GOTRACEBACK=wer or calling debug.SetTraceback("wer") before the crash. Other than enabling WER, the runtime will behave as with GOTRACEBACK=crash. On non-Windows systems, GOTRACEBACK=wer is ignored. * runtime: GODEBUG=cgocheck=2, a thorough checker of cgo pointer passing rules, is no longer available as a debug option. Instead, it is available as an experiment using GOEXPERIMENT=cgocheck2. In particular this means that this mode has to be selected at build time instead of startup time. * runtime: GODEBUG=cgocheck=1 is still available (and is still the default). * runtime: A new type Pinner has been added to the runtime package. Pinners may be used to "pin" Go memory such that it may be used more freely by non-Go code. For instance, passing Go values that reference pinned Go memory to C code is now allowed. Previously, passing any such nested reference was disallowed by the cgo pointer passing rules. See the docs for more details. * runtime/metrics: A few previously-internal GC metrics, such as live heap size, are now available. GOGC and GOMEMLIMIT are also now available as metrics. * runtime/trace: Collecting traces on amd64 and arm64 now incurs a substantially smaller CPU cost: up to a 10x improvement over the previous release. * runtime/trace: Traces now contain explicit stop-the-world events for every reason the Go runtime might stop-the-world, not just garbage collection. * sync: The new OnceFunc, OnceValue, and OnceValues functions capture a common use of Once to lazily initialize a value on first use. * syscall: On Windows the Fchdir function now changes the current directory to its argument, rather than always returning an error. * syscall: On FreeBSD SysProcAttr has a new field Jail that may be used to put the newly created process in a jailed environment. * syscall: On Windows the syscall package now supports working with files whose names, stored as UTF-16, can't be represented as valid UTF-8. The UTF16ToString and UTF16FromString functions now convert between UTF-16 data and WTF-8 strings. This is backward compatible as WTF-8 is a superset of the UTF-8 format that was used in earlier releases. * syscall: Several error values match the new errors.ErrUnsupported, such that errors.Is(err, errors.ErrUnsupported) returns true. ENOSYS ENOTSUP EOPNOTSUPP EPLAN9 (Plan 9 only) ERROR_CALL_NOT_IMPLEMENTED (Windows only) ERROR_NOT_SUPPORTED (Windows only) EWINDOWS (Windows only) * testing: The new -test.fullpath option will print full path names in test log messages, rather than just base names. * testing: The new Testing function reports whether the program is a test created by go test. * testing/fstest: Calling Open.Stat will return a type that now implements a String method that calls io/fs.FormatFileInfo. * unicode: The unicode package and associated support throughout the system has been upgraded to Unicode 15.0.0. * Darwin port: As announced in the Go 1.20 release notes, Go 1.21 requires macOS 10.15 Catalina or later; support for previous versions has been discontinued. * Windows port: As announced in the Go 1.20 release notes, Go 1.21 requires at least Windows 10 or Windows Server 2016; support for previous versions has been discontinued. * WebAssembly port: The new go:wasmimport directive can now be used in Go programs to import functions from the WebAssembly host. * WebAssembly port: The Go scheduler now interacts much more efficiently with the JavaScript event loop, especially in applications that block frequently on asynchronous events. * WebAssembly System Interface port: Go 1.21 adds an experimental port to the WebAssembly System Interface (WASI), Preview 1 (GOOS=wasip1, GOARCH=wasm). * WebAssembly System Interface port: As a result of the addition of the new GOOS value "wasip1", Go files named *_wasip1.go will now be ignored by Go tools except when that GOOS value is being used. If you have existing filenames matching that pattern, you will need to rename them. * ppc64/ppc64le port: On Linux, GOPPC64=power10 now generates PC-relative instructions, prefixed instructions, and other new Power10 instructions. On AIX, GOPPC64=power10 generates Power10 instructions, but does not generate PC-relative instructions. * ppc64/ppc64le port: When building position-independent binaries for GOPPC64=power10 GOOS=linux GOARCH=ppc64le, users can expect reduced binary sizes in most cases, in some cases 3.5%. Position-independent binaries are built for ppc64le with the following -buildmode values: c-archive, c-shared, shared, pie, plugin. * loong64 port: The linux/loong64 port now supports -buildmode=c-archive, -buildmode=c-shared and -buildmode=pie. Patch Instructions: To install this openSUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Package Hub for SUSE Linux Enterprise 12: zypper in -t patch openSUSE-2023-360=1 Package List: - SUSE Package Hub for SUSE Linux Enterprise 12 (x86_64): go-1.21-41.1 go-doc-1.21-41.1 go1.21-1.21.3-2.1 go1.21-doc-1.21.3-2.1 References: https://www.suse.com/security/cve/CVE-2023-39318.html https://www.suse.com/security/cve/CVE-2023-39319.html https://www.suse.com/security/cve/CVE-2023-39320.html https://www.suse.com/security/cve/CVE-2023-39321.html https://www.suse.com/security/cve/CVE-2023-39322.html https://www.suse.com/security/cve/CVE-2023-39323.html https://www.suse.com/security/cve/CVE-2023-39325.html https://www.suse.com/security/cve/CVE-2023-44487.html https://bugzilla.suse.com/1212475 https://bugzilla.suse.com/1212667 https://bugzilla.suse.com/1212669 https://bugzilla.suse.com/1215084 https://bugzilla.suse.com/1215085 https://bugzilla.suse.com/1215086 https://bugzilla.suse.com/1215087 https://bugzilla.suse.com/1215090 https://bugzilla.suse.com/1215985 https://bugzilla.suse.com/1216109

1 0

SUSE-SU-2023:4386-1: important: Security update for salt
by security＠lists.opensuse.org 09 Nov '23

09 Nov '23

# Security update for salt Announcement ID: SUSE-SU-2023:4386-1 Rating: important References: * bsc#1213293 * bsc#1213518 * bsc#1214477 * bsc#1215157 * jsc#MSQA-706 Cross-References: * CVE-2023-34049 CVSS scores: Affected Products: * Basesystem Module 15-SP5 * openSUSE Leap 15.5 * Server Applications Module 15-SP5 * SUSE Linux Enterprise Desktop 15 SP5 * SUSE Linux Enterprise High Performance Computing 15 SP5 * SUSE Linux Enterprise Micro 5.5 * SUSE Linux Enterprise Real Time 15 SP5 * SUSE Linux Enterprise Server 15 SP5 * SUSE Linux Enterprise Server for SAP Applications 15 SP5 * Transactional Server Module 15-SP5 An update that solves one vulnerability, contains one feature and has three security fixes can now be installed. ## Description: This update for salt fixes the following issues: Security issues fixed: * CVE-2023-34049: arbitrary code execution via symlink attack (bsc#1215157) Bugs fixed: * Fix optimization_order opt to prevent testsuite fails * Improve salt.utils.json.find_json to avoid fails (bsc#1213293) * Use salt-call from salt bundle with transactional_update * Only call native_str on curl_debug message in tornado when needed * Implement the calling for batch async from the salt CLI * Fix calculation of SLS context vars when trailing dots on targetted sls/state (bsc#1213518) * Rename salt-tests to python3-salt-testsuite * Allow all primitive grain types for autosign_grains (bsc#1214477) ## Special Instructions and Notes: ## Patch Instructions: To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: * openSUSE Leap 15.5 zypper in -t patch openSUSE-SLE-15.5-2023-4386=1 SUSE-2023-4386=1 * SUSE Linux Enterprise Micro 5.5 zypper in -t patch SUSE-SLE-Micro-5.5-2023-4386=1 * Basesystem Module 15-SP5 zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP5-2023-4386=1 * Server Applications Module 15-SP5 zypper in -t patch SUSE-SLE-Module-Server-Applications-15-SP5-2023-4386=1 * Transactional Server Module 15-SP5 zypper in -t patch SUSE-SLE-Module-Transactional-Server-15-SP5-2023-4386=1 ## Package List: * openSUSE Leap 15.5 (aarch64 ppc64le s390x x86_64 i586) * salt-proxy-3006.0-150500.4.24.2 * salt-standalone-formulas-configuration-3006.0-150500.4.24.2 * salt-3006.0-150500.4.24.2 * salt-cloud-3006.0-150500.4.24.2 * salt-master-3006.0-150500.4.24.2 * salt-api-3006.0-150500.4.24.2 * salt-minion-3006.0-150500.4.24.2 * salt-syndic-3006.0-150500.4.24.2 * python3-salt-3006.0-150500.4.24.2 * salt-transactional-update-3006.0-150500.4.24.2 * salt-doc-3006.0-150500.4.24.2 * python3-salt-testsuite-3006.0-150500.4.24.2 * salt-ssh-3006.0-150500.4.24.2 * openSUSE Leap 15.5 (noarch) * salt-bash-completion-3006.0-150500.4.24.2 * salt-fish-completion-3006.0-150500.4.24.2 * salt-zsh-completion-3006.0-150500.4.24.2 * SUSE Linux Enterprise Micro 5.5 (aarch64 s390x x86_64) * salt-3006.0-150500.4.24.2 * salt-minion-3006.0-150500.4.24.2 * python3-salt-3006.0-150500.4.24.2 * salt-transactional-update-3006.0-150500.4.24.2 * Basesystem Module 15-SP5 (aarch64 ppc64le s390x x86_64) * salt-doc-3006.0-150500.4.24.2 * salt-3006.0-150500.4.24.2 * salt-minion-3006.0-150500.4.24.2 * python3-salt-3006.0-150500.4.24.2 * Basesystem Module 15-SP5 (noarch) * salt-bash-completion-3006.0-150500.4.24.2 * salt-zsh-completion-3006.0-150500.4.24.2 * Server Applications Module 15-SP5 (aarch64 ppc64le s390x x86_64) * salt-proxy-3006.0-150500.4.24.2 * salt-standalone-formulas-configuration-3006.0-150500.4.24.2 * salt-cloud-3006.0-150500.4.24.2 * salt-master-3006.0-150500.4.24.2 * salt-api-3006.0-150500.4.24.2 * salt-syndic-3006.0-150500.4.24.2 * salt-ssh-3006.0-150500.4.24.2 * Server Applications Module 15-SP5 (noarch) * salt-fish-completion-3006.0-150500.4.24.2 * Transactional Server Module 15-SP5 (aarch64 ppc64le s390x x86_64) * salt-transactional-update-3006.0-150500.4.24.2 ## References: * https://www.suse.com/security/cve/CVE-2023-34049.html * https://bugzilla.suse.com/show_bug.cgi?id=1213293 * https://bugzilla.suse.com/show_bug.cgi?id=1213518 * https://bugzilla.suse.com/show_bug.cgi?id=1214477 * https://bugzilla.suse.com/show_bug.cgi?id=1215157 * https://jira.suse.com/browse/MSQA-706

1 0

SUSE-SU-2023:4387-1: important: Security update for salt
by security＠lists.opensuse.org 09 Nov '23

09 Nov '23

# Security update for salt Announcement ID: SUSE-SU-2023:4387-1 Rating: important References: * bsc#1213293 * bsc#1213518 * bsc#1214477 * bsc#1215157 * jsc#MSQA-706 Cross-References: * CVE-2023-34049 CVSS scores: Affected Products: * Basesystem Module 15-SP4 * openSUSE Leap 15.4 * openSUSE Leap Micro 5.3 * openSUSE Leap Micro 5.4 * Server Applications Module 15-SP4 * SUSE Linux Enterprise Desktop 15 SP4 * SUSE Linux Enterprise High Performance Computing 15 SP4 * SUSE Linux Enterprise Micro 5.3 * SUSE Linux Enterprise Micro 5.4 * SUSE Linux Enterprise Micro for Rancher 5.3 * SUSE Linux Enterprise Micro for Rancher 5.4 * SUSE Linux Enterprise Real Time 15 SP4 * SUSE Linux Enterprise Server 15 SP4 * SUSE Linux Enterprise Server for SAP Applications 15 SP4 * SUSE Manager Proxy 4.3 * SUSE Manager Retail Branch Server 4.3 * SUSE Manager Server 4.3 * Transactional Server Module 15-SP4 An update that solves one vulnerability, contains one feature and has three security fixes can now be installed. ## Description: This update for salt fixes the following issues: Security issues fixed: * CVE-2023-34049: arbitrary code execution via symlink attack (bsc#1215157) Bugs fixed: * Fix optimization_order opt to prevent testsuite fails * Improve salt.utils.json.find_json to avoid fails (bsc#1213293) * Use salt-call from salt bundle with transactional_update * Only call native_str on curl_debug message in tornado when needed * Implement the calling for batch async from the salt CLI * Fix calculation of SLS context vars when trailing dots on targetted sls/state (bsc#1213518) * Rename salt-tests to python3-salt-testsuite * Allow all primitive grain types for autosign_grains (bsc#1214477) ## Special Instructions and Notes: ## Patch Instructions: To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: * openSUSE Leap 15.4 zypper in -t patch openSUSE-SLE-15.4-2023-4387=1 SUSE-2023-4387=1 * openSUSE Leap Micro 5.3 zypper in -t patch openSUSE-Leap-Micro-5.3-2023-4387=1 * openSUSE Leap Micro 5.4 zypper in -t patch openSUSE-Leap-Micro-5.4-2023-4387=1 * SUSE Linux Enterprise Micro for Rancher 5.3 zypper in -t patch SUSE-SLE-Micro-5.3-2023-4387=1 * SUSE Linux Enterprise Micro 5.3 zypper in -t patch SUSE-SLE-Micro-5.3-2023-4387=1 * SUSE Linux Enterprise Micro for Rancher 5.4 zypper in -t patch SUSE-SLE-Micro-5.4-2023-4387=1 * SUSE Linux Enterprise Micro 5.4 zypper in -t patch SUSE-SLE-Micro-5.4-2023-4387=1 * Basesystem Module 15-SP4 zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP4-2023-4387=1 * Server Applications Module 15-SP4 zypper in -t patch SUSE-SLE-Module-Server-Applications-15-SP4-2023-4387=1 * Transactional Server Module 15-SP4 zypper in -t patch SUSE-SLE-Module-Transactional-Server-15-SP4-2023-4387=1 ## Package List: * openSUSE Leap 15.4 (aarch64 ppc64le s390x x86_64 i586) * salt-master-3006.0-150400.8.49.2 * salt-proxy-3006.0-150400.8.49.2 * salt-transactional-update-3006.0-150400.8.49.2 * salt-3006.0-150400.8.49.2 * salt-standalone-formulas-configuration-3006.0-150400.8.49.2 * salt-minion-3006.0-150400.8.49.2 * salt-syndic-3006.0-150400.8.49.2 * salt-doc-3006.0-150400.8.49.2 * python3-salt-testsuite-3006.0-150400.8.49.2 * salt-api-3006.0-150400.8.49.2 * salt-cloud-3006.0-150400.8.49.2 * salt-ssh-3006.0-150400.8.49.2 * python3-salt-3006.0-150400.8.49.2 * openSUSE Leap 15.4 (noarch) * salt-bash-completion-3006.0-150400.8.49.2 * salt-fish-completion-3006.0-150400.8.49.2 * salt-zsh-completion-3006.0-150400.8.49.2 * openSUSE Leap Micro 5.3 (aarch64 x86_64) * salt-minion-3006.0-150400.8.49.2 * salt-transactional-update-3006.0-150400.8.49.2 * salt-3006.0-150400.8.49.2 * python3-salt-3006.0-150400.8.49.2 * openSUSE Leap Micro 5.4 (aarch64 s390x x86_64) * salt-minion-3006.0-150400.8.49.2 * salt-transactional-update-3006.0-150400.8.49.2 * salt-3006.0-150400.8.49.2 * python3-salt-3006.0-150400.8.49.2 * SUSE Linux Enterprise Micro for Rancher 5.3 (aarch64 s390x x86_64) * salt-minion-3006.0-150400.8.49.2 * salt-transactional-update-3006.0-150400.8.49.2 * salt-3006.0-150400.8.49.2 * python3-salt-3006.0-150400.8.49.2 * SUSE Linux Enterprise Micro 5.3 (aarch64 s390x x86_64) * salt-minion-3006.0-150400.8.49.2 * salt-transactional-update-3006.0-150400.8.49.2 * salt-3006.0-150400.8.49.2 * python3-salt-3006.0-150400.8.49.2 * SUSE Linux Enterprise Micro for Rancher 5.4 (aarch64 s390x x86_64) * salt-minion-3006.0-150400.8.49.2 * salt-transactional-update-3006.0-150400.8.49.2 * salt-3006.0-150400.8.49.2 * python3-salt-3006.0-150400.8.49.2 * SUSE Linux Enterprise Micro 5.4 (aarch64 s390x x86_64) * salt-minion-3006.0-150400.8.49.2 * salt-transactional-update-3006.0-150400.8.49.2 * salt-3006.0-150400.8.49.2 * python3-salt-3006.0-150400.8.49.2 * Basesystem Module 15-SP4 (aarch64 ppc64le s390x x86_64) * salt-minion-3006.0-150400.8.49.2 * salt-doc-3006.0-150400.8.49.2 * salt-3006.0-150400.8.49.2 * python3-salt-3006.0-150400.8.49.2 * Basesystem Module 15-SP4 (noarch) * salt-bash-completion-3006.0-150400.8.49.2 * salt-zsh-completion-3006.0-150400.8.49.2 * Server Applications Module 15-SP4 (aarch64 ppc64le s390x x86_64) * salt-master-3006.0-150400.8.49.2 * salt-proxy-3006.0-150400.8.49.2 * salt-standalone-formulas-configuration-3006.0-150400.8.49.2 * salt-syndic-3006.0-150400.8.49.2 * salt-api-3006.0-150400.8.49.2 * salt-cloud-3006.0-150400.8.49.2 * salt-ssh-3006.0-150400.8.49.2 * Server Applications Module 15-SP4 (noarch) * salt-fish-completion-3006.0-150400.8.49.2 * Transactional Server Module 15-SP4 (aarch64 ppc64le s390x x86_64) * salt-transactional-update-3006.0-150400.8.49.2 ## References: * https://www.suse.com/security/cve/CVE-2023-34049.html * https://bugzilla.suse.com/show_bug.cgi?id=1213293 * https://bugzilla.suse.com/show_bug.cgi?id=1213518 * https://bugzilla.suse.com/show_bug.cgi?id=1214477 * https://bugzilla.suse.com/show_bug.cgi?id=1215157 * https://jira.suse.com/browse/MSQA-706

1 0

SUSE-SU-2023:4388-1: important: Security update for salt
by security＠lists.opensuse.org 09 Nov '23

09 Nov '23

# Security update for salt Announcement ID: SUSE-SU-2023:4388-1 Rating: important References: * bsc#1213293 * bsc#1213518 * bsc#1214477 * bsc#1215157 * jsc#MSQA-706 Cross-References: * CVE-2023-34049 CVSS scores: Affected Products: * Basesystem Module 15-SP4 * Basesystem Module 15-SP5 * openSUSE Leap 15.3 * openSUSE Leap 15.4 * openSUSE Leap 15.5 * openSUSE Leap Micro 5.3 * openSUSE Leap Micro 5.4 * SUSE Enterprise Storage 7.1 * SUSE Linux Enterprise Desktop 15 SP4 * SUSE Linux Enterprise Desktop 15 SP5 * SUSE Linux Enterprise High Performance Computing 15 SP3 * SUSE Linux Enterprise High Performance Computing 15 SP4 * SUSE Linux Enterprise High Performance Computing 15 SP5 * SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3 * SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 * SUSE Linux Enterprise Micro 5.1 * SUSE Linux Enterprise Micro 5.2 * SUSE Linux Enterprise Micro 5.3 * SUSE Linux Enterprise Micro 5.4 * SUSE Linux Enterprise Micro 5.5 * SUSE Linux Enterprise Micro for Rancher 5.2 * SUSE Linux Enterprise Micro for Rancher 5.3 * SUSE Linux Enterprise Micro for Rancher 5.4 * SUSE Linux Enterprise Real Time 15 SP4 * SUSE Linux Enterprise Real Time 15 SP5 * SUSE Linux Enterprise Server 15 SP3 * SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 * SUSE Linux Enterprise Server 15 SP4 * SUSE Linux Enterprise Server 15 SP5 * SUSE Linux Enterprise Server for SAP Applications 15 SP3 * SUSE Linux Enterprise Server for SAP Applications 15 SP4 * SUSE Linux Enterprise Server for SAP Applications 15 SP5 * SUSE Manager Proxy 4.3 * SUSE Manager Retail Branch Server 4.3 * SUSE Manager Server 4.3 An update that solves one vulnerability, contains one feature and has three security fixes can now be installed. ## Description: This update for salt fixes the following issues: Security issues fixed: * CVE-2023-34049: arbitrary code execution via symlink attack (bsc#1215157) Bugs fixed: * Fix optimization_order opt to prevent testsuite fails * Improve salt.utils.json.find_json to avoid fails (bsc#1213293) * Use salt-call from salt bundle with transactional_update * Only call native_str on curl_debug message in tornado when needed * Implement the calling for batch async from the salt CLI * Fix calculation of SLS context vars when trailing dots on targetted sls/state (bsc#1213518) * Rename salt-tests to python3-salt-testsuite * Allow all primitive grain types for autosign_grains (bsc#1214477) ## Special Instructions and Notes: ## Patch Instructions: To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: * openSUSE Leap 15.3 zypper in -t patch SUSE-2023-4388=1 * openSUSE Leap Micro 5.3 zypper in -t patch openSUSE-Leap-Micro-5.3-2023-4388=1 * openSUSE Leap Micro 5.4 zypper in -t patch openSUSE-Leap-Micro-5.4-2023-4388=1 * openSUSE Leap 15.4 zypper in -t patch openSUSE-SLE-15.4-2023-4388=1 * openSUSE Leap 15.5 zypper in -t patch openSUSE-SLE-15.5-2023-4388=1 * SUSE Linux Enterprise Micro for Rancher 5.3 zypper in -t patch SUSE-SLE-Micro-5.3-2023-4388=1 * SUSE Linux Enterprise Micro 5.3 zypper in -t patch SUSE-SLE-Micro-5.3-2023-4388=1 * SUSE Linux Enterprise Micro for Rancher 5.4 zypper in -t patch SUSE-SLE-Micro-5.4-2023-4388=1 * SUSE Linux Enterprise Micro 5.4 zypper in -t patch SUSE-SLE-Micro-5.4-2023-4388=1 * SUSE Linux Enterprise Micro 5.5 zypper in -t patch SUSE-SLE-Micro-5.5-2023-4388=1 * Basesystem Module 15-SP4 zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP4-2023-4388=1 * Basesystem Module 15-SP5 zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP5-2023-4388=1 * SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3 zypper in -t patch SUSE-SLE-Product-HPC-15-SP3-ESPOS-2023-4388=1 * SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 zypper in -t patch SUSE-SLE-Product-HPC-15-SP3-LTSS-2023-4388=1 * SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 zypper in -t patch SUSE-SLE-Product-SLES-15-SP3-LTSS-2023-4388=1 * SUSE Linux Enterprise Server for SAP Applications 15 SP3 zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP3-2023-4388=1 * SUSE Enterprise Storage 7.1 zypper in -t patch SUSE-Storage-7.1-2023-4388=1 * SUSE Linux Enterprise Micro 5.1 zypper in -t patch SUSE-SUSE-MicroOS-5.1-2023-4388=1 * SUSE Linux Enterprise Micro 5.2 zypper in -t patch SUSE-SUSE-MicroOS-5.2-2023-4388=1 * SUSE Linux Enterprise Micro for Rancher 5.2 zypper in -t patch SUSE-SUSE-MicroOS-5.2-2023-4388=1 ## Package List: * openSUSE Leap 15.3 (aarch64 ppc64le s390x x86_64 i586) * python2-simplejson-debuginfo-3.17.2-150300.3.4.1 * python3-simplejson-3.17.2-150300.3.4.1 * salt-proxy-3006.0-150300.53.65.2 * salt-minion-3006.0-150300.53.65.2 * salt-ssh-3006.0-150300.53.65.2 * python-simplejson-debugsource-3.17.2-150300.3.4.1 * salt-doc-3006.0-150300.53.65.2 * python-simplejson-debuginfo-3.17.2-150300.3.4.1 * salt-master-3006.0-150300.53.65.2 * salt-standalone-formulas-configuration-3006.0-150300.53.65.2 * salt-transactional-update-3006.0-150300.53.65.2 * salt-api-3006.0-150300.53.65.2 * salt-3006.0-150300.53.65.2 * salt-syndic-3006.0-150300.53.65.2 * python2-simplejson-3.17.2-150300.3.4.1 * python3-salt-3006.0-150300.53.65.2 * python3-salt-testsuite-3006.0-150300.53.65.2 * salt-cloud-3006.0-150300.53.65.2 * python3-simplejson-debuginfo-3.17.2-150300.3.4.1 * openSUSE Leap 15.3 (noarch) * salt-bash-completion-3006.0-150300.53.65.2 * salt-fish-completion-3006.0-150300.53.65.2 * salt-zsh-completion-3006.0-150300.53.65.2 * openSUSE Leap Micro 5.3 (aarch64 x86_64) * python3-simplejson-3.17.2-150300.3.4.1 * python-simplejson-debugsource-3.17.2-150300.3.4.1 * python-simplejson-debuginfo-3.17.2-150300.3.4.1 * python3-simplejson-debuginfo-3.17.2-150300.3.4.1 * openSUSE Leap Micro 5.4 (aarch64 s390x x86_64) * python3-simplejson-3.17.2-150300.3.4.1 * python-simplejson-debugsource-3.17.2-150300.3.4.1 * python-simplejson-debuginfo-3.17.2-150300.3.4.1 * python3-simplejson-debuginfo-3.17.2-150300.3.4.1 * openSUSE Leap 15.4 (aarch64 ppc64le s390x x86_64) * python3-simplejson-3.17.2-150300.3.4.1 * python-simplejson-debugsource-3.17.2-150300.3.4.1 * python-simplejson-debuginfo-3.17.2-150300.3.4.1 * python3-simplejson-debuginfo-3.17.2-150300.3.4.1 * openSUSE Leap 15.5 (aarch64 ppc64le s390x x86_64) * python3-simplejson-3.17.2-150300.3.4.1 * python-simplejson-debugsource-3.17.2-150300.3.4.1 * python-simplejson-debuginfo-3.17.2-150300.3.4.1 * python3-simplejson-debuginfo-3.17.2-150300.3.4.1 * SUSE Linux Enterprise Micro for Rancher 5.3 (aarch64 s390x x86_64) * python3-simplejson-3.17.2-150300.3.4.1 * python-simplejson-debugsource-3.17.2-150300.3.4.1 * python-simplejson-debuginfo-3.17.2-150300.3.4.1 * python3-simplejson-debuginfo-3.17.2-150300.3.4.1 * SUSE Linux Enterprise Micro 5.3 (aarch64 s390x x86_64) * python3-simplejson-3.17.2-150300.3.4.1 * python-simplejson-debugsource-3.17.2-150300.3.4.1 * python-simplejson-debuginfo-3.17.2-150300.3.4.1 * python3-simplejson-debuginfo-3.17.2-150300.3.4.1 * SUSE Linux Enterprise Micro for Rancher 5.4 (aarch64 s390x x86_64) * python3-simplejson-3.17.2-150300.3.4.1 * python-simplejson-debugsource-3.17.2-150300.3.4.1 * python-simplejson-debuginfo-3.17.2-150300.3.4.1 * python3-simplejson-debuginfo-3.17.2-150300.3.4.1 * SUSE Linux Enterprise Micro 5.4 (aarch64 s390x x86_64) * python3-simplejson-3.17.2-150300.3.4.1 * python-simplejson-debugsource-3.17.2-150300.3.4.1 * python-simplejson-debuginfo-3.17.2-150300.3.4.1 * python3-simplejson-debuginfo-3.17.2-150300.3.4.1 * SUSE Linux Enterprise Micro 5.5 (aarch64 s390x x86_64) * python3-simplejson-3.17.2-150300.3.4.1 * python-simplejson-debugsource-3.17.2-150300.3.4.1 * python-simplejson-debuginfo-3.17.2-150300.3.4.1 * python3-simplejson-debuginfo-3.17.2-150300.3.4.1 * Basesystem Module 15-SP4 (aarch64 ppc64le s390x x86_64) * python3-simplejson-3.17.2-150300.3.4.1 * python-simplejson-debugsource-3.17.2-150300.3.4.1 * python-simplejson-debuginfo-3.17.2-150300.3.4.1 * python3-simplejson-debuginfo-3.17.2-150300.3.4.1 * Basesystem Module 15-SP5 (aarch64 ppc64le s390x x86_64) * python3-simplejson-3.17.2-150300.3.4.1 * python-simplejson-debugsource-3.17.2-150300.3.4.1 * python-simplejson-debuginfo-3.17.2-150300.3.4.1 * python3-simplejson-debuginfo-3.17.2-150300.3.4.1 * SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3 (aarch64 x86_64) * python3-simplejson-3.17.2-150300.3.4.1 * salt-proxy-3006.0-150300.53.65.2 * salt-minion-3006.0-150300.53.65.2 * salt-ssh-3006.0-150300.53.65.2 * python-simplejson-debugsource-3.17.2-150300.3.4.1 * salt-master-3006.0-150300.53.65.2 * python-simplejson-debuginfo-3.17.2-150300.3.4.1 * salt-standalone-formulas-configuration-3006.0-150300.53.65.2 * salt-api-3006.0-150300.53.65.2 * salt-3006.0-150300.53.65.2 * salt-syndic-3006.0-150300.53.65.2 * python3-salt-3006.0-150300.53.65.2 * salt-doc-3006.0-150300.53.65.2 * salt-cloud-3006.0-150300.53.65.2 * python3-simplejson-debuginfo-3.17.2-150300.3.4.1 * SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3 (noarch) * salt-bash-completion-3006.0-150300.53.65.2 * salt-fish-completion-3006.0-150300.53.65.2 * salt-zsh-completion-3006.0-150300.53.65.2 * SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (aarch64 x86_64) * python3-simplejson-3.17.2-150300.3.4.1 * salt-proxy-3006.0-150300.53.65.2 * salt-minion-3006.0-150300.53.65.2 * salt-ssh-3006.0-150300.53.65.2 * python-simplejson-debugsource-3.17.2-150300.3.4.1 * salt-master-3006.0-150300.53.65.2 * python-simplejson-debuginfo-3.17.2-150300.3.4.1 * salt-standalone-formulas-configuration-3006.0-150300.53.65.2 * salt-api-3006.0-150300.53.65.2 * salt-3006.0-150300.53.65.2 * salt-syndic-3006.0-150300.53.65.2 * python3-salt-3006.0-150300.53.65.2 * salt-doc-3006.0-150300.53.65.2 * salt-cloud-3006.0-150300.53.65.2 * python3-simplejson-debuginfo-3.17.2-150300.3.4.1 * SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (noarch) * salt-bash-completion-3006.0-150300.53.65.2 * salt-fish-completion-3006.0-150300.53.65.2 * salt-zsh-completion-3006.0-150300.53.65.2 * SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (aarch64 ppc64le s390x x86_64) * python3-simplejson-3.17.2-150300.3.4.1 * salt-proxy-3006.0-150300.53.65.2 * salt-minion-3006.0-150300.53.65.2 * salt-ssh-3006.0-150300.53.65.2 * python-simplejson-debugsource-3.17.2-150300.3.4.1 * salt-master-3006.0-150300.53.65.2 * python-simplejson-debuginfo-3.17.2-150300.3.4.1 * salt-standalone-formulas-configuration-3006.0-150300.53.65.2 * salt-transactional-update-3006.0-150300.53.65.2 * salt-api-3006.0-150300.53.65.2 * salt-3006.0-150300.53.65.2 * salt-syndic-3006.0-150300.53.65.2 * python3-salt-3006.0-150300.53.65.2 * salt-doc-3006.0-150300.53.65.2 * salt-cloud-3006.0-150300.53.65.2 * python3-simplejson-debuginfo-3.17.2-150300.3.4.1 * SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (noarch) * salt-bash-completion-3006.0-150300.53.65.2 * salt-fish-completion-3006.0-150300.53.65.2 * salt-zsh-completion-3006.0-150300.53.65.2 * SUSE Linux Enterprise Server for SAP Applications 15 SP3 (ppc64le x86_64) * python3-simplejson-3.17.2-150300.3.4.1 * salt-proxy-3006.0-150300.53.65.2 * salt-minion-3006.0-150300.53.65.2 * salt-ssh-3006.0-150300.53.65.2 * python-simplejson-debugsource-3.17.2-150300.3.4.1 * salt-master-3006.0-150300.53.65.2 * python-simplejson-debuginfo-3.17.2-150300.3.4.1 * salt-standalone-formulas-configuration-3006.0-150300.53.65.2 * salt-api-3006.0-150300.53.65.2 * salt-3006.0-150300.53.65.2 * salt-syndic-3006.0-150300.53.65.2 * python3-salt-3006.0-150300.53.65.2 * salt-doc-3006.0-150300.53.65.2 * salt-cloud-3006.0-150300.53.65.2 * python3-simplejson-debuginfo-3.17.2-150300.3.4.1 * SUSE Linux Enterprise Server for SAP Applications 15 SP3 (noarch) * salt-bash-completion-3006.0-150300.53.65.2 * salt-fish-completion-3006.0-150300.53.65.2 * salt-zsh-completion-3006.0-150300.53.65.2 * SUSE Enterprise Storage 7.1 (aarch64 x86_64) * python3-simplejson-3.17.2-150300.3.4.1 * salt-proxy-3006.0-150300.53.65.2 * salt-minion-3006.0-150300.53.65.2 * salt-ssh-3006.0-150300.53.65.2 * python-simplejson-debugsource-3.17.2-150300.3.4.1 * salt-master-3006.0-150300.53.65.2 * python-simplejson-debuginfo-3.17.2-150300.3.4.1 * salt-standalone-formulas-configuration-3006.0-150300.53.65.2 * salt-transactional-update-3006.0-150300.53.65.2 * salt-api-3006.0-150300.53.65.2 * salt-3006.0-150300.53.65.2 * salt-syndic-3006.0-150300.53.65.2 * python3-salt-3006.0-150300.53.65.2 * salt-doc-3006.0-150300.53.65.2 * salt-cloud-3006.0-150300.53.65.2 * python3-simplejson-debuginfo-3.17.2-150300.3.4.1 * SUSE Enterprise Storage 7.1 (noarch) * salt-bash-completion-3006.0-150300.53.65.2 * salt-fish-completion-3006.0-150300.53.65.2 * salt-zsh-completion-3006.0-150300.53.65.2 * SUSE Linux Enterprise Micro 5.1 (aarch64 s390x x86_64) * python3-simplejson-3.17.2-150300.3.4.1 * salt-minion-3006.0-150300.53.65.2 * salt-transactional-update-3006.0-150300.53.65.2 * salt-3006.0-150300.53.65.2 * python3-salt-3006.0-150300.53.65.2 * SUSE Linux Enterprise Micro 5.2 (aarch64 s390x x86_64) * python3-simplejson-3.17.2-150300.3.4.1 * salt-minion-3006.0-150300.53.65.2 * python-simplejson-debugsource-3.17.2-150300.3.4.1 * salt-transactional-update-3006.0-150300.53.65.2 * python-simplejson-debuginfo-3.17.2-150300.3.4.1 * salt-3006.0-150300.53.65.2 * python3-salt-3006.0-150300.53.65.2 * python3-simplejson-debuginfo-3.17.2-150300.3.4.1 * SUSE Linux Enterprise Micro for Rancher 5.2 (aarch64 s390x x86_64) * python3-simplejson-3.17.2-150300.3.4.1 * salt-minion-3006.0-150300.53.65.2 * python-simplejson-debugsource-3.17.2-150300.3.4.1 * salt-transactional-update-3006.0-150300.53.65.2 * python-simplejson-debuginfo-3.17.2-150300.3.4.1 * salt-3006.0-150300.53.65.2 * python3-salt-3006.0-150300.53.65.2 * python3-simplejson-debuginfo-3.17.2-150300.3.4.1 ## References: * https://www.suse.com/security/cve/CVE-2023-34049.html * https://bugzilla.suse.com/show_bug.cgi?id=1213293 * https://bugzilla.suse.com/show_bug.cgi?id=1213518 * https://bugzilla.suse.com/show_bug.cgi?id=1214477 * https://bugzilla.suse.com/show_bug.cgi?id=1215157 * https://jira.suse.com/browse/MSQA-706

1 0

SUSE-SU-2023:4367-1: important: Security update for apache-ivy
by security＠lists.opensuse.org 06 Nov '23

06 Nov '23

# Security update for apache-ivy Announcement ID: SUSE-SU-2023:4367-1 Rating: important References: * bsc#1214422 Cross-References: * CVE-2022-46751 CVSS scores: * CVE-2022-46751 ( SUSE ): 7.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L * CVE-2022-46751 ( NVD ): 8.2 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L Affected Products: * Development Tools Module 15-SP4 * Development Tools Module 15-SP5 * openSUSE Leap 15.4 * openSUSE Leap 15.5 * SUSE Enterprise Storage 7.1 * SUSE Linux Enterprise Desktop 15 SP4 * SUSE Linux Enterprise Desktop 15 SP5 * SUSE Linux Enterprise High Performance Computing 15 SP2 * SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 * SUSE Linux Enterprise High Performance Computing 15 SP3 * SUSE Linux Enterprise High Performance Computing 15 SP4 * SUSE Linux Enterprise High Performance Computing 15 SP5 * SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3 * SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 * SUSE Linux Enterprise Real Time 15 SP4 * SUSE Linux Enterprise Real Time 15 SP5 * SUSE Linux Enterprise Server 15 SP2 * SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 * SUSE Linux Enterprise Server 15 SP3 * SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 * SUSE Linux Enterprise Server 15 SP4 * SUSE Linux Enterprise Server 15 SP5 * SUSE Linux Enterprise Server for SAP Applications 15 SP2 * SUSE Linux Enterprise Server for SAP Applications 15 SP3 * SUSE Linux Enterprise Server for SAP Applications 15 SP4 * SUSE Linux Enterprise Server for SAP Applications 15 SP5 * SUSE Manager Proxy 4.3 * SUSE Manager Retail Branch Server 4.3 * SUSE Manager Server 4.3 An update that solves one vulnerability can now be installed. ## Description: This update for apache-ivy fixes the following issues: * Upgrade to version 2.5.2 (bsc#1214422) * CVE-2022-46751: Fixed an XML External Entity Injections that could be exploited to exfiltrate data, access resources only the machine running Ivy has access to or disturb the execution of Ivy in different ways. (bsc#1214422) ## Patch Instructions: To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: * openSUSE Leap 15.4 zypper in -t patch openSUSE-SLE-15.4-2023-4367=1 * openSUSE Leap 15.5 zypper in -t patch openSUSE-SLE-15.5-2023-4367=1 * Development Tools Module 15-SP4 zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP4-2023-4367=1 * Development Tools Module 15-SP5 zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP5-2023-4367=1 * SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 zypper in -t patch SUSE-SLE-Product-HPC-15-SP2-LTSS-2023-4367=1 * SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3 zypper in -t patch SUSE-SLE-Product-HPC-15-SP3-ESPOS-2023-4367=1 * SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 zypper in -t patch SUSE-SLE-Product-HPC-15-SP3-LTSS-2023-4367=1 * SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 zypper in -t patch SUSE-SLE-Product-SLES-15-SP2-LTSS-2023-4367=1 * SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 zypper in -t patch SUSE-SLE-Product-SLES-15-SP3-LTSS-2023-4367=1 * SUSE Linux Enterprise Server for SAP Applications 15 SP2 zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP2-2023-4367=1 * SUSE Linux Enterprise Server for SAP Applications 15 SP3 zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP3-2023-4367=1 * SUSE Enterprise Storage 7.1 zypper in -t patch SUSE-Storage-7.1-2023-4367=1 ## Package List: * openSUSE Leap 15.4 (noarch) * apache-ivy-2.5.2-150200.3.9.1 * apache-ivy-javadoc-2.5.2-150200.3.9.1 * openSUSE Leap 15.5 (noarch) * apache-ivy-2.5.2-150200.3.9.1 * apache-ivy-javadoc-2.5.2-150200.3.9.1 * Development Tools Module 15-SP4 (noarch) * apache-ivy-2.5.2-150200.3.9.1 * Development Tools Module 15-SP5 (noarch) * apache-ivy-2.5.2-150200.3.9.1 * SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (noarch) * apache-ivy-2.5.2-150200.3.9.1 * SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3 (noarch) * apache-ivy-2.5.2-150200.3.9.1 * SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (noarch) * apache-ivy-2.5.2-150200.3.9.1 * SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (noarch) * apache-ivy-2.5.2-150200.3.9.1 * SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (noarch) * apache-ivy-2.5.2-150200.3.9.1 * SUSE Linux Enterprise Server for SAP Applications 15 SP2 (noarch) * apache-ivy-2.5.2-150200.3.9.1 * SUSE Linux Enterprise Server for SAP Applications 15 SP3 (noarch) * apache-ivy-2.5.2-150200.3.9.1 * SUSE Enterprise Storage 7.1 (noarch) * apache-ivy-2.5.2-150200.3.9.1 ## References: * https://www.suse.com/security/cve/CVE-2022-46751.html * https://bugzilla.suse.com/show_bug.cgi?id=1214422

1 0

SUSE-SU-2023:4375-1: important: Security update for the Linux Kernel
by security＠lists.opensuse.org 06 Nov '23

06 Nov '23

# Security update for the Linux Kernel Announcement ID: SUSE-SU-2023:4375-1 Rating: important References: * bsc#1208788 * bsc#1211162 * bsc#1211307 * bsc#1212423 * bsc#1212649 * bsc#1213705 * bsc#1213772 * bsc#1214754 * bsc#1214874 * bsc#1215095 * bsc#1215104 * bsc#1215523 * bsc#1215545 * bsc#1215921 * bsc#1215955 * bsc#1215986 * bsc#1216062 * bsc#1216202 * bsc#1216322 * bsc#1216323 * bsc#1216324 * bsc#1216333 * bsc#1216345 * bsc#1216512 * bsc#1216621 * bsc#802154 Cross-References: * CVE-2023-2163 * CVE-2023-31085 * CVE-2023-34324 * CVE-2023-3777 * CVE-2023-39189 * CVE-2023-39191 * CVE-2023-39193 * CVE-2023-46813 * CVE-2023-5178 CVSS scores: * CVE-2023-2163 ( SUSE ): 7.1 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N * CVE-2023-2163 ( NVD ): 10.0 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N * CVE-2023-31085 ( SUSE ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H * CVE-2023-31085 ( NVD ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H * CVE-2023-34324 ( SUSE ): 5.7 CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H * CVE-2023-3777 ( SUSE ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H * CVE-2023-3777 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H * CVE-2023-39189 ( SUSE ): 4.4 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N * CVE-2023-39189 ( NVD ): 5.1 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:L * CVE-2023-39191 ( SUSE ): 8.2 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H * CVE-2023-39191 ( NVD ): 8.2 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H * CVE-2023-39193 ( SUSE ): 5.1 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:L * CVE-2023-39193 ( NVD ): 6.1 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L * CVE-2023-46813 ( SUSE ): 7.0 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H * CVE-2023-5178 ( SUSE ): 7.2 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H * CVE-2023-5178 ( NVD ): 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Affected Products: * Basesystem Module 15-SP5 * Development Tools Module 15-SP5 * Legacy Module 15-SP5 * openSUSE Leap 15.5 * SUSE Linux Enterprise Desktop 15 SP5 * SUSE Linux Enterprise High Availability Extension 15 SP5 * SUSE Linux Enterprise High Performance Computing 15 SP5 * SUSE Linux Enterprise Live Patching 15-SP5 * SUSE Linux Enterprise Micro 5.5 * SUSE Linux Enterprise Real Time 15 SP5 * SUSE Linux Enterprise Server 15 SP5 * SUSE Linux Enterprise Server for SAP Applications 15 SP5 * SUSE Linux Enterprise Workstation Extension 15 SP5 An update that solves nine vulnerabilities and has 17 security fixes can now be installed. ## Description: The SUSE Linux Enterprise 15 SP5 kernel was updated to receive various security and bugfixes. The following security bugs were fixed: * CVE-2023-3777: Fixed a use-after-free vulnerability in netfilter: nf_tables component can be exploited to achieve local privilege escalation. (bsc#1215095) * CVE-2023-46813: Fixed a local privilege escalation with user-space programs that have access to MMIO regions (bsc#1212649). * CVE-2023-31085: Fixed a divide-by-zero error in do_div(sz,mtd->erasesize) that could cause a local DoS. (bsc#1210778) * CVE-2023-39193: Fixed an out of bounds read in the xtables subsystem (bsc#1215860). * CVE-2023-5178: Fixed an use-after-free and a double-free flaw that could allow a malicious user to execute a remote code execution. (bsc#1215768) * CVE-2023-2163: Fixed an incorrect verifier pruning in BPF that could lead to unsafe code paths being incorrectly marked as safe, resulting in arbitrary read/write in kernel memory, lateral privilege escalation, and container escape. (bsc#1215518) * CVE-2023-34324: Fixed a possible deadlock in Linux kernel event handling. (bsc#1215745). * CVE-2023-39189: Fixed a flaw in the Netfilter subsystem that could allow a local privileged (CAP_NET_ADMIN) attacker to trigger an out-of-bounds read, leading to a crash or information disclosure. (bsc#1216046) * CVE-2023-39191: Fixed a lack of validation of dynamic pointers within user- supplied eBPF programs that may have allowed an attacker with CAP_BPF privileges to escalate privileges and execute arbitrary code. (bsc#1215863) The following non-security bugs were fixed: * 9p: virtio: make sure 'offs' is initialized in zc_request (git-fixes). * ACPI: irq: Fix incorrect return value in acpi_register_gsi() (git-fixes). * ACPI: resource: Skip IRQ override on ASUS ExpertBook B1402CBA (git-fixes). * ALSA: hda/realtek - ALC287 I2S speaker platform support (git-fixes). * ALSA: hda/realtek - ALC287 merge RTK codec with CS CS35L41 AMP (git-fixes). * ALSA: hda/realtek - Fixed ASUS platform headset Mic issue (git-fixes). * ALSA: hda/realtek - Fixed two speaker platform (git-fixes). * ALSA: hda/realtek: Add quirk for ASUS ROG GU603ZV (git-fixes). * ALSA: hda/realtek: Change model for Intel RVP board (git-fixes). * ALSA: hda/relatek: Enable Mute LED on HP Laptop 15s-fq5xxx (git-fixes). * ALSA: hda: Disable power save for solving pop issue on Lenovo ThinkCentre M70q (git-fixes). * ALSA: hda: intel-dsp-cfg: add LunarLake support (git-fixes). * ALSA: hda: intel-sdw-acpi: Use u8 type for link index (git-fixes). * ALSA: usb-audio: Fix microphone sound on Nexigo webcam (git-fixes). * ALSA: usb-audio: Fix microphone sound on Opencomm2 Headset (git-fixes). * ASoC: amd: yc: Fix non-functional mic on Lenovo 82YM (git-fixes). * ASoC: codecs: wcd938x-sdw: fix runtime PM imbalance on probe errors (git- fixes). * ASoC: codecs: wcd938x-sdw: fix use after free on driver unbind (git-fixes). * ASoC: codecs: wcd938x: drop bogus bind error handling (git-fixes). * ASoC: codecs: wcd938x: fix unbind tear down order (git-fixes). * ASoC: fsl: imx-pcm-rpmsg: Add SNDRV_PCM_INFO_BATCH flag (git-fixes). * ASoC: imx-rpmsg: Set ignore_pmdown_time for dai_link (git-fixes). * ASoC: pxa: fix a memory leak in probe() (git-fixes). * Bluetooth: Avoid redundant authentication (git-fixes). * Bluetooth: Fix a refcnt underflow problem for hci_conn (git-fixes). * Bluetooth: ISO: Fix handling of listen for unicast (git-fixes). * Bluetooth: Reject connection with the device which has same BD_ADDR (git- fixes). * Bluetooth: avoid memcmp() out of bounds warning (git-fixes). * Bluetooth: btusb: add shutdown function for QCA6174 (git-fixes). * Bluetooth: hci_codec: Fix leaking content of local_codecs (git-fixes). * Bluetooth: hci_event: Fix coding style (git-fixes). * Bluetooth: hci_event: Fix using memcmp when comparing keys (git-fixes). * Bluetooth: hci_event: Ignore NULL link key (git-fixes). * Bluetooth: hci_sock: Correctly bounds check and pad HCI_MON_NEW_INDEX name (git-fixes). * Bluetooth: hci_sock: fix slab oob read in create_monitor_event (git-fixes). * Bluetooth: vhci: Fix race when opening vhci device (git-fixes). * Documentation: qat: change kernel version (PED-6401). * Documentation: qat: rewrite description (PED-6401). * Drivers: hv: vmbus: Call hv_synic_free() if hv_synic_alloc() fails (git- fixes). * Drivers: hv: vmbus: Fix vmbus_wait_for_unload() to scan present CPUs (git- fixes). * HID: holtek: fix slab-out-of-bounds Write in holtek_kbd_input_event (git- fixes). * HID: intel-ish-hid: ipc: Disable and reenable ACPI GPE bit (git-fixes). * HID: logitech-hidpp: Fix kernel crash on receiver USB disconnect (git- fixes). * HID: multitouch: Add required quirk for Synaptics 0xcd7e device (git-fixes). * HID: sony: Fix a potential memory leak in sony_probe() (git-fixes). * HID: sony: remove duplicate NULL check before calling usb_free_urb() (git- fixes). * IB/mlx4: Fix the size of a buffer in add_port_entries() (git-fixes) * Input: goodix - ensure int GPIO is in input for gpio_count == 1 && gpio_int_idx == 0 case (git-fixes). * Input: powermate - fix use-after-free in powermate_config_complete (git- fixes). * Input: psmouse - fix fast_reconnect function for PS/2 mode (git-fixes). * Input: xpad - add PXN V900 support (git-fixes). * KVM: SVM: Do not kill SEV guest if SMAP erratum triggers in usermode (git- fixes). * KVM: SVM: INTERCEPT_RDTSCP is never intercepted anyway (git-fixes). * KVM: s390: fix gisa destroy operation might lead to cpu stalls (git-fixes bsc#1216512). * KVM: x86/mmu: Reconstruct shadow page root if the guest PDPTEs is changed (git-fixes). * KVM: x86: Fix clang -Wimplicit-fallthrough in do_host_cpuid() (git-fixes). * KVM: x86: Move open-coded CPUID leaf 0x80000021 EAX bit propagation code (bsc#1213772). * KVM: x86: Propagate the AMD Automatic IBRS feature to the guest (bsc#1213772). * KVM: x86: add support for CPUID leaf 0x80000021 (bsc#1213772). * KVM: x86: synthesize CPUID leaf 0x80000021h if useful (bsc#1213772). * KVM: x86: work around QEMU issue with synthetic CPUID leaves (git-fixes). * NFS: Fix O_DIRECT locking issues (bsc#1211162). * NFS: Fix a few more clear_bit() instances that need release semantics (bsc#1211162). * NFS: Fix a potential data corruption (bsc#1211162). * NFS: Fix a use after free in nfs_direct_join_group() (bsc#1211162). * NFS: Fix error handling for O_DIRECT write scheduling (bsc#1211162). * NFS: More O_DIRECT accounting fixes for error paths (bsc#1211162). * NFS: More fixes for nfs_direct_write_reschedule_io() (bsc#1211162). * NFS: Use the correct commit info in nfs_join_page_group() (bsc#1211162). * NFS: only issue commit in DIO codepath if we have uncommitted data (bsc#1211162). * NFSD: Never call nfsd_file_gc() in foreground paths (bsc#1215545). * RDMA/cma: Fix truncation compilation warning in make_cma_ports (git-fixes) * RDMA/cma: Initialize ib_sa_multicast structure to 0 when join (git-fixes) * RDMA/core: Require admin capabilities to set system parameters (git-fixes) * RDMA/cxgb4: Check skb value for failure to allocate (git-fixes) * RDMA/mlx5: Fix NULL string error (git-fixes) * RDMA/mlx5: Fix mutex unlocking on error flow for steering anchor creation (git-fixes) * RDMA/siw: Fix connection failure handling (git-fixes) * RDMA/srp: Do not call scsi_done() from srp_abort() (git-fixes) * RDMA/uverbs: Fix typo of sizeof argument (git-fixes) * arm64/smmu: use TLBI ASID when invalidating entire range (bsc#1215921) * ata: libata-core: Do not register PM operations for SAS ports (git-fixes). * ata: libata-core: Fix ata_port_request_pm() locking (git-fixes). * ata: libata-core: Fix port and device removal (git-fixes). * ata: libata-sata: increase PMP SRST timeout to 10s (git-fixes). * ata: libata-scsi: ignore reserved bits for REPORT SUPPORTED OPERATION CODES (git-fixes). * blk-cgroup: Fix NULL deref caused by blkg_policy_data being installed before init (bsc#1216062). * blk-cgroup: support to track if policy is online (bsc#1216062). * bonding: Fix extraction of ports from the packet headers (bsc#1214754). * bonding: Return pointer to data after pull on skb (bsc#1214754). * bonding: do not assume skb mac_header is set (bsc#1214754). * bpf: Add copy_map_value_long to copy to remote percpu memory (git-fixes). * bpf: Add missing btf_put to register_btf_id_dtor_kfuncs (git-fixes). * bpf: Add override check to kprobe multi link attach (git-fixes). * bpf: Add zero_map_value to zero map value with special fields (git-fixes). * bpf: Cleanup check_refcount_ok (git-fixes). * bpf: Fix max stack depth check for async callbacks (git-fixes). * bpf: Fix offset calculation error in __copy_map_value and zero_map_value (git-fixes). * bpf: Fix ref_obj_id for dynptr data slices in verifier (git-fixes). * bpf: Fix resetting logic for unreferenced kptrs (git-fixes). * bpf: Fix subprog idx logic in check_max_stack_depth (git-fixes). * bpf: Gate dynptr API behind CAP_BPF (git-fixes). * bpf: Prevent decl_tag from being referenced in func_proto arg (git-fixes). * bpf: Repeat check_max_stack_depth for async callbacks (git-fixes). * bpf: Tighten ptr_to_btf_id checks (git-fixes). * bpf: fix precision propagation verbose logging (git-fixes). * bpf: prevent decl_tag from being referenced in func_proto (git-fixes). * bpf: propagate precision across all frames, not just the last one (git- fixes). * bpf: propagate precision in ALU/ALU64 operations (git-fixes). * bpf: propagate precision in ALU/ALU64 operations (git-fixes). * btf: Export bpf_dynptr definition (git-fixes). * btrfs: do not start transaction for scrub if the fs is mounted read-only (bsc#1214874). * bus: ti-sysc: Fix missing AM35xx SoC matching (git-fixes). * bus: ti-sysc: Use fsleep() instead of usleep_range() in sysc_reset() (git- fixes). * ceph: add base64 endcoding routines for encrypted names (jsc#SES-1880). * ceph: add encryption support to writepage and writepages (jsc#SES-1880). * ceph: add fscrypt ioctls and ceph.fscrypt.auth vxattr (jsc#SES-1880). * ceph: add helpers for converting names for userland presentation (jsc#SES-1880). * ceph: add infrastructure for file encryption and decryption (jsc#SES-1880). * ceph: add new mount option to enable sparse reads (jsc#SES-1880). * ceph: add object version support for sync read (jsc#SES-1880). * ceph: add read/modify/write to ceph_sync_write (jsc#SES-1880). * ceph: add some fscrypt guardrails (jsc#SES-1880). * ceph: add support for encrypted snapshot names (jsc#SES-1880). * ceph: add support to readdir for encrypted names (jsc#SES-1880). * ceph: add truncate size handling support for fscrypt (jsc#SES-1880). * ceph: align data in pages in ceph_sync_write (jsc#SES-1880). * ceph: allow encrypting a directory while not having Ax caps (jsc#SES-1880). * ceph: create symlinks with encrypted and base64-encoded targets (jsc#SES-1880). * ceph: decode alternate_name in lease info (jsc#SES-1880). * ceph: do not use special DIO path for encrypted inodes (jsc#SES-1880). * ceph: drop messages from MDS when unmounting (jsc#SES-1880). * ceph: encode encrypted name in ceph_mdsc_build_path and dentry release (jsc#SES-1880). * ceph: fix incorrect revoked caps assert in ceph_fill_file_size() (bsc#1216322). * ceph: fix type promotion bug on 32bit systems (bsc#1216324). * ceph: fix updating i_truncate_pagecache_size for fscrypt (jsc#SES-1880). * ceph: fscrypt_auth handling for ceph (jsc#SES-1880). * ceph: handle fscrypt fields in cap messages from MDS (jsc#SES-1880). * ceph: implement -o test_dummy_encryption mount option (jsc#SES-1880). * ceph: invalidate pages when doing direct/sync writes (jsc#SES-1880). * ceph: make ceph_fill_trace and ceph_get_name decrypt names (jsc#SES-1880). * ceph: make ceph_msdc_build_path use ref-walk (jsc#SES-1880). * ceph: make d_revalidate call fscrypt revalidator for encrypted dentries (jsc#SES-1880). * ceph: make ioctl cmds more readable in debug log (jsc#SES-1880). * ceph: make num_fwd and num_retry to __u32 (jsc#SES-1880). * ceph: mark directory as non-complete after loading key (jsc#SES-1880). * ceph: pass the request to parse_reply_info_readdir() (jsc#SES-1880). * ceph: plumb in decryption during reads (jsc#SES-1880). * ceph: preallocate inode for ops that may create one (jsc#SES-1880). * ceph: prevent snapshot creation in encrypted locked directories (jsc#SES-1880). * ceph: remove unnecessary check for NULL in parse_longname() (bsc#1216333). * ceph: send alternate_name in MClientRequest (jsc#SES-1880). * ceph: set DCACHE_NOKEY_NAME flag in ceph_lookup/atomic_open() (jsc#SES-1880). * ceph: size handling in MClientRequest, cap updates and inode traces (jsc#SES-1880). * ceph: switch ceph_lookup/atomic_open() to use new fscrypt helper (jsc#SES-1880). * ceph: use osd_req_op_extent_osd_iter for netfs reads (jsc#SES-1880). * ceph: voluntarily drop Xx caps for requests those touch parent mtime (jsc#SES-1880). * ceph: wait for OSD requests' callbacks to finish when unmounting (jsc#SES-1880). * cgroup/cpuset: Change references of cpuset_mutex to cpuset_rwsem (bsc#1215955). * cgroup: Remove duplicates in cgroup v1 tasks file (bsc#1211307). * clk: tegra: fix error return case for recalc_rate (git-fixes). * counter: microchip-tcb-capture: Fix the use of internal GCLK logic (git- fixes). * crypto: qat - Include algapi.h for low-level Crypto API (PED-6401). * crypto: qat - Remove unused function declarations (PED-6401). * crypto: qat - add fw_counters debugfs file (PED-6401). * crypto: qat - add heartbeat counters check (PED-6401). * crypto: qat - add heartbeat feature (PED-6401). * crypto: qat - add internal timer for qat 4xxx (PED-6401). * crypto: qat - add measure clock frequency (PED-6401). * crypto: qat - add missing function declaration in adf_dbgfs.h (PED-6401). * crypto: qat - add qat_zlib_deflate (PED-6401). * crypto: qat - add support for 402xx devices (PED-6401). * crypto: qat - change value of default idle filter (PED-6401). * crypto: qat - delay sysfs initialization (PED-6401). * crypto: qat - do not export adf_init_admin_pm() (PED-6401). * crypto: qat - drop log level of msg in get_instance_node() (PED-6401). * crypto: qat - drop obsolete heartbeat interface (PED-6401). * crypto: qat - drop redundant adf_enable_aer() (PED-6401). * crypto: qat - expose pm_idle_enabled through sysfs (PED-6401). * crypto: qat - extend buffer list logic interface (PED-6401). * crypto: qat - extend configuration for 4xxx (PED-6401). * crypto: qat - fix apply custom thread-service mapping for dc service (PED-6401). * crypto: qat - fix concurrency issue when device state changes (PED-6401). * crypto: qat - fix crypto capability detection for 4xxx (PED-6401). * crypto: qat - fix spelling mistakes from 'bufer' to 'buffer' (PED-6401). * crypto: qat - make fw images name constant (PED-6401). * crypto: qat - make state machine functions static (PED-6401). * crypto: qat - move dbgfs init to separate file (PED-6401). * crypto: qat - move returns to default case (PED-6401). * crypto: qat - refactor device restart logic (PED-6401). * crypto: qat - refactor fw config logic for 4xxx (PED-6401). * crypto: qat - remove ADF_STATUS_PF_RUNNING flag from probe (PED-6401). * crypto: qat - replace state machine calls (PED-6401). * crypto: qat - replace the if statement with min() (PED-6401). * crypto: qat - set deprecated capabilities as reserved (PED-6401). * crypto: qat - unmap buffer before free for DH (PED-6401). * crypto: qat - unmap buffers before free for RSA (PED-6401). * crypto: qat - update slice mask for 4xxx devices (PED-6401). * crypto: qat - use kfree_sensitive instead of memset/kfree() (PED-6401). * dmaengine: idxd: use spin_lock_irqsave before wait_event_lock_irq (git- fixes). * dmaengine: mediatek: Fix deadlock caused by synchronize_irq() (git-fixes). * dmaengine: stm32-mdma: abort resume if no ongoing transfer (git-fixes). * drm/amd/display: Do not check registers, if using AUX BL control (git- fixes). * drm/amd/display: Do not set dpms_off for seamless boot (git-fixes). * drm/amd/pm: add unique_id for gc 11.0.3 (git-fixes). * drm/amd: Fix detection of _PR3 on the PCIe root port (git-fixes). * drm/amdgpu/nbio4.3: set proper rmmio_remap.reg_offset for SR-IOV (git- fixes). * drm/amdgpu/soc21: do not remap HDP registers for SR-IOV (git-fixes). * drm/amdgpu: Handle null atom context in VBIOS info ioctl (git-fixes). * drm/amdgpu: add missing NULL check (git-fixes). * drm/amdkfd: Flush TLB after unmapping for GFX v9.4.3 (git-fixes). * drm/amdkfd: Insert missing TLB flush on GFX10 and later (git-fixes). * drm/amdkfd: Use gpu_offset for user queue's wptr (git-fixes). * drm/atomic-helper: relax unregistered connector check (git-fixes). * drm/bridge: ti-sn65dsi83: Do not generate HFP/HBP/HSA and EOT packet (git- fixes). * drm/i915/gt: Fix reservation address in ggtt_reserve_guc_top (git-fixes). * drm/i915/pmu: Check if pmu is closed before stopping event (git-fixes). * drm/i915: Retry gtt fault when out of fence registers (git-fixes). * drm/mediatek: Correctly free sg_table in gem prime vmap (git-fixes). * drm/msm/dp: do not reinitialize phy unless retry during link training (git- fixes). * drm/msm/dpu: change _dpu_plane_calc_bw() to use u64 to avoid overflow (git- fixes). * drm/msm/dsi: fix irq_of_parse_and_map() error checking (git-fixes). * drm/msm/dsi: skip the wait for video mode done if not applicable (git- fixes). * drm/vmwgfx: fix typo of sizeof argument (git-fixes). * drm: panel-orientation-quirks: Add quirk for One Mix 2S (git-fixes). * firmware/imx-dsp: Fix use_after_free in imx_dsp_setup_channels() (git- fixes). * firmware: arm_ffa: Do not set the memory region attributes for MEM_LEND (git-fixes). * firmware: imx-dsp: Fix an error handling path in imx_dsp_setup_channels() (git-fixes). * fix x86/mm: print the encryption features in hyperv is disabled * fprobe: Ensure running fprobe_exit_handler() finished before calling rethook_free() (git-fixes). * fscrypt: new helper function - fscrypt_prepare_lookup_partial() (jsc#SES-1880). * gpio: aspeed: fix the GPIO number passed to pinctrl_gpio_set_config() (git- fixes). * gpio: pmic-eic-sprd: Add can_sleep flag for PMIC EIC chip (git-fixes). * gpio: pxa: disable pinctrl calls for MMP_GPIO (git-fixes). * gpio: tb10x: Fix an error handling path in tb10x_gpio_probe() (git-fixes). * gpio: timberdale: Fix potential deadlock on &tgpio->lock (git-fixes). * gpio: vf610: set value before the direction to avoid a glitch (git-fixes). * gve: Do not fully free QPL pages on prefill errors (git-fixes). * i2c: aspeed: Fix i2c bus hang in slave read (git-fixes). * i2c: i801: unregister tco_pdev in i801_probe() error path (git-fixes). * i2c: mux: Avoid potential false error message in i2c_mux_add_adapter (git- fixes). * i2c: mux: demux-pinctrl: check the return value of devm_kstrdup() (git- fixes). * i2c: mux: gpio: Add missing fwnode_handle_put() (git-fixes). * i2c: mux: gpio:Â Replace custom acpi_get_local_address() (git-fixes). * i2c: muxes: i2c-demux-pinctrl: Use of_get_i2c_adapter_by_node() (git-fixes). * i2c: muxes: i2c-mux-gpmux: Use of_get_i2c_adapter_by_node() (git-fixes). * i2c: muxes: i2c-mux-pinctrl: Use of_get_i2c_adapter_by_node() (git-fixes). * i2c: npcm7xx: Fix callback completion ordering (git-fixes). * i2c: stm32f7: Fix PEC handling in case of SMBUS transfers (git-fixes). * ieee802154: ca8210: Fix a potential UAF in ca8210_probe (git-fixes). * iio: adc: xilinx-xadc: Correct temperature offset/scale for UltraScale (git- fixes). * iio: adc: xilinx-xadc: Do not clobber preset voltage/temperature thresholds (git-fixes). * iio: exynos-adc: request second interupt only when touchscreen mode is used (git-fixes). * iio: pressure: bmp280: Fix NULL pointer exception (git-fixes). * iio: pressure: dps310: Adjust Timeout Settings (git-fixes). * iio: pressure: ms5611: ms5611_prom_is_valid false negative bug (git-fixes). * intel x86 platform vsec kABI workaround (bsc#1216202). * io_uring/fs: remove sqe->rw_flags checking from LINKAT (git-fixes). * io_uring/rw: defer fsnotify calls to task context (git-fixes). * io_uring/rw: ensure kiocb_end_write() is always called (git-fixes). * io_uring/rw: remove leftover debug statement (git-fixes). * io_uring: Replace 0-length array with flexible array (git-fixes). * io_uring: ensure REQ_F_ISREG is set async offload (git-fixes). * io_uring: fix fdinfo sqe offsets calculation (git-fixes). * io_uring: fix memory leak when removing provided buffers (git-fixes). * iommu/amd/io-pgtable: Implement map_pages io_pgtable_ops callback (bsc#1212423). * iommu/amd/io-pgtable: Implement unmap_pages io_pgtable_ops callback (bsc#1212423). * iommu/amd: Add map/unmap_pages() iommu_domain_ops callback support (bsc#1212423). * iommu/arm-smmu-v3: Fix soft lockup triggered by (bsc#1215921) * kABI: fix bpf Tighten-ptr_to_btf_id checks (git-fixes). * kabi: blkcg_policy_data fix KABI (bsc#1216062). * kabi: workaround for enum nft_trans_phase (bsc#1215104). * kprobes: Prohibit probing on CFI preamble symbol (git-fixes). * leds: Drop BUG_ON check for LED_COLOR_ID_MULTI (git-fixes). * libceph: add CEPH_OSD_OP_ASSERT_VER support (jsc#SES-1880). * libceph: add new iov_iter-based ceph_msg_data_type and ceph_osd_data_type (jsc#SES-1880). * libceph: add sparse read support to OSD client (jsc#SES-1880). * libceph: add sparse read support to msgr1 (jsc#SES-1880). * libceph: add spinlock around osd->o_requests (jsc#SES-1880). * libceph: allow ceph_osdc_new_request to accept a multi-op read (jsc#SES-1880). * libceph: define struct ceph_sparse_extent and add some helpers (jsc#SES-1880). * libceph: new sparse_read op, support sparse reads on msgr2 crc codepath (jsc#SES-1880). * libceph: support sparse reads on msgr2 secure codepath (jsc#SES-1880). * libceph: use kernel_connect() (bsc#1216323). * misc: fastrpc: Clean buffers on remote invocation failures (git-fixes). * mm, memcg: reconsider kmem.limit_in_bytes deprecation (bsc#1208788 bsc#1213705). * mmc: core: Capture correct oemid-bits for eMMC cards (git-fixes). * mmc: core: sdio: hold retuning if sdio in 1-bit mode (git-fixes). * mmc: mtk-sd: Use readl_poll_timeout_atomic in msdc_reset_hw (git-fixes). * mtd: physmap-core: Restore map_rom fallback (git-fixes). * mtd: rawnand: arasan: Ensure program page operations are successful (git- fixes). * mtd: rawnand: marvell: Ensure program page operations are successful (git- fixes). * mtd: rawnand: pl353: Ensure program page operations are successful (git- fixes). * mtd: rawnand: qcom: Unmap the right resource upon probe failure (git-fixes). * mtd: spinand: micron: correct bitmask for ecc status (git-fixes). * net/sched: fix netdevice reference leaks in attach_default_qdiscs() (git- fixes). * net: ieee802154: adf7242: Fix some potential buffer overflow in adf7242_stats_show() (git-fixes). * net: mana: Fix TX CQE error handling (bsc#1215986). * net: mana: Fix oversized sge0 for GSO packets (bsc#1215986). * net: nfc: llcp: Add lock when modifying device list (git-fixes). * net: rfkill: gpio: prevent value glitch during probe (git-fixes). * net: sched: add barrier to fix packet stuck problem for lockless qdisc (bsc#1216345). * net: sched: fixed barrier to prevent skbuff sticking in qdisc backlog (bsc#1216345). * net: usb: dm9601: fix uninitialized variable use in dm9601_mdio_read (git- fixes). * net: usb: smsc75xx: Fix uninit-value access in __smsc75xx_read_reg (git- fixes). * net: usb: smsc75xx: Fix uninit-value access in __smsc75xx_read_reg (git- fixes). * net: usb: smsc95xx: Fix an error code in smsc95xx_reset() (git-fixes). * net: usb: smsc95xx: Fix uninit-value access in smsc95xx_read_reg (git- fixes). * net: use sk_is_tcp() in more places (git-fixes). * netfilter: nf_tables: add NFT_TRANS_PREPARE_ERROR to deal with bound set/chain (git-fixes). * netfilter: nf_tables: unbind non-anonymous set if rule construction fails (git-fixes). * nfc: nci: assert requested protocol is valid (git-fixes). * nfc: nci: fix possible NULL pointer dereference in send_acknowledge() (git- fixes). * nilfs2: fix potential use after free in nilfs_gccache_submit_read_data() (git-fixes). * nvme-fc: Prevent null pointer dereference in nvme_fc_io_getuuid() (bsc#1214842). * phy: mapphone-mdm6600: Fix pinctrl_pm handling for sleep pins (git-fixes). * phy: mapphone-mdm6600: Fix runtime PM for remove (git-fixes). * phy: mapphone-mdm6600: Fix runtime disable on probe (git-fixes). * pinctrl: avoid unsafe code pattern in find_pinctrl() (git-fixes). * pinctrl: renesas: rzn1: Enable missing PINMUX (git-fixes). * platform/surface: platform_profile: Propagate error if profile registration fails (git-fixes). * platform/x86/intel/pmt: Ignore uninitialized entries (bsc#1216202). * platform/x86/intel/pmt: telemetry: Fix fixed region handling (bsc#1216202). * platform/x86/intel/vsec: Rework early hardware code (bsc#1216202). * platform/x86/intel: Fix 'rmmod pmt_telemetry' panic (bsc#1216202). * platform/x86/intel: Fix pmt_crashlog array reference (bsc#1216202). * platform/x86: asus-wmi: Change ASUS_WMI_BRN_DOWN code from 0x20 to 0x2e (git-fixes). * platform/x86: asus-wmi: Map 0x2a code, Ignore 0x2b and 0x2c events (git- fixes). * platform/x86: think-lmi: Fix reference leak (git-fixes). * platform/x86: touchscreen_dmi: Add info for the Positivo C4128B (git-fixes). * power: supply: ucs1002: fix error code in ucs1002_get_property() (git- fixes). * quota: Fix slow quotaoff (bsc#1216621). * r8152: Cancel hw_phy_work if we have an error in probe (git-fixes). * r8152: Increase USB control msg timeout to 5000ms as per spec (git-fixes). * r8152: Release firmware if we have an error in probe (git-fixes). * r8152: Run the unload routine if we have errors during probe (git-fixes). * r8152: check budget for r8152_poll() (git-fixes). * regmap: fix NULL deref on lookup (git-fixes). * regmap: rbtree: Fix wrong register marked as in-cache when creating new node (git-fixes). * ring-buffer: Avoid softlockup in ring_buffer_resize() (git-fixes). * ring-buffer: Do not attempt to read past "commit" (git-fixes). * ring-buffer: Fix bytes info in per_cpu buffer stats (git-fixes). * ring-buffer: Update "shortest_full" in polling (git-fixes). * s390/cio: fix a memleak in css_alloc_subchannel (git-fixes bsc#1216510). * s390/pci: fix iommu bitmap allocation (git-fixes bsc#1216511). * s390: add z16 elf platform (git-fixes LTC#203789 bsc#1215956 LTC#203788 bsc#1215957). * sched/cpuset: Bring back cpuset_mutex (bsc#1215955). * sched/deadline,rt: Remove unused parameter from pick_next_[rt|dl]_entity() (git fixes (sched)). * sched/rt: Fix live lock between select_fallback_rq() and RT push (git fixes (sched)). * sched/rt: Fix sysctl_sched_rr_timeslice intial value (git fixes (sched)). * scsi: be2iscsi: Add length check when parsing nlattrs (git-fixes). * scsi: fcoe: Fix potential deadlock on &fip->ctlr_lock (git-fixes). * scsi: iscsi: Add length check for nlattr payload (git-fixes). * scsi: iscsi: Add strlen() check in iscsi_if_set{_host}_param() (git-fixes). * scsi: iscsi_tcp: restrict to TCP sockets (git-fixes). * scsi: mpi3mr: Propagate sense data for admin queue SCSI I/O (git-fixes). * scsi: mpt3sas: Perform additional retries if doorbell read returns 0 (git- fixes). * scsi: pm8001: Setup IRQs on resume (git-fixes). * scsi: qedf: Do not touch __user pointer in qedf_dbg_debug_cmd_read() directly (git-fixes). * scsi: qedf: Do not touch __user pointer in qedf_dbg_fp_int_cmd_read() directly (git-fixes). * scsi: qedf: Do not touch __user pointer in qedf_dbg_stop_io_on_error_cmd_read() directly (git-fixes). * scsi: qedi: Fix potential deadlock on &qedi_percpu->p_work_lock (git-fixes). * scsi: qla4xxx: Add length check when parsing nlattrs (git-fixes). * selftests/bpf: Add more tests for check_max_stack_depth bug (git-fixes). * selftests/bpf: Add reproducer for decl_tag in func_proto argument (git- fixes). * selftests/bpf: Add reproducer for decl_tag in func_proto return type (git- fixes). * selftests/bpf: Add selftest for check_stack_max_depth bug (git-fixes). * selftests/bpf: Clean up sys_nanosleep uses (git-fixes). * serial: 8250_port: Check IRQ data before use (git-fixes). * soc: imx8m: Enable OCOTP clock for imx8mm before reading registers (git- fixes). * spi: nxp-fspi: reset the FLSHxCR1 registers (git-fixes). * spi: stm32: add a delay before SPI disable (git-fixes). * spi: sun6i: fix race between DMA RX transfer completion and RX FIFO drain (git-fixes). * spi: sun6i: reduce DMA RX transfer width to single byte (git-fixes). * thunderbolt: Check that lane 1 is in CL0 before enabling lane bonding (git- fixes). * thunderbolt: Restart XDomain discovery handshake after failure (git-fixes). * thunderbolt: Workaround an IOMMU fault on certain systems with Intel Maple Ridge (git-fixes). * tracing: Have current_trace inc the trace array ref count (git-fixes). * tracing: Have event inject files inc the trace array ref count (git-fixes). * tracing: Have option files inc the trace array ref count (git-fixes). * tracing: Have tracing_max_latency inc the trace array ref count (git-fixes). * tracing: Increase trace array ref count on enable and filter files (git- fixes). * tracing: Make trace_marker{,_raw} stream-like (git-fixes). * treewide: Spelling fix in comment (git-fixes). * usb: cdnsp: Fixes issue with dequeuing not queued requests (git-fixes). * usb: dwc3: Soft reset phy on probe for host (git-fixes). * usb: gadget: ncm: Handle decoding of multiple NTB's in unwrap call (git- fixes). * usb: gadget: udc-xilinx: replace memcpy with memcpy_toio (git-fixes). * usb: hub: Guard against accesses to uninitialized BOS descriptors (git- fixes). * usb: musb: Get the musb_qh poniter after musb_giveback (git-fixes). * usb: musb: Modify the "HWVers" register address (git-fixes). * usb: serial: option: add Fibocom to DELL custom modem FM101R-GL (git-fixes). * usb: serial: option: add Telit LE910C4-WWX 0x1035 composition (git-fixes). * usb: serial: option: add entry for Sierra EM9191 with new firmware (git- fixes). * usb: typec: altmodes/displayport: Signal hpd low when exiting mode (git- fixes). * usb: typec: ucsi: Clear EVENT_PENDING bit if ucsi_send_command fails (git- fixes). * usb: xhci: xhci-ring: Use sysdev for mapping bounce buffer (git-fixes). * vmbus_testing: fix wrong python syntax for integer value comparison (git- fixes). * vringh: do not use vringh_kiov_advance() in vringh_iov_xfer() (git-fixes). * watchdog: iTCO_wdt: No need to stop the timer in probe (git-fixes). * watchdog: iTCO_wdt: Set NO_REBOOT if the watchdog is not already running (git-fixes). * wifi: cfg80211: Fix 6GHz scan configuration (git-fixes). * wifi: cfg80211: avoid leaking stack data into trace (git-fixes). * wifi: iwlwifi: Ensure ack flag is properly cleared (git-fixes). * wifi: iwlwifi: dbg_ini: fix structure packing (git-fixes). * wifi: iwlwifi: mvm: Fix a memory corruption issue (git-fixes). * wifi: mac80211: allow transmitting EAPOL frames with tainted key (git- fixes). * wifi: mt76: mt76x02: fix MT76x0 external LNA gain handling (git-fixes). * wifi: mwifiex: Fix oob check condition in mwifiex_process_rx_packet (git- fixes). * wifi: mwifiex: Fix tlv_buf_left calculation (git-fixes). * wifi: mwifiex: Sanity check tlv_len and tlv_bitmap_len (git-fixes). * x86/cpu, kvm: Add the NO_NESTED_DATA_BP feature (bsc#1213772). * x86/cpu, kvm: Add the Null Selector Clears Base feature (bsc#1213772). * x86/cpu, kvm: Add the SMM_CTL MSR not present feature (bsc#1213772). * x86/cpu, kvm: Move X86_FEATURE_LFENCE_RDTSC to its native leaf (bsc#1213772). * x86/cpu: Enable STIBP on AMD if Automatic IBRS is enabled (bsc#1213772). * x86/cpu: Support AMD Automatic IBRS (bsc#1213772). * x86/mm: Print the encryption features correctly when a paravisor is present (bsc#1206453). * x86/platform/uv: Use alternate source for socket to node data (bsc#1215696). * x86/sev: Check IOBM for IOIO exceptions from user-space (bsc#1212649). * x86/sev: Check for user-space IOIO pointing to kernel space (bsc#1212649). * x86/sev: Disable MMIO emulation from user mode (bsc#1212649). * x86/sev: Make enc_dec_hypercall() accept a size instead of npages (bsc#1214635). * xen-netback: use default TX queue size for vifs (git-fixes). * xhci: Keep interrupt disabled in initialization until host is running (git- fixes). ## Special Instructions and Notes: * Please reboot the system after installing this update. ## Patch Instructions: To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: * SUSE Linux Enterprise Live Patching 15-SP5 zypper in -t patch SUSE-SLE-Module-Live-Patching-15-SP5-2023-4375=1 Please note that this is the initial kernel livepatch without fixes itself, this package is later updated by separate standalone kernel livepatch updates. * SUSE Linux Enterprise High Availability Extension 15 SP5 zypper in -t patch SUSE-SLE-Product-HA-15-SP5-2023-4375=1 * SUSE Linux Enterprise Workstation Extension 15 SP5 zypper in -t patch SUSE-SLE-Product-WE-15-SP5-2023-4375=1 * openSUSE Leap 15.5 zypper in -t patch SUSE-2023-4375=1 openSUSE-SLE-15.5-2023-4375=1 * SUSE Linux Enterprise Micro 5.5 zypper in -t patch SUSE-SLE-Micro-5.5-2023-4375=1 * Basesystem Module 15-SP5 zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP5-2023-4375=1 * Development Tools Module 15-SP5 zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP5-2023-4375=1 * Legacy Module 15-SP5 zypper in -t patch SUSE-SLE-Module-Legacy-15-SP5-2023-4375=1 ## Package List: * SUSE Linux Enterprise Live Patching 15-SP5 (nosrc) * kernel-default-5.14.21-150500.55.36.1 * SUSE Linux Enterprise Live Patching 15-SP5 (ppc64le s390x x86_64) * kernel-default-livepatch-5.14.21-150500.55.36.1 * kernel-livepatch-5_14_21-150500_55_36-default-debuginfo-1-150500.11.5.1 * kernel-livepatch-5_14_21-150500_55_36-default-1-150500.11.5.1 * kernel-default-debuginfo-5.14.21-150500.55.36.1 * kernel-default-livepatch-devel-5.14.21-150500.55.36.1 * kernel-default-debugsource-5.14.21-150500.55.36.1 * kernel-livepatch-SLE15-SP5_Update_7-debugsource-1-150500.11.5.1 * SUSE Linux Enterprise High Availability Extension 15 SP5 (aarch64 ppc64le s390x x86_64) * dlm-kmp-default-debuginfo-5.14.21-150500.55.36.1 * gfs2-kmp-default-debuginfo-5.14.21-150500.55.36.1 * ocfs2-kmp-default-5.14.21-150500.55.36.1 * dlm-kmp-default-5.14.21-150500.55.36.1 * cluster-md-kmp-default-5.14.21-150500.55.36.1 * ocfs2-kmp-default-debuginfo-5.14.21-150500.55.36.1 * kernel-default-debuginfo-5.14.21-150500.55.36.1 * kernel-default-debugsource-5.14.21-150500.55.36.1 * cluster-md-kmp-default-debuginfo-5.14.21-150500.55.36.1 * gfs2-kmp-default-5.14.21-150500.55.36.1 * SUSE Linux Enterprise High Availability Extension 15 SP5 (nosrc) * kernel-default-5.14.21-150500.55.36.1 * SUSE Linux Enterprise Workstation Extension 15 SP5 (nosrc) * kernel-default-5.14.21-150500.55.36.1 * SUSE Linux Enterprise Workstation Extension 15 SP5 (x86_64) * kernel-default-debugsource-5.14.21-150500.55.36.1 * kernel-default-extra-debuginfo-5.14.21-150500.55.36.1 * kernel-default-debuginfo-5.14.21-150500.55.36.1 * kernel-default-extra-5.14.21-150500.55.36.1 * openSUSE Leap 15.5 (noarch nosrc) * kernel-docs-5.14.21-150500.55.36.1 * openSUSE Leap 15.5 (noarch) * kernel-devel-5.14.21-150500.55.36.1 * kernel-source-vanilla-5.14.21-150500.55.36.1 * kernel-docs-html-5.14.21-150500.55.36.1 * kernel-source-5.14.21-150500.55.36.1 * kernel-macros-5.14.21-150500.55.36.1 * openSUSE Leap 15.5 (nosrc ppc64le x86_64) * kernel-debug-5.14.21-150500.55.36.1 * openSUSE Leap 15.5 (ppc64le x86_64) * kernel-debug-devel-debuginfo-5.14.21-150500.55.36.1 * kernel-debug-debuginfo-5.14.21-150500.55.36.1 * kernel-debug-devel-5.14.21-150500.55.36.1 * kernel-debug-livepatch-devel-5.14.21-150500.55.36.1 * kernel-debug-debugsource-5.14.21-150500.55.36.1 * openSUSE Leap 15.5 (x86_64) * kernel-default-vdso-debuginfo-5.14.21-150500.55.36.1 * kernel-kvmsmall-vdso-5.14.21-150500.55.36.1 * kernel-debug-vdso-5.14.21-150500.55.36.1 * kernel-default-vdso-5.14.21-150500.55.36.1 * kernel-kvmsmall-vdso-debuginfo-5.14.21-150500.55.36.1 * kernel-debug-vdso-debuginfo-5.14.21-150500.55.36.1 * openSUSE Leap 15.5 (aarch64 ppc64le x86_64) * kernel-kvmsmall-devel-5.14.21-150500.55.36.1 * kernel-kvmsmall-debugsource-5.14.21-150500.55.36.1 * kernel-default-base-rebuild-5.14.21-150500.55.36.1.150500.6.15.3 * kernel-kvmsmall-livepatch-devel-5.14.21-150500.55.36.1 * kernel-kvmsmall-debuginfo-5.14.21-150500.55.36.1 * kernel-kvmsmall-devel-debuginfo-5.14.21-150500.55.36.1 * kernel-default-base-5.14.21-150500.55.36.1.150500.6.15.3 * openSUSE Leap 15.5 (aarch64 ppc64le s390x x86_64) * kernel-obs-qa-5.14.21-150500.55.36.1 * kselftests-kmp-default-5.14.21-150500.55.36.1 * gfs2-kmp-default-debuginfo-5.14.21-150500.55.36.1 * kernel-default-devel-5.14.21-150500.55.36.1 * reiserfs-kmp-default-5.14.21-150500.55.36.1 * kernel-obs-build-debugsource-5.14.21-150500.55.36.1 * kernel-default-optional-debuginfo-5.14.21-150500.55.36.1 * kernel-obs-build-5.14.21-150500.55.36.1 * dlm-kmp-default-debuginfo-5.14.21-150500.55.36.1 * kernel-default-livepatch-5.14.21-150500.55.36.1 * kernel-default-extra-5.14.21-150500.55.36.1 * cluster-md-kmp-default-5.14.21-150500.55.36.1 * kernel-default-livepatch-devel-5.14.21-150500.55.36.1 * kselftests-kmp-default-debuginfo-5.14.21-150500.55.36.1 * cluster-md-kmp-default-debuginfo-5.14.21-150500.55.36.1 * ocfs2-kmp-default-5.14.21-150500.55.36.1 * dlm-kmp-default-5.14.21-150500.55.36.1 * kernel-default-devel-debuginfo-5.14.21-150500.55.36.1 * kernel-default-debuginfo-5.14.21-150500.55.36.1 * reiserfs-kmp-default-debuginfo-5.14.21-150500.55.36.1 * kernel-syms-5.14.21-150500.55.36.1 * gfs2-kmp-default-5.14.21-150500.55.36.1 * kernel-default-optional-5.14.21-150500.55.36.1 * kernel-default-extra-debuginfo-5.14.21-150500.55.36.1 * ocfs2-kmp-default-debuginfo-5.14.21-150500.55.36.1 * kernel-default-debugsource-5.14.21-150500.55.36.1 * openSUSE Leap 15.5 (aarch64 ppc64le s390x x86_64 nosrc) * kernel-default-5.14.21-150500.55.36.1 * openSUSE Leap 15.5 (aarch64 nosrc ppc64le x86_64) * kernel-kvmsmall-5.14.21-150500.55.36.1 * openSUSE Leap 15.5 (ppc64le s390x x86_64) * kernel-livepatch-SLE15-SP5_Update_7-debugsource-1-150500.11.5.1 * kernel-livepatch-5_14_21-150500_55_36-default-1-150500.11.5.1 * kernel-livepatch-5_14_21-150500_55_36-default-debuginfo-1-150500.11.5.1 * openSUSE Leap 15.5 (nosrc s390x) * kernel-zfcpdump-5.14.21-150500.55.36.1 * openSUSE Leap 15.5 (s390x) * kernel-zfcpdump-debugsource-5.14.21-150500.55.36.1 * kernel-zfcpdump-debuginfo-5.14.21-150500.55.36.1 * openSUSE Leap 15.5 (nosrc) * dtb-aarch64-5.14.21-150500.55.36.1 * openSUSE Leap 15.5 (aarch64) * dlm-kmp-64kb-debuginfo-5.14.21-150500.55.36.1 * kernel-64kb-debugsource-5.14.21-150500.55.36.1 * ocfs2-kmp-64kb-5.14.21-150500.55.36.1 * reiserfs-kmp-64kb-5.14.21-150500.55.36.1 * kernel-64kb-extra-debuginfo-5.14.21-150500.55.36.1 * kernel-64kb-optional-debuginfo-5.14.21-150500.55.36.1 * dtb-allwinner-5.14.21-150500.55.36.1 * kernel-64kb-livepatch-devel-5.14.21-150500.55.36.1 * dtb-arm-5.14.21-150500.55.36.1 * ocfs2-kmp-64kb-debuginfo-5.14.21-150500.55.36.1 * kernel-64kb-devel-debuginfo-5.14.21-150500.55.36.1 * dtb-rockchip-5.14.21-150500.55.36.1 * dtb-socionext-5.14.21-150500.55.36.1 * dtb-altera-5.14.21-150500.55.36.1 * kernel-64kb-devel-5.14.21-150500.55.36.1 * dtb-broadcom-5.14.21-150500.55.36.1 * dtb-cavium-5.14.21-150500.55.36.1 * dtb-freescale-5.14.21-150500.55.36.1 * kselftests-kmp-64kb-debuginfo-5.14.21-150500.55.36.1 * dtb-lg-5.14.21-150500.55.36.1 * dtb-amlogic-5.14.21-150500.55.36.1 * kernel-64kb-debuginfo-5.14.21-150500.55.36.1 * dlm-kmp-64kb-5.14.21-150500.55.36.1 * dtb-apple-5.14.21-150500.55.36.1 * dtb-sprd-5.14.21-150500.55.36.1 * dtb-renesas-5.14.21-150500.55.36.1 * dtb-mediatek-5.14.21-150500.55.36.1 * kernel-64kb-extra-5.14.21-150500.55.36.1 * gfs2-kmp-64kb-5.14.21-150500.55.36.1 * cluster-md-kmp-64kb-debuginfo-5.14.21-150500.55.36.1 * reiserfs-kmp-64kb-debuginfo-5.14.21-150500.55.36.1 * dtb-qcom-5.14.21-150500.55.36.1 * dtb-apm-5.14.21-150500.55.36.1 * dtb-xilinx-5.14.21-150500.55.36.1 * dtb-nvidia-5.14.21-150500.55.36.1 * kselftests-kmp-64kb-5.14.21-150500.55.36.1 * dtb-exynos-5.14.21-150500.55.36.1 * kernel-64kb-optional-5.14.21-150500.55.36.1 * dtb-amd-5.14.21-150500.55.36.1 * dtb-amazon-5.14.21-150500.55.36.1 * dtb-marvell-5.14.21-150500.55.36.1 * gfs2-kmp-64kb-debuginfo-5.14.21-150500.55.36.1 * cluster-md-kmp-64kb-5.14.21-150500.55.36.1 * dtb-hisilicon-5.14.21-150500.55.36.1 * openSUSE Leap 15.5 (aarch64 nosrc) * kernel-64kb-5.14.21-150500.55.36.1 * SUSE Linux Enterprise Micro 5.5 (aarch64 nosrc s390x x86_64) * kernel-default-5.14.21-150500.55.36.1 * SUSE Linux Enterprise Micro 5.5 (aarch64 x86_64) * kernel-default-base-5.14.21-150500.55.36.1.150500.6.15.3 * SUSE Linux Enterprise Micro 5.5 (aarch64 s390x x86_64) * kernel-default-debugsource-5.14.21-150500.55.36.1 * kernel-default-debuginfo-5.14.21-150500.55.36.1 * Basesystem Module 15-SP5 (aarch64 nosrc) * kernel-64kb-5.14.21-150500.55.36.1 * Basesystem Module 15-SP5 (aarch64) * kernel-64kb-devel-debuginfo-5.14.21-150500.55.36.1 * kernel-64kb-debugsource-5.14.21-150500.55.36.1 * kernel-64kb-devel-5.14.21-150500.55.36.1 * kernel-64kb-debuginfo-5.14.21-150500.55.36.1 * Basesystem Module 15-SP5 (aarch64 ppc64le s390x x86_64 nosrc) * kernel-default-5.14.21-150500.55.36.1 * Basesystem Module 15-SP5 (aarch64 ppc64le x86_64) * kernel-default-base-5.14.21-150500.55.36.1.150500.6.15.3 * Basesystem Module 15-SP5 (aarch64 ppc64le s390x x86_64) * kernel-default-debugsource-5.14.21-150500.55.36.1 * kernel-default-devel-5.14.21-150500.55.36.1 * kernel-default-devel-debuginfo-5.14.21-150500.55.36.1 * kernel-default-debuginfo-5.14.21-150500.55.36.1 * Basesystem Module 15-SP5 (noarch) * kernel-macros-5.14.21-150500.55.36.1 * kernel-devel-5.14.21-150500.55.36.1 * Basesystem Module 15-SP5 (nosrc s390x) * kernel-zfcpdump-5.14.21-150500.55.36.1 * Basesystem Module 15-SP5 (s390x) * kernel-zfcpdump-debugsource-5.14.21-150500.55.36.1 * kernel-zfcpdump-debuginfo-5.14.21-150500.55.36.1 * Development Tools Module 15-SP5 (noarch nosrc) * kernel-docs-5.14.21-150500.55.36.1 * Development Tools Module 15-SP5 (aarch64 ppc64le s390x x86_64) * kernel-obs-build-debugsource-5.14.21-150500.55.36.1 * kernel-obs-build-5.14.21-150500.55.36.1 * kernel-syms-5.14.21-150500.55.36.1 * Development Tools Module 15-SP5 (noarch) * kernel-source-5.14.21-150500.55.36.1 * Legacy Module 15-SP5 (nosrc) * kernel-default-5.14.21-150500.55.36.1 * Legacy Module 15-SP5 (aarch64 ppc64le s390x x86_64) * kernel-default-debugsource-5.14.21-150500.55.36.1 * kernel-default-debuginfo-5.14.21-150500.55.36.1 * reiserfs-kmp-default-debuginfo-5.14.21-150500.55.36.1 * reiserfs-kmp-default-5.14.21-150500.55.36.1 ## References: * https://www.suse.com/security/cve/CVE-2023-2163.html * https://www.suse.com/security/cve/CVE-2023-31085.html * https://www.suse.com/security/cve/CVE-2023-34324.html * https://www.suse.com/security/cve/CVE-2023-3777.html * https://www.suse.com/security/cve/CVE-2023-39189.html * https://www.suse.com/security/cve/CVE-2023-39191.html * https://www.suse.com/security/cve/CVE-2023-39193.html * https://www.suse.com/security/cve/CVE-2023-46813.html * https://www.suse.com/security/cve/CVE-2023-5178.html * https://bugzilla.suse.com/show_bug.cgi?id=1208788 * https://bugzilla.suse.com/show_bug.cgi?id=1211162 * https://bugzilla.suse.com/show_bug.cgi?id=1211307 * https://bugzilla.suse.com/show_bug.cgi?id=1212423 * https://bugzilla.suse.com/show_bug.cgi?id=1212649 * https://bugzilla.suse.com/show_bug.cgi?id=1213705 * https://bugzilla.suse.com/show_bug.cgi?id=1213772 * https://bugzilla.suse.com/show_bug.cgi?id=1214754 * https://bugzilla.suse.com/show_bug.cgi?id=1214874 * https://bugzilla.suse.com/show_bug.cgi?id=1215095 * https://bugzilla.suse.com/show_bug.cgi?id=1215104 * https://bugzilla.suse.com/show_bug.cgi?id=1215523 * https://bugzilla.suse.com/show_bug.cgi?id=1215545 * https://bugzilla.suse.com/show_bug.cgi?id=1215921 * https://bugzilla.suse.com/show_bug.cgi?id=1215955 * https://bugzilla.suse.com/show_bug.cgi?id=1215986 * https://bugzilla.suse.com/show_bug.cgi?id=1216062 * https://bugzilla.suse.com/show_bug.cgi?id=1216202 * https://bugzilla.suse.com/show_bug.cgi?id=1216322 * https://bugzilla.suse.com/show_bug.cgi?id=1216323 * https://bugzilla.suse.com/show_bug.cgi?id=1216324 * https://bugzilla.suse.com/show_bug.cgi?id=1216333 * https://bugzilla.suse.com/show_bug.cgi?id=1216345 * https://bugzilla.suse.com/show_bug.cgi?id=1216512 * https://bugzilla.suse.com/show_bug.cgi?id=1216621 * https://bugzilla.suse.com/show_bug.cgi?id=802154

1 0