SUSE-IU-2024:1218-1 SUSE Image security@suse.de SUSE Security Team SUSE Image SUSE-IU-2024:1218-1 Interim 1 1 2025-03-15T14:40:03Z current 2024-09-13T01:00:00Z 2024-09-13T01:00:00Z cve-database/bin/generate-cvrf-publiccloud.pl 2021-02-18T01:00:00Z Image update for SUSE-IU-2024:1218-1 / google/sle-micro-5-2-byos-v20240913-x86-64 This image update for google/sle-micro-5-2-byos-v20240913-x86-64 contains the following changes: Package 000release-packages:SUSE-MicroOS-release was updated: Package ca-certificates-mozilla was updated: - Updated to 2.68 state of Mozilla SSL root CAs (bsc#1227525) - Added: FIRMAPROFESIONAL CA ROOT-A WEB - Distrust: GLOBALTRUST 2020 - Updated to 2.66 state of Mozilla SSL root CAs (bsc#1220356) Added: - CommScope Public Trust ECC Root-01 - CommScope Public Trust ECC Root-02 - CommScope Public Trust RSA Root-01 - CommScope Public Trust RSA Root-02 - D-Trust SBR Root CA 1 2022 - D-Trust SBR Root CA 2 2022 - Telekom Security SMIME ECC Root 2021 - Telekom Security SMIME RSA Root 2023 - Telekom Security TLS ECC Root 2020 - Telekom Security TLS RSA Root 2023 - TrustAsia Global Root CA G3 - TrustAsia Global Root CA G4 Removed: - Autoridad de Certificacion Firmaprofesional CIF A62634068 - Chambers of Commerce Root - 2008 - Global Chambersign Root - 2008 - Security Communication Root CA - Symantec Class 1 Public Primary Certification Authority - G6 - Symantec Class 2 Public Primary Certification Authority - G6 - TrustCor ECA-1 - TrustCor RootCert CA-1 - TrustCor RootCert CA-2 - VeriSign Class 1 Public Primary Certification Authority - G3 - VeriSign Class 2 Public Primary Certification Authority - G3 - remove-trustcor.patch: removed, now upstream - do a versioned obsoletes of &quot;openssl-certs&quot;. Package containerd was updated: - Update to containerd v1.7.21. Upstream release notes: &lt;https://github.com/containerd/containerd/releases/tag/v1.7.21&gt; Fixes CVE-2023-47108. bsc#1217070 Fixes CVE-2023-45142. bsc#1228553 - Rebase patches: * 0001-BUILD-SLE12-revert-btrfs-depend-on-kernel-UAPI-inste.patch Package curl was updated: - Security fix: [bsc#1230093, CVE-2024-8096] * curl: OCSP stapling bypass with GnuTLS * Add curl-CVE-2024-8096.patch - Security fix: [bsc#1228535, CVE-2024-7264] * curl: ASN.1 date parser overread * Add curl-CVE-2024-7264.patch Package glib2 was updated: - Add glib2-gdbusmessage-cache-arg0.patch: cache the arg0 value in a dbus message. Fixes a possible use after free (boo#1224044). Package glibc was updated: - s390x-wcsncmp.patch: s390x: Fix segfault in wcsncmp (bsc#1228043, BZ [#31934]) Package grub2 was updated: - Fix btrfs subvolume for platform modules not mounting at runtime when the default subvolume is the topmost root tree (bsc#1228124) * grub2-btrfs-06-subvol-mount.patch - Rediff * 0001-Unify-the-check-to-enable-btrfs-relative-path.patch Package kernel-default was updated: - Update patches.suse/usb-f_fs-Fix-use-after-free-for-epfile.patch (git-fixes bsc#1228040 CVE-2022-48822). - commit 2c8d4da - ima: Fix use-after-free on a dentry's dname.name (bsc#1227716 CVE-2024-39494). - commit f6c5c97 - ASoC: topology: Fix route memory corruption (CVE-2024-41069 bsc#1228644). - commit f66560f - IB/core: Implement a limit on UMAD receive List (bsc#1228743 CVE-2024-42145) - commit f02f32a - ASoC: topology: Fix references to freed memory (CVE-2024-41069 bsc#1228644). - commit 92df0ca - hfsplus: fix uninit-value in copy_name (bsc#1228561 CVE-2024-41059). - commit 97ed148 - dmaengine: idxd: Fix possible Use-After-Free in irq_process_work_list (CVE-2024-40956 bsc#1227810). - commit 26f1077 - ocfs2: fix DIO failure due to insufficient transaction credits (bsc#1216834). - commit 300f953 - SUNRPC: Fix UAF in svc_tcp_listen_data_ready() (CVE-2023-52885 bsc#1227750). - commit e97b8a4 - scsi: pm8001: Fix use-after-free for aborted SSP/STP sas_task (bsc#1228013 CVE-2022-48792). - commit e1a6b29 - tap: add missing verification for short frame (CVE-2024-41090 bsc#1228328). - commit ebf78ce - ipv6: fix another slab-out-of-bounds in fib6_nh_flush_exceptions (CVE-2021-47291 bsc#1224918). - ipv6: Fix KASAN: slab-out-of-bounds Read in fib6_nh_flush_exceptions (bsc#1224918 CVE-2021-47126 bsc#1221539). - commit 8e8ce7c - drm/amdkfd: don't allow mapping the MMIO HDP page with large pages (CVE-2024-41011 bsc#1228115). - commit 71f4e95 - sch_cake: do not call cake_destroy() from cake_init() (CVE-2021-47598 bsc#1226574). - commit bd20b3c - scsi: scsi_debug: Fix type in min_t to avoid stack OOB (bsc#1226550 CVE-2021-47580). - scsi: scsi_debug: Fix out-of-bound read in resp_report_tgtpgs() (bsc#1222824 CVE-2021-47219). - commit 2e165bd - X.509: Fix the parser of extended key usage for length (bsc#1218820 bsc#1226666). - commit 2d78310 - gve: Clear napi-&gt;skb before dev_kfree_skb_any() (CVE-2024-40937 bsc#1227836). - commit 2df93fe - Update References patches.suse/Bluetooth-SMP-Fail-if-remote-and-local-public-keys-a.patch (bsc#1186463 CVE-2021-0129 CVE-2020-26558 bsc#1179610 CVE-2020-26558). - commit d06a0d0 - Update patches.suse/Bluetooth-SMP-Fail-if-remote-and-local-public-keys-a.patch (bsc#1186463 CVE-2021-0129 CVE-2020-26558 bsc#1179610 CVE-2020-26558). - commit 9cfc088 - misc: fastrpc: avoid double fput() on failed usercopy (CVE-2022-48821 bsc#1227976). - commit 57e770a - Update patches.suse/tls-fix-use-after-free-on-failed-backlog-decryption.patch (CVE-2024-26583 CVE-2024-26584 bsc#1220185 bsc#1220186 CVE-2024-26800 bsc#1222728). - commit 72c3b29 - Update patches.suse/powerpc-powernv-Add-a-null-pointer-check-in-opal_eve.patch (bsc#1065729 CVE-2023-52686 bsc#1224682). - Update patches.suse/scsi-qedf-Ensure-the-copied-buf-is-NUL-terminated.patch (bsc#1226758 CVE-2024-38559 bsc#1226785). - commit 53c517e - nfsd: fix use-after-free due to delegation race (CVE-2021-47506 bsc#1225404 bsc#1227497). - commit b195c7b - Update patches.suse/net-tls-factor-out-tls_-crypt_async_wait.patch. - fix build warning - commit 7f81dcf - Fix spurious WARNING caused by a qxl driver patch (bsc#1227213) Refresh patches.suse/drm-qxl-fix-UAF-on-handle-creation.patch - commit e245863 - Update patches.suse/scsi-qedf-Ensure-the-copied-buf-is-NUL-terminated.patch (bsc#1226785 CVE-2024-38559). Fix incorrect bug reference. - commit 7bd70b9 - can: pch_can: pch_can_rx_normal: fix use after free (bsc#1225431 CVE-2021-47520). - commit 0094102 - powerpc/rtas: Prevent Spectre v1 gadget construction in sys_rtas() (bsc#1227487). - commit 74bce38 - blacklist.conf: - commit cdd4002 - NFS: Don't overfill uncached readdir pages (bsc#1226662). - commit d0f2933 - tls: fix use-after-free on failed backlog decryption (CVE-2024-26583 CVE-2024-26584 bsc#1220185 bsc#1220186). - tls: separate no-async decryption request handling from async (CVE-2024-26583 CVE-2024-26584 bsc#1220185 bsc#1220186). - tls: decrement decrypt_pending if no async completion will be called (CVE-2024-26583 CVE-2024-26584 bsc#1220185 bsc#1220186). - net: tls: handle backlogging of crypto requests (CVE-2024-26584 bsc#1220186). - tls: fix race between tx work scheduling and socket close (CVE-2024-26585 bsc#1220187). - tls: fix race between async notify and socket close (CVE-2024-26583 bsc#1220185). - net: tls: factor out tls_*crypt_async_wait() (CVE-2024-26583 CVE-2024-26584 bsc#1220185 bsc#1220186). - net: tls: fix async vs NIC crypto offload (CVE-2024-26583 CVE-2024-26584 bsc#1220185 bsc#1220186). - tls: rx: use async as an in-out argument (CVE-2024-26583 CVE-2024-26584 bsc#1220185 bsc#1220186). - tls: rx: assume crypto always calls our callback (CVE-2024-26583 CVE-2024-26584 bsc#1220185 bsc#1220186). - tls: rx: don't track the async count (CVE-2024-26583 CVE-2024-26584 bsc#1220185 bsc#1220186). - tls: rx: simplify async wait (CVE-2024-26583 CVE-2024-26584 bsc#1220185 bsc#1220186). - tls: rx: wrap decryption arguments in a structure (CVE-2024-26583 CVE-2024-26584 bsc#1220185 bsc#1220186). - tls: rx: don't report text length from the bowels of decrypt (CVE-2024-26583 CVE-2024-26584 bsc#1220185 bsc#1220186). - tls: rx: drop unnecessary arguments from tls_setup_from_iter() (CVE-2024-26583 CVE-2024-26584 bsc#1220185 bsc#1220186). - net/tls: race causes kernel panic (CVE-2024-26583 CVE-2024-26584 bsc#1220185 bsc#1220186). - commit cf4818b - Delete patches.suse/tls-fix-race-between-tx-work-scheduling-and-socket-c.patch. Will be replaced with refreshed version once all conflicting patches are in. - commit e1dd229 - dm btree remove: fix use after free in rebalance_children() (CVE-2021-47600, bsc#1226575). - commit 088e9db Package openssl-1_1 was updated: - Security fix: [bsc#1227138, CVE-2024-5535] * SSL_select_next_proto buffer overread * Add openssl-CVE-2024-5535.patch Package snapper was updated: - handle content-length of stomp in zypper plugin (gh#openSUSE/snapper#918) (bsc#1229142) * added pr919.patch * added pr920.patch Package libsolv was updated: - removed dependency on external find program in the repo2solv tool- bindings: fix return value of repodata.add_solv() - new SOLVER_FLAG_FOCUS_NEW flag - bump version to 0.7.30 Package libzypp was updated: - Make sure not to statically linked installed tools (bsc#1228787)- version 17.35.8 (35) - MediaPluginType must be resolved to a valid MediaHandler (bsc#1228208) - version 17.35.7 (35) - Export CredentialManager for legacy YAST versions (bsc#1228420) - version 17.35.6 (35) - Export asSolvable for YAST (bsc#1228420) - Fix 4 typos in zypp.conf. - version 17.35.5 (35) - Fix typo in the geoip update pipeline (bsc#1228206) - Export RepoVariablesStringReplacer for yast2 (bsc#1228138) - version 17.35.4 (35) - Translation: updated .pot file. - Conflict with python zypp-plugin &lt; 0.6.4 (bsc#1227793) Older zypp-plugins reject stomp headers including a '-'. Like the 'content-length' header we may send. - Fix int overflow in Provider (fixes #559) This patch fixes an issue in safe_strtonum which caused timestamps to overflow in the Provider message parser. - Fix error reporting on repoindex.xml parse error (bsc#1227625) - version 17.35.3 (35) - Keep UrlResolverPlugin API public (fixes #560) - Blacklist /snap executables for 'zypper ps' (bsc#1226014) - Fix handling of buddies when applying locks (bsc#1225267) Buddy pairs (like -release package and product) internally share the same status object. When applying locks from query results the locked bit must be set if either item is locked. - version 17.35.2 (35) - Install zypp/APIConfig.h legacy include (fixes #557) - version 17.35.1 (35) - Update soname due to RepoManager refactoring and cleanup. - version 17.35.0 (35) - Workaround broken libsolv-tools-base requirements (fixes openSUSE/zypper#551) - Strip ssl_clientkey from repo urls (bsc#1226030) - Remove protobuf build dependency. - Lazily attach medium during refresh workflows (bsc#1223094) - Refactor RepoManager and add Service workflows. - version 17.34.2 (34) Package pam was updated: - Prevent cursor escape from the login prompt [bsc#1194818] * Added: pam-bsc1194818-cursor-escape.patch Package python-PyYAML was updated: Package python-setuptools was updated: - Add patch CVE-2024-6345-code-execution-via-download-funcs.patch: * Sanitize any VCS URL we download. (CVE-2024-6345, bsc#1228105) Package zypp-plugin was updated: - Fix stomp header regex to include '-' (bsc#1227793)- version 0.6.4 - singlespec in Tumbleweed must support multiple python3 flavors in the future gh#openSUSE/python-rpm-macros#66 - Provide python3-zypp-plugin down to SLE12 (bsc#1081596) - Provide python3-zypp-plugin in SLE12-SP3 (bsc#1081596) Package runc was updated: [ This was only ever released for SLES and Leap. ]- Update to runc v1.1.14. Upstream changelog is available from &lt;https://github.com/opencontainers/runc/releases/tag/v1.1.14&gt;. Includes the patch for CVE-2024-45310. bsc#1230092 - Rebase patches: * 0001-bsc1221050-libct-seccomp-patchbpf-rm-duplicated-code.patch * 0002-bsc1221050-seccomp-patchbpf-rename-nativeArch-linuxA.patch * 0003-bsc1221050-seccomp-patchbpf-always-include-native-ar.patch * 0004-bsc1214960-nsenter-cloned_binary-remove-bindfd-logic.patch Package selinux-policy was updated: - Update to version 20210716+git63.fcc8cf99: * Fix mkhomedir_helper label to match on sbin (bsc#1229701) * allow init to run bpf programs. We do this during early startup (bsc#1215423) * Allow sysadm_t run kernel bpf programs - Packaging rework. Move policy to git repository Please use `osc service manualrun` to update this OBS package to the newest git version. * Added _service and _servicedata file that pulls from selinux-policy and tar it * Replaced old tar file: fedora-policy-20210716.tar.bz2 with tar file generated via OBS service: selinux-policy-20210716+git58.9a9cb7dc.tar.xz * Updated selinux-policy.spec to build selinux-policy with container-selinux * Removed suse specific modules as they are now covered by git commits * packagekit.te packagekit.if packagekit.fc * rebootmgr.te rebootmgr.if rebootmgr.fc * rtorrent.te rtorrent.if rtorrent.fc * wicked.te wicked.if wicked.fc * Removed *.patch as they are now covered by git commits: * fix_djbdns.patch * fix_dbus.patch * fix_java.patch * fix_hadoop.patch * fix_thunderbird.patch * fix_postfix.patch * fix_nscd.patch * fix_sysnetwork.patch * fix_logging.patch * fix_xserver.patch * fix_miscfiles.patch * fix_init.patch * fix_locallogin.patch * fix_iptables.patch * fix_irqbalance.patch * fix_ntp.patch * fix_fwupd.patch * fix_firewalld.patch * fix_logrotate.patch * fix_selinuxutil.patch * fix_corecommand.patch * fix_snapper.patch * fix_systemd.patch * fix_unconfined.patch * fix_unconfineduser.patch * fix_chronyd.patch * fix_networkmanager.patch * fix_accountsd.patch * fix_automount.patch * fix_colord.patch * fix_mcelog.patch * fix_sslh.patch * fix_nagios.patch * fix_openvpn.patch * fix_cron.patch * fix_usermanage.patch * fix_smartmon.patch * fix_geoclue.patch * fix_authlogin.patch * fix_screen.patch * fix_unprivuser.patch * fix_rpm.patch * fix_apache.patch * fix_nis.patch * fix_libraries.patch * fix_dovecot.patch * fix_cockpit.patch * fix_systemd_watch.patch * fix_kernel_sysctl.patch * fix_auditd.patch * fix_hypervkvp.patch * systemd_domain_dyntrans_type.patch * fix_cloudform.patch * sedoctool.patch * init_watch_unallocated_ttys.patch - Move update.sh to selinux-devel-tools git repository (does not need to be tracked by OBS since it is an internal tool for package update) Package supportutils was updated: - Changes to version 3.2.8 + Avoid getting duplicate kernel verifications in boot.text (pr#190) + lvm: suppress file descriptor leak warnings from lvm commands (pr#191) + docker_info: Add timestamps to container logs (pr#196) + Key value pairs and container log timestamps (bsc#1222021 PED-8211, pr#198) + Update supportconfig get pam.d sorted (pr#199) + yast_files: Exclude .zcat (pr#201) + Sanitize grub bootloader (bsc#1227127, pr#203) + Sanitize regcodes (pr#204) + Improve product detection (pr#205) + Add read_values for s390x (bsc#1228265, pr#206) + hardware_info: Remove old alsa ver check (pr#209) + drbd_info: Fix incorrect escape of quotes (pr#210) Package suse-build-key was updated: - extended 2048 bit SUSE SLE 12, 15 GA-SP5 key until 2028. (bsc#1229339) - gpg-pubkey-39db7c82-5f68629b.asc + gpg-pubkey-39db7c82-66c5d91a.asc Package xen was updated: - bsc#1228574 - VUL-0: CVE-2024-31145: xen: error handling in x86 IOMMU identity mapping (XSA-460) xsa460.patch - bsc#1228575 - VUL-0: CVE-2024-31146: xen: PCI device pass-through with shared resources (XSA-461) xsa461.patch Package zypper was updated: - Show rpm install size before installing (bsc#1224771) If filesystem snapshots are taken before the installation (e.g. by snapper) no disk space is freed by removing old packages. In this case the install size of all packages is a hint how much additional disk space is needed by the new packages static content. - version 1.14.76 - Fix readline setup to handle Ctrl-C and Ctrl-D corrrectly (bsc#1227205) - version 1.14.75 - Let_readline_abort_on_Ctrl-C (bsc#1226493) - packages: add '--system' to show @System packages (bsc#222971) - version 1.14.74 The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). https://publiccloudimagechangeinfo.suse.com/google/sle-micro-5-2-byos-v20240913-x86-64/ Public Cloud Image Info https://www.suse.com/support/security/rating/ SUSE Security Ratings Public Cloud Image google/sle-micro-5-2-byos-v20240913-x86-64 ca-certificates-mozilla-2.68-150200.33.1 containerd-1.7.21-150000.117.1 curl-7.66.0-150200.4.78.1 docker-25.0.6_ce-150000.207.1 glib2-tools-2.62.6-150200.3.21.1 glibc-2.31-150300.86.3 glibc-locale-2.31-150300.86.3 glibc-locale-base-2.31-150300.86.3 grub2-2.04-150300.22.46.1 grub2-i386-pc-2.04-150300.22.46.1 grub2-x86_64-efi-2.04-150300.22.46.1 kernel-default-5.3.18-150300.59.170.1 libcurl4-7.66.0-150200.4.78.1 libgio-2_0-0-2.62.6-150200.3.21.1 libglib-2_0-0-2.62.6-150200.3.21.1 libgmodule-2_0-0-2.62.6-150200.3.21.1 libgobject-2_0-0-2.62.6-150200.3.21.1 libopenssl1_1-1.1.1d-150200.11.94.1 libsnapper5-0.8.16-150300.3.9.1 libsolv-tools-0.7.30-150200.37.2 libsolv-tools-base-0.7.30-150200.37.2 libyaml-0-2-0.1.7-150000.3.2.1 libzypp-17.35.8-150200.121.1 openssl-1_1-1.1.1d-150200.11.94.1 pam-1.3.0-150000.6.71.2 python3-PyYAML-5.4.1-150300.3.3.1 python3-setuptools-40.5.0-150100.6.9.1 python3-zypp-plugin-0.6.4-150200.9.3.2 runc-1.1.14-150000.70.1 selinux-policy-20210716+git63.fcc8cf99-150300.13.13.1 selinux-policy-targeted-20210716+git63.fcc8cf99-150300.13.13.1 snapper-0.8.16-150300.3.9.1 supportutils-3.2.8-150300.7.35.33.1 suse-build-key-12.0-150000.8.52.3 xen-libs-4.14.6_18-150300.3.78.1 zypper-1.14.76-150200.88.10 zypper-needs-restarting-1.14.76-150200.88.10 ca-certificates-mozilla-2.68-150200.33.1 as a component of Public Cloud Image google/sle-micro-5-2-byos-v20240913-x86-64 containerd-1.7.21-150000.117.1 as a component of Public Cloud Image google/sle-micro-5-2-byos-v20240913-x86-64 curl-7.66.0-150200.4.78.1 as a component of Public Cloud Image google/sle-micro-5-2-byos-v20240913-x86-64 docker-25.0.6_ce-150000.207.1 as a component of Public Cloud Image google/sle-micro-5-2-byos-v20240913-x86-64 glib2-tools-2.62.6-150200.3.21.1 as a component of Public Cloud Image google/sle-micro-5-2-byos-v20240913-x86-64 glibc-2.31-150300.86.3 as a component of Public Cloud Image google/sle-micro-5-2-byos-v20240913-x86-64 glibc-locale-2.31-150300.86.3 as a component of Public Cloud Image google/sle-micro-5-2-byos-v20240913-x86-64 glibc-locale-base-2.31-150300.86.3 as a component of Public Cloud Image google/sle-micro-5-2-byos-v20240913-x86-64 grub2-2.04-150300.22.46.1 as a component of Public Cloud Image google/sle-micro-5-2-byos-v20240913-x86-64 grub2-i386-pc-2.04-150300.22.46.1 as a component of Public Cloud Image google/sle-micro-5-2-byos-v20240913-x86-64 grub2-x86_64-efi-2.04-150300.22.46.1 as a component of Public Cloud Image google/sle-micro-5-2-byos-v20240913-x86-64 kernel-default-5.3.18-150300.59.170.1 as a component of Public Cloud Image google/sle-micro-5-2-byos-v20240913-x86-64 libcurl4-7.66.0-150200.4.78.1 as a component of Public Cloud Image google/sle-micro-5-2-byos-v20240913-x86-64 libgio-2_0-0-2.62.6-150200.3.21.1 as a component of Public Cloud Image google/sle-micro-5-2-byos-v20240913-x86-64 libglib-2_0-0-2.62.6-150200.3.21.1 as a component of Public Cloud Image google/sle-micro-5-2-byos-v20240913-x86-64 libgmodule-2_0-0-2.62.6-150200.3.21.1 as a component of Public Cloud Image google/sle-micro-5-2-byos-v20240913-x86-64 libgobject-2_0-0-2.62.6-150200.3.21.1 as a component of Public Cloud Image google/sle-micro-5-2-byos-v20240913-x86-64 libopenssl1_1-1.1.1d-150200.11.94.1 as a component of Public Cloud Image google/sle-micro-5-2-byos-v20240913-x86-64 libsnapper5-0.8.16-150300.3.9.1 as a component of Public Cloud Image google/sle-micro-5-2-byos-v20240913-x86-64 libsolv-tools-0.7.30-150200.37.2 as a component of Public Cloud Image google/sle-micro-5-2-byos-v20240913-x86-64 libsolv-tools-base-0.7.30-150200.37.2 as a component of Public Cloud Image google/sle-micro-5-2-byos-v20240913-x86-64 libyaml-0-2-0.1.7-150000.3.2.1 as a component of Public Cloud Image google/sle-micro-5-2-byos-v20240913-x86-64 libzypp-17.35.8-150200.121.1 as a component of Public Cloud Image google/sle-micro-5-2-byos-v20240913-x86-64 openssl-1_1-1.1.1d-150200.11.94.1 as a component of Public Cloud Image google/sle-micro-5-2-byos-v20240913-x86-64 pam-1.3.0-150000.6.71.2 as a component of Public Cloud Image google/sle-micro-5-2-byos-v20240913-x86-64 python3-PyYAML-5.4.1-150300.3.3.1 as a component of Public Cloud Image google/sle-micro-5-2-byos-v20240913-x86-64 python3-setuptools-40.5.0-150100.6.9.1 as a component of Public Cloud Image google/sle-micro-5-2-byos-v20240913-x86-64 python3-zypp-plugin-0.6.4-150200.9.3.2 as a component of Public Cloud Image google/sle-micro-5-2-byos-v20240913-x86-64 runc-1.1.14-150000.70.1 as a component of Public Cloud Image google/sle-micro-5-2-byos-v20240913-x86-64 selinux-policy-20210716+git63.fcc8cf99-150300.13.13.1 as a component of Public Cloud Image google/sle-micro-5-2-byos-v20240913-x86-64 selinux-policy-targeted-20210716+git63.fcc8cf99-150300.13.13.1 as a component of Public Cloud Image google/sle-micro-5-2-byos-v20240913-x86-64 snapper-0.8.16-150300.3.9.1 as a component of Public Cloud Image google/sle-micro-5-2-byos-v20240913-x86-64 supportutils-3.2.8-150300.7.35.33.1 as a component of Public Cloud Image google/sle-micro-5-2-byos-v20240913-x86-64 suse-build-key-12.0-150000.8.52.3 as a component of Public Cloud Image google/sle-micro-5-2-byos-v20240913-x86-64 xen-libs-4.14.6_18-150300.3.78.1 as a component of Public Cloud Image google/sle-micro-5-2-byos-v20240913-x86-64 zypper-1.14.76-150200.88.10 as a component of Public Cloud Image google/sle-micro-5-2-byos-v20240913-x86-64 zypper-needs-restarting-1.14.76-150200.88.10 as a component of Public Cloud Image google/sle-micro-5-2-byos-v20240913-x86-64 Bluetooth LE and BR/EDR secure pairing in Bluetooth Core Specification 2.1 through 5.2 may permit a nearby man-in-the-middle attacker to identify the Passkey used during pairing (in the Passkey authentication procedure) by reflection of the public key and the authentication evidence of the initiating device, potentially permitting this attacker to complete authenticated pairing with the responding device using the correct Passkey for the pairing session. The attack methodology determines the Passkey value one bit at a time. CVE-2020-26558 moderate 4.3 AV:A/AC:M/Au:N/C:P/I:P/A:N Improper access control in BlueZ may allow an authenticated user to potentially enable information disclosure via adjacent access. CVE-2021-0129 moderate 2.7 AV:A/AC:L/Au:S/C:P/I:N/A:N In the Linux kernel, the following vulnerability has been resolved: ipv6: Fix KASAN: slab-out-of-bounds Read in fib6_nh_flush_exceptions Reported by syzbot: HEAD commit: 90c911ad Merge tag 'fixes' of git://git.kernel.org/pub/scm.. git tree: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master dashboard link: https://syzkaller.appspot.com/bug?extid=123aa35098fd3c000eb7 compiler: Debian clang version 11.0.1-2 ================================================================== BUG: KASAN: slab-out-of-bounds in fib6_nh_get_excptn_bucket net/ipv6/route.c:1604 [inline] BUG: KASAN: slab-out-of-bounds in fib6_nh_flush_exceptions+0xbd/0x360 net/ipv6/route.c:1732 Read of size 8 at addr ffff8880145c78f8 by task syz-executor.4/17760 CPU: 0 PID: 17760 Comm: syz-executor.4 Not tainted 5.12.0-rc8-syzkaller #0 Call Trace: <IRQ> __dump_stack lib/dump_stack.c:79 [inline] dump_stack+0x202/0x31e lib/dump_stack.c:120 print_address_description+0x5f/0x3b0 mm/kasan/report.c:232 __kasan_report mm/kasan/report.c:399 [inline] kasan_report+0x15c/0x200 mm/kasan/report.c:416 fib6_nh_get_excptn_bucket net/ipv6/route.c:1604 [inline] fib6_nh_flush_exceptions+0xbd/0x360 net/ipv6/route.c:1732 fib6_nh_release+0x9a/0x430 net/ipv6/route.c:3536 fib6_info_destroy_rcu+0xcb/0x1c0 net/ipv6/ip6_fib.c:174 rcu_do_batch kernel/rcu/tree.c:2559 [inline] rcu_core+0x8f6/0x1450 kernel/rcu/tree.c:2794 __do_softirq+0x372/0x7a6 kernel/softirq.c:345 invoke_softirq kernel/softirq.c:221 [inline] __irq_exit_rcu+0x22c/0x260 kernel/softirq.c:422 irq_exit_rcu+0x5/0x20 kernel/softirq.c:434 sysvec_apic_timer_interrupt+0x91/0xb0 arch/x86/kernel/apic/apic.c:1100 </IRQ> asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:632 RIP: 0010:lock_acquire+0x1f6/0x720 kernel/locking/lockdep.c:5515 Code: f6 84 24 a1 00 00 00 02 0f 85 8d 02 00 00 f7 c3 00 02 00 00 49 bd 00 00 00 00 00 fc ff df 74 01 fb 48 c7 44 24 40 0e 36 e0 45 <4b> c7 44 3d 00 00 00 00 00 4b c7 44 3d 09 00 00 00 00 43 c7 44 3d RSP: 0018:ffffc90009e06560 EFLAGS: 00000206 RAX: 1ffff920013c0cc0 RBX: 0000000000000246 RCX: dffffc0000000000 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 RBP: ffffc90009e066e0 R08: dffffc0000000000 R09: fffffbfff1f992b1 R10: fffffbfff1f992b1 R11: 0000000000000000 R12: 0000000000000000 R13: dffffc0000000000 R14: 0000000000000000 R15: 1ffff920013c0cb4 rcu_lock_acquire+0x2a/0x30 include/linux/rcupdate.h:267 rcu_read_lock include/linux/rcupdate.h:656 [inline] ext4_get_group_info+0xea/0x340 fs/ext4/ext4.h:3231 ext4_mb_prefetch+0x123/0x5d0 fs/ext4/mballoc.c:2212 ext4_mb_regular_allocator+0x8a5/0x28f0 fs/ext4/mballoc.c:2379 ext4_mb_new_blocks+0xc6e/0x24f0 fs/ext4/mballoc.c:4982 ext4_ext_map_blocks+0x2be3/0x7210 fs/ext4/extents.c:4238 ext4_map_blocks+0xab3/0x1cb0 fs/ext4/inode.c:638 ext4_getblk+0x187/0x6c0 fs/ext4/inode.c:848 ext4_bread+0x2a/0x1c0 fs/ext4/inode.c:900 ext4_append+0x1a4/0x360 fs/ext4/namei.c:67 ext4_init_new_dir+0x337/0xa10 fs/ext4/namei.c:2768 ext4_mkdir+0x4b8/0xc00 fs/ext4/namei.c:2814 vfs_mkdir+0x45b/0x640 fs/namei.c:3819 ovl_do_mkdir fs/overlayfs/overlayfs.h:161 [inline] ovl_mkdir_real+0x53/0x1a0 fs/overlayfs/dir.c:146 ovl_create_real+0x280/0x490 fs/overlayfs/dir.c:193 ovl_workdir_create+0x425/0x600 fs/overlayfs/super.c:788 ovl_make_workdir+0xed/0x1140 fs/overlayfs/super.c:1355 ovl_get_workdir fs/overlayfs/super.c:1492 [inline] ovl_fill_super+0x39ee/0x5370 fs/overlayfs/super.c:2035 mount_nodev+0x52/0xe0 fs/super.c:1413 legacy_get_tree+0xea/0x180 fs/fs_context.c:592 vfs_get_tree+0x86/0x270 fs/super.c:1497 do_new_mount fs/namespace.c:2903 [inline] path_mount+0x196f/0x2be0 fs/namespace.c:3233 do_mount fs/namespace.c:3246 [inline] __do_sys_mount fs/namespace.c:3454 [inline] __se_sys_mount+0x2f9/0x3b0 fs/namespace.c:3431 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x44/0xae RIP: 0033:0x4665f9 Code: ff ff c3 66 2e 0f 1f 84 ---truncated--- CVE-2021-47126 moderate In the Linux kernel, the following vulnerability has been resolved: scsi: scsi_debug: Fix out-of-bound read in resp_report_tgtpgs() The following issue was observed running syzkaller: BUG: KASAN: slab-out-of-bounds in memcpy include/linux/string.h:377 [inline] BUG: KASAN: slab-out-of-bounds in sg_copy_buffer+0x150/0x1c0 lib/scatterlist.c:831 Read of size 2132 at addr ffff8880aea95dc8 by task syz-executor.0/9815 CPU: 0 PID: 9815 Comm: syz-executor.0 Not tainted 4.19.202-00874-gfc0fe04215a9 #2 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0xe4/0x14a lib/dump_stack.c:118 print_address_description+0x73/0x280 mm/kasan/report.c:253 kasan_report_error mm/kasan/report.c:352 [inline] kasan_report+0x272/0x370 mm/kasan/report.c:410 memcpy+0x1f/0x50 mm/kasan/kasan.c:302 memcpy include/linux/string.h:377 [inline] sg_copy_buffer+0x150/0x1c0 lib/scatterlist.c:831 fill_from_dev_buffer+0x14f/0x340 drivers/scsi/scsi_debug.c:1021 resp_report_tgtpgs+0x5aa/0x770 drivers/scsi/scsi_debug.c:1772 schedule_resp+0x464/0x12f0 drivers/scsi/scsi_debug.c:4429 scsi_debug_queuecommand+0x467/0x1390 drivers/scsi/scsi_debug.c:5835 scsi_dispatch_cmd+0x3fc/0x9b0 drivers/scsi/scsi_lib.c:1896 scsi_request_fn+0x1042/0x1810 drivers/scsi/scsi_lib.c:2034 __blk_run_queue_uncond block/blk-core.c:464 [inline] __blk_run_queue+0x1a4/0x380 block/blk-core.c:484 blk_execute_rq_nowait+0x1c2/0x2d0 block/blk-exec.c:78 sg_common_write.isra.19+0xd74/0x1dc0 drivers/scsi/sg.c:847 sg_write.part.23+0x6e0/0xd00 drivers/scsi/sg.c:716 sg_write+0x64/0xa0 drivers/scsi/sg.c:622 __vfs_write+0xed/0x690 fs/read_write.c:485 kill_bdev:block_device:00000000e138492c vfs_write+0x184/0x4c0 fs/read_write.c:549 ksys_write+0x107/0x240 fs/read_write.c:599 do_syscall_64+0xc2/0x560 arch/x86/entry/common.c:293 entry_SYSCALL_64_after_hwframe+0x49/0xbe We get 'alen' from command its type is int. If userspace passes a large length we will get a negative 'alen'. Switch n, alen, and rlen to u32. CVE-2021-47219 moderate In the Linux kernel, the following vulnerability has been resolved: ipv6: fix another slab-out-of-bounds in fib6_nh_flush_exceptions While running the self-tests on a KASAN enabled kernel, I observed a slab-out-of-bounds splat very similar to the one reported in commit 821bbf79fe46 ("ipv6: Fix KASAN: slab-out-of-bounds Read in fib6_nh_flush_exceptions"). We additionally need to take care of fib6_metrics initialization failure when the caller provides an nh. The fix is similar, explicitly free the route instead of calling fib6_info_release on a half-initialized object. CVE-2021-47291 important In the Linux kernel, the following vulnerability has been resolved: nfsd: fix use-after-free due to delegation race A delegation break could arrive as soon as we've called vfs_setlease. A delegation break runs a callback which immediately (in nfsd4_cb_recall_prepare) adds the delegation to del_recall_lru. If we then exit nfs4_set_delegation without hashing the delegation, it will be freed as soon as the callback is done with it, without ever being removed from del_recall_lru. Symptoms show up later as use-after-free or list corruption warnings, usually in the laundromat thread. I suspect aba2072f4523 "nfsd: grant read delegations to clients holding writes" made this bug easier to hit, but I looked as far back as v3.0 and it looks to me it already had the same problem. So I'm not sure where the bug was introduced; it may have been there from the beginning. CVE-2021-47506 moderate In the Linux kernel, the following vulnerability has been resolved: can: pch_can: pch_can_rx_normal: fix use after free After calling netif_receive_skb(skb), dereferencing skb is unsafe. Especially, the can_frame cf which aliases skb memory is dereferenced just after the call netif_receive_skb(skb). Reordering the lines solves the issue. CVE-2021-47520 important In the Linux kernel, the following vulnerability has been resolved: scsi: scsi_debug: Fix type in min_t to avoid stack OOB Change min_t() to use type "u32" instead of type "int" to avoid stack out of bounds. With min_t() type "int" the values get sign extended and the larger value gets used causing stack out of bounds. BUG: KASAN: stack-out-of-bounds in memcpy include/linux/fortify-string.h:191 [inline] BUG: KASAN: stack-out-of-bounds in sg_copy_buffer+0x1de/0x240 lib/scatterlist.c:976 Read of size 127 at addr ffff888072607128 by task syz-executor.7/18707 CPU: 1 PID: 18707 Comm: syz-executor.7 Not tainted 5.15.0-syzk #1 Hardware name: Red Hat KVM, BIOS 1.13.0-2 Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x89/0xb5 lib/dump_stack.c:106 print_address_description.constprop.9+0x28/0x160 mm/kasan/report.c:256 __kasan_report mm/kasan/report.c:442 [inline] kasan_report.cold.14+0x7d/0x117 mm/kasan/report.c:459 check_region_inline mm/kasan/generic.c:183 [inline] kasan_check_range+0x1a3/0x210 mm/kasan/generic.c:189 memcpy+0x23/0x60 mm/kasan/shadow.c:65 memcpy include/linux/fortify-string.h:191 [inline] sg_copy_buffer+0x1de/0x240 lib/scatterlist.c:976 sg_copy_from_buffer+0x33/0x40 lib/scatterlist.c:1000 fill_from_dev_buffer.part.34+0x82/0x130 drivers/scsi/scsi_debug.c:1162 fill_from_dev_buffer drivers/scsi/scsi_debug.c:1888 [inline] resp_readcap16+0x365/0x3b0 drivers/scsi/scsi_debug.c:1887 schedule_resp+0x4d8/0x1a70 drivers/scsi/scsi_debug.c:5478 scsi_debug_queuecommand+0x8c9/0x1ec0 drivers/scsi/scsi_debug.c:7533 scsi_dispatch_cmd drivers/scsi/scsi_lib.c:1520 [inline] scsi_queue_rq+0x16b0/0x2d40 drivers/scsi/scsi_lib.c:1699 blk_mq_dispatch_rq_list+0xb9b/0x2700 block/blk-mq.c:1639 __blk_mq_sched_dispatch_requests+0x28f/0x590 block/blk-mq-sched.c:325 blk_mq_sched_dispatch_requests+0x105/0x190 block/blk-mq-sched.c:358 __blk_mq_run_hw_queue+0xe5/0x150 block/blk-mq.c:1761 __blk_mq_delay_run_hw_queue+0x4f8/0x5c0 block/blk-mq.c:1838 blk_mq_run_hw_queue+0x18d/0x350 block/blk-mq.c:1891 blk_mq_sched_insert_request+0x3db/0x4e0 block/blk-mq-sched.c:474 blk_execute_rq_nowait+0x16b/0x1c0 block/blk-exec.c:62 sg_common_write.isra.18+0xeb3/0x2000 drivers/scsi/sg.c:836 sg_new_write.isra.19+0x570/0x8c0 drivers/scsi/sg.c:774 sg_ioctl_common+0x14d6/0x2710 drivers/scsi/sg.c:939 sg_ioctl+0xa2/0x180 drivers/scsi/sg.c:1165 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:874 [inline] __se_sys_ioctl fs/ioctl.c:860 [inline] __x64_sys_ioctl+0x19d/0x220 fs/ioctl.c:860 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x3a/0x80 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x44/0xae CVE-2021-47580 moderate In the Linux kernel, the following vulnerability has been resolved: sch_cake: do not call cake_destroy() from cake_init() qdiscs are not supposed to call their own destroy() method from init(), because core stack already does that. syzbot was able to trigger use after free: DEBUG_LOCKS_WARN_ON(lock->magic != lock) WARNING: CPU: 0 PID: 21902 at kernel/locking/mutex.c:586 __mutex_lock_common kernel/locking/mutex.c:586 [inline] WARNING: CPU: 0 PID: 21902 at kernel/locking/mutex.c:586 __mutex_lock+0x9ec/0x12f0 kernel/locking/mutex.c:740 Modules linked in: CPU: 0 PID: 21902 Comm: syz-executor189 Not tainted 5.16.0-rc4-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 RIP: 0010:__mutex_lock_common kernel/locking/mutex.c:586 [inline] RIP: 0010:__mutex_lock+0x9ec/0x12f0 kernel/locking/mutex.c:740 Code: 08 84 d2 0f 85 19 08 00 00 8b 05 97 38 4b 04 85 c0 0f 85 27 f7 ff ff 48 c7 c6 20 00 ac 89 48 c7 c7 a0 fe ab 89 e8 bf 76 ba ff <0f> 0b e9 0d f7 ff ff 48 8b 44 24 40 48 8d b8 c8 08 00 00 48 89 f8 RSP: 0018:ffffc9000627f290 EFLAGS: 00010282 RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000 RDX: ffff88802315d700 RSI: ffffffff815f1db8 RDI: fffff52000c4fe44 RBP: ffff88818f28e000 R08: 0000000000000000 R09: 0000000000000000 R10: ffffffff815ebb5e R11: 0000000000000000 R12: 0000000000000000 R13: dffffc0000000000 R14: ffffc9000627f458 R15: 0000000093c30000 FS: 0000555556abc400(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fda689c3303 CR3: 000000001cfbb000 CR4: 0000000000350ef0 Call Trace: <TASK> tcf_chain0_head_change_cb_del+0x2e/0x3d0 net/sched/cls_api.c:810 tcf_block_put_ext net/sched/cls_api.c:1381 [inline] tcf_block_put_ext net/sched/cls_api.c:1376 [inline] tcf_block_put+0xbc/0x130 net/sched/cls_api.c:1394 cake_destroy+0x3f/0x80 net/sched/sch_cake.c:2695 qdisc_create.constprop.0+0x9da/0x10f0 net/sched/sch_api.c:1293 tc_modify_qdisc+0x4c5/0x1980 net/sched/sch_api.c:1660 rtnetlink_rcv_msg+0x413/0xb80 net/core/rtnetlink.c:5571 netlink_rcv_skb+0x153/0x420 net/netlink/af_netlink.c:2496 netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline] netlink_unicast+0x533/0x7d0 net/netlink/af_netlink.c:1345 netlink_sendmsg+0x904/0xdf0 net/netlink/af_netlink.c:1921 sock_sendmsg_nosec net/socket.c:704 [inline] sock_sendmsg+0xcf/0x120 net/socket.c:724 ____sys_sendmsg+0x6e8/0x810 net/socket.c:2409 ___sys_sendmsg+0xf3/0x170 net/socket.c:2463 __sys_sendmsg+0xe5/0x1b0 net/socket.c:2492 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x44/0xae RIP: 0033:0x7f1bb06badb9 Code: Unable to access opcode bytes at RIP 0x7f1bb06bad8f. RSP: 002b:00007fff3012a658 EFLAGS: 00000246 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f1bb06badb9 RDX: 0000000000000000 RSI: 00000000200007c0 RDI: 0000000000000003 RBP: 0000000000000000 R08: 0000000000000003 R09: 0000000000000003 R10: 0000000000000003 R11: 0000000000000246 R12: 00007fff3012a688 R13: 00007fff3012a6a0 R14: 00007fff3012a6e0 R15: 00000000000013c2 </TASK> CVE-2021-47598 important In the Linux kernel, the following vulnerability has been resolved: dm btree remove: fix use after free in rebalance_children() Move dm_tm_unlock() after dm_tm_dec(). CVE-2021-47600 moderate In the Linux kernel, the following vulnerability has been resolved: scsi: pm8001: Fix use-after-free for aborted SSP/STP sas_task Currently a use-after-free may occur if a sas_task is aborted by the upper layer before we handle the I/O completion in mpi_ssp_completion() or mpi_sata_completion(). In this case, the following are the two steps in handling those I/O completions: - Call complete() to inform the upper layer handler of completion of the I/O. - Release driver resources associated with the sas_task in pm8001_ccb_task_free() call. When complete() is called, the upper layer may free the sas_task. As such, we should not touch the associated sas_task afterwards, but we do so in the pm8001_ccb_task_free() call. Fix by swapping the complete() and pm8001_ccb_task_free() calls ordering. CVE-2022-48792 moderate In the Linux kernel, the following vulnerability has been resolved: misc: fastrpc: avoid double fput() on failed usercopy If the copy back to userland fails for the FASTRPC_IOCTL_ALLOC_DMA_BUFF ioctl(), we shouldn't assume that 'buf->dmabuf' is still valid. In fact, dma_buf_fd() called fd_install() before, i.e. "consumed" one reference, leaving us with none. Calling dma_buf_put() will therefore put a reference we no longer own, leading to a valid file descritor table entry for an already released 'file' object which is a straight use-after-free. Simply avoid calling dma_buf_put() and rely on the process exit code to do the necessary cleanup, if needed, i.e. if the file descriptor is still valid. CVE-2022-48821 important In the Linux kernel, the following vulnerability has been resolved: usb: f_fs: Fix use-after-free for epfile Consider a case where ffs_func_eps_disable is called from ffs_func_disable as part of composition switch and at the same time ffs_epfile_release get called from userspace. ffs_epfile_release will free up the read buffer and call ffs_data_closed which in turn destroys ffs->epfiles and mark it as NULL. While this was happening the driver has already initialized the local epfile in ffs_func_eps_disable which is now freed and waiting to acquire the spinlock. Once spinlock is acquired the driver proceeds with the stale value of epfile and tries to free the already freed read buffer causing use-after-free. Following is the illustration of the race: CPU1 CPU2 ffs_func_eps_disable epfiles (local copy) ffs_epfile_release ffs_data_closed if (last file closed) ffs_data_reset ffs_data_clear ffs_epfiles_destroy spin_lock dereference epfiles Fix this races by taking epfiles local copy & assigning it under spinlock and if epfiles(local) is null then update it in ffs->epfiles then finally destroy it. Extending the scope further from the race, protecting the ep related structures, and concurrent accesses. CVE-2022-48822 moderate OpenTelemetry-Go Contrib is a collection of third-party packages for OpenTelemetry-Go. A handler wrapper out of the box adds labels `http.user_agent` and `http.method` that have unbound cardinality. It leads to the server's potential memory exhaustion when many malicious requests are sent to it. HTTP header User-Agent or HTTP method for requests can be easily set by an attacker to be random and long. The library internally uses `httpconv.ServerRequest` that records every value for HTTP `method` and `User-Agent`. In order to be affected, a program has to use the `otelhttp.NewHandler` wrapper and not filter any unknown HTTP methods or User agents on the level of CDN, LB, previous middleware, etc. Version 0.44.0 fixed this issue when the values collected for attribute `http.request.method` were changed to be restricted to a set of well-known values and other high cardinality attributes were removed. As a workaround to stop being affected, `otelhttp.WithFilter()` can be used, but it requires manual careful configuration to not log certain requests entirely. For convenience and safe usage of this library, it should by default mark with the label `unknown` non-standard HTTP methods and User agents to show that such requests were made but do not increase cardinality. In case someone wants to stay with the current behavior, library API should allow to enable it. CVE-2023-45142 important OpenTelemetry-Go Contrib is a collection of third-party packages for OpenTelemetry-Go. Prior to version 0.46.0, the grpc Unary Server Interceptor out of the box adds labels `net.peer.sock.addr` and `net.peer.sock.port` that have unbound cardinality. It leads to the server's potential memory exhaustion when many malicious requests are sent. An attacker can easily flood the peer address and port for requests. Version 0.46.0 contains a fix for this issue. As a workaround to stop being affected, a view removing the attributes can be used. The other possibility is to disable grpc metrics instrumentation by passing `otelgrpc.WithMeterProvider` option with `noop.NewMeterProvider`. CVE-2023-47108 important In the Linux kernel, the following vulnerability has been resolved: powerpc/powernv: Add a null pointer check in opal_event_init() kasprintf() returns a pointer to dynamically allocated memory which can be NULL upon failure. CVE-2023-52686 moderate In the Linux kernel, the following vulnerability has been resolved: SUNRPC: Fix UAF in svc_tcp_listen_data_ready() After the listener svc_sock is freed, and before invoking svc_tcp_accept() for the established child sock, there is a window that the newsock retaining a freed listener svc_sock in sk_user_data which cloning from parent. In the race window, if data is received on the newsock, we will observe use-after-free report in svc_tcp_listen_data_ready(). Reproduce by two tasks: 1. while :; do rpc.nfsd 0 ; rpc.nfsd; done 2. while :; do echo "" | ncat -4 127.0.0.1 2049 ; done KASAN report: ================================================================== BUG: KASAN: slab-use-after-free in svc_tcp_listen_data_ready+0x1cf/0x1f0 [sunrpc] Read of size 8 at addr ffff888139d96228 by task nc/102553 CPU: 7 PID: 102553 Comm: nc Not tainted 6.3.0+ #18 Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 11/12/2020 Call Trace: <IRQ> dump_stack_lvl+0x33/0x50 print_address_description.constprop.0+0x27/0x310 print_report+0x3e/0x70 kasan_report+0xae/0xe0 svc_tcp_listen_data_ready+0x1cf/0x1f0 [sunrpc] tcp_data_queue+0x9f4/0x20e0 tcp_rcv_established+0x666/0x1f60 tcp_v4_do_rcv+0x51c/0x850 tcp_v4_rcv+0x23fc/0x2e80 ip_protocol_deliver_rcu+0x62/0x300 ip_local_deliver_finish+0x267/0x350 ip_local_deliver+0x18b/0x2d0 ip_rcv+0x2fb/0x370 __netif_receive_skb_one_core+0x166/0x1b0 process_backlog+0x24c/0x5e0 __napi_poll+0xa2/0x500 net_rx_action+0x854/0xc90 __do_softirq+0x1bb/0x5de do_softirq+0xcb/0x100 </IRQ> <TASK> ... </TASK> Allocated by task 102371: kasan_save_stack+0x1e/0x40 kasan_set_track+0x21/0x30 __kasan_kmalloc+0x7b/0x90 svc_setup_socket+0x52/0x4f0 [sunrpc] svc_addsock+0x20d/0x400 [sunrpc] __write_ports_addfd+0x209/0x390 [nfsd] write_ports+0x239/0x2c0 [nfsd] nfsctl_transaction_write+0xac/0x110 [nfsd] vfs_write+0x1c3/0xae0 ksys_write+0xed/0x1c0 do_syscall_64+0x38/0x90 entry_SYSCALL_64_after_hwframe+0x72/0xdc Freed by task 102551: kasan_save_stack+0x1e/0x40 kasan_set_track+0x21/0x30 kasan_save_free_info+0x2a/0x50 __kasan_slab_free+0x106/0x190 __kmem_cache_free+0x133/0x270 svc_xprt_free+0x1e2/0x350 [sunrpc] svc_xprt_destroy_all+0x25a/0x440 [sunrpc] nfsd_put+0x125/0x240 [nfsd] nfsd_svc+0x2cb/0x3c0 [nfsd] write_threads+0x1ac/0x2a0 [nfsd] nfsctl_transaction_write+0xac/0x110 [nfsd] vfs_write+0x1c3/0xae0 ksys_write+0xed/0x1c0 do_syscall_64+0x38/0x90 entry_SYSCALL_64_after_hwframe+0x72/0xdc Fix the UAF by simply doing nothing in svc_tcp_listen_data_ready() if state != TCP_LISTEN, that will avoid dereferencing svsk for all child socket. CVE-2023-52885 important In the Linux kernel, the following vulnerability has been resolved: tls: fix race between async notify and socket close The submitting thread (one which called recvmsg/sendmsg) may exit as soon as the async crypto handler calls complete() so any code past that point risks touching already freed data. Try to avoid the locking and extra flags altogether. Have the main thread hold an extra reference, this way we can depend solely on the atomic ref counter for synchronization. Don't futz with reiniting the completion, either, we are now tightly controlling when completion fires. CVE-2024-26583 moderate In the Linux kernel, the following vulnerability has been resolved: net: tls: handle backlogging of crypto requests Since we're setting the CRYPTO_TFM_REQ_MAY_BACKLOG flag on our requests to the crypto API, crypto_aead_{encrypt,decrypt} can return -EBUSY instead of -EINPROGRESS in valid situations. For example, when the cryptd queue for AESNI is full (easy to trigger with an artificially low cryptd.cryptd_max_cpu_qlen), requests will be enqueued to the backlog but still processed. In that case, the async callback will also be called twice: first with err == -EINPROGRESS, which it seems we can just ignore, then with err == 0. Compared to Sabrina's original patch this version uses the new tls_*crypt_async_wait() helpers and converts the EBUSY to EINPROGRESS to avoid having to modify all the error handling paths. The handling is identical. CVE-2024-26584 moderate In the Linux kernel, the following vulnerability has been resolved: tls: fix race between tx work scheduling and socket close Similarly to previous commit, the submitting thread (recvmsg/sendmsg) may exit as soon as the async crypto handler calls complete(). Reorder scheduling the work before calling complete(). This seems more logical in the first place, as it's the inverse order of what the submitting thread will do. CVE-2024-26585 moderate In the Linux kernel, the following vulnerability has been resolved: tls: fix use-after-free on failed backlog decryption When the decrypt request goes to the backlog and crypto_aead_decrypt returns -EBUSY, tls_do_decryption will wait until all async decryptions have completed. If one of them fails, tls_do_decryption will return -EBADMSG and tls_decrypt_sg jumps to the error path, releasing all the pages. But the pages have been passed to the async callback, and have already been released by tls_decrypt_done. The only true async case is when crypto_aead_decrypt returns -EINPROGRESS. With -EBUSY, we already waited so we can tell tls_sw_recvmsg that the data is available for immediate copy, but we need to notify tls_decrypt_sg (via the new ->async_done flag) that the memory has already been released. CVE-2024-26800 moderate Certain PCI devices in a system might be assigned Reserved Memory Regions (specified via Reserved Memory Region Reporting, "RMRR") for Intel VT-d or Unity Mapping ranges for AMD-Vi. These are typically used for platform tasks such as legacy USB emulation. Since the precise purpose of these regions is unknown, once a device associated with such a region is active, the mappings of these regions need to remain continuouly accessible by the device. In the logic establishing these mappings, error handling was flawed, resulting in such mappings to potentially remain in place when they should have been removed again. Respective guests would then gain access to memory regions which they aren't supposed to have access to. CVE-2024-31145 important When multiple devices share resources and one of them is to be passed through to a guest, security of the entire system and of respective guests individually cannot really be guaranteed without knowing internals of any of the involved guests. Therefore such a configuration cannot really be security-supported, yet making that explicit was so far missing. Resources the sharing of which is known to be problematic include, but are not limited to - - PCI Base Address Registers (BARs) of multiple devices mapping to the same page (4k on x86), - - INTx lines. CVE-2024-31146 low In the Linux kernel, the following vulnerability has been resolved: scsi: qedf: Ensure the copied buf is NUL terminated Currently, we allocate a count-sized kernel buffer and copy count from userspace to that buffer. Later, we use kstrtouint on this buffer but we don't ensure that the string is terminated inside the buffer, this can lead to OOB read when using kstrtouint. Fix this issue by using memdup_user_nul instead of memdup_user. CVE-2024-38559 moderate In the Linux kernel, the following vulnerability has been resolved: ima: Fix use-after-free on a dentry's dname.name ->d_name.name can change on rename and the earlier value can be freed; there are conditions sufficient to stabilize it (->d_lock on dentry, ->d_lock on its parent, ->i_rwsem exclusive on the parent's inode, rename_lock), but none of those are met at any of the sites. Take a stable snapshot of the name instead. CVE-2024-39494 important In the Linux kernel, the following vulnerability has been resolved: gve: Clear napi->skb before dev_kfree_skb_any() gve_rx_free_skb incorrectly leaves napi->skb referencing an skb after it is freed with dev_kfree_skb_any(). This can result in a subsequent call to napi_get_frags returning a dangling pointer. Fix this by clearing napi->skb before the skb is freed. CVE-2024-40937 important In the Linux kernel, the following vulnerability has been resolved: dmaengine: idxd: Fix possible Use-After-Free in irq_process_work_list Use list_for_each_entry_safe() to allow iterating through the list and deleting the entry in the iteration process. The descriptor is freed via idxd_desc_complete() and there's a slight chance may cause issue for the list iterator when the descriptor is reused by another thread without it being deleted from the list. CVE-2024-40956 moderate In the Linux kernel, the following vulnerability has been resolved: drm/amdkfd: don't allow mapping the MMIO HDP page with large pages We don't get the right offset in that case. The GPU has an unused 4K area of the register BAR space into which you can remap registers. We remap the HDP flush registers into this space to allow userspace (CPU or GPU) to flush the HDP when it updates VRAM. However, on systems with >4K pages, we end up exposing PAGE_SIZE of MMIO space. CVE-2024-41011 important In the Linux kernel, the following vulnerability has been resolved: hfsplus: fix uninit-value in copy_name [syzbot reported] BUG: KMSAN: uninit-value in sized_strscpy+0xc4/0x160 sized_strscpy+0xc4/0x160 copy_name+0x2af/0x320 fs/hfsplus/xattr.c:411 hfsplus_listxattr+0x11e9/0x1a50 fs/hfsplus/xattr.c:750 vfs_listxattr fs/xattr.c:493 [inline] listxattr+0x1f3/0x6b0 fs/xattr.c:840 path_listxattr fs/xattr.c:864 [inline] __do_sys_listxattr fs/xattr.c:876 [inline] __se_sys_listxattr fs/xattr.c:873 [inline] __x64_sys_listxattr+0x16b/0x2f0 fs/xattr.c:873 x64_sys_call+0x2ba0/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:195 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f Uninit was created at: slab_post_alloc_hook mm/slub.c:3877 [inline] slab_alloc_node mm/slub.c:3918 [inline] kmalloc_trace+0x57b/0xbe0 mm/slub.c:4065 kmalloc include/linux/slab.h:628 [inline] hfsplus_listxattr+0x4cc/0x1a50 fs/hfsplus/xattr.c:699 vfs_listxattr fs/xattr.c:493 [inline] listxattr+0x1f3/0x6b0 fs/xattr.c:840 path_listxattr fs/xattr.c:864 [inline] __do_sys_listxattr fs/xattr.c:876 [inline] __se_sys_listxattr fs/xattr.c:873 [inline] __x64_sys_listxattr+0x16b/0x2f0 fs/xattr.c:873 x64_sys_call+0x2ba0/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:195 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f [Fix] When allocating memory to strbuf, initialize memory to 0. CVE-2024-41059 important In the Linux kernel, the following vulnerability has been resolved: ASoC: topology: Fix references to freed memory Most users after parsing a topology file, release memory used by it, so having pointer references directly into topology file contents is wrong. Use devm_kmemdup(), to allocate memory as needed. CVE-2024-41069 important In the Linux kernel, the following vulnerability has been resolved: tap: add missing verification for short frame The cited commit missed to check against the validity of the frame length in the tap_get_user_xdp() path, which could cause a corrupted skb to be sent downstack. Even before the skb is transmitted, the tap_get_user_xdp()-->skb_set_network_header() may assume the size is more than ETH_HLEN. Once transmitted, this could either cause out-of-bound access beyond the actual length, or confuse the underlayer with incorrect or inconsistent header length in the skb metadata. In the alternative path, tap_get_user() already prohibits short frame which has the length less than Ethernet header size from being transmitted. This is to drop any frame shorter than the Ethernet header size just like how tap_get_user() does. CVE: CVE-2024-41090 CVE-2024-41090 important In the Linux kernel, the following vulnerability has been resolved: IB/core: Implement a limit on UMAD receive List The existing behavior of ib_umad, which maintains received MAD packets in an unbounded list, poses a risk of uncontrolled growth. As user-space applications extract packets from this list, the rate of extraction may not match the rate of incoming packets, leading to potential list overflow. To address this, we introduce a limit to the size of the list. After considering typical scenarios, such as OpenSM processing, which can handle approximately 100k packets per second, and the 1-second retry timeout for most packets, we set the list size limit to 200k. Packets received beyond this limit are dropped, assuming they are likely timed out by the time they are handled by user-space. Notably, packets queued on the receive list due to reasons like timed-out sends are preserved even when the list is full. CVE-2024-42145 important runc is a CLI tool for spawning and running containers according to the OCI specification. runc 1.1.13 and earlier, as well as 1.2.0-rc2 and earlier, can be tricked into creating empty files or directories in arbitrary locations in the host filesystem by sharing a volume between two containers and exploiting a race with `os.MkdirAll`. While this could be used to create empty files, existing files would not be truncated. An attacker must have the ability to start containers using some kind of custom volume configuration. Containers using user namespaces are still affected, but the scope of places an attacker can create inodes can be significantly reduced. Sufficiently strict LSM policies (SELinux/Apparmor) can also in principle block this attack -- we suspect the industry standard SELinux policy may restrict this attack's scope but the exact scope of protection hasn't been analysed. This is exploitable using runc directly as well as through Docker and Kubernetes. The issue is fixed in runc v1.1.14 and v1.2.0-rc3. Some workarounds are available. Using user namespaces restricts this attack fairly significantly such that the attacker can only create inodes in directories that the remapped root user/group has write access to. Unless the root user is remapped to an actual user on the host (such as with rootless containers that don't use `/etc/sub[ug]id`), this in practice means that an attacker would only be able to create inodes in world-writable directories. A strict enough SELinux or AppArmor policy could in principle also restrict the scope if a specific label is applied to the runc runtime, though neither the extent to which the standard existing policies block this attack nor what exact policies are needed to sufficiently restrict this attack have been thoroughly tested. CVE-2024-45310 low Issue summary: Calling the OpenSSL API function SSL_select_next_proto with an empty supported client protocols buffer may cause a crash or memory contents to be sent to the peer. Impact summary: A buffer overread can have a range of potential consequences such as unexpected application beahviour or a crash. In particular this issue could result in up to 255 bytes of arbitrary private data from memory being sent to the peer leading to a loss of confidentiality. However, only applications that directly call the SSL_select_next_proto function with a 0 length list of supported client protocols are affected by this issue. This would normally never be a valid scenario and is typically not under attacker control but may occur by accident in the case of a configuration or programming error in the calling application. The OpenSSL API function SSL_select_next_proto is typically used by TLS applications that support ALPN (Application Layer Protocol Negotiation) or NPN (Next Protocol Negotiation). NPN is older, was never standardised and is deprecated in favour of ALPN. We believe that ALPN is significantly more widely deployed than NPN. The SSL_select_next_proto function accepts a list of protocols from the server and a list of protocols from the client and returns the first protocol that appears in the server list that also appears in the client list. In the case of no overlap between the two lists it returns the first item in the client list. In either case it will signal whether an overlap between the two lists was found. In the case where SSL_select_next_proto is called with a zero length client list it fails to notice this condition and returns the memory immediately following the client list pointer (and reports that there was no overlap in the lists). This function is typically called from a server side application callback for ALPN or a client side application callback for NPN. In the case of ALPN the list of protocols supplied by the client is guaranteed by libssl to never be zero in length. The list of server protocols comes from the application and should never normally be expected to be of zero length. In this case if the SSL_select_next_proto function has been called as expected (with the list supplied by the client passed in the client/client_len parameters), then the application will not be vulnerable to this issue. If the application has accidentally been configured with a zero length server list, and has accidentally passed that zero length server list in the client/client_len parameters, and has additionally failed to correctly handle a "no overlap" response (which would normally result in a handshake failure in ALPN) then it will be vulnerable to this problem. In the case of NPN, the protocol permits the client to opportunistically select a protocol when there is no overlap. OpenSSL returns the first client protocol in the no overlap case in support of this. The list of client protocols comes from the application and should never normally be expected to be of zero length. However if the SSL_select_next_proto function is accidentally called with a client_len of 0 then an invalid memory pointer will be returned instead. If the application uses this output as the opportunistic protocol then the loss of confidentiality will occur. This issue has been assessed as Low severity because applications are most likely to be vulnerable if they are using NPN instead of ALPN - but NPN is not widely used. It also requires an application configuration or programming error. Finally, this issue would not typically be under attacker control making active exploitation unlikely. The FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue. Due to the low severity of this issue we are not issuing new releases of OpenSSL at this time. The fix will be included in the next releases when they become available. CVE-2024-5535 moderate A vulnerability in the package_index module of pypa/setuptools versions up to 69.1.1 allows for remote code execution via its download functions. These functions, which are used to download packages from URLs provided by users or retrieved from package index servers, are susceptible to code injection. If these functions are exposed to user-controlled inputs, such as package URLs, they can execute arbitrary commands on the system. The issue is fixed in version 70.0. CVE-2024-6345 important libcurl's ASN1 parser code has the `GTime2str()` function, used for parsing an ASN.1 Generalized Time field. If given an syntactically incorrect field, the parser might end up using -1 for the length of the *time fraction*, leading to a `strlen()` getting performed on a pointer to a heap buffer area that is not (purposely) null terminated. This flaw most likely leads to a crash, but can also lead to heap contents getting returned to the application when [CURLINFO_CERTINFO](https://curl.se/libcurl/c/CURLINFO_CERTINFO.html) is used. CVE-2024-7264 moderate When curl is told to use the Certificate Status Request TLS extension, often referred to as OCSP stapling, to verify that the server certificate is valid, it might fail to detect some OCSP problems and instead wrongly consider the response as fine. If the returned status reports another error than 'revoked' (like for example 'unauthorized') it is not treated as a bad certficate. CVE-2024-8096 moderate