SUSE-IU-2024:871-1 SUSE Image security@suse.de SUSE Security Team SUSE Image SUSE-IU-2024:871-1 Interim 1 1 2025-07-08T20:18:50Z current 2024-08-09T01:00:00Z 2024-08-09T01:00:00Z cve-database/bin/generate-cvrf-publiccloud.pl 2021-02-18T01:00:00Z Image update for SUSE-IU-2024:871-1 / google/sles-15-sp3-byos-v20240809-x86-64 This image update for google/sles-15-sp3-byos-v20240809-x86-64 contains the following changes: Package aaa_base was updated: - modify git-47-04210f8df15da0ba4d741cfe1693af06f5978a1d.patch to also fix the typo to set JAVA_BINDIR in the csh variant of the alljava profile script (bsc#1221361) - modify git-47-04210f8df15da0ba4d741cfe1693af06f5978a1d.patch drop the stderr redirection for csh (bsc#1221361) - add git-49-3f8f26123d91f70c644677a323134fc79318c818.patch drop sysctl.d/50-default-s390.conf (bsc#1211721) - add aaa_base-preinstall.patch make sure the script does not exit with 1 if a file with content is found (bsc#1222547) - add patch git-48-477bc3c05fcdabf9319e84278a1cba2c12c9ed5a.patch home and end button not working from ssh client (bsc#1221407) - use autosetup in prep stage of specfile - silence the output in the case of broken symlinks (bsc#1218232) - fix git-47-04210f8df15da0ba4d741cfe1693af06f5978a1d.patch to actually apply - replace git-47-04210f8df15da0ba4d741cfe1693af06f5978a1d.patch by git-47-056fc66c699a8544c7692a03c905fca568f5390b.patch * fix the issues from bsc#1107342 and bsc#1215434 and just use the settings from update-alternatives to set JAVA_HOME - Add patch git-47-04210f8df15da0ba4d741cfe1693af06f5978a1d.patch * respect /etc/update-alternatives/java when setting JAVA_HOME (bsc#1215434,bsc#1107342) Package autofs was updated: - autofs-5.1.6-remove-intr-hosts-map-mount-option.patch Don't use the intr option on NFS mounts by default, it's been ignored by the kernel for a long time now. (bsc#1225130) - autofs-5.1.8-dont-use-initgroups-at-spawn.patch Don't use initgroups at spawn (bsc#1214710, bsc#1221181) - autofs-5.1.3-revert-fix-argc-off-by-one-in-mount_aut.patch Fix off-by-one error in recursive map handling. (bsc#1209653) Package autoyast2 was updated: - Rebuild the RPM database during upgrade (--rebuilddb) (bsc#1209565)- 4.3.106 - Properly install the selected products, do not lose them after resetting the package manager internally (bsc#1202234) - 4.3.105 - Process the &lt;ask-list/&gt; section in an installed system once the &lt;general/&gt; section is imported in the (bsc#1201953). - 4.3.104 - Revert the modification done in version 4.3.97 running the initscripts before systed-user-sessions service again once systemd fixed logind (bsc#1195059, bsc#1200780) - 4.3.103 Package bind was updated: - Security Fixes: * It is possible to craft excessively large numbers of resource record types for a given owner name, which has the effect of slowing down database processing. This has been addressed by adding a configurable limit to the number of records that can be stored per name and type in a cache or zone database. The default is 100, which can be tuned with the new max-types-per-name option. (CVE-2024-1737) [bsc#1228256, bind-9.16-CVE-2024-1737.patch] * Validating DNS messages signed using the SIG(0) protocol (RFC 2931) could cause excessive CPU load, leading to a denial-of-service condition. Support for SIG(0) message validation was removed from this version of named. (CVE-2024-1975) [bsc#1228257, bind-9.16-CVE-2024-1975.patch] - Security Fixes: * Validating DNS messages containing a lot of DNSSEC signatures could cause excessive CPU load, leading to a denial-of-service condition. This has been fixed. (CVE-2023-50387) [bsc#1219823, bind-CVE-2023-50387-CVE-2023-50868.patch] * Preparing an NSEC3 closest encloser proof could cause excessiv CPU load, leading to a denial-of-service condition. This has been fixed. (CVE-2023-50868) [bsc#1219826, bind-CVE-2023-50387-CVE-2023-50868.patch] * Parsing DNS messages with many different names could cause excessive CPU load. This has been fixed. (CVE-2023-4408) [bsc#1219851, bind-CVE-2023-4408.patch] * Specific queries could cause named to crash with an assertion failure when nxdomain-redirect was enabled. This has been fixed. (CVE-2023-5517) [bsc#1219852, bind-CVE-2023-5517.patch] * Query patterns that continuously triggered cache database maintenance could cause an excessive amount of memory to be allocated, exceeding max-cache-size and potentially leading to all available memory on the host running named being exhausted This has been fixed. (CVE-2023-6516) [bsc#1219854, bind-CVE-2023-6516.patch] - Security Fix: * Previously, sending a specially crafted message over the control channel could cause the packet-parsing code to run out of available stack memory, causing named to terminate unexpectedly. This has been fixed. [bsc#1215472, CVE-2023-3341, bind-CVE-2023-3341.patch] - Add libs as requires because they may need to be updated when installing bind [bsc#1213748] - Add dnstap support [jsc#PED-4852] - Security Fix: * The overmem cleaning process has been improved, to prevent the cache from significantly exceeding the configured max-cache-size limit. [bsc#1212544, CVE-2023-2828, bind-CVE-2023-2828.patch] - Security Fix: * An UPDATE message flood could cause named to exhaust all available memory. This flaw was addressed by adding a new update-quota option that controls the maximum number of outstanding DNS UPDATE messages that named can hold in a queue at any given time (default: 100). [bsc#1207471, CVE-2022-3094, bind-CVE-2022-3094.patch] - Add systemd drop-in directory for named service [bsc#1201689, bind.spec] Package binutils was updated: - Update to version 2.41 [PED-5778]: * The MIPS port now supports the Sony Interactive Entertainment Allegrex processor, used with the PlayStation Portable, which implements the MIPS II ISA along with a single-precision FPU and a few implementation-specific integer instructions. * Objdump's --private option can now be used on PE format files to display the fields in the file header and section headers. * New versioned release of libsframe: libsframe.so.1. This release introduces versioned symbols with version node name LIBSFRAME_1.0. This release also updates the ABI in an incompatible way: this includes removal of sframe_get_funcdesc_with_addr API, change in the behavior of sframe_fre_get_ra_offset and sframe_fre_get_fp_offset APIs. * SFrame Version 2 is now the default (and only) format version supported by gas, ld, readelf and objdump. * Add command-line option, --strip-section-headers, to objcopy and strip to remove ELF section header from ELF file. * The RISC-V port now supports the following new standard extensions: - Zicond (conditional zero instructions) - Zfa (additional floating-point instructions) - Zvbb, Zvbc, Zvkg, Zvkned, Zvknh[ab], Zvksed, Zvksh, Zvkn, Zvknc, Zvkng, Zvks, Zvksc, Zvkg, Zvkt (vector crypto instructions) * The RISC-V port now supports the following vendor-defined extensions: - XVentanaCondOps * Add support for Intel FRED, LKGS and AMX-COMPLEX instructions. * A new .insn directive is recognized by x86 gas. * Add SME2 support to the AArch64 port. * The linker now accepts a command line option of --remap-inputs &lt;PATTERN&gt;=&lt;FILE&gt; to relace any input file that matches &lt;PATTERN&gt; with &lt;FILE&gt;. In addition the option --remap-inputs-file=&lt;FILE&gt; can be used to specify a file containing any number of these remapping directives. * The linker command line option --print-map-locals can be used to include local symbols in a linker map. (ELF targets only). * For most ELF based targets, if the --enable-linker-version option is used then the version of the linker will be inserted as a string into the .comment section. * The linker script syntax has a new command for output sections: ASCIZ &quot;string&quot; This will insert a zero-terminated string at the current location. * Add command-line option, -z nosectionheader, to omit ELF section header. - Removed obsolete patches: binutils-2.40-branch.diff.gz, riscv-dynamic-tls-reloc-pie.patch, riscv-pr22263-1.patch, extensa-gcc-4_3-fix.diff . - Add binutils-2.41-branch.diff.gz . - Add binutils-old-makeinfo.diff for SLE-12 and older. - Rebased aarch64-common-pagesize.patch and binutils-revert-rela.diff . - Contains fixes for these non-CVEs (not security bugs per upstreams SECURITY.md): * bsc#1209642 aka CVE-2023-1579 aka PR29988 * bsc#1210297 aka CVE-2023-1972 aka PR30285 * bsc#1210733 aka CVE-2023-2222 aka PR29936 * bsc#1213458 aka CVE-2021-32256 aka PR105039 (gcc) * bsc#1214565 aka CVE-2020-19726 aka PR26240 * bsc#1214567 aka CVE-2022-35206 aka PR29290 * bsc#1214579 aka CVE-2022-35205 aka PR29289 * bsc#1214580 aka CVE-2022-44840 aka PR29732 * bsc#1214604 aka CVE-2022-45703 aka PR29799 * bsc#1214611 aka CVE-2022-48065 aka PR29925 * bsc#1214619 aka CVE-2022-48064 aka PR29922 * bsc#1214620 aka CVE-2022-48063 aka PR29924 * bsc#1214623 aka CVE-2022-47696 aka PR29677 * bsc#1214624 aka CVE-2022-47695 aka PR29846 * bsc#1214625 aka CVE-2022-47673 aka PR29876 - Add binutils-disable-dt-relr.sh for an compatibility problem caused by binutils-revert-rela.diff in SLE codestreams. Needed for update of glibc as that would otherwise pick up the broken relative relocs support. [bsc#1213282, PED-1435] - This only existed only for a very short while in SLE-15, as the main variant in devel:gcc subsumed this in binutils-revert-rela.diff. Hence: - Remove binutils-disable-dt-relr.sh as subsumed. - riscv-dynamic-tls-reloc-pie.patch: Backport for PR ld/22263 and PR ld/25694 - riscv-pr22263-1.patch: Backport for PR ld/22263 - Rebase branch patch (includes fix for PR30281). - Document fixed CVEs: * bnc#1208037 aka CVE-2023-25588 aka PR29677 * bnc#1208038 aka CVE-2023-25587 aka PR29846 * bnc#1208040 aka CVE-2023-25585 aka PR29892 * bnc#1208409 aka CVE-2023-0687 aka PR29444 - Enable bpf-none cross target and add bpf-none to the multitarget set of supported targets. - Disable packed-relative-relocs for old codestreams. They generate buggy relocations when binutils-revert-rela.diff is active. [bsc#1206556] - Disable ZSTD debug section compress by default. - Enable zstd compression algorithm (instead of zlib) for debug info sections by default. - Pack libgprofng only for supported platforms. - Remove upstreamed patch binutils-maxpagesize.diff. - Rebase binutils-2.40-branch.diff.gz as it includes fix for PR30043. - Move libgprofng-related libraries to the proper locations (packages). - Add --without=bootstrap for skipping of bootstrap (faster testing of the package). - Remove broken arm32-avoid-copyreloc.patch to fix [gcc#108515] - Update to version 2.40: * Objdump has a new command line option --show-all-symbols which will make it display all symbols that match a given address when disassembling. (Normally only the first symbol that matches an address is shown). * Add --enable-colored-disassembly configure time option to enable colored disassembly output by default, if the output device is a terminal. Note, this configure option is disabled by default. * DCO signed contributions are now accepted. * objcopy --decompress-debug-sections now supports zstd compressed debug sections. The new option --compress-debug-sections=zstd compresses debug sections with zstd. * addr2line and objdump --dwarf now support zstd compressed debug sections. * The dlltool program now accepts --deterministic-libraries and - -non-deterministic-libraries as command line options to control whether or not it generates deterministic output libraries. If neither of these options are used the default is whatever was set when the binutils were configured. * readelf and objdump now have a newly added option --sframe which dumps the SFrame section. * Add support for Intel RAO-INT instructions. * Add support for Intel AVX-NE-CONVERT instructions. * Add support for Intel MSRLIST instructions. * Add support for Intel WRMSRNS instructions. * Add support for Intel CMPccXADD instructions. * Add support for Intel AVX-VNNI-INT8 instructions. * Add support for Intel AVX-IFMA instructions. * Add support for Intel PREFETCHI instructions. * Add support for Intel AMX-FP16 instructions. * gas now supports --compress-debug-sections=zstd to compress debug sections with zstd. * Add --enable-default-compressed-debug-sections-algorithm={zlib,zstd} that selects the default compression algorithm for --enable-compressed-debug-sections. * Add support for various T-Head extensions (XTheadBa, XTheadBb, XTheadBs, XTheadCmo, XTheadCondMov, XTheadFMemIdx, XTheadFmv, XTheadInt, XTheadMemIdx, XTheadMemPair, XTheadMac, and XTheadSync) from version 2.0 of the T-Head ISA manual, which are implemented in the Allwinner D1. * Add support for the RISC-V Zawrs extension, version 1.0-rc4. * Add support for Cortex-X1C for Arm. * New command line option --gsframe to generate SFrame unwind information on x86_64 and aarch64 targets. * The linker has a new command line option to suppress the generation of any warning or error messages. This can be useful when there is a need to create a known non-working binary. The option is -w or --no-warnings. * ld now supports zstd compressed debug sections. The new option - -compress-debug-sections=zstd compresses debug sections with zstd. * Add --enable-default-compressed-debug-sections-algorithm={zlib,zstd} that selects the default compression algorithm for --enable-compressed-debug-sections. * Remove support for -z bndplt (MPX prefix instructions). - Rebased patches: add-ulp-section.diff, ld-relro.diff, binutils-revert-plt32-in-branches.diff, cross-avr-size.patch. - Removed patch: binutils-pr29482.diff. - New patch: extensa-gcc-4_3-fix.diff. - Includes fixes for these CVEs: * bnc#1206080 aka CVE-2022-4285 aka PR29699 - Enable by default: --enable-colored-disassembly. - fix build on x86_64_vX platforms - Add binutils-maxpagesize.diff for a problem on old code streams, where we would generate too large binaries. - s390-pic-dso.diff: use %pB instead of %B - SLE toolchain update of binutils. Update to 2.39 from 2.37, which means obsoleting and hence removing these patches: binutils-add-efi-aarch64-1.diff, binutils-add-efi-aarch64-2.diff, binutils-add-efi-aarch64-3.diff, binutils-fix-keepdebug.diff, binutils-add-z16-name.diff. Implements [jsc#SLE-25046, jsc#PED-2029, jsc#PED-2035, jsc#PED-2033, jsc#PED-2030, jsc#PED-2038, jsc#PED-2032, jsc#PED-2034, jsc#PED-2031, jsc#SLE-25047] - This fixes these CVEs relative to 2.37: [bsc#1188374, bsc#1185597] aka (GCC) PR99935 aka CVE-2021-3648 [bsc#1193929] aka PR28694 aka CVE-2021-45078 [bsc#1194783] aka (GCC) PR98886 aka CVE-2021-46195 [bsc#1197592] aka (GCC) PR105039 aka CVE-2022-27943 [bsc#1202966] aka PR29289 aka CVE-2022-38126 [bsc#1202967] aka PR29290 aka CVE-2022-38127 [bsc#1202969] aka CVE-2021-3826 - add arm32-avoid-copyreloc.patch for PR16177 (bsc#1200962) - Add binutils-pr29482.diff for PR29482, aka CVE-2022-38533 [bsc#1202816] - Rebase binutils-2.39-branch.diff.gz that contains fix for PR29451. - Add binutils-2.39-branch.diff.gz. - Explicitly enable --enable-warn-execstack=yes and --enable-warn-rwx-segments=yes. - Add gprofng subpackage. - Update to binutils 2.39: * The ELF linker will now generate a warning message if the stack is made executable. Similarly it will warn if the output binary contains a segment with all three of the read, write and execute permission bits set. These warnings are intended to help developers identify programs which might be vulnerable to attack via these executable memory regions. The warnings are enabled by default but can be disabled via a command line option. It is also possible to build a linker with the warnings disabled, should that be necessary. * The ELF linker now supports a --package-metadata option that allows embedding a JSON payload in accordance to the Package Metadata specification. * In linker scripts it is now possible to use TYPE=&lt;type&gt; in an output section description to set the section type value. * The objdump program now supports coloured/colored syntax highlighting of its disassembler output for some architectures. (Currently: AVR, RiscV, s390, x86, x86_64). * The nm program now supports a --no-weak/-W option to make it ignore weak symbols. * The readelf and objdump programs now support a -wE option to prevent them from attempting to access debuginfod servers when following links. * The objcopy program's --weaken, --weaken-symbol, and - -weaken-symbols options now works with unique symbols as well. - Rebase binutils-compat-old-behaviour.diff, binutils-revert-hlasm-insns.diff, binutils-revert-plt32-in-branches.diff and remove binutils-2.38-branch.diff.gz. - For now use --disable-gprofng. - Includes fixes for these CVEs: bnc#1142579 aka CVE-2019-1010204 aka PR23765 (Fake entry from SLE for tracking purposes:) Package blog was updated: - Add patch blog.dif * Fix big endian cast problems to be able to read commands and ansers (blogctl) as well as passphrases (blogd) Package ca-certificates-mozilla was updated: - Updated to 2.62 state of Mozilla SSL root CAs (bsc#1214248) Added: - Atos TrustedRoot Root CA ECC G2 2020 - Atos TrustedRoot Root CA ECC TLS 2021 - Atos TrustedRoot Root CA RSA G2 2020 - Atos TrustedRoot Root CA RSA TLS 2021 - BJCA Global Root CA1 - BJCA Global Root CA2 - LAWtrust Root CA2 (4096) - Sectigo Public Email Protection Root E46 - Sectigo Public Email Protection Root R46 - Sectigo Public Server Authentication Root E46 - Sectigo Public Server Authentication Root R46 - SSL.com Client ECC Root CA 2022 - SSL.com Client RSA Root CA 2022 - SSL.com TLS ECC Root CA 2022 - SSL.com TLS RSA Root CA 2022 Removed CAs: - Chambers of Commerce Root - E-Tugra Certification Authority - E-Tugra Global Root CA ECC v3 - E-Tugra Global Root CA RSA v3 - Hongkong Post Root CA 1 - Updated to 2.60 state of Mozilla SSL root CAs (bsc#1206622) Removed CAs: - Global Chambersign Root - EC-ACC - Network Solutions Certificate Authority - Staat der Nederlanden EV Root CA - SwissSign Platinum CA - G2 Added CAs: - DIGITALSIGN GLOBAL ROOT ECDSA CA - DIGITALSIGN GLOBAL ROOT RSA CA - Security Communication ECC RootCA1 - Security Communication RootCA3 Changed trust: - TrustCor certificates only trusted up to Nov 30 (bsc#1206212) - Removed CAs (bsc#1206212) as most code does not handle &quot;valid before nov 30 2022&quot; and it is not clear how many certs were issued for SSL middleware by TrustCor: - TrustCor RootCert CA-1 - TrustCor RootCert CA-2 - TrustCor ECA-1 Patch: remove-trustcor.patch Package ca-certificates was updated: - Update to version 2+git20240416.98ae794 (bsc#1221184): * Use flock to serialize calls (boo#1188500) * Make certbundle.run container friendly * Create /var/lib/ca-certificates if needed Package catatonit was updated: - Update to catatonit v0.2.0. * Change license to GPL-2.0-or-later. - Remove upstreamed patches: - 99bb9048f.patch - Update to catatont v0.1.7 - This release adds the ability for catatonit to be used as the only process in a pause container, by passing the -P flag (in this mode no subprocess is spawned and thus no signal forwarding is done). - Add 99bb9048f.patch: configure.ac: call AM_INIT_AUTOMAKE only once. Fix build with autocnf 2.71 / automake 1.16.5. - Update to catatonit v0.1.6, which fixes a few bugs -- mainly ones related to socket activation or features somewhat adjacent to socket activation (such as passing file descriptors). - Update catatonit-rpmlintrc in order to cover that static binaries are now an error not a warning. Package chrony was updated: - Use make quickcheck instead of make check to avoid &gt;1h build times and failures due to timeouts. This was the default before 3.2 but it changed to make tests more reliable. Here a seed is already set to get deterministic execution. - Use shorter NTS-KE retry interval when network is down (bsc#1213551, chrony-burst_total_samples_to_go.patch, chrony-retry_interval_ke_start.patch). Package cloud-netconfig was updated: - Update to version 1.14 + Use '-s' instead of '--no-progress-meter' for curl (bsc#1221757) - Add version settings to Provides/Obsoletes - Update to version 1.12 (bsc#1221202) + If token access succeeds using IPv4 do not use the IPv6 endpoint only use the IPv6 IMDS endpoint if IPv4 access fails. - Add Provides/Obsoletes for dropped cloud-netconfig-nm - Install dispatcher script into /etc/NetworkManager/dispatcher.d on older distributions - Add BuildReqires: NetworkManager to avoid owning dispatcher.d parent directory - Update to version 1.11: + Revert address metadata lookup in GCE to local lookup (bsc#1219454) + Fix hang on warning log messages + Check whether getting IPv4 addresses from metadata failed and abort if true + Only delete policy rules if they exist + Skip adding/removing IPv4 ranges if metdata lookup failed + Improve error handling and logging in Azure + Set SCRIPTDIR when installing netconfig wrapper - Update to version 1.10: + Drop cloud-netconfig-nm sub package and include NM dispatcher script in main packages (bsc#1219007) + Spec file cleanup - Update to version 1.9: + Drop package dependency on sysconfig-netconfig + Improve log level handling + Support IPv6 IMDS endpoint in EC2 (bsc#1218069) - Update to version 1.8: + Fix Azure metadata check (bsc#1214715) + Fix cleanup on ifdown - Update to version 1.7: + Overhaul policy routing setup (issue #19) + Support alias IPv4 ranges (issue #14) + Add support for NetworkManager (bsc#1204549) + Remove dependency on netconfig + Install into libexec directory + Clear stale ifcfg files for accelerated NICs (bsc#1199853) + More debug messages + Documentation update - /etc/netconfig.d/ moved to /usr/libexec/netconfig/netconfig.d/ in Tumbleweed, update path (poo#116221) Package cloud-regionsrv-client was updated: - Update to version 10.1.7 (bsc#1220164, bsc#1220165) + Fix the failover path to a new target update server. At present a new server is not found since credential validation fails. We targeted the server detected in down condition to verify the credentials instead of the replacement server. - Update EC2 plugin to 1.0.4 (bsc#1219156, bsc#1219159) + Fix the algorithm to determine the region from the availability zone information retrieved from IMDS. - Update to version 10.1.6 + Support specifying an IPv6 address for a manually configured target update server. - Update to version 10.1.5 (bsc#1217583) + Fix fallback path when IPv6 network path is not usable + Enable an IPv6 fallback path in IMDS access if it cannot be accessed over IPv4 + Enable IMDS access over IPv6 - Update to version 10.1.4 (bsc#1217451) + Fetch cert for new update server during failover - Update to version 10.1.3 (bsc#1214801) + Add a warning if we detect a Python package cert bundle for certifi This will help with debugging and point to potential issues when using SUSE images in AWS, Azure, and GCE - Update to version 10.1.2 (bsc#1211282) + Properly handle Ipv6 when checking update server responsiveness. If not available fall back and use IPv4 information + Use systemd_ordered to allow use in a container without pulling systemd into the container as a requirement - Update to version 10.1.1 (bsc#1210020, bsc#1210021) + Clean up the system if baseproduct registraion fails to leave the system in prestine state + Log when the registercloudguest command is invoked with --clean - Update to version 10.1.0 (bsc#1207133, bsc#1208097, bsc#1208099 ) - Removes a warning about system_token entry present in the credentials file. - Adds logrotate configuration for log rotation. - Update to version 10.1.0 (bsc#1207133, bsc#1208097, bsc#1208099 ) - Removes a warning about system_token entry present in the credentials file. - Adds logrotate configuration for log rotation. - Update to version 10.0.8 (bsc#1206428) - Fix regression introduced by 10.0.7. When the hosts file was modified such that there is no empty line at the end of the file the content after removing the registration data does not match the content prior to registration. The update fixes the issue triggered by an index logic error. - Guard dmidecode dependency (bsc#1206082) - Update to version 10.0.7 (bsc#1191880, bsc#1195925, bsc#1195924) - Implement functionality to detect if an update server has a new cert. Import the new cert when it is detected. - Forward port fix-for-sles12-disable-ipv6.patch - From 10.0.6 (bsc#1205089) - Credentials are equal when username and password are the same ignore other entries in the credentials file - Handle multiple zypper names in process table, zypper and Zypp-main to properly detect the running process - Add patch to block IPv6 on SLE12 (bsc#1203382) Package containerd was updated: - Revert noarch for devel subpackage Switching to noarch causes issues on SLES maintenance updates, reverting it fixes our image builds - Update to containerd v1.7.17. Upstream release notes: &lt;https://github.com/containerd/containerd/releases/tag/v1.7.17&gt; - Switch back to using tar_scm service. Aside from obs_scm using more bandwidth and storage than a locally-compressed tar.xz, it seems there's some weird issue with paths in obscpio that break our SLE-12-only patch. - Rebase patches: * 0001-BUILD-SLE12-revert-btrfs-depend-on-kernel-UAPI-inste.patch - Update to containerd v1.7.16. Upstream release notes: &lt;https://github.com/containerd/containerd/releases/tag/v1.7.16&gt; CVE-2023-45288 bsc#1221400 - Use obs_scm service instead of tar_scm - Removed patch 0002-shim-Create-pid-file-with-0644-permissions.patch (merged upstream at &lt;https://github.com/containerd/containerd/pull/9571&gt;) - Update to containerd v1.7.15. Upstream release notes: &lt;https://github.com/containerd/containerd/releases/tag/v1.7.15&gt; - Update to containerd v1.7.14. Upstream release notes: &lt;https://github.com/containerd/containerd/releases/tag/v1.7.14&gt; - Update to containerd v1.7.13. Upstream release notes: &lt;https://github.com/containerd/containerd/releases/tag/v1.7.13&gt; - Update to containerd v1.7.12. Upstream release notes: &lt;https://github.com/containerd/containerd/releases/tag/v1.7.12&gt; - Update to containerd v1.7.11. Upstream release notes: &lt;https://github.com/containerd/containerd/releases/tag/v1.7.11&gt; GHSA-jq35-85cj-fj4p bsc#1224323 - Use %patch -P N instead of deprecated %patchN. - Enable manpage generation - Make devel package noarch - adjust rpmlint filters - Add patch for bsc#1217952: + 0002-shim-Create-pid-file-with-0644-permissions.patch - Update to containerd v1.7.10. Upstream release notes: &lt;https://github.com/containerd/containerd/releases/tag/v1.7.10&gt; - Rebase patches: * 0001-BUILD-SLE12-revert-btrfs-depend-on-kernel-UAPI-inste.patch - Update to containerd v1.7.8. Upstream release notes: &lt;https://github.com/containerd/containerd/releases/tag/v1.7.8&gt; bsc#1200528 - Rebase patches: * 0001-BUILD-SLE12-revert-btrfs-depend-on-kernel-UAPI-inste.patch - Update to containerd v1.7.7. Upstream release notes: &lt;https://github.com/containerd/containerd/releases/tag/v1.7.7&gt; - Add patch to fix build on SLE-12: + 0001-BUILD-SLE12-revert-btrfs-depend-on-kernel-UAPI-inste.patch - Update to containerd v1.7.6 for Docker v24.0.6-ce. Upstream release notes: &lt;https://github.com/containerd/containerd/releases/tag/v1.7.6&gt; bsc#1215323 - Add `Provides: cri-runtime` to use containerd as container runtime in Factory Kubernetes packages - Update to containerd v1.6.21 for Docker v23.0.6-ce. Upstream release notes: &lt;https://github.com/containerd/containerd/releases/tag/v1.6.21&gt; bsc#1211578 - Require a minimum Go version explicitly rather than using golang(API). Fixes the change for bsc#1210298. [ This was only released in SLE. ] - unversion to golang requires to always use the current default go. (bsc#1210298) - Update to containerd v1.6.20 for Docker v23.0.4-ce. Upstream release notes: &lt;https://github.com/containerd/containerd/releases/tag/v1.6.20&gt; - Update to containerd v1.6.19 for Docker v23.0.2-ce. Upstream release notes: &lt;https://github.com/containerd/containerd/releases/tag/v1.6.19&gt; Includes fixes for: - CVE-2023-25153 bsc#1208423 - CVE-2023-25173 bsc#1208426 - Re-build containerd to use updated golang-packaging. jsc#1342 - Update to containerd v1.6.16 for Docker v23.0.1-ce. Upstream release notes: &lt;https://github.com/containerd/containerd/releases/tag/v1.6.16&gt; - Update to containerd v1.6.12 to fix CVE-2022-23471 bsc#1206235. Upstream release notes: &lt;https://github.com/containerd/containerd/releases/tag/v1.6.12&gt; - Update to containerd v1.6.11. Upstream release notes: &lt;https://github.com/containerd/containerd/releases/tag/v1.6.11&gt; - Update to containerd v1.6.9 for Docker v20.10.21-ce. Also includes a fix for CVE-2022-27191. boo#1206065 bsc#1197284 Upstream release notes: &lt;https://github.com/containerd/containerd/releases/tag/v1.6.9&gt; - add devel subpackage, which is needed by open-vm-tools Package coreutils was updated: - coreutils-ls-avoid-triggering-automounts.patch ls: avoid triggering automounts (bsc#1221632) Package cpio was updated: - Fix cpio not working after the fix in bsc#1218571, fixes bsc#1219238 * fix-bsc1219238.patch - Fix CVE-2023-7207, path traversal vulnerability (bsc#1218571) * fix-CVE-2023-7207.patch Package cups was updated: - Require the exact matching version-release of all libcups* sub-packages (bsc#1226192) - cups-2.2.7-CVE-2024-35235.patch is derived from the upstream patch against master (CUPS 2.5) to behave backward compatible for CUPS 2.2.7 in SLE15 and openSUSE Leap 15 to fix CVE-2024-35235 &quot;cupsd Listen port arbitrary chmod 0140777&quot; without the more secure but backward-incompatible behaviour of the upstream patch for CUPS 2.5 that ignores domain sockets specified in 'Listen' entries in /etc/cups/cupsd.conf when cupsd is lauched via systemd (in particular when launched on-demand by systemd) https://github.com/OpenPrinting/cups/security/advisories/GHSA-vvwp-mv6j-hw6f bsc#1225365 - cups-2.2.7-web-ui-kerberos-authentication.patch, update patch to handle local 'Negotiate' authentication response for cli clients. (bsc#1223179). - Remove '--enable-debug-printfs' from configure options, see https://github.com/OpenPrinting/cups/issues/875 (bsc#1217119). - cups-2.2.7-CVE-2023-4504.patch fixes CVE-2023-4504 &quot;CUPS PostScript Parsing Heap Overflow&quot; https://github.com/OpenPrinting/cups/security/advisories/GHSA-pf5r-86w9-678h bsc#1215204 - cups-2.2.7-CVE-2023-32360.patch fixes CVE-2023-32360 &quot;Information leak through Cups-Get-Document operation&quot; by requiring authentication for CUPS-Get-Document in cupsd.conf https://github.com/OpenPrinting/cups/commit/a0c8b9c9556882f00c68b9727a95a1b6d1452913 https://github.com/OpenPrinting/cups/security/advisories/GHSA-7pv4-hx8c-gr4g bsc#1214254 - cups-2.2.7-additional_policies.patch is an updated version of cups-2.0.3-additional_policies.patch that replaces it to add the 'allowallforanybody' policy to cupsd.conf after cups-2.2.7-CVE-2023-32360.patch was applied - cups-2.2.7-CVE-2023-34241.patch fixes CVE-2023-34241 &quot;use-after-free in cupsdAcceptClient()&quot; https://github.com/OpenPrinting/cups/security/advisories/GHSA-qjgh-5hcq-5f25 bsc#1212230 - cups-2.2.7-CVE-2023-32324.patch fixes CVE-2023-32324 &quot;Heap buffer overflow in cupsd&quot; https://github.com/OpenPrinting/cups/security/advisories/GHSA-cxc6-w2g7-69p7 bsc#1211643 - 0001-cups-dests.c-cupsGetNamedDest-set-IPP_STATUS_ERROR_N.patch improves logging on 'IPP_STATUS_ERROR_NOT_FOUND' error that fixes bsc#1191467, bsc#1198932: &quot;lpr reports 'No such file or directory' for missing catalogue files&quot; &quot;/usr/bin/lpr: No such file or directory&quot; - after-network_target-sssd_service.patch is derived from https://github.com/apple/cups/issues/5550 with its https://github.com/apple/cups/commit/aaebca5660fdd7f7b6f30461f0788d91ef6e2fee and SUSE PTF:24471 cups.SUSE_SLE-15_Update cups-2.2.7-wait-for-network.patch to add &quot;After=network.target sssd.service&quot; to the systemd unit source files cupsd.service.in and cups.cups-lpdAT.service.in to fix bsc#1201234, bsc#1200321: &quot;Missing network dependency in systemd unit for cups-2.2.7&quot; &quot;CUPS may not always start if sssd is in use&quot; - cups-branch-2.2-commit-876fdc1c90a885a58644c8757bc1283c9fd5bcb7.diff is https://github.com/OpenPrinting/cups/commit/876fdc1c90a885a58644c8757bc1283c9fd5bcb7 which belongs to https://github.com/OpenPrinting/cups/issues/308 that fixes bsc#1191525, bsc#1203446: &quot;Print jobs on cups.sock return with EAGAIN (Resource temporarily unavailable)&quot; &quot;/usr/bin/lpr: Error - The printer or class does not exist.&quot; Package curl was updated: - regression fix [bsc#1219273] https://github.com/curl/curl/commit/91b53efa4b6854dc3688f55bfb329b0cafcf5325 - added patches + curl-CVE-2023-27534-tilde-back.patch - Security fix: [bsc#1221667, CVE-2024-2398] * curl: HTTP/2 push headers memory-leak * Add curl-CVE-2024-2398.patch - Fix: libssh: Implement SFTP packet size limit (bsc#1216987) * Add curl-libssh_Implement_SFTP_packet_size_limit.patch - Security fixes: * [bsc#1217573, CVE-2023-46218] cookie mixed case PSL bypass * Add patches: - curl-http-lowercase-headernames-for-HTTP-2-and-HTTP-3.patch - curl-CVE-2023-46218.patch - Security fix: [bsc#1215889, CVE-2023-38546] * Cookie injection with none file * Add curl-CVE-2023-38546.patch - Security fixes: * [bsc#1211231, CVE-2023-28320] siglongjmp race condition - Add curl-CVE-2023-28320.patch * [bsc#1211232, CVE-2023-28321] IDN wildcard matching - Add curl-CVE-2023-28321.patch [bsc#1211339] * [bsc#1211233, CVE-2023-28322] POST-after-PUT confusion - Add curl-CVE-2023-28322.patch - Security fixes: * [bsc#1209209, CVE-2023-27533] TELNET option IAC injection Add curl-CVE-2023-27533-no-sscanf.patch curl-CVE-2023-27533.patch * [bsc#1209210, CVE-2023-27534] SFTP path ~ resolving discrepancy Add curl-CVE-2023-27534.patch curl-CVE-2023-27534-dynbuf.patch * [bsc#1209211, CVE-2023-27535] FTP too eager connection reuse Add curl-CVE-2023-27535.patch * [bsc#1209212, CVE-2023-27536] GSS delegation too eager connection re-use Add curl-CVE-2023-27536.patch * [bsc#1209214, CVE-2023-27538] SSH connection too eager reuse still Add curl-CVE-2023-27538.patch - Security Fix: [bsc#1207992, CVE-2023-23916] * HTTP multi-header compression denial of service * Add curl-CVE-2023-23916.patch - Security Fix: [bsc#1206309, CVE-2022-43552] * HTTP Proxy deny use-after-free * Add curl-CVE-2022-43552.patch Package dbus-1 was updated: - Sometimes unprivileged users were able to crash dbus-daemon (CVE-2023-34969, bsc#1212126) * fix-upstream-CVE-2023-34969.patch Package lvm2 was updated: - blkdeactivate calls wrong mountpoint cmd (bsc#1214071) + bug-1214071-blkdeactivate_calls_wrong_mountpoint.patch - killed lvmlockd doesn't clear/adopt locks leading to inability to start volume group (bsc#1203216) - bug-1203216_lvmlockd-purge-the-lock-resources-left-in-previous-l.patch - dracut-initqueue timeouts with 5.3.18-150300.59.63 kernel on ppc64le (bsc#1199074) - in lvm2.spec, change device_mapper_version from 1.02.163 to %{lvm2_version}_1.02.163 - lvm2.spec %post deletes libdevmapper and triggers kernel panic (bsc#1198523) - change %post behaviour, only do deleting job for non-link folder Package dhcp was updated: - bsc#1203988, CVE-2022-2928, dhcp-CVE-2022-2928.patch: An option refcount overflow exists in dhcpd - bsc#1203989, CVE-2022-2929, dhcp-CVE-2022-2929.patch: DHCP memory leak Package dmidecode was updated: - use-read_file-to-read-from-dump.patch: Fix an old harmless bug which would prevent root from using the --from-dump option since the latest security fixes (bsc#1210418). Security fixes (CVE-2023-30630) - dmidecode-split-table-fetching-from-decoding.patch: dmidecode: Clean up function dmi_table so that it does only one thing (bsc#1210418). - dmidecode-write-the-whole-dump-file-at-once.patch: When option - -dump-bin is used, write the whole dump file at once, instead of opening and closing the file separately for the table and then for the entry point (bsc#1210418). - dmidecode-do-not-let-dump-bin-overwrite-an-existing-file.patch: Make sure that the file passed to option --dump-bin does not already exist (bsc#1210418). - ensure-dev-mem-is-a-character-device-file.patch: Add a safety check on the type of the mem device file we are asked to read from, if we are root (bsc#1210418). 3 recommended fixes from upstream: - dmidecode-fortify-entry-point-length-checks.patch: Ensure that the SMBIOS entry point is long enough to include all the fields we need. - dmidecode-fix-the-alignment-of-type-25-name.patch: Drop a stray tabulation before the name of DMI record type 25. - dmidecode-print-type-33-name-unconditionally.patch: Display the name of DMI record type 33 even if we can't decode it. Package docker was updated: [NOTE: This update was only ever released in SLES and Leap.]- Update to Docker 25.0.6-ce. See upstream changelog online at &lt;https://docs.docker.com/engine/release-notes/25.0/#2506&gt; - This update includes a fix for CVE-2024-41110. bsc#1228324 - Rebase patches: * 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch * 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch * 0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch * 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch * 0005-SLE12-revert-apparmor-remove-version-conditionals-fr.patch * 0006-bsc1221916-update-to-patched-buildkit-version-to-fix.patch * 0007-bsc1214855-volume-use-AtomicWriteFile-to-save-volume.patch - Rebase patches: * 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch * 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch * 0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch * 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch * 0005-SLE12-revert-apparmor-remove-version-conditionals-fr.patch - Fix BuildKit's symlink resolution logic to correctly handle non-lexical symlinks. Backport of &lt;https://github.com/moby/buildkit/pull/4896&gt; and &lt;https://github.com/moby/buildkit/pull/5060&gt;. bsc#1221916 + 0006-bsc1221916-update-to-patched-buildkit-version-to-fix.patch - Write volume options atomically so sudden system crashes won't result in future Docker starts failing due to empty files. Backport of &lt;https://github.com/moby/moby/pull/48034&gt;. bsc#1214855 + 0007-bsc1214855-volume-use-AtomicWriteFile-to-save-volume.patch [NOTE: This update was only ever released in SLES and Leap.] - Update to Docker 25.0.5-ce. See upstream changelog online at &lt;https://docs.docker.com/engine/release-notes/25.0/#2505&gt; bsc#1223409 - Rebase patches: * 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch * 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch * 0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch * 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch * 0005-SLE12-revert-apparmor-remove-version-conditionals-fr.patch * cli-0001-docs-include-required-tools-in-source-tree.patch - Remove upstreamed patches: - 0007-daemon-overlay2-remove-world-writable-permission-fro.patch - Update --add-runtime to point to correct binary path. [NOTE: This update was only ever released in SLES and Leap.] - Add patch to fix bsc#1220339 * 0007-daemon-overlay2-remove-world-writable-permission-fro.patch - rebase patches: * 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch * 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch * 0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch * 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch * 0005-SLE12-revert-apparmor-remove-version-conditionals-fr.patch * 0006-Vendor-in-latest-buildkit-v0.11-branch-including-CVE.patch - Allow to disable apparmor support (ALP supports only SELinux) - Update to Docker 25.0.3-ce. See upstream changelog online at &lt;https://docs.docker.com/engine/release-notes/25.0/#2503&gt; - Fixes: * bsc#1219267 - CVE-2024-23651 * bsc#1219268 - CVE-2024-23652 * bsc#1219438 - CVE-2024-23653 - Rebase patches: * 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch * 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch * 0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch * 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch * 0005-SLE12-revert-apparmor-remove-version-conditionals-fr.patch * cli-0001-docs-include-required-tools-in-source-tree.patch - Remove upstreamed patches: - 0006-Vendor-in-latest-buildkit-v0.11-branch-including-CVE.patch - Vendor latest buildkit v0.11: Add patch 0006-Vendor-in-latest-buildkit-v0.11-branch-including-CVE.patch that vendors in the latest v0.11 buildkit branch including bugfixes for the following: * bsc#1219438: CVE-2024-23653 * bsc#1219268: CVE-2024-23652 * bsc#1219267: CVE-2024-23651 - rebase patches: * 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch * 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch * 0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch * 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch * 0005-SLE12-revert-apparmor-remove-version-conditionals-fr.patch - switch from %patchN to %patch -PN syntax - remove unused rpmlint filters and add filters to silence pointless bash &amp; zsh completion warnings - Update to Docker 24.0.7-ce. See upstream changelog online at &lt;https://docs.docker.com/engine/release-notes/24.0/#2407&gt;. bsc#1217513 * Deny containers access to /sys/devices/virtual/powercap by default. - CVE-2020-8694 bsc#1170415 - CVE-2020-8695 bsc#1170446 - CVE-2020-12912 bsc#1178760 - Rebase patches: * 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch * 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch * 0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch * 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch * 0005-SLE12-revert-apparmor-remove-version-conditionals-fr.patch * cli-0001-docs-include-required-tools-in-source-tree.patch - Add a patch to fix apparmor on SLE-12, reverting the upstream removal of version-specific templating for the default apparmor profile. bsc#1213500 + 0005-SLE12-revert-apparmor-remove-version-conditionals-fr.patch - Rebase patches: * 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch * 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch * 0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch * 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch - Update to Docker 24.0.6-ce. See upstream changelog online at &lt;https://docs.docker.com/engine/release-notes/24.0/#2406&gt;. bsc#1215323 - Rebase patches: * 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch * 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch * 0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch * 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch * cli-0001-docs-include-required-tools-in-source-tree.patch - Switch from disabledrun to manualrun in _service. - Add a docker.socket unit file, but with socket activation effectively disabled to ensure that Docker will always run even if you start the socket individually. Users should probably just ignore this unit file. bsc#1210141 - Update to Docker 24.0.5-ce. See upstream changelog online at &lt;https://docs.docker.com/engine/release-notes/24.0/#2405&gt;. bsc#1213229 - Update to Docker 24.0.4-ce. See upstream changelog online at &lt;https://docs.docker.com/engine/release-notes/24.0/#2404&gt;. bsc#1213500 - Update to Docker 24.0.3-ce. See upstream changelog online at &lt;https://docs.docker.com/engine/release-notes/24.0/#2403&gt;. bsc#1213120 - Rebase patches: * cli-0001-docs-include-required-tools-in-source-tree.patch - Recommend docker-rootless-extras instead of Require(ing) it, given it's an additional functionality and not inherently required for docker to function. - Add docker-rootless-extras subpackage (https://docs.docker.com/engine/security/rootless) - Update to Docker 24.0.2-ce. See upstream changelog online at &lt;https://docs.docker.com/engine/release-notes/24.0/#2402&gt;. bsc#1212368 * Includes the upstreamed fix for the mount table pollution issue. bsc#1210797 - Add Recommends for docker-buildx, and add /usr/lib/docker/cli-plugins as being provided by this package. - Rebase patches: * 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch * 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch * 0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch * 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch * cli-0001-docs-include-required-tools-in-source-tree.patch - Update to Docker 23.0.6-ce. See upstream changelog online at &lt;https://docs.docker.com/engine/release-notes/23.0/#2306&gt;. bsc#1211578 - Rebase patches: * cli-0001-docs-include-required-tools-in-source-tree.patch - Re-unify packaging for SLE-12 and SLE-15. - Add patch to fix build on SLE-12 by switching back to libbtrfs-devel headers (the uapi headers in SLE-12 are too old). + 0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch - Re-numbered patches: - 0003-bsc1073877-apparmor-clobber-docker-default-profile-o.patch + 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch` - Update to Docker 23.0.5-ce. See upstream changelog online at &lt;https://docs.docker.com/engine/release-notes/23.0/#2305&gt;. - Rebase patches: * cli-0001-docs-include-required-tools-in-source-tree.patch - Update to Docker 23.0.4-ce. See upstream changelog online at &lt;https://docs.docker.com/engine/release-notes/23.0/#2304&gt;. bsc#1208074 - Fixes: * bsc#1214107 - CVE-2023-28840 * bsc#1214108 - CVE-2023-28841 * bsc#1214109 - CVE-2023-28842 - Rebase patches: * 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch * 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch * 0003-bsc1073877-apparmor-clobber-docker-default-profile-o.patch - Renumbered patches: - 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch - Remove upstreamed patches: - 0005-bsc1183855-btrfs-Do-not-disable-quota-on-cleanup.patch - 0006-bsc1193930-vendor-update-golang.org-x-crypto.patch - 0007-bsc1200022-fifo.Close-prevent-possible-panic-if-fifo.patch - Backport &lt;https://github.com/docker/cli/pull/4228&gt; to allow man pages to be built without internet access in OBS. + cli-0001-docs-include-required-tools-in-source-tree.patch - update to 20.10.23-ce. * see upstream changelog at https://docs.docker.com/engine/release-notes/#201023 - drop kubic flavor as kubic is EOL. this removes: kubelet.env docker-kubic-service.conf 0003-PRIVATE-REGISTRY-add-private-registry-mirror-support.patch - Update to Docker 20.10.21-ce. See upstream changelog online at &lt;https://docs.docker.com/engine/release-notes/#201021&gt;. bsc#1206065 bsc#1205375 CVE-2022-36109 - Rebase patches: * 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch * 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch * 0003-PRIVATE-REGISTRY-add-private-registry-mirror-support.patch * 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch * 0005-bsc1183855-btrfs-Do-not-disable-quota-on-cleanup.patch * 0006-bsc1193930-vendor-update-golang.org-x-crypto.patch * 0007-bsc1200022-fifo.Close-prevent-possible-panic-if-fifo.patch - The PRIVATE-REGISTRY patch will now output a warning if it is being used (in preparation for removing the feature). This feature was never meant to be used by users directly (and is only available in the -kubic/CaaSP version of the package anyway) and thus should not affect any users. - Fix wrong After: in docker.service, fixes bsc#1188447 - Add apparmor-parser as a Recommends to make sure that most users will end up with it installed even if they are primarily running SELinux. - Fix syntax of boolean dependency - Allow to install container-selinux instead of apparmor-parser. - Change to using systemd-sysusers Package dracut was updated: - Update to version 049.1+suse.257.gf94c3fd1: * fix(udev-rules): Correct network device naming (bsc#1192986) - Update to version 049.1+suse.255.g19bd61fd: * fix(dracut.sh): exit if resolving executable dependencies fails (bsc#1214081) - Update to version 049.1+suse.253.g1008bf13: * fix(network-legacy): handle do_dhcp calls without arguments (bsc#1210640) - Update to version 049.1+suse.251.g0b8dad5: * fix(dracut.sh): omission is an addition to other omissions in conf files (bsc#1208929) * fix(nfs): chown using rpc default group (bsc#1204929) - Update to version 049.1+suse.247.gfb7df05c: * fix(systemd): add missing modprobe@.service (bsc#1203749) * fix(i18n): do not fail if FONT in /etc/vconsole.conf has the file extension (bsc#1203267) * fix(drm): consider also drm_dev_register when looking for gpu driver (bsc#1195618) * fix(integrity): do not display any error if there is no IMA certificate (bsc#1187654) Package elfutils was updated: - 0001-libelf-Fixup-SHF_COMPRESSED-sh_addralign-in-elf_upda.patch: make debuginfo extraction from go1.19 built binaries work again. (bsc#1203599) Package fonts-config was updated: - get the homedir from getpwuid when no $ENV{&quot;HOME&quot;} set- added patches fix bsc#1210700 + fonts-config-homedir-getpwuid.patch Package gawk was updated: - format-tree-positional-arg.patch: Validate index into argument list (CVE-2023-4156, bsc#1214025) Package glib2 was updated: - Add patches to fix CVE-2024-34397 (boo#1224044): glib2-allocate-SignalSubscriber-structs-individually.patch glib2-CVE-2024-34397.patch (glgo#GNOME/glib#3268). glib2-fix-ibus-regression.patch (glgo#GNOME/glib#3353) - Update glib2-fix-normal-form-handling-in-gvariant.patch: Backported from upstream to fix regression on s390x. (bsc#1210135, glgo#GNOME/glib!2978) - Add glib2-fix-normal-form-handling-in-gvariant.patch: Backported from upstream to fix normal form handling in GVariant. (CVE-2023-24593, CVE-2023-25180, bsc#1209714, bsc#1209713, glgo#GNOME/glib!3125) Package glibc was updated: - nscd-netgroup-cache-timeout.patch: Use time_t for return type of addgetnetgrentX (CVE-2024-33602, bsc#1223425) - ulp-prologue-into-asm-functions.patch: Avoid creating ULP prologue for _start routine (bsc#1221940) - glibc-CVE-2024-33599-nscd-Stack-based-buffer-overflow-in-n.patch: nscd: Stack-based buffer overflow in netgroup cache (CVE-2024-33599, bsc#1223423, BZ #31677) - glibc-CVE-2024-33600-nscd-Avoid-null-pointer-crashes-after.patch: nscd: Avoid null pointer crashes after notfound response (CVE-2024-33600, bsc#1223424, BZ #31678) - glibc-CVE-2024-33600-nscd-Do-not-send-missing-not-found-re.patch: nscd: Do not send missing not-found response in addgetnetgrentX (CVE-2024-33600, bsc#1223424, BZ #31678) - glibc-CVE-2024-33601-CVE-2024-33602-nscd-netgroup-Use-two.patch: netgroup: Use two buffers in addgetnetgrentX (CVE-2024-33601, CVE-2024-33602, bsc#1223425, BZ #31680) - iconv-iso-2022-cn-ext.patch: iconv: ISO-2022-CN-EXT: fix out-of-bound writes when writing escape sequence (CVE-2024-2961, bsc#1222992) - duplocale-global-locale.patch: duplocale: protect use of global locale (bsc#1220441, BZ #23970) - qsort-invalid-cmp.patch: qsort: handle degenerated compare function (bsc#1218866) - getaddrinfo-eai-memory.patch: getaddrinfo: translate ENOMEM to EAI_MEMORY (bsc#1217589, BZ #31163) - aarch64-rawmemchr-unwind.patch: aarch64: correct CFI in rawmemchr (bsc#1217445, BZ #31113) - dl-map-segment-align-munmap.patch: elf: Align argument of __munmap to page size (bsc#1215891, BZ #28676) - gai-merge-continue-actions.patch: Simplify allocations and fix merge and continue actions (CVE-2023-4813, bsc#1215286, BZ #28931) - gb18030-2022.patch: add GB18030-2022 charmap (jsc#PED-4908, BZ #30243) - nscd-netlink-cache-invalidation.patch: nscd: Fix netlink cache invalidation if epoll is used (bsc#1212910, BZ #29415) - nss-files-hosts-v4mapped.patch: Restore lookup of IPv4 mapped addresses in files database (bsc#1212819, BZ #25457) - remove-excessive-p-align-check.patch: elf: Remove excessive p_align check on PT_LOAD segments (bsc#1211829, BZ #28688) - segment-align.patch: elf: Properly align PT_LOAD segments (bsc#1211829, BZ #28676) - ld-so-always-use-map-copy.patch: ld.so: Always use MAP_COPY to map the first segment (BZ #30452) - resolv-conf-lock.patch: resolv_conf: release lock on allocation failure (bsc#1211828, BZ #30527) - ulp-prologue-into-asm-functions.patch: Add support for livepatches in ASM written functions (bsc#1211726) - getlogin-no-loginuid.patch: getlogin_r: fix missing fallback if loginuid is unset (bsc#1209229, BZ #30235) - Exclude static archives from preparation for live patching (bnc#1208721) - amd-cacheinfo.patch: x86: Cache computation for AMD architecture (bsc#1207957) - gmon-hash-table-size.patch: gmon: Fix allocated buffer overflow (CVE-2023-0687, bsc#1207975, BZ #29444) - strncmp-avx2-boundary.patch: Fix avx2 strncmp offset compare condition check (bsc#1208358, BZ #25933) - dlopen-filter-object.patch: elf: Allow dlopen of filter object to work (bsc#1207571, BZ #16272) - powerpc-tst-ucontext.patch: powerpc: Fix unrecognized instruction errors with recent GCC Package google-guest-agent was updated: - Update to version 20240314.00 (bsc#1221900, bsc#1221901) * NetworkManager: only set secondary interfaces as up (#378) * address manager: make sure we check for oldMetadata (#375) * network: early setup network (#374) * NetworkManager: fix ipv6 and ipv4 mode attribute (#373) * Network Manager: make sure we clean up ifcfg files (#371) * metadata script runner: fix script download (#370) * oslogin: avoid adding extra empty line at the end of /etc/security/group.conf (#369) * Dynamic vlan (#361) * Check for nil response (#366) * Create NetworkManager implementation (#362) * Skip interface manager on Windows (#363) * network: remove ignore setup (#360) * Create wicked network service implementation and its respective unit (#356) * Update metadata script runner, add tests (#357) * Refactor guest-agent to use common retry util (#355) * Flush logs before exiting #358 (#359) - Refresh patches for new version * dont_overwrite_ifcfg.patch - No need for double %setup. - Use %patch -P N instead of deprecated %patchN. - Update to version 20240213.00 * Create systemd-networkd unit tests (#354) - from version 20240209.00 * Update network manager unit tests (#351) - from version 20240207.02 * Implement retry util (#350) - from version 20240207.01 * Refactor utils package to not dump everything unrelated into one file (#352) - from version 20240207.00 * Set version on metadata script runner (#353) * Implement cleanup of deprecated configuration directives (#348) * Ignore DHCP offered routes only for secondary nics (#347) * Deprecate DHClient in favor of systemd-networkd (#342) * Generate windows and linux licenses (#346) - from version 20240122.00 * Remove quintonamore from OWNERS (#345) - from version 20240111.00 * Delete integration tests (#343) - from version 20240109.00 * Update licenses with dependencies of go-winio (#339) * Add github.com/Microsoft/go-winio to third party licensing (#337) - Add explicit versioned dependency on google-guest-oslogin (bsc#1219642) - Refresh patches for new version * dont_overwrite_ifcfg.patch - Update to version 20231214.00 * Fix snapshot test failure (#336) - from version 20231212.00 * Implement json-based command messaging system for guest-agent (#326) - from version 20231118.00 * sshca: Remove certificate caching (#334) - from version 20231115.00 * revert: 3ddd9d4a496f7a9c591ded58c3f541fd9cc7e317 (#333) * Update script runner to use common cfg package (#331) - Update to version 20231110.00 * Update Google UEFI variable (#329) * Update owners (#328) - from version 20231103.00 * Make config parsing order consistent (#327) - Update to version 20231031.01 (bsc#1216547, bsc#1216751) * Add prefix to scheduler logs (#325) - from version 20231030.00 * Test configuration files are loaded in the documented order. Fix initial integration test. (#324) * Enable mTLS by default (#323) - from version 20231026.00 * Rotate MDS root certificate (#322) - from version 20231020.00 * Update response struct, add tests (#315) * Don't try to schedule mTLS job twice (#317) - from version 20231019.00 * snapshot: Add context cancellation handling (#318) - Bump the golang compiler version to 1.21 (bsc#1216546) - Update to version 20231016.00 * instance setup: trust/rely on metadata package's retry (#316) - from version 20231013.01 * Update known cert dirs for updaters (#314) - from version 20231011.00 * Verify cert refresher is enabled before running (#312) - from version 20231009.00 * Add support for the SSH key options (#296) - from version 20231006.01 * Events interface improvement (#290) - from version 20231006.00 * Refactor script runner to use common metadata package (#311) * Schedule MTLS job before notifying systemd (#310) * Refactor authorized keys to use metadata package (#300) - from version 20231005.00 * docs update: add configuration and event manager's docs. (#309) - from version 20231004.01 * Fix license header (#301) * packaging(deb): add epoch to oslogin dep declaration (#308) - from version 20231004.00 * packaging(deb): ignore suffix of version (#306) * packaging: force epoch and ignore suffix of version (#305) - from version 20231003.01 * oslogin: declare explicitly dependency (#304) * oslogin: remove Unstable.pamless_auth_stack feature flag (#303) - from version 20231003.00 * oslogin: resort ssh configuration keys (#299) - from version 20230925.00 * oslogin: introduce a feature flag to cert auth (#298) - from version 20230923.00 * gitignore: unify ignore in the root dir (#297) - from version 20230921.01 * managers: we accidentally disabled addressMgr, bring it back (#295) * cfg: fix typos (#294) * cfg: config typos (#293) * cfg: introduce a configuration management package (#288) - from version 20230921.00 * mtls: bring it back (#292) - from version 20230920.01 * Fix permissions on file created by SaferWriteFile() (#291) - from version 20230920.00 * sshca: re-enable the event watcher &amp; handler (#289) - from version 20230919.01 * oslogin: add PAMless Authorization Stack configuration (#285) - from version 20230919.00 * Preparing it for review (#287) * sshca: make sure to restore SELinux context of the pipe (#286) * remove deprecated usage, fix warnings (#282) * Update system store (#278) * Update workload certificate endpoints, use metadata package (#275) * metadata: use url package to form metadata URLs (#284) - from version 20230913.00 * release prep: disable ssh trusted ca module (#281) - from version 20230912.00 * New Guest Agent Release (#280) - from version 20230909.00 * Revert &quot;service: remove the use of the service library (#273)&quot; (#276) * service: remove the use of the service library (#273) - from version 20230906.01 * Store keys to machine keyset (#272) - from version 20230905.00 * restorecon: first try to determine if it's installed (#271) * run: change all commands to use CommandContext (#268) * Notify systemd after scheduling required jobs (#270) * Store certs in ProgramData instead of Program Files (#269) * metadata watcher: remove local retry &amp; implement unit tests (#267) * run: split command running utilities into its own package (#265) - Update to version 20230828.00 * snapshot: Use main context rather than create its own (#266) - from version 20230825.01 * Verify if cert was successfully added to certpool (#264) - from version 20230825.00 * Find previous cert for cleanup using one stored on disk (#263) - from version 20230823.00 * Revert &quot;sshtrustedca: configure selinux context for sshtrustedca pipe (#256)&quot; (#262) * Update credentials directory on Linux (#260) - from version 20230821.00 * Update owners (#261) - from version 20230819.00 * Revert &quot;guest-agent: prepare for public release (#258)&quot; (#259) - from version 20230817.00 * guest-agent: prepare for public release (#258) - from version 20230816.01 * Enable telemetry collection by default (#253) - from version 20230816.00 * Add pkcs12 license and update retry logic (#257) * sshtrustedca: Configure selinux context for sshtrustedca pipe (#256) * Store windows certs in certstore (#255) * events: Multiplex event watchers (#250) * Scheduler fixes (#254) * Update license files (#251) * Run telemetry every 24 hours, record pretty name on linux (#248) - Update to version 20230811.00 * sshca: move the event handler to its own package (#247) - from version 20230809.02 * Move scheduler package to google_guest_agent (#249) - from version 20230809.01 * Add scheduler utility to run jobs at interval (#244) - from version 20230809.00 * sshca: transform the format from json to openssh (#246) - from version 20230803.00 * Add support for reading UEFI variables on windows (#243) - from version 20230801.03 * sshtrustedca watcher: fix concurrency error (#242) - from version 20230801.02 * metadata: add a delta between http client timeout and hang (#241) - from version 20230801.00 * metadata: properly set request config (#240) * main: bring back the mds client initialization (#239) * metadata: don't try to use metadata before agentInit() is done (#238) * Add (disabled) telemetry logic to GuestAgent (#219) * metadata event handler: updates and bug fixes (#235) * Verify client credentials are signed by root CA before writing on disk (#236) * metadata: properly handle context cancelation (#234) * metadata: fix context cancelation error check (#233) * metadata: remove the sleep around metadata in instance setup (#232) * metadata: implement backoff strategy (#231) * Decrypt and store client credentials on disk (#230) * Upgrade Go version 1.20 (#228) * Fetch guest credentials and add MDS response proto (#226) * metadata: pass main context to WriteGuestAttributes() (#227) * Support for reading &amp; writing Root CA cert from UEFI variable (#225) * ssh_trusted_ca: enable the feature (#224) * sshTrustedCA: add pipe event handler (#222) * events: start using events layer (#223) - from version 20230726.00 * events: introducing a events handling subsystem (#221) - from version 20230725.00 * metadata: add metadata client interface (#220) - from version 20230711.00 * metadata: moving to its own package (#218) - from version 20230707.00 * snapshot: fix request handling error (#217) - Bump Go API version to 1.20 - Update to version 20230601.00 (bsc#1212418, bsc#1212759) * Revert &quot;Avoid conflict with automated package updates (#212)&quot; (#214) * Don't block google-osconfig-agent (#213) - from version 20230531.00 * Avoid conflict with automated package updates (#212) * Add a support of TrustedUserCAKeys into sshd configuration (#206) - Update to version 20230510.00 * Fix dependencies after updating go ver to 1.17 (#211) * Update Go version (#210) - from version 20230426.00 * Fix compilation directives (#207) - from version 20230403.00 * Mod update (#205) * Update mod: update golang.org/x/net to 0.8.0 and its dependencies (#204) - Bump go API version to 1.18 (bsc#1208723) + Address CVE-2021-38297 and CVE-2022-23806 - Update to version 20230221.00 * Allow a comment part of a pub ssh key to have an arbitrary format (#198) + Split GetUserKey() into two functions: get and validate + Correct the name of ValidateUser func as it validates only users + Update tests * Update OWNERS (#201) - from version 20230207.00 * Update OWNERS file (#199) - Update to version 20230112.00 * Updating logging module so cloud logs are flushed prior to exit (#196) * Windows: retry adding MDS route (#194) - Update to version 20221109.00 * Validate user key for whitespace chars (#188) - from version 20221107.00 * Fix typo with wsfc agent (#189) - from version 20221104.00 * Updates to gce-workload-cert-refresh (#186) - from version 20221025.00 * Add workload cert refresh to preset (#185) - Update to version 20221018.00 * Write workload cert status file (#184) - from version 20221017.00 * Update workload_cert permissions (#180) - Update to version 20220927.00 * Workload certificate refresh (#182) - Update to version 20220824.00 * Workload certs (#177) - from version 20220823.00 * add members to OWNERS (#178) * Expired key tests (#176) * correct expired key handling (#175) - avoid bashism in post-install scripts (bsc#1195391) Package google-guest-configs was updated: - Update to version 20240307.00 (bsc#1221146, bsc#1221900, bsc#1221901) * Support dot in NVMe device ids (#68) - from version 20240304.00 * google_set_hostname: Extract rsyslog service name with a regexp for valid systemd unit names (#67) - from version 20240228.00 * Remove quintonamore from OWNERS (#64) - from version 20240119.00 * Setup smp affinity for IRQs and XPS on A3+ VMs (#63) - Update to version 20231214.00 * set multiqueue: A3 check set timeout the MDS call in 1s (#62) - from version 20231103.00 * Update owners (#61) * Update owners (#58) - Update to version 20230929.00 * Update multinic filter to pick only pci devices (#59) - Update to version 20230808.00 (bsc#1214546, bsc#1214572) * 64-gce-disk-removal.rules: delete (#51) - from version 20230801.00 * Replace xxd with dd for google_nvme_id (#56) - from version 20230729.00 * Setup irq binding for a3 8g vm (#57) - from version 20230724.00 * Debian packaging: add xxd dependency (#55) - Update to version 20230626.00 (bsc#1212418, bsc#1212759) * Revert &quot;Replace `xxd` to `cut` for google_nvme_id (#49)&quot; (#54) - Update to version 20230526.00 * dracut: Add a new dracut module for gcp udev rules (#53) - from version 20230522.00 * src/lib/udev: only create symlinks for GCP devices (#52) - from version 20230515.00 * Replace `xxd` to `cut` for google_nvme_id (#49) - from version 20230328.00 * Set hostname: consider fully qualified static hostname (#46) - Update to version 20230217.01 * Support multiple local SSD controllers (#39) - from version 20230217.00 * Update OWNERS (#45) - from version 20230215.00 * DHCP hostname: don't reset hostname if the hostname hasn't changed (#44) - from version 20230202.00 * Update OWNERS file (#43) - from version 20230123.00 * Fix a repository URL in packaging specs (#41) - Add nvme-cli to Requires (bsc#1204068, bsc#1204091) Package google-guest-oslogin was updated: - Fix file permissions for google_authorized_principals binary (bsc#1222171) - Update to version 20240311.00 (bsc#1218548, bsc#1221900, bsc#1221901) * pam: Bring back pam's account management implementation (#133) * Change error messages when checking login policy (#129) * Remove quintonamore from OWNERS (#128) - Add explicit versioned dependency on google-guest-agent (bsc#1219642) - Update to version 20231116.00 * build: Fix DESTDIR concatenation (#124) - from version 20231113.00 * build: Fix clang build (#122) - from version 20231103.00 * Update owners (#121) - Update to version 20231101.00 (bsc#1216548, bsc#1216750) * Fix HTTP calls retry logic (#117) - Update to version 20231004 * packaging: Make the dependency explicit (#120) - update to 20230926.00: * fix suse build * selinux: fix selinux build (#114) * test: align CXX Flags * sshca: Make the implementation more C++ like * sshca: Add a SysLog wrapper * oslogin_utils: introduce AuthorizeUser() API * sshca: move it out of pam dir * pam: start disabling the use of oslogin_sshca * sshca: consider sshca API to assume a cert only * authorized principals: introduce the new command * authorize keys: update to use new APIs * pam modules: remove pam_*_admin and update pam_*_login * cache_refresh: should be catching by reference. - Update to version 20230823.00 * selinux: Add sshd_key_t type enforcement to trusted user ca (#113) - from version 20230822.00 * sshca: Add tests with fingerprint and multiple extensions (#111) - from version 20230821.01 * sshca: Support method token and handle multi line (#109) - from version 20230821.00 * Update owners (#110) - Update to version 20230808.00 * byoid: extract and apply the ca fingerprint to policy call (#106) - Update to version 20230502.00 * Improve the URL in 2fa prompt (#104) - from version 20230406.02 * Check open files (#101) - from version 20230406.01 * Initialize variables (#100) * Fix formatting (#102) - from version 20230406.00 * PAM cleanup: remove duplicates (#97) - from version 20230405.00 * NSS cleanup (#98) - from version 20230403.01 * Cleanup Makefiles (#95) - from version 20230403.00 * Add anandadalton to the owners list (#96) - Update to version 20230217.00 * Update OWNERS (#91) - from version 20230202.00 * Update owners file (#89) Package google-osconfig-agent was updated: - Update to version 20240320.00 (bsc#1221900, bsc#1221901) * Enable OSConfig agent to read GPG keys files with multiple entities (#537) - from version 20240314.00 * Update OWNERS file to replace mahmoudn GitHub username by personal email GitHub username (#534) - from version 20240313.01 * Bump google.golang.org/protobuf from 1.30.0 to 1.33.0 in /e2e_tests (#535) - from version 20240313.00 * Adds a console and gcloud example policies (#533) - from version 20240228.00 * GuestPolicies e2e: Remove ed package if exist for zypper startup_script in recipe-steps tests (#532) - from version 20240126.00 * Fix Enterprise Linux Recipe-Steps tests to install info dependency package in the startup-script (#530) - from version 20240125.01 * Fix SUSE pkg-update and pkg-no-update e2e tests (#529) - from version 20240125.00 * Fix zypper patch info parser to consider conflicts-pkgs float versions (#528) - from version 20240123.01 * Fix SUSE package update e2e tests to use another existing package (#527) - from version 20240123.00 * Update cis-exclude-check-once-a-day.yaml (#526) - Update to version 20231219.00 * Bump golang.org/x/crypto from 0.14.0 to 0.17.0 (#524) - from version 20231207.01 * Some change to create an agent release (#523) - from version 20231207.00 * Some change to create an agent release (#522) - from version 20231205.00 * Some change to create an agent release (#521) - from version 20231130.02 * Merge pull request #519 from Gulio/just-release * Merge branch 'master' into just-release * Some change to create an agent release * Some change to create an agent release - from version 20231130.00 * Some change to create an agent release (#518) - from version 20231129.00 * Fix parse yum updates to consider the packages under installing-dependencies keyword (#502) * Update feature names in the README file (#517) - from version 20231128.00 * Updating owners (#508) - from version 20231127.00 * Move OS policy CIS examples under the console folder (#514) - from version 20231123.01 * Adds three more OS Policy examples to CIS folder (#509) * Added ekrementeskii and MahmoudNada0 to OWNERS (#505) - from version 20231123.00 * docs(osconfig):add OS policy examples for CIS scanning (#503) - from version 20231121.02 * Added SCODE to Windows error description (#504) - from version 20231121.01 * Update OWNERS (#501) * Update go version to 1.21 (#507) - from version 20231121.00 * Call fqdn (#481) - from version 20231116.00 * Removing obsolete MS Windows 2019 images (#500) - from version 20231107.00 * Update owners. (#498) - from version 20231103.02 * Increasing test timeouts (#499) * Update OWNERS (#497) - from version 20231103.01 * Bump google.golang.org/grpc from 1.53.0 to 1.56.3 in /e2e_tests (#493) * Bump google.golang.org/grpc from 1.53.0 to 1.56.3 (#494) - from version 20231103.00 * Removing deprecated Win for containers OSs (#496) - from version 20231027.00 * Shortening the reported image names (#495) - from version 20231025.00 * Merge pull request #492 from GoogleCloudPlatform/michaljankowiak-patch-1 * Merge branch 'master' into michaljankowiak-patch-1 * Fixing name changes * Fixing rename issue * Fixed formatting * Fixed formatting * Fixing formatting * Removing support for RHEL 6, adding RHEL 9 * Removing support for RHEL 6, adding for RHEL 9 * Removing support for RHEL 6 and adding for RHEL 9 * Removing step needed for RHEL 6 * Fixing build issues * Removing nonexistent images and adding new ones - from version 20231024.00 * Removing obsolete OS images and adding new ones (#491) - from version 20231020.00 * Change debug messages when parsing zypper patch output (#490) - from version 20231013.00 * Bump golang.org/x/net from 0.7.0 to 0.17.0 (#489) - from version 20231010.00 * Revert &quot;Added [main] section with gpgcheck to the agent-managed repo file (#484)&quot; (#488) - from version 20231003.00 * Bump google.golang.org/grpc from 1.42.0 to 1.53.0 in /e2e_tests (#478) - from version 20230920.00 * Update OWNERS (#485) - from version 20230912.00 * Added [main] section with gpgcheck to the agent-managed repo file (#484) * Migrate empty interface to any (#483) - Bump the golang compiler version to 1.21 (bsc#1216546) - Update to version 20230829.00 * Added burov, dowgird, paulinakania and Gulio to OWNERS (#482) &gt;&gt;&gt;&gt;&gt;&gt;&gt; ./google-osconfig-agent.changes.new - Update to version 20230706.02 (bsc#1212418, bsc#1212759) * Update go version in go.mod (#479) - from version 20230706.01 * Fix condition to have 10 attempts rather than 11. (#477) - from version 20230706.00 * Remove tests for Ubuntu 18.04 (EOL) (#476) - from version 20230605.00 * Update old SLES images paths (#475) - from version 20230602.00 * Adding what exit codes mean for OS Config policy (#474) - from version 20230504.00 * Set DEBIAN_FRONTEND=noninteractive for apt-get (#472) - from version 20230403.00 * Disable repos clean-up (#471) - from version 20230330.00 * Revert &quot;Call FQDN (#454)&quot; (#470) - from version 20230327.00 * support new format of zypper patch (#469) * Fix comparing exec.Cmd in mock on Go1.20 - from version 20230316.00 * Remove old images from e2e tests image list - from version 20230227.01 * Update dependencies (#466) - from version 20230227.00 * Bump golang.org/x/sys from 0.0.0-20210923061019-b8560ed6a9b7 to 0.1.0 (#463) - Bump go API version to 1.18 (bsc#1208723) + Address CVE-2021-38297 and CVE-2022-23806 - Update to version 20230222.00 * Remove Debian 9 from e2e tests image list (#460) - from version 20230217.00 * Update OWNERS (#458) - from version 20230208.00 * Fix the error in the `copy_file_from_bucket.yaml` example. (#456) - from version 20230202.00 * Update owners file. (#455) - from version 20230123.00 * Call FQDN (#454) - Update to version 20221214.00 * Close clients that are not passed anywhere (#450) - Update to version 20221013.01 * Don't print raw pointer data. (#446) - from version 20221013.00 * Delete yum transaction files if created. (#445) - Update to version 20220829.00 * Fix exclude packages field processing (#440) - from version 20220824.00 * Check for exclusive patches. (#442) Package gpg2 was updated: - Suppress error message on trial reading as PEM format when using dirmngr to validate broken DER encoded files (bsc#1217212) * Add patches: - gnupg-dirmngr-Suppress-error-message-on-trial-reading-as-PEM.patch - gnupg-dirmngr-Clear-the-error-count-to-try-certificate-as-binary.patch Package growpart-rootgrow was updated: - Update to version 1.0.7 (bsc#1219941) + Support root to be in a btrfs snapshot + 1.0.6 had different implementation for btrfs in snapshot support Package grub2 was updated: - Fix CVE-2023-4692 (bsc#1215935)- Fix CVE-2023-4693 (bsc#1215936) * 0001-fs-ntfs-Fix-an-OOB-write-when-parsing-the-ATTRIBUTE_.patch * 0002-fs-ntfs-Fix-an-OOB-read-when-reading-data-from-the-r.patch * 0003-fs-ntfs-Fix-an-OOB-read-when-parsing-directory-entri.patch * 0004-fs-ntfs-Fix-an-OOB-read-when-parsing-bitmaps-for-ind.patch * 0005-fs-ntfs-Fix-an-OOB-read-when-parsing-a-volume-label.patch * 0006-fs-ntfs-Make-code-more-readable.patch - Bump upstream SBAT generation to 4 - grub2-once: Fix 'sh: terminal_output: command not found' error (bsc#1204563) - Fix unknown filesystem error on disks with 4096 sector size (bsc#1207064) (bsc#1209234) * 0001-grub-core-modify-sector-by-sysfs-as-disk-sector.patch - Fix installation over serial console ends up in infinite boot loop (bsc#1187810) (bsc#1209667) (bsc#1209372) * 0001-Fix-infinite-boot-loop-on-headless-system-in-qemu.patch - Fix aarch64 kiwi image's file not found due to '/@' prepended to path in btrfs filesystem. (bsc#1209165) * grub2-btrfs-05-grub2-mkconfig.patch - Make grub more robust against storage race condition causing system boot failures (bsc#1189036) * 0001-ieee1275-ofdisk-retry-on-open-and-read-failure.patch - Make grub.cfg invariant to efi and legacy platforms (bsc#1205200) - Removed patch linuxefi * grub2-secureboot-provide-linuxefi-config.patch * grub2-secureboot-use-linuxefi-on-uefi-in-os-prober.patch * grub2-secureboot-use-linuxefi-on-uefi.patch - Rediff * grub2-btrfs-05-grub2-mkconfig.patch * grub2-efi-xen-cmdline.patch * grub2-s390x-05-grub2-mkconfig.patch * grub2-suse-remove-linux-root-param.patch - Move unsupported zfs modules into 'extras' packages (bsc#1205554) (PED-2947) - Security fixes and hardenings * 0001-font-Reject-glyphs-exceeds-font-max_glyph_width-or-f.patch * 0002-font-Fix-size-overflow-in-grub_font_get_glyph_intern.patch - Fix CVE-2022-2601 (bsc#1205178) * 0003-font-Fix-several-integer-overflows-in-grub_font_cons.patch * 0004-font-Remove-grub_font_dup_glyph.patch * 0005-font-Fix-integer-overflow-in-ensure_comb_space.patch * 0006-font-Fix-integer-overflow-in-BMP-index.patch * 0007-font-Fix-integer-underflow-in-binary-search-of-char-.patch * 0008-fbutil-Fix-integer-overflow.patch - Fix CVE-2022-3775 (bsc#1205182) * 0009-font-Fix-an-integer-underflow-in-blit_comb.patch * 0010-font-Harden-grub_font_blit_glyph-and-grub_font_blit_.patch * 0011-font-Assign-null_font-to-glyphs-in-ascii_font_glyph.patch * 0012-normal-charset-Fix-an-integer-overflow-in-grub_unico.patch - Bump upstream SBAT generation to 3 Package hwinfo was updated: - merge gh#openSUSE/hwinfo#132- avoid linking problems with libsamba (bsc#1212756) - 21.85 - merge gh#openSUSE/hwinfo#127 - create xen usb controller device if necessary (bsc#1204294) - 21.84 - merge gh#openSUSE/hwinfo#115 - improve treatment of NVME devices (bsc#1200975) - fix compiler warnings - 21.83 Package irqbalance was updated: - Last changes log was wrong, this part has been added to SP4 changes but were missing in SP2/SP3 and are added now (bsc#1208717): Fix segfault from previous update (bsc#1206668) A Fix-uninitialized-variable.patch - Fix segfault from previous update (bsc#1206668) - Fix version - Maintainer forgot to increase version to 1.4.0 A fix_version_1_4_0 - Add mainline fixes (bnc#1204961): The first 2 patches are cleanup patches which should not have any functional change, but make life easier to backport the real fix. All patches are mainline: A Update-classify.c.patch A irqbalance-properly-check-if-irq-is-banned.patch A remove-unused-path-in-check_for_irq_ban.patch Package open-iscsi was updated: - Branched SLE-15-SP3 from Factory. No longer in sync with Tumbleweed. - Backported upstream commit, which sets 'safe_logout' and 'startup' in iscsid.conf, to address bsc#1207157 - Updated year in SPEC file Package issue-generator was updated: - Update to version 1.13 - SELinux: Do not call agetty --reload [bsc#1186178] - Update to version 1.12 - Update manual page - Use python3 instead of python 2.x - Update to version 1.11 - Don't display issue.d/*.issue files, agetty will do that [bsc#1177891] - Ignore /run/issue.d in issue-generator.path, else issue-generator will be called too fast too often [bsc#1177865] - Ignore *.bak, *~ and *.rpm* files [bsc#1118862] - Handle the .path unit in scriptlets as well - Update to version 1.10 - Display wlan interfaces [bsc#1169070] - Update to version 1.9 - Fix path for systemd files - Update to version 1.8 - Handle network interface renames Package kernel-default was updated: - Update patches.suse/0020-dm-btree-remove-fix-use-after-free-in-rebalance_chil.patch (git-fixes CVE-2021-47600 bsc#1226575). - Update patches.suse/0022-block-Fix-wrong-offset-in-bio_truncate.patch (git-fixes CVE-2022-48747 bsc#1226643). - Update patches.suse/ARM-9170-1-fix-panic-when-kasan-and-kprobe-are-enabled.patch (git-fixes CVE-2021-47618 bsc#1226644). - Update patches.suse/ASoC-max9759-fix-underflow-in-speaker_gain_control_p.patch (git-fixes CVE-2022-48717 bsc#1226679). - Update patches.suse/ASoC-ops-Reject-out-of-bounds-values-in-snd_soc_put_-4cf28e9ae6e2.patch (git-fixes CVE-2022-48736 bsc#1226721). - Update patches.suse/ASoC-ops-Reject-out-of-bounds-values-in-snd_soc_put_-4f1e50d6a9cf.patch (git-fixes CVE-2022-48737 bsc#1226762). - Update patches.suse/ASoC-ops-Reject-out-of-bounds-values-in-snd_soc_put_.patch (git-fixes CVE-2022-48738 bsc#1226674). - Update patches.suse/Bluetooth-refactor-malicious-adv-data-check.patch (git-fixes CVE-2021-47620 bsc#1226669). - Update patches.suse/IB-hfi1-Fix-AIP-early-init-panic.patch (jsc#SLE-13208 CVE-2022-48728 bsc#1226691). - Update patches.suse/PCI-pciehp-Fix-infinite-loop-in-IRQ-handler-upon-pow.patch (git-fixes CVE-2021-47617 bsc#1226614). - Update patches.suse/RDMA-ucma-Protect-mc-during-concurrent-multicast-lea.patch (bsc#1181147 CVE-2022-48726 bsc#1226686). - Update patches.suse/ceph-properly-put-ceph_string-reference-after-async-create-attempt.patch (bsc#1195798 CVE-2022-48767 bsc#1226715). - Update patches.suse/dma-buf-heaps-Fix-potential-spectre-v1-gadget.patch (git-fixes CVE-2022-48730 bsc#1226713). - Update patches.suse/drm-msm-dpu-invalid-parameter-check-in-dpu_setup_dsp.patch (git-fixes CVE-2022-48749 bsc#1226650). - Update patches.suse/drm-msm-dsi-invalid-parameter-check-in-msm_dsi_phy_e.patch (git-fixes CVE-2022-48756 bsc#1226698). - Update patches.suse/drm-nouveau-fix-off-by-one-in-BIOS-boundary-checking.patch (git-fixes CVE-2022-48732 bsc#1226716). - Update patches.suse/firmware-arm_scpi-Fix-string-overflow-in-SCPI-genpd-.patch (git-fixes CVE-2021-47609 bsc#1226562). - Update patches.suse/i40e-Fix-queues-reservation-for-XDP.patch (git-fixes CVE-2021-47619 bsc#1226645). - Update patches.suse/igbvf-fix-double-free-in-igbvf_probe.patch (git-fixes CVE-2021-47589 bsc#1226557). - Update patches.suse/iommu-vt-d-fix-potential-memory-leak-in-intel_setup_irq_remapping (git-fixes CVE-2022-48724 bsc#1226624). - Update patches.suse/mac80211-track-only-QoS-data-frames-for-admission-co.patch (git-fixes CVE-2021-47602 bsc#1226554). - Update patches.suse/mac80211-validate-extended-element-ID-is-present.patch (git-fixes CVE-2021-47611 bsc#1226583). - Update patches.suse/net-bridge-vlan-fix-memory-leak-in-__allowed_ingress.patch (bsc#1176447 CVE-2022-48748 bsc#1226647). - Update patches.suse/net-hns3-fix-use-after-free-bug-in-hclgevf_send_mbx_.patch (jsc#SLE-14777 CVE-2021-47596 bsc#1226558). - Update patches.suse/net-ieee802154-ca8210-Stop-leaking-skb-s.patch (git-fixes CVE-2022-48722 bsc#1226619). - Update patches.suse/net-mlx5e-Fix-handling-of-wrong-devices-during-bond-.patch (jsc#SLE-15172 CVE-2022-48746 bsc#1226703). - Update patches.suse/net-sched-sch_ets-don-t-remove-idle-classes-from-the.patch (bsc#1176774 CVE-2021-47595 bsc#1226552). - Update patches.suse/nfc-fix-segfault-in-nfc_genl_dump_devices_done.patch (git-fixes CVE-2021-47612 bsc#1226585). - Update patches.suse/phylib-fix-potential-use-after-free.patch (git-fixes CVE-2022-48754 bsc#1226692). - Update patches.suse/powerpc-perf-Fix-power_pmu_disable-to-call-clear_pmi.patch (bsc#1156395 CVE-2022-48752 bsc#1226709). - Update patches.suse/rpmsg-char-Fix-race-between-the-release-of-rpmsg_ctr.patch (git-fixes CVE-2022-48759 bsc#1226711). - Update patches.suse/scsi-bnx2fc-Flush-destroy_work-queue-before-calling-bnx2fc_interface_put (git-fixes CVE-2022-48758 bsc#1226708). - Update patches.suse/scsi-bnx2fc-Make-bnx2fc_recv_frame-mp-safe (git-fixes CVE-2022-48715 bsc#1226621). - Update patches.suse/scsi-scsi_debug-Sanity-check-block-descriptor-length-in-resp_mode_select.patch (git-fixes CVE-2021-47576 bsc#1226537). - Update patches.suse/smb-client-set-correct-id-uid-and-cruid-for-multiuser-automounts.patch (git-fixes CVE-2024-26822 bsc#1223011). - Update patches.suse/tracing-histogram-Fix-a-potential-memory-leak-for-kstrdup.patch (git-fixes CVE-2022-48768 bsc#1226720). - commit 3239c2b - Update patches.suse/drm-vmwgfx-Fix-stale-file-descriptors-on-failed-user.patch (CVE-2022-22942 bsc#1195065 CVE-2022-48771 bsc#1226732). - Update patches.suse/isdn-cpai-check-ctr-cnr-to-avoid-array-index-out-of-.patch (CVE-2021-43389 CVE-2021-3896 bsc#1191958 git-fixes CVE-2021-4439 bsc#1226670). - Update patches.suse/media-mxl111sf-change-mutex_init-location.patch (git-fixes CVE-2021-47583 bsc#1226563). - Update patches.suse/of-module-prevent-NULL-pointer-dereference-in-vsnprintf.patch (bsc#1226587 CVE-2024-38541 CVE-2024-35878 bsc#1224671). - Update patches.suse/tipc-improve-size-validations-for-received-domain-re.patch (bsc#1195254 CVE-2022-0435 CVE-2022-48711 bsc#1226672). - commit 4e385ef - tcp: Use refcount_inc_not_zero() in tcp_twsk_unique() (CVE-2024-36904 bsc#1225732). - commit 80f0f47 - tcp: do not accept ACK of bytes we never sent (CVE-2023-52881 bsc#1225611). - commit 874a2d3 - x86/tsc: Trust initial offset in architectural TSC-adjust MSRs (bsc#1222015 bsc#1226962). - commit c8cabcf - USB: core: Fix hang in usb_kill_urb by adding memory barriers (CVE-2022-48760 bsc#1226712). - commit da8ec3e - scsi: qedf: Ensure the copied buf is NUL terminated (bsc#1226758 CVE-2024-38559). - scsi: bfa: Ensure the copied buf is NUL terminated (bsc#1226786 CVE-2024-38560). - commit 0e33f69 - Update References tag patches.suse/Bluetooth-Disconnect-if-E0-is-used-for-Level-4.patch (bsc#1171988 CVE-2020-10135 bsc#1218148 CVE-2023-24023). - commit 906dfa6 - RDMA/hns: Fix UAF for cq async event (bsc#1226595 CVE-2024-38545) - commit d57d06d - of: module: prevent NULL pointer dereference in vsnprintf() (bsc#1226587 CVE-2024-38541) - commit c381bb4 - of: module: add buffer overflow check in of_modalias() (bsc#1226587 CVE-2024-38541) - commit 212b607 - net/mlx5e: Fix use-after-free of encap entry in neigh update handler (bsc#1224865 CVE-2021-47247). - commit 91cae43 - net: qcom/emac: fix UAF in emac_remove (bsc#1225010 CVE-2021-47311). - commit 5533443 - NFS: avoid infinite loop in pnfs_update_layout (bsc#1219633 bsc#1226226). - commit 1b48f4e - net: macb: fix use after free on rmmod (CVE-2021-47372 bsc#1225184). - commit c9f62c2 - ocfs2: fix sparse warnings (bsc#1219224). - ocfs2: speed up chain-list searching (bsc#1219224). - ocfs2: adjust enabling place for la window (bsc#1219224). - ocfs2: improve write IO performance when fragmentation is high (bsc#1219224). - commit 124c57b - smb: client: fix potential UAF in smb2_is_network_name_deleted() (bsc#1224764, CVE-2024-35862). - commit 8a40236 - smb: client: fix potential UAF in smb2_is_valid_lease_break() (bsc#1224765, CVE-2024-35864). - commit 8030dd8 - smb: client: fix potential UAF in cifs_signal_cifsd_for_reconnect() (bsc#1224766, CVE-2024-35861). - commit d1384a0 - smb: client: fix use-after-free bug in cifs_debug_data_proc_show() (bsc#1225487, CVE-2023-52752). - commit c058f4e - blacklist.conf: bsc#1225047 CVE-2021-47328 breaks kABI and does not apply - commit 8d10b79 - blk-cgroup: fix UAF by grabbing blkcg lock before destroying blkg pd (CVE-2021-47379 bsc#1225203). - commit af72a45 - wifi: mac80211: check/clear fast rx for non-4addr sta VLAN changes (CVE-2024-35789 bsc#1224749). - commit 7707dc6 - fs/9p: only translate RWX permissions for plain 9P2000 (bsc#1225866 CVE-2024-36964). - commit c4d4f4c - pinctrl: core: delete incorrect free in pinctrl_enable() (CVE-2024-36940 bsc#1225840). - commit 6932105 - staging: rtl8192e: Fix use after free in _rtl92e_pci_disconnect() (CVE-2021-47571 bsc#1225518). - commit b52b9d0 - enetc: Fix illegal access when reading affinity_hint (CVE-2021-47368 bsc#1225161). - commit cde762c - Bluetooth: Add more enc key size check (bsc#1218148 CVE-2023-24023). - commit 529bf5d - Bluetooth: Normalize HCI_OP_READ_ENC_KEY_SIZE cmdcmplt (bsc#1218148 CVE-2023-24023). - commit 4ac624b - blacklist.conf: Add 1971d13ffa84a &quot;af_unix: Suppress false-positive lockdep splat for spin_lock() in __unix_gc().&quot; - commit 1f2871b - usb: gadget: f_fs: Fix race between aio_cancel() and AIO request complete (CVE-2024-36894 bsc#1225749). - commit 99fc30d - net: preserve kabi for sk_buff (CVE-2024-26921 bsc#1223138). - commit 62989dd - inet: inet_defrag: prevent sk release while still in use (CVE-2024-26921 bsc#1223138). - commit 599b2eb - drm/client: Fully protect modes with dev-&gt;mode_config.mutex (CVE-2024-35950 bsc#1224703). - commit f5de9d8 - smb: client: set correct id, uid and cruid for multiuser automounts (git-fixes). - commit 548a1f6 - smb: client: fix dfs link mount against w2k8 (git-fixes). - commit ffabd7c - cifs: use tcon allocation functions even for dummy tcon (bsc#1213476). - commit 8a18c8c - cifs: avoid race conditions with parallel reconnects (bsc#1213476). - commit 0156937 - cifs: check only tcon status on tcon related functions (bsc#1213476). - commit 3ee757c - cifs: return DFS root session id in DebugData (bsc#1213476). - commit 40d8689 - cifs: fix use-after-free bug in refresh_cache_worker() (bsc#1213476). - Refresh patches.suse/cifs-avoid-dup-prefix-path-in-dfs_get_automount_devname-.patch. - commit efddc92 - cifs: set DFS root session in cifs_get_smb_ses() (bsc#1213476). - commit 249b33f - cifs: reuse cifs_match_ipaddr for comparison of dstaddr too (bsc#1213476). - commit c221add - cifs: match even the scope id for ipv6 addresses (bsc#1213476). - commit 376b929 - cifs: get rid of dns resolve worker (bsc#1213476). - commit 36fdff3 - nvme-rdma: destroy cm id before destroy qp to avoid use after free (CVE-2021-47378 bsc#1225201). - commit 132f56c - net/tls: Fix flipped sign in tls_err_abort() calls (CVE-2021-47496 bsc#1225354) - commit c2b236a - net: sched: flower: protect fl_walk() with rcu (CVE-2021-47402 bsc#1225301) - commit 5275989 - Update patches.suse/0001-x86-ioremap-Map-efi_mem_reserve-memory-as-encrypted-.patch (bsc#1186885 bsc#1224826 CVE-2021-47228). - Update patches.suse/0002-bcache-avoid-oversized-read-request-in-cache-miss.patch (bsc#1187357 bsc#1185570 bsc#1184631 bsc#1224965 CVE-2021-47275). - Update patches.suse/0002-ocfs2-fix-race-between-searching-chunks-and-release-.patch (bsc#1199304 bsc#1225439 CVE-2021-47493). - Update patches.suse/0003-drm-prime-Fix-use-after-free-in-mmap-with-drm_gem_tt.patch (bsc#1152472 bsc#1222838 CVE-2021-47200). - Update patches.suse/0015-dm-btree-remove-assign-new_root-only-when-removal-su.patch (git-fixes bsc#1225155 CVE-2021-47343). - Update patches.suse/0019-dm-fix-mempool-NULL-pointer-race-when-completing-IO.patch (git-fixes bsc#1225247 CVE-2021-47435). - Update patches.suse/ACPI-fix-NULL-pointer-dereference.patch (git-fixes bsc#1224984 CVE-2021-47289). - Update patches.suse/ALSA-pcm-oss-Limit-the-period-size-to-16MB.patch (git-fixes bsc#1225409 CVE-2021-47509). - Update patches.suse/ALSA-seq-Fix-race-of-snd_seq_timer_open.patch (git-fixes bsc#1224983 CVE-2021-47281). - Update patches.suse/ALSA-usx2y-Don-t-call-free_pages_exact-with-NULL-add.patch (git-fixes bsc#1225091 CVE-2021-47332). - Update patches.suse/ASoC-SOF-Fix-DSP-oops-stack-dump-output-contents.patch (git-fixes bsc#1225206 CVE-2021-47381). - Update patches.suse/ASoC-codecs-wcd934x-handle-channel-mappping-list-cor.patch (git-fixes bsc#1225369 CVE-2021-47502). - Update patches.suse/HID-betop-fix-slab-out-of-bounds-Write-in-betop_prob.patch (git-fixes bsc#1225303 CVE-2021-47404). - Update patches.suse/HID-bigbenff-prevent-null-pointer-dereference.patch (CVE-2022-20132 bsc#1200619 bsc#1225437 CVE-2021-47522). - Update patches.suse/HID-usbhid-free-raw_report-buffers-in-usbhid_stop.patch (git-fixes bsc#1225238 CVE-2021-47405). - Update patches.suse/IB-hfi1-Fix-leak-of-rcvhdrtail_dummy_kvaddr.patch (git-fixes bsc#1225438 CVE-2021-47523). - Update patches.suse/IB-qib-Fix-memory-leak-in-qib_user_sdma_queue_pkts.patch (CVE-2021-47485 bsc#1224904 bsc#1220960 CVE-2021-47104). - Update patches.suse/KVM-PPC-Book3S-HV-Fix-stack-handling-in-idle_kvm_sta.patch (bko#206669 bsc#1174585 bsc#1192107 CVE-2021-43056 bsc#1225341 CVE-2021-47465). - Update patches.suse/KVM-mmio-Fix-use-after-free-Read-in-kvm_vm_ioctl_unr.patch (git-fixes bsc#1224923 CVE-2021-47341). - Update patches.suse/KVM-x86-Immediately-reset-the-MMU-context-when-the-S.patch (git-fixes bsc#1224853 CVE-2021-47230). - Update patches.suse/NFC-digital-fix-possible-memory-leak-in-digital_in_s.patch (git-fixes bsc#1225263 CVE-2021-47442). - Update patches.suse/NFC-digital-fix-possible-memory-leak-in-digital_tg_l.patch (git-fixes bsc#1225262 CVE-2021-47443). - Update patches.suse/NFS-Fix-use-after-free-in-nfs4_init_client.patch (git-fixes bsc#1224953 CVE-2021-47259). - Update patches.suse/RDMA-Verify-port-when-creating-flow-rule.patch (git-fixes bsc#1224957 CVE-2021-47265). - Update patches.suse/RDMA-cma-Ensure-rdma_addr_cancel-happens-before-issu.patch (git-fixes bsc#1210629 CVE-2023-2176 bsc#1225318 CVE-2021-47391). - Update patches.suse/RDMA-cma-Fix-listener-leak-in-rdma_cma_listen_on_all.patch (bsc#1181147 bsc#1225320 CVE-2021-47392). - Update patches.suse/aio-fix-use-after-free-due-to-missing-POLLFREE-handl.patch (CVE-2021-39698 bsc#1196956 bsc#1225400 CVE-2021-47505). - Update patches.suse/audit-fix-possible-null-pointer-dereference-in-audit.patch (git-fixes bsc#1225393 CVE-2021-47464). - Update patches.suse/blktrace-Fix-uaf-in-blk_trace-access-after-removing-.patch (bsc#1191452 bsc#1225193 CVE-2021-47375). - Update patches.suse/bpf-s390-Fix-potential-memory-leak-about-jit_data.patch (git-fixes bsc#1225370 CVE-2021-47426). - Update patches.suse/can-peak_pci-peak_pci_remove-fix-UAF.patch (git-fixes bsc#1225256 CVE-2021-47456). - Update patches.suse/can-sja1000-fix-use-after-free-in-ems_pcmcia_add_car.patch (git-fixes bsc#1225435 CVE-2021-47521). - Update patches.suse/cfg80211-fix-management-registrations-locking.patch (git-fixes bsc#1225450 CVE-2021-47494). - Update patches.suse/cifs-prevent-NULL-deref-in-cifs_compose_mount_options-.patch (bsc#1185902 bsc#1224961 CVE-2021-47307). - Update patches.suse/cpufreq-schedutil-Use-kobject-release-method-to-free.patch (git-fixes bsc#1225316 CVE-2021-47387). - Update patches.suse/dm-rq-don-t-queue-request-to-blk-mq-during-DM-suspen.patch (bsc#1221113 bsc#1225357 CVE-2021-47498). - Update patches.suse/dma-buf-sync_file-Don-t-leak-fences-on-merge-failure.patch (git-fixes bsc#1224968 CVE-2021-47305). - Update patches.suse/drm-Fix-use-after-free-read-in-drm_getunique.patch (git-fixes bsc#1224982 CVE-2021-47280). - Update patches.suse/drm-amd-display-Avoid-HDCP-over-read-and-corruption.patch (git-fixes bsc#1225178 CVE-2021-47348). - Update patches.suse/drm-amd-display-Fix-potential-memory-leak-in-DMUB-hw.patch (git-fixes bsc#1224886 CVE-2021-47253). - Update patches.suse/drm-amdgpu-fix-gart.bo-pin_count-leak.patch (git-fixes bsc#1225390 CVE-2021-47431). - Update patches.suse/drm-edid-In-connector_bad_edid-cap-num_of_ext-by-num.patch (git-fixes bsc#1225243 CVE-2021-47444). - Update patches.suse/drm-msm-Fix-null-pointer-dereference-on-pointer-edp.patch (git-fixes bsc#1225261 CVE-2021-47445). - Update patches.suse/drm-msm-a6xx-Allocate-enough-space-for-GMU-registers.patch (git-fixes bsc#1225446 CVE-2021-47535). - Update patches.suse/drm-nouveau-avoid-a-use-after-free-when-BO-init-fail.patch (bsc#1152472 bsc#1224816 CVE-2020-36788). - Update patches.suse/drm-nouveau-debugfs-fix-file-release-memory-leak.patch (git-fixes bsc#1225366 CVE-2021-47423). - Update patches.suse/drm-nouveau-kms-nv50-fix-file-release-memory-leak.patch (git-fixes bsc#1225233 CVE-2021-47422). - Update patches.suse/drm-radeon-fix-a-possible-null-pointer-dereference.patch (git-fixes bsc#1225230 CVE-2022-48710). - Update patches.suse/drm-sched-Avoid-data-corruptions.patch (git-fixes bsc#1225140 CVE-2021-47354). - Update patches.suse/ethtool-strset-fix-message-length-calculation.patch (bsc#1176447 bsc#1224842 CVE-2021-47241). - Update patches.suse/fbmem-Do-not-delete-the-mode-that-is-still-in-use.patch (git-fixes bsc#1224924 CVE-2021-47338). - Update patches.suse/ftrace-Do-not-blindly-read-the-ip-address-in-ftrace_bug.patch (git-fixes bsc#1224966 CVE-2021-47276). - Update patches.suse/gpio-wcd934x-Fix-shift-out-of-bounds-error.patch (git-fixes bsc#1224955 CVE-2021-47263). - Update patches.suse/hwmon-mlxreg-fan-Return-non-zero-value-when-fan-curr.patch (git-fixes bsc#1225321 CVE-2021-47393). - Update patches.suse/i2c-acpi-fix-resource-leak-in-reconfiguration-device.patch (git-fixes bsc#1225223 CVE-2021-47425). - Update patches.suse/i40e-Fix-NULL-pointer-dereference-in-i40e_dbg_dump_d.patch (git-fixes bsc#1225361 CVE-2021-47501). - Update patches.suse/i40e-Fix-freeing-of-uninitialized-misc-IRQ-vector.patch (git-fixes bsc#1225367 CVE-2021-47424). - Update patches.suse/ice-avoid-bpf_prog-refcount-underflow.patch (jsc#SLE-7926 bsc#1225500 CVE-2021-47563). - Update patches.suse/ice-fix-vsi-txq_map-sizing.patch (jsc#SLE-7926 bsc#1225499 CVE-2021-47562). - Update patches.suse/igb-Fix-use-after-free-error-during-reset.patch (git-fixes bsc#1224916 CVE-2021-47301). - Update patches.suse/igc-Fix-use-after-free-error-during-reset.patch (git-fixes bsc#1224917 CVE-2021-47302). - Update patches.suse/iio-accel-kxcjk-1013-Fix-possible-memory-leak-in-pro.patch (git-fixes bsc#1225358 CVE-2021-47499). - Update patches.suse/isdn-mISDN-Fix-sleeping-function-called-from-invalid.patch (git-fixes bsc#1225346 CVE-2021-47468). - Update patches.suse/isdn-mISDN-netjet-Fix-crash-in-nj_probe.patch (git-fixes bsc#1224987 CVE-2021-47284). - Update patches.suse/isofs-Fix-out-of-bound-access-for-corrupted-isofs-im.patch (bsc#1194591 bsc#1225198 CVE-2021-47478). - Update patches.suse/ixgbe-Fix-NULL-pointer-dereference-in-ixgbe_xdp_setu.patch (git-fixes bsc#1225328 CVE-2021-47399). - Update patches.suse/jfs-fix-GPF-in-diFree.patch (bsc#1203389 bsc#1225148 CVE-2021-47340). - Update patches.suse/mISDN-fix-possible-use-after-free-in-HFC_cleanup.patch (git-fixes bsc#1225143 CVE-2021-47356). - Update patches.suse/mac80211-fix-use-after-free-in-CCMP-GCMP-RX.patch (git-fixes bsc#1225214 CVE-2021-47388). - Update patches.suse/mac80211-hwsim-fix-late-beacon-hrtimer-handling.patch (git-fixes bsc#1225327 CVE-2021-47396). - Update patches.suse/mac80211-limit-injected-vht-mcs-nss-in-ieee80211_par.patch (git-fixes bsc#1225326 CVE-2021-47395). - Update patches.suse/media-zr364xx-fix-memory-leak-in-zr364xx_start_readp.patch (git-fixes bsc#1224922 CVE-2021-47344). - Update patches.suse/misc-alcor_pci-fix-null-ptr-deref-when-there-is-no-P.patch (git-fixes bsc#1225113 CVE-2021-47333). - Update patches.suse/misc-libmasm-module-Fix-two-use-after-free-in-ibmasm.patch (git-fixes bsc#1225112 CVE-2021-47334). - Update patches.suse/mlxsw-thermal-Fix-out-of-bounds-memory-accesses.patch (git-fixes bsc#1225224 CVE-2021-47441). - Update patches.suse/mt76-mt7915-fix-NULL-pointer-dereference-in-mt7915_g.patch (git-fixes bsc#1225386 CVE-2021-47540). - Update patches.suse/net-batman-adv-fix-error-handling.patch (git-fixes bsc#1224909 CVE-2021-47482). - Update patches.suse/net-ethernet-fix-potential-use-after-free-in-ec_bhf_.patch (git-fixes bsc#1224844 CVE-2021-47235). - Update patches.suse/net-hamradio-fix-memory-leak-in-mkiss_close.patch (CVE-2022-1195 bsc#1198029 bsc#1224830 CVE-2021-47237). - Update patches.suse/net-mlx4_en-Fix-an-use-after-free-bug-in-mlx4_en_try.patch (git-fixes bsc#1225453 CVE-2021-47541). - Update patches.suse/net-nfc-rawsock.c-fix-a-permission-check-bug.patch (git-fixes bsc#1224981 CVE-2021-47285). - Update patches.suse/net-qlogic-qlcnic-Fix-a-NULL-pointer-dereference-in-.patch (git-fixes bsc#1225455 CVE-2021-47542). - Update patches.suse/net-sched-fq_pie-prevent-dismantle-issue.patch (jsc#SLE-15172 bsc#1225424 CVE-2021-47512). - Update patches.suse/net-sched-sch_ets-don-t-peek-at-classes-beyond-nband.patch (bsc#1176774 bsc#1225468 CVE-2021-47557). - Update patches.suse/net-smc-fix-wrong-list_del-in-smc_lgr_cleanup_early (git-fixes bsc#1225447 CVE-2021-47536). - Update patches.suse/netfilter-xt_IDLETIMER-fix-panic-that-occurs-when-ti.patch (bsc#1176447 bsc#1225237 CVE-2021-47451). - Update patches.suse/nfc-fix-potential-NULL-pointer-deref-in-nfc_genl_dum.patch (git-fixes bsc#1225372 CVE-2021-47518). - Update patches.suse/nfp-Fix-memory-leak-in-nfp_cpp_area_cache_add.patch (git-fixes bsc#1225427 CVE-2021-47516). - Update patches.suse/nfs-fix-acl-memory-leak-of-posix_acl_create.patch (git-fixes bsc#1225058 CVE-2021-47320). - Update patches.suse/nfsd-Fix-nsfd-startup-race-again.patch (git-fixes bsc#1225405 CVE-2021-47507). - Update patches.suse/nfsd-fix-use-after-free-due-to-delegation-race.patch (git-fixes bsc#1225404 CVE-2021-47506). - Update patches.suse/ocfs2-fix-data-corruption-after-conversion-from-inli.patch (bsc#1190795 bsc#1225251 CVE-2021-47460). - Update patches.suse/ocfs2-mount-fails-with-buffer-overflow-in-strlen.patch (bsc#1197760 bsc#1225252 CVE-2021-47458). - Update patches.suse/phy-mdio-fix-memory-leak.patch (git-fixes bsc#1225336 CVE-2021-47416). - Update patches.suse/powerpc-64s-fix-program-check-interrupt-emergency-st.patch (bsc#1156395 bsc#1225387 CVE-2021-47428). - Update patches.suse/powerpc-mm-Fix-lockup-on-kernel-exec-fault.patch (bsc#1156395 bsc#1225181 CVE-2021-47350). - Update patches.suse/regmap-Fix-possible-double-free-in-regcache_rbtree_e.patch (git-fixes bsc#1224907 CVE-2021-47483). - Update patches.suse/rxrpc-Fix-rxrpc_local-leak-in-rxrpc_lookup_peer.patch (bsc#1154353 bnc#1151927 5.3.9 bsc#1225448 CVE-2021-47538). - Update patches.suse/s390-dasd-fix-Oops-in-dasd_alias_get_start_dev-due-to-missing-pavgroup (git-fixes bsc#1223512 CVE-2022-48636). - Update patches.suse/s390-qeth-fix-NULL-deref-in-qeth_clear_working_pool_list (git-fixes bsc#1225164 CVE-2021-47369). - Update patches.suse/s390-qeth-fix-deadlock-during-failing-recovery (git-fixes bsc#1225207 CVE-2021-47382). - Update patches.suse/sata_fsl-fix-UAF-in-sata_fsl_port_stop-when-rmmod-sa.patch (git-fixes bsc#1225508 CVE-2021-47549). - Update patches.suse/scsi-core-Fix-bad-pointer-dereference-when-ehandler-kthread-is-invalid.patch (git-fixes bsc#1224926 CVE-2021-47337). - Update patches.suse/scsi-core-Fix-error-handling-of-scsi_host_alloc.patch (git-fixes bsc#1224899 CVE-2021-47258). - Update patches.suse/scsi-core-Put-LLD-module-refcnt-after-SCSI-device-is-released.patch (git-fixes bsc#1225322 CVE-2021-47480). - Update patches.suse/scsi-core-sysfs-Fix-hang-when-device-state-is-set-via-sysfs.patch (git-fixes bsc#1222867 CVE-2021-47192). - Update patches.suse/scsi-libfc-Fix-array-index-out-of-bound-exception.patch (bsc#1188616 bsc#1224963 CVE-2021-47308). - Update patches.suse/scsi-megaraid_sas-Fix-resource-leak-in-case-of-probe-failure.patch (git-fixes bsc#1225083 CVE-2021-47329). - Update patches.suse/scsi-mpt3sas-Fix-kernel-panic-during-drive-powercycle-test (git-fixes bsc#1225384 CVE-2021-47565). - Update patches.suse/scsi-pm80xx-Do-not-call-scsi_remove_host-in-pm8001_alloc (git-fixes bsc#1225374 CVE-2021-47503). - Update patches.suse/scsi-qla2xxx-Fix-a-memory-leak-in-an-error-path-of-qla2x00_process_els (git-fixes bsc#1225192 CVE-2021-47473). - Update patches.suse/serial-core-fix-transmit-buffer-reset-and-memleak.patch (git-fixes bsc#1194288 CVE-2021-47527). - Update patches.suse/tracing-Correct-the-length-check-which-causes-memory-corruption.patch (git-fixes bsc#1224990 CVE-2021-47274). - Update patches.suse/tty-n_gsm-require-CAP_NET_ADMIN-to-attach-N_GSM0710-.patch (bsc#1222619 CVE-2023-52880). - Update patches.suse/tty-serial-8250-serial_cs-Fix-a-memory-leak-in-error.patch (git-fixes bsc#1225084 CVE-2021-47330). - Update patches.suse/udf-Fix-NULL-pointer-dereference-in-udf_symlink-func.patch (bsc#1206646 bsc#1225128 CVE-2021-47353). - Update patches.suse/usb-chipidea-ci_hdrc_imx-Also-search-for-phys-phandl.patch (git-fixes bsc#1225333 CVE-2021-47413). - Update patches.suse/usb-dwc2-check-return-value-after-calling-platform_g.patch (git-fixes bsc#1225330 CVE-2021-47409). - Update patches.suse/usb-dwc3-ep0-fix-NULL-pointer-exception.patch (git-fixes bsc#1224996 CVE-2021-47269). - Update patches.suse/usb-fix-various-gadget-panics-on-10gbps-cabling.patch (git-fixes bsc#1224993 CVE-2021-47267). - Update patches.suse/usb-fix-various-gadgets-null-ptr-deref-on-10gbps-cab.patch (git-fixes bsc#1224997 CVE-2021-47270). - Update patches.suse/usb-musb-dsps-Fix-the-probe-error-path.patch (git-fixes bsc#1225244 CVE-2021-47436). - Update patches.suse/usbnet-sanity-check-for-maxpacket.patch (git-fixes bsc#1225351 CVE-2021-47495). - Update patches.suse/watchdog-Fix-possible-use-after-free-by-calling-del_.patch (git-fixes bsc#1225060 CVE-2021-47321). - Update patches.suse/watchdog-Fix-possible-use-after-free-in-wdt_startup.patch (git-fixes bsc#1225030 CVE-2021-47324). - Update patches.suse/watchdog-sc520_wdt-Fix-possible-use-after-free-in-wd.patch (git-fixes bsc#1225026 CVE-2021-47323). - Update patches.suse/wl1251-Fix-possible-buffer-overflow-in-wl1251_cmd_sc.patch (git-fixes bsc#1225177 CVE-2021-47347). - Update patches.suse/x86-fpu-prevent-state-corruption-in-_fpu__restore_sig.patch (bsc#1178134 bsc#1224852 CVE-2021-47227). - Update patches.suse/xhci-Fix-command-ring-pointer-corruption-while-abort.patch (git-fixes bsc#1225232 CVE-2021-47434). - commit 0b290f8 - Update patches.suse/0002-bcache-avoid-oversized-read-request-in-cache-miss.patch (bsc#1184631 bsc#1224965 CVE-2021-47275). - Update patches.suse/ACPI-fix-NULL-pointer-dereference.patch (git-fixes bsc#1224984 CVE-2021-47289). - Update patches.suse/ALSA-usx2y-Don-t-call-free_pages_exact-with-NULL-add.patch (git-fixes bsc#1225091 CVE-2021-47332). - Update patches.suse/ASoC-SOF-Fix-DSP-oops-stack-dump-output-contents.patch (git-fixes bsc#1225206 CVE-2021-47381). - Update patches.suse/HID-betop-fix-slab-out-of-bounds-Write-in-betop_prob.patch (git-fixes bsc#1225303 CVE-2021-47404). - Update patches.suse/HID-bigbenff-prevent-null-pointer-dereference.patch (CVE-2022-20132 bsc#1200619 bsc#1225437 CVE-2021-47522). - Update patches.suse/HID-usbhid-free-raw_report-buffers-in-usbhid_stop.patch (git-fixes bsc#1225238 CVE-2021-47405). - Update patches.suse/IB-qib-Fix-memory-leak-in-qib_user_sdma_queue_pkts.patch (CVE-2021-47485 bsc#1224904 bsc#1220960 CVE-2021-47104). - Update patches.suse/KVM-PPC-Book3S-HV-Fix-stack-handling-in-idle_kvm_sta.patch (bko#206669 bsc#1174585 bsc#1192107 CVE-2021-43056 bsc#1225341 CVE-2021-47465). - Update patches.suse/KVM-mmio-Fix-use-after-free-Read-in-kvm_vm_ioctl_unr.patch (git-fixes bsc#1224923 CVE-2021-47341). - Update patches.suse/NFC-digital-fix-possible-memory-leak-in-digital_in_s.patch (git-fixes bsc#1225263 CVE-2021-47442). - Update patches.suse/NFC-digital-fix-possible-memory-leak-in-digital_tg_l.patch (git-fixes bsc#1225262 CVE-2021-47443). - Update patches.suse/NFS-Fix-use-after-free-in-nfs4_init_client.patch (git-fixes bsc#1224953 CVE-2021-47259). - Update patches.suse/RDMA-cma-Ensure-rdma_addr_cancel-happens-before-issu.patch (bsc#1210629 CVE-2023-2176 bsc#1225318 CVE-2021-47391). - Update patches.suse/aio-fix-use-after-free-due-to-missing-POLLFREE-handl.patch (CVE-2021-39698 bsc#1196956 bsc#1225400 CVE-2021-47505). - Update patches.suse/audit-fix-possible-null-pointer-dereference-in-audit.patch (git-fixes bsc#1225393 CVE-2021-47464). - Update patches.suse/blktrace-Fix-uaf-in-blk_trace-access-after-removing-.patch (bsc#1191452 bsc#1225193 CVE-2021-47375). - Update patches.suse/can-peak_pci-peak_pci_remove-fix-UAF.patch (git-fixes bsc#1225256 CVE-2021-47456). - Update patches.suse/cifs-prevent-NULL-deref-in-cifs_compose_mount_options-.patch (bsc#1185902 bsc#1224961 CVE-2021-47307). - Update patches.suse/dma-buf-sync_file-Don-t-leak-fences-on-merge-failure.patch (git-fixes bsc#1224968 CVE-2021-47305). - Update patches.suse/drm-Fix-use-after-free-read-in-drm_getunique.patch (git-fixes bsc#1224982 CVE-2021-47280). - Update patches.suse/drm-amdgpu-fix-gart.bo-pin_count-leak.patch (git-fixes bsc#1225390 CVE-2021-47431). - Update patches.suse/drm-msm-Fix-null-pointer-dereference-on-pointer-edp.patch (git-fixes bsc#1225261 CVE-2021-47445). - Update patches.suse/drm-nouveau-debugfs-fix-file-release-memory-leak.patch (git-fixes bsc#1225366 CVE-2021-47423). - Update patches.suse/drm-sched-Avoid-data-corruptions.patch (git-fixes bsc#1225140 CVE-2021-47354). - Update patches.suse/fbmem-Do-not-delete-the-mode-that-is-still-in-use.patch (git-fixes bsc#1224924 CVE-2021-47338). - Update patches.suse/ftrace-Do-not-blindly-read-the-ip-address-in-ftrace_bug.patch (git-fixes bsc#1224966 CVE-2021-47276). - Update patches.suse/hwmon-mlxreg-fan-Return-non-zero-value-when-fan-curr.patch (git-fixes bsc#1225321 CVE-2021-47393). - Update patches.suse/i2c-acpi-fix-resource-leak-in-reconfiguration-device.patch (git-fixes bsc#1225223 CVE-2021-47425). - Update patches.suse/i40e-Fix-freeing-of-uninitialized-misc-IRQ-vector.patch (git-fixes bsc#1225367 CVE-2021-47424). - Update patches.suse/ice-avoid-bpf_prog-refcount-underflow.patch (jsc#SLE-7926 bsc#1225500 CVE-2021-47563). - Update patches.suse/ice-fix-vsi-txq_map-sizing.patch (jsc#SLE-7926 bsc#1225499 CVE-2021-47562). - Update patches.suse/igb-Fix-use-after-free-error-during-reset.patch (git-fixes bsc#1224916 CVE-2021-47301). - Update patches.suse/igc-Fix-use-after-free-error-during-reset.patch (git-fixes bsc#1224917 CVE-2021-47302). - Update patches.suse/isdn-mISDN-Fix-sleeping-function-called-from-invalid.patch (git-fixes bsc#1225346 CVE-2021-47468). - Update patches.suse/isdn-mISDN-netjet-Fix-crash-in-nj_probe.patch (git-fixes bsc#1224987 CVE-2021-47284). - Update patches.suse/ixgbe-Fix-NULL-pointer-dereference-in-ixgbe_xdp_setu.patch (git-fixes bsc#1225328 CVE-2021-47399). - Update patches.suse/mISDN-fix-possible-use-after-free-in-HFC_cleanup.patch (git-fixes bsc#1225143 CVE-2021-47356). - Update patches.suse/mac80211-fix-use-after-free-in-CCMP-GCMP-RX.patch (git-fixes bsc#1225214 CVE-2021-47388). - Update patches.suse/mac80211-hwsim-fix-late-beacon-hrtimer-handling.patch (git-fixes bsc#1225327 CVE-2021-47396). - Update patches.suse/mac80211-limit-injected-vht-mcs-nss-in-ieee80211_par.patch (git-fixes bsc#1225326 CVE-2021-47395). - Update patches.suse/media-zr364xx-fix-memory-leak-in-zr364xx_start_readp.patch (git-fixes bsc#1224922 CVE-2021-47344). - Update patches.suse/misc-alcor_pci-fix-null-ptr-deref-when-there-is-no-P.patch (git-fixes bsc#1225113 CVE-2021-47333). - Update patches.suse/misc-libmasm-module-Fix-two-use-after-free-in-ibmasm.patch (git-fixes bsc#1225112 CVE-2021-47334). - Update patches.suse/mlxsw-thermal-Fix-out-of-bounds-memory-accesses.patch (git-fixes bsc#1225224 CVE-2021-47441). - Update patches.suse/net-batman-adv-fix-error-handling.patch (git-fixes bsc#1224909 CVE-2021-47482). - Update patches.suse/net-mlx4_en-Fix-an-use-after-free-bug-in-mlx4_en_try.patch (git-fixes bsc#1225453 CVE-2021-47541). - Update patches.suse/net-nfc-rawsock.c-fix-a-permission-check-bug.patch (git-fixes bsc#1224981 CVE-2021-47285). - Update patches.suse/net-qlogic-qlcnic-Fix-a-NULL-pointer-dereference-in-.patch (git-fixes bsc#1225455 CVE-2021-47542). - Update patches.suse/nfp-Fix-memory-leak-in-nfp_cpp_area_cache_add.patch (git-fixes bsc#1225427 CVE-2021-47516). - Update patches.suse/nfs-fix-acl-memory-leak-of-posix_acl_create.patch (git-fixes bsc#1225058 CVE-2021-47320). - Update patches.suse/ocfs2-fix-data-corruption-after-conversion-from-inli.patch (bsc#1190795 bsc#1225251 CVE-2021-47460). - Update patches.suse/phy-mdio-fix-memory-leak.patch (git-fixes bsc#1225336 CVE-2021-47416). - Update patches.suse/powerpc-mm-Fix-lockup-on-kernel-exec-fault.patch (bsc#1156395 bsc#1225181 CVE-2021-47350). - Update patches.suse/regmap-Fix-possible-double-free-in-regcache_rbtree_e.patch (git-fixes bsc#1224907 CVE-2021-47483). - Update patches.suse/rxrpc-Fix-rxrpc_local-leak-in-rxrpc_lookup_peer.patch (bsc#1154353 bnc#1151927 5.3.9 bsc#1225448 CVE-2021-47538). - Update patches.suse/s390-qeth-fix-NULL-deref-in-qeth_clear_working_pool_list (git-fixes bsc#1225164 CVE-2021-47369). - Update patches.suse/s390-qeth-fix-deadlock-during-failing-recovery (git-fixes bsc#1225207 CVE-2021-47382). - Update patches.suse/scsi-libfc-Fix-array-index-out-of-bound-exception.patch (bsc#1188616 bsc#1224963 CVE-2021-47308). - Update patches.suse/scsi-mpt3sas-Fix-kernel-panic-during-drive-powercycle-test (git-fixes bsc#1225384 CVE-2021-47565). - Update patches.suse/scsi-qla2xxx-Fix-a-memory-leak-in-an-error-path-of-qla2x00_process_els (git-fixes bsc#1225192 CVE-2021-47473). - Update patches.suse/serial-core-fix-transmit-buffer-reset-and-memleak.patch (git-fixes bsc#1194288 CVE-2021-47527). - Update patches.suse/tracing-Correct-the-length-check-which-causes-memory-corruption.patch (git-fixes bsc#1224990 CVE-2021-47274). - Update patches.suse/tty-n_gsm-require-CAP_NET_ADMIN-to-attach-N_GSM0710-.patch (bsc#1222619 CVE-2023-52880). - Update patches.suse/tty-serial-8250-serial_cs-Fix-a-memory-leak-in-error.patch (git-fixes bsc#1225084 CVE-2021-47330). - Update patches.suse/usb-dwc3-ep0-fix-NULL-pointer-exception.patch (git-fixes bsc#1224996 CVE-2021-47269). - Update patches.suse/usb-fix-various-gadget-panics-on-10gbps-cabling.patch (git-fixes bsc#1224993 CVE-2021-47267). - Update patches.suse/usb-fix-various-gadgets-null-ptr-deref-on-10gbps-cab.patch (git-fixes bsc#1224997 CVE-2021-47270). - Update patches.suse/usb-musb-dsps-Fix-the-probe-error-path.patch (git-fixes bsc#1225244 CVE-2021-47436). - Update patches.suse/usbnet-sanity-check-for-maxpacket.patch (git-fixes bsc#1225351 CVE-2021-47495). - Update patches.suse/watchdog-Fix-possible-use-after-free-by-calling-del_.patch (git-fixes bsc#1225060 CVE-2021-47321). - Update patches.suse/watchdog-Fix-possible-use-after-free-in-wdt_startup.patch (git-fixes bsc#1225030 CVE-2021-47324). - Update patches.suse/watchdog-sc520_wdt-Fix-possible-use-after-free-in-wd.patch (git-fixes bsc#1225026 CVE-2021-47323). - Update patches.suse/wl1251-Fix-possible-buffer-overflow-in-wl1251_cmd_sc.patch (git-fixes bsc#1225177 CVE-2021-47347). - Update patches.suse/xhci-Fix-command-ring-pointer-corruption-while-abort.patch (git-fixes bsc#1225232 CVE-2021-47434). - commit 37dba5a - net/smc: kABI workarounds for struct smc_link (CVE-2022-48673 bsc#1223934). - net/smc: Fix possible access to freed memory in link clear (CVE-2022-48673 bsc#1223934). - commit 0f509bf - soc: qcom: llcc: Handle a second device without data corruption (bsc#1225534 CVE-2023-52871) - commit f6adad8 - x86/xen: Drop USERGS_SYSRET64 paravirt call (git-fixes). - Refresh patches.suse/x86-entry_64-Add-VERW-just-before-userspace-transition.patch. - Refresh patches.suse/x86-xen-add-xenpv_restore_regs_and_return_to_usermode.patch. - commit fa16bf8 - cifs: fix underflow in parse_server_interfaces() (bsc#1223084, CVE-2024-26828). - commit 8a48c12 - nvmem: Fix shift-out-of-bound (UBSAN) with byte size cells (bsc#1225355 CVE-2021-47497). - commit 33cab00 - Refresh patches.suse/firmware-raspberrypi-introduce-vl805-init-routine.patch. - Refresh patches.suse/pci-brcmstb-wait-for-raspberry-pi-s-firmware-when-present.patch. - Refresh patches.suse/usb-pci-quirks-add-raspberry-pi-4-quirk.patch. - Rename to patches.suse/soc-bcm2835-add-notify-xhci-reset-property.patch. Add upstream references, sync with upstream and move to the sorted section. 3 of these patches were later reverted, but only because they were replaced by a different implementation, not because they were wrong. Add the reverts to blacklist.conf. - commit ebed050 - iio: mma8452: Fix trigger reference couting (bsc#1225360 CVE-2021-47500). - commit 8ee9c73 - efi/capsule-loader: fix incorrect allocation size (bsc#1224438 CVE-2024-27413). - commit 66f7463 - tty: Fix out-of-bound vmalloc access in imageblit (CVE-2021-47383 bsc#1225208). - commit aa2473d - ALSA: pcm: oss: Fix negative period/buffer sizes (CVE-2021-47511 bsc#1225411). - commit 094796a - Update tags in patches.suse/ext4-Fix-check-for-block-being-out-of-directory-size.patch. And move to the sorted section of series.conf. - commit dc0df73 - Refresh patches.suse/x86-cpu-amd-add-a-zenbleed-fix.patch. - Refresh patches.suse/x86-cpu-amd-move-the-errata-checking-functionality-up.patch. Move 2 upstream arch-specific patches to the sorted section. - commit d5f36cd - Input: synaptics-rmi4 - fix use after free in rmi_unregister_function() (CVE-2023-52840 bsc#1224928). - commit 3a1b2ed - IB/qib: Fix memory leak in qib_user_sdma_queue_pkts() (CVE-2021-47485 bsc#1224904) - commit 7e99b42 - af_unix: annote lockless accesses to unix_tot_inflight &amp; gc_in_progress (bsc#1223384). - Refresh patches.suse/io_uring-af_unix-defer-registered-files-gc-to-io_uri.patch. - commit 03fbb54 - IB/qib: Protect from buffer overflow in struct qib_user_sdma_pkt fields (CVE-2021-47485 bsc#1224904) - commit c9482fe - IB/mlx5: Fix initializing CQ fragments buffer (bsc#1224954 CVE-2021-47261) - commit 77cbada - Move powerpc patches to their specific section They are apparently not going upstream. - commit eea93a0 - Move upstream patches to the sorted section - commit 757eb5a - Update patches.suse/bpf-sockmap-Prevent-lock-inversion-deadlock-in-map-d.patch (bsc#1209657 CVE-2023-0160 CVE-2024-35895 bsc#1224511). - Update patches.suse/nfsd-Fix-error-cleanup-path-in-nfsd_rename.patch (bsc#1221044 CVE-2023-52591 CVE-2024-35914 bsc#1224482). - Update patches.suse/wifi-brcmfmac-Fix-use-after-free-bug-in-brcmf_cfg802.patch (CVE-2023-47233 bsc#1216702 CVE-2024-35811 bsc#1224592). - commit e0bcd81 - Update patches.suse/KVM-PPC-Fix-kvm_arch_vcpu_ioctl-vcpu_load-leak.patch (bsc#1156395 CVE-2021-47296 bsc#1224891). - Update patches.suse/NFS-Fix-a-potential-NULL-dereference-in-nfs_get_clie.patch (git-fixes CVE-2021-47260 bsc#1224834). - Update patches.suse/PCI-aardvark-Fix-kernel-panic-during-PIO-transfer.patch (git-fixes CVE-2021-47229 bsc#1224854). - Update patches.suse/batman-adv-Avoid-WARN_ON-timing-related-checks.patch (git-fixes CVE-2021-47252 bsc#1224882). - Update patches.suse/can-mcba_usb-fix-memory-leak-in-mcba_usb.patch (git-fixes CVE-2021-47231 bsc#1224849). - Update patches.suse/kvm-lapic-restore-guard-to-prevent-illegal-apic-regi.patch (bsc#1188772 CVE-2021-47255 bsc#1224832). - Update patches.suse/media-ngene-Fix-out-of-bounds-bug-in-ngene_command_c.patch (git-fixes CVE-2021-47288 bsc#1224889). - Update patches.suse/memory-fsl_ifc-fix-leak-of-IO-mapping-on-probe-failu.patch (git-fixes CVE-2021-47315 bsc#1224892). - Update patches.suse/memory-fsl_ifc-fix-leak-of-private-memory-on-probe-f.patch (git-fixes CVE-2021-47314 bsc#1224893). - Update patches.suse/net-cdc_eem-fix-tx-fixup-skb-leak.patch (git-fixes CVE-2021-47236 bsc#1224841). - Update patches.suse/net-mlx5e-Fix-page-reclaim-for-dead-peer-hairpin.patch (git-fixes CVE-2021-47246 bsc#1224831). - Update patches.suse/net-qrtr-fix-OOB-Read-in-qrtr_endpoint_post.patch (CVE-2021-3743 bsc#1189883 CVE-2021-47240 bsc#1224843). - Update patches.suse/net-usb-fix-possible-use-after-free-in-smsc75xx_bind.patch (git-fixes CVE-2021-47239 bsc#1224846). - Update patches.suse/usb-dwc3-core-fix-kernel-panic-when-do-reboot.patch (git-fixes CVE-2021-47220 bsc#1224859). - commit 5376688 - gfs2: Fix use-after-free in gfs2_glock_shrink_scan (bsc#1224888 CVE-2021-47254). - commit bf82ce3 - btrfs: do not start relocation until in progress drops are done (bsc#1222251). - commit a41ddb4 - btrfs: do not start relocation until in progress drops are done (bsc#1222251). - commit 0f3d5ec - Bluetooth: Fix use-after-free bugs caused by sco_sock_timeout (bsc#1224174 CVE-2024-27398). - commit 2d99726 - af_unix: Fix garbage collector racing against connect() (CVE-2024-26923 bsc#1223384). - af_unix: Replace BUG_ON() with WARN_ON_ONCE() (bsc#1223384). - af_unix: Do not use atomic ops for unix_sk(sk)-&gt;inflight (bsc#1223384). - commit 9a2eeaf - blacklist.conf: Fix for code not present (CVE-2024-26929) - commit 3d9e5d9 - Refresh patches.suse/NFS-don-t-store-struct-cred-in-struct-nfs_access_ent.patch. - Refresh patches.suse/qla2xxx-synchronize-rport-dev_loss_tmo-setting.patch. - Refresh patches.suse/rpadlpar_io-Add-MODULE_DESCRIPTION-entries-to-kernel.patch. Adjust headers to minimize merge conflicts. - commit 0300a69 - Refresh patches.suse/ext4-Avoid-trim-error-on-fs-with-small-groups.patch. Swap headers to avoid a conflict when merging into consumer branches. - commit 1510229 - Refresh patches.suse/wifi-brcmfmac-Fix-use-after-free-bug-in-brcmf_cfg802.patch. Update Patch-mainline tag and move to sorted section. - commit 81abd64 - Refresh patches.suse/Bluetooth-L2CAP-Fix-u8-overflow.patch. Add upstream commit ID and move to sorted section. - commit 5c72346 - Refresh patches.suse/wifi-brcmfmac-Fix-potential-buffer-overflow-in-brcmf.patch. Update Patch-mainline tag and move to sorted section. - commit 684103a - Refresh patches.suse/misc-sgi-gru-fix-use-after-free-error-in-gru_set_con.patch. Update Patch-mainline tag and move to sorted section. - commit a75fb60 - Refresh patches.suse/char-pcmcia-synclink_cs-Fix-use-after-free-in-mgslpc.patch. Driver was deleted upstream so this fix will stay out-of-tree forever. Move to the appropriate section. - commit bce6652 - Refresh patches.suse/media-dvb-core-Fix-UAF-due-to-refcount-races-at-rele.patch. Add upstream commit ID and move to sorted section. - commit 39ecedd - Refresh patches.suse/netfilter-nf_conntrack_irc-Tighten-matching-on-DCC-m.patch. Add upstream commit ID and move to sorted section. - commit 6754ecb - Refresh patches.suse/ext4-Avoid-trim-error-on-fs-with-small-groups.patch. Add upstream commit ID and move to sorted section. - commit 92fa4c5 - Refresh patches.suse/SUNRPC-auth-async-tasks-mustn-t-block-waiting-for-me.patch. - Refresh patches.suse/SUNRPC-call_alloc-async-tasks-mustn-t-block-waiting-.patch. - Refresh patches.suse/SUNRPC-improve-swap-handling-scheduling-and-PF_MEMAL.patch. - Refresh patches.suse/SUNRPC-remove-scheduling-boost-for-SWAPPER-tasks.patch. - Refresh patches.suse/SUNRPC-xprt-async-tasks-mustn-t-block-waiting-for-me.patch. Add upstream commit IDs and move to sorted section. - commit 245a308 - Refresh patches.suse/NFS-change-nfs_access_get_cached-to-only-report-the-.patch. - Refresh patches.suse/NFS-don-t-store-struct-cred-in-struct-nfs_access_ent.patch. - Refresh patches.suse/NFS-pass-cred-explicitly-for-access-tests.patch. Add upstream commit IDs and move to sorted section. - commit 8f85449 - Refresh patches.suse/qla2xxx-synchronize-rport-dev_loss_tmo-setting.patch. Add upstream commit ID and move to sorted section. - commit 0e0054f - NFC: nxp: add NXP1002 (bsc#1185589). Add upstream commit ID and subject, and move to sorted section. - commit 01c3222 - series.conf: Move block-genhd-use-atomic_t-for-disk_event-block.patch Patch was never accepted upstream and was dropped from later products as it had problematic side effects. Move it to the appropriate out-of-tree section. - commit 9199401 - PCI: rpaphp: Add MODULE_DESCRIPTION (bsc#1176869 ltc#188243). Add upstream commit ID and subject, and move to sorted section. - commit 4630de9 - Refresh patches.suse/drivers-base-memory.c-cache-blocks-in-radix-tree-to-.patch. Document why this commit will never go upstream and move it to its specific section. - commit f30bed3 - Refresh patches.suse/x86-boot-Ignore-relocations-in-.notes-sections-in-walk_rel.patch. Move to sorted section. - commit 9bdf9d5 - blacklist.conf: add fix for code not present (CVE-2024-26930) - commit 19f6175 - Update patches.suse/netfilter-nf_tables-mark-set-as-dead-when-unbinding-.patch (git-fixes CVE-2024-26643 bsc#1221829). - Update patches.suse/netfilter-nf_tables-release-mutex-after-nft_gc_seq_e.patch (git-fixes CVE-2024-26925 bsc#1223390). - Update patches.suse/netfilter-nft_set_rbtree-skip-end-interval-element-f.patch (git-fixes CVE-2024-26581 bsc#1220144). - commit 5b5ef95 - Update patches.suse/io_uring-af_unix-disable-sending-io_uring-over-socke.patch (bsc#1220754 CVE-2023-6531 CVE-2023-52654 bsc#1224099). - Update patches.suse/netfilter-nf_tables-fix-memleak-when-more-than-255-e.patch (git-fixes CVE-2023-52581 bsc#1220877). - Update patches.suse/netfilter-nft_set_rbtree-skip-sync-GC-for-new-elemen.patch (git-fixes CVE-2023-52433 bsc#1220137). - commit ab7595e - blacklist.conf: Add 9474c62ab65f net/sched: Add module alias for sch_fq_pie - commit 0f0d88e - usb: aqc111: check packet for fixup for true limit (bsc#1217169 CVE-2023-52655). - commit 1678228 - Update patches.suse/drm-radeon-add-a-force-flush-to-delay-work-when-rade.patch (git-fixes CVE-2022-48704 bsc#1223932). - commit d602686 - netfilter: nf_tables: release mutex after nft_gc_seq_end from abort path (git-fixes). - commit 453d60a - netfilter: nf_tables: mark set as dead when unbinding anonymous set with timeout (git-fixes). - commit a3b6f2c - netfilter: nft_set_rbtree: skip end interval element from gc (git-fixes). - commit f941d80 - netfilter: nf_tables: skip dead set elements in netlink dump (git-fixes). - commit 11672cf - netfilter: nf_tables: mark newset as dead on transaction abort (git-fixes). - commit deeefa0 - blacklist.conf: update blacklist - commit d111502 - blacklist.conf: update blacklist - commit c053707 - netfilter: nf_tables: nft_set_rbtree: fix spurious insertion failure (git-fixes). - commit 787a388 - Refresh patches.kabi/netfilter-preserve-nf_tables-kabi.patch. - commit f69dce7 - netfilter: nf_tables: fix memleak when more than 255 elements expired (git-fixes). - commit 55db444 - blacklist.conf: update blacklist - commit 3075338 - netfilter: nft_set_hash: try later when GC hits EAGAIN on iteration (git-fixes). - commit bc13e9b - netfilter: nft_set_rbtree: use read spinlock to avoid datapath contention (git-fixes). - commit 9ed8e71 - netfilter: nft_set_rbtree: skip sync GC for new elements in this transaction (git-fixes). - commit 0d564a0 - netfilter: nf_tables: defer gc run if previous batch is still pending (git-fixes). - commit 1cb21d0 - netfilter: nf_tables: use correct lock to protect gc_list (git-fixes). - commit f315c4c - netfilter: nf_tables: GC transaction race with abort path (git-fixes). - commit ce0642f - netfilter: nf_tables: GC transaction race with netns dismantle (git-fixes). - commit d9e442c - blacklist.conf: update blacklist - commit 51055c8 - netfilter: nf_tables: fix GC transaction races with netns and netlink event exit path (git-fixes). - commit eacca32 - netfilter: nf_tables: fix kdoc warnings after gc rework (git-fixes). - commit f86c22d - Update patches.suse/scsi-mpt3sas-Fix-use-after-free-warning.patch (git-fixes CVE-2022-48695 bsc#1223941). - commit 033821b - Update patches.suse/ALSA-emu10k1-Fix-out-of-bounds-access-in-snd_emu10k1.patch (git-fixes CVE-2022-48702 bsc#1223923). - commit c521d4a - Update patches.suse/of-fdt-fix-off-by-one-error-in-unflatten_dt_nodes.patch (git-fixes CVE-2022-48672 bsc#1223931). - commit e3fefd5 - cachefiles: fix memory leak in cachefiles_add_cache() (bsc#1222976 CVE-2024-26840). - commit aa1fa99 - netfilter: nf_tables: adapt set backend to use GC transaction API (bsc#1215420 CVE-2023-4244). - commit 2a5fb01 - btrfs: abort in rename_exchange if we fail to insert the second ref (CVE-2021-47113 bsc#1221543) Refresh patches.suse/btrfs-prevent-rename2-from-exchanging-a-subvol-with-a-directory-from-different-parents.patch - commit cc57e15 - Update patches.suse/net-sched-act_mirred-don-t-override-retval-if-we-alr.patch references (CVE-2024-26739 bsc#1222559, drop incorrect references). - commit 8b3f599 - net/tls: Remove the context from the list in tls_device_down (bsc#1221545). - commit aca4b2e - blacklist.conf: add 94ce3b64c62d Blacklist commit 94ce3b64c62d (&quot;net/tls: Use RCU API to access tls_ctx-&gt;netdev&quot;). This is a follow-up to c55dcdd435aa which addresses an issue which is rather theoretical and the backport would be quite intrusive. - commit 64bbcaf - tls: Fix context leak on tls_device_down (bsc#1221545). - commit 23bab3f - Update patches.suse/nvme-tcp-fix-uaf-when-detecting-digest-errors.patch (bsc#1200313 bsc#1201489 CVE-2022-48686 bsc#1223948). - commit 5e5f9fe - Update patches.suse/ALSA-usb-audio-Fix-an-out-of-bounds-bug-in-__snd_usb.patch (git-fixes CVE-2022-48701 bsc#1223921). - commit 5de225e - Update patches.suse/soc-brcmstb-pm-arm-Fix-refcount-leak-and-__iomem-lea.patch (git-fixes CVE-2022-48693 bsc#1223963). - commit 0e4cd62 - kabi: hide new member of struct tls_context (CVE-2021-47131 bsc#1221545). - net/tls: Fix use-after-free after the TLS device goes down and up (CVE-2021-47131 bsc#1221545). - commit c19ff47 - Update patches.suse/ipv6-sr-fix-out-of-bounds-read-when-setting-HMAC-dat.patch (bsc#1211592 CVE-2023-2860 CVE-2022-48687 bsc#1223952). - commit 94a1c44 - net/ipv6: avoid possible UAF in ip6_route_mpath_notify() (CVE-2024-26852 bsc#1223057). - commit f51e744 - openvswitch: fix stack OOB read while fragmenting IPv4 packets (CVE-2021-46955 bsc#1220513). - commit 37faff4 - packet: annotate data-races around ignore_outgoing (CVE-2024-26862 bsc#1223111). - commit 9b14c5d - sctp: fix potential deadlock on &amp;net-&gt;sctp.addr_wq_lock (CVE-2024-0639 bsc#1218917). - commit c0f421c - netfilter: preserve nf_tables kabi (bsc#1215420 CVE-2023-424). - commit e6ab556 - media: edia: dvbdev: fix a use-after-free (CVE-2024-27043 bsc#1223824). - commit 1c01fe0 - ext4: fix bug in extents parsing when eh_entries == 0 and eh_depth &gt; 0 (bsc#1223475 CVE-2022-48631). - commit 911e181 - md/raid5: fix atomicity violation in raid5_cache_count (bsc#1219169, CVE-2024-23307). - commit b804891 - Update patches.suse/cgroup-cgroup_get_from_id-must-check-the-looked-up-kn-is-a-directory.patch (bsc#1203906 CVE-2022-48638 bsc#1223522). - commit 3bd7c2d - netfilter: nf_tables: GC transaction API to avoid race with control plane (bsc#1215420 CVE-2023-4244). - commit 361e5a0 - netfilter: nf_tables: don't skip expired elements during walk (bsc#1215420 CVE-2023-4244). - commit 47ee234 - Update patches.suse/scsi-qla2xxx-Fix-memory-leak-in-__qlt_24xx_handle_ab.patch (bsc#1203935 CVE-2022-48650 bsc#1223509). - commit c5c2590 - Update patches.suse/netfilter-nfnetlink_osf-fix-possible-bogus-match-in-.patch (bsc#1204614 CVE-2022-48654 bsc#1223482). - commit 1221e0a - netfilter: nft_set_rbtree: fix overlap expiration walk (git-fixes). - commit 90d7112 - netfilter: nft_set_rbtree: fix null deref on element insertion (git-fixes). - commit f25e27c - netfilter: nft_set_rbtree: skip elements in transaction from garbage collection (git-fixes). - commit 845bbc6 - netfilter: nft_set_rbtree: Switch to node list walk for overlap detection (git-fixes). - commit bd48625 - netfilter: nft_set_rbtree: overlap detection with element re-addition after deletion (git-fixes). - commit d362ed4 - netfilter: nft_set_rbtree: Detect partial overlap with start endpoint match (git-fixes). - commit 4970ce9 - netfilter: nft_set_rbtree: Handle outcomes of tree rotations in overlap detection (git-fixes). - commit bc0387c - netfilter: nft_set_rbtree: Don't account for expired elements on insertion (git-fixes). - commit c90c848 - netfilter: nft_set_rbtree: Add missing expired checks (git-fixes). - commit 0d65e63 - netfilter: nft_set_rbtree: Drop spurious condition for overlap detection on insertion (git-fixes). - commit a64c352 - netfilter: nft_set_rbtree: Detect partial overlaps on insertion (git-fixes). - commit 39167a3 - netfilter: nft_set_rbtree: Introduce and use nft_rbtree_interval_start() (git-fixes). - commit 9b991e8 - netfilter: nft_set_rbtree: bogus lookup/get on consecutive elements in named sets (git-fixes). - commit 1a2cbfc - ipvlan: Fix out-of-bound bugs caused by unset skb-&gt;mac_header (bsc#1223513 CVE-2022-48651). - commit 0325bf2 - x86/mm: Disallow vsyscall page read for copy_from_kernel_nofault() (bsc#1223202 CVE-2024-26906). - commit 4dcafb9 - x86/mm: Move is_vsyscall_vaddr() into asm/vsyscall.h (bsc#1223202 CVE-2024-26906). - commit 4e61cac - x86/boot: Ignore relocations in .notes sections in walk_relocs() too (bsc#1222624 CVE-2024-26816). - commit 8d2e301 - x86, relocs: Ignore relocations in .notes section (bsc#1222624 CVE-2024-26816). - commit b1ed209 - Update patches.suse/0001-fs-hugetlb-fix-NULL-pointer-dereference-in-hugetlbs_.patch (bsc#1219264 CVE-2024-0841 CVE-2024-26688 bsc#1222482). - Update patches.suse/Bluetooth-rfcomm-Fix-null-ptr-deref-in-rfcomm_check_.patch (bsc#1219170 CVE-2024-22099 CVE-2024-26903 bsc#1223187). - Update patches.suse/net-sched-act_mirred-don-t-override-retval-if-we-alr.patch (CVE-2024-26733 bsc#1222585 CVE-2024-26739 bsc#1222559). - commit edcb3fa - Update patches.suse/ALSA-gus-fix-null-pointer-dereference-on-pointer-blo.patch (git-fixes CVE-2021-47207 bsc#1222790). - Update patches.suse/cfg80211-call-cfg80211_stop_ap-when-switch-from-P2P_.patch (git-fixes CVE-2021-47194 bsc#1222829). - Update patches.suse/i40e-Fix-NULL-ptr-dereference-on-VSI-filter-sync.patch (git-fixes CVE-2021-47184 bsc#1222666). - Update patches.suse/iavf-free-q_vectors-before-queues-in-iavf_disable_vf.patch (git-fixes CVE-2021-47201 bsc#1222792). - Update patches.suse/net-mlx5-Update-error-handler-for-UCTX-and-UMEM.patch (git-fixes CVE-2021-47212 bsc#1222709). - Update patches.suse/scsi-lpfc-Fix-list_add-corruption-in-lpfc_drain_txq.patch (bsc#1190576 CVE-2021-47203 bsc#1222881). - Update patches.suse/scsi-lpfc-Fix-use-after-free-in-lpfc_unreg_rpi-routi.patch (bsc#1192145 CVE-2021-47198 bsc#1222883). - Update patches.suse/tty-tty_buffer-Fix-the-softlockup-issue-in-flush_to_.patch (git-fixes CVE-2021-47185 bsc#1222669). - Update patches.suse/usb-host-ohci-tmio-check-return-value-after-calling-.patch (git-fixes CVE-2021-47206 bsc#1222894). - commit 8d3f18a - Update patches.suse/aoe-fix-the-potential-use-after-free-problem-in-aoec.patch (bsc#1218562 CVE-2023-6270 CVE-2024-26898 bsc#1223016). - commit 8d6a724 - Update patches.suse/scsi-advansys-Fix-kernel-pointer-leak.patch (git-fixes CVE-2021-47216 bsc#1222876). - commit 1856476 - wifi: iwlwifi: fix a memory corruption (CVE-2024-26610 bsc#1221299). - commit cceba2c - Update patches.suse/arp-Prevent-overflow-in-arp_req_get.patch - fix build warning - commit d969104 - ceph: prevent use-after-free in encode_cap_msg() (CVE-2024-26689 bsc#1222503). - commit c431df1 - Update patches.suse/thermal-Fix-NULL-pointer-dereferences-in-of_thermal_.patch (git-fixes CVE-2021-47202 bsc#1222878) - commit 94c254a - nvme-tcp: can't set sk_user_data without write_lock (CVE-2021-47041 bsc#1220755). - commit c3bc01a - nvme-loop: fix memory leak in nvme_loop_create_ctrl() (CVE-2021-47074 bsc#1220854). - nvme-loop: don't put ctrl on nvme_init_ctrl error (CVE-2021-47074 bsc#1220854). - commit 8101361 - nvmet-tcp: fix incorrect locking in state_change sk callback (CVE-2021-47041 bsc#1220755). - commit ee0c72d - RDMA/srpt: Support specifying the srpt_service_guid parameter (bsc#1222449 CVE-2024-26744) - commit 12241af - Refresh patches.suse/bpf-sockmap-Prevent-lock-inversion-deadlock-in-map-d.patch. - commit ea3cbb2 - Update patches.suse/bpf-Fix-integer-overflow-involving-bucket_size.patch Fix CVE refence format. - commit 86e8797 - Update patches.suse/btrfs-fix-memory-ordering-between-normal-and-ordered-work-functions.patch (git-fixes CVE-2021-47189 bsc#1222706). - commit ed3e4bc - Update patches.suse/tty-tty_buffer-Fix-the-softlockup-issue-in-flush_to_.patch (git-fixes CVE-2021-47185). - commit 972d0f6 - Update patches.suse/scsi-lpfc-Fix-link-down-processing-to-address-NULL-p.patch (bsc#1192145 CVE-2021-47183 bsc#1222664). - commit add99e0 - Update patches.suse/usb-musb-tusb6010-check-return-value-after-calling-p.patch (git-fixes CVE-2021-47181 bsc#1222660). - commit 87eb148 - tty: n_gsm: require CAP_NET_ADMIN to attach N_GSM0710 ldisc (bsc#1222619). - commit 7db5139 - arp: Prevent overflow in arp_req_get() (CVE-2024-26733 bsc#1222585). - commit 0a4c958 - net/sched: act_mirred: don't override retval if we already lost the skb (CVE-2024-26733 bsc#1222585). - commit cc1339b - ext4: fix double-free of blocks due to wrong extents moved_len (bsc#1222422 CVE-2024-26704). - commit d1a6e8f - fs,hugetlb: fix NULL pointer dereference in hugetlbs_fill_super (bsc#1219264). - commit bc51f7b - nfsd: Fix error cleanup path in nfsd_rename() (bsc#1221044 CVE-2023-52591). - commit 24c2d2e - Update patches.suse/nvme-fc-Prevent-null-pointer-dereference-in-nvme_fc_.patch (bsc#1214842 CVE-2023-52508 bsc#1221015). - Update patches.suse/x86-srso-fix-sbpb-enablement-for-spec_rstack_overflow-off.patch (git-fixes CVE-2023-52575 bsc#1220871). - commit 61a8300 - Update patches.suse/Bluetooth-avoid-deadlock-between-hci_dev-lock-and-so.patch (git-fixes CVE-2021-47038 bsc#1220753). - Update patches.suse/Input-elantech-fix-stack-out-of-bound-access-in-elan.patch (git-fixes CVE-2021-47097 bsc#1220982). - Update patches.suse/KEYS-trusted-Fix-TPM-reservation-for-seal-unseal.patch (git-fixes CVE-2021-46922 bsc#1220475). - Update patches.suse/KEYS-trusted-Fix-memory-leak-on-object-td.patch (git-fixes CVE-2021-47009 bsc#1220733). - Update patches.suse/RDMA-rtrs-clt-destroy-sysfs-after-removing-session-f.patch (jsc#SLE-15176 CVE-2021-47026 bsc#1220685). - Update patches.suse/asix-fix-uninit-value-in-asix_mdio_read.patch (git-fixes CVE-2021-47101 bsc#1220987). - Update patches.suse/ath10k-Fix-a-use-after-free-in-ath10k_htc_send_bundl.patch (git-fixes CVE-2021-47017 bsc#1220678). - Update patches.suse/ch_ktls-Fix-kernel-panic.patch (jsc#SLE-15131 CVE-2021-46911 bsc#1220400). - Update patches.suse/dmaengine-idxd-Fix-clobbering-of-SWERR-overflow-bit-.patch (git-fixes CVE-2021-46920 bsc#1220426). - Update patches.suse/dmaengine-idxd-Fix-potential-null-dereference-on-poi.patch (git-fixes CVE-2021-47003 bsc#1220677). - Update patches.suse/dmaengine-idxd-clear-MSIX-permission-entry-on-shutdo.patch (git-fixes CVE-2021-46918 bsc#1220429). - Update patches.suse/dmaengine-idxd-fix-wq-cleanup-of-WQCFG-registers.patch (git-fixes CVE-2021-46917 bsc#1220432). - Update patches.suse/dmaengine-idxd-fix-wq-size-store-permission-state.patch (git-fixes CVE-2021-46919 bsc#1220414). - Update patches.suse/drm-amd-display-Fix-off-by-one-in-hdmi_14_process_tr.patch (git-fixes CVE-2021-47046 bsc#1220758). - Update patches.suse/drm-i915-Fix-crash-in-auto_retire.patch (git-fixes CVE-2021-46976 bsc#1220621). - Update patches.suse/iommu-vt-d-remove-wo-permissions-on-second-level-paging-entries (bsc#1187346 CVE-2021-47035 bsc#1220688). - Update patches.suse/ipmi-Fix-UAF-when-uninstall-ipmi_si-and-ipmi_msghand.patch (git-fixes CVE-2021-47100 bsc#1220985). - Update patches.suse/ipmi-ssif-initialize-ssif_info-client-early.patch (git-fixes CVE-2021-47095 bsc#1220979). - Update patches.suse/ixgbe-fix-unbalanced-device-enable-disable-in-suspen.patch (jsc#SLE-13706 CVE-2021-46914 bsc#1220465). - Update patches.suse/net-dsa-mt7530-fix-VLAN-traffic-leaks.patch (git-fixes CVE-2021-47160 bsc#1221974). - Update patches.suse/net-fec-fix-the-potential-memory-leak-in-fec_enet_in.patch (git-fixes CVE-2021-47150 bsc#1221973). - Update patches.suse/net-lantiq-fix-memory-corruption-in-RX-ring.patch (git-fixes CVE-2021-47137 bsc#1221932). - Update patches.suse/net-mlx5e-Fix-null-deref-accessing-lag-dev.patch (jsc#SLE-15172 CVE-2021-47164 bsc#1221978). - Update patches.suse/net-mlx5e-Wrap-the-tx-reporter-dump-callback-to-extr.patch (jsc#SLE-15172 CVE-2021-46931 bsc#1220486). - Update patches.suse/net-sched-act_ct-fix-wild-memory-access-when-clearin.patch (bsc#1176447 CVE-2021-47014 bsc#1220630). - Update patches.suse/net-sched-fq_pie-fix-OOB-access-in-the-traffic-path.patch (jsc#SLE-15172 CVE-2021-47175 bsc#1222003). - Update patches.suse/netfilter-nft_set_pipapo_avx2-Add-irq_fpu_usable-che.patch (bsc#1176447 CVE-2021-47174 bsc#1221990). - Update patches.suse/nvmet-fix-freeing-unallocated-p2pmem.patch (git-fixes CVE-2021-47130 bsc#1221552). - Update patches.suse/nvmet-rdma-Fix-NULL-deref-when-SEND-is-completed-wit.patch (git-fixes CVE-2021-46983 bsc#1220639). - Update patches.suse/s390-dasd-add-missing-discipline-function (bsc#1188130 ltc#193581 CVE-2021-47176 bsc331221996 bsc#1221996). - Update patches.suse/s390-zcrypt-fix-zcard-and-zqueue-hot-unplug-memleak (git-fixes CVE-2021-46968 bsc#1220689). - Update patches.suse/sched-fair-Fix-shift-out-of-bounds-in-load_balance.patch (git fixes (sched) CVE-2021-47044 bsc#1220759). - Update patches.suse/spi-Fix-use-after-free-with-devm_spi_alloc_.patch (git-fixes CVE-2021-46959 bsc#1220734). - Update patches.suse/tee-optee-Fix-incorrect-page-free-bug.patch (git-fixes CVE-2021-47087 bsc#1220954). - Update patches.suse/usb-gadget-f_fs-Clear-ffs_eventfd-in-ffs_data_clear.patch (git-fixes CVE-2021-46933 bsc#1220487). - Update patches.suse/usb-typec-ucsi-Retrieve-all-the-PDOs-instead-of-just.patch (git-fixes CVE-2021-46980 bsc#1220663). - Update patches.suse/virtiofs-fix-memory-leak-in-virtio_fs_probe.patch (bsc#1185558 CVE-2021-46956 bsc#1220516). - Update patches.suse/xprtrdma-Fix-cwnd-update-ordering.patch (git-fixes CVE-2021-47001 bsc#1220670). - commit d6fc0df - Update patches.suse/i2c-imx-fix-reference-leak-when-pm_runtime_get_sync-.patch (git-fixes CVE-2020-36781 bsc#1220557). - commit c903cb8 - Update patches.suse/netfilter-nftables-exthdr-fix-4-byte-stack-OOB-write.patch (CVE-2023-4881 bsc#1215221 CVE-2023-52628 bsc#1222117). - Update patches.suse/scsi-pm80xx-Avoid-leaking-tags-when-processing-OPC_INB_SET_CONTROLLER_CONFIG-command.patch (bsc#1220883 CVE-2023-52500). - commit 81ec1ab - scsi: pm80xx: Avoid leaking tags when processing OPC_INB_SET_CONTROLLER_CONFIG command (bsc#1220883 cve-2023-52500). - commit a52992b - Fixup NULL ptr dereference due to mistake in backporting in patches.suse/ext2-Avoid-reading-renamed-directory-if-parent-does-.patch. - commit f07130b - bpf, sockmap: Prevent lock inversion deadlock in map delete elem (bsc#1209657 CVE-2023-0160). - commit 299921b - blacklist.conf: omit reverted sockmap deadlock fix - commit 66facc4 - netfilter: nf_tables: disallow anonymous set with timeout flag (CVE-2024-26642 bsc#1221830). - commit ca89796 - netfilter: ctnetlink: fix possible refcount leak in ctnetlink_create_conntrack() (CVE-2023-7192 bsc#1218479). - commit c40a2c4 - README.BRANCH: Remove copy of branch name - commit 27396e8 - README.BRANCH: Remove copy of branch name - commit 757f48f - Update patches.suse/net-zero-initialize-tc-skb-extension-on-allocation.patch (bsc#1176447 CVE-2021-47136 bsc#1221931). - commit adea53b - ipv6: init the accept_queue's spinlocks in inet6_create (bsc#1221293 CVE-2024-26614). - commit 0cf80b2 - tcp: make sure init the accept_queue's spinlocks once (bsc#1221293 CVE-2024-26614). - commit d27abbc - userfaultfd: release page in error path to avoid BUG_ON (CVE-2021-46988 bsc#1220706). - commit 37b27a1 - powerpc/mm: Fix null-pointer dereference in pgtable_cache_add (CVE-2023-52607 bsc#1221061). - commit 37ce65f - perf/core: Fix unconditional security_locked_down() call (bsc#1220697, CVE-2021-46971). - commit b2c4fe7 - Update patches.suse/cifs-Fix-UAF-in-cifs_demultiplex_thread-.patch (bsc#1208995 CVE-2023-1192 CVE-2023-52572 bsc#1220946). - Update patches.suse/nvmet-tcp-Fix-a-kernel-panic-when-host-sends-an-inva.patch (bsc#1217987 bsc#1217988 bsc#1217989 CVE-2023-6535 CVE-2023-6536 CVE-2023-6356 CVE-2023-52454 bsc#1220320). - Update patches.suse/ocfs2-Avoid-touching-renamed-directory-if-parent-doe.patch (bsc#1221044 CVE-2023-52591 CVE-2023-52590 bsc#1221088). - Update patches.suse/ravb-Fix-use-after-free-issue-in-ravb_tx_timeout_wor.patch (bsc#1212514 CVE-2023-35827 CVE-2023-52509 bsc#1220836). - Update patches.suse/usb-hub-Guard-against-accesses-to-uninitialized-BOS-.patch (git-fixes CVE-2023-52477 bsc#1220790). - commit 807fa36 - Update patches.suse/0001-mmc-moxart_remove-Fix-UAF.patch (bsc#1194516 CVE-2022-0487 CVE-2022-48626 bsc#1220366). - commit 32e1ae4 - Update patches.suse/0005-dm-rq-fix-double-free-of-blk_mq_tag_set-in-dev-remov.patch (git-fixes CVE-2021-46938 bsc#1220554). - Update patches.suse/0005-drm-bridge-panel-Cleanup-connector-on-bridge-detach.patch (bsc#1152489 CVE-2021-47063 bsc#1220777). - Update patches.suse/0006-nbd-Fix-NULL-pointer-in-flush_workqueue.patch (git-fixes CVE-2021-46981 bsc#1220611). - Update patches.suse/ARM-9064-1-hw_breakpoint-Do-not-directly-check-the-event-s-overflow_handler-hook.patch (git-fixes CVE-2021-47006 bsc#1220751). - Update patches.suse/ARM-footbridge-fix-PCI-interrupt-mapping.patch (git-fixes CVE-2021-46909 bsc#1220442). - Update patches.suse/HID-magicmouse-fix-NULL-deref-on-disconnect.patch (git-fixes CVE-2021-47120 bsc#1221606). - Update patches.suse/KVM-Destroy-I-O-bus-devices-on-unregister-failure-_a.patch (bsc#git-fixes CVE-2021-47061 bsc#1220745). - Update patches.suse/NFC-nci-fix-memory-leak-in-nci_allocate_device.patch (git-fixes CVE-2021-47180 bsc#1221999). - Update patches.suse/NFS-Don-t-corrupt-the-value-of-pg_bytes_written-in-n.patch (git-fixes CVE-2021-47166 bsc#1221998). - Update patches.suse/NFS-Fix-an-Oopsable-condition-in-__nfs_pageio_add_re.patch (git-fixes CVE-2021-47167 bsc#1221991). - Update patches.suse/NFS-fix-an-incorrect-limit-in-filelayout_decode_layo.patch (git-fixes CVE-2021-47168 bsc#1222002). - Update patches.suse/NFSv4-Fix-a-NULL-pointer-dereference-in-pnfs_mark_ma.patch (git-fixes CVE-2021-47179 bsc#1222001). - Update patches.suse/USB-usbfs-Don-t-WARN-about-excessively-large-memory-.patch (git-fixes CVE-2021-47170 bsc#1222004). - Update patches.suse/bnxt_en-Fix-RX-consumer-index-logic-in-the-error-pat.patch (git-fixes CVE-2021-47015 bsc#1220794). - Update patches.suse/btrfs-fix-race-between-transaction-aborts-and-fsyncs.patch (bsc#1186441 CVE-2021-46958 bsc#1220521). - Update patches.suse/ceph-fix-inode-leak-on-getattr-error-in-_fh_to_dentry.patch (bsc#1186501 CVE-2021-47000 bsc#1220669). - Update patches.suse/cifs-Return-correct-error-code-from-smb2_get_enc_key.patch (git-fixes CVE-2021-46960 bsc#1220528). - Update patches.suse/crypto-qat-ADF_STATUS_PF_RUNNING-should-be-set-after.patch (git-fixes CVE-2021-47056 bsc#1220769). - Update patches.suse/cxgb4-avoid-accessing-registers-when-clearing-filter.patch (git-fixes CVE-2021-47138 bsc#1221934). - Update patches.suse/drm-amd-amdgpu-fix-refcount-leak.patch (git-fixes CVE-2021-47144 bsc#1221989). - Update patches.suse/drm-amdgpu-Fix-a-use-after-free.patch (git-fixes CVE-2021-47142 bsc#1221952). - Update patches.suse/drm-meson-fix-shutdown-crash-when-component-not-prob.patch (git-fixes CVE-2021-47165 bsc#1221965). - Update patches.suse/ethernet-enic-Fix-a-use-after-free-bug-in-enic_hard_.patch (git-fixes CVE-2021-46998 bsc#1220625). - Update patches.suse/ext4-fix-bug-on-in-ext4_es_cache_extent-as-ext4_spli.patch (bsc#1187408 CVE-2021-47117 bsc#1221575). - Update patches.suse/ext4-fix-memory-leak-in-ext4_fill_super.patch (bsc#1187409 CVE-2021-47119 bsc#1221608). - Update patches.suse/gve-Add-NULL-pointer-checks-when-freeing-irqs.patch (git-fixes CVE-2021-47141 bsc#1221949). - Update patches.suse/i2c-i801-Don-t-generate-an-interrupt-on-bus-reset.patch (git-fixes CVE-2021-47153 bsc#1221969). - Update patches.suse/i40e-Fix-use-after-free-in-i40e_client_subtask.patch (git-fixes CVE-2021-46991 bsc#1220575). - Update patches.suse/iio-adc-ad7124-Fix-potential-overflow-due-to-non-seq.patch (git-fixes CVE-2021-47172 bsc#1221992). - Update patches.suse/iommu-vt-d-fix-sysfs-leak-in-alloc_iommu (bsc#1189218 CVE-2021-47177 bsc#1221997). - Update patches.suse/ipc-mqueue-msg-sem-Avoid-relying-on-a-stack-reference.patch (bsc#1185988 bsc1220826 CVE-2021-47069 bsc#1220826). - Update patches.suse/kyber-fix-out-of-bounds-access-when-preempted.patch (bsc#1187403 CVE-2021-46984 bsc#1220631). - Update patches.suse/locking-qrwlock-Fix-ordering-in-queued_write_lock_sl.patch (bsc#1185041 CVE-2021-46921 bsc#1220468). - Update patches.suse/md-raid1-properly-indicate-failure-when-ending-a-fai.patch (bsc#1185680 CVE-2021-46950 bsc#1220662). - Update patches.suse/media-staging-intel-ipu3-Fix-memory-leak-in-imu_fmt.patch (git-fixes CVE-2021-46944 bsc#1220566). - Update patches.suse/media-staging-intel-ipu3-Fix-set_fmt-error-handling.patch (git-fixes CVE-2021-46943 bsc#1220583). - Update patches.suse/misc-uss720-fix-memory-leak-in-uss720_probe.patch (git-fixes CVE-2021-47173 bsc#1221993). - Update patches.suse/mmc-uniphier-sd-Fix-a-resource-leak-in-the-remove-fu.patch (git-fixes CVE-2021-46962 bsc#1220532). - Update patches.suse/msft-hv-2305-Drivers-hv-vmbus-Use-after-free-in-__vmbus_open.patch (git-fixes CVE-2021-47049 bsc#1220692). - Update patches.suse/msft-hv-2316-uio_hv_generic-Fix-a-memory-leak-in-error-handling-p.patch (git-fixes CVE-2021-47071 bsc#1220846). - Update patches.suse/msft-hv-2317-uio_hv_generic-Fix-another-memory-leak-in-error-hand.patch (git-fixes CVE-2021-47070 bsc#1220829). - Update patches.suse/mtd-require-write-permissions-for-locking-and-badblo.patch (git-fixes CVE-2021-47055 bsc#1220768). - Update patches.suse/net-hns3-put-off-calling-register_netdev-until-clien.patch (bsc#1154353 CVE-2021-47139 bsc#1221935). - Update patches.suse/net-nfc-fix-use-after-free-llcp_sock_bind-connect.patch (CVE-2021-23134 bsc#1186060 CVE-2021-47068 bsc#1220739). - Update patches.suse/net-usb-fix-memory-leak-in-smsc75xx_bind.patch (git-fixes CVE-2021-47171 bsc#1221994). - Update patches.suse/netfilter-nftables-avoid-overflows-in-nft_hash_bucke.patch (CVE-2021-47013 bsc#1220641 CVE-2021-46992 bsc#1220638). - Update patches.suse/ocfs2-fix-data-corruption-by-fallocate.patch (bsc#1187412 CVE-2021-47114 bsc#1221548). - Update patches.suse/pid-take-a-reference-when-initializing-cad_pid.patch (bsc#1152489 CVE-2021-47118 bsc#1221605). - Update patches.suse/platform-x86-dell-smbios-wmi-Fix-oops-on-rmmod-dell_.patch (git-fixes CVE-2021-47073 bsc#1220850). - Update patches.suse/powerpc-64s-Fix-crashes-when-toggling-entry-flush-ba.patch (bsc#1177666 git-fixes bsc#1186460 ltc#192531 CVE-2021-46990 bsc#1220743). - Update patches.suse/powerpc-64s-Fix-pte-update-for-kernel-memory-on-radi.patch (bsc#1055117 git-fixes CVE-2021-47034 bsc#1220687). - Update patches.suse/regmap-set-debugfs_name-to-NULL-after-it-is-freed.patch (git-fixes CVE-2021-47058 bsc#1220779). - Update patches.suse/rtw88-Fix-array-overrun-in-rtw_get_tx_power_params.patch (git-fixes CVE-2021-47065 bsc#1220749). - Update patches.suse/scsi-lpfc-Fix-null-pointer-dereference-in-lpfc_prep_.patch (bsc#1182574 CVE-2021-47045 bsc#1220640). - Update patches.suse/scsi-qedf-Add-pointer-checks-in-qedf_update_link_speed (git-fixes CVE-2021-47077 bsc#1220861). - Update patches.suse/scsi-qla2xxx-Fix-crash-in-qla2xxx_mqueuecommand.patch (bsc#1185491 CVE-2021-46963 bsc#1220536). - Update patches.suse/serial-rp2-use-request_firmware-instead-of-request_f.patch (git-fixes CVE-2021-47169 bsc#1222000). - Update patches.suse/soundwire-stream-fix-memory-leak-in-stream-config-er.patch (git-fixes CVE-2021-47020 bsc#1220785). - Update patches.suse/spi-fsl-lpspi-Fix-PM-reference-leak-in-lpspi_prepare.patch (git-fixes CVE-2021-47051 bsc#1220764). - Update patches.suse/spi-spi-fsl-dspi-Fix-a-resource-leak-in-an-error-han.patch (git-fixes CVE-2021-47161 bsc#1221966). - Update patches.suse/tpm-efi-Use-local-variable-for-calculating-final-log.patch (git-fixes CVE-2021-46951 bsc#1220615). - Update patches.suse/tracing-Restructure-trace_clock_global-to-never-block.patch (git-fixes CVE-2021-46939 bsc#1220580). - Update patches.suse/tun-avoid-double-free-in-tun_free_netdev.patch (bsc#1209635 CVE-2022-4744 CVE-2021-47082 bsc#1220969). - Update patches.suse/x86-kvm-Disable-kvmclock-on-all-CPUs-on-shutdown.patch (bsc#1185308 CVE-2021-47110 bsc#1221532). - Update patches.suse/x86-kvm-Teardown-PV-features-on-boot-CPU-as-well.patch (bsc#1185308 CVE-2021-47112 bsc#1221541). - commit 563b877 - Update patches.suse/i2c-img-scb-fix-reference-leak-when-pm_runtime_get_s.patch (git-fixes CVE-2020-36783 bsc#1220561). - Update patches.suse/i2c-imx-lpi2c-fix-reference-leak-when-pm_runtime_get.patch (git-fixes CVE-2020-36782 bsc#1220560). - Update patches.suse/i2c-sprd-fix-reference-leak-when-pm_runtime_get_sync.patch (git-fixes CVE-2020-36780 bsc#1220556). - commit 33b0d9d - IB/hfi1: Fix bugs with non-PAGE_SIZE-end multi-iovec user SDMA requests (bsc#1220445 CVE-2023-52474) - commit bdb2e0c - Update patches.suse/s390-dasd-add-missing-discipline-function (bsc#1188130 ltc#193581 CVE-2021-47176 bsc331221996). - commit d918596 - wifi: ath10k: fix NULL pointer dereference in ath10k_wmi_tlv_op_pull_mgmt_tx_compl_ev() (bsc#1218336 CVE-2023-7042). - commit 22d99d7 - dmaengine: fix NULL pointer in channel unregistration function (bsc#1221276 CVE-2023-52492) - commit b24663f - Bluetooth: rfcomm: Fix null-ptr-deref in rfcomm_check_security (bsc#1219170 CVE-2024-22099). - commit b8c2f38 - aoe: fix the potential use-after-free problem in aoecmd_cfg_pkts (bsc#1218562 CVE-2023-6270). - commit 0e87477 - fs: no need to check source (bsc#1221044 CVE-2023-52591). - commit df2f811 - rename(): avoid a deadlock in the case of parents having no common ancestor (bsc#1221044 CVE-2023-52591). - commit faa6432 - kill lock_two_inodes() (bsc#1221044 CVE-2023-52591). - commit d6f6371 - rename(): fix the locking of subdirectories (bsc#1221044 CVE-2023-52591). - commit 063df0d - f2fs: Avoid reading renamed directory if parent does not change (bsc#1221044 CVE-2023-52591). - commit 4dfa62d - ext4: don't access the source subdirectory content on same-directory rename (bsc#1221044 CVE-2023-52591). - commit 80ff66b - ext2: Avoid reading renamed directory if parent does not change (bsc#1221044 CVE-2023-52591). - commit 03d3930 - udf_rename(): only access the child content on cross-directory rename (bsc#1221044 CVE-2023-52591). - commit 4bff17c - ocfs2: Avoid touching renamed directory if parent does not change (bsc#1221044 CVE-2023-52591). - commit 74fc5ec - reiserfs: Avoid touching renamed directory if parent does not change (git-fixes bsc#1221044 CVE-2023-52591). Refresh patches.suse/reiserfs-add-check-to-detect-corrupted-directory-entry.patch Refresh patches.suse/reiserfs-don-t-panic-on-bad-directory-entries.patch - commit f392df9 - fs: don't assume arguments are non-NULL (bsc#1221044 CVE-2023-52591). - commit a11eadd - fs: Restrict lock_two_nondirectories() to non-directory inodes (bsc#1221044 CVE-2023-52591). - commit 6ad8632 - fs: ocfs2: check status values (bsc#1221044 CVE-2023-52591). - commit 696c231 - fs: Lock moved directories (bsc#1221044 CVE-2023-52591). - commit c14fbaa - fs: Establish locking order for unrelated directories (bsc#1221044 CVE-2023-52591). - commit b424ded - fs: introduce lock_rename_child() helper (bsc#1221044 CVE-2023-52591). - commit 02e4cc0 - dm: rearrange core declarations for extended use from dm-zone.c (bsc#1221113). - Refresh patches.kabi/kABI-dm-fix-deadlock-when-swapping-to-encrypted-device.patch. - commit 741eac7 - perf/x86/lbr: Filter vsyscall addresses (bsc#1220703, CVE-2023-52476). - commit c46d003 - dm rq: don't queue request to blk-mq during DM suspend (bsc#1221113). - commit b77fc22 - neighbour: allow NUD_NOARP entries to be forced GCed (bsc#1221534 CVE-2021-47109). - commit d36f6ec - net/sched: Add module alias for sch_fq_pie (bsc#1210335 CVE-2023-1829). - commit d985f7c - net/sched: Remove alias of sch_clsact (bsc#1210335 CVE-2023-1829). - net/sched: Load modules via their alias (bsc#1210335 CVE-2023-1829). - net/sched: Add module aliases for cls_,sch_,act_ modules (bsc#1210335 CVE-2023-1829). - net/sched: Add helper macros with module names (bsc#1210335 CVE-2023-1829). - net/sched: Remove alias of sch_clsact (bsc#1210335 CVE-2023-1829). - net/sched: Load modules via their alias (bsc#1210335 CVE-2023-1829). - net/sched: Add module aliases for cls_,sch_,act_ modules (bsc#1210335 CVE-2023-1829). - net/sched: Add helper macros with module names (bsc#1210335 CVE-2023-1829). - commit 6a5afc3 - x86/mmio: Disable KVM mitigation when X86_FEATURE_CLEAR_CPU_BUF is set (bsc#1213456 CVE-2023-28746). - commit 15a7f43 - Sort already upstream patches - Refresh patches.suse/Documentation-hw-vuln-Add-documentation-for-RFDS.patch. - Refresh patches.suse/KVM-VMX-Move-VERW-closer-to-VMentry-for-MDS-mitigation.patch. - Refresh patches.suse/KVM-VMX-Use-BT-JNC-i.e.-EFLAGS.CF-to-select-VMRESUME-vs.-V.patch. - Refresh patches.suse/KVM-x86-Export-RFDS_NO-and-RFDS_CLEAR-to-guests.patch. - Refresh patches.suse/x86-bugs-Add-asm-helpers-for-executing-VERW.patch. - Refresh patches.suse/x86-bugs-Use-ALTERNATIVE-instead-of-mds_user_clear-static-.patch. - Refresh patches.suse/x86-entry_32-Add-VERW-just-before-userspace-transition.patch. - Refresh patches.suse/x86-entry_64-Add-VERW-just-before-userspace-transition.patch. - Refresh patches.suse/x86-rfds-Mitigate-Register-File-Data-Sampling-RFDS.patch. - commit 851bcbe - perf/core: Fix unconditional security_locked_down() call (bsc#1220697, CVE-2021-46971). - commit 0b7f805 - io_uring/af_unix: disable sending io_uring over sockets (bsc#1220754 CVE-2023-6531). - commit a0d28a2 - usb: mtu3: fix list_head check warning (bsc#1220484 CVE-2021-46930). - commit b548734 - Refresh patches.kabi/team-Hide-new-member-header-ops.patch. Fix for kABI workaround. - commit ff68767 - ceph: fix deadlock or deadcode of misusing dget() (bsc#1221058 CVE-2023-52583). - commit 5c7a950 - usb: hub: Guard against accesses to uninitialized BOS descriptors (git-fixes). Altered because 5.3 does not do SSP - commit 6d423f3 - Update patches.suse/scsi-qla2xxx-Fix-SRB-leak-on-switch-command-timeout.patch added CVE reference to: (jsc#SLE-9714 jsc#SLE-10327 jsc#SLE-10334 bnc#1151927 5.3.17 cve-2021-46963). - commit bac1eb3 - Update reference of bpf-Use-correct-permission-flag-for-mixed-signed-bou.patch (bsc#1184942 bsc#1220425 CVE-2021-29155 CVE-2021-46908). - commit 787c408 - drm/radeon: check the alloc_workqueue return value in radeon_crtc_init() (bsc#1220413 CVE-2023-52470). - commit d61356a - drivers/amd/pm: fix a use-after-free in kv_parse_power_table (bsc#1220411 CVE-2023-52469). - commit 10972e5 - irqchip/gic-v3: Do not enable irqs when handling spurious interrups (bsc#1220529,CVE-2021-46961) - commit 83fe0b1 - group-source-files.pl: Quote filenames (boo#1221077). The kernel source now contains a file with a space in the name. Add quotes in group-source-files.pl to avoid splitting the filename. Also use -print0 / -0 when updating timestamps. - commit a005e42 - phy: ti: phy-omap-usb2: Fix NULL pointer dereference for SRP (bsc#1220340,CVE-2024-26600) - commit c4890bf - mm: fix gup_pud_range (bsc#1220824). - commit d0caaa5 - RDMA/rxe: Clear all QP fields if creation failed (bsc#1220863 CVE-2021-47078) - commit 23bba26 - RDMA/rxe: Return CQE error if invalid lkey was supplied (bsc#1220860 CVE-2021-47076) - commit 1171085 - ACPI: extlog: fix NULL pointer dereference check (bsc#1221039 CVE-2023-52605). - commit a37794c - Update patches.suse/net-hso-fix-NULL-deref-on-disconnect-regression.patch (bsc#1220416 bsc#1220418 CVE-2021-46904 CVE-2021-46905). Added second CVE reference - commit 6b7d257 - Update patches.suse/net-hso-fix-NULL-deref-on-disconnect-regression.patch (bsc#1220416 CVE-2021-46904). - Update patches.suse/net-hso-fix-null-ptr-deref-during-tty-device-unregis.patch (bsc#1220416 CVE-2021-46904). Added CVE references - commit ce2a61e - kernel-binary: Fix i386 build Fixes: 89eaf4cdce05 (&quot;rpm templates: Move macro definitions below buildrequires&quot;) - commit f7c6351 - KVM: x86: Export RFDS_NO and RFDS_CLEAR to guests (bsc#1213456 CVE-2023-28746). - commit d0c95ff - x86/rfds: Mitigate Register File Data Sampling (RFDS) (bsc#1213456 CVE-2023-28746). - commit 7725a96 - net: nfc: fix races in nfc_llcp_sock_get() and nfc_llcp_sock_get_sn() (CVE-2023-52502 bsc#1220831). - commit 3983469 - btrfs: remove BUG() after failure to insert delayed dir index item (bsc#1220918 CVE-2023-52569). - commit ff844fd - btrfs: improve error message after failure to add delayed dir index item (bsc#1220918 CVE-2023-52569). - commit f310611 - Documentation/hw-vuln: Add documentation for RFDS (bsc#1213456 CVE-2023-28746). - commit bff3e02 - x86/srso: Add SRSO mitigation for Hygon processors (bsc#1220735 CVE-2023-52482). - commit 1f25b34 - KVM: s390: fix setting of fpc register (bsc#1221040 CVE-2023-52597). - commit 8155006 - vt: fix memory overlapping when deleting chars in the buffer (bsc#1220845 CVE-2022-48627). - commit b8e8505 - kernel-binary: vdso: fix filelist for non-usrmerged kernel Fixes: a6ad8af207e6 (&quot;rpm templates: Always define usrmerged&quot;) - commit fb3f221 - kabi: team: Hide new member header_ops (bsc#1220870 CVE-2023-52574). - commit 04e32d4 - i2c: validate user data in compat ioctl (git-fixes bsc#1220469 CVE-2021-46934). - commit 554cd35 - ravb: Fix use-after-free issue in ravb_tx_timeout_work() (bsc#1212514 CVE-2023-35827). - net: mana: Fix TX CQE error handling (bsc#1220932 CVE-2023-52532). - team: fix null-ptr-deref when team device type is changed (bsc#1220870 CVE-2023-52574). - commit 5631a0c - Update reference of bpf-Fix-masking-negation-logic-upon-negative-dst-reg.patch (bsc#1155518 bsc#1220700 CVE-2021-46974). - commit 5f6c988 - wifi: mac80211: fix potential key use-after-free (CVE-2023-52530 bsc#1220930). - wifi: iwlwifi: mvm: Fix a memory corruption issue (CVE-2023-52531 bsc#1220931). - commit 7072ac0 - pinctrl: mediatek: fix global-out-of-bounds issue (CVE-2021-47083 bsc#1220917). - commit f54296c - drm/bridge: sii902x: Fix probing race issue (bsc#1220736 CVE-2024-26607). - commit 470c611 - KVM: Destroy target device if coalesced MMIO unregistration fails (git-fixes). - commit c99d976 - KVM: mmio: Fix use-after-free Read in kvm_vm_ioctl_unregister_coalesced_mmio (git-fixes). - commit f7f8d3b - bpf: Reject variable offset alu on PTR_TO_FLOW_KEYS (bsc#1220255 CVE-2024-26589). - commit 84782c1 - PCI: endpoint: Fix NULL pointer dereference for -&gt;get_features() (bsc#1220660 CVE-2021-47005). - commit 4cda383 - tls: fix race between tx work scheduling and socket close (CVE-2024-26585 bsc#1220187). - commit 7207999 - kabi: restore return type of dst_ops::gc() callback (CVE-2023-52340 bsc#1219295). - ipv6: remove max_size check inline with ipv4 (CVE-2023-52340 bsc#1219295). - commit 077e12d - netfilter: nf_tables: fix 64-bit load issue in nft_byteorder_eval() (CVE-2024-0607 bsc#1218915). - netfilter: nf_tables: fix pointer math issue in nft_byteorder_eval() (CVE-2024-0607 bsc#1218915). - commit b02bdeb - netfilter: nf_tables: fix 64-bit load issue in nft_byteorder_eval() (CVE-2024-0607 bsc#1218915). - netfilter: nf_tables: fix pointer math issue in nft_byteorder_eval() (CVE-2024-0607 bsc#1218915). - commit 67cfeec - Update patches.suse/sctp-use-call_rcu-to-free-endpoint.patch (CVE-2022-20154 CVE-2021-46929 bsc#1200599 bsc#1220482). - commit 8d1b35f - Update patches.suse/scsi-qla2xxx-Reserve-extra-IRQ-vectors.patch (bsc#1184436 bsc#1186286 bsc#1220538 CVE-2021-46964). - commit e5c6db2 - KVM: Stop looking for coalesced MMIO zones if the bus is destroyed (bsc#1220742 CVE-2021-47060). - commit 7287801 - netfilter: nft_set_pipapo: skip inactive elements during set walk (CVE-2023-6817 bsc#1218195). - commit ba8530f - tomoyo: fix UAF write bug in tomoyo_write_control() (bsc#1220825 CVE-2024-26622). - commit 6d24f8e - Update patches.suse/s390-zcrypt-fix-zcard-and-zqueue-hot-unplug-memleak (git-fixes CVE-2021-46968). - commit a63feba - doc/README.SUSE: Update information about module support status (jsc#PED-5759) Following the code change in SLE15-SP6 to have externally supported modules no longer taint the kernel, update the respective documentation in README.SUSE: * Describe that support status can be obtained at runtime for each module from /sys/module/$MODULE/supported and for the entire system from /sys/kernel/supported. This provides a way how to now check that the kernel has any externally supported modules loaded. * Remove a mention that externally supported modules taint the kernel, but keep the information about bit 16 (X) and add a note that it is still tracked per module and can be read from /sys/module/$MODULE/taint. This per-module information also appears in Oopses. - commit 9ed8107 - powerpc/pseries/memhp: Fix access beyond end of drmem array (bsc#1220250,CVE-2023-52451). - commit 9865154 - Input: appletouch - initialize work before device registration (CVE-2021-46932 bsc#1220444). - commit 8f106a8 - Update patches.suse/ipc-mqueue-msg-sem-Avoid-relying-on-a-stack-reference.patch (bsc#1185988, bsc1220826, CVE-2021-47069). - commit f01183e - Update References patches.suse/ACPI-GTDT-Don-t-corrupt-interrupt-mappings-on-watchd.patch (git-fixes bsc#1220599 CVE-2021-46953). - commit 5b10499 - Update References patches.suse/ACPI-custom_method-fix-potential-use-after-free-issu.patch (git-fixes bsc#1220572 CVE-2021-46966). - commit 8eecec3 - efivarfs: force RO when remounting if SetVariable is not supported (bsc#1220328 CVE-2023-52463). - commit 0c76724 - RDMA/siw: Fix a use after free in siw_alloc_mr (bsc#1220627 CVE-2021-47012). - commit 96f4478 - mtd: Fix gluebi NULL pointer dereference caused by ftl notifier (bsc#1220238 CVE-2023-52449). - commit d23e49b - Input: powermate - fix use-after-free in powermate_config_complete (CVE-2023-52475 bsc#1220649). - HID: logitech-hidpp: Fix kernel crash on receiver USB disconnect (CVE-2023-52478 bsc#1220796). - commit 92ea315 - hfsplus: prevent corruption in shrinking truncate (bsc#1220737 CVE-2021-46989). - commit cc37c78 - Update patch reference for qcom bus fix (CVE-2021-47054 bsc#1220767) - commit 024411a - netfilter: nft_limit: avoid possible divide error in nft_limit_init (bsc#1220436 CVE-2021-46915). - commit 291b0ff - NFC: st21nfca: Fix memory leak in device probe and remove (CVE-2021-46924 bsc#1220459). - commit 2b46faa - Update patch reference for HID fix (CVE-2021-46906 bsc#1220421) - commit 89e5504 - i2c: Fix a potential use after free (bsc#1220409 CVE-2019-25162). - commit 6421697 - i2c: cadence: fix reference leak when pm_runtime_get_sync fails (bsc#1220570 CVE-2020-36784). - commit 5fa02fa - KVM: Destroy I/O bus devices on unregister failure _after_ sync'ing SRCU (bsc#git-fixes, CVE-2021-47061). - commit b2a896d - Update patch reference for media usb fix (CVE-2020-36777 bsc#1220526) - commit f0fcd0d - media: pvrusb2: fix use after free on context disconnection (CVE-2023-52445 bsc#1220241). - commit 3f02f88 - nfc: nci: fix possible NULL pointer dereference in send_acknowledge() (bsc#1219125 CVE-2023-46343). - commit 9371a32 - uio: Fix use-after-free in uio_open (bsc#1220140 CVE-2023-52439). - commit 758615f - apparmor: avoid crash when parsed profile name is empty (CVE-2023-52443 bsc#1220240). - commit 9d07817 - sched/membarrier: reduce the ability to hammer on sys_membarrier (git-fixes, bsc#1220398, CVE-2024-26602). - commit b645222 - i2c: i801: Fix block process call transactions (bsc#1220009 CVE-2024-26593). - commit c348c97 - netfilter: nftables: avoid overflows in nft_hash_buckets() (CVE-2021-47013 bsc#1220641). - commit f0d286e - net:emac/emac-mac: Fix a use after free in emac_mac_tx_buf_send (CVE-2021-47013 bsc#1220641). - commit 378bb67 - mlxsw: spectrum_acl_tcam: Fix stack corruption (bsc#1220243 CVE-2024-26586). - mlxsw: spectrum_acl_tcam: Fix NULL pointer dereference in error path (bsc#1220344 CVE-2024-26595). - commit 76ed3a3 - EDAC/thunderx: Fix possible out-of-bounds string access (bsc#1220330) - commit 5f2e003 - gfs2: Fix kernel NULL pointer dereference in gfs2_rgrp_dump (bsc#1220253 CVE-2023-52448). - commit a731316 - rpm templates: Always define usrmerged usrmerged is now defined in kernel-spec-macros and not the distribution. Only check if it's defined in kernel-spec-macros, not everywhere where it's used. - commit a6ad8af - KVM: x86: work around QEMU issue with synthetic CPUID leaves (git-fixes). - commit fda6073 - blacklist.conf: Blacklist a clang fix - commit 6540830 - rpm templates: Move macro definitions below buildrequires Many of the rpm macros defined in the kernel packages depend directly or indirectly on script execution. OBS cannot execute scripts which means values of these macros cannot be used in tags that are required for OBS to see such as package name, buildrequires or buildarch. Accumulate macro definitions that are not directly expanded by mkspec below buildrequires and buildarch to make this distinction clear. - commit 89eaf4c - net: openvswitch: limit the number of recursions from action sets (bsc#1219835 CVE-2024-1151). - commit 5a5045f - rpm/check-for-config-changes: add GCC_ASM_GOTO_OUTPUT_WORKAROUND to IGNORED_CONFIGS_RE Introduced by commit 68fb3ca0e408 (&quot;update workarounds for gcc &quot;asm goto&quot; issue&quot;). - commit be1bdab - compute-PATCHVERSION: Do not produce output when awk fails compute-PATCHVERSION uses awk to produce a shell script that is subsequently executed to update shell variables which are then printed as the patchversion. Some versions of awk, most notably bysybox-gawk do not understand the awk program and fail to run. This results in no script generated as output, and printing the initial values of the shell variables as the patchversion. When the awk program fails to run produce 'exit 1' as the shell script to run instead. That prevents printing the stale values, generates no output, and generates invalid rpm spec file down the line. Then the problem is flagged early and should be easier to diagnose. - commit 8ef8383 - x86/cpu, kvm: Move X86_FEATURE_LFENCE_RDTSC to its native leaf (git-fixes). - commit 6d2e676 - KVM: x86: Move open-coded CPUID leaf 0x80000021 EAX bit propagation code (git-fixes). - commit 1f3dbeb - KVM: x86: synthesize CPUID leaf 0x80000021h if useful (git-fixes). - commit 2581a0e - KVM: x86: add support for CPUID leaf 0x80000021 (git-fixes). - commit 79ab1f6 - x86/asm: Add _ASM_RIP() macro for x86-64 (%rip) suffix (git-fixes). - commit 26d80bf - KVM: VMX: Move VERW closer to VMentry for MDS mitigation (git-fixes). - KVM: VMX: Use BT+JNC, i.e. EFLAGS.CF to select VMRESUME vs. VMLAUNCH (git-fixes). - x86/bugs: Use ALTERNATIVE() instead of mds_user_clear static key (git-fixes). Also add the removed mds_user_clear symbol to kABI severities as it is exposed just for KVM module and is generally a core kernel component so removing it is low risk. - x86/entry_32: Add VERW just before userspace transition (git-fixes). - x86/entry_64: Add VERW just before userspace transition (git-fixes). - x86/bugs: Add asm helpers for executing VERW (git-fixes). - commit 8f33ff8 - mbcache: Fixup kABI of mb_cache_entry (bsc#1207653 bsc#1219915). - commit 52b181f - ext4: fix deadlock due to mbcache entry corruption (bsc#1207653 bsc#1219915). - commit 14e0a9c - net/rds: Fix UBSAN: array-index-out-of-bounds in rds_cmsg_recv (bsc#1219127 CVE-2024-23849). - commit 75b4a5b - cifs: fix missing unload_nls() in smb2_reconnect() (bsc#1213476). - commit 7236d05 - cifs: fix status checks in cifs_tree_connect (bsc#1213476). - commit a4a76da - smb: client: fix null auth (bsc#1213476). - commit 08d9d59 - kernel-binary: Move build script to the end All other spec templates have the build script at the end, only kernel-binary has it in the middle. Align with the other templates. - commit 98cbdd0 - rpm templates: Aggregate subpackage descriptions While in some cases the package tags, description, scriptlets and filelist are located together in other cases they are all across the spec file. Aggregate the information related to a subpackage in one place. - commit 8eeb08c - rpm templates: sort rpm tags The rpm tags in kernel spec files are sorted at random. Make the order of rpm tags somewhat more consistent across rpm spec templates. - commit 8875c35 - Update to add CVE-2024-23851 tag, patches.suse/dm-limit-the-number-of-targets-and-parameter-size-ar.patch (bsc#1219827, bsc#1219146, CVE-2023-52429, CVE-2024-23851). - commit ef15d5e - dm: limit the number of targets and parameter size area (bsc#1219827, bsc#1219146, CVE-2023-52429). - commit 2431307 - vhost: use kzalloc() instead of kmalloc() followed by memset() (CVE-2024-0340, bsc#1218689). - commit aa86ef0 - kernel-binary: certs: Avoid trailing space - commit bc7dc31 - rpm/kernel-binary.spec.in: install scripts/gdb when enabled in config (bsc#1219653) They are put into -devel subpackage. And a proper link to /usr/share/gdb/auto-load/ is created. - commit 1dccf2a - Refresh patches.suse/cifs-Fix-UAF-in-cifs_demultiplex_thread-.patch. Add the upstream commit ID. - commit d9857fd - netfilter: nf_tables: reject QUEUE/DROP verdict parameters (CVE-2024-1086 bsc#1219434). - commit 33a2cdd - drm/amdgpu: Fix potential fence use-after-free v2 (bsc#1219128 CVE-2023-51042). - commit 2e8464f - rpm/mkspec: sort entries in _multibuild Otherwise it creates unnecessary diffs when tar-up-ing. It's of course due to readdir() using &quot;random&quot; order as served by the underlying filesystem. See for example: https://build.opensuse.org/request/show/1144457/changes - commit d1155de - atm: Fix Use-After-Free in do_vcc_ioctl (CVE-2023-51780 bsc#1218730). - commit 6405c59 - xen-netback: don't produce zero-size SKB frags (CVE-2023-46838, XSA-448, bsc#1218836). - commit 7d3a106 - ext4: fix kernel BUG in 'ext4_write_inline_data_end()' (CVE-2021-33631 bsc#1219412). - commit 792d624 - kernel-source: Fix description typo - commit 8abff35 - nvmet-tcp: Fix the H2C expected PDU len calculation (bsc#1217987 bsc#1217988 bsc#1217989 CVE-2023-6535 CVE-2023-6536 CVE-2023-6356). - nvmet-tcp: remove boilerplate code (bsc#1217987 bsc#1217988 bsc#1217989 CVE-2023-6535 CVE-2023-6536 CVE-2023-6356). - nvmet-tcp: fix a crash in nvmet_req_complete() (bsc#1217987 bsc#1217988 bsc#1217989 CVE-2023-6535 CVE-2023-6536 CVE-2023-6356). - nvmet-tcp: Fix a kernel panic when host sends an invalid H2C PDU length (bsc#1217987 bsc#1217988 bsc#1217989 CVE-2023-6535 CVE-2023-6536 CVE-2023-6356). - commit e2033e6 - wifi: brcmfmac: Fix use-after-free bug in brcmf_cfg80211_detach (CVE-2023-47233 bsc#1216702). - commit 6452010 - rpm/constraints.in: set jobs for riscv to 8 The same workers are used for x86 and riscv and the riscv builds take ages. So align the riscv jobs count to x86. - commit b2c82b9 - x86/entry/ia32: Ensure s32 is sign extended to s64 (bsc#1193285). - commit 8395685 - net: sched: sch_qfq: Use non-work-conserving warning handler (CVE-2023-4921 bsc#1215275). - commit aabd893 - mkspec: Use variant in constraints template Constraints are not applied consistently with kernel package variants. Add variant to the constraints template as appropriate, and expand it in mkspec. - commit cc68ab9 - rpm/constraints.in: add static multibuild packages Commit 841012b049a5 (rpm/mkspec: use kernel-source: prefix for constraints on multibuild) added &quot;kernel-source:&quot; prefix to the dynamically generated kernels. But there are also static ones like kernel-docs. Those fail to build as the constraints are still not applied. So add the prefix also to the static ones. Note kernel-docs-rt is given kernel-source-rt prefix. I am not sure it will ever be multibuilt... - commit c2e0681 - drm/atomic: Fix potential use-after-free in nonblocking commits (bsc#1219120 CVE-2023-51043). - commit 1f381b4 - Revert &quot;Limit kernel-source build to architectures for which the kernel binary&quot; This reverts commit 08a9e44c00758b5f3f3b641830ab6affff041132. The fix for bsc#1108281 directly causes bsc#1218768, revert. - commit 2943b8a - mkspec: Include constraints for both multibuild and plain package always There is no need to check for multibuild flag, the constraints can be always generated for both cases. - commit 308ea09 - rpm/mkspec: use kernel-source: prefix for constraints on multibuild Otherwise the constraints are not applied with multibuild enabled. - commit 841012b - rpm/kernel-source.rpmlintrc: add action-ebpf Upstream commit a79d8ba734bd (selftests: tc-testing: remove buildebpf plugin) added this precompiled binary blob. Adapt rpmlintrc for kernel-source. - commit b5ccb33 - ext4: improve error recovery code paths in __ext4_remount() (bsc#1219053 CVE-2024-0775). - commit f053871 - scripts/tar-up.sh: don't add spurious entry from kernel-sources.changes.old The previous change added the manual entry from kernel-sources.change.old to old_changelog.txt unnecessarily. Let's fix it. - commit fb033e8 - rpm/kernel-docs.spec.in: fix build with 6.8 Since upstream commit f061c9f7d058 (Documentation: Document each netlink family), the build needs python yaml. - commit 6a7ece3 - smb: client: fix OOB in receive_encrypted_standard() (bsc#1218832 CVE-2024-0565). - commit 59d97af - ida: Fix crash in ida_free when the bitmap is empty (bsc#1218804 CVE-2023-6915). - commit e0cf5bf - netfilter: nf_tables: Reject tables of unsupported family (bsc#1218752 CVE-2023-6040). - commit 9fd7b64 - net/rose: Fix Use-After-Free in rose_ioctl (CVE-2023-51782 bsc#1218757). - commit 1ba2d82 - powerpc/powernv: Add a null pointer check in opal_event_init() (bsc#1065729 CVE-2023-52686). - commit 0f57a9b - Store the old kernel changelog entries in kernel-docs package (bsc#1218713) The old entries are found in kernel-docs/old_changelog.txt in docdir. rpm/old_changelog.txt can be an optional file that stores the similar info like rpm/kernel-sources.changes.old. It can specify the commit range that have been truncated. scripts/tar-up.sh expands from the git log accordingly. - commit c9a2566 - smb: client: fix potential OOB in smb2_dump_detail() (bsc#1217946 CVE-2023-6610). - commit 838930f - Limit kernel-source build to architectures for which the kernel binary is built (bsc#1108281). - commit 08a9e44 - Bluetooth: af_bluetooth: Fix Use-After-Free in bt_sock_recvmsg (CVE-2023-51779 bsc#1218559). - commit 10b8efc - clocksource: Suspend the watchdog temporarily when high read latency detected (bsc#1218105). - commit 683a4c2 - clocksource: Avoid accidental unstable marking of clocksources (bsc#1218105). - commit 0d50b3e - mkspec: Add multibuild support (JSC-SLE#5501, boo#1211226, bsc#1218184) When MULTIBUILD option in config.sh is enabled generate a _multibuild file listing all spec files. - commit f734347 - Build in the correct KOTD repository with multibuild (JSC-SLE#5501, boo#1211226, bsc#1218184) With multibuild setting repository flags is no longer supported for individual spec files - see https://github.com/openSUSE/open-build-service/issues/3574 Add ExclusiveArch conditional that depends on a macro set up by bs-upload-kernel instead. With that each package should build only in one repository - either standard or QA. Note: bs-upload-kernel does not interpret rpm conditionals, and only uses the first ExclusiveArch line to determine the architectures to enable. - commit aa5424d - Bluetooth: avoid memcmp() out of bounds warning (bsc#1215237 CVE-2020-26555). - Bluetooth: hci_event: Fix coding style (bsc#1215237 CVE-2020-26555). - Bluetooth: hci_event: Fix using memcmp when comparing keys (bsc#1215237 CVE-2020-26555). - commit bb86106 - Bluetooth: Reject connection with the device which has same BD_ADDR (bsc#1215237 CVE-2020-26555). - commit 360840a - Bluetooth: hci_event: Ignore NULL link key (bsc#1215237 CVE-2020-26555). - commit 13b41ce - perf: Fix perf_event_validate_size() lockdep splat (CVE-2023-6931 bsc#1218258). - perf: Fix perf_event_validate_size() (CVE-2023-6931 bsc#1218258). - commit e551d3d - smb: client: fix OOB in smbCalcSize() (bsc#1217947 CVE-2023-6606). - commit bba90ea - ipv4: igmp: fix refcnt uaf issue when receiving igmp query packet (bsc#1218253 CVE-2023-6932). - commit 1240db6 - io_uring: fix 32-bit compatability with sendmsg/recvmsg (bsc#1217709). This was originally blacklisted for no good reason. Since now we have an actual bug report that breaks LTP, drop from blacklist and backport. - commit 8a7380f - efi/mokvar: Reserve the table only if it is in boot services data (bsc#1215375). - commit 2c6d22d - nvmet: nul-terminate the NQNs passed in the connect command (bsc#1217250 CVE-2023-6121). - commit 3b11907 - kernel-source: Remove config-options.changes (jsc#PED-5021) The file doc/config-options.changes was used in the past to document kernel config changes. It was introduced in 2010 but haven't received any updates on any branch since 2015. The file is renamed by tar-up.sh to config-options.changes.txt and shipped in the kernel-source RPM package under /usr/share/doc. As its content now only contains outdated information, retaining it can lead to confusion for users encountering this file. Config changes are nowadays described in associated Git commit messages, which get automatically collected and are incorporated into changelogs of kernel RPM packages. Drop then this obsolete file, starting with its packaging logic. For branch maintainers: Upon merging this commit on your branch, please correspondingly delete the file doc/config-options.changes. - commit adedbd2 - doc/README.SUSE: Simplify the list of references (jsc#PED-5021) Reduce indentation in the list of references, make the style consistent with README.md. - commit 70e3c33 - doc/README.SUSE: Add how to update the config for module signing (jsc#PED-5021) Configuration files for SUSE kernels include settings to integrate with signing support provided by the Open Build Service. This creates problems if someone tries to use such a configuration file to build a &quot;standalone&quot; kernel as described in doc/README.SUSE: * Default configuration files available in the kernel-source repository unset CONFIG_MODULE_SIG_ALL to leave module signing to pesign-obs-integration. In case of a &quot;standalone&quot; build, this integration is not available and the modules don't get signed. * The kernel spec file overrides CONFIG_MODULE_SIG_KEY to &quot;.kernel_signing_key.pem&quot; which is a file populated by certificates provided by OBS but otherwise not available. The value ends up in /boot/config-$VERSION-$RELEASE-$FLAVOR and /proc/config.gz. If someone decides to use one of these files as their base configuration then the build fails with an error because the specified module signing key is missing. Add information on how to enable module signing and where to find the relevant upstream documentation. - commit a699dc3 - doc/README.SUSE: Remove how to build modules using kernel-source (jsc#PED-5021) Remove the first method how to build kernel modules from the readme. It describes a process consisting of the kernel-source installation, configuring this kernel and then performing an ad-hoc module build. This method is not ideal as no modversion data is involved in the process. It results in a module with no symbol CRCs which can be wrongly loaded on an incompatible kernel. Removing the method also simplifies the readme because only two main methods how to build the modules are then described, either doing an ad-hoc build using kernel-devel, or creating a proper Kernel Module Package. - commit 9285bb8 - net: mana: Configure hwc timeout from hardware (bsc#1214037). - net: mana: Fix MANA VF unload when hardware is unresponsive (bsc#1214764). - commit b006ee9 - Call flush_delayed_fput() from nfsd main-loop (bsc#1217408). - commit f407bf4 - powerpc: Don't clobber f0/vs0 during fp|altivec register save (bsc#1217780). - commit 96932d7 - netfilter: conntrack: dccp: copy entire header to stack buffer, not just basic one (CVE-2023-39197 bsc#1216976). - commit 5e51ad1 - kernel-binary: suse-module-tools is also required when installed Requires(pre) adds dependency for the specific sciptlet. However, suse-module-tools also ships modprobe.d files which may be needed at posttrans time or any time the kernel is on the system for generating ramdisk. Add plain Requires as well. - commit 8c12816 - rpm: Use run_if_exists for all external scriptlets With that the scriptlets do not need to be installed for build. - commit 25edd65 - net/tls: do not free tls_rec on async operation in bpf_exec_tx_verdict() (bsc#1217332 CVE-2023-6176). - commit 20678d9 - ALSA: hda: Disable power-save on KONTRON SinglePC (bsc#1217140). - commit ad1e507 - README.SUSE: fix patches.addon use It's series, not series.conf in there. And make it more precise on when the patches are applied. - commit cb8969c - Do not store build host name in initrd Without this patch, kernel-obs-build stored the build host name in its .build.initrd.kvm This patch allows for reproducible builds of kernel-obs-build and thus avoids re-publishing the kernel-obs-build.rpm when nothing changed. Note that this has no influence on the /etc/hosts file that is used during other OBS builds. https://bugzilla.opensuse.org/show_bug.cgi?id=1084909 - commit fd3a75e - Ensure ia32_emulation is always enabled for kernel-obs-build If ia32_emulation is disabled by default, ensure it is enabled back for OBS kernel to allow building 32bit binaries (jsc#PED-3184) [ms: Always pass the parameter, no need to grep through the config which may not be very reliable] - commit 56a2c2f - kobject: Fix slab-out-of-bounds in fill_kobj_path() (bsc#1216058 CVE-2023-45863). - commit 1b6a097 - rpm: Define git commit as macro - commit bcc92c8 - kernel-source: Move provides after sources - commit dbbf742 - patches.suse/0003-btrfs-tree-checker-Refactor-prev_key-check-for-ino-i.patch: (bsc#1215371). - commit 39aefaa - patches.suse/0002-btrfs-tree-checker-Add-check-for-INODE_REF.patch: (bsc#1215371). - commit d3fc74a - patches.suse/0001-btrfs-tree-checker-Try-to-detect-missing-INODE_ITEM.patch: (bsc#1215371). - commit b772e7a - rpm/check-for-config-changes: add HAVE_SHADOW_CALL_STACK to IGNORED_CONFIGS_RE Not supported by our compiler. - commit eb32b5a - igb: set max size RX buffer when store bad packet is enabled (bsc#1216259 CVE-2023-45871). - commit 9445d70 - drm/qxl: fix UAF on handle creation (CVE-2023-39198 bsc#1216965). - commit a0819bc - Bluetooth: hci_ldisc: check HCI_UART_PROTO_READY flag in HCIUARTGETPROTO (bsc#1210780 CVE-2023-31083). - commit 7f7eb62 - perf/core: Fix potential NULL deref (bsc#1216584 CVE-2023-5717). - commit dbf3f79 - perf: Disallow mis-matched inherited group reads (bsc#1216584 CVE-2023-5717). Implement KABI fix for above - commit c397b9e - rpm/check-for-config-changes: add AS_WRUSS to IGNORED_CONFIGS_RE Add AS_WRUSS as an IGNORED_CONFIGS_RE entry in check-for-config-changes to fix build on x86_32. There was a fix submitted to upstream but it was not accepted: https://lore.kernel.org/all/20231031140504.GCZUEJkMPXSrEDh3MA@fat_crate.local/ So carry this in IGNORED_CONFIGS_RE instead. - commit 7acca37 - Fix patches.suse/io_uring-used-cached-copies-of-sq-dropped-and-cq-ove.patch. (bsc#1214344) To protect itself against userspace corrupting the counter of io_uring dropped submission entries, the kernel relies on a cache of the counter instead of reading the counter directly. But, the stable patch that was brought to SP3 implementing the this mechanism was done incorrectly, and let's the kernel read from the userspace value instead of the cache in one situation. This allows userspace to subvert the counter, hanging the application forever. Fix the backport to read from the cached value. 5.3 stable is long dead, so there is nothing to fix upstream or in - stable. - commit 2f88408 - ibmvfc: make 'max_sectors' a module option (bsc#1216223). - commit ecc46dc - scsi: Update max_hw_sectors on rescan (bsc#1216223). - commit 2c4e392 - nvme-fc: Prevent null pointer dereference in nvme_fc_io_getuuid() (bsc#1214842). - commit b96c59b - ubi: Refuse attaching if mtd's erasesize is 0 (CVE-2023-31085 bsc#1210778). - commit cf2c572 - bpf: propagate precision in ALU/ALU64 operations (git-fixes). - commit 3cd9fd7 - USB: ene_usb6250: Allocate enough memory for full object (bsc#1216051 CVE-2023-45862). - commit 850ea88 - bpf: Fix incorrect verifier pruning due to missing register precision taints (bsc#1215518 CVE-2023-2163). - commit 37a3998 - netfilter: nf_tables: skip bound chain on rule flush (CVE-2023-3777 bsc#1215095). - commit 5558be6 - xen/events: replace evtchn_rwlock with RCU (bsc#1215745, xsa-441, cve-2023-34324). - commit 4227b23 - KVM: x86: fix sending PV IPI (git-fixes, bsc#1210853, bsc#1216134). - commit 8704b8e - netfilter: nfnetlink_osf: avoid OOB read (bsc#1216046 CVE-2023-39189). - commit c154d64 - btrfs: unset reloc control if transaction commit fails in prepare_to_relocate() (bsc#1212051 CVE-2023-3111). - commit 2048118 - doc/README.PATCH-POLICY.SUSE: Convert the document to Markdown (jsc#PED-5021) - commit c05cfc9 - doc/README.SUSE: Convert the document to Markdown (jsc#PED-5021) - commit bff5e3e - Update patches.suse/ipv6-sr-fix-out-of-bounds-read-when-setting-HMAC-dat.patch (bsc#1211592 CVE-2023-2860). - commit 267cf38 - net: xfrm: Fix xfrm_address_filter OOB read (CVE-2023-39194 bsc#1215861). - commit 1bf7dab - netfilter: xt_sctp: validate the flag_info count (CVE-2023-39193 bsc#1215860). - commit 6fc23b4 - netfilter: xt_u32: validate user space input (CVE-2023-39192 bsc#1215858). - commit 5f8a021 - ipv4: fix null-deref in ipv4_link_failure (CVE-2023-42754 bsc#1215467). - commit ecc7c7a - btrfs: fix root ref counts in error handling in btrfs_get_root_ref (bsc#1214351 CVE-2023-4389). - commit 14e72e8 - Revert rwsem backport (bsc#1207270 jsc#PED-4567) The rwsem backport enabled database software to run on largest VMs in Azure (M416v2, M832v2). It is reportedly no longer needed: - Delete patches.suse/lockdep-Add-preemption-enabled-disabled-assertion-AP.patch. - Delete patches.suse/locking-Add-missing-__sched-attributes.patch. - Delete patches.suse/locking-Remove-rcu_read_-un-lock-for-preempt_-dis-en.patch. - Delete patches.suse/locking-rwsem-Add-__always_inline-annotation-to-__do.patch. - Delete patches.suse/locking-rwsem-Allow-slowpath-writer-to-ignore-handof.patch. - Delete patches.suse/locking-rwsem-Always-try-to-wake-waiters-in-out_nolo.patch. - Delete patches.suse/locking-rwsem-Better-collate-rwsem_read_trylock.patch. - Delete patches.suse/locking-rwsem-Conditionally-wake-waiters-in-reader-w.patch. - Delete patches.suse/locking-rwsem-Disable-preemption-for-spinning-region.patch. - Delete patches.suse/locking-rwsem-Disable-preemption-in-all-down_read-an.patch. - Delete patches.suse/locking-rwsem-Disable-preemption-in-all-down_write-a.patch. - Delete patches.suse/locking-rwsem-Disable-preemption-while-trying-for-rw.patch. - Delete patches.suse/locking-rwsem-Enable-reader-optimistic-lock-stealing.patch. - Delete patches.suse/locking-rwsem-Fix-comment-typo.patch. - Delete patches.suse/locking-rwsem-Fix-comments-about-reader-optimistic-l.patch. - Delete patches.suse/locking-rwsem-Fold-__down_-read-write.patch. - Delete patches.suse/locking-rwsem-Introduce-rwsem_write_trylock.patch. - Delete patches.suse/locking-rwsem-Make-handoff-bit-handling-more-consist.patch. - Delete patches.suse/locking-rwsem-No-need-to-check-for-handoff-bit-if-wa.patch. - Delete patches.suse/locking-rwsem-Optimize-down_read_trylock-under-highl.patch. - Delete patches.suse/locking-rwsem-Pass-the-current-atomic-count-to-rwsem.patch. - Delete patches.suse/locking-rwsem-Prevent-non-first-waiter-from-spinning.patch. - Delete patches.suse/locking-rwsem-Prevent-potential-lock-starvation.patch. - Delete patches.suse/locking-rwsem-Remove-an-unused-parameter-of-rwsem_wa.patch. - Delete patches.suse/locking-rwsem-Remove-reader-optimistic-spinning.patch. - Delete patches.suse/rwsem-Implement-down_read_interruptible.patch. - Delete patches.suse/rwsem-Implement-down_read_killable_nested.patch. - blacklist.conf: add a rwsem patch that causes lockups Restore the patch disabling optimistic spinning for readers: - locking/rwsem: Disable reader optimistic spinning (bnc#1176588). Add down_read_interruptible and down_read_killable_nested, which were exported symbols added by the patchset being reverted, to kabi/severities. - commit ae06a1f - doc/README.PATCH-POLICY.SUSE: Remove the list of links (jsc#PED-5021) All links have been incorporated into the text. Remove now unnecessary list at the end of the document. - commit 43d62b1 - doc/README.SUSE: Adjust heading style (jsc#PED-5021) * Underscore all headings as a preparation for Markdown conversion. * Use title-style capitalization for the document name and sentence-style capitalization for section headings, as recommended in the current SUSE Documentation Style Guide. - commit 11e3267 - netfilter: ipset: add the missing IP_SET_HASH_WITH_NET0 macro for ip_set_hash_netportnet.c (CVE-2023-42753 bsc#1215150). - commit c0f449e - tcp: Reduce chance of collisions in inet6_hashfn() (CVE-2023-1206 bsc#1212703). - commit fdc3ce8 - scsi: qedf: Add synchronization between I/O completions and abort (bsc#1210658). - commit 9be81b4 - Refresh patches.suse/net-sched-cbq-dont-intepret-cls-results-when-asked-t.patch. - commit dc11875 - doc/README.PATCH-POLICY.SUSE: Reflow text to 80-column width (jsc#PED-5021) - commit be0158c - doc/README.PATCH-POLICY.SUSE: Update information about the tools (jsc#PED-5021) * Replace bugzilla.novell.com with bugzilla.suse.com and FATE with Jira. * Limit the range of commits in the exportpatch example to prevent it from running for too long. * Incorporate URLs directly into the text. * Fix typos and improve some wording, in particular avoid use of &quot;there is/are&quot; and prefer the present tense over the future one. - commit c0bea0c - doc/README.PATCH-POLICY.SUSE: Update information about the patch format (jsc#PED-5021) * Replace bugzilla.novell.com with bugzilla.suse.com and FATE with Jira. * Remove references to links to the patchtools and kernel source. They are incorporated in other parts of the text. * Use sentence-style capitalization for section headings, as recommended in the current SUSE Documentation Style Guide. * Fix typos and some wording, in particular avoid use of &quot;there is/are&quot;. - commit ce98345 - doc/README.PATCH-POLICY.SUSE: Update the summary and background (jsc#PED-5021) * Drop information about patches being split into directories per a subsystem because that is no longer the case. * Remove the mention that the expanded tree is present since SLE11-SP2 as that is now only a historical detail. * Incorporate URLs and additional information in parenthenses directly into the text. * Fix typos and improve some wording. - commit 640988f - net: sched: sch_qfq: Fix UAF in qfq_dequeue() (CVE-2023-4921 bsc#1215275). - commit b3e4331 - kernel-binary: Move build-time definitions together Move source list and build architecture to buildrequires to aid in future reorganization of the spec template. - commit 30e2cef - bnx2x: new flag for track HW resource allocation (bsc#1202845 bsc#1215322). - commit 9c9c729 - x86/srso: Fix srso_show_state() side effect (git-fixes). - commit a76a23f - x86/srso: Fix SBPB enablement for spec_rstack_overflow=off (git-fixes). - commit 184fe4b - x86/srso: Don't probe microcode in a guest (git-fixes). - commit 1dd85db - x86/srso: Set CPUID feature bits independently of bug or mitigation status (git-fixes). - commit 4dac766 - Update patches.suse/net-sched-cbq-dont-intepret-cls-results-when-asked-t.patch. (bsc#1207036 CVE-2023-23454) Fold downstream fixup of caa4b35b4317d5147b3ab0fbdc9c075c7d2e9c12. - commit bd0b138 - kernel-binary: python3 is needed for build At least scripts/bpf_helpers_doc.py requires python3 since Linux 4.18 Other simimlar scripts may exist. - commit c882efa - netfilter: nft_set_pipapo: fix improper element removal (bsc#1213812 CVE-2023-4004). - commit 593f458 - af_unix: Fix null-ptr-deref in unix_stream_sendpage() (CVE-2023-4622 bsc#1215117). - commit bd1d942 - net/sched: sch_hfsc: Ensure inner classes have fsc curve (CVE-2023-4623 bsc#1215115). - commit 0cd315e - cec-api: prevent leaking memory through hole in structure (CVE-2020-36766 bsc#1215299). - commit d226bc0 - doc/README.SUSE: Reflow text to 80-column width (jsc#PED-5021) - commit e8f2c67 - doc/README.SUSE: Minor content clean up (jsc#PED-5021) * Mark the user's build directory as a variable, not a command: 'make -C $(your_build_dir)' -&gt; 'make -C $YOUR_BUILD_DIR'. * Unify how to get the current directory: 'M=$(pwd)' -&gt; 'M=$PWD'. * 'GIT' / 'git' -&gt; 'Git'. - commit 1cb4ec8 - doc/README.SUSE: Update information about module paths (jsc#PED-5021) * Use version variables to describe names of the /lib/modules/$VERSION-$RELEASE-$FLAVOR/... directories instead of using specific example versions which get outdated quickly. * Note: Keep the /lib/modules/ prefix instead of using the new /usr/lib/modules/ location for now. The updated README is expected to be incorporated to various branches that are not yet usrmerged. - commit 7eba2f0 - doc/README.SUSE: Update information about custom patches (jsc#PED-5021) * Replace mention of various patches.* directories with only patches.suse as the typical location for patches. * Replace i386 with x86_64 in the example how to define a config addon. * Fix some typos and wording. - commit 2997d22 - x86/pkeys: Revert a5eff7259790 (&quot;x86/pkeys: Add PKRU value to init_fpstate&quot;) (bsc#1215356). - commit 012d8e6 - 9p/xen : Fix use after free bug in xen_9pfs_front_remove due to race condition (bsc#1215206, CVE-2023-1859). - commit fe5b126 - doc/README.SUSE: Update information about config files (jsc#PED-5021) * Use version variables to describe a name of the /boot/config-... file instead of using specific example versions which get outdated quickly. * Replace removed silentoldconfig with oldconfig. * Mention that oldconfig can automatically pick a base config from &quot;/boot/config-$(uname -r)&quot;. * Avoid writing additional details in parentheses, incorporate them instead properly in the text. - commit cba5807 - sctp: leave the err path free in sctp_stream_init to sctp_stream_free (CVE-2023-2177 bsc#1210643). - commit 2ef1e9d - netfilter: nftables: exthdr: fix 4-byte stack OOB write (CVE-2023-4881 bsc#1215221). - commit 780699b - doc/README.SUSE: Update the patch selection section (jsc#PED-5021) * Make the steps how to obtain expanded kernel source more generic in regards to version numbers. * Use '#' instead of '$' as the command line indicator to signal that the steps need to be run as root. * Update the format of linux-$SRCVERSION.tar.bz2 to xz. * Improve some wording. - commit e14852c - doc/README.SUSE: Update information about (un)supported modules (jsc#PED-5021) * Update the list of taint flags. Convert it to a table that matches the upstream documentation format and describe specifically flags that are related to module support status. * Fix some typos and wording. - commit e46f0df - doc/README.SUSE: Bring information about compiling up to date (jsc#PED-5021) * When building the kernel, don't mention to initially change the current directory to /usr/src/linux because later description discourages it and specifies to use 'make -C /usr/src/linux'. * Avoid writing additional details in parentheses, incorporate them instead properly in the text. * Fix the obsolete name of /etc/modprobe.d/unsupported-modules -&gt; /etc/modprobe.d/10-unsupported-modules.conf. * Drop a note that a newly built kernel should be added to the boot manager because that normally happens automatically when running 'make install'. * Update a link to the Kernel Module Packages Manual. * When preparing a build for external modules, mention use of the upstream recommended 'make modules_prepare' instead of a pair of 'make prepare' + 'make scripts'. * Fix some typos+grammar. - commit b9b7e79 - cifs: add missing spinlock around tcon refcount (bsc#1213476). - commit 1a00f64 - cifs: avoid dup prefix path in dfs_get_automount_devname() (bsc#1213476). - commit c1a52f2 - cifs: split out ses and tcon retrieval from mount_get_conns() (bsc#1213476). - commit ebada2a - cifs: remove unused smb3_fs_context::mount_options (bsc#1213476). - commit af50097 - cifs: set resolved ip in sockaddr (bsc#1213476). - commit c2e848a - doc/README.SUSE: Bring the overview section up to date (jsc#PED-5021) * Update information in the overview section that was no longer accurate. * Improve wording and fix some typos+grammar. - commit 798c075 - cifs: prevent data race in smb2_reconnect() (bsc#1213476). - commit eafa010 - cifs: remove unused function (bsc#1213476). - commit fde895d - cifs: fix return of uninitialized rc in dfs_cache_update_tgthint() (bsc#1213476). - commit 924ead8 - cifs: handle cache lookup errors different than -ENOENT (bsc#1213476). - commit c0a1798 - cifs: remove duplicate code in __refresh_tcon() (bsc#1213476). - commit fbf8b77 - cifs: don't take exclusive lock for updating target hints (bsc#1213476). - commit 9fca9a3 - cifs: avoid re-lookups in dfs_cache_find() (bsc#1213476). - commit 3b10c1a - cifs: fix potential deadlock in cache_refresh_path() (bsc#1213476). - commit 15d2508 - cifs: ignore ipc reconnect failures during dfs failover (bsc#1213476). - commit f1aa7e2 - cifs: use origin fullpath for automounts (bsc#1213476). - commit 49eaf17 - cifs: set correct status of tcon ipc when reconnecting (bsc#1213476). - commit f0a500e - cifs: optimize reconnect of nested links (bsc#1213476). - commit 6b7513b - cifs: fix source pathname comparison of dfs supers (bsc#1213476). - commit b6c447e - cifs: fix confusing debug message (bsc#1213476). - commit e408d5b - cifs: don't block in dfs_cache_noreq_update_tgthint() (bsc#1213476). - commit a33b3ed - cifs: refresh root referrals (bsc#1213476). - commit 9e232c2 - cifs: fix refresh of cached referrals (bsc#1213476). - commit fcfdfe6 - doc/README.SUSE: Update the references list (jsc#PED-5021) * Remove the reference to Linux Documentation Project. It has been inactive for years and mostly contains old manuals that aren't relevant for contemporary systems and hardware. * Update the name and link to LWN.net. The original name &quot;Linux Weekly News&quot; has been deemphasized over time by its authors. * Update the link to Kernel newbies website. * Update the reference to The Linux Kernel Module Programming Guide. The document has not been updated for over a decade but it looks its content is still relevant for today. * Point Kernel Module Packages Manual to the current version. * Add a reference to SUSE SolidDriver Program. - commit 0edac75 - doc/README.SUSE: Update title information (jsc#PED-5021) * Drop the mention of kernel versions from the readme title. * Remove information about the original authors of the document. Rely as in case of other readmes on Git metadata to get information about all contributions. * Strip the table of contents. The document is short and easy to navigate just by scrolling through it. - commit 06f5139 - doc/README.SUSE: Update information about DUD (jsc#PED-5021) Remove a dead link to description of Device Update Disks found previously on novell.com. Replace it with a short section summarizing what DUD is and reference the mkdud + mksusecd tools and their documentation for more information. - commit 7eeba4e - cifs: don't refresh cached referrals from unactive mounts (bsc#1213476). - commit 13ea817 - cifs: share dfs connections and supers (bsc#1213476). - commit d01493c - Delete patches.suse/genksyms-add-override-flag.diff. The override flag is no longer used in kernel-binary. - commit 79d5655 - rpm/kernel-binary.spec.in: Drop use of KBUILD_OVERRIDE=1 Genksyms has functionality to specify an override for each type in a symtypes reference file. This override is then used instead of an actual type and allows to preserve modversions (CRCs) of symbols that reference the type. It is kind of an alternative to doing kABI fix-ups with '#ifndef __GENKSYMS__'. The functionality is hidden behind the genksyms --preserve option which primarily tells the tool to strictly verify modversions against a given reference file or fail. Downstream patch patches.suse/genksyms-add-override-flag.diff which is present in various kernel-source branches separates the override logic. It allows it to be enabled with a new --override flag and used without specifying the --preserve option. Setting KBUILD_OVERRIDE=1 in the spec file is then a way how the build is told that --override should be passed to all invocations of genksyms. This was needed for SUSE kernels because their build doesn't use --preserve but instead resulting CRCs are later checked by scripts/kabi.pl. However, this override functionality was not utilized much in practice and the only use currently to be found is in SLE11-SP1-LTSS. It means that no one should miss this option and KBUILD_OVERRIDE=1 together with patches.suse/genksyms-add-override-flag.diff can be removed. Notes for maintainers merging this commit to their branches: * Downstream patch patches.suse/genksyms-add-override-flag.diff can be dropped after merging this commit. * Branch SLE11-SP1-LTSS uses the mentioned override functionality and this commit should not be merged to it, or needs to be reverted afterwards. - commit 4aa02b8 - cifs: do all necessary checks for credits within or before locking (bsc#1213476). - commit ce2dc27 - cifs: avoid use of global locks for high contention data (bsc#1213476). - Refresh patches.suse/cifs-set-resolved-ip-in-sockaddr.patch. - Refresh patches.suse/cifs-Fix-UAF-in-cifs_demultiplex_thread-.patch. - commit 7ce18a4 - cifs: get rid of mount options string parsing (bsc#1213476). - commit a615bd3 - cifs: use fs_context for automounts (bsc#1213476). - commit 231aad6 - cifs: set correct ipc status after initial tree connect (bsc#1213476). - Refresh patches.suse/cifs-set-correct-tcon-status-after-initial-tree-connect.patch. - commit abf3572 - cifs: set correct tcon status after initial tree connect (bsc#1213476). - commit a4030d4 - Bluetooth: L2CAP: Fix use-after-free in l2cap_sock_ready_cb (bsc#1214233 CVE-2023-40283). - commit 11dc4cc - Refresh patches.suse/powerpc-Move-DMA64_PROPNAME-define-to-a-header.patch. - commit d263157 - x86/speculation: Mark all Skylake CPUs as vulnerable to GDS (git-fixes). - commit a3ff58c - drm/vmwgfx: Test shader type against SVGA3d_SHADERTYPE_MIN (bsc#1203517 CVE-2022-36402) - commit 5b2dbae - cifs: Fix UAF in cifs_demultiplex_thread() (bsc#1208995 CVE-2023-1192). - commit 87f52bf - powerpc/rtas: remove ibm_suspend_me_token (bsc#1023051). - commit 4f01e57 - Do not add and remove genksyms ifdefs - Refresh patches.kabi/lockdown-kABI-workaround-for-lockdown_reason-changes.patch. - Refresh patches.suse/lockdown-also-lock-down-previous-kgdb-use.patch. - commit e497b88 - powerpc/rtas: move syscall filter setup into separate function (bsc#1023051). - commit a36442d - rpm/mkspec-dtb: support for nested subdirs Commit 724ba6751532 (&quot;ARM: dts: Move .dts files to vendor sub-directories&quot;) moved the dts to nested subdirs, add a support for that. That is, generate a %dir entry in %files for them. - commit 6484eda - x86/speculation: Add cpu_show_gds() prototype (git-fixes). - commit 5d94fff - x86: Move gds_ucode_mitigated() declaration to header (git-fixes). - commit 5ab0096 - blacklist.conf: Blacklist redundant docu patch - commit 1c6d737 - Sort recent hw security-related patches Move them to the sorted section and adjust patches accordingly. - Refresh patches.suse/kvm-add-gds_no-support-to-kvm.patch. - Refresh patches.suse/x86-speculation-add-force-option-to-gds-mitigation.patch. - Refresh patches.suse/x86-speculation-add-gather-data-sampling-mitigation.patch. - Refresh patches.suse/x86-speculation-add-kconfig-option-for-gds.patch. - Refresh patches.suse/x86-srso-add-a-speculative-ras-overflow-mitigation.patch. - Refresh patches.suse/x86-srso-add-srso_no-support.patch. - commit 5c87dd7 - Input: cyttsp4_core - change del_timer_sync() to timer_shutdown_sync() (bsc#1213971 CVE-2023-4134). - commit 3ffe891 - powerpc/rtas: block error injection when locked down (bsc#1023051). Refresh patches.kabi/lockdown-kABI-workaround-for-lockdown_reason-changes.patch - commit 3bd253d - powerpc/rtas: mandate RTAS syscall filtering (bsc#1023051). - commit 3251f7a - powerpc: Move DMA64_PROPNAME define to a header (bsc#1214297 ltc#197503). - commit c36e5b8 - x86/CPU/AMD: Fix the DIV(0) initial fix attempt (bsc#1213927, CVE-2023-20588). - commit 48fc5d8 - x86/CPU/AMD: Do not leak quotient data after a division by 0 (bsc#1213927, CVE-2023-20588). - commit 5e5738e - old-flavors: Drop 2.6 kernels. 2.6 based kernels are EOL, upgrading from them is no longer suported. - commit 7bb5087 - net: vmxnet3: fix possible NULL pointer dereference in vmxnet3_rq_cleanup() (bsc#1214451 CVE-2023-4459). - commit 1ac9015 - net: nfc: Fix use-after-free caused by nfc_llcp_find_local (bsc#1213601 CVE-2023-3863). - nfc: llcp: simplify llcp_sock_connect() error paths (bsc#1213601 CVE-2023-3863). - nfc: llcp: nullify llcp_sock-&gt;dev on connect() error paths (bsc#1213601 CVE-2023-3863). - commit 9d4529d - kabi/severities: Ignore newly added SRSO mitigation functions - commit 95ed32f - x86/srso: Correct the mitigation status when SMT is disabled (git-fixes). - commit 309af7f - x86/srso: Explain the untraining sequences a bit more (git-fixes). - commit fa09ab7 - x86/cpu/kvm: Provide UNTRAIN_RET_VM (git-fixes). - commit 5038558 - x86/cpu: Cleanup the untrain mess (git-fixes). - commit eda7e6d - x86/cpu: Rename srso_(.*)_alias to srso_alias_\1 (git-fixes). - commit 6e5dea6 - xfrm: add NULL check in xfrm_update_ae_params (bsc#1213666 CVE-2023-3772). - commit fdc40c6 - x86/cpu: Rename original retbleed methods (git-fixes). - commit 554babe - x86/srso: Disable the mitigation on unaffected configurations (git-fixes). - commit a99796e - x86/retpoline: Don't clobber RFLAGS during srso_safe_ret() (git-fixes). - commit 2b91cd9 - Update config files. Drop the dpt_i2o kernel module. For: jsc#PED-4579, CVE-2023-2007 - commit 6a43698 - fs: jfs: fix possible NULL pointer dereference in dbFree() (bsc#1214348 CVE-2023-4385). - commit ee83171 - xfs: fix sb write verify for lazysbcount (bsc#1214275). - commit 37c728c - xfs: update superblock counters correctly for !lazysbcount (bsc#1214275). - commit 2b6e01d - xfs: gut error handling in xfs_trans_unreserve_and_mod_sb() (bsc#1214275). - commit e55f7c6 - mkspec: Allow unsupported KMPs (bsc#1214386) - commit 55d8b82 - pseries/iommu/ddw: Fix kdump to work in absence of ibm,dma-window (bsc#1214297 ltc#197503). - commit ea499bc - check-for-config-changes: ignore BUILTIN_RETURN_ADDRESS_STRIPS_PAC (bsc#1214380). gcc7 on SLE 15 does not support this while later gcc does. - commit 5b41c27 - net: vmxnet3: fix possible use-after-free bugs in vmxnet3_rq_alloc_rx_buf() (bsc#1214350 CVE-2023-4387). - commit 0fa208f - e1000: Remove unnecessary use of kmap_atomic() (jsc#PED-5738). - commit dfa3fd7 - intel/e1000:fix repeated words in comments (jsc#PED-5738). - commit e5d93d0 - e1000: Fix typos in comments (jsc#PED-5738). - commit 64fd6bc - e1000: switch to napi_consume_skb() (jsc#PED-5738). - commit 1ad8d9c - intel: remove checker warning (jsc#PED-5738). - commit c3ad152 - net: e1000: remove repeated words for e1000_hw.c (jsc#PED-5738). - commit ace3bf9 - net: e1000: remove repeated word &quot;slot&quot; for e1000_main.c (jsc#PED-5738). - commit cfd4849 - e1000: Fix fall-through warnings for Clang (jsc#PED-5738). - commit 7817f78 - e1000: drop unneeded assignment in e1000_set_itr() (jsc#PED-5738). - commit d2ba4db - io_uring: Acquire completion_lock around io_get_deferred_req (bsc#1213272 CVE-2023-21400). - commit 84db304 - kernel-binary: Common dependencies cleanup Common dependencies are copied to a subpackage, there is no need for copying defines or build dependencies there. - commit 254b03c - kernel-binary: Drop code for kerntypes support Kerntypes was a SUSE-specific feature dropped before SLE 12. - commit 2c37773 - md/raid0: Fix performance regression for large sequential writes (bsc#1213916). - md/raid0: Factor out helper for mapping and submitting a bio (bsc#1213916). - commit b0544bd - media: usb: siano: Fix warning due to null work_func_t function pointer (bsc#1213969 CVE-2023-4132). - commit c44d7c3 - media: usb: siano: Fix use after free bugs caused by do_submit_urb (bsc#1213969 CVE-2023-4132). - commit a27f430 - net/sched: cls_route: No longer copy tcf_result on update to avoid use-after-free (bsc#1214149 CVE-2023-4128). - net/sched: cls_fw: No longer copy tcf_result on update to avoid use-after-free (bsc#1214149 CVE-2023-4128). - net/sched: cls_u32: No longer copy tcf_result on update to avoid use-after-free (bsc#1214149 CVE-2023-4128). - commit ea3bad4 - exfat: check if filename entries exceeds max filename length (bsc#1214120 CVE-2023-4273). - commit d8c4244 - series.conf: resort - commit b2ee92a - netfilter: nf_tables: disallow rule addition to bound chain via NFTA_RULE_CHAIN_ID (CVE-2023-4147 bsc#1213968). - commit 1258138 - cxgb4: fix use after free bugs caused by circular dependency problem (bsc#1213970 CVE-2023-4133). - timers: Provide timer_shutdown[_sync]() (bsc#1213970). - timers: Add shutdown mechanism to the internal functions (bsc#1213970). - timers: Split [try_to_]del_timer[_sync]() to prepare for shutdown mode (bsc#1213970). - timers: Silently ignore timers with a NULL function (bsc#1213970). - timers: Rename del_timer() to timer_delete() (bsc#1213970). - timers: Rename del_timer_sync() to timer_delete_sync() (bsc#1213970). - timers: Use del_timer_sync() even on UP (bsc#1213970). - timers: Update kernel-doc for various functions (bsc#1213970). - timers: Replace BUG_ON()s (bsc#1213970). - clocksource/drivers/sp804: Do not use timer namespace for timer_shutdown() function (bsc#1213970). - clocksource/drivers/arm_arch_timer: Do not use timer namespace for timer_shutdown() function (bsc#1213970). - ARM: spear: Do not use timer namespace for timer_shutdown() function (bsc#1213970). - commit 6a1c404 - xen/netback: Fix buffer overrun triggered by unusual packet (CVE-2023-34319, XSA-432, bsc#1213546). - commit 3617080 - x86/srso: Tie SBPB bit setting to microcode patch detection (bsc#1213287, CVE-2023-20569). - commit 3f35ab4 - net: tun_chr_open(): set sk_uid from current_fsuid() (CVE-2023-4194 bsc#1214019). - commit 25c979d - net: tap_open(): set sk_uid from current_fsuid() (CVE-2023-4194 bsc#1214019). - commit b03d1d8 - x86/microcode/AMD: Make stub function static inline (bsc#1213868). - Refresh patches.suse/x86-cpu-amd-add-a-zenbleed-fix.patch. - commit f587833 - mm: Move mm_cachep initialization to mm_init() (bsc#1206418, CVE-2022-40982). - commit 487512d - bpf: add missing header file include (bsc#1211738 CVE-2023-0459). - commit 0e6ab49 - locking/rwsem: Add __always_inline annotation to __down_read_common() and inlined callers (bsc#1207270 jsc#PED-4567). - commit 9e46337 - locking/rwsem: Disable preemption in all down_write*() and up_write() code paths (bsc#1207270 jsc#PED-4567). - commit e8b39d0 - locking/rwsem: Disable preemption in all down_read*() and up_read() code paths (bsc#1207270 jsc#PED-4567). - commit f20a53f - locking/rwsem: Prevent non-first waiter from spinning in down_write() slowpath (bsc#1207270 jsc#PED-4567). - commit 9c40fdf - locking/rwsem: Disable preemption while trying for rwsem lock (bsc#1207270 jsc#PED-4567). - commit d6741e8 - locking/rwsem: Allow slowpath writer to ignore handoff bit if not set by first waiter (bsc#1207270 jsc#PED-4567). - commit 22681e5 - locking/rwsem: Always try to wake waiters in out_nolock path (bsc#1207270 jsc#PED-4567). - commit 2dd13e8 - locking/rwsem: Conditionally wake waiters in reader/writer slowpaths (bsc#1207270 jsc#PED-4567). - commit c20a7d3 - locking/rwsem: No need to check for handoff bit if wait queue empty (bsc#1207270 jsc#PED-4567). - commit 7d6a2e9 - locking: Add missing __sched attributes (bsc#1207270 jsc#PED-4567). - commit 0f7a2d1 - locking/rwsem: Optimize down_read_trylock() under highly contended case (bsc#1207270 jsc#PED-4567). - commit 46658e6 - locking/rwsem: Make handoff bit handling more consistent (bsc#1207270 jsc#PED-4567). - commit e47427d - locking/rwsem: Fix comments about reader optimistic lock stealing conditions (bsc#1207270 jsc#PED-4567). - commit 4a0d7cf - locking: Remove rcu_read_{,un}lock() for preempt_{dis,en}able() (bsc#1207270 jsc#PED-4567). - commit ee007db - lockdep: Add preemption enabled/disabled assertion APIs (bsc#1207270 jsc#PED-4567). - commit 1386d93 - locking/rwsem: Disable preemption for spinning region (bsc#1207270 jsc#PED-4567). - commit 0fad749 - locking/rwsem: Remove an unused parameter of rwsem_wake() (bsc#1207270 jsc#PED-4567). - commit b255b46 - locking/rwsem: Fix comment typo (bsc#1207270 jsc#PED-4567). - commit 0ac673a - locking/rwsem: Remove reader optimistic spinning (bsc#1207270 jsc#PED-4567). - commit 4b129c1 - locking/rwsem: Enable reader optimistic lock stealing (bsc#1207270 jsc#PED-4567). - commit 7c0e82a - locking/rwsem: Prevent potential lock starvation (bsc#1207270 jsc#PED-4567). - commit 00b076e - locking/rwsem: Pass the current atomic count to rwsem_down_read_slowpath() (bsc#1207270 jsc#PED-4567). - commit 1d2b5fa - locking/rwsem: Fold __down_{read,write}*() (bsc#1207270 jsc#PED-4567). - commit fd0b8b5 - locking/rwsem: Introduce rwsem_write_trylock() (bsc#1207270 jsc#PED-4567). - commit daa9d5f - locking/rwsem: Better collate rwsem_read_trylock() (bsc#1207270 jsc#PED-4567). - commit 23252c2 - rwsem: Implement down_read_interruptible (bsc#1207270 jsc#PED-4567). - commit 07e26fd - rwsem: Implement down_read_killable_nested (bsc#1207270 jsc#PED-4567). - commit 42f4ca4 - locking/rwsem: Prepare for a rwsem backport The rwsem backport will enable the kernel to run on large VMs in Azure (M416v2, M832v2). The rwsem code is going to be updated with newest features one of which disables optimistic spinning for readers. - blacklist.conf: Remove an entry that is part of the backported patch set. - Delete patches.suse/locking-rwsem-Disable-reader-optimistic-spinning.patch. - commit d354394 - ipv6: rpl: Fix Route of Death (CVE-2023-2156 bsc#1211131). - commit 5601bfa - x86/srso: Add IBPB on VMEXIT (bsc#1213287, CVE-2023-20569). - commit f2c709c - x86/srso: Add IBPB (bsc#1213287, CVE-2023-20569). - commit ef6bc71 - x86/srso: Add SRSO_NO support (bsc#1213287, CVE-2023-20569). - commit a905016 - x86/cpu, kvm: Add support for CPUID_80000021_EAX (bsc#1213287, CVE-2023-20569). - Refresh patches.suse/x86-cpufeatures-add-kabi-padding.patch. - commit f39cd8f - x86/srso: Add IBPB_BRTYPE support (bsc#1213287, CVE-2023-20569). - commit 5d6a6a0 - x86: Sanitize linker script (bsc#1213287, CVE-2023-20569). - commit 8ff4f99 - x86/retbleed: Add __x86_return_thunk alignment checks (bsc#1213287, CVE-2023-20569). - commit e623809 - x86/srso: Add a Speculative RAS Overflow mitigation (bsc#1213287, CVE-2023-20569). - commit 707be59 - kernel-binary.spec.in: Remove superfluous %% in Supplements Fixes: 02b7735e0caf (&quot;rpm/kernel-binary.spec.in: Add Enhances and Supplements tags to in-tree KMPs&quot;) - commit 264db74 - net/sched: sch_qfq: account for stab overhead in qfq_enqueue (CVE-2023-3611 bsc#1213585). - net/sched: sch_qfq: refactor parsing of netlink parameters (bsc#1213585). - blacklist follow-up commit 158810b261d0 (&quot;net/sched: sch_qfq: reintroduce lmax bound check for MTU&quot;) as unlike the original upstream commit, our backport does not remove the check - commit 609da2e - net/sched: cls_u32: Fix reference counter leak leading to overflow (CVE-2023-3609 bsc#1213586). - commit b22e9b9 - net/sched: cls_fw: Fix improper refcount update leads to use-after-free (CVE-2023-3776 bsc#1213588). - commit b7fc513 - vc_screen: don't clobber return value in vcs_read (bsc#1213167 CVE-2023-3567). - vc_screen: modify vcs_size() handling in vcs_read() (bsc#1213167 CVE-2023-3567). - vc_screen: move load of struct vc_data pointer in vcs_read() to avoid UAF (bsc#1213167 CVE-2023-3567). - commit da930b7 - block, bfq: Fix division by zero error on zero wsum (bsc#1213653). - commit 67879a5 - x86/xen: Fix secondary processors' FPU initialization (bsc#1206418, CVE-2022-40982). - commit 8a9c409 - x86/fpu: Move FPU initialization into arch_cpu_finalize_init() (bsc#1206418, CVE-2022-40982). - commit d9e45bd - x86/fpu: Mark init functions __init (bsc#1206418, CVE-2022-40982). - commit 613212d - x86/fpu: Remove cpuinfo argument from init functions (bsc#1206418). - commit 82c61db - init, x86: Move mem_encrypt_init() into arch_cpu_finalize_init() (bsc#1206418). - commit 6fb5f8f - init: Invoke arch_cpu_finalize_init() earlier (bsc#1206418). - commit 8ef61c6 - init: Remove check_bugs() leftovers (bsc#1206418). - commit a639423 - ARM: cpu: Switch to arch_cpu_finalize_init() (bsc#1206418). - commit cbb96e9 - x86/cpu: Switch to arch_cpu_finalize_init() (bsc#1206418). - commit 7fa4777 - x86/mm: Initialize text poking earlier (bsc#1206418, CVE-2022-40982). - Refresh patches.suse/init-provide-arch_cpu_finalize_init.patch. - commit 9784a5e - init: Provide arch_cpu_finalize_init() (bsc#1206418). - commit f81d332 - x86/mm: fix poking_init() for Xen PV guests (bsc#1206418, CVE-2022-40982). - commit b12d1bf - x86/mm: Use mm_alloc() in poking_init() (bsc#1206418, CVE-2022-40982). - commit 9a1d45f - rpm/mkspec-dtb: add riscv64 dtb-allwinner subpackage - commit ec82ffc - net: tun: fix bugs for oversize packet when napi frags enabled (bsc#1213543 CVE-2023-3812). - commit 5e9be17 - netfilter: nf_tables: do not ignore genmask when looking up chain by id (CVE-2023-31248 bsc#1213061). - commit 414921d - netfilter: nf_tables: prevent OOB access in nft_byteorder_eval (CVE-2023-35001 bsc#1213059). - commit b0acbe2 - uaccess: Add speculation barrier to copy_from_user() (bsc#1211738 CVE-2023-0459). - commit 93eec59 - netfilter: nf_tables: incorrect error path handling with NFT_MSG_NEWRULE (CVE-2023-3390 CVE-2023-3117 bsc#1212846 bsc#1213245). - commit 176a7df - KVM: Add GDS_NO support to KVM (bsc#1206418, CVE-2022-40982). - commit 6550823 - x86/speculation: Add Kconfig option for GDS (bsc#1206418, CVE-2022-40982). - commit eb94624 - x86/speculation: Add force option to GDS mitigation (bsc#1206418, CVE-2022-40982). - commit 79691d3 - x86/speculation: Add Gather Data Sampling mitigation (bsc#1206418, CVE-2022-40982). - commit 74a70bc - ocfs2: fix defrag path triggering jbd2 ASSERT (bsc#1199304). - ocfs2: fix a deadlock when commit trans (bsc#1199304). - jbd2: export jbd2_journal_[grab|put]_journal_head (bsc#1199304). - ocfs2: fix race between searching chunks and release journal_head from buffer_head (bsc#1199304). - commit f86bdfe - Refresh patches.suse/keys-Fix-linking-a-duplicate-key-to-a-keyring-s-asso.patch. - commit d8b8cf8 - x86/cpu/amd: Add a Zenbleed fix (bsc#1213286, CVE-2023-20593). - commit c2a9155 - x86/cpu/amd: Move the errata checking functionality up (bsc#1213286, CVE-2023-20593). - commit d7a9bc3 - rpm: Update dependency to match current kmod. - commit d687dc3 - keys: Do not cache key in task struct if key is requested from kernel thread (bsc#1213354). - commit 0121b9a - net: mana: Add support for vlan tagging (bsc#1212301). - commit 613e87e - fs: hfsplus: fix UAF issue in hfsplus_put_super (bsc#1211867, CVE-2023-2985). - commit e01b911 - rpm/check-for-config-changes: ignore also RISCV_ISA_* and DYNAMIC_SIGFRAME They depend on CONFIG_TOOLCHAIN_HAS_*. - commit 1007103 - ubi: Fix failure attaching when vid_hdr offset equals to (sub)page size (bsc#1210584). - ubi: ensure that VID header offset + VID header size &lt;= alloc, size (bsc#1210584). - commit 8f5f025 - Remove more packaging cruft for SLE &lt; 12 SP3 - commit a16781c - Get module prefix from kmod (bsc#1212835). - commit f6691b0 - rpm/check-for-config-changes: ignore also PAHOLE_HAS_* We now also have options like CONFIG_PAHOLE_HAS_LANG_EXCLUDE. - commit 86b52c1 - usrmerge: Adjust module path in the kernel sources (bsc#1212835). With the module path adjustment applied as source patch only ALP/Tumbleweed kernel built on SLE/Leap needs the path changed back to non-usrmerged. - commit dd9a820 - ipvlan:Fix out-of-bounds caused by unclear skb-&gt;cb (bsc#1212842 CVE-2023-3090). - commit ddb6922 - x86/build: Avoid relocation information in final vmlinux (bsc#1187829). - commit 88b515e - Refresh patches.suse/cifs-fix-open-leaks-in-open_cached_dir.patch. s/sync_hdr/hdr/ - fix build breakage on CONFIG_CIFS_DEBUG2=y. - commit c3cb631 - kernel-docs: Use python3 together with python3-Sphinx (bsc#1212741). - commit 95a40a6 - HID: intel_ish-hid: Add check for ishtp_dma_tx_map (git-fixes bsc#1212606 CVE-2023-3358). - commit 7077c4f - usb: gadget: udc: renesas_usb3: Fix use after free bug in renesas_usb3_remove due to race condition (bsc#1212513 CVE-2023-35828). - commit 1f06f62 - binfmt_elf: Take the mmap lock when walking the VMA list (bsc#1209039 CVE-2023-1249). - commit 3f46ff2 - bluetooth: Perform careful capability checks in hci_sock_ioctl() (bsc#1210533 CVE-2023-2002). - commit cb86eb0 - relayfs: fix out-of-bounds access in relay_file_read (bsc#1212502 CVE-2023-3268). - kernel/relay.c: fix read_pos error when multiple readers (bsc#1212502 CVE-2023-3268). - commit 73e4027 - media: dm1105: Fix use after free bug in dm1105_remove due to race condition (bsc#1212501 CVE-2023-35824). - commit 0c9d507 - media: saa7134: fix use after free bug in saa7134_finidev due to race condition (bsc#1212494 CVE-2023-35823). - commit 61b38d8 - net/sched: flower: fix possible OOB write in fl_set_geneve_opt() (CVE-2023-35788 bsc#1212504). - commit 865936b - Drop a buggy dvb-core fix patch (bsc#1205758) Also the kabi workaround is dropped, too - commit 7ace3fb - cifs: fix open leaks in open_cached_dir() (bsc#1209342). - commit 82c30e2 - kernel-docs: Add buildrequires on python3-base when using python3 The python3 binary is provided by python3-base. - commit c5df526 - fbcon: Check font dimension limits (CVE-2023-3161 bsc#1212154). - commit 6f6d21f - Move setting %%build_html to config.sh - commit 3f65cd5 - memstick: r592: Fix UAF bug in r592_remove due to race condition (CVE-2023-3141 bsc#1212129 bsc#1211449). - commit 4d760e7 - firewire: fix potential uaf in outbound_phy_packet_callback() (CVE-2023-3159 bsc#1212128). - commit 444321d - Fix missing top level chapter numbers on SLE12 SP5 (bsc#1212158). - commit 7ebcbd5 - Move setting %%split_optional to config.sh - commit 4519250 - Move setting %%supported_modules_check to config.sh - commit d9c64aa - rpm/kernel-docs.spec.in: pass PYTHON=python3 to fix build error (bsc#1160435) - commit 799f050 - rpm/kernel-binary.spec.in: Fix compatibility wth newer rpm - commit 334fb4d - Also include kernel-docs build requirements for ALP - commit 114d088 - Move the kernel-binary conflicts out of the spec file. Thie list of conflicting packages varies per release. To reduce merge conflicts move the list out of the spec file. - commit 4d81125 - sched/rt: pick_next_rt_entity(): check list_entry (bsc#1208600 CVE-2023-1077) - commit a8f82d0 - Avoid unsuported tar parameter on SLE12 - commit f11765a - gve: Remove the code of clearing PBA bit (bsc#1211519). - gve: Secure enough bytes in the first TX desc for all TCP pkts (bsc#1211519). - gve: Cache link_speed value from device (bsc#1211519). - gve: Handle alternate miss completions (bsc#1211519). - gve: Adding a new AdminQ command to verify driver (bsc#1211519). - gve: Fix error return code in gve_prefill_rx_pages() (bsc#1211519). - gve: Reduce alloc and copy costs in the GQ rx path (bsc#1211519). - gve: Fix GFP flags when allocing pages (bsc#1211519). - google/gve:fix repeated words in comments (bsc#1211519). - gve: Fix spelling mistake &quot;droping&quot; -&gt; &quot;dropping&quot; (bsc#1211519). - gve: enhance no queue page list detection (bsc#1211519). - commit 5088617 - Move obsolete KMP list into a separate file. The list of obsoleted KMPs varies per release, move it out of the spec file. - commit 016bc55 - Trim obsolete KMP list. SLE11 is out of support, we do not need to handle upgrading from SLE11 SP1. - commit 08819bb - Generalize kernel-doc build requirements. - commit 23b058f - kernel-binary: Add back kernel-default-base guarded by option Add configsh option for splitting off kernel-default-base, and for not signing the kernel on non-efi - commit 28c22af - net: rpl: fix rpl header size calculation (CVE-2023-2156 bsc#1211131). - commit 884cd15 - Drivers: hv: vmbus: Optimize vmbus_on_event (bsc#1211622). - commit 6cf7013 - usrmerge: Compatibility with earlier rpm (boo#1211796) - commit 2191d32 - Fix usrmerge error (boo#1211796) - commit da84579 - Update References patches.suse/x86-speculation-restore-speculation-related-msrs-during-s3-resume.patch (bsc#1198400 bsc#1209779 CVE-2023-1637). - commit 23e11e7 - tcp: Fix data races around icsk-&gt;icsk_af_ops (bsc#1204405 CVE-2022-3566). - commit d1f836b - Remove usrmerge compatibility symlink in buildroot (boo#1211796) Besides Makefile depmod.sh needs to be patched to prefix /lib/modules. Requires corresponding patch to kmod. - commit b8e00c5 - Update patches.suse/netfilter-x_tables-use-correct-memory-barriers.patch (bsc#1184208 CVE-2021-29650 bsc#1211596 CVE-2020-36694). - commit 0092ed2 - HID: asus: use spinlock to safely schedule workers (bsc#1208604 CVE-2023-1079). - commit df4ce9a - HID: asus: use spinlock to protect concurrent accesses (bsc#1208604 CVE-2023-1079). - commit 4b7a2e4 - ipv6: sr: fix out-of-bounds read when setting HMAC data (bsc#1211592). - commit f37c1a1 - power: supply: bq24190: Fix use after free bug in bq24190_remove due to race condition (CVE-2023-33288 bsc#1211590). - commit 3e2047c - kernel-source: Remove unused macro variant_symbols - commit 915ac72 - media: dvb_net: kABI workaround (CVE-2022-45886 bsc#1205760). - media: dvb_frontend: kABI workaround (CVE-2022-45885 bsc#1205758). - commit c99685c - media: ttusb-dec: fix memory leak in ttusb_dec_exit_dvb() (CVE-2022-45887 bsc#1205762). - media: dvb-core: Fix use-after-free due to race condition at dvb_ca_en50221 (CVE-2022-45919 bsc#1205803). - media: dvb-core: Fix use-after-free due to race at dvb_register_device() (CVE-2022-45884 bsc#1205756). - media: dvb-core: Fix use-after-free due on race condition at dvb_net (CVE-2022-45886 bsc#1205760). - media: dvb-core: Fix kernel WARNING for blocking operation in wait_event*() (CVE-2023-31084 bsc#1210783). - media: dvb-core: Fix use-after-free on race condition at dvb_frontend (CVE-2022-45885 bsc#1205758). - commit f5d1bea - media: dvbdev: fix error logic at dvb_register_device() (CVE-2022-45884 bsc#1205756). - media: dvbdev: Fix memleak in dvb_register_device (CVE-2022-45884 bsc#1205756). - media: media/dvb: Use kmemdup rather than duplicating its implementation (CVE-2022-45884 bsc#1205756). - commit fa580d0 - net: sched: sch_qfq: prevent slab-out-of-bounds in qfq_activate_agg (bsc#1210940 CVE-2023-31436). - commit eeb865d - i2c: xgene-slimpro: Fix out-of-bounds bug in xgene_slimpro_i2c_xfer() (bsc#1210715 CVE-2023-2194). - commit e9b03ca - netrom: Fix use-after-free caused by accept on already connected socket (bsc#1211186 CVE-2023-32269). - commit e76516d - SUNRPC: Ensure the transport backchannel association (bsc#1211203). - commit db18275 - rpm/constraints.in: Increase disk size constraint for riscv64 to 52GB - commit 1c1a4cd - netfilter: nf_tables: deactivate anonymous set from preparation phase (CVE-2023-32233 bsc#1211043). - commit 8d253dc - act_mirred: use the backlog for nested calls to mirred ingress (CVE-2022-4269 bsc#1206024). - net/sched: act_mirred: better wording on protection against excessive stack growth (CVE-2022-4269 bsc#1206024). - net/sched: act_mirred: refactor the handle of xmit (CVE-2022-4269 bsc#1206024). - commit c36d39a - wifi: brcmfmac: slab-out-of-bounds read in brcmf_get_assoc_ies() (bsc#1209287 CVE-2023-1380). - commit 238a208 - Remove obsolete rpm spec constructs defattr does not need to be specified anymore buildroot does not need to be specified anymore - commit c963185 - kernel-spec-macros: Fix up obsolete_rebuilds_subpackage to generate obsoletes correctly (boo#1172073 bsc#1191731). rpm only supports full length release, no provides - commit c9b5bc4 - ext4: add EXT4_INODE_HAS_XATTR_SPACE macro in xattr.h (bsc#1206878 bsc#1211105 CVE-2023-2513). - commit 2a8658b - ext4: fix use-after-free in ext4_xattr_set_entry (bsc#1206878 bsc#1211105 CVE-2023-2513). - commit 880db90 - kernel-binary: install expoline.o (boo#1210791 bsc#1211089) - commit d6c8c20 - net: qcom/emac: Fix use after free bug in emac_remove due to race condition (bsc#1211037 CVE-2023-2483). - commit d3abec2 - Update patches.suse/io_uring-prevent-race-on-registering-fixed-files.patch Fix the missing the bsc# prefix for the bug number in the References tag. - commit 704a6c4 - timens: Forbid changing time namespace for an io_uring process (bsc#1208474 CVE-2023-23586). - commit 89cf4b3 - s390,dcssblk,dax: Add dax zero_page_range operation to dcssblk driver (bsc#1199636). - commit 6a9faa3 - xfs: verify buffer contents when we skip log replay (bsc#1210498 CVE-2023-2124). - commit 8eed3d3 - io_uring: prevent race on registering fixed files (1210414 CVE-2023-1872). - commit e53cfa3 - KVM: VMX: Execute IBPB on emulated VM-exit when guest has IBRS (bsc#1206992 CVE-2022-2196). - commit f66a218 - keys: Fix linking a duplicate key to a keyring's assoc_array (bsc#1207088). - commit 527a5be - xirc2ps_cs: Fix use after free bug in xirc2ps_detach (bsc#1209871 CVE-2023-1670). - commit cfec974 - Drivers: vmbus: Check for channel allocation before looking up relids (git-fixes). - commit de13f74 - scsi: iscsi_tcp: Fix UAF during login when accessing the shost ipaddress (bsc#1210647 CVE-2023-2162). - commit d0a859e - RDMA/core: Refactor rdma_bind_addr (bsc#1210629 CVE-2023-2176) - commit 5886145 - RDMA/cma: Ensure rdma_addr_cancel() happens before issuing more requests (bsc#1210629 CVE-2023-2176) - commit 8b6288f - RDMA/cma: Do not change route.addr.src_addr outside state checks (bsc#1210629 CVE-2023-2176) - commit c706a03 - RDMA/cma: Make the locking for automatic state transition more clear (bsc#1210629 CVE-2023-2176) - commit 7a43827 - vmxnet3: use gro callback when UPT is enabled (bsc#1209739). - commit f513a6e - x86/speculation: Allow enabling STIBP with legacy IBRS (bsc#1210506 CVE-2023-1998). - commit d03ef09 - cifs: fix negotiate context parsing (bsc#1210301). - commit 5d87bbe - power: supply: da9150: Fix use after free bug in da9150_charger_remove due to race condition (CVE-2023-30772 bsc#1210329). - commit 61aa622 - k-m-s: Drop Linux 2.6 support - commit 22b2304 - Remove obsolete KMP obsoletes (bsc#1210469). - commit 7f325c6 - udmabuf: add back sanity check (git-fixes bsc#1210453 CVE-2023-2008). - commit b2b9158 - hwmon: (xgene) Fix use after free bug in xgene_hwmon_remove due to race condition (CVE-2023-1855 bsc#1210202). - commit 4401c6f - netlink: limit recursion depth in policy validation (CVE-2020-36691 bsc#1209613). - Refresh patches.suse/netlink-prevent-potential-spectre-v1-gadgets.patch. - commit 374a1af - nfc: st-nci: Fix use after free bug in ndlc_remove due to race condition (git-fixes bsc#1210337 CVE-2023-1990). - commit 775e632 - Bluetooth: btsdio: fix use after free bug in btsdio_remove due to unfinished work (CVE-2023-1989 bsc#1210336). - commit e27c00d - Update patches.suse/NFSD-Protect-against-send-buffer-overflow-in-NFSv2-R.patch (bsc#1205128 CVE-2022-43945 bsc#1210124). - Update patches.suse/NFSD-Protect-against-send-buffer-overflow-in-NFSv3-R.patch (bsc#1205128 CVE-2022-43945 bsc#1210124). - Update patches.suse/NFSD-Protect-against-send-buffer-overflow-in-NFSv3-Rdir.patch (bsc#1205128 CVE-2022-43945 bsc#1210124). Fix performance problem with these patches - bsc@1210124 - commit 4dbd22d - btrfs: fix race between quota disable and quota assign ioctls (CVE-2023-1611 bsc#1209687). - commit 3fdcd22 - Fix double fget() in vhost_net_set_backend() (bsc#1210203 CVE-2023-1838). - commit 7e671a8 - Define kernel-vanilla as source variant The vanilla_only macro is overloaded. It is used for determining if there should be two kernel sources built as well as for the purpose of determmioning if vanilla kernel should be used for kernel-obs-build. While the former can be determined at build time the latter needs to be baked into the spec file template. Separate the two while also making the latter more generic. $build_dtbs is enabled on every single rt and azure branch since 15.3 when the setting was introduced, gate on the new $obs_build_variant setting as well. - commit 36ba909 - series.conf: cleanup - update upstream references and resort: - patches.suse/wifi-cfg80211-avoid-nontransmitted-BSS-list-corrupti.patch - commit 9bae747 - net/ulp: use consistent error code when blocking ULP (CVE-2023-0461 bsc#1208787). - net/ulp: prevent ULP without clone op from entering the LISTEN status (CVE-2023-0461 bsc#1208787). - commit 028f0fd - rpm/constraints.in: increase the disk size for armv6/7 to 24GB It grows and the build fails recently on SLE15-SP4/5. - commit 41ac816 - rpm/check-for-config-changes: add TOOLCHAIN_NEEDS_* to IGNORED_CONFIGS_RE This new form was added in commit e89c2e815e76 (&quot;riscv: Handle zicsr/zifencei issues between clang and binutils&quot;). - commit 234baea - seq_buf: Fix overflow in seq_buf_putmem_hex() (bsc#1209549 CVE-2023-28772). - commit 5c5e4d3 - PCI: hv: Add a per-bus mutex state_lock (bsc#1209785). - Revert &quot;PCI: hv: Fix a timing issue which causes kdump to fail occasionally&quot; (bsc#1209785). - PCI: hv: Remove the useless hv_pcichild_state from struct hv_pci_dev (bsc#1209785). - PCI: hv: Fix a race condition in hv_irq_unmask() that can cause panic (bsc#1209785). - PCI: hv: fix a race condition bug in hv_pci_query_relations() (bsc#1209785). - commit 6b9e385 - kvm: initialize all of the kvm_debugregs structure before sending it to userspace (bsc#1209532 CVE-2023-1513). - commit bd9c11d - Bluetooth: Fix double free in hci_conn_cleanup (bsc#1209052 CVE-2023-28464). - commit 677d920 - net: tls: fix possible race condition between do_tls_getsockopt_conf() and do_tls_setsockopt_conf() (bsc#1209366 CVE-2023-28466). - commit 5f7c4a6 - Move ENA upstream fix to sorted section. - commit aff6c71 - RDMA/core: Don't infoleak GRH fields (bsc#1209778 CVE-2021-3923) - commit 50ba48b - sched/psi: Fix use-after-free in ep_remove_wait_queue() (CVE-2023-52707 bsc#1225109). - commit 25893f2 - tipc: fix NULL deref in tipc_link_xmit() (bsc#1209289 CVE-2023-1390). - commit b2c1533 - tun: avoid double free in tun_free_netdev (bsc#1209635 CVE-2022-4744). - commit c5cf205 - net/sched: tcindex: update imperfect hash filters respecting rcu (CVE-2023-1281 bsc#1209634). - commit 97b3f9d - fs/proc: task_mmu.c: don't read mapcount for migration entry (CVE-2023-1582, bsc#1209636). - commit 35d5c42 - af_unix: Get user_ns from in_skb in unix_diag_get_exact() (bsc#1209290 CVE-2023-28327). - commit 000517c - netlink: prevent potential spectre v1 gadgets (bsc#1209547 CVE-2017-5753). - commit cec3f24 - tipc: add an extra conn_get in tipc_conn_alloc (bsc#1209288 CVE-2023-1382). - commit 6a58da4 - tipc: set con sock in tipc_conn_alloc (bsc#1209288 CVE-2023-1382). - commit 06eaf34 - Refresh patches.suse/sctp-fail-if-no-bound-addresses-can-be-used-for-a-gi.patch. - commit 890554b - media: dvb-usb: az6027: fix null-ptr-deref in az6027_i2c_xfer() (bsc#1209291 CVE-2023-28328). - commit af7b7eb - rpm/group-source-files.pl: Fix output difference when / is in location While previous attempt to fix group-source-files.pl in 6d651362c38 &quot;rpm/group-source-files.pl: Deal with {pre,post}fixed / in location&quot; breaks the infinite loop, it does not properly address the issue. Having prefixed and/or postfixed forward slash still result in different output. This commit changes the script to use the Perl core module File::Spec for proper path manipulation to give consistent output. - commit 4161bf9 - Require suse-kernel-rpm-scriptlets at all times. The kernel packages call scriptlets for each stage, add the dependency to make it clear to libzypp that the scriptlets are required. There is no special dependency for posttrans, these scriptlets run when transactions are resolved. The plain dependency has to be used to support posttrans. - commit 56c4dbe - Replace mkinitrd dependency with dracut (bsc#1202353). Also update mkinitrd refrences in documentation and comments. - commit e356c9b - prlimit: do_prlimit needs to have a speculation check (bsc#1209256 CVE-2017-5753). - commit a2ac7fb - rpm/kernel-obs-build.spec.in: Remove SLE11 cruft - commit 871eeb4 - rds: rds_rm_zerocopy_callback() correct order for list_add_tail() (CVE-2023-1078 bsc#1208601). - rds: rds_rm_zerocopy_callback() use list_first_entry() (CVE-2023-1078 bsc#1208601). - commit ec0c93c - net/tls: tls_is_tx_ready() checked list_entry (CVE-2023-1075 bsc#1208598). - commit d651270 - tap: tap_open(): correctly initialize socket uid (CVE-2023-1076 bsc#1208599). - tun: tun_chr_open(): correctly initialize socket uid (CVE-2023-1076 bsc#1208599). - net: add sock_init_data_uid() (CVE-2023-1076 bsc#1208599). - netfilter: nf_tables: fix null deref due to zeroed list head (CVE-2023-1095 bsc#1208777). - commit b65b67b - cifs: fix use-after-free caused by invalid pointer `hostname` (bsc#1208971). - commit d1a37f1 - HID: bigben: use spinlock to safely schedule workers (CVE-2023-25012 bsc#1207560). - HID: bigben_worker() remove unneeded check on report_field (CVE-2023-25012 bsc#1207560). - HID: bigben: use spinlock to protect concurrent accesses (CVE-2023-25012 bsc#1207560). - commit 3c79258 - malidp: Fix NULL vs IS_ERR() checking (bsc#1208843 CVE-2023-23004). - commit a8f9557 - Do not sign the vanilla kernel (bsc#1209008). - commit cee4d89 - rpm/group-source-files.pl: Deal with {pre,post}fixed / in location When the source file location provided with -L is either prefixed or postfixed with forward slash, the script get stuck in a infinite loop inside calc_dirs() where $path is an empty string. user@localhost:/tmp&gt; perl &quot;$HOME/group-source-files.pl&quot; -D devel.files -N nondevel.files -L /usr/src/linux-5.14.21-150500.41/ ... path = /usr/src/linux-5.14.21-150500.41/Documentation/Kconfig path = /usr/src/linux-5.14.21-150500.41/Documentation path = /usr/src/linux-5.14.21-150500.41 path = /usr/src path = /usr path = path = path = ... # Stuck in an infinite loop This workarounds the issue by breaking out the loop once path is an empty string. For a proper fix we'd want something that filesystem-aware, but this workaround should be enough for the rare occation that this script is ran manually. Link: http://mailman.suse.de/mlarch/SuSE/kernel/2023/kernel.2023.03/msg00024.html - commit 6d65136 - media: rc: Fix use-after-free bugs caused by ene_tx_irqsim() (CVE-2023-1118 bsc#1208837). - phy: tegra: xusb: Fix return value of tegra_xusb_find_port_node function (CVE-2023-23000 bsc#1208816). - commit 52c897a - scsi: qla2xxx: Add option to disable FC2 Target support (bsc#1198438 bsc#1206103). - Delete patches.suse/revert-scsi-qla2xxx-Changes-to-support-FCP2-Target.patch. - commit 5959f82 - drm/virtio: Fix NULL vs IS_ERR checking in virtio_gpu_object_shmem_init (bsc#1208776 CVE-2023-22998). - commit 2fd8a08 - net/mlx5: DR, Fix NULL vs IS_ERR checking in dr_domain_init_resources (bsc#1208845 CVE-2023-23006). - commit 14082ec - mm/slub: fix panic in slab_alloc_node() (bsc#1208023). - commit b092aa9 - kernel-module-subpackage: Fix expansion with -b parameter (bsc#1208179). When -b is specified the script is prefixed with KMP_NEEDS_MKINITRD=1 which sets the variable for a simple command. However, the script is no longer a simple command. Export the variable instead. - commit 152a069 - README.BRANCH: Update Relieve Ivan Ivanov of his duties as branch maintainer as I am back. - commit 1da55f1 - usb: dwc3: dwc3-qcom: Add missing platform_device_put() in dwc3_qcom_acpi_register_core (bsc#1208741 CVE-2023-22995). - commit 7a31d48 - net: mpls: fix stale pointer if allocation fails during device rename (bsc#1208700 CVE-2023-26545). - commit 18d9ec7 - s390/kexec: fix ipl report address for kdump (bsc#1207575). - commit 7a62f13 - x86/mm: Randomize per-cpu entry area (bsc#1207845 CVE-2023-0597). - commit 3a695c7 - vmxnet3: move rss code block under eop descriptor (bsc#1208212). - commit f589074 - usb: rndis_host: Secure rndis_query check against int overflow (CVE-2023-23559 bsc#1207051). - commit d9a137b - net: mana: Assign interrupts to CPUs based on NUMA nodes (bsc#1208153). - Refresh patches.suse/net-mana-Fix-IRQ-name-add-PCI-and-queue-number.patch. - commit 342fb4d - net: mana: Fix accessing freed irq affinity_hint (bsc#1208153). - genirq: Provide new interfaces for affinity hints (bsc#1208153). - commit 4d24191 - drm/vmwgfx: Avoid NULL-ptr deref in vmw_cmd_dx_define_query() (bsc#1203331 CVE-2022-38096) - commit 1f21d95 - module: Don't wait for GOING modules (bsc#1196058, bsc#1186449, bsc#1204356, bsc#1204662). - commit 77af0b0 - drm/vmwgfx: Validate the box size for the snooped cursor (bsc#1203332 CVE-2022-36280) - commit f246cad - Refresh patches.kabi/scsi-kABI-fix-for-eh_should_retry_cmd.patch (bsc#1206351). The former kABI fix only move the newly added member to scsi_host_template to the end of the struct. But that is usually allocated statically, even by 3rd party modules relying on kABI. Before we use the member we need to signalize that it is to be expected. As we only expect it to be allocated by in-tree modules that we can control, we can use a space in the bitfield to signalize that. - commit 0e772e8 - net: mana: Fix IRQ name - add PCI and queue number (bsc#1207875). - commit f2c8c19 - x86/bugs: Flush IBP in ib_prctl_set() (bsc#1207773 CVE-2023-0045). - commit baf6bec - net: ena: optimize data access in fast-path code (bsc#1208137). - commit 09cfdc0 - net: sched: fix race condition in qdisc_graft() (CVE-2023-0590 bsc#1207795). - net_sched: add __rcu annotation to netdev-&gt;qdisc (CVE-2023-0590 bsc#1207795). - commit c6f042b - Update patches.suse/net-mlx5-Allocate-individual-capability.patch (bsc#1195175). - Update patches.suse/net-mlx5-Dynamically-resize-flow-counters-query-buff.patch (bsc#1195175). - Update patches.suse/net-mlx5-Fix-flow-counters-SF-bulk-query-len.patch (bsc#1195175). - Update patches.suse/net-mlx5-Reduce-flow-counters-bulk-query-buffer-size.patch (bsc#1195175). - Update patches.suse/net-mlx5-Reorganize-current-and-maximal-capabilities.patch (bsc#1195175). - Update patches.suse/net-mlx5-Use-order-0-allocations-for-EQs.patch (bsc#1195175). Fixed bugzilla reference. - commit e56868b - watchdog: diag288_wdt: do not use stack buffers for hardware data (bsc#1207497). - commit f31eb64 - watchdog: diag288_wdt: fix __diag288() inline assembly (bsc#1207497). - commit 2f246cf - RDMA/core: Fix ib block iterator counter overflow (bsc#1207878). - commit 64f6682 - libbpf: Fix null-pointer dereference in find_prog_by_sec_insn() (bsc#1204502 CVE-2022-3606). - commit eef9e8d - cifs: do not include page data when checking signature (bsc#1200217). - commit 89d2457 - config.conf: Drop armv7l, Leap 15.3 is EOL. - Delete config/armv7hl/default. - Delete config/armv7hl/lpae. - commit 022c807 - mm: /proc/pid/smaps_rollup: fix no vma's null-deref (bsc#1207769). - commit be9727c - scsi: mpi3mr: Refer CONFIG_SCSI_MPI3MR in Makefile (git-fixes). - scsi: snic: Fix possible UAF in snic_tgt_create() (git-fixes). - scsi: fcoe: Fix transport not deattached when fcoe_if_init() fails (git-fixes). - scsi: ipr: Fix WARNING in ipr_init() (git-fixes). - scsi: scsi_debug: Fix possible name leak in sdebug_add_host_helper() (git-fixes). - scsi: fcoe: Fix possible name leak when device_register() fails (git-fixes). - scsi: hpsa: Fix possible memory leak in hpsa_add_sas_device() (git-fixes). - scsi: hpsa: Fix error handling in hpsa_add_sas_host() (git-fixes). - scsi: mpt3sas: Fix possible resource leaks in mpt3sas_transport_port_add() (git-fixes). - scsi: hpsa: Fix possible memory leak in hpsa_init_one() (git-fixes). - scsi: scsi_debug: Fix a warning in resp_write_scat() (git-fixes). - scsi: core: Fix a race between scsi_done() and scsi_timeout() (git-fixes). - scsi: scsi_debug: Fix possible UAF in sdebug_add_host_helper() (git-fixes). - scsi: core: Restrict legal sdev_state transitions via sysfs (git-fixes). - scsi: 3w-9xxx: Avoid disabling device if failing to enable it (git-fixes). - scsi: qedf: Fix a UAF bug in __qedf_probe() (git-fixes). - scsi: megaraid_sas: Fix double kfree() (git-fixes). - scsi: Revert &quot;scsi: qla2xxx: Fix disk failure to rediscover&quot; (git-fixes). - commit 25cb1e4 - dm thin: Use last transaction's pmd-&gt;root when commit failed (git-fixes). - dm thin: resume even if in FAIL mode (git-fixes). - dm cache: set needs_check flag after aborting metadata (git-fixes). - dm cache: Fix ABBA deadlock between shrink_slab and dm_cache_metadata_abort (git-fixes). - dm thin: Fix ABBA deadlock between shrink_slab and dm_pool_abort_metadata (git-fixes). - dm integrity: Fix UAF in dm_integrity_dtr() (git-fixes). - dm cache: Fix UAF in destroy() (git-fixes). - dm clone: Fix UAF in clone_dtr() (git-fixes). - dm thin: Fix UAF in run_timer_softirq() (git-fixes). - blktrace: Fix output non-blktrace event when blk_classic option enabled (git-fixes). - dm integrity: flush the journal on suspend (git-fixes). - dm ioctl: fix misbehavior if list_versions races with module loading (git-fixes). - md/raid5: Wait for MD_SB_CHANGE_PENDING in raid5d (git-fixes). - bcache: fix set_at_max_writeback_rate() for multiple attached devices (git-fixes). - nbd: Fix hung when signal interrupts nbd_start_device_ioctl() (git-fixes). - md: Flush workqueue md_rdev_misc_wq in md_alloc() (git-fixes). - drivers:md:fix a potential use-after-free bug (git-fixes). - null_blk: fix ida error handling in null_add_dev() (git-fixes). - md: Notify sysfs sync_completed in md_reap_sync_thread() (git-fixes). - nbd: fix io hung while disconnecting device (git-fixes). - nbd: fix race between nbd_alloc_config() and module removal (git-fixes). - nbd: call genl_unregister_family() first in nbd_cleanup() (git-fixes). - md: protect md_unregister_thread from reentrancy (git-fixes). - nbd: Fix hung on disconnect request if socket is closed before (git-fixes). - dm ioctl: prevent potential spectre v1 gadget (git-fixes). - loop: use sysfs_emit() in the sysfs xxx show() (git-fixes). - dm space map common: add bounds check to sm_ll_lookup_bitmap() (git-fixes). - dm btree: add a defensive bounds check to insert_at() (git-fixes). - commit 223b9c6 - nbd: Fix incorrect error handle when first_minor is illegal in nbd_dev_add (git-fixes). - Refresh for the above change, patches.suse/0019-nbd-fix-possible-overflow-on-first_minor-in-nbd_dev_.patch. - commit 9c00c1c - nbd: fix max value for 'first_minor' (git-fixes). - Refresh for the above change, patches.suse/0012-nbd-fix-possible-overflow-for-first_minor-in-nbd_dev.patch. - commit dd126a5 - dm space maps: don't reset space map allocation cursor when committing (git-fixes). - dm verity: fix require_signatures module_param permissions (git-fixes). - dm integrity: fix flush with external metadata device (git-fixes). - dm integrity: select CRYPTO_SKCIPHER (git-fixes). - dm verity: skip verity work if I/O error when system is shutting down (git-fixes). - dm table: Remove BUG_ON(in_interrupt()) (git-fixes). - nbd: make the config put is called before the notifying the waiter (git-fixes). - nbd: restore default timeout when setting it to zero (git-fixes). - loop: unset GENHD_FL_NO_PART_SCAN on LOOP_CONFIGURE (git-fixes). - blktrace: ensure our debugfs dir exists (git-fixes). - commit 50ca764 - rbd: work around -Wuninitialized warning (git-fixes). - Refresh for the above change, patches.suse/rbd-export-some-functions-used-by-lio-rbd-backend.patch. - commit e923159 - blacklist.conf: add git-fixes commits which won't be backported - commit 4601d33 - blacklist.conf: removing SCSI git-fix mistakenly added This fix was labelled as already present in our code base, but it was not. - commit bcd8cfe - scsi: pmcraid: Fix missing resource cleanup in error case (git-fixes). - scsi: ipr: Fix missing/incorrect resource cleanup in error case (git-fixes). - scsi: vmw_pvscsi: Expand vcpuHint to 16 bits (git-fixes). - scsi: myrb: Fix up null pointer access on myrb_cleanup() (git-fixes). - scsi: megaraid: Fix error check return value of register_chrdev() (git-fixes). - scsi: qedi: Fix failed disconnect handling (git-fixes). - scsi: megaraid_sas: Target with invalid LUN ID is deleted during scan (git-fixes). - scsi: mvsas: Add PCI ID of RocketRaid 2640 (git-fixes). - scsi: libfc: Fix use after free in fc_exch_abts_resp() (git-fixes). - scsi: aha152x: Fix aha152x_setup() __setup handler return value (git-fixes). - scsi: pm8001: Fix pm8001_mpi_task_abort_resp() (git-fixes). - scsi: bfa: Replace snprintf() with sysfs_emit() (git-fixes). - scsi: mvsas: Replace snprintf() with sysfs_emit() (git-fixes). - scsi: myrs: Fix crash in error case (git-fixes). - scsi: qedf: Fix refcount issue when LOGO is received during TMF (git-fixes). - scsi: sr: Don't use GFP_DMA (git-fixes). - scsi: vmw_pvscsi: Set residual data length conditionally (git-fixes). - scsi: libiscsi: Fix UAF in iscsi_conn_get_param()/iscsi_conn_teardown() (git-fixes). - scsi: core: sysfs: Fix setting device state to SDEV_RUNNING (git-fixes). - scsi: core: sysfs: Fix hang when device state is set via sysfs (git-fixes). - scsi: iscsi: Unblock session then wake up error handler (git-fixes). - scsi: advansys: Fix kernel pointer leak (git-fixes). - scsi: core: Fix shost-&gt;cmd_per_lun calculation in scsi_add_host_with_dma() (git-fixes). - scsi: virtio_scsi: Fix spelling mistake &quot;Unsupport&quot; -&gt; &quot;Unsupported&quot; (git-fixes). - scsi: ses: Fix unsigned comparison with less than zero (git-fixes). - scsi: ufs: Fix illegal offset in UPIU event trace (git-fixes). - scsi: ses: Retry failed Send/Receive Diagnostic commands (git-fixes). - scsi: sd: Free scsi_disk device via put_device() (git-fixes). - scsi: core: Fix hang of freezing queue between blocking and running device (git-fixes). - scsi: core: Fix capacity set to zero after offlinining device (git-fixes). - scsi: sr: Return correct event when media event code is 3 (git-fixes). - scsi: core: Avoid printing an error if target_alloc() returns - ENXIO (git-fixes). - scsi: scsi_dh_rdac: Avoid crash during rdac_bus_attach() (git-fixes). - scsi: megaraid_mm: Fix end of loop tests for list_for_each_entry() (git-fixes). - scsi: qedf: Add check to synchronize abort and flush (git-fixes). - scsi: libsas: Add LUN number check in .slave_alloc callback (git-fixes). - scsi: aic7xxx: Fix unintentional sign extension issue on left shift of u8 (git-fixes). - scsi: scsi_dh_alua: Fix signedness bug in alua_rtpg() (git-fixes). - scsi: scsi_dh_alua: Check for negative result value (git-fixes). - scsi: qedi: Fix null ref during abort handling (git-fixes). - scsi: iscsi: Fix shost-&gt;max_id use (git-fixes). - scsi: iscsi: Add iscsi_cls_conn refcount helpers (git-fixes). - scsi: megaraid_sas: Handle missing interrupts while re-enabling IRQs (git-fixes). - scsi: megaraid_sas: Early detection of VD deletion through RaidMap update (git-fixes). - scsi: megaraid_sas: Fix resource leak in case of probe failure (git-fixes). - scsi: core: Cap scsi_host cmd_per_lun at can_queue (git-fixes). - scsi: hisi_sas: Propagate errors in interrupt_init_v1_hw() (git-fixes). - scsi: sr: Return appropriate error code when disk is ejected (git-fixes). - scsi: hisi_sas: Drop free_irq() of devm_request_irq() allocated irq (git-fixes). - scsi: vmw_pvscsi: Set correct residual data length (git-fixes). - scsi: bnx2fc: Return failure if io_req is already in ABTS processing (git-fixes). - scsi: BusLogic: Fix 64-bit system enumeration error for Buslogic (git-fixes). - scsi: libfc: Fix a format specifier (git-fixes). - scsi: mpt3sas: Block PCI config access from userspace during reset (git-fixes). - scsi: scsi_dh_alua: Remove check for ASC 24h in alua_rtpg() (git-fixes). - scsi: st: Fix a use after free in st_open() (git-fixes). - scsi: libiscsi: Fix iscsi_prep_scsi_cmd_pdu() error handling (git-fixes). - scsi: fnic: Fix memleak in vnic_dev_init_devcmd2 (git-fixes). - scsi: ufs: Fix tm request when non-fatal error happens (git-fixes). - scsi: sd: Suppress spurious errors when WRITE SAME is being disabled (git-fixes). - scsi: scsi_transport_spi: Set RQF_PM for domain validation commands (git-fixes). - scsi: ufs-pci: Ensure UFS device is in PowerDown mode for suspend-to-disk -&gt;poweroff() (git-fixes). - scsi: ufs: Fix wrong print message in dev_err() (git-fixes). - scsi: mpt3sas: Increase IOCInit request timeout to 30s (git-fixes). - commit cf6a959 - scsi: ufs: Make sure clk scaling happens only when HBA is runtime ACTIVE (git-fixes). - scsi: ufs: Fix unbalanced scsi_block_reqs_cnt caused by ufshcd_hold() (git-fixes). - scsi: mpt3sas: Fix timeouts observed while reenabling IRQ (git-fixes). - scsi: hpsa: Fix memory leak in hpsa_init_one() (git-fixes). - scsi: core: Don't start concurrent async scan on same host (git-fixes). - scsi: mvumi: Fix error return in mvumi_io_attach() (git-fixes). - scsi: qedf: Return SUCCESS if stale rport is encountered (git-fixes). - scsi: qedi: Protect active command list to avoid list corruption (git-fixes). - scsi: qedi: Fix list_del corruption while removing active I/O (git-fixes). - scsi: ufs: ufs-qcom: Fix race conditions caused by ufs_qcom_testbus_config() (git-fixes). - commit 0335e79 - sctp: fail if no bound addresses can be used for a given scope (bsc#1206677). - commit dcee4fd - scsi: ufs: Clean up completed request without interrupt notification (git-fixes). - Refresh patches.suse/scsi-ufs-Properly-release-resources-if-a-task-is-aborted-successfully. - commit 0e26434 - KVM: VMX: fix crash cleanup when KVM wasn't used (bsc#1207508). - Refresh patches.suse/KVM-x86-speculation-Disable-Fill-buffer-clear-within-guests.patch. - commit 8d5e108 - scsi: ufs: Improve interrupt handling for shared interrupts (git-fixes). - scsi: ufs: Fix interrupt error message for shared interrupts (git-fixes). - scsi: ufs: Fix possible infinite loop in ufshcd_hold (git-fixes). - scsi: iscsi: Do not put host in iscsi_set_flashnode_param() (git-fixes). - scsi: ufs: Add DELAY_BEFORE_LPM quirk for Micron devices (git-fixes). - scsi: scsi_transport_spi: Fix function pointer check (git-fixes). - scsi: sr: Fix sr_probe() missing deallocate of device minor (git-fixes). - scsi: iscsi: Fix reference count leak in iscsi_boot_create_kobj (git-fixes). - scsi: hisi_sas: Do not reset phy timer to wait for stray phy up (git-fixes). - scsi: cxlflash: Fix error return code in cxlflash_probe() (git-fixes). - scsi: core: free sgtables in case command setup fails (git-fixes). - scsi: pm: Balance pm_only counter of request queue during system resume (git-fixes). - scsi: iscsi: Report unbind session event when the target has been removed (git-fixes). - scsi: iscsi: Don't destroy session if there are outstanding connections (git-fixes). - scsi: ufs: Fix a race condition in the tracing code (git-fixes). - scsi: ufs: Make ufshcd_add_command_trace() easier to read (git-fixes). - scsi: aic7xxx: Adjust indentation in ahc_find_syncrate (git-fixes). - scsi: iscsi: Avoid potential deadlock in iscsi_if_rx func (git-fixes). - scsi: iscsi: Don't send data to unbound connection (git-fixes). - scsi: NCR5380: Add disconnect_mask module parameter (git-fixes). - scsi: scsi_debug: num_tgts must be &gt;= 0 (git-fixes). - scsi: ufs: Fix error handing during hibern8 enter (git-fixes). - scsi: ufs: Fix irq return code (git-fixes). - scsi: ufs: Fix up auto hibern8 enablement (git-fixes). - scsi: atari_scsi: sun3_scsi: Set sg_tablesize to 1 instead of SG_NONE (git-fixes). - scsi: ufs: fix potential bug which ends in system hang (git-fixes). - scsi: hisi_sas: Check sas_port before using it (git-fixes). - scsi: fnic: fix use after free (git-fixes). - scsi: ufs: delete redundant function ufshcd_def_desc_sizes() (git-fixes). - scsi: hisi_sas: Delete the debugfs folder of hisi_sas when the probe fails (git-fixes). - commit e77b62a - scsi: hisi_sas: Replace in_softirq() check in hisi_sas_task_exec() (git-fixes). - Refresh patches.suse/scsi-hisi_sas-Remove-preemptible. - commit ce7bed3 - blacklist.conf: add git-fixes to be skipped - commit cb4a471 - netfilter: nft_payload: incorrect arithmetics when fetching VLAN header bits (CVE-2023-0179 bsc#1207034). - commit 9fe77eb - HID: check empty report_list in hid_validate_values() (git-fixes, bsc#1206784). - commit 028641d - HID: check empty report_list in bigben_probe() (git-fixes, bsc#1206784). - commit c479b33 - HID: betop: check shape of output reports (git-fixes, bsc#1207186). - commit f6860d6 - ALSA: pcm: Move rwsem lock inside snd_ctl_elem_read to prevent UAF (CVE-2023-0266 bsc#1207134). - commit 9014493 - sctp: sysctl: make extra pointers netns aware (bsc#1204760). - commit 580597a - net: sched: disallow noqueue for qdisc classes (bsc#1207237 CVE-2022-47929). - commit e015217 - blacklist.conf: 461ab10ef7e6 (&quot;ceph: switch to vfs_inode_has_locks() to fix file lock bug&quot;) - commit b165b65 - ceph: avoid putting the realm twice when decoding snaps fails (bsc#1207198). - ceph: do not update snapshot context when there is no new snapshot (bsc#1207218). - commit 2f13b5a - ipv6: raw: Deduct extension header length in rawv6_push_pending_frames (bsc#1207168). - commit ad4a091 - rpm/mkspec-dtb: add riscv64 dtb-renesas subpackage - commit 6020754 - Update patches.suse/net-sched-cbq-dont-intepret-cls-results-when-asked-t.patch (bsc#1207036 CVE-2023-23454). - commit 88c4e72 - Update patches.suse/net-sched-atm-dont-intepret-cls-results-when-asked-t.patch (bsc#1207125 CVE-2023-23455). - commit e595908 - SLE15-SP3 went to LTSS, hand over to L3 - commit c5e6bf0 - mm/memcg: optimize memory.numa_stat like memory.stat (bsc#1206663). - commit d7619da - drbd: destroy workqueue when drbd device was freed (git-fixes). - drbd: use after free in drbd_create_device() (git-fixes). - drbd: remove usage of list iterator variable after loop (git-fixes). - commit ebdddc5 - powerpc/rtas: avoid scheduling in rtas_os_term() (bsc#1065729). - powerpc/rtas: avoid device tree lookups in rtas_os_term() (bsc#1065729). - commit da7ea39 - net: sched: atm: dont intepret cls results when asked to drop (bsc#1207036). - commit 49dc51c - net: sched: cbq: dont intepret cls results when asked to drop (bsc#1207036). - commit 0726009 - ibmveth: Always stop tx queues during close (bsc#1065729). - commit 8b8572d - Refresh patches.suse/btrfs-avoid-unnecessary-lock-and-leaf-splits-when-up.patch. For bsc#1206904, see: https://bugzilla.suse.com/show_bug.cgi?id=1206904#c6 - commit dfcd116 - README.BRANCH: Added myself as co-maintainer And drop Oscars name. - commit 0607a55 - ipv4: Handle attempt to delete multipath route when fib_info contains an nh reference (bsc#1204171 CVE-2022-3435). - commit d2a1bb2 - net: ipv4: fix route with nexthop object delete warning (bsc#1204171 CVE-2022-3435). - commit 51fb670 - module: avoid *goto*s in module_sig_check() (git-fixes). - commit 95dc2c1 - module: merge repetitive strings in module_sig_check() (git-fixes). - commit e890371 - module: set MODULE_STATE_GOING state when a module fails to load (git-fixes). - commit bbf8a43 - modules: lockdep: Suppress suspicious RCU usage warning (git-fixes). - commit a75abac - module: Remove accidental change of module_enable_x() (git-fixes). - commit c1799c7 - tracing: Verify if trace array exists before destroying it (git-fixes). - commit 484ce03 - powerpc/powernv: add missing of_node_put (bsc#1065729). - powerpc/boot: Fixup device-tree on little endian (bsc#1065729). - powerpc/pseries: Stop calling printk in rtas_stop_self() (bsc#1065729). - powerpc: Force inlining of cpu_has_feature() to avoid build failure (bsc#1065729). - powerpc: improve handling of unrecoverable system reset (bsc#1065729). - powerpc: sysdev: add missing iounmap() on error in mpic_msgr_probe() (bsc#1065729). - powerpc/powernv/smp: Fix spurious DBG() warning (bsc#1065729). - powerpc/crashkernel: Take &quot;mem=&quot; option into account (bsc#1065729). - powerpc/64s/pgtable: fix an undefined behaviour (bsc#1065729). - powerpc/eeh: Only dump stack once if an MMIO loop is detected (bsc#1065729). - powerpc/sriov: Remove VF eeh_dev state when disabling SR-IOV (bsc#1065729). - powerpc/powernv/iov: Ensure the pdn for VFs always contains a valid PE number (bsc#1065729). - commit f1282a1 - blacklist.conf: Add reverted commit - commit 1048706 - powerpc: Ensure that swiotlb buffer is allocated from low memory (bsc#1156395). - commit 6657d5f - powerpc/powernv: Avoid re-registration of imc debugfs directory (bsc#1156395). - powerpc/book3s/mm: Update Oops message to print the correct translation in use (bsc#1156395). - commit 1967b85 - powerpc/pseries/cmm: Implement release() function for sysfs device (bsc#1065729). - commit eef87f7 - rpm/kernel-binary.spec.in: Add Enhances and Supplements tags to in-tree KMPs This makes in-tree KMPs more consistent with externally built KMPs and silences several rpmlint warnings. - commit 02b7735 - mm: fix race between MADV_FREE reclaim and blkdev direct IO read (bsc#1204989,bsc#1205601). - commit b1fad8e - rpm/check-for-config-changes: add OBJTOOL and FTRACE_MCOUNT_USE_* Dummy gcc pretends to support -mrecord-mcount option but actual gcc on ppc64le does not. Therefore ppc64le builds of 6.2-rc1 and later in OBS enable FTRACE_MCOUNT_USE_OBJTOOL and OBJTOOL config options, resulting in check failure. As we already have FTRACE_MCOUNT_USE_CC and FTRACE_MCOUNT_USE_RECORDMCOUNT in the exception list, replace them with a general pattern. And add OBJTOOL as well. - commit 887416f - powerpc/xive/spapr: correct bitmap allocation size (fate#322438 git-fixes). - powerpc/xive: Add a check for memory allocation failure (fate#322438 git-fixes). - commit 2423c59 - arm64: memory: Add missing brackets to untagged_addr() macro (git-fixes) - commit 5dff1e5 - arm64: tags: Preserve tags for addresses translated via TTBR1 (git-fixes) - commit 822d824 - blacklist.conf: (&quot;arm64: lse: Fix LSE atomics with LLVM&quot;) - commit 22e012e - arm64: dts: rockchip: add reg property to brcmf sub-nodes (git-fixes) - commit 82f0058 - arm64: dts: rockchip: fix dwmmc clock name for px30 (git-fixes) - commit 2d24fe0 - arm64: dts: allwinner: H5: Add PMU node (git-fixes) - commit 5f7b503 - arm64: dts: allwinner: H6: Add PMU mode (git-fixes) - commit 3c56f93 - arm64: dts: rockchip: Fix NanoPC-T4 cooling maps (git-fixes) - commit 10890a5 - blacklist.conf: (&quot;arm64: fix alternatives with LLVM's integrated assembler&quot;) - commit a642f3b - blacklist.conf: (&quot;arm64: lse: fix LSE atomics with LLVM's integrated assembler&quot;) - commit 76593cf - blacklist.conf: (&quot;arm64: dts: allwinner: a64: olinuxino: Fix eMMC supply regulator&quot;) - commit 1caef50 - Refresh patches.suse/NFS-Handle-missing-attributes-in-OPEN-reply.patch. Update commit log to prevent patch and quilt from thinking it should apply the example hunks and fail. - commit 78fab3f - NFS: Handle missing attributes in OPEN reply (bsc#1203740). - commit 75c0f21 - NFSv4.x: Fail client initialisation if state manager thread can't run (git-fixes). - SUNRPC: Fix missing release socket in rpc_sockname() (git-fixes). - xprtrdma: Fix regbuf data not freed in rpcrdma_req_create() (git-fixes). - NFS: Fix an Oops in nfs_d_automount() (git-fixes). - NFSv4: Fix a deadlock between nfs4_open_recover_helper() and delegreturn (git-fixes). - NFSv4.2: Fix initialisation of struct nfs4_label (git-fixes). - NFSv4.2: Fix a memory stomp in decode_attr_security_label (git-fixes). - NFSv4.2: Clear FATTR4_WORD2_SECURITY_LABEL when done decoding (git-fixes). - SUNRPC: Don't leak netobj memory when gss_read_proxy_verf() fails (git-fixes). - nfsd: don't call nfsd_file_put from client states seqfile display (git-fixes). - nfs4: Fix kmemleak when allocate slot failed (git-fixes). - NFSv4.2: Fixup CLONE dest file size for zero-length count (git-fixes). - NFSv4: Retry LOCK on OLD_STATEID during delegation return (git-fixes). - NFSv4.1: We must always send RECLAIM_COMPLETE after a reboot (git-fixes). - NFSv4.1: Handle RECLAIM_COMPLETE trunking errors (git-fixes). - NFSv4/pNFS: Always return layout stats on layout return for flexfiles (git-fixes). - NFSD: Return nfserr_serverfault if splice_ok but buf-&gt;pages have data (git-fixes). - NFSD: Fix handling of oversized NFSv4 COMPOUND requests (git-fixes). - NFSv4/pnfs: Fix a use-after-free bug in open (git-fixes). - xprtrdma: treat all calls not a bcall when bc_serv is NULL (git-fixes). - NFSv4: Don't hold the layoutget locks across multiple RPC calls (git-fixes). - SUNRPC: Fix socket waits for write buffer space (git-fixes). - NFSv4: Protect the state recovery thread against direct reclaim (git-fixes). - NFSv4 expose nfs_parse_server_name function (git-fixes). - NFSv4 remove zero number of fs_locations entries error check (git-fixes). - NFSv4.1: Fix uninitialised variable in devicenotify (git-fixes). - nfs: nfs4clinet: check the return value of kstrdup() (git-fixes). - NFSv4 only print the label when its queried (git-fixes). - NFSD: Keep existing listeners on portlist error (git-fixes). - lockd: lockd server-side shouldn't set fl_ops (git-fixes). - rpc: fix gss_svc_init cleanup on failure (git-fixes). - NFS: nfs_find_open_context() may only select open files (git-fixes). - NFSD: fix error handling in NFSv4.0 callbacks (git-fixes). - rpc: fix NULL dereference on kmalloc failure (git-fixes). - fs: nfsd: fix kconfig dependency warning for NFSD_V4 (git-fixes). - nfs: we don't support removing system.nfs4_acl (git-fixes). - nfs: fix PNFS_FLEXFILE_LAYOUT Kconfig default (git-fixes). - SUNRPC: Handle 0 length opaque XDR object data properly (git-fixes). - SUNRPC: Move simple_get_bytes and simple_get_netobj into private header (git-fixes). - pNFS/NFSv4: Try to return invalid layout in pnfs_layout_process() (git-fixes). - NFSv4: Fix a pNFS layout related use-after-free race when freeing the inode (git-fixes). - NFS4: Fix oops when copy_file_range is attempted with NFS4.0 source (git-fixes). - SUNRPC: Mitigate cond_resched() in xprt_transmit() (git-fixes). - SUNRPC: stop printk reading past end of string (git-fixes). - NFS: Zero-stateid SETATTR should first return delegation (git-fixes). - NFSv4.1 handle ERR_DELAY error reclaiming locking state on delegation recall (git-fixes). - svcrdma: Fix another Receive buffer leak (git-fixes). - NFS: nfs_xdr_status should record the procedure name (git-fixes). - net: sunrpc: Fix off-by-one issues in 'rpc_ntop6' (git-fixes). - nfsd: safer handling of corrupted c_type (git-fixes). - nfsd: Fix svc_xprt refcnt leak when setup callback client failed (git-fixes). - sunrpc: check that domain table is empty at module unload (git-fixes). - svcrdma: Fix backchannel return code (git-fixes). - SUNRPC: Don't start a timer on an already queued rpc task (git-fixes). - NFS: Fix memory leaks in nfs_pageio_stop_mirroring() (git-fixes). - NFS: direct.c: Fix memory leak of dreq when nfs_get_lock_context fails (git-fixes). - NFSv4.2: error out when relink swapfile (git-fixes). - NFSv4: Fix races between open and dentry revalidation (git-fixes). - sunrpc: Fix potential leaks in sunrpc_cache_unhash() (git-fixes). - nfsd: Clone should commit src file metadata too (git-fixes). - NFS: Fix memory leaks (git-fixes). - commit 5b3ba89 - memcg, kmem: further deprecate kmem.limit_in_bytes (bsc#1206896). - commit c8d19aa - blacklist.conf: blacklist 6fcbcec9cfc7 - commit de669f1 - arm64: cpu_errata: Add Hisilicon TSV110 to spectre-v2 safe list (git-fixes) - commit b310aa7 - blacklist.conf: (&quot;arm64: dts: ls1028a: fix typo in TMU calibration data&quot;) - commit 716a28c - blacklist.conf: (&quot;arm64: Validate tagged addresses in access_ok() called from kernel&quot;) - commit 9dd7e12 - blacklist.conf: (&quot;arm64: insn: consistently handle exit text&quot;) - commit f816334 - blacklist.conf: blacklist 5c099c4fd - commit 5b0fa49 - blacklist.conf: blacklist c3497fd009ef - commit 359f3b8 - blacklist.conf: blacklist c915fb80eaa - commit 02b35f9 - ext4: avoid BUG_ON when creating xattrs (bsc#1205496). - commit b1bfe2a - ext4: fix uninititialized value in 'ext4_evict_inode' (bsc#1206893). - commit ff976a4 - ext4: fix corruption when online resizing a 1K bigalloc fs (bsc#1206891). - commit 140cef5 - ext4: fix undefined behavior in bit shift for ext4_check_flag_values (bsc#1206890). - commit 0696f69 - ext4: silence the warning when evicting inode with dioread_nolock (bsc#1206889). - commit 8d66379 - ext4: fix use-after-free in ext4_ext_shift_extents (bsc#1206888). - commit 027bd53 - ext4: fix warning in 'ext4_da_release_space' (bsc#1206887). - commit 5134642 - ext4: fix BUG_ON() when directory entry has invalid rec_len (bsc#1206886). - commit 7d14bba - Update tags in patches.suse/ext4-Fix-check-for-block-being-out-of-directory-size.patch. - commit b651ac6 - ext4: make ext4_lazyinit_thread freezable (bsc#1206885). - commit f8a1109 - ext4: fix null-ptr-deref in ext4_write_info (bsc#1206884). - commit 100f2b7 - ext4: avoid crash when inline data creation follows DIO write (bsc#1206883). - commit 05e8ed4 - ext4: continue to expand file system when the target size doesn't reach (bsc#1206882). - commit 1b01bae - ext4: fix bug in extents parsing when eh_entries == 0 and eh_depth &gt; 0 (bsc#1206881). - commit f1f3d4f - blacklist.conf: blacklist 613c5a85898d - commit 48dfb5e - ext4: avoid resizing to a partial cluster size (bsc#1206880). - commit f96243f - blacklist.conf: blacklist b24e77ef1c6d - commit 7ecc9d3 - ext4: correct the misjudgment in ext4_iget_extra_inode (bsc#1206878). - commit b931654 - ext4: correct max_inline_xattr_value_size computing (bsc#1206878). - commit fde0a78 - ext4: fix use-after-free in ext4_xattr_set_entry (bsc#1206878). - commit a4c76a4 - ext4: add EXT4_INODE_HAS_XATTR_SPACE macro in xattr.h (bsc#1206878). - commit ecac58a - ext4: fix extent status tree race in writeback error recovery path (bsc#1206877). - commit 35c3734 - ext4: update s_overhead_clusters in the superblock during an on-line resize (bsc#1206876). - commit 4ca9666 - ext4: correct the error path of ext4_write_inline_data_end() (bsc#1206875). - commit 9ad9468 - blacklist.conf: blacklist 5dccdc5a1916 - commit 8417a93 - blacklist.conf: blacklist efc61345274d - commit 8078536 - blacklist.conf: blacklist 5a3b590d4b2d - commit 5590cb0 - ext4: Detect already used quota file early (bsc#1206873). - commit 0136eeb - blacklist.conf: Blacklist 0f5bde1db174 - commit 66ece1b - blacklist.conf: blacklist f25391ebb475 - commit b3ab927 - ext4: avoid race conditions when remounting with options that change dax (bsc#1206860). Refresh patches.suse/ext4-dont-warn-when-enabling-DAX.patch - commit 89b7d84 - blacklist.conf: Add ppc ddw fix only applicable to 5.15 - commit ce185e4 - ext4: convert BUG_ON's to WARN_ON's in mballoc.c (bsc#1206859). - commit c933ca2 - blacklist.conf: blacklist a17a9d935dc4 - commit 267ec30 - ext4: use matching invalidatepage in ext4_writepage (bsc#1206858). - commit 9adbb3f - ext4: mark block bitmap corrupted when found instead of BUGON (bsc#1206857). - commit 0b7c7d5 - ext4: fix a data race at inode-&gt;i_disksize (bsc#1206855). - commit 6032d35 - ext4: choose hardlimit when softlimit is larger than hardlimit in ext4_statfs_project() (bsc#1206854). - commit 1fdf2d9 - blacklist.conf: blacklist 4068664e3cd2 - commit 3a30037 - blacklist.conf: Add active memory.high throttling fixups - d397a45fc741 mm, memcg: fix corruption on 64-bit divisor in memory.high throttling - e26733e0d0ec mm, memcg: throttle allocators based on ancestral memory.high - 9b8b17541f13 mm, memcg: do not high throttle allocators based on wraparound - commit 0508c0b - sched/psi: Fix sampling error and rare div0 crashes with cgroups and high uptime (bsc#1206841). - commit d518fcd - scsi: lpfc: Remove linux/msi.h include (jsc#PED-1445). - scsi: lpfc: Update lpfc version to 14.2.0.9 (jsc#PED-1445). - scsi: lpfc: Fix crash involving race between FLOGI timeout and devloss handler (jsc#PED-1445). - scsi: lpfc: Fix MI capability display in cmf_info sysfs attribute (jsc#PED-1445). - scsi: lpfc: Correct bandwidth logging during receipt of congestion sync WCQE (jsc#PED-1445). - scsi: lpfc: Fix WQ|CQ|EQ resource check (jsc#PED-1445). - scsi: lpfc: Use memset_startat() helper (jsc#PED-1445). - scsi: lpfc: Remove redundant pointer 'lp' (jsc#PED-1445). - string.h: Introduce memset_startat() for wiping trailing members and padding (jsc#PED-1445). - commit 76decfc - scsi: qla2xxx: Fix crash when I/O abort times out (jsc#PED-568). - scsi: qla2xxx: Initialize vha-&gt;unknown_atio_[list, work] for NPIV hosts (jsc#PED-568). - scsi: qla2xxx: Remove duplicate of vha-&gt;iocb_work initialization (jsc#PED-568). - scsi: qla2xxx: Remove unused variable 'found_devs' (jsc#PED-568). - scsi: qla2xxx: Fix set-but-not-used variable warnings (jsc#PED-568). - commit b04c714 - blacklist.conf: pSeries and powernv get dt from firmware - commit 47ec098 - powerpc/pseries/eeh: use correct API for error log size (bsc#1065729). - powerpc/perf: callchain validate kernel stack pointer bounds (bsc#1065729). - powerpc/xive: add missing iounmap() in error path in xive_spapr_populate_irq_data() (fate#322438 git-fixes). - powerpc/pci: Fix get_phb_number() locking (bsc#1065729). - powerpc/64: Init jump labels before parse_early_param() (bsc#1065729). - commit 3405c6d - powerpc/pseries: unregister VPA when hot unplugging a CPU (bsc#1205695 ltc#200603). - commit 3d8dab2 - Fix kABI breakage in usb.h: struct usb_device: hide new member (bsc#1206664 CVE-2022-4662). - commit a53ec27 - USB: core: Prevent nested device-reset calls (bsc#1206664 CVE-2022-4662). - commit 2d03a85 - drm: mali-dp: potential dereference of null pointer (CVE-2022-3115 bsc#1206393). - commit 9246c67 - wifi: wilc1000: validate pairwise and authentication suite offsets (CVE-2022-47520 bsc#1206515). - commit 10a48d9 - kabi/severities: ignore kABI change for meson driver fix (CVE-2022-3112 bsc#1206399) - commit cecc04a - media: meson: vdec: potential dereference of null pointer (CVE-2022-3112 bsc#1206399). - commit 32c7d25 - Bluetooth: L2CAP: Fix use-after-free caused by l2cap_reassemble_sdu (CVE-2022-3564 bsc#1206073). - commit 5495793 - Update patch reference for BT fix (CVE-2022-3564 bsc#1206073) - commit a5136f0 - udf: Fix a slab-out-of-bounds write bug in udf_find_entry() (bsc#1206649). - commit 81eb278 - udf_get_extendedattr() had no boundary checks (bsc#1206648). - commit 2ff0ceb - udf: Fix iocharset=utf8 mount option (bsc#1206647). - commit 6d30f6e - udf: Fix NULL pointer dereference in udf_symlink function (bsc#1206646). - commit aa42b50 - udf: fix silent AED tagLocation corruption (bsc#1206645). - commit a3bf788 - udf: fix the problem that the disc content is not displayed (bsc#1206644). - commit baed6fa - udf: Limit sparing table size (bsc#1206643). - commit 10a39e1 - udf: Avoid accessing uninitialized data on failed inode read (bsc#1206642). - commit 8c98e30 - udf: Fix free space reporting for metadata and virtual partitions (bsc#1206641). - commit 0743d18 - quota: Check next/prev free block number after reading from quota file (bsc#1206640). - commit f8fb63e - blacklist.conf: Blacklist dd5532a4994b - commit 836bdfa - blacklist.conf: Blacklist dfc2d2594e4a - commit dd5297d - blacklist.conf: Blacklist f4c2d372b89a - commit fc7d11b - ext4: iomap that extends beyond EOF should be marked dirty (bsc#1206637). - commit e1b2dad - blacklist.conf: Blacklist 02f03c4206c1 - commit bb8f69f - isofs: joliet: Fix iocharset=utf8 mount option (bsc#1206636). - commit 9374be1 - mm/filemap.c: clear page error before actual read (bsc#1206635). - commit 5e80ff2 - lib/notifier-error-inject: fix error when writing -errno to debugfs file (bsc#1206634). - commit dea9978 - libfs: add DEFINE_SIMPLE_ATTRIBUTE_SIGNED for signed value (bsc#1206634). - commit 2504e98 - blacklist.conf: Blacklist 9066e151c379 - commit 966d217 - sbitmap: fix lockup while swapping (bsc#1206602). - commit 008171d - struct usbnet: move new members to end (git-fixes). - commit f647bb2 - net: usb: cdc_ncm: don't spew notifications (git-fixes). - Refresh patches.suse/0002-Add-a-void-suse_kabi_padding-placeholder-to-some-USB.patch. - commit 6bb9cb6 - blacklist.conf: (&quot;arm64: dts: armada-3720-turris-mox: add firmware node&quot;) - commit 77ea716 - arm64: dts: marvell: Add AP806-dual missing CPU clocks (git-fixes) - commit 954a96f - blacklist.conf: (&quot;crypto: arm64/aes-neonbs - add return value of skcipher_walk_done()&quot;) - commit 8dcdb26 - arm64: tegra: Fix 'active-low' warning for Jetson Xavier regulator (git-fixes) - commit c3c7089 - arm64: psci: Reduce the waiting time for cpu_psci_cpu_kill() (git-fixes). - commit ae4388c - net: usb: qmi_wwan: add u-blox 0x1342 composition (git-fixes). - commit 47e48bc - rtc: pcf85063: Fix reading alarm (git-fixes). - commit 3b1fc33 - efi: Add iMac Pro 2017 to uefi skip cert quirk (git-fixes). - commit 1dc7c8f Package krb5 was updated: - Fix vulnerabilities in GSS message token handling, add patch 0013-Fix-vulnerabilities-in-GSS-message-token-handling.patch * CVE-2024-37370, bsc#1227186 * CVE-2024-37371, bsc#1227187 - Fix memory leaks, add patch 0012-Fix-two-unlikely-memory-leaks.patch * CVE-2024-26458, bsc#1220770 * CVE-2024-26461, bsc#1220771 - Ensure array count consistency in kadm5 RPC; (bsc#1214054); (CVE-2023-36054); - Added patches: * 0011-Ensure-array-count-consistency-in-kadm5-RPC.patch - Fix integer overflows in PAC parsing; (CVE-2022-42898); (bso#15203), (bsc#1205126). - Added patches: * 0010-Fix-integer-overflows-in-PAC-parsing.patch Package less was updated: - Fix CVE-2024-32487, mishandling of \n character in paths when LESSOPEN is set leads to OS command execution (CVE-2024-32487, bsc#1222849) * CVE-2024-32487.patch - Fix CVE-2022-48624, LESSCLOSE handling in less does not quote shell metacharacters, bsc#1219901 * CVE-2022-48624.patch Package libX11 was updated: - U_0001-CVE-2023-43785-out-of-bounds-memory-access-in-_XkbRe.patch U_0002-CVE-2023-43786-stack-exhaustion-from-infinite-recurs.patch U_0003-XPutImage-clip-images-to-maximum-height-width-allowe.patch U_0004-XCreatePixmap-trigger-BadValue-error-for-out-of-rang.patch U_0005-CVE-2023-43787-Integer-overflow-in-XCreateImage-lead.patch * CVE-2023-43785 libX11: out-of-bounds memory access in _XkbReadKeySyms() (boo#1215683) * CVE-2023-43786 libX11: stack exhaustion from infinite recursion in PutSubImage() (boo#1215684) * CVE-2023-43787 libX11: integer overflow in XCreateImage() leading to a heap overflow (boo#1215685) - U_InitExt.c-Add-bounds-checks-for-extension-request-ev.patch * Buffer overflows in InitExt.c (boo#1212102, CVE-2023-3138) - U_Don-t-try-to-destroy-NULL-condition-variables.patch * fixes regression introduced with security update for CVE-2022-3555 (bsc#1204425, bsc#1208881) - U_fix-a-memory-leak-in-XRegisterIMInstantiateCallback.patch * security update for CVE-2022-3554 (bsc#1204422) - U_Fix-two-memory-leaks-in-_XFreeX11XCBStructure.patch * security update for CVE-2022-3555 (bsc#1204425) Package avahi was updated: - Add avahi-CVE-2023-38472.patch: Fix reachable assertion in avahi_rdata_parse (bsc#1216853, CVE-2023-38472). - Add avahi-CVE-2023-38471.patch: Extract host name using avahi_unescape_label (bsc#1216594, CVE-2023-38471). - Add avahi-CVE-2023-38469.patch: Reject overly long TXT resource records (bsc#1216598, CVE-2023-38469). - Add avahi-CVE-2023-38470.patch: Ensure each label is at least one byte long (bsc#1215947, CVE-2023-38470). - Add avahi-CVE-2023-38473.patch: derive alternative host name from its unescaped version (bsc#1216419 CVE-2023-38473). - Add avahi-CVE-2023-1981.patch: emit error if requested service is not found (boo#1210328 CVE-2023-1981). - Add avahi-bsc1163683.patch: do not cache responses generated locally (bsc#1163683). Package util-linux was updated: - fix Xen virtualization type misidentification bsc#1215918 lscpu-fix-parameter-order-for-ul_prefix_fopen.patch - Properly neutralize escape sequences in wall (util-linux-CVE-2024-28085.patch, bsc#1221831, CVE-2024-28085, and its prerequisites: util-linux-fputs_careful1.patch, util-linux-wall-migrate-to-memstream.patch util-linux-fputs_careful2.patch). - Add upstream patch util-linux-libuuid-avoid-truncate-clocks.txt-to-improve-perform.patch bsc#1207987 gh#util-linux/util-linux@1d98827edde4 - Add upstream patch fix-lib-internal-cache-size.patch bsc#1210164, gh#util-linux/util-linux@2fa4168c8bc9 - Fix tests not passing when '@' character is in build path: Fixes rpmbuild %checks fail when @ in the directory path (bsc#1194038). - Add util-linux-fix-tests-when-at-symbol-in-path.patch - libuuid continuous clock handling for time based UUIDs: Prevent use of the new libuuid ABI by uuidd %post before update of libuuid1 (bsc#1205646). - util-linux-uuidd-prevent-root-owning.patch: Use chown --quiet to prevent error message if /var/lib/libuuid/clock.txt does not exist. - Fix file conflict during upgrade (boo#1204211). - libuuid improvements (bsc#1201959, PED-1150): * libuuid: Fix range when parsing UUIDs (util-linux-libuuid-uuid_parse-overrun.patch). * Improve cache handling for short running applications-increment the cache size over runtime (util-linux-libuuid-improve-cache-handling.patch). * Implement continuous clock handling for time based UUIDs (util-linux-libuuid-continuous-clock-handling.patch). * Check clock value from clock file to provide seamless libuuid update (util-linux-libuuid-check-clock-value.patch). Package libcap was updated: - Fixed integer overflow or wraparound in libcap/cap_alloc.c:_libcap_strdup() (bsc#1211419 / CVE-2023-2603) CVE-2023-2603.patch Package c-ares was updated: - CVE-2024-25629.patch: fix out of bounds read in ares__read_line() (bsc#1220279, CVE-2024-25629) - Update to version 1.19.1 Security: * CVE-2023-32067. High. 0-byte UDP payload causes Denial of Service (bsc#1211604) * CVE-2023-31147 Moderate. Insufficient randomness in generation of DNS query IDs (bsc#1211605) * CVE-2023-31130. Moderate. Buffer Underwrite in ares_inet_net_pton() (bsc#1211606) * CVE-2023-31124. Low. AutoTools does not set CARES_RANDOM_FILE during cross compilation (bsc#1211607) Bug fixes: * Fix uninitialized memory warning in test * ares_getaddrinfo() should allow a port of 0 * Fix memory leak in ares_send() on error * Fix comment style in ares_data.h * Fix typo in ares_init_options.3 * Sync ax_pthread.m4 with upstream * Sync ax_cxx_compile_stdcxx_11.m4 with upstream to fix uclibc support - Update to version 1.19.0 Security: * Low. Stack overflow in ares_set_sortlist() which is used during c-ares initialization and typically provided by an administrator and not an end user. (bsc#1208067, CVE-2022-4904) Changes: * Add ARES_OPT_HOSTS_FILE similar to ARES_OPT_RESOLVCONF for specifying a custom hosts file location. Bug fixes: * Fix memory leak in reading /etc/hosts when using localhost fallback. * Fix chain building c-ares when libresolv is already included by another project. * File lookup should not immediately abort as there may be other tries due to search criteria. * Asterisks should be allowed in host validation as CNAMEs may reference wildcard domains. * AutoTools build system referenced bad STDC_HEADERS macro. * Even if one address class returns a failure for ares_getaddrinfo() we should still return the results we have. * Fix ares_getaddrinfo() numerical address resolution with AF_UNSPEC * Fix tools and help information. * Various documentation fixes and cleanups. * Add include guards to ares_data.h * c-ares could try to exceed maximum number of iovec entries supported by system. * The RFC6761 6.3 states localhost subdomains must be offline too - update to 1.18.1. Changes since 1.17.2: * Allow '/' as a valid character for a returned name for CNAME in-addr.arpa delegation * no longer forwards requests for localhost resolution per RFC6761 * During a domain search, treat ARES_ENODATA as ARES_NXDOMAIN so that the search process will continue to the next domain in the search. * Provide ares_nameser.h as a public interface as needed by NodeJS * Add support for URI(Uniform Resource Identifier) records via ares_parse_uri_reply() - disable unit tests for SLE12 since GCC compiler too old to build unit tests - 5c995d5.patch: upstreamed - disable-live-tests.patch: refreshed - new upstream website - drop multibuild - tests do not require static library anymore - spec file cleanup - drop sources that were re-added to upstream distibution (c-ares-config.cmake.in ares_dns.h libcares.pc.cmake) Package libxcrypt was updated: - fix variable name for datamember in 'struct crypt_data' [bsc#1215496]- added patches fix https://github.com/besser82/libxcrypt/commit/b212d601549a0fc84cbbcaf21b931f903787d7e2 + libxcrypt-man-fix-variable-name.patch Package cryptsetup was updated: - luksFormat: Handle system with low memory and no swap space [bsc#1211079] * Check for physical memory available also in PBKDF benchmark. * Try to avoid OOM killer on low-memory systems without swap. * Use only half of detected free memory on systems without swap. * Add patches: - cryptsetup-Check-for-physical-memory-available-also-in-PBKDF-be.patch - cryptsetup-Try-to-avoid-OOM-killer-on-low-memory-systems-withou.patch - cryptsetup-Use-only-half-of-detected-free-memory-on-systems-wit.patch Package libeconf was updated: - Additional info for version 0.5.2: * Fixed a stack-buffer-overflow vulnerability in &quot;econf_writeFile&quot; function. (CVE-2023-30078, CVE-2023-32181, bsc#1211078) * Fixed a stack-buffer-overflow vulnerability in &quot;read_file&quot; function. (CVE-2023-30079, CVE-2023-22652, bsc#1211078) - Update to version 0.5.2: * Fixed build for aarch64 and gcc13. * Making the output verbose when a test fails. * Fixed a stack-buffer-overflow vulnerability in &quot;econf_writeFile&quot; function. * Fixed a stack-buffer-overflow vulnerability in &quot;read_file&quot; function. * Added new feature: econf_set_conf_dirs (const char **dir_postfix_list) Sets a list of directory structures (with order) which describes the directories in which the files have to be parsed. E.G. with the given list: {&quot;/conf.d/&quot;, &quot;.d/&quot;, &quot;/&quot;, NULL} files in following directories will be parsed: &quot;&lt;default_dirs&gt;/&lt;project_name&gt;.&lt;suffix&gt;.d/&quot; &quot;&lt;default_dirs&gt;/&lt;project_name&gt;/conf.d/&quot; &quot;&lt;default_dirs&gt;/&lt;project_name&gt;.d/&quot; &quot;&lt;default_dirs&gt;/&lt;project_name&gt;/&quot; The entry &quot;&lt;default_dirs&gt;/&lt;project_name&gt;.&lt;suffix&gt;.d/&quot; will be added automatically. * General code cleanup. - Update to version 0.5.1: * Reading files in /usr/_vendor_/_example_._suffix_.d/* regardless there is a /etc/_example_._suffix_ file. (#175) - Update to version 0.5.0: * API calls econf_read*WithCallback supporting a general (void *) argument for user defined data with which the callback function is called. * Tagged following functions deprecated: econf_requireOwner, econf_requireGroup, econf_requirePermissions, econf_followSymlinks, econf_reset_security_settings Use one of the econf_read*WithCallback functions instead. - Update to version 0.4.9: * libeconf.h: added missing sys/types.h header (#171) * new API calls: econf_readFileWithCallback, econf_readDirsWithCallback, econf_readDirsHistoryWithCallback (#172) * Checking NULL comment parameter in the parsing functions. - Update to version 0.4.8+git20221114.7ff7704: * Parsing files which are containing keys only (#170) All delimiters are allowed now : &quot;&quot;, &quot; =&quot;, &quot; &quot;, &quot;=&quot;. But the user should use &quot;&quot; in order to be distinct. * /usr/etc/shells.d/&lt;file_name&gt; will not be parsed if /etc/shells.d/&lt;file_name&gt; is defined too. * Lto build fixed (#168) * New calls: econf_comment_tag, econf_delimiter_tag, econf_set_comment_tag, econf_set_delimiter_tag * Checking UID,GroupID, permissions,... of the parsed files (#165) New calls: econf_requireOwner, econf_requireGroup, econf_requirePermissions, econf_followSymlinks * Ignoring Group without brackets; Do not hold brackets in the internal data structure. (#164) * Error handling improved for nums and booleans (#163) - Update to version 0.4.6+git20220427.3016f4e: * econftool: * * Parsing error: Reporting file and line nr. * * --delimeters=spaces Taking all kind of spaces for delimiter * libeconf: Fixed bsc#1198165: Parsing files correctly which have space characters AND none space characters as delimiters. - Update to version 0.4.5+git20220406.c9658f2: * econftool: * * New call &quot;syntax&quot; for checking the configuration files only. Returns an error string with line number if an error occurs. * * New options &quot;--comment&quot; and &quot;--delimeters&quot; * * Parsing one file only if needed. Package libfastjson was updated: - fix CVE-2020-12762 integer overflow and out-of-bounds write via a large JSON file (bsc#1171479) add 0001-Fix-CVE-2020-12762.patch Package freetype2 was updated: - Added patch: * CVE-2023-2004.patch + fixes bsc#1210419, CVE-2023-2004: Integer overflow Package gnutls was updated: - Security fix: [bsc#1218865, CVE-2024-0553] * Incomplete fix for CVE-2023-5981. * The response times to malformed ciphertexts in RSA-PSK ClientKeyExchange differ from response times of ciphertexts with correct PKCS#1 v1.5 padding. * Add gnutls-CVE-2024-0553.patch - Security fix: [bsc#1217277, CVE-2023-5981] * Fix timing side-channel inside RSA-PSK key exchange. * auth/rsa_psk: side-step potential side-channel * Add curl-CVE-2023-5981.patch - Security Fix: [bsc#1208143, CVE-2023-0361] * Bleichenbacher oracle in TLS RSA key exchange * Add gnutls-CVE-2023-0361.patch - Validate input when calling fmemopen() [bsc#1204511] * Add gnutls-check-system_priority_buf-input.patch Package libjansson was updated: - Update to 2.14 (boo#1201817): * New Features: + Add `json_object_getn`, `json_object_setn`, `json_object_deln`, and the corresponding `nocheck` functions. + Add jansson_version_str() and jansson_version_cmp() for runtime version checking + Add json_object_update_new(), json_object_update_existing_new() and json_object_update_missing_new() functions + Add json_object_update_recursive() + Add `json_pack()` format specifiers s*, o* and O* for values that can be omitted if null (#339). + Add `json_error_code()` to retrieve numeric error codes (#365, #380, #381). + Enable thread safety for `json_dump()` on all systems. Enable thread safe `json_decref()` and `json_incref()` for modern compilers (#389). + Add `json_sprintf()` and `json_vsprintf()` (#393). * Fixes: + Handle `sprintf` corner cases. + Add infinite loop check in json_deep_copy() + Enhance JANSSON_ATTRS macro to support earlier C standard(C89) + Update version detection for sphinx-build + Fix error message in `json_pack()` for NULL object (#409). + Avoid invalid memory read in `json_pack()` (#421). + Call va_end after va_copy in `json_vsprintf()` (#427). + Improve handling of formats with '?' and '*' in `json_pack()` (#438). + Remove inappropriate `jsonp_free()` which caused segmentation fault in error handling (#444). + Fix incorrect report of success from `json_dump_file()` when an error is returned by `fclose()` (#359). + Make json_equal() const-correct (#344). + Fix incomplete stealing of references by `json_pack()` (#374) - Use GitHub as source URLs: Release hasn't been uploaded to digip.org. - Add check section. Package libksba was updated: - Security fix: [bsc#1206579, CVE-2022-47629] * Integer overflow in the CRL signature parser. * Add libksba-CVE-2022-47629.patch Package openldap2 was updated: - bsc#1212260 - crash in libldap when non-ldap data responds * 0245-ITS-9803-Drop-connection-when-receiving-non-LDAP-dat.patch - bsc#1211795 - CVE-2023-2953 - Null pointer deref in ber_memalloc_x * 0244-ITS-9904-ldif_open_url-check-for-ber_strdup-failure.patch Package ldb was updated: - Remove no longer needed ldb-memory-bug-15096-4.15-ldbonly.patch- Add cve-2023-0614.patch: Address CVE-2023-0614 - CVE-2023-0614: samba: Access controlled AD LDAP attributes can be discovered; (bsc#1209485); (bso#15270); - Update to version 2.4.4 + CVE-2022-32746 ldb: db: Use-after-free occurring in database audit logging module; (bso#15009); (bsc#1201490). Package liblognorm was updated: - Upgrade to liblognorm v2.0.6 (jsc#PED-4883) * 2018-11-02: nitfixes: issues deteced by CodeFactor.com * 2018-11-01: more cleanup of shell scripting * 2018-10-31: cleanup shell scripting * 2018-10-26: implement Checkpoint LEA transfer format * 2018-10-31: fix mising shebangs in test scripts * 2018-10-30: fix some bash style nits * 2018-07-15: fix very theoretic misadressing (gcc-8 warning) * 2018-06-26: string parser: add &quot;lazy&quot; matching mode * 2018-05-30: Update lognormalizer.c * 2018-05-30: Update lognormalizer.c to support case fallthrough * 2018-05-30: Update README * 2018-05-10: Fix for #229 (cisco-interface-spec at end of line) * 2018-03-21: Suppress invalid param error for name to fix #270 - Upgrade to liblognorm v2.0.5 * 2018-04-25: fix potential NULL pointer addressing * 2018-04-07: Add test for nested user types * 2018-04-07: Fix use after free with nested user types (#235) * 2018-04-25: build system: fix gcc warning * 2018-04-25: make &quot;make check&quot; &quot;succeed&quot; on solaris 10 * 2018-04-16: fix build warnings with some newer compilers * 2018-04-16: remove dead code * 2018-04-16: fix potential memory leaks during config processing * 2018-04-16: fix memory leak during config processing * 2018-04-16: csv encoder: fix format error when processing arrays * 2018-03-29: Explicitly list supported whitespace characters * 2018-03-28: &quot;fix&quot; return type of unused dummy function - replaces liblognorm-2.0.4-no-return-in-nonvoid-function.patch * 2018-03-21: Suppress invalid param error for name to fix #270 * 2018-03-19: fix header guard * 2018-03-06: Correct CLI options in the docs * 2018-01-13: AIX port : added compatibility and modified lognormalizer for AIX. * 2017-11-29: codestyle: correct line length to 120 * 2017-11-29: codestyle: set max line length to 120 * 2017-11-25: fix some very bad line length violations * 2017-11-25: travis: temporarily permit longer line length * 2017-10-19: make build with gcc7 * 2017-10-05: es_str2cstr leak in string-to v1 parse Package ncurses was updated: - Add patch ncurses-6.1-bsc1220061.patch (bsc#1220061, CVE-2023-45918) * Backport from ncurses-6.4-20230615.patch improve checks in convert_string() for corrupt terminfo entry - Add patch bsc1218014-cve-2023-50495.patch * Fix CVE-2023-50495: segmentation fault via _nc_wrap_entry() (bsc#1218014) - Add patch boo1201384.patch * Do not fully reset serial lines - Modify patch ncurses-6.1.dif * Secure writing terminfo entries by setfs[gu]id in s[gu]id (boo#1210434, CVE-2023-29491) * Reading is done since 2000/01/17 Package nghttp2 was updated: - security update- added patches fix CVE-2024-28182 [bsc#1221399], HTTP/2 CONTINUATION frames can be utilized for DoS attacks + nghttp2-CVE-2024-28182-1.patch fix CVE-2024-28182-2 [bsc#1221399], HTTP/2 CONTINUATION frames can be utilized for DoS attacks + nghttp2-CVE-2024-28182-2.patch - security update - added patches fix CVE-2023-44487 [bsc#1216123], HTTP/2 Rapid Reset Attack + nghttp2-CVE-2023-44487.patch - Fixes memory leak that happens when PUSH_PROMISE or HEADERS frame cannot be sent, and nghttp2_on_stream_close_callback fails with a fatal error. [CVE-2023-35945 bsc#1215713] + nghttp2-CVE-2023-35945.patch Package openssl-1_1 was updated: - Apply &quot;openssl-CVE-2024-4741.patch&quot; to fix a use-after-free security vulnerability. Calling the function SSL_free_buffers() potentially caused memory to be accessed that was previously freed in some situations and a malicious attacker could attempt to engineer a stituation where this occurs to facilitate a denial-of-service attack. [CVE-2024-4741, bsc#1225551] - Security fix: [bsc#1222548, CVE-2024-2511] * Fix unconstrained session cache growth in TLSv1.3 * Add openssl-CVE-2024-2511.patch - Security fix: [bsc#1219243, CVE-2024-0727] * Add NULL checks where ContentInfo data can be NULL * Add openssl-CVE-2024-0727.patch - Security fix: [bsc#1216922, CVE-2023-5678] * Fix excessive time spent in DH check / generation with large Q parameter value. * Applications that use the functions DH_generate_key() to generate an X9.42 DH key may experience long delays. Likewise, applications that use DH_check_pub_key(), DH_check_pub_key_ex () or EVP_PKEY_public_check() to check an X9.42 DH key or X9.42 DH parameters may experience long delays. Where the key or parameters that are being checked have been obtained from an untrusted source this may lead to a Denial of Service. * Add openssl-CVE-2023-5678.patch - Displays &quot;fips&quot; in the version string (bsc#1215215) * Add openssl-1_1-fips-bsc1215215_fips_in_version_string.patch - Security fix: (bsc#1213853, CVE-2023-3817) * Fix excessive time spent checking DH q parameter value (bsc#1213853, CVE-2023-3817). The function DH_check() performs various checks on DH parameters. After fixing CVE-2023-3446 it was discovered that a large q parameter value can also trigger an overly long computation during some of these checks. A correct q value, if present, cannot be larger than the modulus p parameter, thus it is unnecessary to perform these checks if q is larger than p. If DH_check() is called with such q parameter value, DH_CHECK_INVALID_Q_VALUE return flag is set and the computationally intensive checks are skipped. * Add openssl-1_1-CVE-2023-3817.patch - Dont pass zero length input to EVP_Cipher because assembler optimized AES cannot handle zero size. [bsc#1213517] * Add openssl-dont-pass-zero-length-input-to-EVP_Cipher.patch - Security fix: [bsc#1213487, CVE-2023-3446] * Fix DH_check() excessive time with over sized modulus. * The function DH_check() performs various checks on DH parameters. One of those checks confirms that the modulus (&quot;p&quot; parameter) is not too large. Trying to use a very large modulus is slow and OpenSSL will not normally use a modulus which is over 10,000 bits in length. However the DH_check() function checks numerous aspects of the key or parameters that have been supplied. Some of those checks use the supplied modulus value even if it has already been found to be too large. A new limit has been added to DH_check of 32,768 bits. Supplying a key/parameters with a modulus over this size will simply cause DH_check() to fail. * Add openssl-CVE-2023-3446.patch openssl-CVE-2023-3446-test.patch - Security Fix: [bsc#1207534, CVE-2022-4304] * Reworked the Fix for the Timing Oracle in RSA Decryption The previous fix for this timing side channel turned out to cause a severe 2-3x performance regression in the typical use case compared to 1.1.1s. * Add openssl-CVE-2022-4304.patch * Removed patches: - openssl-CVE-2022-4304-1of2.patch - openssl-CVE-2022-4304-2of2.patch * Refreshed openssl-CVE-2023-0286.patch - Update further expiring certificates that affect tests [bsc#1201627] * Add openssl-Update-further-expiring-certificates.patch - Security Fix: [CVE-2023-2650, bsc#1211430] * Possible DoS translating ASN.1 object identifiers * Add openssl-CVE-2023-2650.patch - Security Fix: [CVE-2023-0465, bsc#1209878] * Invalid certificate policies in leaf certificates are silently ignored * Add openssl-CVE-2023-0465.patch - Security Fix: [CVE-2023-0466, bsc#1209873] * Certificate policy check not enabled * Add openssl-CVE-2023-0466.patch - Security Fix: [CVE-2023-0464, bsc#1209624] * Excessive Resource Usage Verifying X.509 Policy Constraints * Add openssl-CVE-2023-0464.patch - Security Fix: [bsc#1207533, CVE-2023-0286] * Fix X.400 address type confusion in X.509 GENERAL_NAME_cmp for x400Address * Add openssl-CVE-2023-0286.patch - Security Fix: [bsc#1207536, CVE-2023-0215] * Use-after-free following BIO_new_NDEF() * Add patches: - openssl-CVE-2023-0215-1of4.patch - openssl-CVE-2023-0215-2of4.patch - openssl-CVE-2023-0215-3of4.patch - openssl-CVE-2023-0215-4of4.patch - Security Fix: [bsc#1207538, CVE-2022-4450] * Double free after calling PEM_read_bio_ex() * Add patches: - openssl-CVE-2022-4450-1of2.patch - openssl-CVE-2022-4450-2of2.patch - Security Fix: [bsc#1207534, CVE-2022-4304] * Timing Oracle in RSA Decryption * Add patches: - openssl-CVE-2022-4304-1of2.patch - openssl-CVE-2022-4304-2of2.patch - FIPS: list only FIPS approved public key algorithms [bsc#1121365, bsc#1198472] * Add openssl-1_1-fips-list-only-approved-pubkey-algorithms.patch Package parted was updated: - fix null pointer dereference (bsc#1193412) - add: parted-fix-check-diskp-in-do_name.patch - update mkpart options in manpage (bsc#1182142) - add: parted-mkpart-manpage.patch Package pciutils was updated: - Apply &quot;lspci-Fixed-buffer-overflows-in-ls-tree.c.patch&quot; to fix a buffer overflow error that would cause lspci to crash on systems with complex topologies. [bsc#1215265] - Add &quot;pciutils.keyring&quot; so that the tarball's signature can be verified at build time. - Use &quot;%license&quot; tag instead of &quot;%doc&quot; to install the package's license file. Package pcre2 was updated: - Security fix: [bsc#1213514, CVE-2022-41409] * Integer overflow vulnerability in pcre2test before 10.41 allows attackers to cause a denial of service or other unspecified impacts via negative input. * Add pcre2-CVE-2022-41409.patch Package polkit was updated: Package procps was updated: - Submit latest procps 3.3.17 to SLE-15 tree for jira#PED-3244 and jira#PED-6369 - The patches now upstream had been dropped meanwhile * procps-vmstat-1b9ea611.patch (bsc#1185417) - For support up to 2048 CPU as well * bsc1209122-a6c0795d.patch (bnc#1209122) - allow `-´ as leading character to ignore possible errors on systctl entries * patch procps-ng-3.3.9-bsc1121753-Cpus.patch (bsc#1121753) - was a backport of an upstream fix to get the first CPU summary correct - Enable pidof for SLE-15 as this is provided by sysvinit-tools - Use a check on syscall __NR_pidfd_open to decide if the pwait tool and its manual page will be build - Modify patches * procps-ng-3.3.9-w-notruncate.diff * procps-ng-3.3.17-logind.patch to real to not truncate output of w with option -n - procps-ng-3.3.17-logind.patch: Backport from 4.x git, prefer logind over utmp (jsc#PED-3144) - Add patch CVE-2023-4016.patch * CVE-2023-4016: ps buffer overflow (bsc#1214290) - Replace transitional %usrmerged macro with regular version check (boo#1206798) - Extend patch procps-3.3.17-library-bsc1181475.patch (bsc#1206412) - Make sure that correct library version is installed (bsc#1206412) - Some older products do not know about /usr/share/man/uk Package protobuf was updated: - Fix a potential DoS issue in protobuf-cpp and protobuf-python, CVE-2022-1941, bsc#1203681 * Add protobuf-CVE-2022-1941.patch - Fix a potential DoS issue when parsing with binary data in protobuf-java, CVE-2022-3171, bsc#1204256 * Add protobuf-CVE-2022-3171.patch - Refresh protobuf-CVE-2021-22570.patch - Backport changes from 3.16.x tree for apply recent CVE patches * Add protobuf-51026d922970e06475f005b39287963594134b96.patch * Add protobuf-6ee16a9c60e734104aeb738503fe3f411c97bd88.patch * Add protobuf-73e0d748b9acdc40b693f2879ce82ecb1a849b81.patch * Add protobuf-7bff8393cab939bfbb9b5c69b3fe76b4d83c41ee.patch * Add protobuf-4f02f056b5cea99052bfdfb6698afe47a3cf2964.patch * Add protobuf-763c3588740b97e8e80b1b1a1a2dc4f417647133.patch * Add protobuf-6c92f9dff1807c142edf6780d775b58a3b078591.patch * Add protobuf-4e93585e8bb234efeacb7737b8d080968c5ab91e.patch * Add protobuf-58d4420e2dd8a3cd354fff9db0052881c25369ce.patch - Reorganize patch set ordering - Fix potential Denial of Service in protobuf-java in the parsing procedure for binary data, CVE-2021-22569, bsc#1194530 * Add protobuf-improve-performance-of-parsing-unknown-fields-in-Java.patch Package python3 was updated: - Add CVE-2024-4032-private-IP-addrs.patch to fix bsc#1226448 (CVE-2024-4032) rearranging definition of private v global IP addresses. - Add CVE-2024-0397-memrace_ssl.SSLContext_cert_store.patch fixing bsc#1226447 (CVE-2024-0397) by removing memory race condition in ssl.SSLContext certificate store methods. - Add bpo38361-syslog-no-slash-ident.patch (bsc#1222109, gh#python/cpython!16557) fixes syslog making default &quot;ident&quot; from sys.argv[0]. - Update CVE-2023-52425-libexpat-2.6.0-backport.patch so that it uses features sniffing, not just comparing version number (bsc#1220664, bsc#1219559, bsc#1221563, bsc#1222075). - Remove support-expat-CVE-2022-25236-patched.patch, which was the previous name of this patch. - Add CVE-2023-52425-remove-reparse_deferral-tests.patch skipping failing tests. - Refresh patches: - CVE-2023-27043-email-parsing-errors.patch - fix_configure_rst.patch - skip_if_buildbot-extend.patch - bsc#1221854 (CVE-2024-0450) Add CVE-2024-0450-zipfile-avoid-quoted-overlap-zipbomb.patch detecting the vulnerability of the &quot;quoted-overlap&quot; zipbomb (from gh#python/cpython!110016). - Add bh42369-thread-safety-zipfile-SharedFile.patch (from gh#python/cpython!26974) required by the previous patch. - Add expat-260-test_xml_etree-reparse-deferral.patch to make the interpreter work with patched libexpat in our distros. - Move all patches from locally sourced to the branch opensuse-3.6 branch at GitHub repo, and move all metadata to commits themselves (readable in the headers of each patch). - Add bpo-41675-modernize-siginterrupt.patch to make Python build cleanly even on more recent SPs of SLE-15 (gh#python/cpython#85841). - Remove patches: - bpo36263-Fix_hashlib_scrypt.patch - fix against bug in OpenSSL fixed in 1.1.1c (gh#openssl/openssl!8483), so this patch is redundant on all SUSE-supported distros - python-3.3.0b1-test-posix_fadvise.patch - protection against the kernel issues which has been fixed in gh#torvalds/linux@3d3727cdb07f, which has been included in all our kernels more recent than SLE-11. - python-3.3.3-skip-distutils-test_sysconfig_module.patch - skips a test, which should be relevant only for testing on Mac OS X systems with universal builds. I have no valid record, that this test would be ever problematic on Linux. - bpo-36576-skip_tests_for_OpenSSL-111.patch, which was included already in Python 3.5. - (bsc#1219666, CVE-2023-6597) Add CVE-2023-6597-TempDir-cleaning-symlink.patch (patch from gh#python/cpython!99930) fixing symlink bug in cleanup of tempfile.TemporaryDirectory. - Merge together bpo-36576-skip_tests_for_OpenSSL-111.patch into skip_SSL_tests.patch, and make them include all conditionals. - Refresh CVE-2023-27043-email-parsing-errors.patch to gh#python/cpython!111116, fixing bsc#1210638 (CVE-2023-27043). - Add CVE-2023-40217-avoid-ssl-pre-close.patch fixing gh#python/cpython#108310, backport from upstream patch gh#python/cpython#108315 (bsc#1214692, CVE-2023-40217) - Add 99366-patch.dict-can-decorate-async.patch fixing gh#python/cpython#98086 (backport from Python 3.10 patch in gh#python/cpython!99366), fixing bsc#1211158. - Add CVE-2007-4559-filter-tarfile_extractall.patch to fix CVE-2007-4559 (bsc#1203750) by adding the filter for tarfile.extractall (PEP 706). - Use python3 modules to build the documentation. - Add bpo-44434-libgcc_s-for-pthread_cancel.patch which eliminates unnecessary and dangerous calls to PyThread_exit_thread() (bsc#1203355). - Add CVE-2023-24329-blank-URL-bypass.patch (CVE-2023-24329, bsc#1208471) blocklists bypass via the urllib.parse component when supplying a URL that starts with blank characters - Add bpo27321-email-no-replace-header.patch to stop email.generator.py from replacing a non-existent header (bsc#1208443, gh#python/cpython#71508). - Add bsc1188607-pythreadstate_clear-decref.patch to fix crash in the garbage collection (bsc#1188607). - Add CVE-2022-45061-DoS-by-IDNA-decode.patch to avoid CVE-2022-45061 (bsc#1205244) allowing DoS by IDNA decoding extremely long domain names. - Add CVE-2022-37454-sha3-buffer-overflow.patch to fix bsc#1204577 (CVE-2022-37454, gh#python/cpython#98517) buffer overflow in hashlib.sha3_* implementations (originally from the XKCP library). - Add CVE-2020-10735-DoS-no-limit-int-size.patch to fix CVE-2020-10735 (bsc#1203125) to limit amount of digits converting text to int and vice vera (potential for DoS). Originally by Victor Stinner of Red Hat. Package qrencode was updated: - update to 4.1.1 (jsc#PED-7296): * Some minor bugs in Micro QR Code generation have been fixed. * The data capacity calculations are now correct. These bugs probably did not affect the Micro QR Code generation. - update to 4.1.0: * Command line tool &quot;qrencode&quot; has been improved: * New option &quot;--inline&quot; has been added. (Thanks to @jp-bennett) * New option &quot;--strict-version&quot; has been added. * UTF8 mode now supports ANSI256 color. (Thanks to András Veres- Szentkirályi) * Micro QR Code no longer requires to specify the version number. * 'make check' allows to run the test programs. (Thanks to Jan Tojnar) * Some compile time warnings have been fixed. * Various CMake support improvements. (Thanks to @mgorny and @sdf5) * Some minor bug fixes. (Thanks to Lonnie Abelbeck and Frédéric Wang) * Some documentation/manpage improvements. (Thanks to Dan Jacobson) * Some performance improvements. (Thanks to @4061N and Mika Lindqvist) - remove qrencode-fix-installation.patch (upstream) - Update to version 4.0.2 * Build script fixes. (Thanks to @mgorny) version 4.0.1 * CMake support improved. * New test scripts have been added. * Some compile time warnings have been fixed. - Refreshed qrencode-fix-installation.patch Package libsodium was updated: - Update in SLE-15 (bsc#1199282, jsc#PM-3243, jsc#SLE-24629) - Revert previous change about cpuid as previous change rejected in https://build.opensuse.org/request/show/724809 - Disable LTO as bypass boo#1148184 - Add libsodium_configure_cpuid_chg.patch and call autoconf to regenerate configure script with proper CPUID checking. Required at least for PowerPC and ARM now that LTO enabled. - Update to 1.0.18 - Enterprise versions of Visual Studio are now supported. - Visual Studio 2019 is now supported. - 32-bit binaries for Visual Studio 2010 are now provided. - A test designed to trigger an OOM condition didn't work on Linux systems with memory overcommit turned on. It has been removed in order to fix Ansible builds. - Emscripten: print and printErr functions are overridden to send errors to the console, if there is one. - Emscripten: UTF8ToString() is now exported since Pointer_stringify() has been deprecated. - Libsodium version detection has been fixed in the CMake recipe. - Generic hashing got a 10% speedup on AVX2. - New target: WebAssembly/WASI (compile with dist-builds/wasm32-wasi.sh). - New functions to map a hash to an edwards25519 point or get a random point: core_ed25519_from_hash() and core_ed25519_random(). - crypto_core_ed25519_scalar_mul() has been implemented for scalar*scalar (mod L) multiplication. - Support for the Ristretto group has been implemented for interoperability with wasm-crypto. - Improvements have been made to the test suite. - Portability improvements have been made. - getentropy() is now used on systems providing this system call. - randombytes_salsa20 has been renamed to randombytes_internal. - Support for NativeClient has been removed. - Most ((nonnull)) attributes have been relaxed to allow 0-length inputs to be NULL. - The -ftree-vectorize and -ftree-slp-vectorize compiler switches are now used, if available, for optimized builds. - Update to 1.0.17 - Bug fix: sodium_pad() didn't properly support block sizes &gt;= 256 bytes. - JS/WebAssembly: some old iOS versions can't instantiate the WebAssembly module; fall back to Javascript on these. - JS/WebAssembly: compatibility with newer Emscripten versions. - Bug fix: crypto_pwhash_scryptsalsa208sha256_str_verify() and crypto_pwhash_scryptsalsa208sha256_str_needs_rehash()didn't returnEINVAL` on input strings with a short length, unlike their high-level counterpart. - Added a workaround for Visual Studio 2010 bug causing CPU features not to be detected. - Portability improvements. - Test vectors from Project Wycheproof have been added. - New low-level APIs for arithmetic mod the order of the prime order group: - crypto_core_ed25519_scalar_random(), crypto_core_ed25519_scalar_reduce(), - crypto_core_ed25519_scalar_invert(), crypto_core_ed25519_scalar_negate(), - crypto_core_ed25519_scalar_complement(), crypto_core_ed25519_scalar_add() and crypto_core_ed25519_scalar_sub(). - New low-level APIs for scalar multiplication without clamping: crypto_scalarmult_ed25519_base_noclamp() and crypto_scalarmult_ed25519_noclamp(). These new APIs are especially useful for blinding. - sodium_sub() has been implemented. - Support for WatchOS has been added. - getrandom(2) is now used on FreeBSD 12+. - The nonnull attribute has been added to all relevant prototypes. - More reliable AVX512 detection. - Javascript/Webassembly builds now use dynamic memory growth. Package libsolv was updated: - add a conflict to older libsolv-tools to libsolv-tools-base - improve updating of installed multiversion packages - fix decision introspection going into an endless loop in some cases - added experimental lua bindings - bump version to 0.7.29 - split libsolv-tools into libsolv-tools-base [jsc#PED-8153] - build for multiple python versions [jsc#PED-6218] - bump version to 0.7.28 - add zstd support for the installcheck tool - add putinowndirpool cache to make file list handling in repo_write much faster - bump version to 0.7.27 - fix evr roundtrip in testcases - do not use deprecated headerUnload with newer rpm versions - bump version to 0.7.26 - support complex deps in SOLVABLE_PREREQ_IGNOREINST - fix minimization not prefering installed packages in some cases - reduce memory usage in repo_updateinfoxml - fix lock-step interfering with architecture selection - fix choice rule handing for package downgrades - fix complex dependencies with an &quot;else&quot; part sometimes leading to unsolved dependencies - bump version to 0.7.25 - handle learnt rules in solver_alternativeinfo() - support x86_64_v[234] architecture levels - implement decision sorting for package decisionlists - add back findutils requires for the libsolv-tools packagse [bsc#1195633] - bump version to 0.7.24 - fix &quot;keep installed&quot; jobs not disabling &quot;best update&quot; rules - do not autouninstall suse ptf packages - ensure duplinvolvedmap_all is reset when a solver is reused - special case file dependencies in the testcase writer - support stringification of multiple solvables - new weakdep introspection interface similar to ruleinfos - support decision reason queries - support merging of related decissions - support stringification of ruleinfo, decisioninfo and decision reasons - support better info about alternatives - new '-P' and '-W' options for testsolv - bump version to 0.7.23 Package sqlite3 was updated: - Sync version 3.44.0 from Factory * Fixes bsc#1210660, CVE-2023-2137: Heap buffer overflow * sqlite3-rtree-i686.patch: temporary build fix for 32-bit x86. * Obsoletes sqlite-CVE-2022-46908.patch * Obsoletes sqlite-src-3390000-func7-pg-181.patch - bsc#1206337, CVE-2022-46908, sqlite-CVE-2022-46908.patch: relying on --safe for execution of an untrusted CLI script Package libssh was updated: - Fix regression parsing IPv6 addresses provided as hostname (bsc#1227396) - added libssh-fix-ipv6-hostname-regression.patch - Update to 0.9.8: [jsc#PED-7719, bsc#1218126, CVE-2023-48795] * Rebase 0001-disable-timeout-test-on-slow-buildsystems.patch * Remove patches fixed in the update: - CVE-2019-14889.patch - 0001-CVE-2020-1730-Fix-a-possible-segfault-when-zeroing-A.patch - Update to version 0.9.8 * Fix CVE-2023-6004: Command injection using proxycommand (bsc#1218209) * Fix CVE-2023-48795: Potential downgrade attack using strict kex (bsc#1218126) * Fix CVE-2023-6918: Missing checks for return values of MD functions (bsc#1218186) * Allow @ in usernames when parsing from URI composes - Update to version 0.9.7 * Fix CVE-2023-1667: a NULL dereference during rekeying with algorithm guessing (bsc#1211188) * Fix CVE-2023-2283: a possible authorization bypass in pki_verify_data_signature under low-memory conditions (bsc#1211190) * Fix several memory leaks in GSSAPI handling code - Update to version 0.9.6 (bsc#1189608, CVE-2021-3634) * https://git.libssh.org/projects/libssh.git/tag/?h=libssh-0.9.6 - Add missing BR for openssh needed for tests - update to 0.9.5 (bsc#1174713, CVE-2020-16135): * CVE-2020-16135: Avoid null pointer dereference in sftpserver (T232) * Improve handling of library initialization (T222) * Fix parsing of subsecond times in SFTP (T219) * Make the documentation reproducible * Remove deprecated API usage in OpenSSL * Fix regression of ssh_channel_poll_timeout() returning SSH_AGAIN * Define version in one place (T226) * Prevent invalid free when using different C runtimes than OpenSSL (T229) * Compatibility improvements to testsuite - Update to version 0.9.4 * https://www.libssh.org/2020/04/09/libssh-0-9-4-and-libssh-0-8-9-security-release/ * Fix possible Denial of Service attack when using AES-CTR-ciphers CVE-2020-1730 (bsc#1168699) Package systemd was updated: - Fix systemd-coredump to not allow user to access coredumps with changed uid/gid/capabilities (bsc#1205000 CVE-2022-4415) Add 5000-coredump-Fix-format-string-type-mismatch.patch Add 5001-coredump-drop-an-unused-variable.patch Add 5002-coredump-adjust-whitespace.patch Add 5003-coredump-do-not-allow-user-to-access-coredumps-with-.patch - Import commit b83846dc8a5db633cc6cf05a33ddc054f725214e 4d53a5440f udev/net_id: show the correct identifier in the debug output of dev_pci_onboard() f70647a7b7 udev/net_id: add debug logging for construction of device names 48f40fbc8e pid1: set SYSTEMD_NSS_DYNAMIC_BYPASS=1 env var for dbus-daemon (bsc#1203857) 7e4434d883 docs: $SYSTEMD_NSS_BYPASS_BUS is not honoured anymore, don't document it 2bdfc2d8cf pid1: lookup owning PID of BusName= name of services asynchronously dba888a4d3 pid1: watch bus name always when we have it f524807b89 udev: add one more assertion 8558101c73 udev: drop assertion which is always false 566a66dc5c udev: support by-path devlink for multipath nvme block devices (bsc#1200723) b4c4edaada tests: minor simplification in test-execute 76d510c625 tests: make test-execute pass on openSUSE - Drop the following patches which are part of 'SUSE/v246' now: 6000-udev-net_id-add-debug-logging-for-construction-of-de.patch 6001-udev-net_id-show-the-correct-identifier-in-the-debug.patch - 80-hotplug-cpu-mem.rules: restrict cpu rule to x86_64 (bsc#1204423) Also update the rule files to make use of the &quot;CONST{arch}&quot; syntax (available since v244). - Import commit 56bee38fd0da18dad5fc5c5d12c02238a22b50e2 42a26330fc time-util: fix buffer-over-run (bsc#1204968 CVE-2022-3821) 8a70235d8a core: Add trigger limit for path units 93e544f3a0 core/mount: also add default before dependency for automount mount units 5916a7748c logind: fix crash in logind on user-specified message string - Add 1010-man-describe-the-net-naming-schemes-specific-to-SLE.patch (bsc#1204179) Package libtirpc was updated: - fix sed parsing for libtirpc.pc.in in specfile (boo#1216862) - update to 1.3.4 (bsc#1199467) * binddynport.c honor ip_local_reserved_ports - replaces: binddynport-honor-ip_local_reserved_ports.patch * gss-api: expose gss major/minor error in authgss_refresh() * rpcb_clnt.c: Eliminate double frees in delete_cache() * rpcb_clnt.c: memory leak in destroy_addr * portmapper: allow TCP-only portmapper * getnetconfigent: avoid potential DoS issue by removing unnecessary sleep * clnt_raw.c: fix a possible null pointer dereference * bindresvport.c: fix a potential resource leakage - update to 1.3.3 (bsc#1201680, CVE-2021-46828): * Fix DoS vulnerability in libtirpc - replaces: 0001-Fix-DoS-vulnerability-in-libtirpc.patch * _rpc_dtablesize: use portable system call * libtirpc: Fix use-after-free accessing the error number * Fix potential memory leak of parms.r_addr - replaces 0001-fix-parms.r_addr-memory-leak.patch * rpcb_clnt.c add mechanism to try v2 protocol first - preplaces: 0001-rpcb_clnt.c-config-to-try-protocolversion-2-first.patch * Eliminate deadlocks in connects with an MT environment * clnt_dg_freeres() uncleared set active state may deadlock * thread safe clnt destruction * SUNRPC: mutexed access blacklist_read state variable * SUNRPC: MT-safe overhaul of address cache management in rpcb_clnt.c - drop 0001-Fix-DoS-vulnerability-in-libtirpc.patch (upstream) - update to 1.3.2: * Replace the final SunRPC licenses with BSD licenses * blacklist: Add a few more well known ports * libtirpc: disallow calling auth_refresh from clnt_call with RPCSEC_GSS - Update to libtirpc 1.3.1 * Remove AUTH_DES interfaces from auth_des.h The unsupported AUTH_DES authentication has be compiled out since commit d918e41d889 (Wed Oct 9 2019) replaced by API routines that return errors. * svc_dg: Free xp_netid during destroy * Fix memory management issues of fd locks * libtirpc: replace array with list for per-fd locks * __svc_vc_dodestroy: fix double free of xp_ltaddr.buf * __rpc_dtbsize: rlim_cur instead of rlim_max * pkg-config: use the correct replacements for libdir/includedir Patches replaced by update: binddynport-honor-ip_local_reserved_ports.patch (bsc#1199467) 0001-Fix-DoS-vulnerability-in-libtirpc.patch (bsc#1201680) 0001-fix-parms.r_addr-memory-leak.patch (bsc#1198752) 0001-rpcb_clnt.c-config-to-try-protocolversion-2-first.patch (bsc#1196647), (bsc#1200800), (bsc#1198176) * replaces /etc/netconfig-try-2-first by the environment variable RPCB_V2FIRST - consider /proc/sys/net/ipv4/ip_local_reserved_ports, before binding to a random port (bsc#1199467) - add binddynport-honor-ip_local_reserved_ports.patch Package libxml2 was updated: - Security fix (CVE-2024-34459, bsc#1224282) buffer over-read in xmlHTMLPrintFileContext in xmllint.c * Added libxml2-CVE-2024-34459.patch - Security fix (CVE-2024-25062, bsc#1219576) use-after-free in XMLReader * Added libxml2-CVE-2024-25062.patch - Security update: * [CVE-2023-45322, bsc#1216129] use-after-free in xmlUnlinkNode() in tree.c - Added file libxml2-CVE-2023-45322.patch - Security update: * [CVE-2023-39615, bsc#1214768] Crafted xml can cause global buffer overflow - Added file libxml2-CVE-2023-39615.patch - Security update: * [CVE-2023-29469, bsc#1210412] Hashing of empty dict strings isn't deterministic - Added patch libxml2-CVE-2023-29469.patch * [CVE-CVE-2023-28484, bsc#1210411] NULL dereference in xmlSchemaFixupComplexType - Added patch libxml2-CVE-2023-28484-1.patch - Added patch libxml2-CVE-2023-28484-2.patch - Fix changelog entries in both .changes files. - Apply al patches correctly for libxml2 and python-libxml2. - Add W3C conformance tests to the testsuite (bsc#1204585): * Added file xmlts20080827.tar.gz Package libxslt was updated: - Security Fix: [bsc#1208574, CVE-2021-30560] * Use after free in Blink XSLT * Add libxslt-CVE-2021-30560.patch - Fix broken license symlink for libxslt-tools [bsc#1203669] Package libyajl was updated: Package zlib was updated: - Fix CVE-2023-45853, integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_6, bsc#1216378 * CVE-2023-45853.patch - Fix deflateBound() before deflateInit(), bsc#1210593 bsc1210593.patch - Add DFLTCC support for using inflate() with a small window, fixes bsc#1206513 * bsc1206513.patch - Follow up fix for bsc#1203652 due to libxml2 breakage * bsc1203652-2.patch - Fix bsc#1203652, inflate() does not update strm.adler if DFLTCC is used * bsc1203652.patch Package zstd was updated: - Fix CVE-2022-4899, bsc#1209533 * Disallow empty --output-dir-flat= - Added patch: * Disallow-empty-output-directory.patch Package libzypp was updated: - zypp-tui: Make sure translated texts use the correct textdomain (fixes #551) - Skip libproxy1 requires for tumbleweed. - version 17.34.1 (34) - don't require libproxy1 on tumbleweed, it is optional now - version 17.34.0 (34) - Fix versioning scheme - version 17.33.4 (35) - add one more missing export for libyui-qt-pkg - Revert eintrSafeCall behavior to setting errno to 0. - version 17.33.3 (34) - fix up requires_eq usage for libsolv-tools-base - add one more missing export for PackageKit - version 17.33.2 - version 17.33.1 (33) - switch to reduced size libsolv-tools-base (jsc#PED-8153) - Fixed check for outdated repo metadata as non-root user (bsc#1222086) - Add ZYPP_API for exported functions and switch to visibility=hidden (jsc#PED-8153) - Dynamically resolve libproxy (jsc#PED-8153) - version 17.33.0 (33) - Fix download from gpgkey URL (bsc#1223430, fixes openSUSE/zypper#546) - version 17.32.6 (32) - Don't try to refresh volatile media as long as raw metadata are present (bsc#1223094) - version 17.32.5 (32) - Fix creation of sibling cache dirs with too restrictive mode (bsc#1222398) Some install workflows in YAST may lead to too restrictive (0700) raw cache directories in case of newly created repos. Later commands running with user privileges may not be able to access these repos. - version 17.32.4 (32) - Update RepoStatus fromCookieFile according to the files mtime (bsc#1222086) - TmpFile: Don't call chmod if makeSibling failed. - version 17.32.3 (32) - Fixup New VendorSupportOption flag VendorSupportSuperseded (jsc#OBS-301, jsc#PED-8014) Fixed the name of the keyword to &quot;support_superseded&quot; as it was agreed on in jsc#OBS-301. - version 17.32.2 (32) - Add resolver option 'removeUnneeded' to file weak remove jobs for unneeded packages (bsc#1175678) - version 17.32.1 (32) - Add resolver option 'removeOrphaned' for distupgrade (bsc#1221525) - New VendorSupportOption flag VendorSupportSuperseded (jsc#OBS-301, jsc#PED-8014) - Tests: fix vsftpd.conf where SUSE and Fedora use different defaults (fixes #522) - Add default stripe minimum (#529) - Don't expose std::optional where YAST/PK explicitly use c++11. - Digest: Avoid using the deprecated OPENSSL_config. - version 17.32.0 (32) - ProblemSolution::skipsPatchesOnly overload to handout the patches. - Remove https-&gt;http redirection exceptions for download.opensuse.org. - version 17.31.32 (22) - tui: allow to access the underlying ostream of out::Info. - Add MLSep: Helper to produce not-NL-terminated multi line output. - version 17.31.31 (22) - applydeltaprm: Create target directory if it does not exist (bsc#1219442) - Add ProblemSolution::skipsPatchesOnly (for openSUSE/zypper#514) - Fix problems with EINTR in ExternalDataSource::getline (fixes bsc#1215698) - version 17.31.30 (22) - CheckAccessDeleted: fix running_in_container detection (bsc#1218782) - Detect CURLOPT_REDIR_PROTOCOLS_STR availability at runtime (bsc#1218831) - Make Wakeup class EINTR safe. - Add a way to cancel media operations on shutdown (openSUSE/zypper#522) This patch adds a mechanism to signal libzypp that a shutdown was requested, usually when CTRL+C was pressed by the user. Currently only the media backend will utilize this, but can be extended to all code paths that use g_poll() to wait for events. - Manually poll fds for curl in MediaCurl. Using curl_easy_perform does not give us the required control on when we want to cancel a download. Switching to the MultiCurl implementation with a external poll() event loop will give us much more freedom and helps us to improve our Ctrl+C handling. - Move reusable curl poll code to curlhelper.h. - version 17.31.29 (22) - Fix to build with libxml 2.12.x (fixes #505) - version 17.31.28 (22) - CheckAccessDeleted: fix 'running in container' filter (bsc#1218291) - version 17.31.27 (22) - Call zypp commit plugins during transactional update (fixes #506) - Add support for loongarch64 (fixes #504) - Teach MediaMultiCurl to download HTTP Multibyte ranges. - Teach zsync downloads to MultiCurl. - Expand RepoVars in URLs downloading a .repo file (bsc#1212160) Convenient and helps documentation as it may refer to a single command for a bunch of distributions. Like e.g. &quot;zypper ar 'https://server.my/$releasever/my.repo'&quot;. - version 17.31.26 (22) - Fix build issue with zchunk build flags (fixes #500) - version 17.31.25 (22) - Open rpmdb just once during execution of %posttrans scripts (bsc#1216412) - Avoid using select() since it does not support fd numbers &gt; 1024 (fixes #447) - tools/DownloadFiles: use standard zypp progress bar (fixes #489) - Revert &quot;Color download progress bar&quot; (fixes #475) Cyan is already used for the output of RPM scriptlets. Avoid this colorific collision between download progress bar and scriptlet output. - Fix ProgressBar's calculation of the printed tag position (fixes #494) - Switch zypp::Digest to Openssl 3.0 Provider API (fixes #144) - Fix usage of deprecated CURL features (fixes #486) - version 17.31.24 (22) - Stop using boost version 1 timer library (fixes #489, bsc#1215294) - version 17.31.23 (22) - Preliminary disable 'rpm --runposttrans' usage for chrooted systems (bsc#1216091) This limits the %transfiletrigger(postun|in) support in the default installer if --root is used (as described in bsc#1041742). The chrooted execution of the scripts in 'rpm --runposttrans' broke in rpm-4.18. It's expected to be fixed in rpm-4.19. Then we'll enable the feature again. - fix comment typo on zypp.conf (boo#1215979) - version 17.31.22 (22) - Attempt to delay %transfiletrigger(postun|in) execution if rpm supports it (bsc#1041742) Decide during installation whether rpm is capable of delayed %posttrans %transfiletrigger(postun|in) execution or whether we can just handle the packages %posttrans. On TW a delayed %transfiletrigger handling is possible since rpm-4.17. - Make sure the old target is deleted before a new one is created (bsc#1203760) - version 17.31.21 (22) - Fixup changes for 17.31.16. Remove faulty reference to a bug actually fixed in 2019. - version 17.31.20 (22) - Fix zypp-tui/output/Out.h to build with clang. - Fix zypp/Arch.h for clang (fixes #478) Clang seems to have issues with picking the overload in std::men_fn if there is a static overload of a member function. We need to explicitely specify the correct type of the function pointer. To make sure this would not break compiling a application with clang that builds against libzypp this patch works around the problem. - version 17.31.19 (22) - SINGLE_RPMTRANS: Respect ZYPP_READONLY_HACK when checking the zypp-rpm lock (fixes openSUSE/openSUSE-repos#29) - version 17.31.18 (22) - Fix wrong filesize exceeded dl abort in zyppng::Downloader (bsc#1213673) In some cases when downloading very small files we can run into issues when the URL is protected by credentials. - version 17.31.17 (22) - Fix negative ZYPP_LOCK_TIMEOUT not waiting forever (bsc#1213231) - Don't cleanup orphaned dirs if read-only mode was promised (bsc#1210740) - version 17.31.16 (22) - Fix build against protobuf &gt;= 22 (fixes #465, closes #466) Port away from protobuf_generate_cpp. Upstream protobuf does not export protobuf_generate_cpp by default anymore. Use protobuf_generate instead, which is also available on older versions. - Remove SUSE &lt; SLE11 constructs (fixes #464). - version 17.31.15 (22) - build: honor libproxy.pc's includedir (bsc#1212222) - Curl: trim all custom headers (bsc#1212187) HTTP/2 RFC 9113 forbids fields ending with a space. So we make sure all custom headers are trimmed. This also includes headers returned by URL-Resolver plugins. - version 17.31.14 (22) - curl: Trim user agent string (bsc#1212187) HTTP/2 RFC 9113 forbids fields ending with a space. Violation results in curl error: 92: HTTP/2 PROTOCOL_ERROR. - version 17.31.13 (22) - Do not unconditionally release a medium if provideFile failed (bsc#1211661) - libzypp.spec.cmake: remove duplicate file listing. - version 17.31.12 (22) - MediaCurl: Fix endless loop if wrong credentials are stored in credentials.cat (bsc#1210870) Since libzypp-17.31.7 wrong credentials stored in credentials.cat may lead to an endless loop. Rather than asking for the right credentials, the stored ones are used again and again. - zypp.conf: Introduce 'download.connect_timeout' [60 sec.] (bsc#1208329) Maximum time in seconds that you allow the connection phase to the server to take. This only limits the connection phase, it has no impact once it has connected. (see also CURLOPT_CONNECTTIMEOUT) - commit: Try to provide /dev fs if not present (fixes #444) - fix build with boost 1.82. - version 17.31.11 (22) - fix build with boost 1.82 - BuildRequires: libsolv-devel &gt;= 0.7.24 for x86_64_v[234] support. - version 17.31.10 (22) - Workround bsc#1195633 while libsolv &lt;= 0.7.23 is used. - Fix potential endless loop in new ZYPP_MEDIANETWORK. - ZYPP_METALINK_DEBUG=1: Log URL and priority of the mirrors parsed from a metalink file. - multicurl: propagate ssl settings stored in repo url (boo#1127591) Closes #335. - Teach MediaNetwork to retry on HTTP2 errors. - fix CapDetail to return Rel::NONE if an EXPRESSION is used as a NAMED cap. - Capability: support parsing richdeps from string. - defaultLoadSystem: default to LS_NOREFRESH if not root. - Detect x86_64_v[234]: Fix LZCNT bit used in detection (fixes [#439]) Merges rpm-software-management/rpm#2412: The bit for LZCNT is in CPUID 0x80000001, not 1. - Detect x86_64_v[234] architecture levels (fixes #439) - Support x86_64_v[234] architecture levels (for #439) - version 17.31.9 (22) - ProgressData: enforce reporting the INIT||END state (bsc#1206949) - ps: fix service detection on newer Tumbleweed systems (bsc#1205636) - version 17.31.8 (22) - Hint to &quot;zypper removeptf&quot; to remove PTFs. - Removing a PTF without enabled repos should always fail (bsc#1203248) Without enabled repos, the dependent PTF-packages would be removed (not replaced!) as well. To remove a PTF &quot;zypper install - - -PTF&quot; or a dedicated &quot;zypper removeptf PTF&quot; should be used. This will update the installed PTF packages to theit latest version. - version 17.31.7 (22) - Avoid calling getsockopt when we know the info already. This patch hopefully fixes logging on WSL, getsockopt seems to not be fully supported but the code required it when accepting new socket connections. (for bsc#1178233) - Enhance yaml-cpp detection (fixes #428) - No need to redirect 'history.logfile=/dev/null' into the target. - MultiCurl: Make sure to reset the progress function when falling back. - version 17.31.6 (22) - Create '.no_auto_prune' in the package cache dir to prevent auto cleanup of orphaned repositories (bsc#1204956) - properly reset range requests (bsc#1204548) - version 17.31.5 (22) - Do not clean up MediaSetAccess before using the geoip file (fixes #424) - version 17.31.4 (22) - Improve download of optional files (fixes #416) - Do not use geoip rewrites if the repo has explicit country settings. - Implement geoIP feature for zypp. This patch adds a feature to rewrite request URLs to the repo servers by querying a geoIP file from download.opensuse.org. This file can return a redirection target depending on the clients IP adress, this way we can directly contact a local mirror of d.o.o instead. The redir target stays valid for 24hrs. This feature can be disabled in zypp.conf by setting 'download.use_geoip_mirror = false'. - Use a dynamic fallback for BLKSIZE in downloads. When not receiving a blocklist via metalink file from the server MediaMultiCurl used to fallback to a fixed, relatively small BLKSIZE. This patch changes the fallback into a dynamic value based on the filesize using a similar metric as the MirrorCache implementation on the server side. - Skip media.1/media download for http repo status calc. This patch allows zypp to skip a extra media.1/media download to calculate if a repository needs to be refreshed. This optimisation only takes place if the repo does specify only downloading base urls. - version 17.31.3 (22) Package shadow was updated: - bsc#1228770: Fix not copying of skel files Update shadow-CVE-2013-4235.patch - bsc#916845 (CVE-2013-4235): Fix TOCTOU race condition Add shadow-CVE-2013-4235.patch - bsc#1214806 (CVE-2023-4641): Fix potential password leak - Add shadow-CVE-2023-4641.patch - bsc#1213189: Change lock mechanism to file locking to prevent lock files after power interruptions - Add shadow-4.8.1-lock-mechanism.patch - bsc#1206627: Add --prefix support to passwd, chpasswd and chage Needed for YaST - Add shadow-4.8.1-add-prefix-passwd-chpasswd-chage.patch - bsc#1210507 (CVE-2023-29383): Check for control characters - Add shadow-CVE-2023-29383.patch Package man was updated: - Use inverted exit status in exec option of find command to avoid refreshing man database (boo#1155879) - Minor corrections on %ghost /var/cache/man Package mozilla-nspr was updated: - update to version 4.35 * fixes for building with clang * use the number of online processors for the PR_GetNumberOfProcessors() API on some platforms * fix build on mips+musl libc * Add support for the LoongArch 64-bit architecture Package mozilla-nss was updated: - Require `sed` for mozilla-nss-sysinit, as setup-nsssysinit.sh depends on it and will create a broken, empty config, if sed is missing (bsc#1227918) - update to NSS 3.101.2 * bmo#1905691 - ChaChaXor to return after the function - Added nss-fips-safe-memset.patch, fixing bsc#1222811. - Removed some dead code from nss-fips-constructor-self-tests.patch. - Rebased nss-fips-approved-crypto-non-ec.patch on above changes. - Added nss-fips-aes-gcm-restrict.patch, fixing bsc#1222830. - Updated nss-fips-approved-crypto-non-ec.patch, fixing bsc#1222813, bsc#1222814, bsc#1222821, bsc#1222822, bsc#1224118. - Updated nss-fips-approved-crypto-non-ec.patch and nss-fips-constructor-self-tests.patch, fixing bsc#1222807, bsc#1222828, bsc#1222834. - Updated nss-fips-approved-crypto-non-ec.patch, fixing bsc#1222804, bsc#1222826, bsc#1222833, bsc#1224113, bsc#1224115, bsc#1224116. - update to NSS 3.101.1 * bmo#1901932 - missing sqlite header. * bmo#1901080 - GLOBALTRUST 2020: Set Distrust After for TLS and S/MIME. - update to NSS 3.101 * bmo#1900413 - add diagnostic assertions for SFTKObject refcount. * bmo#1899759 - freeing the slot in DeleteCertAndKey if authentication failed * bmo#1899883 - fix formatting issues. * bmo#1889671 - Add Firmaprofesional CA Root-A Web to NSS. * bmo#1899593 - remove invalid acvp fuzz test vectors. * bmo#1898830 - pad short P-384 and P-521 signatures gtests. * bmo#1898627 - remove unused FreeBL ECC code. * bmo#1898830 - pad short P-384 and P-521 signatures. * bmo#1898825 - be less strict about ECDSA private key length. * bmo#1854439 - Integrate HACL* P-521. * bmo#1854438 - Integrate HACL* P-384. * bmo#1898074 - memory leak in create_objects_from_handles. * bmo#1898858 - ensure all input is consumed in a few places in mozilla::pkix * bmo#1884444 - SMIME/CMS and PKCS #12 do not integrate with modern NSS policy * bmo#1748105 - clean up escape handling * bmo#1896353 - Use lib::pkix as default validator instead of the old-one * bmo#1827444 - Need to add high level support for PQ signing. * bmo#1548723 - Certificate Compression: changing the allocation/freeing of buffer + Improving the documentation * bmo#1884444 - SMIME/CMS and PKCS #12 do not integrate with modern NSS policy * bmo#1893404 - Allow for non-full length ecdsa signature when using softoken * bmo#1830415 - Modification of .taskcluster.yml due to mozlint indent defects * bmo#1793811 - Implement support for PBMAC1 in PKCS#12 * bmo#1897487 - disable VLA warnings for fuzz builds. * bmo#1895032 - remove redundant AllocItem implementation. * bmo#1893334 - add PK11_ReadDistrustAfterAttribute. * bmo#215997 - Clang-formatting of SEC_GetMgfTypeByOidTag update * bmo#1895012 - Set SEC_ERROR_LIBRARY_FAILURE on self-test failure * bmo#1894572 - sftk_getParameters(): Fix fallback to default variable after error with configfile. * bmo#1830415 - Switch to the mozillareleases/image_builder image - Follow upstream changes in nss-fips-constructor-self-tests.patch (switch from ec_field_GFp to ec_field_plain) - Remove part of nss-fips-zeroization.patch that got removed upstream - update to NSS 3.100 - bmo#1893029 - merge pk11_kyberSlotList into pk11_ecSlotList for faster Xyber operations. - bmo#1893752 - remove ckcapi. - bmo#1893162 - avoid a potential PK11GenericObject memory leak. - bmo#671060 - Remove incomplete ESDH code. - bmo#215997 - Decrypt RSA OAEP encrypted messages. - bmo#1887996 - Fix certutil CRLDP URI code. - bmo#1890069 - Don't set CKA_DERIVE for CKK_EC_EDWARDS private keys. - bmo#676118 - Add ability to encrypt and decrypt CMS messages using ECDH. - bmo#676100 - Correct Templates for key agreement in smime/cmsasn.c. - bmo#1548723 - Moving the decodedCert allocation to NSS. - bmo#1885404 - Allow developers to speed up repeated local execution of NSS tests that depend on certificates. - update to NSS 3.99 * Removing check for message len in ed25519 (bmo#1325335) * add ed25519 to SECU_ecName2params. (bmo#1884276) * add EdDSA wycheproof tests. (bmo#1325335) * nss/lib layer code for EDDSA. (bmo#1325335) * Adding EdDSA implementation. (bmo#1325335) * Exporting Certificate Compression types (bmo#1881027) * Updating ACVP docker to rust 1.74 (bmo#1880857) * Updating HACL* to 0f136f28935822579c244f287e1d2a1908a7e552 (bmo#1325335) * Add NSS_CMSRecipient_IsSupported. (bmo#1877730) - update to NSS 3.98 * bmo#1780432 - (CVE-2023-5388) Timing attack against RSA decryption in TLS * bmo#1879513 - Certificate Compression: enabling the check that the compression was advertised * bmo#1831552 - Move Windows workers to nss-1/b-win2022-alpha * bmo#1879945 - Remove Email trust bit from OISTE WISeKey Global Root GC CA * bmo#1877344 - Replace `distutils.spawn.find_executable` with `shutil.which` within `mach` in `nss` * bmo#1548723 - Certificate Compression: Updating nss_bogo_shim to support Certificate compression * bmo#1548723 - TLS Certificate Compression (RFC 8879) Implementation * bmo#1875356 - Add valgrind annotations to freebl kyber operations for constant-time execution tests * bmo#1870673 - Set nssckbi version number to 2.66 * bmo#1874017 - Add Telekom Security roots * bmo#1873095 - Add D-Trust 2022 S/MIME roots * bmo#1865450 - Remove expired Security Communication RootCA1 root * bmo#1876179 - move keys to a slot that supports concatenation in PK11_ConcatSymKeys * bmo#1876800 - remove unmaintained tls-interop tests * bmo#1874937 - bogo: add support for the -ipv6 and -shim-id shim flags * bmo#1874937 - bogo: add support for the -curves shim flag and update Kyber expectations * bmo#1874937 - bogo: adjust expectation for a key usage bit test * bmo#1757758 - mozpkix: add option to ignore invalid subject alternative names * bmo#1841029 - Fix selfserv not stripping `publicname:` from -X value * bmo#1876390 - take ownership of ecckilla shims * bmo#1874458 - add valgrind annotations to freebl/ec.c * bmo#864039 - PR_INADDR_ANY needs PR_htonl before assignment to inet.ip * bmo#1875965 - Update zlib to 1.3.1 - Use %patch -P N instead of deprecated %patchN. - update to NSS 3.97 * bmo#1875506 - make Xyber768d00 opt-in by policy * bmo#1871631 - add libssl support for xyber768d00 * bmo#1871630 - add PK11_ConcatSymKeys * bmo#1775046 - add Kyber and a PKCS#11 KEM interface to softoken * bmo#1871152 - add a FreeBL API for Kyber * bmo#1826451 - part 2: vendor github.com/pq-crystals/kyber/commit/e0d1c6ff * bmo#1826451 - part 1: add a script for vendoring kyber from pq-crystals repo * bmo#1835828 - Removing the calls to RSA Blind from loader.* * bmo#1874111 - fix worker type for level3 mac tasks * bmo#1835828 - RSA Blind implementation * bmo#1869642 - Remove DSA selftests * bmo#1873296 - read KWP testvectors from JSON * bmo#1822450 - Backed out changeset dcb174139e4f * bmo#1822450 - Fix CKM_PBE_SHA1_DES2_EDE_CBC derivation * bmo#1871219 - Wrap CC shell commands in gyp expansions - update to NSS 3.96.1 * bmo#1869408 - Use pypi dependencies for MacOS worker in ./build_gyp.sh * bmo#1830978 - p7sign: add -a hash and -u certusage (also p7verify cleanups) * bmo#1867408 - add a defensive check for large ssl_DefSend return values * bmo#1869378 - Add dependency to the taskcluster script for Darwin * bmo#1869378 - Upgrade version of the MacOS worker for the CI - add nss-allow-slow-tests-s390x.patch: &quot;certutil dump keys with explicit default trust flags&quot; test needs longer than the allowed 6 seconds on s390x - update to NSS 3.95 * bmo#1842932 - Bump builtins version number. * bmo#1851044 - Remove Email trust bit from Autoridad de Certificacion Firmaprofesional CIF A62634068 root cert. * bmo#1855318 - Remove 4 DigiCert (Symantec/Verisign) Root Certificates * bmo#1851049 - Remove 3 TrustCor Root Certificates from NSS. * bmo#1850982 - Remove Camerfirma root certificates from NSS. * bmo#1842935 - Remove old Autoridad de Certificacion Firmaprofesional Certificate. * bmo#1860670 - Add four Commscope root certificates to NSS. * bmo#1850598 - Add TrustAsia Global Root CA G3 and G4 root certificates. * bmo#1863605 - Include P-384 and P-521 Scalar Validation from HACL* * bmo#1861728 - Include P-256 Scalar Validation from HACL*. * bmo#1861265 - After the HACL 256 ECC patch, NSS incorrectly encodes 256 ECC without DER wrapping at the softoken level * bmo#1837987 - Add means to provide library parameters to C_Initialize * bmo#1573097 - clang format * bmo#1854795 - add OSXSAVE and XCR0 tests to AVX2 detection. * bmo#1858241 - Typo in ssl3_AppendHandshakeNumber * bmo#1858241 - Introducing input check of ssl3_AppendHandshakeNumber * bmo#1573097 - Fix Invalid casts in instance.c - update to NSS 3.94 * bmo#1853737 - Updated code and commit ID for HACL* * bmo#1840510 - update ACVP fuzzed test vector: refuzzed with current NSS * bmo#1827303 - Softoken C_ calls should use system FIPS setting to select NSC_ or FC_ variants * bmo#1774659 - NSS needs a database tool that can dump the low level representation of the database * bmo#1852179 - declare string literals using char in pkixnames_tests.cpp * bmo#1852179 - avoid implicit conversion for ByteString * bmo#1818766 - update rust version for acvp docker * bmo#1852011 - Moving the init function of the mpi_ints before clean-up in ec.c * bmo#1615555 - P-256 ECDH and ECDSA from HACL* * bmo#1840510 - Add ACVP test vectors to the repository * bmo#1849077 - Stop relying on std::basic_string&lt;uint8_t&gt; * bmo#1847845 - Transpose the PPC_ABI check from Makefile to gyp - rebased patches - added nss-fips-test.patch to fix broken test - Update to NSS 3.93: * bmo#1849471 - Update zlib in NSS to 1.3. * bmo#1848183 - softoken: iterate hashUpdate calls for long inputs. * bmo#1813401 - regenerate NameConstraints test certificates (boo#1214980). - Rebase nss-fips-pct-pubkeys.patch. - update to NSS 3.92 * bmo#1822935 - Set nssckbi version number to 2.62 * bmo#1833270 - Add 4 Atos TrustedRoot Root CA certificates to NSS * bmo#1839992 - Add 4 SSL.com Root CA certificates * bmo#1840429 - Add Sectigo E46 and R46 Root CA certificates * bmo#1840437 - Add LAWtrust Root CA2 (4096) * bmo#1822936 - Remove E-Tugra Certification Authority root * bmo#1827224 - Remove Camerfirma Chambers of Commerce Root. * bmo#1840505 - Remove Hongkong Post Root CA 1 * bmo#1842928 - Remove E-Tugra Global Root CA ECC v3 and RSA v3 * bmo#1842937 - Avoid redefining BYTE_ORDER on hppa Linux - update to NSS 3.91 * bmo#1837431 - Implementation of the HW support check for ADX instruction * bmo#1836925 - Removing the support of Curve25519 * bmo#1839795 - Fix comment about the addition of ticketSupportsEarlyData * bmo#1839327 - Adding args to enable-legacy-db build * bmo#1835357 - dbtests.sh failure in &quot;certutil dump keys with explicit default trust flags&quot; * bmo#1837617 - Initialize flags in slot structures * bmo#1835425 - Improve the length check of RSA input to avoid heap overflow * bmo#1829112 - Followup Fixes * bmo#1784253 - avoid processing unexpected inputs by checking for m_exptmod base sign * bmo#1826652 - add a limit check on order_k to avoid infinite loop * bmo#1834851 - Update HACL* to commit 5f6051d2 * bmo#1753026 - add SHA3 to cryptohi and softoken * bmo#1753026 - HACL SHA3 * bmo#1836781 - Disabling ASM C25519 for A but X86_64 - removed upstreamed patch nss-fix-bmo1836925.patch - update to NSS 3.90.3 * bmo#1901080 - GLOBALTRUST 2020: Set Distrust After for TLS and S/MIME. * bmo#1748105 - clean up escape handling. * bmo#1895032 - remove redundant AllocItem implementation. * bmo#1836925 - Disable ASM support for Curve25519. * bmo#1836781 - Disable ASM support for Curve25519 for all but X86_64. - remove upstreamed nss-fix-bmo1836925.patch - Adding nss-fips-bsc1223724.patch to fix startup crash of Firefox when using FIPS-mode (bsc#1223724). - Added &quot;Provides: nss&quot; so other RPMs that require 'nss' can be installed (jira PED-6358). - update to NSS 3.90.2 * bmo#1780432 - (CVE-2023-5388) Timing attack against RSA decryption in TLS. (bsc#1216198) * bmo#1867408 - add a defensive check for large ssl_DefSend return values. - update to NSS 3.90.1 * bmo#1813401 - regenerate NameConstraints test certificates. * bmo#1854795 - add OSXSAVE and XCR0 tests to AVX2 detection. - Remove nss-fix-bmo1813401.patch which is now upstream. - Add nss-fix-bmo1813401.patch to fix bsc#1214980 - update to NSS 3.90 * bmo#1623338 - ride along: remove a duplicated doc page * bmo#1623338 - remove a reference to IRC * bmo#1831983 - clang-format lib/freebl/stubs.c * bmo#1831983 - Add a constant time select function * bmo#1774657 - Updating an old dbm with lots of certs with keys to sql results in a database that is slow to access. * bmo#1830973 - output early build errors by default * bmo#1804505 - Update the technical constraints for KamuSM * bmo#1822921 - Add BJCA Global Root CA1 and CA2 root certificates * bmo#1790763 - Enable default UBSan Checks * bmo#1786018 - Add explicit handling of zero length records * bmo#1829391 - Tidy up DTLS ACK Error Handling Path * bmo#1786018 - Refactor zero length record tests * bmo#1829112 - Fix compiler warning via correct assert * bmo#1755267 - run linux tests on nss-t/t-linux-xlarge-gcp * bmo#1806496 - In FIPS mode, nss should reject RSASSA-PSS salt lengths larger than the output size of the hash function used, or provide an indicator * bmo#1784163 - Fix reading raw negative numbers * bmo#1748237 - Repairing unreachable code in clang built with gyp * bmo#1783647 - Integrate Vale Curve25519 * bmo#1799468 - Removing unused flags for Hacl* * bmo#1748237 - Adding a better error message * bmo#1727555 - Update HACL* till 51a72a953a4ee6f91e63b2816ae5c4e62edf35d6 * bmo#1782980 - Fall back to the softokn when writing certificate trust * bmo#1806010 - FIPS-104-3 requires we restart post programmatically * bmo#1826650 - cmd/ecperf: fix dangling pointer warning on gcc 13 * bmo#1818766 - Update ACVP dockerfile for compatibility with debian package changes * bmo#1815796 - Add a CI task for tracking ECCKiila code status, update whitespace in ECCKiila files * bmo#1819958 - Removed deprecated sprintf function and replaced with snprintf * bmo#1822076 - fix rst warnings in nss doc * bmo#1821997 - Fix incorrect pygment style * bmo#1821292 - Change GYP directive to apply across platforms * Add libsmime3 abi-check exception for NSS_CMSSignerInfo_GetDigestAlgTag - Add nss-fix-bmo1836925.patch to fix build-errors - Merge the libfreebl3-hmac and libsoftokn3-hmac packages into the respective libraries. (bsc#1185116) - update to NSS 3.89.1 * bmo#1804505 - Update the technical constraints for KamuSM. * bmo#1822921 - Add BJCA Global Root CA1 and CA2 root certificates. - update to NSS 3.89 * bmo#1820834 - revert freebl/softoken RSA_MIN_MODULUS_BITS increase * bmo#1820175 - PR_STATIC_ASSERT is cursed * bmo#1767883 - Need to add policy control to keys lengths for signatures * bmo#1820175 - Fix unreachable code warning in fuzz builds * bmo#1820175 - Fix various compiler warnings in NSS * bmo#1820175 - Enable various compiler warnings for clang builds * bmo#1815136 - set PORT error after sftk_HMACCmp failure * bmo#1767883 - Need to add policy control to keys lengths for signatures * bmo#1804662 - remove data length assertion in sec_PKCS7Decrypt * bmo#1804660 - Make high tag number assertion failure an error * bmo#1817513 - CKM_SHA384_KEY_DERIVATION correction maximum key length from 284 to 384 * bmo#1815167 - Tolerate certificate_authorities xtn in ClientHello * bmo#1789436 - Fix build failure on Windows * bmo#1811337 - migrate Win 2012 tasks to Azure * bmo#1810702 - fix title length in doc * bmo#1570615 - Add interop tests for HRR and PSK to GREASE suite * bmo#1570615 - Add presence/absence tests for TLS GREASE * bmo#1804688 - Correct addition of GREASE value to ALPN xtn * bmo#1789436 - CH extension permutation * bmo#1570615 - TLS GREASE (RFC8701) * bmo#1804640 - improve handling of unknown PKCS#12 safe bag types * bmo#1815870 - use a different treeherder symbol for each docker image build task * bmo#1815868 - pin an older version of the ubuntu:18.04 and 20.04 docker images * bmo#1810702 - remove nested table in rst doc * bmo#1815246 - Export NSS_CMSSignerInfo_GetDigestAlgTag * bmo#1812671 - build failure while implicitly casting SECStatus to PRUInt32 - update to NSS 3.88.1 * bmo#1804640 - improve handling of unknown PKCS#12 safe bag types - update to NSS 3.88 * bmo#1815870 - use a different treeherder symbol for each docker image build task * bmo#1815868 - pin an older version of the ubuntu:18.04 and 20.04 docker images * bmo#1810702 - remove nested table in rst doc * bmo#1815246 - Export NSS_CMSSignerInfo_GetDigestAlgTag. * bmo#1812671 - build failure while implicitly casting SECStatus to PRUInt32 * bmo#1212915 - Add check for ClientHello SID max length * bmo#1771100 - Added EarlyData ALPN test support to BoGo shim * bmo#1790357 - ECH client - Discard resumption TLS &lt; 1.3 Session(IDs|Tickets) if ECH configs are setup * bmo#1714245 - On HRR skip PSK incompatible with negotiated ciphersuites hash algorithm * bmo#1789410 - ECH client: Send ech_required alert on server negotiating TLS 1.2. Fixed misleading Gtest, enabled corresponding BoGo test * bmo#1771100 - Added Bogo ECH rejection test support * bmo#1771100 - Added ECH 0Rtt support to BoGo shim * bmo#1747957 - RSA OAEP Wycheproof JSON * bmo#1747957 - RSA decrypt Wycheproof JSON * bmo#1747957 - ECDSA Wycheproof JSON * bmo#1747957 - ECDH Wycheproof JSON * bmo#1747957 - PKCS#1v1.5 wycheproof json * bmo#1747957 - Use X25519 wycheproof json * bmo#1766767 - Move scripts to python3 * bmo#1809627 - Properly link FuzzingEngine for oss-fuzz. * bmo#1805907 - Extending RSA-PSS bltest test coverage (Adding SHA-256 and SHA-384) * bmo#1804091 - NSS needs to move off of DSA for integrity checks * bmo#1805815 - Add initial testing with ACVP vector sets using acvp-rust * bmo#1806369 - Don't clone libFuzzer, rely on clang instead - update to NSS 3.87 * bmo#1803226 - NULL password encoding incorrect * bmo#1804071 - Fix rng stub signature for fuzzing builds * bmo#1803595 - Updating the compiler parsing for build * bmo#1749030 - Modification of supported compilers * bmo#1774654 - tstclnt crashes when accessing gnutls server without a user cert in the database. * bmo#1751707 - Add configuration option to enable source-based coverage sanitizer * bmo#1751705 - Update ECCKiila generated files. * bmo#1730353 - Add support for the LoongArch 64-bit architecture * bmo#1798823 - add checks for zero-length RSA modulus to avoid memory errors and failed assertions later * bmo#1798823 - Additional zero-length RSA modulus checks - Remove nss-fix-bmo1774654.patch which is now upstream - update to NSS 3.86 * bmo#1803190 - conscious language removal in NSS * bmo#1794506 - Set nssckbi version number to 2.60 * bmo#1803453 - Set CKA_NSS_SERVER_DISTRUST_AFTER and CKA_NSS_EMAIL_DISTRUST_AFTER for 3 TrustCor Root Certificates * bmo#1799038 - Remove Staat der Nederlanden EV Root CA from NSS * bmo#1797559 - Remove EC-ACC root cert from NSS * bmo#1794507 - Remove SwissSign Platinum CA - G2 from NSS * bmo#1794495 - Remove Network Solutions Certificate Authority * bmo#1802331 - compress docker image artifact with zstd * bmo#1799315 - Migrate nss from AWS to GCP * bmo#1800989 - Enable static builds in the CI * bmo#1765759 - Removing SAW docker from the NSS build system * bmo#1783231 - Initialising variables in the rsa blinding code * bmo#320582 - Implementation of the double-signing of the message for ECDSA * bmo#1783231 - Adding exponent blinding for RSA. - update to NSS 3.85 * bmo#1792821 - Modification of the primes.c and dhe-params.c in order to have better looking tables * bmo#1796815 - Update zlib in NSS to 1.2.13 * bmo#1796504 - Skip building modutil and shlibsign when building in Firefox * bmo#1796504 - Use __STDC_VERSION__ rather than __STDC__ as a guard * bmo#1796407 - Fix -Wunused-but-set-variable warning from clang 15 * bmo#1796308 - Fix -Wtautological-constant-out-of-range-compare and -Wtype-limits warnings * bmo#1796281 - Followup: add missing stdint.h include * bmo#1796281 - Fix -Wint-to-void-pointer-cast warnings * bmo#1796280 - Fix -Wunused-{function,variable,but-set-variable} warnings on Windows * bmo#1796079 - Fix -Wstring-conversion warnings * bmo#1796075 - Fix -Wempty-body warnings * bmo#1795242 - Fix unused-but-set-parameter warning * bmo#1795241 - Fix unreachable-code warnings * bmo#1795222 - Mark _nss_version_c unused on clang-cl * bmo#1795668 - Remove redundant variable definitions in lowhashtest * Add note about python executable to build instructions. - update to NSS 3.84 * bmo#1791699 - Bump minimum NSPR version to 4.35 * bmo#1792103 - Add a flag to disable building libnssckbi. - update to NSS 3.83 * bmo#1788875 - Remove set-but-unused variables from SEC_PKCS12DecoderValidateBags * bmo#1563221 - remove older oses that are unused part3/ BeOS * bmo#1563221 - remove older unix support in NSS part 3 Irix * bmo#1563221 - remove support for older unix in NSS part 2 DGUX * bmo#1563221 - remove support for older unix in NSS part 1 OSF * bmo#1778413 - Set nssckbi version number to 2.58 * bmp#1785297 - Add two SECOM root certificates to NSS * bmo#1787075 - Add two DigitalSign root certificates to NSS * bmo#1778412 - Remove Camerfirma Global Chambersign Root from NSS * bmo#1771100 - Added bug reference and description to disabled UnsolicitedServerNameAck bogo ECH test * bmo#1779361 - Removed skipping of ECH on equality of private and public server name * bmo#1779357 - Added comment and bug reference to ECHRandomHRRExtension bogo test * bmo#1779370 - Added Bogo shim client HRR test support. Fixed overwriting of CHInner.random on HRR * bmo#1779234 - Added check for server only sending ECH extension with retry configs in EncryptedExtensions and if not accepting ECH. Changed config setting behavior to skip configs with unsupported mandatory extensions instead of failing * bmo# 1771100 - Added ECH client support to BoGo shim. Changed CHInner creation to skip TLS 1.2 only extensions to comply with BoGo * bmo#1771100 - Added ECH server support to BoGo shim. Fixed NSS ECH server accept_confirmation bugs * bmo#1771100 - Update BoGo tests to recent BoringSSL version * bmo#1785846 - Bump minimum NSPR version to 4.34.1 - update to NSS 3.82 * bmo#1330271 - check for null template in sec_asn1{d,e}_push_state * bmo#1735925 - QuickDER: Forbid NULL tags with non-zero length * bmo#1784724 - Initialize local variables in TlsConnectTestBase::ConnectAndCheckCipherSuite * bmo#1784191 - Cast the result of GetProcAddress * bmo#1681099 - pk11wrap: Tighten certificate lookup based on PKCS #11 URI. - update to NSS 3.81 * bmo#1762831 - Enable aarch64 hardware crypto support on OpenBSD * bmo#1775359 - make NSS_SecureMemcmp 0/1 valued * bmo#1779285 - Add no_application_protocol alert handler and test client error code is set * bmo#1777672 - Gracefully handle null nickname in CERT_GetCertNicknameWithValidity * required for Firefox 104 - raised NSPR requirement to 4.34.1 - changing some Requires from (pre) to generic as (pre) is not sufficient (boo#1202118) - update to NSS 3.80 * bmo#1774720 - Fix SEC_ERROR_ALGORITHM_MISMATCH entry in SECerrs.h. * bmo#1617956 - Add support for asynchronous client auth hooks. * bmo#1497537 - nss-policy-check: make unknown keyword check optional. * bmo#1765383 - GatherBuffer: Reduced plaintext buffer allocations by allocating it on initialization. Replaced redundant code with assert. Debug builds: Added buffer freeing/allocation for each record. * bmo#1773022 - Mark 3.79 as an ESR release. * bmo#1764206 - Bump nssckbi version number for June. * bmo#1759815 - Remove Hellenic Academic 2011 Root. * bmo#1770267 - Add E-Tugra Roots. * bmo#1768970 - Add Certainly Roots. * bmo#1764392 - Add DigitCert Roots. * bmo#1759794 - Protect SFTKSlot needLogin with slotLock. * bmo#1366464 - Compare signature and signatureAlgorithm fields in legacy certificate verifier. * bmo#1771497 - Uninitialized value in cert_VerifyCertChainOld. * bmo#1771495 - Unchecked return code in sec_DecodeSigAlg. * bmo#1771498 - Uninitialized value in cert_ComputeCertType. * bmo#1760998 - Avoid data race on primary password change. * bmo#1769063 - Replace ppc64 dcbzl intrinisic. * bmo#1771036 - Allow LDFLAGS override in makefile builds. - Update nss-fips-approved-crypto-non-ec.patch (bsc#1208999) with fixes to PBKDF2 parameter validation. - Update nss-fips-approved-crypto-non-ec.patch (bsc#1208999) to validate extra PBKDF2 parameters according to FIPS 140-3. - Update nss-fips-approved-crypto-non-ec.patch (bsc#1191546) to update session-&gt;lastOpWasFIPS before destroying the key after derivation in the CKM_TLS12_KEY_AND_MAC_DERIVE, CKM_NSS_TLS_KEY_AND_MAC_DERIVE_SHA256, CKM_TLS_KEY_AND_MAC_DERIVE and CKM_SSL3_KEY_AND_MAC_DERIVE cases. - Update nss-fips-pct-pubkeys.patch (bsc#1207209) to remove some excess code. - Update nss-fips-approved-crypto-non-ec.patch (bsc#1191546). - Add nss-fips-pct-pubkeys.patch (bsc#1207209) for pairwise consistency checks. Thanks to Martin for the DHKey parts. - Add manpages to mozilla-nss-tools (bsc#1208242) - update to NSS 3.79.4 (bsc#1208138) * Bug 1804640 - improve handling of unknown PKCS#12 safe bag types. (CVE-2023-0767) - Add upstream patch nss-fix-bmo1774654.patch to fix CVE-2022-3479 (bsc#1204272) - update to NSS 3.79.3 (bsc#1207038) * Bug 1803453 - Set CKA_NSS_SERVER_DISTRUST_AFTER and CKA_NSS_EMAIL_DISTRUST_AFTER for 3 TrustCor Root Certificates (CVE-2022-23491) - Update nss-fips-approved-crypto-non-ec.patch to disapprove the creation of DSA keys, i.e. mark them as not-fips (bsc#1201298) - Update nss-fips-approved-crypto-non-ec.patch to allow the use SHA keygen mechs (bsc#1191546). - Update nss-fips-constructor-self-tests.patch to ensure abort() is called when the repeat integrity check fails (bsc#1198980). Package netcfg was updated: Package nfs-utils was updated: - Add 0032-exportfs-Ingnore-export-failures-in-nfs-server.seriv.patch Inconsistencies in /etc/exports shouldn't be fatal. (bsc#1212594) - Add 0030-systemd-use-correct-modprobe-d-directory SLE15-SP5 an earlier don't use /usr/lib/modprobe.d (bsc#1200710) - Add 0031-mountd-don-t-advertise-krb5-for-v4root-when-not-conf.patch Avoid unhelpful warning if rpcsec_gss_krb5.ko not installed - Add 0028-mount.nfs-always-include-mountpoint-or-spec-if-error.patch boo#1157881 - Add 0029-nfsd.man-fix-typo-in-section-on-scope.patch bsc#1209859 - Allow scope to be set in sysconfig: NFSD_SCOPE - Rename all drop-in options.conf files as 10-options.conf This makes it easier for other packages to over-ride with a drop-in with a later sequence number. resource-agents does this. (bsc#1207843) - 0026-modprobe-avoid-error-messages-if-sbin-sysctl-fail.patch Avoid modprobe errors when sysctl is not installed. (bsc#1200710 bsc#1207022 bsc#1206781) - 0027-nfsd-allow-server-scope-to-be-set-with-config-or-com.patch Add &quot;-S scope&quot; option to rpc.nfsd to simplify fail-over cluster config. (bsc#1203746) - add 0025-nfsdcltrack-getopt_long-fails-on-a-non-x86_64-archs.patch Fix nfsdcltrack bug that affected non-x86 archs. (bsc#1202627) - 0024-systemd-Apply-all-sysctl-settings-when-NFS-related-m.patch Ensure sysctl setting work (bsc#1199856) Package nfsidmap was updated: - 0001-Removed-some-unused-and-set-but-not-used-warnings.patch 0002-Handle-NULL-names-better.patch 0003-Strip-newlines-out-of-IDMAP_LOG-messages.patch 0004-onf_parse_line-Ignore-whitespace-at-the-beginning-of.patch 0005-nss.c-wrong-check-of-return-value.patch 0006-Fixed-a-memory-leak-nss_name_to_gid.patch Various bugfixes and improvemes from upstream In particular, 0001 fixes a crash that can happen when a 'static' mapping is configured. (bnc#1200901) Package openssh was updated: - Add patches from upstream to change the default value of UpdateHostKeys to Yes (unless VerifyHostKeyDNS is enabled). This makes ssh update the known_hosts stored keys with all published versions by the server (after it's authenticated with an existing key), which will allow to identify the server with a different key if the existing key is considered insecure at some point in the future (bsc#1222831). * 0001-upstream-enable-UpdateHostkeys-by-default-when-the.patch * 0002-upstream-disable-UpdateHostkeys-by-default-if.patch - Add patches openssh-7.7p1-seccomp_getuid.patch and openssh-bsc1216474-s390-leave-fds-open.patch (bsc#1216474, bsc#1218871) - Fix hostbased ssh login failing occasionally with &quot;signature unverified: incorrect signature&quot; by fixing a typo in patch (bsc#1221123): * openssh-7.8p1-role-mls.patch - Added openssh-cve-2023-51385.patch (bsc#1218215, CVE-2023-51385). This limits the use of shell metacharacters in host- and user names. - Added openssh-cve-2023-48795.patch (bsc#1217950, CVE-2023-48795). This mitigates a prefix truncation attack that could be used to undermine channel security. - Enhanced SELinux functionality. Added * openssh-7.8p1-role-mls.patch Proper handling of MLS systems and basis for other SELinux improvements * openssh-6.6p1-privsep-selinux.patch Properly set contexts during privilege separation * openssh-6.6p1-keycat.patch Add ssh-keycat command to allow retrival of authorized_keys on MLS setups with polyinstantiation * openssh-6.6.1p1-selinux-contexts.patch Additional changes to set the proper context during privilege separation * openssh-7.6p1-cleanup-selinux.patch Various changes and putting the pieces together For now we don't ship the ssh-keycat command, but we need the patch for the other SELinux infrastructure This change fixes issues like bsc#1214788, where the ssh daemon needs to act on behalf of a user and needs a proper context for this - Add openssh-CVE-2023-38408-PKCS11-execution.patch, Abort if requested to load a PKCS#11 provider that isnt a PKCS#11 provider (bsc#1213504,CVE-2023-38408) - openssh-7.7p1-fips_checks.patch: close the right filedescriptor to avoid fd leads, and also close fdh in read_hmac (bsc#1209536) - Revert addition of openssh-dbus.sh, openssh-dbus.csh, openssh-dbus.fish: This caused invalid and irrelevant environment assignments (bsc#1207014). - Add openssh-dbus.sh, openssh-dbus.csh, openssh-dbus.fish: Make ssh connections update their dbus environment (bsc#1179465). Package pam-config was updated: - Fix pam_gnome_keyring module for AUTH. [pam-config-fix-pam_gnome_keyring.patch, bsc#1219767] Package pam was updated: - Add missing O_DIRECTORY flag in `protect_dir()` for pam_namespace module. [bsc#1218475, pam-bsc1218475-pam_namespace-O_DIRECTORY-flag.patch] - pam_lastlog: check localtime_r() return value (bsc#1217000) * Added: pam-bsc1217000-pam_lastlog-check-localtime_r-return-value.patch Package perl-Bootloader was updated: - merge gh#openSUSE/perl-bootloader#157- bootloader_entry script can have an optional 'force-default' argument (bsc#1215064) - skip warning about unsupported options when in compat mode - 0.945 - merge gh#openSUSE/perl-bootloader#152 - use signed grub EFI binary when updating grub in default EFI location (bsc#1210799) - check whether grub2-install supports --suse-force-signed option - 0.944 - merge gh#openSUSE/perl-bootloader#147 - UEFI: update also default location, if it is controlled by SUSE (bsc#1210799, bsc#1201399) - 0.943 - merge gh#openSUSE/perl-bootloader#142 - use fw_platform_size to distinguish between 32 bit and 64 bit UEFI platforms (bsc#1208003) - 0.942 - merge gh#openSUSE/perl-bootloader#141 - systemd-boot: easier initial setup - 0.941 - merge gh#openSUSE/perl-bootloader#140 - add basic support for systemd-boot - 0.940 Package perl was updated: - fix space calculation issues in pp_pack.c [bnc#1082216] [CVE-2018-6913] * new patch: perl-pack-overflow.diff - fix heap buffer overflow in regexec.c [bnc#1082233] [CVE-2018-6798] new patch: perl-regexec-heap-overflow.diff - make Net::FTP work with TLS 1.3 [bnc#1213638] new patch: perl-net-ftp-tls13.diff - enable TLS cert verification in CPAN [bnc#1210999] [CVE-2023-31484] new patch: perl-cpan_verify_cert.diff Package permissions was updated: - Update to version 20181225: * Backport postfix to SLE-15-SP2 (bsc#1206738) Package psmisc was updated: Package purge-kernels-service was updated: Package python-Jinja2 was updated: - Add CVE-2024-34064.patch upstream patch (CVE-2024-34064, bsc#1223980, gh#pallets/jinja@0668239dc6b4) Also fixes (CVE-2024-22195, bsc#1218722) Package python-certifi was updated: - remove all TrustCor CAs, as TrustCor issued multiple man-in-the-middle certs (bsc#1206212 CVE-2022-23491) - TrustCor RootCert CA-1 - TrustCor RootCert CA-2 - TrustCor ECA-1 - Add removeTrustCor.patch Package python-chardet was updated: Package python-cryptography was updated: - Add CVE-2023-49083.patch to fix A null-pointer-dereference and segfault could occur when loading certificates from a PKCS#7 bundle. bsc#1217592 - Add patch CVE-2023-23931-dont-allow-update-into.patch (bsc#1208036, CVE-2023-23931) * Don't allow update_into to mutate immutable objects - Update in SLE-15 (bsc#1199282, jsc#PM-3243, jsc#SLE-24629) - Update in SLE-15 (bsc#1177083, jsc#PM-2730, jsc#SLE-18312) - Refresh patches for new version + 5507-mitigate-Bleichenbacher-attacks.patch Package python-idna was updated: - Add CVE-2024-3651.patch, backported from upstream commit gh#kjd/idna#172/commits/5beb28b9dd77912c0dd656d8b0fdba3eb80222e7 (bsc#1222842, CVE-2024-3651) Package python-msgpack was updated: - Loose the filelist for the package info to avoid FTBFS on SLE-15-SP5 (bsc#1203743). Package python-packaging was updated: - Update in SLE-15 (bsc#1199282, jsc#PM-3243, jsc#SLE-24629) - Add patch to fix testsuite on big-endian targets + fix-big-endian-build.patch - Ignore python3.6.2 since the test doesn't support it. - update to 21.3: * Add a pp3-none-any tag (gh#pypa/packaging#311) * Replace the blank pyparsing 3 exclusion with a 3.0.5 exclusion (gh#pypa/packaging#481), (gh#pypa/packaging#486) * Fix a spelling mistake (gh#pypa/packaging#479) - update to 21.2: * Update documentation entry for 21.1. * Update pin to pyparsing to exclude 3.0.0. * PEP 656: musllinux support * Drop support for Python 2.7, Python 3.4 and Python 3.5. * Replace distutils usage with sysconfig * Add support for zip files in ``parse_sdist_filename`` * Use cached ``_hash`` attribute to short-circuit tag equality comparisons * Specify the default value for the ``specifier`` argument to ``SpecifierSet`` * Proper keyword-only &quot;warn&quot; argument in packaging.tags * Correctly remove prerelease suffixes from ~= check * Fix type hints for ``Version.post`` and ``Version.dev`` * Use typing alias ``UnparsedVersion`` * Improve type inference for ``packaging.specifiers.filter()`` * Tighten the return type of ``canonicalize_version()`` - Add Provides: for python*dist(packaging): work around boo#1186870 - skip tests failing because of no-legacyversion-warning.patch - add no-legacyversion-warning.patch to restore compatibility with 20.4 - update to 20.9: * Run [isort](https://pypi.org/project/isort/) over the code base (:issue:`377`) * Add support for the ``macosx_10_*_universal2`` platform tags (:issue:`379`) * Introduce ``packaging.utils.parse_wheel_filename()`` and ``parse_sdist_filename()`` - update to 20.8: * Revert back to setuptools for compatibility purposes for some Linux distros (:issue:`363`) * Do not insert an underscore in wheel tags when the interpreter version number is more than 2 digits (:issue:`372`) * Fix flit configuration, to include LICENSE files (:issue:`357`) * Make `intel` a recognized CPU architecture for the `universal` macOS platform tag (:issue:`361`) * Add some missing type hints to `packaging.requirements` (issue:`350`) * Officially support Python 3.9 (:issue:`343`) * Deprecate the ``LegacyVersion`` and ``LegacySpecifier`` classes (:issue:`321`) * Handle ``OSError`` on non-dynamic executables when attempting to resolve the glibc version string. - update to 20.4: * Canonicalize version before comparing specifiers. (:issue:`282`) * Change type hint for ``canonicalize_name`` to return ``packaging.utils.NormalizedName``. This enables the use of static typing tools (like mypy) to detect mixing of normalized and un-normalized names. Package python-psutil was updated: - Update in SLE-15 (bsc#1199282, jsc#PM-3243, jsc#SLE-24629) - Fix tests: setuptools changed the builddir library path and does not find the module from it. Use the installed platlib instead and exclude psutil.tests only later. - Refresh skip-obs.patch Package python-pyasn1 was updated: - To avoid users of this package having to recompile bytecode files, change the mtime of any __init__.py. (bsc#1207805) Package python-py was updated: - Remove all traces of py._path.svn{url,wc}. (bsc#1204364, CVE-2022-42969)- Add patch remove-svn-remants.patch to help with that goal. - Refresh pr_222.patch as needed for above. Package python-requests was updated: - Update CVE-2024-35195.patch to allow the usage of &quot;verify&quot; parameter as a directory, bsc#1225912 - Add CVE-2024-35195.patch (CVE-2024-35195, bsc#1224788) - Add httpbin.patch to fix a test failure caused by the previous patch. - Add CVE-2023-32681.patch to fix unintended leak of Proxy-Authorization header (CVE-2023-32681, bsc#1211674) Upstream commit: gh#psf/requests@74ea7cf7a6a2 - Update in SLE-15 (bsc#1199282, jsc#PM-3243, jsc#SLE-24629) - Don't pin idna&lt;3 in the egg-info so that depending packages can install the new idna dropping python2 - update to 2.25.1: - Requests now treats `application/json` as `utf8` by default. Resolving inconsistencies between `r.text` and `r.json` output. (#5673) - Update in SLE-15 (bsc#1176785, jsc#ECO-3105, jsc#PM-2352) - update to 2.25.0: * Added support for NETRC environment variable. (#5643) * Requests now supports urllib3 v1.26. * Requests v2.25.x will be the last release series with support for Python 3.5. - refreshed requests-no-hardcoded-version.patch Package salt was updated: - Speed up salt.matcher.confirm_top by using __context__- Do not call the async wrapper calls with the separate thread - Prevent OOM with high amount of batch async calls (bsc#1216063) - Add missing contextvars dependency in salt.version - Skip tests for unsupported algorithm on old OpenSSL version - Remove redundant `_file_find` call to the master - Prevent possible exception in tornado.concurrent.Future._set_done - Make reactor engine less blocking the EventPublisher - Make salt-master self recoverable on killing EventPublisher - Improve broken events catching and reporting - Make logging calls lighter - Remove unused import causing delays on starting salt-master - Mark python3-CherryPy as recommended package for the testsuite - Added: * add-missing-contextvars-dependency-in-salt.version.patch * make-reactor-engine-less-blocking-the-eventpublisher.patch * prevent-possible-exception-in-tornado.concurrent.fut.patch * skip-tests-for-unsupported-algorithm-on-old-openssl-.patch * remove-unused-import-causing-delays-on-starting-salt.patch * prevent-oom-with-high-amount-of-batch-async-calls-bs.patch * remove-redundant-_file_find-call-to-the-master.patch * make-logging-calls-lighter.patch * improve-broken-events-catching-and-reporting.patch * do-not-call-the-async-wrapper-calls-with-the-separat.patch * make-salt-master-self-recoverable-on-killing-eventpu.patch * speed-up-salt.matcher.confirm_top-by-using-__context.patch - Make &quot;man&quot; a recommended package instead of required - Convert oscap output to UTF-8 - Make Salt compatible with Python 3.11 - Ignore non-ascii chars in oscap output (bsc#1219001) - Fix detected issues in Salt tests when running on VMs - Make importing seco.range thread safe (bsc#1211649) - Fix problematic tests and allow smooth tests executions on containers - Discover Ansible playbook files as &quot;*.yml&quot; or &quot;*.yaml&quot; files (bsc#1211888) - Provide user(salt)/group(salt) capabilities for RPM 4.19 - Extend dependencies for python3-salt-testsuite and python3-salt packages - Improve Salt and testsuite packages multibuild - Enable multibuilld and create test flavor - Prevent exceptions with fileserver.update when called via state (bsc#1218482) - Improve pip target override condition with VENV_PIP_TARGET environment variable (bsc#1216850) - Fixed KeyError in logs when running a state that fails - Added: * fixed-keyerror-in-logs-when-running-a-state-that-fai.patch * fix-salt-warnings-and-testuite-for-python-3.11-635.patch * discover-both-.yml-and-.yaml-playbooks-bsc-1211888.patch * decode-oscap-byte-stream-to-string-bsc-1219001.patch * fix-tests-failures-and-errors-when-detected-on-vm-ex.patch * allow-kwargs-for-fileserver-roots-update-bsc-1218482.patch * improve-pip-target-override-condition-with-venv_pip_.patch * make-importing-seco.range-thread-safe-bsc-1211649.patch * fix-problematic-tests-and-allow-smooth-tests-executi.patch * switch-oscap-encoding-to-utf-8-639.patch - Prevent directory traversal when creating syndic cache directory on the master (CVE-2024-22231, bsc#1219430) - Prevent directory traversal attacks in the master's serve_file method (CVE-2024-22232, bsc#1219431) - Added: * fix-cve-2024-22231-and-cve-2024-22232-bsc-1219430-bs.patch - Ensure that pillar refresh loads beacons from pillar without restart - Fix the aptpkg.py unit test failure - Prefer unittest.mock to python-mock in test suite - Enable &quot;KeepAlive&quot; probes for Salt SSH executions (bsc#1211649) - Revert changes to set Salt configured user early in the stack (bsc#1216284) - Align behavior of some modules when using salt-call via symlink (bsc#1215963) - Fix gitfs &quot;__env__&quot; and improve cache cleaning (bsc#1193948) - Remove python-boto dependency for the python3-salt-testsuite package for Tumbleweed - Added: * enable-keepalive-probes-for-salt-ssh-executions-bsc-.patch * update-__pillar__-during-pillar_refresh.patch * fix-gitfs-__env__-and-improve-cache-cleaning-bsc-119.patch * prefer-unittest.mock-for-python-versions-that-are-su.patch * revert-make-sure-configured-user-is-properly-set-by-.patch * fix-the-aptpkg.py-unit-test-failure.patch * dereference-symlinks-to-set-proper-__cli-opt-bsc-121.patch - Randomize pre_flight_script path (CVE-2023-34049 bsc#1215157) - Allow all primitive grain types for autosign_grains (bsc#1214477) - Added: * allow-all-primitive-grain-types-for-autosign_grains-.patch * fix-cve-2023-34049-bsc-1215157.patch - Fix optimization_order opt to prevent testsuite fails - Improve salt.utils.json.find_json to avoid fails (bsc#1213293) - Use salt-call from salt bundle with transactional_update - Only call native_str on curl_debug message in tornado when needed - Implement the calling for batch async from the salt CLI - Fix calculation of SLS context vars when trailing dots on targetted sls/state (bsc#1213518) - Rename salt-tests to python3-salt-testsuite - Added: * only-call-native_str-on-curl_debug-message-in-tornad.patch * fix-calculation-of-sls-context-vars-when-trailing-do.patch * use-salt-call-from-salt-bundle-with-transactional_up.patch * implement-the-calling-for-batch-async-from-the-salt-.patch * improve-salt.utils.json.find_json-bsc-1213293.patch * fix-optimization_order-opt-to-prevent-test-fails.patch - Fix inconsistency in reported version by egg-info metadata (bsc#1215489) - Added: * write-salt-version-before-building-when-using-with-s.patch - Revert usage of long running REQ channel to prevent possible missing responses on requests and dublicated responses (bsc#1213960, bsc#1213630, bsc#1213257) - Fix gitfs cachedir basename to avoid hash collisions (bsc#1193948, bsc#1214797, CVE-2023-20898) - Added: * revert-usage-of-long-running-req-channel-bsc-1213960.patch * fixed-gitfs-cachedir_basename-to-avoid-hash-collisio.patch - Make sure configured user is properly set by Salt (bsc#1210994) - Do not fail on bad message pack message (bsc#1213441, CVE-2023-20897) - Fix broken tests to make them running in the testsuite - Prevent possible exceptions on salt.utils.user.get_group_dict (bsc#1212794) - Create minion_id with reproducible mtime - Fix detection of Salt codename by &quot;salt_version&quot; execution module - Fix regression: multiple values for keyword argument 'saltenv' (bsc#1212844) - Fix the regression of user.present state when group is unset (bsc#1212855) - Fix zypper repositories always being reconfigured - Fix utf8 handling in 'pass' renderer and make it more robust - Added: * fix-regression-multiple-values-for-keyword-argument-.patch * fix-tests-to-make-them-running-with-salt-testsuite.patch * mark-salt-3006-as-released-586.patch * make-sure-configured-user-is-properly-set-by-salt-bs.patch * zypper-pkgrepo-alreadyconfigured-585.patch * prevent-possible-exceptions-on-salt.utils.user.get_g.patch * fix-the-regression-of-user.present-state-when-group-.patch * do-not-fail-on-bad-message-pack-message-bsc-1213441-.patch * fix-utf8-handling-in-pass-renderer-and-make-it-more-.patch - Prevent _pygit2.GitError: error loading known_hosts when $HOME is not set (bsc#1210994) - Fix ModuleNotFoundError and other issues raised by salt-support module (bsc#1211591) - tornado: Fix an open redirect in StaticFileHandler (CVE-2023-28370, bsc#1211741) - Added: * 3006.0-prevent-_pygit2.giterror-error-loading-known_.patch * fix-some-issues-detected-in-salt-support-cli-module-.patch * tornado-fix-an-open-redirect-in-staticfilehandler-cv.patch - Make master_tops compatible with Salt 3000 and older minions (bsc#1212516) (bsc#1212517) - Added: * make-master_tops-compatible-with-salt-3000-and-older.patch - Avoid failures due transactional_update module not available in Salt 3006.0 (bsc#1211754) - Added: * define-__virtualname__-for-transactional_update-modu.patch - Avoid conflicts with Salt dependencies versions (bsc#1211612) - Added: * avoid-conflicts-with-dependencies-versions-bsc-12116.patch - Update to Salt release version 3006.0 (jsc#PED-4360) * See release notes: https://docs.saltproject.io/en/latest/topics/releases/3006.0.html - Add missing patch after rebase to fix collections Mapping issues - Add python3-looseversion as new dependency for salt - Add python3-packaging as new dependency for salt - Allow entrypoint compatibility for &quot;importlib-metadata&gt;=5.0.0&quot; (bsc#1207071) - Create new salt-tests subpackage containing Salt tests - Drop conflictive patch dicarded from upstream - Fix SLS rendering error when Jinja macros are used - Fix version detection and avoid building and testing failures - Prevent deadlocks in salt-ssh executions - Require python3-jmespath runtime dependency (bsc#1209233) - Added: * 3005.1-implement-zypper-removeptf-573.patch * control-the-collection-of-lvm-grains-via-config.patch * fix-version-detection-and-avoid-building-and-testing.patch * make-sure-the-file-client-is-destroyed-upon-used.patch * skip-package-names-without-colon-bsc-1208691-578.patch * use-rlock-to-avoid-deadlocks-in-salt-ssh.patch - Modified: * activate-all-beacons-sources-config-pillar-grains.patch * add-custom-suse-capabilities-as-grains.patch * add-environment-variable-to-know-if-yum-is-invoked-f.patch * add-migrated-state-and-gpg-key-management-functions-.patch * add-publish_batch-to-clearfuncs-exposed-methods.patch * add-salt-ssh-support-with-venv-salt-minion-3004-493.patch * add-sleep-on-exception-handling-on-minion-connection.patch * add-standalone-configuration-file-for-enabling-packa.patch * add-support-for-gpgautoimport-539.patch * allow-vendor-change-option-with-zypper.patch * async-batch-implementation.patch * avoid-excessive-syslogging-by-watchdog-cronjob-58.patch * bsc-1176024-fix-file-directory-user-and-group-owners.patch * change-the-delimeters-to-prevent-possible-tracebacks.patch * debian-info_installed-compatibility-50453.patch * dnfnotify-pkgset-plugin-implementation-3002.2-450.patch * do-not-load-pip-state-if-there-is-no-3rd-party-depen.patch * don-t-use-shell-sbin-nologin-in-requisites.patch * drop-serial-from-event.unpack-in-cli.batch_async.patch * early-feature-support-config.patch * enable-passing-a-unix_socket-for-mysql-returners-bsc.patch * enhance-openscap-module-add-xccdf_eval-call-386.patch * fix-bsc-1065792.patch * fix-for-suse-expanded-support-detection.patch * fix-issue-2068-test.patch * fix-missing-minion-returns-in-batch-mode-360.patch * fix-ownership-of-salt-thin-directory-when-using-the-.patch * fix-regression-with-depending-client.ssh-on-psutil-b.patch * fix-salt-ssh-opts-poisoning-bsc-1197637-3004-501.patch * fix-salt.utils.stringutils.to_str-calls-to-make-it-w.patch * fix-the-regression-for-yumnotify-plugin-456.patch * fix-traceback.print_exc-calls-for-test_pip_state-432.patch * fixes-for-python-3.10-502.patch * include-aliases-in-the-fqdns-grains.patch * info_installed-works-without-status-attr-now.patch * let-salt-ssh-use-platform-python-binary-in-rhel8-191.patch * make-aptpkg.list_repos-compatible-on-enabled-disable.patch * make-setup.py-script-to-not-require-setuptools-9.1.patch * pass-the-context-to-pillar-ext-modules.patch * prevent-affection-of-ssh.opts-with-lazyloader-bsc-11.patch * prevent-pkg-plugins-errors-on-missing-cookie-path-bs.patch * prevent-shell-injection-via-pre_flight_script_args-4.patch * read-repo-info-without-using-interpolation-bsc-11356.patch * restore-default-behaviour-of-pkg-list-return.patch * return-the-expected-powerpc-os-arch-bsc-1117995.patch * revert-fixing-a-use-case-when-multiple-inotify-beaco.patch * run-salt-api-as-user-salt-bsc-1064520.patch * run-salt-master-as-dedicated-salt-user.patch * save-log-to-logfile-with-docker.build.patch * switch-firewalld-state-to-use-change_interface.patch * temporary-fix-extend-the-whitelist-of-allowed-comman.patch * update-target-fix-for-salt-ssh-to-process-targets-li.patch * use-adler32-algorithm-to-compute-string-checksums.patch * use-salt-bundle-in-dockermod.patch * x509-fixes-111.patch * zypperpkg-ignore-retcode-104-for-search-bsc-1176697-.patch - Removed: * 3003.3-do-not-consider-skipped-targets-as-failed-for.patch * 3003.3-postgresql-json-support-in-pillar-423.patch * add-amazon-ec2-detection-for-virtual-grains-bsc-1195.patch * add-missing-ansible-module-functions-to-whitelist-in.patch * add-rpm_vercmp-python-library-for-version-comparison.patch * add-support-for-name-pkgs-and-diff_attr-parameters-t.patch * adds-explicit-type-cast-for-port.patch * align-amazon-ec2-nitro-grains-with-upstream-pr-bsc-1.patch * backport-syndic-auth-fixes.patch * batch.py-avoid-exception-when-minion-does-not-respon.patch * check-if-dpkgnotify-is-executable-bsc-1186674-376.patch * clarify-pkg.installed-pkg_verify-documentation.patch * detect-module.run-syntax.patch * do-not-crash-when-unexpected-cmd-output-at-listing-p.patch * enhance-logging-when-inotify-beacon-is-missing-pyino.patch * fix-62092-catch-zmq.error.zmqerror-to-set-hwm-for-zm.patch * fix-crash-when-calling-manage.not_alive-runners.patch * fixes-pkg.version_cmp-on-openeuler-systems-and-a-few.patch * fix-exception-in-yumpkg.remove-for-not-installed-pac.patch * fix-for-cve-2022-22967-bsc-1200566.patch * fix-inspector-module-export-function-bsc-1097531-481.patch * fix-ip6_interface-grain-to-not-leak-secondary-ipv4-a.patch * fix-issues-with-salt-ssh-s-extra-filerefs.patch * fix-jinja2-contextfuntion-base-on-version-bsc-119874.patch * fix-multiple-security-issues-bsc-1197417.patch * fix-salt-call-event.send-call-with-grains-and-pillar.patch * fix-salt.states.file.managed-for-follow_symlinks-tru.patch * fix-state.apply-in-test-mode-with-file-state-module-.patch * fix-test_ipc-unit-tests.patch * fix-the-regression-in-schedule-module-releasded-in-3.patch * fix-wrong-test_mod_del_repo_multiline_values-test-af.patch * fixes-56144-to-enable-hotadd-profile-support.patch * fopen-workaround-bad-buffering-for-binary-mode-563.patch * force-zyppnotify-to-prefer-packages.db-than-packages.patch * ignore-erros-on-reading-license-files-with-dpkg_lowp.patch * ignore-extend-declarations-from-excluded-sls-files.patch * ignore-non-utf8-characters-while-reading-files-with-.patch * implementation-of-held-unheld-functions-for-state-pk.patch * implementation-of-suse_ip-execution-module-bsc-10999.patch * improvements-on-ansiblegate-module-354.patch * include-stdout-in-error-message-for-zypperpkg-559.patch * make-pass-renderer-configurable-other-fixes-532.patch * make-sure-saltcacheloader-use-correct-fileclient-519.patch * mock-ip_addrs-in-utils-minions.py-unit-test-443.patch * normalize-package-names-once-with-pkg.installed-remo.patch * notify-beacon-for-debian-ubuntu-systems-347.patch * refactor-and-improvements-for-transactional-updates-.patch * retry-if-rpm-lock-is-temporarily-unavailable-547.patch * set-default-target-for-pip-from-venv_pip_target-envi.patch * state.apply-don-t-check-for-cached-pillar-errors.patch * state.orchestrate_single-does-not-pass-pillar-none-4.patch * support-transactional-systems-microos.patch * wipe-notify_socket-from-env-in-cmdmod-bsc-1193357-30.patch - Fix problem with detecting PTF packages (bsc#1208691) - Added: * skip-package-names-without-colon-bsc-1208691-578.patch - Fixes pkg.version_cmp on openEuler systems and a few other OS flavors - Make pkg.remove function from zypperpkg module to handle also PTF packages - Added: * fixes-pkg.version_cmp-on-openeuler-systems-and-a-few.patch * 3004-implement-zypper-removeptf-574.patch - Control the collection of lvm grains via config (bsc#1204939) - Added: * control-the-collection-of-lvm-grains-via-config.patch - Pass the context to pillar ext modules - Align Amazon EC2 (Nitro) grains with upstream (bsc#1203685) - Detect module run syntax version - Implement automated patches alignment for the Salt Bundle - Ignore extend declarations from excluded SLS files (bsc#1203886) - Clarify pkg.installed pkg_verify documentation - Enhance capture of error messages for Zypper calls in zypperpkg module - Make pass renderer configurable and fix detected issues - Workaround fopen line buffering for binary mode (bsc#1203834) - Added: * clarify-pkg.installed-pkg_verify-documentation.patch * make-pass-renderer-configurable-other-fixes-532.patch * fopen-workaround-bad-buffering-for-binary-mode-563.patch * align-amazon-ec2-nitro-grains-with-upstream-pr-bsc-1.patch * detect-module.run-syntax.patch * ignore-extend-declarations-from-excluded-sls-files.patch * include-stdout-in-error-message-for-zypperpkg-559.patch * pass-the-context-to-pillar-ext-modules.patch Package python-setuptools was updated: - Add CVE-2022-40897-ReDos.patch to fix Regular Expression Denial of Service (ReDoS) in package_index.py. bsc#1206667 Package python-urllib3 was updated: - Add CVE-2024-37891.patch (bsc#1226469, CVE-2024-37891) - Add CVE-2023-45803.patch (bsc#1216377, CVE-2023-45803) gh#urllib3/urllib3@4e98d57809da - Add CVE-2023-43804.patch (bsc#1215968, CVE-2023-43804) gh#urllib3/urllib3#3139 * Added the Cookie header to the list of headers to strip from requests when redirecting to a different host. As before, different headers can be set via Retry.remove_headers_on_redirect. Package regionServiceClientConfigGCE was updated: - Update to version 4.0.1 (bsc#1217538) + Replace 130.211.242.136.pem and 130.211.88.88.pem certs expiring in 8 years and new length of 4096 These certs will replace the current certs that expire soon Package release-notes-sles was updated: - 15.3.20230301 (tracked in bsc#933411)- Added note about silencing killmode=none (jsc#PED-407) - Added note about by-id/wwn- change (bsc#1188762) - Added note about frr (jsc#SLE-13591) - Added note about ssh-import-id GitHub support (jsc#SLE-20079) - Added note about adcli --dont-expire-password (jsc#SLE-21224) - Added note about NVMe-oF in dracut (jsc#SLE-17091) - Added note about vPMU optimization (jsc#SLE-12687) - Added note about snapper btrfs snapshot cleanup (jsc#SLE-16031) - Added note about redis and bindings (jsc#SLE-11036) - Added note about zram on low-mem devices (jsc#SLE-17630) - Added note about wsmancli moving to basesystem (jsc#SLE-22844) - Added note about scap-security-guide (jsc#SLE-20292) - Added note about libreiserfs removal (jsc#SLE-17723) - Added note about icu 69.1 (jsc#SLE-17893) - Added note about blog 2.26 (jsc#SLE-23233) - Added note about libpwquality-tools (jsc#SLE-23623) - Added note about DFS share failover (jsc#SLE-20042) - Added note about git 2.35.3 (jsc#SLE-23332) - Added note about tcl 8.6.12 (jsc#SLE-21016) - Added note about Rust developer tools (jsc#SLE-23381) - Added note about PostgreSQL 14 (jsc#SLE-20675) - Added note about NodeJS 16 (jsc#SLE-21235) - Added note about strongSwan namespace support (jsc#SLE-17756) - Added note about mariadb-galera (jsc#SLE-22242) - 15.3.20220930 (tracked in bsc#933411) - Added note about SUSEConnect tracking (jsc#SLE-23312) - Added note about BCI minimal container (jsc#SLE-22133) - Added note about BCI containers (jsc#SLE-22144) - Added note about XFS V4 filesystem (bsc#1200646) - 15.3.20220906 (tracked in bsc#933411) - Updated Java lifecycle (jsc#PED-1590) - 15.3.20220831 (tracked in bsc#933411) - Added note about schedutil (bsc#1176440) - Added note about insserv-compat migration failure (bsc#1194837) - Added note about Samba 4.15 (jsc#SLE-23330) Package rsync was updated: - Drop rsync-fix-external-compression.patch, rsync-iconv-segfault.patch - Fix --delay-updates never updates after interruption [bsc#1204538] * Added patch rsync-fix-delay-updates-never-updates-after-interruption.patch Package rsyslog was updated: - fix rsyslog crash in imrelp (bsc#1210286) * add: 0001-Avoid-crash-on-restart-in-imrelp-SIGTTIN-handler.patch - fix segfaults in modExit() of imklog.c (bsc#1211757) * add 0001-imklog-fix-invalid-memory-adressing-could-cause-abor.patch - fix removal of imfile state files (bsc#1213212) * add 0001-fixing-the-deleteStateOnFileDelete-option.patch - fix parsing of legacy config syntax (bsc#1205275) * add: 0001-testbench-add-test-for-legacy-permittedPeer-statemen.patch 0002-imtcp-bugfix-legacy-config-directives-did-no-longer-.patch Package rubygem-nokogiri was updated: - add 003-CVE-2022-24836.patch (CVE-2022-24836, bsc#1198408) fixes possibility to DoS because of inefficient RE in HTML encoding - add 004_CVE-2022-29181.patch (CVE-2022-29181, bsc#1199782) fixes Improper Handling of Unexpected Data Types Package runc was updated: [ This was only ever released for SLES and Leap. ]- Update to runc v1.1.13. Upstream changelog is available from &lt;https://github.com/opencontainers/runc/releases/tag/v1.1.12&gt;. - Rebase patches: * 0001-bsc1221050-libct-seccomp-patchbpf-rm-duplicated-code.patch * 0002-bsc1221050-seccomp-patchbpf-rename-nativeArch-linuxA.patch * 0003-bsc1221050-seccomp-patchbpf-always-include-native-ar.patch - Backport &lt;https://github.com/opencontainers/runc/pull/3931&gt; to fix a performance issue when running lots of containers, caused by system getting too many mount notifications. bsc#1214960 + 0004-bsc1214960-nsenter-cloned_binary-remove-bindfd-logic.patch - Add upstream patch &lt;https://github.com/opencontainers/runc/pull/4219&gt; to properly fix -ENOSYS stub on ppc64le. bsc#1192051 bsc#1221050 + 0001-bsc1221050-libct-seccomp-patchbpf-rm-duplicated-code.patch + 0002-bsc1221050-seccomp-patchbpf-rename-nativeArch-linuxA.patch + 0003-bsc1221050-seccomp-patchbpf-always-include-native-ar.patch - Update to runc v1.1.12. Upstream changelog is available from &lt;https://github.com/opencontainers/runc/releases/tag/v1.1.12&gt;. bsc#1218894 * This release fixes a container breakout vulnerability (CVE-2024-21626). For more details, see the upstream security advisory: &lt;https://github.com/opencontainers/runc/security/advisories/GHSA-xr7r-f8xq-vfvv&gt; * Remove upstreamed patches: - CVE-2024-21626.patch * Update runc.keyring to match upstream changes. [ This was only ever released for SLES. ] - Add upstream patch to fix embargoed issue CVE-2024-21626. bsc#1218894 &lt;https://github.com/opencontainers/runc/security/advisories/GHSA-xr7r-f8xq-vfvv&gt; + CVE-2024-21626.patch - Update to runc v1.1.11. Upstream changelog is available from &lt;https://github.com/opencontainers/runc/releases/tag/v1.1.11&gt;. - Update to runc v1.1.10. Upstream changelog is available from &lt;https://github.com/opencontainers/runc/releases/tag/v1.1.10&gt;. - Update to runc v1.1.9. Upstream changelog is available from &lt;https://github.com/opencontainers/runc/releases/tag/v1.1.9&gt;. - Update to runc v1.1.8. Upstream changelog is available from &lt;https://github.com/opencontainers/runc/releases/tag/v1.1.8&gt;. - Update to runc v1.1.7. Upstream changelog is available from &lt;https://github.com/opencontainers/runc/releases/tag/v1.1.7&gt;. - Update runc.keyring to upstream version. - Update to runc v1.1.6. Upstream changelog is available from &lt;https://github.com/opencontainers/runc/releases/tag/v1.1.6&gt;. - Update to runc v1.1.5. Upstream changelog is available from &lt;https://github.com/opencontainers/runc/releases/tag/v1.1.5&gt;. Includes fixes for the following CVEs: - CVE-2023-25809 bsc#1209884 - CVE-2023-27561 bsc#1208962 - CVE-2023-28642 bsc#1209888 * Fix the inability to use `/dev/null` when inside a container. bsc#1168481 * Fix changing the ownership of host's `/dev/null` caused by fd redirection (a regression in 1.1.1). bsc#1207004 * Fix rare runc exec/enter unshare error on older kernels. * nsexec: Check for errors in `write_log()`. - Drop version-specific Go requirement. Package samba was updated: - Add &quot;net offlinejoin composeodj&quot; command; (bsc#1214076); - CVE-2023-4091: samba: Client can truncate file with read-only permissions; (bsc#1215904); (bso#15439). - CVE-2023-42669: samba: rpcecho, enabled and running in AD DC, allows blocking sleep on request; (bso#1215905); (bso#15474). - CVE-2023-4154: samba: dirsync allows SYSTEM access with only &quot;GUID_DRS_GET_CHANGES&quot; right, not &quot;GUID_DRS_GET_ALL_CHANGES; (bsc#1215908); (bso#15424). - Move libcluster-samba4.so from samba-libs to samba-client-libs; (bsc#1213940); - secure channel faulty since Windows 10/11 update 07/2023; (bso#15418); (bsc#1213384). - CVE-2022-2127: lm_resp_len not checked properly in winbindd_pam_auth_crap_send; (bso#15072); (bsc#1213174). - CVE-2023-34966: Samba Spotlight mdssvc RPC Request Infinite Loop Denial-of-Service Vulnerability; (bso#15340); (bsc#1213173). - CVE-2023-34967: Samba Spotlight mdssvc RPC Request Type Confusion Denial-of-Service Vulnerability; (bso#15341); (bsc#1213172). - CVE-2023-34968: Spotlight server-side Share Path Disclosure; (bso#15388); (bsc#1213171). - CVE-2023-0922: Samba AD DC admin tool samba-tool sends passwords in cleartext; (bso#15315); (bsc#1209481). - CVE-2023-0225: Samba AD DC &quot;dnsHostname&quot; attribute can be deleted by unprivileged authenticated users; (bso#15276); (bsc#1209483). - CVE-2023-0614: samba: Access controlled AD LDAP attributes can be discovered; (bso#15270); (bsc#1209485). - Prevent use after free of messaging_ctdb_fde_ev structs; (bso#15293); (bsc#1207416). - CVE-2022-38023 Additional patches for the PDC role's netlogon server; (bso#15240); (bsc#1206504); - CVE-2021-20251: samba: Bad password count not incremented atomically; (bso#14611); (bsc#1206546). - Update to 4.15.13 * CVE-2022-37966 rc4-hmac Kerberos session keys issued to modern servers; (bso#15237); (bsc#1205385); * CVE-2022-37967 Kerberos constrained delegation ticket forgery possible against Samba AD DC; (bso#15231); (bsc#1205386); * CVE-2022-38023 RC4/HMAC-MD5 NetLogon Secure Channel is weak and should be avoided; (bso#15240); (bsc#1206504); * filter-subunit is inefficient with large numbers of knownfails; (bso#15258); * The KDC logic arround msDs-supportedEncryptionTypes differs from Windows; (bso#13135); * Windows 11 22H2 and Samba-AD 4.15 Kerberos login issue; (bso#15197); - Remove the systemd drop-in file for named service to allow read/write access to the DLZ directory as bind is not using systemd filesystem namespaces but bind-chrootenv; (bsc#1205946); - Install a systemd drop-in file for named service to allow read/write access to the DLZ directory; (bsc#1201689); - Update to 4.15.12 * CVE-2022-42898: samba: heimdal: Samba buffer overflow vulnerabilities on 32-bit systems; (bso#15203); (bsc#1205126). - Update to 4.15.11 * Allow rebuild of Centos 8 images after move to vault for Samba 4.15; (bso#15193). * CVE-2022-3437: samba: Buffer overflow in Heimdal unwrap_des3(); (bso#15134); (bsc#1204254) - Update to 4.15.10 * Possible use after free of connection_struct when iterating smbd_server_connection-&gt;connections; (bso#15128); (bsc#1200102). * smbXsrv_connection_shutdown_send result leaked; (bso#15174). * Spotlight RPC service returns wrong response when Spotlight is disabled on a share; (bso#15086). * acl_xattr VFS module may unintentionally use filesystem permissions instead of ACL from xattr; (bso#15126). * Missing SMB2-GETINFO access checks from MS-SMB2 3.3.5.20.1; (bso#15153). * assert failed: !is_named_stream(smb_fname)&quot;) at ../../lib/util/fault.c:197; (bso#15161). * Missing READ_LEASE break could cause data corruption; (bso#15148). * rpcclient can crash using setuserinfo(2); (bso#15124). * Samba fails to build with glibc 2.36 caused by including &lt;sys/mount.h&gt; in libreplace; (bso#15132). * SMB1 negotiation can fail to handle connection errors; (bso#15152). * samba-tool domain join segfault when joining a samba ad domain; (bso#15078). - Update to 4.15.9 * CVE-2022-32742:SMB1 code does not correct verify SMB1write, SMB1write_and_close, SMB1write_and_unlock lengths; (bso#15085); (bsc#1201496). * CVE-2022-32746: samba: Use-after-free occurring in database audit logging; (bso#15009); (bso#15096); (bsc#1201490). * CVE-2022-2031: samba, ldb: AD users can bypass certain restrictions associated with changing passwords; (bso#15047); (bsc#1201495); * CVE-2022-32745: samba: ldb: AD users can crash the server process with an LDAP add or modify request; (bso#15008); (bso#15096); (bsc#1201492). * CVE-2022-2031: samba, ldb: AD users can bypass certain restrictions associated with changing passwords; (bso#15047); (bsc#1201495); * CVE-2022-32744: samba, ldb: AD users can forge password change requests for any user; (bso#15074); (bso#15047); (bsc#1201493). - CVE-2022-1615: Do not ignore errors in random number generation; (bso#15103); (bsc#1202976); - CVE-2022-32743: Implement validated dnsHostName write rights; (bso#14833); (bsc#1202803); - Fix Use after free when iterating smbd_server_connection-&gt;connections after tree disconnect failure; (bso#15128); (bsc#1200102). Package sed was updated: - 0001-sed-set-correct-umask-on-temporary-files.patch Fix for bsc#1221218 Package 000release-packages:sle-module-basesystem-release was updated: Package 000release-packages:sle-module-public-cloud-release was updated: Package 000release-packages:sle-module-server-applications-release was updated: Package sudo was updated: - Fix NOPASSWD issue introduced by patches for CVE-2023-42465 [bsc#1221151, bsc#1221134] * Update sudo-CVE-2023-42465-1of2.patch sudo-CVE-2023-42465-2of2.patch * Enable running regression selftests during build time. - Security fix: [bsc#1219026, bsc#1220389, CVE-2023-42465] * Try to make sudo less vulnerable to ROWHAMMER attacks. * Add sudo-CVE-2023-42465-1of2.patch sudo-CVE-2023-42465-2of2.patch - Fix CVE-2023-28486, sudo does not escape control characters in log messages, (CVE-2023-28486, bsc#1209362) * Add sudo-CVE-2023-28486.patch - Fix CVE-2023-28487, sudo does not escape control characters in sudoreplay output (CVE-2023-28487, bsc#1209361) - sudo-dont-enable-read-after-pty_finish.patch * bsc#1203201 * Do not re-enable the reader when flushing the buffers as part of pty_finish(). * While sudo-observe-SIGCHLD patch applied earlier prevents a race condition from happening, this fixes a related buffer hang. - Added sudo-fix_NULL_deref_RunAs.patch * bsc#1206483 * Fix a situation where &quot;sudo -U otheruser -l&quot; would dereference a NULL pointer. - Added sudo-CVE-2023-22809.patch * CVE-2023-22809 * bsc#1207082 * Prevent '--' in the EDITOR environment variable which can allow users to edit sensitive files as root. - Added sudo-utf8-ldap-schema.patch * Change sudo-ldap schema from ASCII to UTF8. * Fixes bsc#1197998 * Credit to William Brown &lt;william.brown@suse.com&gt; * https://github.com/sudo-project/sudo/pull/163 - Added sudo-observe-SIGCHLD.patch * Make sure SIGCHLD is not ignored when sudo is executed; fixes race condition. * bsc#1203201 * Sourced from https://github.com/sudo-project/sudo/commit/727056e - Added sudo-CVE-2022-43995.patch * CVE-2022-43995 * bsc#1204986 * Fixed a potential heap-based buffer over-read when entering a password of seven characters or fewer and using the crypt() password backend. - Fixed an issue where some redundant entries in a sudo configuration file caused freed memory to be accessed in the error message thus wrong information was output in the error message. * [bsc#1190818] * Added [sudo-1.9.5p2-no_free_alias_name.patch] Sourced from the following git commit hashes: | 9ed14870c Add garbage collection to the sudoers parser to clean up on error. This makes it possible to avoid memory leaks when there is a parse error. | bdb02b1ef Got back to calling alias_free() on alias_add() failure. We now need to remove the name and members from the leak list * before* calling alias_add() since alias_add() will consume them for both success and failure. | b4cabdb39 Don't free the alias name in alias_add() if the alias already exists. We need to be able to display it using alias_error(). Only free what we actually allocated in alias_add() on error and let the caller handle cleanup. Note that we cannot completely fill in the alias until it is inserted. Otherwise, we will have modified the file and members parameters even if there was an error. As a result, we have to remove those from the leak list after alias_add(), not before. Package supportutils-plugin-suse-public-cloud was updated: - Update to version 1.0.9 (bsc#1218762, bsc#1218763) + Remove duplicate data collection for the plugin itself + Collect archive metering data when available + Query billing flavor status - Update to version 1.0.8 (bsc#1213951) + Capture CSP billing adapter config and log (issue#13) + Accept upper case Amazon string in DMI table (issue#12) - Update to version 1.0.7 (bsc#1209026) + Include information about the cached registration data + Collect the data that is sent to the update infrastructure during registration Package supportutils was updated: - Changes in version 3.1.30 + Added -V key:value pair option (bsc#1222021, PED-8211) + Avoid getting duplicate kernel verifications in boot.text (pr#193) + Suppress file descriptor leak warnings from lvm commands (pr#192, bsc#1220082) + Includes container log timestamps (pr#197) - Changes to version 3.1.29 + Extended scaling for performance (bsc#1214713) + Fixed kdumptool output error (bsc#1218632) + Corrected podman ID errors (bsc#1218812) + Duplicate non root podman entries removed (bsc#1218814) + Corrected get_sles_ver for SLE Micro (bsc#1219241) + Check nvidida-persistenced state (bsc#1219639) - Additional changes in version 3.1.28 + ipset - List entries for all sets + ipvsadm - Inspect the virtual server table (pr#185) + Correctly detects Xen Dom0 (bsc#1218201) + Fixed smart disk error (bsc#1218282) - Changes in version 3.1.28 + Inhibit the conversion of port numbers to port names for network files (cherry picked from commit 55f5f716638fb15e3eb1315443949ed98723d250) + powerpc: collect rtas_errd.log and lp_diag.log files (pr#175) + Get list of pam.d file (cherry picked from commit eaf35c77fd4bc039fd7e3d779ec1c2c6521283e2) + Remove supportutils requires for util-linux-systemd and kmod (bsc#1193173) + Added missing klp information to kernel-livepatch.txt (bsc#1216390) + Fixed plugins creating empty files when using supportconfig.rc (bsc#1216388) + Provides long listing for /etc/sssd/sssd.conf (bsc#1211547) + Optimize lsof usage (bsc#1183663) + Added mokutil commands for secureboot (pr#179) + Collects chrony or ntp as needed (bsc#1196293) - Changes in version 3.1.27 + Fixed podman display issue (bsc#1217287) + Added nvme-stas configuration to nvme.txt (bsc#1216049) + Added timed command to fs-files.txt (bsc#1216827) + Collects zypp history file issue#166 (bsc#1216522) + Changed -x OPTION to really be exclude only (issue#146) + Collect HA related rpm package versions in ha.txt (pr#169) - Changes in version 3.1.26 + powerpc plugin to collect the slots and active memory (bsc#1210950) + A Cleartext Storage of Sensitive Information vulnerability CVE-2022-45154 + supportconfig: collect BPF information (pr#154) + Added additional iscsi information (pr#155) - Added run time detection (bsc#1213127) - ha_info sle15 uses /var/log/pacemaker/ (pq#153) - Changes for supportutils version 3.1.25 + Removed iSCSI passwords CVE-2022-45154 (bsc#1207598) + powerpc: Collect lsslot,amsstat, and opal elogs (pr#149) + powerpc: collect invscout logs (pr#150) + powerpc: collect RMC status logs (pr#151) + Added missing nvme nbft commands (bsc#1211599) + Fixed invalid nvme commands (bsc#1211598) + Added missing podman information (PED-1703, bsc#1181477) + Removed dependency on sysfstools + Check for systool use (bsc#1210015) + Added selinux checking (bsc#1209979) + Updated SLES_VER matrix - Fixed missing status detail for apparmor (bsc#1196933) - Corrected invalid argument list in docker.txt (bsc#1206608) - Applies limit equally to sar data and text files (bsc#1207543) - Collects hwinfo hardware logs (bsc#1208928) - Collects lparnumascore logs (issue#148) - Add dependency to `numactl` on ppc64le and `s390x`, this enforces that `numactl --hardware` data is provided in supportconfigs - Changes to supportconfig.rc version 3.1.11-35 + Corrected _sanitize_file to include iscsi.conf and others (bsc#1206402) - Changes to supportconfig version 3.1.11-46.4 + Added plymouth_info - Changes to getappcore version 1.53.02 + The location of chkbin was updated earlier. This documents that change (bsc#1205533, bsc#1204942) - Changes to supportconfig version 3.1.11-46.3 + Added missed sanitation check on crash.txt (bsc#1203818) - Changes to supportconfig.rc version 3.1.11-30 + Added check to _sanitize_file + Using variable for replement text in _sanitize_file - Added lifecycle information (issue#140) - Changes to version 3.1.21 + Added type output with df command in fs-diskio.txt (issue#141) + Gather all files in /etc/security/limits.d/ (issue#142) + Fixed KVM virtualization detection on bare metal (bsc#1184689) + Added logging using journalctl (bsc#1200330) + Passwords correctly removed from email.txt, updates.txt and fs-iscsi.txt (bsc#1203818) + Added system logging configuration and checking in messages_config.txt (issue#103) + If rsyslog not installed collect more from journalctl (issue#120) + Added systemd-status.txt for the status of all service units (issue#125) + autofs includes files in (+dir:&lt;path&gt;) (issue#111) + Get current sar data before collecting files (bsc#1192648) + Collects everything in /etc/multipath/ (bsc#1192252) + Collects power management information in hardware.txt (bsc#1197428) + Checks for suseconnect-ng or SUSEConnect packages (bsc#1202337) + Fixed conf_files and conf_text_files so y2log is gathered (issue#134, bsc#1202269) + Update to nvme_info and block_info #133 (bsc#1202417) + Added IO scheduler (issue#136) + Added includedir directories from /etc/sudoers (bsc#1188086) - Added a listing to /dev/mapper/. #129 Package suse-build-key was updated: - added missing ; in shell script (bsc#1227681) - Added new keys of the SLE Micro 6.0 / SLES 16 series, and auto import them. (bsc#1227429) gpg-pubkey-09d9ea69-645b99ce.asc: Main SLE Micro 6/SLES 16 key gpg-pubkey-73f03759-626bd414.asc: Backup SLE Micro 6/SLES 16 key. - Switch container key to be default RSA 4096bit. (jsc#PED-2777) - run rpm commands in import script only when libzypp is not active. bsc#1219189 bsc#1219123 - run import script also in %posttrans section, but only when libzypp is not active. bsc#1219189 bsc#1219123 - replace libzypp-post-script based installation with a systemd timer and service. - suse-build-key-import.service - suse-build-key-import.timer - add and run a import-suse-build-key scripts, this will be ran after installation with libzypp based installers. (jsc#PED-2777) - Establish multiple new 4096 RSA keys that we will switch to mid of 2023. (jsc#PED-2777) - gpg-pubkey-3fa1d6ce-63c9481c.asc: new 4096 RSA signing key for SLE (RPM+repos). - gpg-pubkey-d588dc46-63c939db.asc: new 4096 RSA reserver key for SLE (RPM+repos). - suse_ptf_key_4096.asc: new 4096 RSA signing key for PTF RPMs. - build-container-8fd6c337-63c94b45.asc/build-container-8fd6c337-63c94b45.pem: new RSA 4096 key for the SUSE registry registry.suse.com, installed as suse-container-key-2023.pem and suse-container-key-2023.asc - suse_ptf_containerkey_2023.asc suse_ptf_containerkey_2023.pem: New PTF container signing key for registry.suse.com/ptf/ space. - added /usr/share/pki/containers directory for container pem keys (cosign/sigstore style), put our PEM key there too (bsc#1204706) Package suse-module-tools was updated: - Update to version 15.3.18: * rpm-script: add symlink /boot/.vmlinuz.hmac (bsc#1217775) - Update to version 15.3.17: * blacklist RNDIS modules (bsc#1205767, jsc#PED-5731, CVE-2023-23559) * modprobe.conf: Blacklist cls_tcindex module (bsc#1210335, CVE-2023-1829) - Update to version 15.3.16: * modprobe.conf: s390x: remove softdep on fbcon (boo#1207853) Package systemd-default-settings was updated: - Import 0.10 5088997 SLE: Disable pids controller limit under user instances (jsc#SLE-10123) - Import 0.9 bb859bf user@.service: Disable controllers by default (jsc#PED-2276) - The usage of drop-ins is now the official way for configuring systemd and its various daemons on Factory/ALP. Hence the early drop-ins SUSE specific &quot;feature&quot; has been abandoned. - Import 0.8 f34372f User priority '26' for SLE-Micro c8b6f0a Revert &quot;Convert more drop-ins into early ones&quot; - Import commit 6b8dde1d4f867aff713af6d6830510a84fad58d2 6b8dde1 Convert more drop-ins into early ones Package systemd-presets-branding-SLE was updated: Package systemd-presets-common-SUSE was updated: - Split hcn-init.service to hcn-init-NetworkManager and hcn-init-wicked (bsc#1200731 ltc#198485 https://github.com/ibm-power-utilities/powerpc-utils/pull/84) Support both the old and new service to avoid complex version interdependency. - Enable systemd-pstore.service by default (jsc#PED-2663) Package tar was updated: - Fix CVE-2023-39804, Incorrectly handled extension attributes in PAX archives can lead to a crash, bsc#1217969 * fix-CVE-2023-39804.patch - Fix CVE-2022-48303, tar has a one-byte out-of-bounds read that results in use of uninitialized memory for a conditional jump (CVE-2022-48303, bsc#1207753) * fix-CVE-2022-48303.patch - Fix hang when unpacking test tarball, bsc#1202436 * remove bsc1202436.patch * bsc1202436-1.patch * bsc1202436-1.patch - Fix hang when unpacking test tarball, bsc#1202436 * bsc1202436.patch - Fix unexpected inconsistency when making directory, bsc#1203600 * tar-avoid-overflow-in-symlinks-tests.patch * tar-fix-extract-unlink.patch - Update race condition fix, bsc#1200657 * tar-fix-race-condition.patch - Refresh bsc1200657.patch Package tcl was updated: - [bsc#1206623], tcl-string-compare.patch: Fix [string compare -length] on big endian and improve [string equal] on little endian. - Fix a race condition in test socket-13.1 (tcl-test-socket-13.1.patch). - Remove the SQLite extension and package it as a subpackage of sqlite3 to have only a single copy and keep it more up to date (bsc#1195773). - Clean up the lib dependencies in tclConfig.sh and tcl.pc. Package timezone was updated: - update to 2024a: * Kazakhstan unifies on UTC+5. This affects Asia/Almaty and Asia/Qostanay which together represent the eastern portion of the country that will transition from UTC+6 on 2024-03-01 at 00:00 to join the western portion. (Thanks to Zhanbolat Raimbekov.) * Palestine springs forward a week later than previously predicted in 2024 and 2025. (Thanks to Heba Hamad.) Change spring-forward predictions to the second Saturday after Ramadan, not the first; this also affects other predictions starting in 2039. * Asia/Ho_Chi_Minh's 1955-07-01 transition occurred at 01:00 not 00:00. (Thanks to Đoàn Trần Công Danh.) * From 1947 through 1949, Toronto's transitions occurred at 02:00 not 00:00. (Thanks to Chris Walton.) * In 1911 Miquelon adopted standard time on June 15, not May 15. * The FROM and TO columns of Rule lines can no longer be &quot;minimum&quot; or an abbreviation of &quot;minimum&quot;, because TZif files do not support DST rules that extend into the indefinite past - although these rules were supported when TZif files had only 32-bit data, this stopped working when 64-bit TZif files were introduced in 1995. This should not be a problem for realistic data, since DST was first used in the 20th century. As a transition aid, FROM columns like &quot;minimum&quot; are now diagnosed and then treated as if they were the year 1900; this should suffice for TZif files on old systems with only 32-bit time_t, and it is more compatible with bugs in 2023c-and-earlier localtime.c. (Problem reported by Yoshito Umaoka.) * localtime and related functions no longer mishandle some timestamps that occur about 400 years after a switch to a time zone with a DST schedule. In 2023d data this problem was visible for some timestamps in November 2422, November 2822, etc. in America/Ciudad_Juarez. (Problem reported by Gilmore Davidson.) * strftime %s now uses tm_gmtoff if available. (Problem and draft patch reported by Dag-Erling Smørgrav.) * The strftime man page documents which struct tm members affect which conversion specs, and that tzset is called. (Problems reported by Robert Elz and Steve Summit.) - update to 2023d: * Ittoqqortoormiit, Greenland changes time zones on 2024-03-31. * Vostok, Antarctica changed time zones on 2023-12-18. * Casey, Antarctica changed time zones five times since 2020. * Code and data fixes for Palestine timestamps starting in 2072. * A new data file zonenow.tab for timestamps starting now. * Fix predictions for DST transitions in Palestine in 2072-2075, correcting a typo introduced in 2023a. * Vostok, Antarctica changed to +05 on 2023-12-18. It had been at +07 (not +06) for years. * Change data for Casey, Antarctica to agree with timeanddate.com, by adding five time zone changes since 2020. Casey is now at +08 instead of +11. * Much of Greenland, represented by America/Nuuk, changed its standard time from -03 to -02 on 2023-03-25, not on 2023-10-28. * localtime.c no longer mishandles TZif files that contain a single transition into a DST regime. Previously, it incorrectly assumed DST was in effect before the transition too. * tzselect no longer creates temporary files. * tzselect no longer mishandles the following: * Spaces and most other special characters in BUGEMAIL, PACKAGE, TZDIR, and VERSION. * TZ strings when using mawk 1.4.3, which mishandles regular expressions of the form /X{2,}/. * ISO 6709 coordinates when using an awk that lacks the GNU extension of newlines in -v option-arguments. * Non UTF-8 locales when using an iconv command that lacks the GNU //TRANSLIT extension. * zic no longer mishandles data for Palestine after the year 2075. - Refresh tzdata-china.diff - timezone update 2023c: * Revert changes made in 2023b - timezone update 2023b: * Lebanon delays the start of DST this year. - timezone update 2023a: * Egypt now uses DST again, from April through October. * This year Morocco springs forward April 23, not April 30. * Palestine delays the start of DST this year. * Much of Greenland still uses DST from 2024 on. * America/Yellowknife now links to America/Edmonton. * tzselect can now use current time to help infer timezone. * The code now defaults to C99 or later. - Refresh tzdata-china.diff - timezone update 2022g (bsc#1177460): * In the Mexican state of Chihuahua, the border strip near the US will change to agree with nearby US locations on 2022-11-30. The strip's western part, represented by Ciudad Juárez, switches from -06 all year to -07/-06 with US DST rules, like El Paso, TX. The eastern part, represented by Ojinaga, will observe US DST next year, like Presidio, TX. A new Zone America/Ciudad_Juarez splits from America/Ojinaga. * Much of Greenland, represented by America/Nuuk, stops observing winter time after March 2023, so its daylight saving time becomes standard time. * Changes for pre-1996 northern Canada * Update to past DST transition in Colombia (1993), Singapore (1981) * timegm is now supported by default - timezone update 2022f (bsc#1177460): * Mexico will no longer observe DST except near the US border * Chihuahua moves to year-round -06 on 2022-10-30 * Fiji no longer observes DST * Move links to 'backward' * In vanguard form, GMT is now a Zone and Etc/GMT a link * zic now supports links to links, and vanguard form uses this * Simplify four Ontario zones * Fix a Y2438 bug when reading TZif data * Enable 64-bit time_t on 32-bit glibc platforms * Omit large-file support when no longer needed * In C code, use some C23 features if available * Remove no-longer-needed workaround for Qt bug 53071 - Refreshed patches: * fat.patch * tzdata-china.diff - timezone update 2022e (bsc#1177460): * Jordan and Syria switch from +02/+03 with DST to year-round +03 - timezone update 2022d: * Palestine transitions are now Saturdays at 02:00 * Simplify three Ukraine zones into one - timezone update 2022c: * Work around awk bug * Improve tzselect on intercontinental Zones - timezone update 2022b: * Chile's DST is delayed by a week in September 2022 boo#1202324 * Iran no longer observes DST after 2022 * Rename Europe/Kiev to Europe/Kyiv * New zic -R option * Vanguard form now uses %z * Finish moving duplicate-since-1970 zones to 'backzone' - Refresh tzdata-china.diff - Remove upstreamed bsc1202310.patch Package util-linux-systemd was updated: - Properly neutralize escape sequences in wall (util-linux-CVE-2024-28085.patch, bsc#1221831, CVE-2024-28085, and its prerequisites: util-linux-fputs_careful1.patch, util-linux-wall-migrate-to-memstream.patch util-linux-fputs_careful2.patch). - Add upstream patch util-linux-libuuid-avoid-truncate-clocks.txt-to-improve-perform.patch bsc#1207987 gh#util-linux/util-linux@1d98827edde4 - Add upstream patch fix-lib-internal-cache-size.patch bsc#1210164, gh#util-linux/util-linux@2fa4168c8bc9 - Fix tests not passing when '@' character is in build path: Fixes rpmbuild %checks fail when @ in the directory path (bsc#1194038). - Add util-linux-fix-tests-when-at-symbol-in-path.patch - libuuid continuous clock handling for time based UUIDs: Prevent use of the new libuuid ABI by uuidd %post before update of libuuid1 (bsc#1205646). - util-linux-uuidd-prevent-root-owning.patch: Use chown --quiet to prevent error message if /var/lib/libuuid/clock.txt does not exist. - Fix file conflict during upgrade (boo#1204211). - libuuid improvements (bsc#1201959, PED-1150): * libuuid: Fix range when parsing UUIDs (util-linux-libuuid-uuid_parse-overrun.patch). * Improve cache handling for short running applications-increment the cache size over runtime (util-linux-libuuid-improve-cache-handling.patch). * Implement continuous clock handling for time based UUIDs (util-linux-libuuid-continuous-clock-handling.patch). * Check clock value from clock file to provide seamless libuuid update (util-linux-libuuid-check-clock-value.patch). Package vim was updated: - Updated to version 9.1 with patch level 0330, fixes the following problems * Fixing bsc#1220763 - vim gets Segmentation fault after updating to version 9.1.0111-150500.20.9.1 - refreshed vim-7.3-filetype_spec.patch - refreshed vim-7.3-filetype_ftl.patch - Update spec.skeleton to use autosetup in place of setup macro. - for the complete list of changes see https://github.com/vim/vim/compare/v9.1.0111...v9.1.0330 - Updated to version 9.1 with patch level 0111, fixes the following security problems * Fixing bsc#1217316 (CVE-2023-48231) - VUL-0: CVE-2023-48231: vim: Use-After-Free in win_close() * Fixing bsc#1217320 (CVE-2023-48232) - VUL-0: CVE-2023-48232: vim: Floating point Exception in adjust_plines_for_skipcol() * Fixing bsc#1217321 (CVE-2023-48233) - VUL-0: CVE-2023-48233: vim: overflow with count for :s command * Fixing bsc#1217324 (CVE-2023-48234) - VUL-0: CVE-2023-48234: vim: overflow in nv_z_get_count * Fixing bsc#1217326 (CVE-2023-48235) - VUL-0: CVE-2023-48235: vim: overflow in ex address parsing * Fixing bsc#1217329 (CVE-2023-48236) - VUL-0: CVE-2023-48236: vim: overflow in get_number * Fixing bsc#1217330 (CVE-2023-48237) - VUL-0: CVE-2023-48237: vim: overflow in shift_line * Fixing bsc#1217432 (CVE-2023-48706) - VUL-0: CVE-2023-48706: vim: heap-use-after-free in ex_substitute * Fixing bsc#1219581 (CVE-2024-22667) - VUL-0: CVE-2024-22667: vim: stack-based buffer overflow in did_set_langmap function in map.c * Fixing bsc#1215005 (CVE-2023-4750) - VUL-0: CVE-2023-4750: vim: Heap use-after-free in function bt_quickfix - for the complete list of changes see https://github.com/vim/vim/compare/v9.0.2103...v9.1.0111 - Updated to version 9.0 with patch level 2103, fixes the following security problems * Fixing bsc#1215940 (CVE-2023-5344) - VUL-0: CVE-2023-5344: vim: Heap-based Buffer Overflow in vim prior to 9.0.1969. * Fixing bsc#1216001 (CVE-2023-5441) - VUL-0: CVE-2023-5441: vim: segfault in exmode when redrawing * Fixing bsc#1216167 (CVE-2023-5535) - VUL-0: CVE-2023-5535: vim: use-after-free from buf_contents_changed() * Fixing bsc#1216696 (CVE-2023-46246) - VUL-0: CVE-2023-46246: vim: Integer Overflow in :history command - for the complete list of changes see https://github.com/vim/vim/compare/v9.0.1894...v9.0.2103 - Updated to version 9.0 with patch level 1894, fixes the following security problems * Fixing bsc#1214922 (CVE-2023-4738) - VUL-0: CVE-2023-4738: vim: heap-buffer-overflow in vim_regsub_both * Fixing bsc#1214924 (CVE-2023-4735) - VUL-0: CVE-2023-4735: vim: OOB Write ops.c * Fixing bsc#1214925 (CVE-2023-4734) - VUL-0: CVE-2023-4734: vim: segmentation fault in function f_fullcommand * Fixing bsc#1215004 (CVE-2023-4733) - VUL-0: CVE-2023-4733: vim: use-after-free in function buflist_altfpos * Fixing bsc#1215006 (CVE-2023-4752) - VUL-0: CVE-2023-4752: vim: Heap Use After Free in function ins_compl_get_exp * Fixing bsc#1215033 (CVE-2023-4781) - VUL-0: CVE-2023-4781: vim: heap-buffer-overflow in function vim_regsub_both - drop patches: disable-unreliable-tests.patch ignore-flaky-test-failure.patch vim-8.1.0297-dump3.patch - dropped %check - most of tests didn't work correctly in OBS and maintenance burden of this was getting too big - for the complete list of changes see https://github.com/vim/vim/compare/v9.0.1632...v9.0.1894 - Use app icon generated from vimlogo.eps in source tarball; add higher res icons of sizes 128, 256, and 512px as png sources. Our current icons deviate from upstream flatpaks for example. - Updated to version 9.0 with patch level 1632 - for the complete list of changes see https://github.com/vim/vim/compare/v9.0.1443...v9.0.1632 - Updated to version 9.0 with patch level 1572, fixes the following security problems * Fixing bsc#1210996 (CVE-2023-2426) - VUL-0: CVE-2023-2426: vim: Use of Out-of-range Pointer Offset in GitHub repository vim/vim prior to 9.0.1499. * Fixing bsc#1211256 (CVE-2023-2609) - VUL-1: CVE-2023-2609: vim: NULL Pointer Dereference prior to 9.0.1531 * Fixing bsc#1211257 (CVE-2023-2610) - VUL-1: CVE-2023-2610: vim: Integer Overflow or Wraparound prior to 9.0.1532 - for the complete list of changes see https://github.com/vim/vim/compare/v9.0.1443...v9.0.1572 - Fixing bsc#1211461 - L3: vim &quot;eats&quot; first character from prompt in xterm * Add: reorder-exit-raw-mode.patch * Swaps out_str_t_TE() and cursor_on() during exit to prevent missing characters in xterm prompt on exit. - Fixing bsc#1211144 - [Build 96.1] openQA test fails in zypper_migration - conflict between xxd and vim * Revert the creation standalone xxd packages - Updated to version 9.0 with patch level 1443, fixes the following security problems * Fixing bsc#1209042 (CVE-2023-1264) - VUL-0: CVE-2023-1264: vim: NULL Pointer Dereference vim prior to 9.0.1392 * Fixing bsc#1209187 (CVE-2023-1355) - VUL-0: CVE-2023-1355: vim: NULL Pointer Dereference prior to 9.0.1402. * Fixing bsc#1208828 (CVE-2023-1127) - VUL-1: CVE-2023-1127: vim: divide by zero in scrolldown() - drop vim-8.0-ttytype-test.patch as it changes test_options.vim which we remove during %prep anyway. And this breaks quilt setup. - for the complete list of changes see https://github.com/vim/vim/compare/v9.0.1386...v9.0.1443 - Updated to version 9.0 with patch level 1386, fixes the following security problems * Fixing bsc#1207780 - (CVE-2023-0512) VUL-0: CVE-2023-0512: vim: Divide By Zero in GitHub repository vim/vim prior to 9.0.1247 * Fixing bsc#1208957 - (CVE-2023-1175) VUL-0: CVE-2023-1175: vim: Incorrect Calculation of Buffer Size * Fixing bsc#1208959 - (CVE-2023-1170) VUL-0: CVE-2023-1170: vim: Heap-based Buffer Overflow in vim prior to 9.0.1376 * Fixing bsc#1208828 - (CVE-2023-1127) VUL-1: CVE-2023-1127: vim: divide by zero in scrolldown() - for the complete list of changes see https://github.com/vim/vim/compare/v9.0.1234...v9.0.1386 - Updated to version 9.0 with patch level 1234, fixes the following security problems * Fixing bsc#1207396 VUL-0: CVE-2023-0433: vim: Heap-based Buffer Overflow in vim prior to 9.0.1225 * Fixing bsc#1207162 VUL-1: CVE-2023-0288: vim: Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.1189. * Fixing bsc#1206868 VUL-1: CVE-2023-0054: vim: Out-of-bounds Write in GitHub repository vim/vim prior to 9.0.1145. * Fixing bsc#1206867 VUL-1: CVE-2023-0051: vim: Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.1144. * Fixing bsc#1206866 VUL-1: CVE-2023-0049: vim: Out-of-bounds Read in GitHub repository vim/vim prior to 9.0.1143. - refreshed vim-7.4-highlight_fstab.patch - for the complete list of changes see https://github.com/vim/vim/compare/v9.0.1040...v9.0.1234 - Updated to version 9.0 with patch level 1040, fixes the following security problems * Fixing bsc#1206028 VUL-0: CVE-2022-3491: vim: Heap-based Buffer Overflow prior to 9.0.0742 * Fixing bsc#1206071 VUL-0: CVE-2022-3520: vim: Heap-based Buffer Overflow * Fixing bsc#1206072 VUL-0: CVE-2022-3591: vim: Use After Free * Fixing bsc#1206075 VUL-0: CVE-2022-4292: vim: Use After Free in GitHub repository vim/vim prior to 9.0.0882. * Fixing bsc#1206077 VUL-0: CVE-2022-4293: vim: Floating Point Comparison with Incorrect Operator in GitHub repository vim/vim prior to 9.0.0804. * Fixing bsc#1205797 VUL-0: CVE-2022-4141: vim: heap-buffer-overflow in alloc.c 246:11 * Fixing bsc#1204779 VUL-0: CVE-2022-3705: vim: use after free in function qf_update_buffer of the file quickfix.c - for the complete list of changes see https://github.com/vim/vim/compare/v9.0.814...v9.0.1040 - Updated to version 9.0 with patch level 0814, fixes the following problems * Fixing bsc#1192478 VUL-1: CVE-2021-3928: vim: vim is vulnerable to Stack-based Buffer Overflow * Fixing bsc#1203508 VUL-0: CVE-2022-3234: vim: Heap-based Buffer Overflow prior to 9.0.0483. * Fixing bsc#1203509 VUL-1: CVE-2022-3235: vim: Use After Free in GitHub prior to 9.0.0490. * Fixing bsc#1203820 VUL-0: CVE-2022-3324: vim: Stack-based Buffer Overflow in prior to 9.0.0598. * Fixing bsc#1204779 VUL-0: CVE-2022-3705: vim: use after free in function qf_update_buffer of the file quickfix.c * Fixing bsc#1203152 VUL-1: CVE-2022-2982: vim: use after free in qf_fill_buffer() * Fixing bsc#1203796 VUL-1: CVE-2022-3296: vim: stack out of bounds read in ex_finally() in ex_eval.c * Fixing bsc#1203797 VUL-1: CVE-2022-3297: vim: use-after-free in process_next_cpt_value() at insexpand.c * Fixing bsc#1203110 VUL-1: CVE-2022-3099: vim: Use After Free in ex_docmd.c * Fixing bsc#1203194 VUL-1: CVE-2022-3134: vim: use after free in do_tag() * Fixing bsc#1203272 VUL-1: CVE-2022-3153: vim: NULL Pointer Dereference in GitHub repository vim/vim prior to 9.0.0404. * Fixing bsc#1203799 VUL-1: CVE-2022-3278: vim: NULL pointer dereference in eval_next_non_blank() in eval.c * Fixing bsc#1203924 VUL-1: CVE-2022-3352: vim: vim: use after free * Fixing bsc#1203155 VUL-1: CVE-2022-2980: vim: null pointer dereference in do_mouse() * Fixing bsc#1202962 VUL-1: CVE-2022-3037: vim: Use After Free in vim prior to 9.0.0321 - ignore-flaky-test-failure.patch: Ignore failure of flaky tests - disable-unreliable-tests-arch.patch: Removed - for the complete list of changes see https://github.com/vim/vim/compare/v9.0.0313...v9.0.0814 Package wget was updated: - Fix mishandled semicolons in the userinfo subcomponent could lead to an insecure behavior in which data that was supposed to be in the userinfo subcomponent is misinterpreted to be part of the host subcomponent. [bsc#1226419, CVE-2024-38428, properly-re-implement-userinfo-parsing.patch] - Update 0001-possibly-truncate-pathname-components.patch * Truncate file name even if no directory structure * [bsc#1204720] Package wicked was updated: - Update to version 0.6.76 - compat-suse: warn user and create missing parent config of infiniband children (gh#openSUSE/wicked#1027) - client: fix origin in loaded xml-config with obsolete port references but missing port interface config, causing a no-carrier of master (bsc#1226125) - ipv6: fix setup on ipv6.disable=1 kernel cmdline (bsc#1225976) - wireless: add frequency-list in station mode (jsc#PED-8715) - client: fix crash while hierarchy traversing due to loop in e.g. systemd-nspawn containers (bsc#1226664) - man: add supported bonding options to ifcfg-bonding(5) man page (gh#openSUSE/wicked#1021) - arputil: Document minimal interval for getopts (gh#openSUSE/wicked#1019) - man: (re)generate man pages from md sources (gh#openSUSE/wicked#1018) - client: warn on interface wait time reached (gh#openSUSE/wicked#1017) - compat-suse: fix dummy type detection from ifname to not cause conflicts with e.g. correct vlan config on dummy0.42 interfaces (gh#openSUSE/wicked#1016) - compat-suse: fix infiniband and infiniband child type detection from ifname (gh#openSUSE/wicked#1015) - Removed patches included in the source archive: [- 0001-ifreload-pull-UP-again-on-master-lower-changes-bsc1224100.patch] [- 0002-increase-arp-retry-attempts-on-sending-bsc1218668.patch] - arp: increase arp-send retry value to avoid address configuration failure due to ENOBUF reported by kernel while duplicate address detection with underlying bonding in 802.3ad mode reporting link &quot;up &amp; running&quot; too early (bsc#1218668, gh#openSUSE/wicked#1020, gh#openSUSE/wicked#1020). [+ 0002-increase-arp-retry-attempts-on-sending-bsc1218668.patch] - client: fix ifreload to pull UP ports/links again when the config of their master/lower changed (bsc#1224100,gh#openSUSE/wicked#1014). [+ 0001-ifreload-pull-UP-again-on-master-lower-changes-bsc1224100.patch] - Update to version 0.6.75: - cleanup: fix ni_fsm_state_t enum-int-mismatch warnings - cleanup: fix overflow warnings in a socket testcase on i586 - ifcheck: report new and deleted configs as changed (bsc#1218926) - man: improve ARP configuration options in the wicked-config.5 - bond: add ports when master is UP to avoid port MTU revert (bsc#1219108) - cleanup: fix interface dependencies and shutdown order (bsc#1205604) - Remove port arrays from bond,team,bridge,ovs-bridge (redundant) and consistently use config and state info attached to the port interface as in rtnetlink(7). - Cleanup ifcfg parsing, schema configuration and service properties - Migrate ports in xml config and policies already applied in nanny - Remove &quot;missed config&quot; generation from finite state machine, which is completed while parsing the config or while xml config migration. - Issue a warning when &quot;lower&quot; interface (e.g. eth0) config is missed while parsing config depending on it (e.g. eth0.42 vlan). - Resolve ovs master to the effective bridge in config and wickedd - Implement netif-check-state require checks using system relations from wickedd/kernel instead of config relations for ifdown and add linkDown and deleteDevice checks to all master and lower references. - Add a `wicked &lt;ifup|ifdown|ifreload&gt; --dry-run …` option to show the system/config interface hierarchies as notice with +/- marked interfaces to setup and/or shutdown. - Removed patches included in the source archive: [- 0001-addrconf-fix-fallback-lease-drop-bsc-1220996.patch] [- 0002-extensions-nbft-replace-nvme-show-nbft-with-nvme-nbf.patch] [- 0003-move-all-attribute-definitions-to-compiler-h.patch] [- 0004-hide-secrets-in-debug-log-bsc-1221194.patch] [- 0005-client-do-to-not-convert-sec-to-msec-twice-bsc-1222105.patch] - client: do not convert sec to msec twice (bsc#1222105) [+ 0005-client-do-to-not-convert-sec-to-msec-twice-bsc-1222105.patch] - addrconf: fix fallback-lease drop (bsc#1220996) [+ 0001-addrconf-fix-fallback-lease-drop-bsc-1220996.patch] - extensions/nbft: use upstream `nvme nbft show` (bsc#1221358) [+ 0002-extensions-nbft-replace-nvme-show-nbft-with-nvme-nbf.patch] - hide secrets in debug log (bsc#1221194) [+ 0003-move-all-attribute-definitions-to-compiler-h.patch] [+ 0004-hide-secrets-in-debug-log-bsc-1221194.patch] - update to version 0.6.74 + team: add new options like link_watch_policy (jsc#PED-7183) + Fix memory leaks in dbus variant destroy and fsm free (gh#openSUSE/wicked#1001) + xpath: allow underscore in node identifier (gh#openSUSE/wicked#999) + vxlan: don't format unknown rtnl attrs (bsc#1219751) - removed patches included in the source archive: [- 0009-ifreload-VLAN-changes-require-device-deletion-bsc-12.patch] [- 0008-ifcheck-fix-config-changed-check-bsc-1218926.patch] [- 0007-Fix-ifstatus-exit-code-for-NI_WICKED_ST_NO_CARRIER-s.patch] [- 0006-dhcp6-omit-the-SO_REUSEPORT-option-bsc-1215692.patch] [- 0005-duid-fix-comment-for-v6time.patch] [- 0004-rtnl-parse-peer-address-on-non-ptp-interfaces.patch] [- 0003-rtnl-pass-ifname-in-newaddr-parsing-and-logging.patch] [- 0002-system-updater-Parse-updater-format-from-XML-configu.patch] [- 0001-fix_arp_notify_loop_and_burst_sending.patch] - ifreload: VLAN changes require device deletion (bsc#1218927) [+ 0009-ifreload-VLAN-changes-require-device-deletion-bsc-12.patch] - ifcheck: fix config changed check (bsc#1218926) [+ 0008-ifcheck-fix-config-changed-check-bsc-1218926.patch] - client: fix exit code for no-carrier status (bsc#1219265) [+ 0007-Fix-ifstatus-exit-code-for-NI_WICKED_ST_NO_CARRIER-s.patch] - dhcp6: omit the SO_REUSEPORT option (bsc#1215692) [+ 0006-dhcp6-omit-the-SO_REUSEPORT-option-bsc-1215692.patch] - duid: fix comment for v6time (https://github.com/openSUSE/wicked/pull/989) [+ 0005-duid-fix-comment-for-v6time.patch] - rtnl: fix peer address parsing for non ptp-interfaces (https://github.com/openSUSE/wicked/pull/987, https://github.com/openSUSE/wicked/pull/988) [+ 0003-rtnl-pass-ifname-in-newaddr-parsing-and-logging.patch] [+ 0004-rtnl-parse-peer-address-on-non-ptp-interfaces.patch] - system-updater: Parse updater format from XML configuration to ensure install calls can run. (https://github.com/openSUSE/wicked/pull/985) [+ 0002-system-updater-Parse-updater-format-from-XML-configu.patch] - ifconfig: fix arp notify loop (boo#1212806) and burst sending [+ 0001-fix_arp_notify_loop_and_burst_sending.patch] - update to version 0.6.73 - spec: cleanup artefacts and fix some rpmlint warnings - arp: allow verify/notify counter and interval configuration - arp: handle ENOBUFS sending errors (bsc#1203300) - extensions: improve environment variable handling - firmware: refactor firmware extension definition - firmware: enable, disable and revert cli commands - code cleanup: fix memory leaks, add array/list utils - wireless: Ignore WIRELESS_EAP_AUTH within TLS (bsc#1211026) - cleanup /var/run leftovers in extension scripts (bsc#1194557) - json: output formatting improvements and Unicode support - bond: workaround 6.1 kernel enslave regression (boo#1206674) - update to version 0.6.72 - client: add `wicked firmware extensions|interfaces|enable|disable` command to improve `ibft`,`nbft`,`redfish` firmware extension and interface handling. - client: improve error handling in netif firmware discovery extension execution and extension definition overrides in the wicked-config. - nanny: fix use-after-free in debug mode (bsc#1206447) - spec: replace transitional `%usrmerged` macro with regular version check (boo#1206798) - client: improve to show `no-carrier` in ifstatus output - linux: cleanup inclusions and update uapi header to 6.0 - ethtool: link mode nwords cleanup and new advertise mode names - update to version 0.6.71 - dhcp: enable raw-ip support for wwan-qmi interfaces (jsc#PED-90) - schema: fix the ip rule to-selector to handle network prefixes - spec: Add /etc/sysconfig/network to file list, no longer in the default list of a cleaned up filesystem package on tumbleweed (https://github.com/openSUSE/wicked/pull/939). - version 0.6.70 - build: Link as Position Independent Executable (bsc#1184124) - dhcp4: Fix issues in reuse of last lease (bsc#1187655) - dhcp6: Add option to refresh lease (jsc#SLE-9492,jsc#SLE-24307) - dhcp6: Remove address before release (USGv6 DHCPv6_1_2_07b) - dhcp6: Ignore lease release status (USGv6 DHCPv6_1_2_07e,1_3_03) - dhcp6: Consider ppp interfaces supported (gh#openSUSE/wicked#924) - team: Fix to configure port priority in teamd (bsc#1200505) - firewall-ext: No config change on ifdown (bsc#1201053,bsc#118950) - wireless: Fix SEGV on supplicant restart (gh#openSUSE/wicked#931) - wireless: Add support for WPA3 and PMF (bsc#1198894) - wireless: Remove libiw dependencies (gh#openSUSE/wicked#910) - client: Fix SEGV on empty xpath results (gh#openSUSE/wicked#919) - client: Add release options to ifdown/ifreload (jsc#SLE-10249) - dbus: Clear string array before append (gh#openSUSE/wicked#913) - socket: Fix SEGV on heavy socket restart errors (bsc#1192508) - systemd: Remove systemd-udev-settle dependency (bsc#1186787) - version 0.6.69 - redfish: decode smbios and setup host interface Add initial support to decode the SMBIOS Management Controller Host Interface (Type 42) structure and expose it as wicked `firmware:redfish` configuration to setup a Host Network Interface (to the BMC) using the `Redfish over IP` protocol allowing access to the Redfish Service (via redfish-localhost in /etc/hosts) used to manage the computer system. Tech Preview (jsc#SLE-17762). - buffer: fix size_t length downcast to uint, add guards to init functions - wireless: fix to not expect colons in 64byte long wpa-psk hex hash string - xml-schema: reference counting fix to not crash at exit on schema errors - compat-suse: match sysctl.d /etc vs. /run read order with systemd-sysctl, remove obsolete (sle11/sysconfig) lines about ifup-sysctl from ifsysctl.5. - compat-suse: fix reading of sysctl addr_gen_mode to wrong variable - auto6: fix to apply DNS from RA rdnss after ifdown/ifup (bsc#1181429) - removed obsolete patch included in the master sources (bsc#1194392) [- 0001-fsm-fix-device-rename-via-yast-bsc-1194392.patch] Package xen was updated: - bsc#1227355 - VUL-0: CVE-2024-31143: xen: double unlock in x86 guest IRQ handling (XSA-458) xsa458.patch - bsc#1222453 - VUL-0: CVE-2024-2201: xen: x86: Native Branch History Injection (XSA-456) Corrections to the following patches xsa456-5.patch xsa456-6.patch - bsc#1222453 - VUL-0: CVE-2024-2201: xen: x86: Native Branch History Injection (XSA-456) xsa456-0a.patch xsa456-0b.patch xsa456-0c.patch xsa456-0d.patch xsa456-0e.patch xsa456-0f.patch xsa456-0g.patch xsa456-0h.patch xsa456-0i.patch xsa456-0j.patch xsa456-0k.patch xsa456-0l.patch xsa456-0m.patch xsa456-0n.patch xsa456-0o.patch xsa456-0p.patch xsa456-1.patch xsa456-2.patch xsa456-3.patch xsa456-4.patch xsa456-5.patch xsa456-6.patch xsa456-7.patch - bsc#1221984 - VUL-0: CVE-2023-46842: xen: x86 HVM hypercalls may trigger Xen bug check (XSA-454) xsa454-1.patch xsa454-2.patch - bsc#1222302 - VUL-0: CVE-2024-31142: xen: x86: Incorrect logic for BTC/SRSO mitigations (XSA-455) xsa455.patch - bsc#1221332 - VUL-0: CVE-2023-28746: xen: x86: Register File Data Sampling (XSA-452) xsa452-1.patch xsa452-2.patch xsa452-3.patch xsa452-4.patch xsa452-5.patch xsa452-6.patch xsa452-7.patch - bsc#1221334 - VUL-0: CVE-2024-2193: xen: GhostRace: Speculative Race Conditions (XSA-453) xsa453-1.patch xsa453-2.patch xsa453-3.patch xsa453-4.patch xsa453-5.patch xsa453-6.patch xsa453-7.patch xsa453-8.patch - Modified xsa451.patch (bsc#1219885) - bsc#1219885 - VUL-0: CVE-2023-46841: xen: x86: shadow stack vs exceptions from emulation stubs (XSA-451) xsa451.patch - bsc#1218851 - VUL-0: CVE-2023-46839: xen: phantom functions assigned to incorrect contexts (XSA-449) xsa449.patch - bsc#1216807 - VUL-0: CVE-2023-46836: xen: x86: BTC/SRSO fixes not fully effective (XSA-446) xsa446.patch - bsc#1216654 - VUL-0: CVE-2023-46835: xen: x86/AMD: mismatch in IOMMU quarantine page table levels (XSA-445) xsa445.patch - bsc#1215744 - VUL-0: CVE-2023-34323: xen: xenstored: A transaction conflict can crash C Xenstored (XSA-440) xsa440.patch - bsc#1215746 - VUL-0: CVE-2023-34326: xen: x86/AMD: missing IOMMU TLB flushing (XSA-442) xsa442.patch - bsc#1215747 - VUL-0: CVE-2023-34325: xen: Multiple vulnerabilities in libfsimage disk handling (XSA-443) xsa443-01.patch xsa443-02.patch xsa443-03.patch xsa443-04.patch xsa443-05.patch xsa443-06.patch xsa443-07.patch xsa443-08.patch xsa443-09.patch xsa443-10.patch xsa443-11.patch - bsc#1215748 - VUL-0: CVE-2023-34327,CVE-2023-34328: xen: x86/AMD: Debug Mask handling (XSA-444) xsa444-1.patch xsa444-2.patch - bsc#1215474 - VUL-0: CVE-2023-20588: xen: AMD CPU transitional execution leak via division by zero (XSA-439) xsa439-01.patch xsa439-02.patch xsa439-03.patch xsa439-04.patch xsa439-05.patch xsa439-06.patch xsa439-07.patch xsa439-08.patch xsa439-09.patch - bsc#1215145 - VUL-0: CVE-2023-34322: xen: top-level shadow reference dropped too early for 64-bit PV guests (XSA-438) xsa438.patch - bsc#1213616 - VUL-0: CVE-2023-20593: xen: x86/AMD: Zenbleed (XSA-433) 64e5b4ac-x86-AMD-extend-Zenbleed-check.patch - Handle potential unaligned access to bitmap in libxc-sr-restore-hvm-legacy-superpage.patch If setting BITS_PER_LONG at once, the initial bit must be aligned - Update to Xen 4.14.6 bug fix release (bsc#1027519) xen-4.14.6-testing-src.tar.bz2 * No upstream changelog found in sources or webpage - bsc#1214082 - VUL-0: CVE-2023-20569: xen: x86/AMD: Speculative Return Stack Overflow (XSA-434) - bsc#1214083 - VUL-0: CVE-2022-40982: xen: x86/Intel: Gather Data Sampling (XSA-435) - Dropped patches contained in new tarball 62a1e594-x86-clean-up-_get_page_type.patch 62a1e5b0-x86-ABAC-race-in-_get_page_type.patch 62a1e5d2-x86-introduce-_PAGE_-for-mem-types.patch 62a1e5f0-x86-dont-change-cacheability-of-directmap.patch 62a1e60e-x86-split-cache_flush-out-of-cache_writeback.patch 62a1e62b-x86-AMD-work-around-CLFLUSH-ordering.patch 62a1e649-x86-track-and-flush-non-coherent.patch 62ab0fab-x86-spec-ctrl-VERW-flushing-runtime-cond.patch 62ab0fac-x86-spec-ctrl-enum-for-MMIO-Stale-Data.patch 62ab0fad-x86-spec-ctrl-add-unpriv-mmio.patch 62bdd840-x86-spec-ctrl-only-adjust-idle-with-legacy-IBRS.patch 62bdd841-x86-spec-ctrl-knobs-for-STIBP-and-PSFD.patch 62cc31ee-cmdline-extend-parse_boolean.patch 62cc31ef-x86-spec-ctrl-fine-grained-cmdline-subopts.patch 62cd91d0-x86-spec-ctrl-rework-context-switching.patch 62cd91d1-x86-spec-ctrl-rename-SCF_ist_wrmsr.patch 62cd91d2-x86-spec-ctrl-rename-opt_ibpb.patch 62cd91d3-x86-spec-ctrl-rework-SPEC_CTRL_ENTRY_FROM_INTR_IST.patch 62cd91d4-x86-spec-ctrl-IBPB-on-entry.patch 62cd91d5-x86-cpuid-BTC_NO-enum.patch 62cd91d6-x86-spec-ctrl-enable-Zen2-chickenbit.patch 62cd91d7-x86-spec-ctrl-mitigate-Branch-Type-Confusion.patch 62dfe40a-x86-mm-gpt-TLB-flush-condition.patch 62f27ebd-x86-expose-more-MSR_ARCH_CAPS-to-hwdom.patch 62f51e16-x86-spec-ctrl-enum-PBRSB_NO.patch 62f523da-AMD-setup_force_cpu_cap-BSP-only.patch 63455f82-Arm-P2M-prevent-adding-mapping-when-dying.patch 63455fa8-Arm-P2M-preempt-when-freeing-intermediate.patch 63455fc3-x86-p2m_teardown-allow-skip-root-pt-removal.patch 63455fe4-x86-HAP-monitor-table-error-handling.patch 63456000-x86-tolerate-sh_set_toplevel_shadow-failure.patch 6345601d-x86-tolerate-shadow_prealloc-failure.patch 6345603a-x86-P2M-refuse-new-alloc-for-dying.patch 63456057-x86-P2M-truly-free-paging-pool-for-dying.patch 63456075-x86-P2M-free-paging-pool-preemptively.patch 63456090-x86-p2m_teardown-preemption.patch 63456175-libxl-per-arch-extra-default-paging-memory.patch 63456177-Arm-construct-P2M-pool-for-guests.patch 6345617a-Arm-XEN_DOMCTL_shadow_op.patch 6345617c-Arm-take-P2M-pages-P2M-pool.patch 634561aa-gnttab-locking-on-transitive-copy-error-path.patch 6351095c-Arm-rework-p2m_init.patch 6351096a-Arm-P2M-populate-pages-for-GICv2-mapping.patch 63569723-x86-shadow-replace-bogus-assertions.patch 636a9130-x86-spec-ctrl-Enumeration-for-IBPB_RET.patch 636a9130-x86-spec-ctrl-Mitigate-IBPB-not-flushing-the-RSB-RAS.patch xsa326-01.patch xsa326-02.patch xsa326-03.patch xsa326-04.patch xsa326-05.patch xsa326-06.patch xsa326-07.patch xsa326-08.patch xsa326-09.patch xsa326-10.patch xsa326-11.patch xsa326-12.patch xsa326-13.patch xsa326-14.patch xsa326-15.patch xsa326-16.patch xsa403.patch xsa414.patch xsa415.patch xsa416.patch xsa417.patch xsa418-01.patch xsa418-02.patch xsa418-03.patch xsa418-04.patch xsa418-05.patch xsa418-06.patch xsa419-01.patch xsa419-02.patch xsa419-03.patch xsa421-01.patch xsa421-02.patch xsa427.patch xsa428-1.patch xsa428-2.patch xsa429.patch xsa433.patch - Handle potential off-by-one errors in libxc-sr-xg_sr_bitmap.patch A bit is an index in bitmap, while bits is the allocated size of the bitmap. - bsc#1213616 - VUL-0: CVE-2023-20593: xen: x86/AMD: Zenbleed (XSA-433) xsa433.patch - Updated fix for XSA-417 (bsc#1204489) 64ba268b-xenstore-fix-XSA-417.patch - bsc#1209017 - VUL-0: CVE-2022-42332: xen: x86 shadow plus log-dirty mode use-after-free (XSA-427) xsa427.patch - bsc#1209018 - VUL-0: CVE-2022-42333,CVE-2022-42334: xen: x86/HVM pinned cache attributes mis-handling (XSA-428) xsa428-1.patch xsa428-2.patch - bsc#1209019 - VUL-0: CVE-2022-42331: xen: x86: speculative vulnerability in 32bit SYSCALL path (XSA-429) xsa429.patch - Upstream bug fixes (bsc#1027519) 63624fa6-xenstored-call-remove_domid_from_perm-for-special.patch 637b5f4f-efifb-ignore-invalid.patch 63a03e28-x86-high-freq-TSC-overflow.patch - Re-order some patches back into their proper upstream sequence. - bsc#1205209 - VUL-0: CVE-2022-23824: xen: x86: Multiple speculative security issues (XSA-422) 636a9130-x86-spec-ctrl-Enumeration-for-IBPB_RET.patch 636a9130-x86-spec-ctrl-Mitigate-IBPB-not-flushing-the-RSB-RAS.patch - bsc#1193923 - VUL-1: xen: Frontends vulnerable to backends (XSA-376) 61dd5f64-limit-support-statement-for-Linux-and-Windows-frontends.patch - bsc#1204482 - VUL-0: CVE-2022-42311, CVE-2022-42312, CVE-2022-42313, CVE-2022-42314, CVE-2022-42315, CVE-2022-42316, CVE-2022-42317, CVE-2022-42318: xen: Xenstore: Guests can let xenstored run out of memory (XSA-326) xsa326-10.patch (correction) - bsc#1203806 - VUL-0: CVE-2022-33746: xen: P2M pool freeing may take excessively long (XSA-410) 63455f82-Arm-P2M-prevent-adding-mapping-when-dying.patch 63455fa8-Arm-P2M-preempt-when-freeing-intermediate.patch 63455fc3-x86-p2m_teardown-allow-skip-root-pt-removal.patch 63455fe4-x86-HAP-monitor-table-error-handling.patch 63456000-x86-tolerate-sh_set_toplevel_shadow-failure.patch 6345601d-x86-tolerate-shadow_prealloc-failure.patch 6345603a-x86-P2M-refuse-new-alloc-for-dying.patch 63456057-x86-P2M-truly-free-paging-pool-for-dying.patch 63456075-x86-P2M-free-paging-pool-preemptively.patch 63456090-x86-p2m_teardown-preemption.patch - bcs#1203804 - VUL-0: CVE-2022-33747: xen: unbounded memory consumption for 2nd-level page tables on ARM systems (XSA-409) 63456175-libxl-per-arch-extra-default-paging-memory.patch 63456177-Arm-construct-P2M-pool-for-guests.patch 6345617a-Arm-XEN_DOMCTL_shadow_op.patch 6345617c-Arm-take-P2M-pages-P2M-pool.patch - bsc#1203807 - VUL-0: CVE-2022-33748: xen: lock order inversion in transitive grant copy handling (XSA-411) 634561aa-gnttab-locking-on-transitive-copy-error-path.patch - Upstream bug fixes (bsc#1027519) 6306185f-x86-XSTATE-CPUID-subleaf-1-EBX.patch 6346e404-VMX-correct-error-handling-in-vmx_create_vmcs.patch 6351095c-Arm-rework-p2m_init.patch 6351096a-Arm-P2M-populate-pages-for-GICv2-mapping.patch 635274c0-EFI-dont-convert-runtime-mem-to-RAM.patch 635665fb-sched-fix-restore_vcpu_affinity.patch 63569723-x86-shadow-replace-bogus-assertions.patch - Drop patches replaced by upstream versions: xsa410-01.patch xsa410-02.patch xsa410-03.patch xsa410-04.patch xsa410-05.patch xsa410-06.patch xsa410-07.patch xsa410-08.patch xsa410-09.patch xsa410-10.patch xsa411.patch - bsc#1204482 - VUL-0: CVE-2022-42311, CVE-2022-42312, CVE-2022-42313, CVE-2022-42314, CVE-2022-42315, CVE-2022-42316, CVE-2022-42317, CVE-2022-42318: xen: Xenstore: Guests can let xenstored run out of memory (XSA-326) xsa326-01.patch xsa326-02.patch xsa326-03.patch xsa326-04.patch xsa326-05.patch xsa326-06.patch xsa326-07.patch xsa326-08.patch xsa326-09.patch xsa326-10.patch xsa326-11.patch xsa326-12.patch xsa326-13.patch xsa326-14.patch xsa326-15.patch xsa326-16.patch - bsc#1204485 - VUL-0: CVE-2022-42309: xen: Xenstore: Guests can crash xenstored (XSA-414) xsa414.patch - bsc#1204487 - VUL-0: CVE-2022-42310: xen: Xenstore: Guests can create orphaned Xenstore nodes (XSA-415) xsa415.patch - bsc#1204488 - VUL-0: CVE-2022-42319: xen: Xenstore: Guests can cause Xenstore to not free temporary memory (XSA-416) xsa416.patch - bsc#1204489 - VUL-0: CVE-2022-42320: xen: Xenstore: Guests can get access to Xenstore nodes of deleted domains (XSA-417) xsa417.patch - bsc#1204490 - VUL-0: CVE-2022-42321: xen: Xenstore: Guests can crash xenstored via exhausting the stack (XSA-418) xsa418-01.patch xsa418-02.patch xsa418-03.patch xsa418-04.patch xsa418-05.patch xsa418-06.patch - bsc#1204494 - VUL-0: CVE-2022-42322,CVE-2022-42323: xen: Xenstore: cooperating guests can create arbitrary numbers of nodes (XSA-419) xsa419-01.patch xsa419-02.patch xsa419-03.patch - bsc#1204496 - VUL-0: CVE-2022-42325,CVE-2022-42326: xen: Xenstore: Guests can create arbitray number of nodes via transactions (XSA-421) xsa421-01.patch xsa421-02.patch Package yast2-bootloader was updated: - prevent leak of grub2 password to logs(bsc#1201962)- 4.3.32 Package yast2-installation was updated: - AutoYaST SecondStage: Revert changes introduced in 4.3.46 running the initscript service before systemd-user-sessions again once systemd patched logind (bsc#1195059, bsc#1200780) - 4.3.55 - Do not restart services when updating the package (bsc#1199480, bsc#1200274) - 4.3.54 - AutoYaST Second Stage: Added a missing dependency to the service to prevent getty-autogeneration listen on 5901 port (bsc#1199746) - 4.3.53 Package yast2 was updated: - Reimplemented the hardcoded product mapping to support also the migration from SLE_HPC to SLES SP6+ (with the HPC module) (bsc#1220567) - 4.3.70 Package yast2-network was updated: - Guard secret attributes against leaking to the log (bsc#1221194)- 4.3.89 - Fix typo when writing the wireless channel (bsc#1212976) - 4.3.88 - bsc#1211431 - Do not crash installation when storing vlan configuration into NetworkManager - 4.3.87 - Fixed issue when writing the NetworkManager config without a gateway (bsc#1203866) - 4.3.86 - Added a class to generate the configuration needed for a FCoE device being aware of it during the installation (bsc#1199554) - 4.3.85 - AY: Added missing route extrapara element to the networking section (bsc#1201129) - 4.3.84 - Allow more than 6 domains in resolver search list (bsc#1200155). - 4.3.83 Package yast2-online-update was updated: - Fix showing of release notes when we update a rubygem (bsc#1205913) - 4.2.3 Package yast2-packager was updated: - Reimplemented the hardcoded product mapping to support also the migration from SLE_HPC to SLES SP6+ (with the HPC module) (bsc#1220567) - 4.3.27 Package yast2-pkg-bindings was updated: - Fixed repository and service probing with libzypp 7.31.26 and newer, fixes broken repository handling (bsc#1218977, bsc#1218399) - 4.3.13 - Pkg.TargetInitializeOptions() - added a new option for rebuilding the RPM database (--rebuilddb) (bsc#1209565) - 4.3.12 Package yast2-registration was updated: - Set the new product mapping when upgrading SLE_HPC to SLES SP6+ (with the HPC module), use the old product mapping when upgrading from SLE_HPC-SP3 to SLE_HPC-SP4 (bsc#1220567) - 4.3.29 - Adapted to SCC API change 'base' -&gt; 'isbase' (bsc#1217317): Cherry-picked igonzalezsosa's commit 431d937b78c209c0d35 - 4.3.28 - Switch to the new SUSEConnect-ng (bsc#1212799) - Includes a SSL reload fix (bsc#1195220) - Depends on a new suseconnect-ruby-bindings package instead of the old rubygem-suseconnect - 4.3.27 - Import the SSL certificate from the &lt;reg_server_cert&gt; AutoYaST data also in the self-update step (bsc#1199091, bsc#1198642) - 4.3.26 Package yast2-schema was updated: - Add 'extrapara' to routes in the networking section (bsc#1201129)- 4.3.31 - Support for flatten and nested &quot;category_filter&quot; element in the &quot;online_update_configuration&quot; section (bsc#1198848). - 4.3.30 Package yast2-transfer was updated: - Fixed TFTP download, truncate the target file to avoid garbage at the end of the file when saving to an already existing file (bsc#1208754) - 4.1.1 Package yast2-update was updated: - Rebuild the RPM database during upgrade (--rebuilddb) (bsc#1209565)- 4.3.5 Package zypper was updated: - Fixed check for outdated repo metadata as non-root user (bsc#1222086) - BuildRequires: libzypp-devel &gt;= 17.33.0. - Delay zypp lock until command options are parsed (bsc#1223766) - version 1.14.73 - Unify message format(fixes #485) - version 1.14.72 - switch cmake build type to RelWithDebInfo - modernize spec file (remove Authors section, use proper macros, remove redundant clean section, don't mark man pages as doc) - switch to -O2 -fvisibility=hidden -fpie: * PIC is not needed as no shared lib is built * fstack-protector-strong is default on modern dists and would be downgraded by fstack-protector * default visibility hidden allows better optimisation * O2 is reducing inlining bloat - &gt; 18% reduced binary size - remove procps requires (was only for ZMD which is dropped) (jsc#PED-8153) - Do not try to refresh repo metadata as non-root user (bsc#1222086) Instead show refresh stats and hint how to update them. - man: Explain how to protect orphaned packages by collecting them in a plaindir repo. - packages: Add --autoinstalled and --userinstalled options to list them. - Don't print 'reboot required' message if download-only or dry-run (fixes #529) Instead point out that a reboot would be required if the option was not used. - Resepect zypper.conf option `showAlias` search commands (bsc#1221963) Repository::asUserString (or Repository::label) respects the zypper.conf option, while name/alias return the property. - version 1.14.71 - dup: New option --remove-orphaned to remove all orphaned packages in dup (bsc#1221525) - version 1.14.70 - info,summary: Support VendorSupportOption flag VendorSupportSuperseded (jsc#OBS-301, jsc#PED-8014) - BuildRequires: libzypp-devel &gt;= 17.32.0. API cleanup and changes for VendorSupportSuperseded. - Show active dry-run/download-only at the commit propmpt. - patch: Add --skip-not-applicable-patches option (closes #514) - Fix printing detailed solver problem description. The problem description() is one rule out possibly many in completeProblemInfo() the solver has chosen to represent the problem. So either description or completeProblemInfo should be printed, but not both. - Fix bash-completion to work with right adjusted numbers in the 1st column too (closes #505) - Set libzypp shutdown request signal on Ctrl+C (fixes #522) - lr REPO: In the detailed view show all baseurls not just the first one (bsc#1218171) - version 1.14.69 - Fix search/info commands ignoring --ignore-unknown (bsc#1217593) The switch makes search commands return 0 rather than 104 for empty search results. - version 1.14.68 - patch: Make sure reboot-needed is remembered until next boot (bsc#1217873) - version 1.14.67 - Return 104 also if info suggests near matches (fixes #504) - Rephrase upgrade message for openSUSE Tumbleweed (bsc#1212422) - Fix typo (fixes #484) - version 1.14.66 - Fix some typos and spelling errors found by Lintian (fixes #501) - Prefer unaliased `grep` to avoid unexpected/wrong completions. (#503) - commit: Insert a headline to separate output of different rpm scripts (bsc#1041742) - Fix typo in changes file. - version 1.14.65 - Fix name of the bash completion script (bsc#1215007) In 1.14.63 the location of the bash completion script was changed to /usr/share/bash-completion/completions/. But the patch failed to also rename the completion script. The original script name zypper.sh is not recognized at the new location. - Update notes about failing signature checks (bsc#1214395) It might be a transient issue if the server is in the midst of receiving new data. Retry after a few minutes might work. - Improve the SIGINT handler to be signal safe (bsc#1214292) This patch updates the SIGINT handling strategy to be signal safe. Meaning the signal handler will do not much more than setting a flag, which we are going to check in the normal program flow as much as possible. - version 1.14.64 - Changed location of bash completion script (bsc#1213854). This changes the location of zypper.sh bash completion script from /usr/share/bash-completion/completions/. - version 1.14.63 - man: revised explanation of --force-resolution (bsc#1213557) Point out that the option not only allows to remove packages but may also violate any other active policy if there is no other way to resolve the job. - Print summary hint if policies were violated due to - -force-resolution (bsc#1213557) - BuildRequires: libzypp-devel &gt;= 17.31.16 (for zypp-tui) - version 1.14.62 - targetos: Add an error note if XPath:/product/register/target is not defined in /etc/products.d/baseproduct (bsc#1211261) - targetos: Update help and man page (bsc#1211261) - version 1.14.61 - Fix selecting installed patterns from picklist (bsc#1209406) - man: better explanation of --priority (fixes #480) - version 1.14.60 - BuildRequires: libzypp-devel &gt;= 17.31.7. - Provide &quot;removeptf&quot; command (bsc#1203249) A remove command which prefers replacing dependant packages to removing them as well. A PTF is typically removed as soon as the fix it provides is applied to the latest official update of the dependant packages. But you don't want the dependant packages to be removed together with the PTF, which is what the remove command would do. The removeptf command however will aim to replace the dependant packages by their official update versions. - patterns: Avoid dispylaing superfluous @System entries (bsc#1205570) - version 1.14.59 - Update man page and explain '.no_auto_prune' (bsc#1204956) - Allow to (re)add a service with the same URL (bsc#1203715) - Explain outdatedness of repos (fixes #463) - BuildRequires: libzypp-devel &gt;= 17.31.5 - version 1.14.58 The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). https://publiccloudimagechangeinfo.suse.com/google/sles-15-sp3-byos-v20240809-x86-64/ Public Cloud Image Info https://www.suse.com/support/security/rating/ SUSE Security Ratings Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 aaa_base-84.87+git20180409.04c9dae-150300.10.20.1 aaa_base-extras-84.87+git20180409.04c9dae-150300.10.20.1 autofs-5.1.3-150000.7.20.1 autoyast2-installation-4.3.106-150300.3.56.1 bind-utils-9.16.6-150300.22.47.1 binutils-2.41-150100.7.46.1 blog-2.26-150300.4.6.1 ca-certificates-2+git20240416.98ae794-150300.4.3.3 ca-certificates-mozilla-2.62-150200.30.1 catatonit-0.2.0-150300.10.8.1 chrony-4.1-150300.16.14.3 chrony-pool-suse-4.1-150300.16.14.3 cloud-netconfig-gce-1.14-150000.25.23.1 cloud-regionsrv-client-10.1.7-150000.6.108.1 cloud-regionsrv-client-plugin-gce-1.0.0-150000.6.108.1 containerd-1.7.17-150000.114.1 coreutils-8.32-150300.3.8.1 cpio-2.12-150000.3.12.1 cups-config-2.2.7-150000.3.62.1 curl-7.66.0-150200.4.72.1 dbus-1-1.12.2-150100.8.17.1 device-mapper-2.03.05_1.02.163-150200.8.52.1 dhcp-4.3.6.P1-150000.6.19.1 dhcp-client-4.3.6.P1-150000.6.19.1 dmidecode-3.2-150100.9.16.1 docker-25.0.6_ce-150000.203.1 dracut-049.1+suse.257.gf94c3fd1-150200.3.75.1 elfutils-0.177-150300.11.6.1 fonts-config-20200609+git0.42e2b1b-150000.4.10.1 gawk-4.2.1-150000.3.3.1 glib2-tools-2.62.6-150200.3.18.1 glibc-2.31-150300.83.1 glibc-i18ndata-2.31-150300.83.1 glibc-locale-2.31-150300.83.1 glibc-locale-base-2.31-150300.83.1 google-guest-agent-20240314.00-150400.1.48.7 google-guest-configs-20240307.00-150000.1.31.1 google-guest-oslogin-20240311.00-150400.1.45.7 google-osconfig-agent-20240320.00-150400.1.35.7 gpg2-2.2.27-150300.3.8.1 growpart-rootgrow-1.0.7-150400.1.14.7 grub2-2.04-150300.22.43.1 grub2-i386-pc-2.04-150300.22.43.1 grub2-x86_64-efi-2.04-150300.22.43.1 hwinfo-21.85-150300.3.6.1 irqbalance-1.4.0-150200.12.14.1 iscsiuio-0.7.8.6-150300.32.24.1 issue-generator-1.13-150100.3.3.1 kernel-default-5.3.18-150300.59.167.1 krb5-1.19.2-150300.19.1 krb5-client-1.19.2-150300.19.1 less-530-150000.3.9.1 libX11-6-1.6.5-150000.3.33.1 libX11-data-1.6.5-150000.3.33.1 libasm1-0.177-150300.11.6.1 libassuan0-2.5.5-150000.4.7.1 libavahi-client3-0.7-150100.3.35.1 libavahi-common3-0.7-150100.3.35.1 libbind9-1600-9.16.6-150300.22.47.1 libblkid1-2.36.2-150300.4.44.12 libblogger2-2.26-150300.4.6.1 libcap2-2.26-150000.4.9.1 libcares2-1.19.1-150000.3.26.1 libcrypt1-4.4.15-150300.4.7.1 libcryptsetup12-2.3.7-150300.3.8.1 libctf-nobfd0-2.41-150100.7.46.1 libctf0-2.41-150100.7.46.1 libcups2-2.2.7-150000.3.62.1 libcurl4-7.66.0-150200.4.72.1 libdbus-1-3-1.12.2-150100.8.17.1 libdevmapper-event1_03-2.03.05_1.02.163-150200.8.52.1 libdevmapper1_03-2.03.05_1.02.163-150200.8.52.1 libdns1605-9.16.6-150300.22.47.1 libdw1-0.177-150300.11.6.1 libebl-plugins-0.177-150300.11.6.1 libeconf0-0.5.2-150300.3.11.1 libelf1-0.177-150300.11.6.1 libfastjson4-0.99.8-150000.3.3.1 libfdisk1-2.36.2-150300.4.44.12 libfreetype6-2.10.4-150000.4.15.1 libgcc_s1-13.3.0+git8781-150000.1.12.1 libgio-2_0-0-2.62.6-150200.3.18.1 libglib-2_0-0-2.62.6-150200.3.18.1 libgmodule-2_0-0-2.62.6-150200.3.18.1 libgnutls30-3.6.7-150200.14.31.1 libgobject-2_0-0-2.62.6-150200.3.18.1 libicu-suse65_1-65.1-150200.4.10.1 libicu65_1-ledata-65.1-150200.4.10.1 libirs1601-9.16.6-150300.22.47.1 libisc1606-9.16.6-150300.22.47.1 libisccc1600-9.16.6-150300.22.47.1 libisccfg1600-9.16.6-150300.22.47.1 libjansson4-2.14-150000.3.5.1 libksba8-1.3.5-150000.4.6.1 libldap-2_4-2-2.4.46-150200.14.17.1 libldap-data-2.4.46-150200.14.17.1 libldb2-2.4.4-150300.3.23.1 liblognorm5-2.0.6-150000.3.3.1 liblvm2cmd2_03-2.03.05-150200.8.52.1 libmetalink3-0.1.3-150000.3.2.1 libmount1-2.36.2-150300.4.44.12 libncurses6-6.1-150000.5.24.1 libnghttp2-14-1.40.0-150200.17.1 libns1604-9.16.6-150300.22.47.1 libopeniscsiusr0_2_0-2.1.7-150300.32.24.1 libopenssl1_1-1.1.1d-150200.11.91.1 libparted0-3.2-150300.21.3.1 libpci3-3.5.6-150300.13.6.1 libpcre2-8-0-10.31-150000.3.15.1 libpipeline1-1.4.1-150000.3.2.1 libpolkit0-0.116-150200.3.12.1 libprotobuf-lite20-3.9.2-150200.4.21.1 libpython3_6m1_0-3.6.15-150300.10.65.1 libqrencode4-4.1.1-150000.3.3.1 libruby2_5-2_5-2.5.9-150000.4.29.1 libsmartcols1-2.36.2-150300.4.44.12 libsodium23-1.0.18-150000.4.6.1 libsolv-tools-0.7.29-150200.34.1 libsqlite3-0-3.44.0-150000.3.23.1 libssh4-0.9.8-150200.13.6.2 libstdc++6-13.3.0+git8781-150000.1.12.1 libsystemd0-246.16-150300.7.57.1 libtirpc-netconfig-1.3.4-150300.3.23.1 libtirpc3-1.3.4-150300.3.23.1 libudev1-246.16-150300.7.57.1 libuuid1-2.36.2-150300.4.44.12 libuv1-1.18.0-150000.3.2.1 libxcb1-1.13-150000.3.11.1 libxml2-2-2.9.7-150000.3.70.1 libxslt1-1.1.32-150000.3.14.1 libyajl2-2.1.0-150000.4.6.1 libyui-ncurses-pkg15-4.1.5-150300.3.12.5 libyui-ncurses15-4.1.5-150300.3.12.4 libyui15-4.1.5-150300.3.12.4 libz1-1.2.11-150000.3.48.1 libzstd1-1.4.4-150000.1.9.1 libzypp-17.34.1-150200.106.2 login_defs-4.8.1-150300.4.18.1 lvm2-2.03.05-150200.8.52.1 man-2.7.6-150100.8.5.1 man-pages-4.16-150300.13.5.1 mozilla-nspr-4.35-150000.3.29.1 mozilla-nss-certs-3.101.2-150000.3.120.1 ncurses-utils-6.1-150000.5.24.1 netcfg-11.6-150000.3.6.1 nfs-client-2.1.1-150100.10.37.1 nfs-kernel-server-2.1.1-150100.10.37.1 nfsidmap-0.26-150000.3.7.1 nscd-2.31-150300.83.1 open-iscsi-2.1.7-150300.32.24.1 openldap2-client-2.4.46-150200.14.17.1 openslp-2.0.0-150000.6.17.1 openssh-8.4p1-150300.3.37.1 openssh-clients-8.4p1-150300.3.37.1 openssh-common-8.4p1-150300.3.37.1 openssh-server-8.4p1-150300.3.37.1 openssl-1_1-1.1.1d-150200.11.91.1 pam-1.3.0-150000.6.66.1 pam-config-1.1-150200.3.6.1 parted-3.2-150300.21.3.1 pciutils-3.5.6-150300.13.6.1 perl-5.26.1-150300.17.17.1 perl-Bootloader-0.945-150300.3.12.1 perl-base-5.26.1-150300.17.17.1 permissions-20181225-150200.23.23.1 polkit-0.116-150200.3.12.1 procps-3.3.17-150000.7.39.1 psmisc-23.0-150000.6.25.1 purge-kernels-service-0-150200.8.6.1 python3-3.6.15-150300.10.65.2 python3-Jinja2-2.10.1-150000.3.13.1 python3-apipkg-1.4-150000.3.6.1 python3-base-3.6.15-150300.10.65.1 python3-bind-9.16.6-150300.22.47.1 python3-certifi-2018.1.18-150000.3.3.1 python3-chardet-3.0.4-150000.5.3.1 python3-cryptography-3.3.2-150200.22.1 python3-cssselect-1.0.3-150400.3.7.4 python3-curses-3.6.15-150300.10.65.2 python3-idna-2.6-150000.3.3.1 python3-iniconfig-1.1.1-150000.1.11.1 python3-lxml-4.7.1-150200.3.12.1 python3-msgpack-0.5.6-150100.3.3.1 python3-packaging-21.3-150200.3.3.1 python3-ply-3.10-150000.3.5.1 python3-psutil-5.9.1-150300.3.6.1 python3-py-1.10.0-150100.5.12.1 python3-pyasn1-0.4.2-150000.3.5.1 python3-pyzmq-17.1.2-150000.3.5.2 python3-requests-2.25.1-150300.3.12.2 python3-rpm-4.14.3-150300.55.1 python3-salt-3006.0-150300.53.79.2 python3-setuptools-40.5.0-150100.6.6.1 python3-solv-0.7.29-150200.34.1 python3-urllib3-1.25.10-150300.4.12.1 regionServiceClientConfigGCE-4.0.1-150000.4.12.1 release-notes-sles-15.3.20230301-150300.3.32.1 rpm-ndb-4.14.3-150300.55.1 rsync-3.2.3-150000.4.23.2 rsyslog-8.2106.0-150200.4.43.2 ruby-solv-0.7.29-150200.34.1 ruby2.5-2.5.9-150000.4.29.1 ruby2.5-rubygem-nokogiri-1.8.5-150000.3.9.1 ruby2.5-stdlib-2.5.9-150000.4.29.1 runc-1.1.13-150000.67.1 salt-3006.0-150300.53.79.2 salt-minion-3006.0-150300.53.79.2 samba-client-libs-4.15.13+git.710.7032820fcd-150300.3.66.2 screen-4.6.2-150000.5.5.1 sed-4.4-150300.13.3.1 shadow-4.8.1-150300.4.18.1 shim-15.8-150300.4.20.2 sudo-1.9.5p2-150300.3.33.1 supportutils-3.1.30-150300.7.35.30.1 supportutils-plugin-suse-public-cloud-1.0.9-150000.3.20.1 suse-build-key-12.0-150000.8.49.2 suse-module-tools-15.3.18-150300.3.25.1 systemd-246.16-150300.7.57.1 systemd-default-settings-0.10-150300.3.7.1 systemd-default-settings-branding-SLE-0.10-150300.3.7.1 systemd-presets-branding-SLE-15.1-150100.20.14.1 systemd-presets-common-SUSE-15-150100.8.23.1 systemd-sysvinit-246.16-150300.7.57.1 tar-1.34-150000.3.34.1 tcl-8.6.12-150300.14.9.1 terminfo-6.1-150000.5.24.1 terminfo-base-6.1-150000.5.24.1 timezone-2024a-150000.75.28.1 udev-246.16-150300.7.57.1 update-alternatives-1.19.0.4-150000.4.4.1 util-linux-2.36.2-150300.4.44.12 util-linux-systemd-2.36.2-150300.4.44.11 vim-9.1.0330-150000.5.63.1 vim-data-common-9.1.0330-150000.5.63.1 wget-1.20.3-150000.3.20.1 wicked-0.6.76-150300.4.35.1 wicked-service-0.6.76-150300.4.35.1 xen-libs-4.14.6_16-150300.3.75.1 yast2-4.3.70-150300.3.23.3 yast2-bootloader-4.3.32-150300.3.11.1 yast2-installation-4.3.55-150300.3.34.2 yast2-logs-4.3.70-150300.3.23.3 yast2-network-4.3.89-150300.3.41.1 yast2-online-update-4.2.3-150200.3.3.1 yast2-online-update-frontend-4.2.3-150200.3.3.1 yast2-packager-4.3.27-150300.3.15.2 yast2-pkg-bindings-4.3.13-150300.3.10.11 yast2-registration-4.3.29-150300.3.23.2 yast2-schema-4.3.31-150300.3.20.3 yast2-transfer-4.1.1-150100.3.3.1 yast2-update-4.3.5-150300.3.9.1 zypper-1.14.73-150200.81.6 aaa_base-84.87+git20180409.04c9dae-150300.10.20.1 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 aaa_base-extras-84.87+git20180409.04c9dae-150300.10.20.1 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 autofs-5.1.3-150000.7.20.1 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 autoyast2-installation-4.3.106-150300.3.56.1 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 bind-utils-9.16.6-150300.22.47.1 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 binutils-2.41-150100.7.46.1 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 blog-2.26-150300.4.6.1 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 ca-certificates-2+git20240416.98ae794-150300.4.3.3 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 ca-certificates-mozilla-2.62-150200.30.1 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 catatonit-0.2.0-150300.10.8.1 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 chrony-4.1-150300.16.14.3 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 chrony-pool-suse-4.1-150300.16.14.3 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 cloud-netconfig-gce-1.14-150000.25.23.1 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 cloud-regionsrv-client-10.1.7-150000.6.108.1 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 cloud-regionsrv-client-plugin-gce-1.0.0-150000.6.108.1 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 containerd-1.7.17-150000.114.1 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 coreutils-8.32-150300.3.8.1 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 cpio-2.12-150000.3.12.1 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 cups-config-2.2.7-150000.3.62.1 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 curl-7.66.0-150200.4.72.1 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 dbus-1-1.12.2-150100.8.17.1 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 device-mapper-2.03.05_1.02.163-150200.8.52.1 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 dhcp-4.3.6.P1-150000.6.19.1 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 dhcp-client-4.3.6.P1-150000.6.19.1 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 dmidecode-3.2-150100.9.16.1 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 docker-25.0.6_ce-150000.203.1 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 dracut-049.1+suse.257.gf94c3fd1-150200.3.75.1 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 elfutils-0.177-150300.11.6.1 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 fonts-config-20200609+git0.42e2b1b-150000.4.10.1 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 gawk-4.2.1-150000.3.3.1 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 glib2-tools-2.62.6-150200.3.18.1 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 glibc-2.31-150300.83.1 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 glibc-i18ndata-2.31-150300.83.1 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 glibc-locale-2.31-150300.83.1 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 glibc-locale-base-2.31-150300.83.1 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 google-guest-agent-20240314.00-150400.1.48.7 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 google-guest-configs-20240307.00-150000.1.31.1 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 google-guest-oslogin-20240311.00-150400.1.45.7 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 google-osconfig-agent-20240320.00-150400.1.35.7 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 gpg2-2.2.27-150300.3.8.1 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 growpart-rootgrow-1.0.7-150400.1.14.7 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 grub2-2.04-150300.22.43.1 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 grub2-i386-pc-2.04-150300.22.43.1 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 grub2-x86_64-efi-2.04-150300.22.43.1 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 hwinfo-21.85-150300.3.6.1 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 irqbalance-1.4.0-150200.12.14.1 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 iscsiuio-0.7.8.6-150300.32.24.1 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 issue-generator-1.13-150100.3.3.1 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 kernel-default-5.3.18-150300.59.167.1 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 krb5-1.19.2-150300.19.1 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 krb5-client-1.19.2-150300.19.1 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 less-530-150000.3.9.1 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 libX11-6-1.6.5-150000.3.33.1 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 libX11-data-1.6.5-150000.3.33.1 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 libasm1-0.177-150300.11.6.1 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 libassuan0-2.5.5-150000.4.7.1 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 libavahi-client3-0.7-150100.3.35.1 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 libavahi-common3-0.7-150100.3.35.1 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 libbind9-1600-9.16.6-150300.22.47.1 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 libblkid1-2.36.2-150300.4.44.12 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 libblogger2-2.26-150300.4.6.1 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 libcap2-2.26-150000.4.9.1 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 libcares2-1.19.1-150000.3.26.1 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 libcrypt1-4.4.15-150300.4.7.1 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 libcryptsetup12-2.3.7-150300.3.8.1 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 libctf-nobfd0-2.41-150100.7.46.1 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 libctf0-2.41-150100.7.46.1 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 libcups2-2.2.7-150000.3.62.1 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 libcurl4-7.66.0-150200.4.72.1 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 libdbus-1-3-1.12.2-150100.8.17.1 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 libdevmapper-event1_03-2.03.05_1.02.163-150200.8.52.1 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 libdevmapper1_03-2.03.05_1.02.163-150200.8.52.1 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 libdns1605-9.16.6-150300.22.47.1 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 libdw1-0.177-150300.11.6.1 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 libebl-plugins-0.177-150300.11.6.1 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 libeconf0-0.5.2-150300.3.11.1 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 libelf1-0.177-150300.11.6.1 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 libfastjson4-0.99.8-150000.3.3.1 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 libfdisk1-2.36.2-150300.4.44.12 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 libfreetype6-2.10.4-150000.4.15.1 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 libgcc_s1-13.3.0+git8781-150000.1.12.1 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 libgio-2_0-0-2.62.6-150200.3.18.1 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 libglib-2_0-0-2.62.6-150200.3.18.1 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 libgmodule-2_0-0-2.62.6-150200.3.18.1 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 libgnutls30-3.6.7-150200.14.31.1 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 libgobject-2_0-0-2.62.6-150200.3.18.1 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 libicu-suse65_1-65.1-150200.4.10.1 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 libicu65_1-ledata-65.1-150200.4.10.1 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 libirs1601-9.16.6-150300.22.47.1 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 libisc1606-9.16.6-150300.22.47.1 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 libisccc1600-9.16.6-150300.22.47.1 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 libisccfg1600-9.16.6-150300.22.47.1 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 libjansson4-2.14-150000.3.5.1 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 libksba8-1.3.5-150000.4.6.1 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 libldap-2_4-2-2.4.46-150200.14.17.1 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 libldap-data-2.4.46-150200.14.17.1 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 libldb2-2.4.4-150300.3.23.1 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 liblognorm5-2.0.6-150000.3.3.1 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 liblvm2cmd2_03-2.03.05-150200.8.52.1 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 libmetalink3-0.1.3-150000.3.2.1 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 libmount1-2.36.2-150300.4.44.12 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 libncurses6-6.1-150000.5.24.1 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 libnghttp2-14-1.40.0-150200.17.1 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 libns1604-9.16.6-150300.22.47.1 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 libopeniscsiusr0_2_0-2.1.7-150300.32.24.1 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 libopenssl1_1-1.1.1d-150200.11.91.1 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 libparted0-3.2-150300.21.3.1 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 libpci3-3.5.6-150300.13.6.1 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 libpcre2-8-0-10.31-150000.3.15.1 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 libpipeline1-1.4.1-150000.3.2.1 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 libpolkit0-0.116-150200.3.12.1 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 libprotobuf-lite20-3.9.2-150200.4.21.1 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 libpython3_6m1_0-3.6.15-150300.10.65.1 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 libqrencode4-4.1.1-150000.3.3.1 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 libruby2_5-2_5-2.5.9-150000.4.29.1 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 libsmartcols1-2.36.2-150300.4.44.12 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 libsodium23-1.0.18-150000.4.6.1 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 libsolv-tools-0.7.29-150200.34.1 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 libsqlite3-0-3.44.0-150000.3.23.1 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 libssh4-0.9.8-150200.13.6.2 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 libstdc++6-13.3.0+git8781-150000.1.12.1 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 libsystemd0-246.16-150300.7.57.1 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 libtirpc-netconfig-1.3.4-150300.3.23.1 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 libtirpc3-1.3.4-150300.3.23.1 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 libudev1-246.16-150300.7.57.1 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 libuuid1-2.36.2-150300.4.44.12 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 libuv1-1.18.0-150000.3.2.1 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 libxcb1-1.13-150000.3.11.1 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 libxml2-2-2.9.7-150000.3.70.1 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 libxslt1-1.1.32-150000.3.14.1 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 libyajl2-2.1.0-150000.4.6.1 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 libyui-ncurses-pkg15-4.1.5-150300.3.12.5 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 libyui-ncurses15-4.1.5-150300.3.12.4 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 libyui15-4.1.5-150300.3.12.4 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 libz1-1.2.11-150000.3.48.1 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 libzstd1-1.4.4-150000.1.9.1 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 libzypp-17.34.1-150200.106.2 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 login_defs-4.8.1-150300.4.18.1 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 lvm2-2.03.05-150200.8.52.1 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 man-2.7.6-150100.8.5.1 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 man-pages-4.16-150300.13.5.1 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 mozilla-nspr-4.35-150000.3.29.1 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 mozilla-nss-certs-3.101.2-150000.3.120.1 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 ncurses-utils-6.1-150000.5.24.1 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 netcfg-11.6-150000.3.6.1 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 nfs-client-2.1.1-150100.10.37.1 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 nfs-kernel-server-2.1.1-150100.10.37.1 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 nfsidmap-0.26-150000.3.7.1 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 nscd-2.31-150300.83.1 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 open-iscsi-2.1.7-150300.32.24.1 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 openldap2-client-2.4.46-150200.14.17.1 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 openslp-2.0.0-150000.6.17.1 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 openssh-8.4p1-150300.3.37.1 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 openssh-clients-8.4p1-150300.3.37.1 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 openssh-common-8.4p1-150300.3.37.1 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 openssh-server-8.4p1-150300.3.37.1 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 openssl-1_1-1.1.1d-150200.11.91.1 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 pam-1.3.0-150000.6.66.1 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 pam-config-1.1-150200.3.6.1 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 parted-3.2-150300.21.3.1 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 pciutils-3.5.6-150300.13.6.1 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 perl-5.26.1-150300.17.17.1 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 perl-Bootloader-0.945-150300.3.12.1 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 perl-base-5.26.1-150300.17.17.1 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 permissions-20181225-150200.23.23.1 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 polkit-0.116-150200.3.12.1 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 procps-3.3.17-150000.7.39.1 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 psmisc-23.0-150000.6.25.1 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 purge-kernels-service-0-150200.8.6.1 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 python3-3.6.15-150300.10.65.2 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 python3-Jinja2-2.10.1-150000.3.13.1 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 python3-apipkg-1.4-150000.3.6.1 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 python3-base-3.6.15-150300.10.65.1 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 python3-bind-9.16.6-150300.22.47.1 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 python3-certifi-2018.1.18-150000.3.3.1 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 python3-chardet-3.0.4-150000.5.3.1 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 python3-cryptography-3.3.2-150200.22.1 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 python3-cssselect-1.0.3-150400.3.7.4 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 python3-curses-3.6.15-150300.10.65.2 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 python3-idna-2.6-150000.3.3.1 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 python3-iniconfig-1.1.1-150000.1.11.1 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 python3-lxml-4.7.1-150200.3.12.1 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 python3-msgpack-0.5.6-150100.3.3.1 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 python3-packaging-21.3-150200.3.3.1 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 python3-ply-3.10-150000.3.5.1 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 python3-psutil-5.9.1-150300.3.6.1 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 python3-py-1.10.0-150100.5.12.1 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 python3-pyasn1-0.4.2-150000.3.5.1 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 python3-pyzmq-17.1.2-150000.3.5.2 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 python3-requests-2.25.1-150300.3.12.2 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 python3-rpm-4.14.3-150300.55.1 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 python3-salt-3006.0-150300.53.79.2 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 python3-setuptools-40.5.0-150100.6.6.1 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 python3-solv-0.7.29-150200.34.1 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 python3-urllib3-1.25.10-150300.4.12.1 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 regionServiceClientConfigGCE-4.0.1-150000.4.12.1 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 release-notes-sles-15.3.20230301-150300.3.32.1 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 rpm-ndb-4.14.3-150300.55.1 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 rsync-3.2.3-150000.4.23.2 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 rsyslog-8.2106.0-150200.4.43.2 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 ruby-solv-0.7.29-150200.34.1 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 ruby2.5-2.5.9-150000.4.29.1 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 ruby2.5-rubygem-nokogiri-1.8.5-150000.3.9.1 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 ruby2.5-stdlib-2.5.9-150000.4.29.1 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 runc-1.1.13-150000.67.1 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 salt-3006.0-150300.53.79.2 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 salt-minion-3006.0-150300.53.79.2 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 samba-client-libs-4.15.13+git.710.7032820fcd-150300.3.66.2 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 screen-4.6.2-150000.5.5.1 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 sed-4.4-150300.13.3.1 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 shadow-4.8.1-150300.4.18.1 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 shim-15.8-150300.4.20.2 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 sudo-1.9.5p2-150300.3.33.1 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 supportutils-3.1.30-150300.7.35.30.1 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 supportutils-plugin-suse-public-cloud-1.0.9-150000.3.20.1 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 suse-build-key-12.0-150000.8.49.2 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 suse-module-tools-15.3.18-150300.3.25.1 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 systemd-246.16-150300.7.57.1 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 systemd-default-settings-0.10-150300.3.7.1 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 systemd-default-settings-branding-SLE-0.10-150300.3.7.1 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 systemd-presets-branding-SLE-15.1-150100.20.14.1 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 systemd-presets-common-SUSE-15-150100.8.23.1 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 systemd-sysvinit-246.16-150300.7.57.1 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 tar-1.34-150000.3.34.1 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 tcl-8.6.12-150300.14.9.1 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 terminfo-6.1-150000.5.24.1 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 terminfo-base-6.1-150000.5.24.1 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 timezone-2024a-150000.75.28.1 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 udev-246.16-150300.7.57.1 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 update-alternatives-1.19.0.4-150000.4.4.1 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 util-linux-2.36.2-150300.4.44.12 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 util-linux-systemd-2.36.2-150300.4.44.11 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 vim-9.1.0330-150000.5.63.1 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 vim-data-common-9.1.0330-150000.5.63.1 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 wget-1.20.3-150000.3.20.1 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 wicked-0.6.76-150300.4.35.1 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 wicked-service-0.6.76-150300.4.35.1 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 xen-libs-4.14.6_16-150300.3.75.1 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 yast2-4.3.70-150300.3.23.3 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 yast2-bootloader-4.3.32-150300.3.11.1 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 yast2-installation-4.3.55-150300.3.34.2 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 yast2-logs-4.3.70-150300.3.23.3 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 yast2-network-4.3.89-150300.3.41.1 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 yast2-online-update-4.2.3-150200.3.3.1 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 yast2-online-update-frontend-4.2.3-150200.3.3.1 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 yast2-packager-4.3.27-150300.3.15.2 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 yast2-pkg-bindings-4.3.13-150300.3.10.11 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 yast2-registration-4.3.29-150300.3.23.2 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 yast2-schema-4.3.31-150300.3.20.3 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 yast2-transfer-4.1.1-150100.3.3.1 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 yast2-update-4.3.5-150300.3.9.1 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 zypper-1.14.73-150200.81.6 as a component of Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64 Directory traversal vulnerability in the (1) extract and (2) extractall functions in the tarfile module in Python allows user-assisted remote attackers to overwrite arbitrary files via a .. (dot dot) sequence in filenames in a TAR archive, a related issue to CVE-2001-1267. CVE-2007-4559 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:python3-3.6.15-150300.10.65.2 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:python3-curses-3.6.15-150300.10.65.2 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P shadow: TOCTOU (time-of-check time-of-use) race condition when copying and removing directory trees CVE-2013-4235 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:login_defs-4.8.1-150300.4.18.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:shadow-4.8.1-150300.4.18.1 moderate 3.3 AV:L/AC:M/Au:N/C:N/I:P/A:P Systems with microprocessors utilizing speculative execution and branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis. CVE-2017-5753 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 important 4.7 AV:L/AC:M/Au:N/C:C/I:N/A:N An issue was discovered in Perl 5.22 through 5.26. Matching a crafted locale dependent regular expression can cause a heap-based buffer over-read and potentially information disclosure. CVE-2018-6798 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:perl-5.26.1-150300.17.17.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:perl-base-5.26.1-150300.17.17.1 important 5 AV:N/AC:L/Au:N/C:P/I:N/A:N Heap-based buffer overflow in the pack function in Perl before 5.26.2 allows context-dependent attackers to execute arbitrary code via a large item count. CVE-2018-6913 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:perl-5.26.1-150300.17.17.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:perl-base-5.26.1-150300.17.17.1 important 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P GNU binutils gold gold v1.11-v1.16 (GNU binutils v2.21-v2.31.1) is affected by: Improper Input Validation, Signed/Unsigned Comparison, Out-of-bounds Read. The impact is: Denial of service. The component is: gold/fileread.cc:497, elfcpp/elfcpp_file.h:644. The attack vector is: An ELF file with an invalid e_shoff header field must be opened. CVE-2019-1010204 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:binutils-2.41-150100.7.46.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libctf-nobfd0-2.41-150100.7.46.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libctf0-2.41-150100.7.46.1 low 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P A flaw was found with the libssh API function ssh_scp_new() in versions before 0.9.3 and before 0.8.8. When the libssh SCP client connects to a server, the scp command, which includes a user-provided path, is executed on the server-side. In case the library is used in a way where users can influence the third parameter of the function, it would become possible for an attacker to inject arbitrary commands, leading to a compromise of the remote target. CVE-2019-14889 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libssh4-0.9.8-150200.13.6.2 important 9.3 AV:N/AC:M/Au:N/C:C/I:C/A:C In the Linux kernel, the following vulnerability has been resolved: i2c: Fix a potential use after free Free the adap structure only after we are done using it. This patch just moves the put_device() down a bit to avoid the use after free. [wsa: added comment to the code, added Fixes tag] CVE-2019-25162 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate Legacy pairing and secure-connections pairing authentication in Bluetooth BR/EDR Core Specification v5.2 and earlier may allow an unauthenticated user to complete authentication without pairing credentials via adjacent access. An unauthenticated, adjacent attacker could impersonate a Bluetooth BR/EDR master or slave to pair with a previously paired remote device to successfully complete the authentication procedure without knowing the link key. CVE-2020-10135 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate 4.8 AV:A/AC:L/Au:N/C:P/I:P/A:N A flaw was found in python. In algorithms with quadratic time complexity using non-binary bases, when using int("text"), a system could take 50ms to parse an int string with 100,000 digits and 5s for 1,000,000 digits (float, decimal, int.from_bytes(), and int() for binary bases 2, 4, 8, 16, and 32 are not affected). The highest threat from this vulnerability is to system availability. CVE-2020-10735 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:python3-3.6.15-150300.10.65.2 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:python3-curses-3.6.15-150300.10.65.2 important json-c through 0.14 has an integer overflow and out-of-bounds write via a large JSON file, as demonstrated by printbuf_memappend. CVE-2020-12762 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libfastjson4-0.99.8-150000.3.3.1 important 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P A potential vulnerability in the AMD extension to Linux "hwmon" service may allow an attacker to use the Linux-based Running Average Power Limit (RAPL) interface to show various side channel attacks. In line with industry partners, AMD has updated the RAPL interface to require privileged access. CVE-2020-12912 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:docker-25.0.6_ce-150000.203.1 moderate 2.1 AV:L/AC:L/Au:N/C:P/I:N/A:N libssh 0.9.4 has a NULL pointer dereference in tftpserver.c if ssh_buffer_new returns NULL. CVE-2020-16135 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libssh4-0.9.8-150200.13.6.2 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P A flaw was found in libssh versions before 0.8.9 and before 0.9.4 in the way it handled AES-CTR (or DES ciphers if enabled) ciphers. The server or client could crash when the connection hasn't been fully initialized and the system tries to cleanup the ciphers when closing the connection. The biggest threat from this vulnerability is system availability. CVE-2020-1730 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libssh4-0.9.8-150200.13.6.2 moderate 5 AV:N/AC:L/Au:N/C:N/I:N/A:P An issue was discovered in binutils libbfd.c 2.36 relating to the auxiliary symbol data allows attackers to read or write to system memory or cause a denial of service. CVE-2020-19726 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:binutils-2.41-150100.7.46.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libctf-nobfd0-2.41-150100.7.46.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libctf0-2.41-150100.7.46.1 important Bluetooth legacy BR/EDR PIN code pairing in Bluetooth Core Specification 1.0B through 5.2 may permit an unauthenticated nearby device to spoof the BD_ADDR of the peer device to complete pairing without knowledge of the PIN. CVE-2020-26555 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate 4.8 AV:A/AC:L/Au:N/C:P/I:P/A:N An issue was discovered in the Linux kernel before 5.8. lib/nlattr.c allows attackers to cause a denial of service (unbounded recursion) via a nested Netlink policy with a back reference. CVE-2020-36691 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate An issue was discovered in the Linux kernel before 5.8.6. drivers/media/cec/core/cec-api.c leaks one byte of kernel memory on specific hardware to unprivileged users, because of directly assigning log_addrs with a hole in the struct. CVE-2020-36766 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 low In the Linux kernel, the following vulnerability has been resolved: media: dvbdev: Fix memory leak in dvb_media_device_free() dvb_media_device_free() is leaking memory. Free `dvbdev->adapter->conn` before setting it to NULL, as documented in include/media/media-device.h: "The media_entity instance itself must be freed explicitly by the driver if required." CVE-2020-36777 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 low In the Linux kernel, the following vulnerability has been resolved: i2c: sprd: fix reference leak when pm_runtime_get_sync fails The PM reference count is not expected to be incremented on return in sprd_i2c_master_xfer() and sprd_i2c_remove(). However, pm_runtime_get_sync will increment the PM reference count even failed. Forgetting to putting operation will result in a reference leak here. Replace it with pm_runtime_resume_and_get to keep usage counter balanced. CVE-2020-36780 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: i2c: imx: fix reference leak when pm_runtime_get_sync fails In i2c_imx_xfer() and i2c_imx_remove(), the pm reference count is not expected to be incremented on return. However, pm_runtime_get_sync will increment pm reference count even failed. Forgetting to putting operation will result in a reference leak here. Replace it with pm_runtime_resume_and_get to keep usage counter balanced. CVE-2020-36781 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: i2c: imx-lpi2c: fix reference leak when pm_runtime_get_sync fails The PM reference count is not expected to be incremented on return in lpi2c_imx_master_enable. However, pm_runtime_get_sync will increment the PM reference count even failed. Forgetting to putting operation will result in a reference leak here. Replace it with pm_runtime_resume_and_get to keep usage counter balanced. CVE-2020-36782 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: i2c: img-scb: fix reference leak when pm_runtime_get_sync fails The PM reference count is not expected to be incremented on return in functions img_i2c_xfer and img_i2c_init. However, pm_runtime_get_sync will increment the PM reference count even failed. Forgetting to putting operation will result in a reference leak here. Replace it with pm_runtime_resume_and_get to keep usage counter balanced. CVE-2020-36783 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: i2c: cadence: fix reference leak when pm_runtime_get_sync fails The PM reference count is not expected to be incremented on return in functions cdns_i2c_master_xfer and cdns_reg_slave. However, pm_runtime_get_sync will increment pm usage counter even failed. Forgetting to putting operation will result in a reference leak here. Replace it with pm_runtime_resume_and_get to keep usage counter balanced. CVE-2020-36784 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 low In the Linux kernel, the following vulnerability has been resolved: drm/nouveau: avoid a use-after-free when BO init fails nouveau_bo_init() is backed by ttm_bo_init() and ferries its return code back to the caller. On failures, ttm_bo_init() invokes the provided destructor which should de-initialize and free the memory. Thus, when nouveau_bo_init() returns an error the gem object has already been released and the memory freed by nouveau_bo_del_ttm(). CVE-2020-36788 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate Insufficient access control in the Linux kernel driver for some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access. CVE-2020-8694 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:docker-25.0.6_ce-150000.203.1 moderate 2.1 AV:L/AC:L/Au:N/C:P/I:N/A:N Observable discrepancy in the RAPL interface for some Intel(R) Processors may allow a privileged user to potentially enable information disclosure via local access. CVE-2020-8695 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:docker-25.0.6_ce-150000.203.1 moderate 2.1 AV:L/AC:L/Au:N/C:P/I:N/A:N A flaw was found in samba. A race condition in the password lockout code may lead to the risk of brute force attacks being successful if special conditions are met. CVE-2021-20251 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:samba-client-libs-4.15.13+git.710.7032820fcd-150300.3.66.2 important An issue in protobuf-java allowed the interleaving of com.google.protobuf.UnknownFieldSet fields in such a way that would be processed out of order. A small malicious payload can occupy the parser for several minutes by creating large numbers of short-lived objects that cause frequent, repeated pauses. We recommend upgrading libraries beyond the vulnerable versions. CVE-2021-22569 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libprotobuf-lite20-3.9.2-150200.4.21.1 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P Nullptr dereference when a null char is present in a proto symbol. The symbol is parsed incorrectly, leading to an unchecked call into the proto file's name during generation of the resulting error message. Since the symbol is incorrectly parsed, the file is nullptr. We recommend upgrading to version 3.15.0 or greater. CVE-2021-22570 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libprotobuf-lite20-3.9.2-150200.4.21.1 moderate 2.1 AV:L/AC:L/Au:N/C:N/I:N/A:P Use After Free vulnerability in nfc sockets in the Linux Kernel before 5.12.4 allows local attackers to elevate their privileges. In typical configurations, the issue can only be triggered by a privileged local user with the CAP_NET_RAW capability. CVE-2021-23134 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 important 4.6 AV:L/AC:L/Au:N/C:P/I:P/A:P An issue was discovered in the Linux kernel through 5.11.x. kernel/bpf/verifier.c performs undesirable out-of-bounds speculation on pointer arithmetic, leading to side-channel attacks that defeat Spectre mitigations and obtain sensitive information from kernel memory. Specifically, for sequences of pointer arithmetic operations, the pointer modification performed by the first operation is not correctly accounted for when restricting subsequent operations. CVE-2021-29155 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate 2.1 AV:L/AC:L/Au:N/C:P/I:N/A:N An issue was discovered in the Linux kernel before 5.11.11. The netfilter subsystem allows attackers to cause a denial of service (panic) because net/netfilter/x_tables.c and include/linux/netfilter/x_tables.h lack a full memory barrier upon the assignment of a new table value, aka CID-175e476b8cdf. CVE-2021-29650 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate 4.9 AV:L/AC:L/Au:N/C:N/I:N/A:C Use after free in Blink XSLT in Google Chrome prior to 91.0.4472.164 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. CVE-2021-30560 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libxslt1-1.1.32-150000.3.14.1 important 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P An issue was discovered in GNU libiberty, as distributed in GNU Binutils 2.36. It is a stack-overflow issue in demangle_type in rust-demangle.c. CVE-2021-32256 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:binutils-2.41-150100.7.46.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libctf-nobfd0-2.41-150100.7.46.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libctf0-2.41-150100.7.46.1 low Integer Overflow or Wraparound vulnerability in openEuler kernel on Linux (filesystem modules) allows Forced Integer Overflow.This issue affects openEuler kernel: from 4.19.90 before 4.19.90-2401.3, from 5.10.0-60.18.0 before 5.10.0-183.0.0. CVE-2021-33631 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate A flaw has been found in libssh in versions prior to 0.9.6. The SSH protocol keeps track of two shared secrets during the lifetime of the session. One of them is called secret_hash and the other session_id. Initially, both of them are the same, but after key re-exchange, previous session_id is kept and used as an input to new secret_hash. Historically, both of these buffers had shared length variable, which worked as long as these buffers were same. But the key re-exchange operation can also change the key exchange method, which can be based on hash of different size, eventually creating "secret_hash" of different size than the session_id has. This becomes an issue when the session_id memory is zeroed or when it is used again during second key re-exchange. CVE-2021-3634 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libssh4-0.9.8-150200.13.6.2 low 4 AV:N/AC:L/Au:S/C:N/I:N/A:P DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2021-3530. Reason: This candidate is a reservation duplicate of CVE-2021-3530. Notes: All CVE users should reference CVE-2021-3530 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. CVE-2021-3648 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:binutils-2.41-150100.7.46.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libctf-nobfd0-2.41-150100.7.46.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libctf0-2.41-150100.7.46.1 low An out-of-bounds (OOB) memory read flaw was found in the Qualcomm IPC router protocol in the Linux kernel. A missing sanity check allows a local attacker to gain access to out-of-bounds memory, leading to a system crash or a leak of internal kernel information. The highest threat from this vulnerability is to system availability. CVE-2021-3743 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate 3.6 AV:L/AC:L/Au:N/C:P/I:N/A:P Heap/stack buffer overflow in the dlang_lname function in d-demangle.c in libiberty allows attackers to potentially cause a denial of service (segmentation fault and crash) via a crafted mangled symbol. CVE-2021-3826 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:binutils-2.41-150100.7.46.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libctf-nobfd0-2.41-150100.7.46.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libctf0-2.41-150100.7.46.1 moderate Go before 1.16.9 and 1.17.x before 1.17.2 has a Buffer Overflow via large arguments in a function invocation from a WASM module, when GOARCH=wasm GOOS=js is used. CVE-2021-38297 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:google-guest-agent-20240314.00-150400.1.48.7 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:google-osconfig-agent-20240320.00-150400.1.35.7 moderate 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P A flaw was found in the Linux kernel's implementation of RDMA over infiniband. An attacker with a privileged local account can leak kernel stack information when issuing commands to the /dev/infiniband/rdma_cm device node. While this access is unlikely to leak sensitive user information, it can be further used to defeat existing kernel protection mechanisms. CVE-2021-3923 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 low vim is vulnerable to Use of Uninitialized Variable CVE-2021-3928 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:vim-9.1.0330-150000.5.63.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:vim-data-common-9.1.0330-150000.5.63.1 moderate 4.6 AV:L/AC:L/Au:N/C:P/I:P/A:P In aio_poll_complete_work of aio.c, there is a possible memory corruption due to a use after free. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-185125206References: Upstream kernel CVE-2021-39698 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 important 7.2 AV:L/AC:L/Au:N/C:C/I:C/A:C An issue was discovered in the Linux kernel for powerpc before 5.14.15. It allows a malicious KVM guest to crash the host, when the host is running on Power8, due to an arch/powerpc/kvm/book3s_hv_rmhandlers.S implementation bug in the handling of the SRR1 register values. CVE-2021-43056 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate 4.9 AV:L/AC:L/Au:N/C:N/I:N/A:C An issue was discovered in the Linux kernel before 5.14.15. There is an array-index-out-of-bounds flaw in the detach_capi_ctr function in drivers/isdn/capi/kcapi.c. CVE-2021-43389 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate 2.1 AV:L/AC:L/Au:N/C:N/I:N/A:P In the Linux kernel, the following vulnerability has been resolved: isdn: cpai: check ctr->cnr to avoid array index out of bound The cmtp_add_connection() would add a cmtp session to a controller and run a kernel thread to process cmtp. __module_get(THIS_MODULE); session->task = kthread_run(cmtp_session, session, "kcmtpd_ctr_%d", session->num); During this process, the kernel thread would call detach_capi_ctr() to detach a register controller. if the controller was not attached yet, detach_capi_ctr() would trigger an array-index-out-bounds bug. [ 46.866069][ T6479] UBSAN: array-index-out-of-bounds in drivers/isdn/capi/kcapi.c:483:21 [ 46.867196][ T6479] index -1 is out of range for type 'capi_ctr *[32]' [ 46.867982][ T6479] CPU: 1 PID: 6479 Comm: kcmtpd_ctr_0 Not tainted 5.15.0-rc2+ #8 [ 46.869002][ T6479] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-2 04/01/2014 [ 46.870107][ T6479] Call Trace: [ 46.870473][ T6479] dump_stack_lvl+0x57/0x7d [ 46.870974][ T6479] ubsan_epilogue+0x5/0x40 [ 46.871458][ T6479] __ubsan_handle_out_of_bounds.cold+0x43/0x48 [ 46.872135][ T6479] detach_capi_ctr+0x64/0xc0 [ 46.872639][ T6479] cmtp_session+0x5c8/0x5d0 [ 46.873131][ T6479] ? __init_waitqueue_head+0x60/0x60 [ 46.873712][ T6479] ? cmtp_add_msgpart+0x120/0x120 [ 46.874256][ T6479] kthread+0x147/0x170 [ 46.874709][ T6479] ? set_kthread_struct+0x40/0x40 [ 46.875248][ T6479] ret_from_fork+0x1f/0x30 [ 46.875773][ T6479] CVE-2021-4439 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate stab_xcoff_builtin_type in stabs.c in GNU Binutils through 2.37 allows attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact, as demonstrated by an out-of-bounds write. NOTE: this issue exists because of an incorrect fix for CVE-2018-12699. CVE-2021-45078 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:binutils-2.41-150100.7.46.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libctf-nobfd0-2.41-150100.7.46.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libctf0-2.41-150100.7.46.1 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P GCC v12.0 was discovered to contain an uncontrolled recursion via the component libiberty/rust-demangle.c. This vulnerability allows attackers to cause a Denial of Service (DoS) by consuming excessive CPU and memory resources. CVE-2021-46195 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:binutils-2.41-150100.7.46.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libctf-nobfd0-2.41-150100.7.46.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libctf0-2.41-150100.7.46.1 low 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P In libtirpc before 1.3.3rc1, remote attackers could exhaust the file descriptors of a process that uses libtirpc because idle TCP connections are mishandled. This can, in turn, lead to an svc_run infinite loop without accepting new connections. CVE-2021-46828 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libtirpc-netconfig-1.3.4-150300.3.23.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libtirpc3-1.3.4-150300.3.23.1 important In the Linux kernel, the following vulnerability has been resolved: net: hso: fix null-ptr-deref during tty device unregistration Multiple ttys try to claim the same the minor number causing a double unregistration of the same device. The first unregistration succeeds but the next one results in a null-ptr-deref. The get_free_serial_index() function returns an available minor number but doesn't assign it immediately. The assignment is done by the caller later. But before this assignment, calls to get_free_serial_index() would return the same minor number. Fix this by modifying get_free_serial_index to assign the minor number immediately after one is found to be and rename it to obtain_minor() to better reflect what it does. Similary, rename set_serial_by_index() to release_minor() and modify it to free up the minor number of the given hso_serial. Every obtain_minor() should have corresponding release_minor() call. CVE-2021-46904 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: HID: usbhid: fix info leak in hid_submit_ctrl In hid_submit_ctrl(), the way of calculating the report length doesn't take into account that report->size can be zero. When running the syzkaller reproducer, a report of size 0 causes hid_submit_ctrl) to calculate transfer_buffer_length as 16384. When this urb is passed to the usb core layer, KMSAN reports an info leak of 16384 bytes. To fix this, first modify hid_report_len() to account for the zero report size case by using DIV_ROUND_UP for the division. Then, call it from hid_submit_ctrl(). CVE-2021-46906 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: ARM: footbridge: fix PCI interrupt mapping Since commit 30fdfb929e82 ("PCI: Add a call to pci_assign_irq() in pci_device_probe()"), the PCI code will call the IRQ mapping function whenever a PCI driver is probed. If these are marked as __init, this causes an oops if a PCI driver is loaded or bound after the kernel has initialised. CVE-2021-46909 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: ch_ktls: Fix kernel panic Taking page refcount is not ideal and causes kernel panic sometimes. It's better to take tx_ctx lock for the complete skb transmit, to avoid page cleanup if ACK received in middle. CVE-2021-46911 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: ixgbe: fix unbalanced device enable/disable in suspend/resume pci_disable_device() called in __ixgbe_shutdown() decreases dev->enable_cnt by 1. pci_enable_device_mem() which increases dev->enable_cnt by 1, was removed from ixgbe_resume() in commit 6f82b2558735 ("ixgbe: use generic power management"). This caused unbalanced increase/decrease. So add pci_enable_device_mem() back. Fix the following call trace. ixgbe 0000:17:00.1: disabling already-disabled device Call Trace: __ixgbe_shutdown+0x10a/0x1e0 [ixgbe] ixgbe_suspend+0x32/0x70 [ixgbe] pci_pm_suspend+0x87/0x160 ? pci_pm_freeze+0xd0/0xd0 dpm_run_callback+0x42/0x170 __device_suspend+0x114/0x460 async_suspend+0x1f/0xa0 async_run_entry_fn+0x3c/0xf0 process_one_work+0x1dd/0x410 worker_thread+0x34/0x3f0 ? cancel_delayed_work+0x90/0x90 kthread+0x14c/0x170 ? kthread_park+0x90/0x90 ret_from_fork+0x1f/0x30 CVE-2021-46914 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_limit: avoid possible divide error in nft_limit_init div_u64() divides u64 by u32. nft_limit_init() wants to divide u64 by u64, use the appropriate math function (div64_u64) divide error: 0000 [#1] PREEMPT SMP KASAN CPU: 1 PID: 8390 Comm: syz-executor188 Not tainted 5.12.0-rc4-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 RIP: 0010:div_u64_rem include/linux/math64.h:28 [inline] RIP: 0010:div_u64 include/linux/math64.h:127 [inline] RIP: 0010:nft_limit_init+0x2a2/0x5e0 net/netfilter/nft_limit.c:85 Code: ef 4c 01 eb 41 0f 92 c7 48 89 de e8 38 a5 22 fa 4d 85 ff 0f 85 97 02 00 00 e8 ea 9e 22 fa 4c 0f af f3 45 89 ed 31 d2 4c 89 f0 <49> f7 f5 49 89 c6 e8 d3 9e 22 fa 48 8d 7d 48 48 b8 00 00 00 00 00 RSP: 0018:ffffc90009447198 EFLAGS: 00010246 RAX: 0000000000000000 RBX: 0000200000000000 RCX: 0000000000000000 RDX: 0000000000000000 RSI: ffffffff875152e6 RDI: 0000000000000003 RBP: ffff888020f80908 R08: 0000200000000000 R09: 0000000000000000 R10: ffffffff875152d8 R11: 0000000000000000 R12: ffffc90009447270 R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 FS: 000000000097a300(0000) GS:ffff8880b9d00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00000000200001c4 CR3: 0000000026a52000 CR4: 00000000001506e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: nf_tables_newexpr net/netfilter/nf_tables_api.c:2675 [inline] nft_expr_init+0x145/0x2d0 net/netfilter/nf_tables_api.c:2713 nft_set_elem_expr_alloc+0x27/0x280 net/netfilter/nf_tables_api.c:5160 nf_tables_newset+0x1997/0x3150 net/netfilter/nf_tables_api.c:4321 nfnetlink_rcv_batch+0x85a/0x21b0 net/netfilter/nfnetlink.c:456 nfnetlink_rcv_skb_batch net/netfilter/nfnetlink.c:580 [inline] nfnetlink_rcv+0x3af/0x420 net/netfilter/nfnetlink.c:598 netlink_unicast_kernel net/netlink/af_netlink.c:1312 [inline] netlink_unicast+0x533/0x7d0 net/netlink/af_netlink.c:1338 netlink_sendmsg+0x856/0xd90 net/netlink/af_netlink.c:1927 sock_sendmsg_nosec net/socket.c:654 [inline] sock_sendmsg+0xcf/0x120 net/socket.c:674 ____sys_sendmsg+0x6e8/0x810 net/socket.c:2350 ___sys_sendmsg+0xf3/0x170 net/socket.c:2404 __sys_sendmsg+0xe5/0x1b0 net/socket.c:2433 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x44/0xae CVE-2021-46915 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: dmaengine: idxd: fix wq cleanup of WQCFG registers A pre-release silicon erratum workaround where wq reset does not clear WQCFG registers was leaked into upstream code. Use wq reset command instead of blasting the MMIO region. This also address an issue where we clobber registers in future devices. CVE-2021-46917 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 low In the Linux kernel, the following vulnerability has been resolved: dmaengine: idxd: clear MSIX permission entry on shutdown Add disabling/clearing of MSIX permission entries on device shutdown to mirror the enabling of the MSIX entries on probe. Current code left the MSIX enabled and the pasid entries still programmed at device shutdown. CVE-2021-46918 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 low In the Linux kernel, the following vulnerability has been resolved: dmaengine: idxd: fix wq size store permission state WQ size can only be changed when the device is disabled. Current code allows change when device is enabled but wq is disabled. Change the check to detect device state. CVE-2021-46919 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: dmaengine: idxd: Fix clobbering of SWERR overflow bit on writeback Current code blindly writes over the SWERR and the OVERFLOW bits. Write back the bits actually read instead so the driver avoids clobbering the OVERFLOW bit that comes after the register is read. CVE-2021-46920 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 low In the Linux kernel, the following vulnerability has been resolved: locking/qrwlock: Fix ordering in queued_write_lock_slowpath() While this code is executed with the wait_lock held, a reader can acquire the lock without holding wait_lock. The writer side loops checking the value with the atomic_cond_read_acquire(), but only truly acquires the lock when the compare-and-exchange is completed successfully which isn't ordered. This exposes the window between the acquire and the cmpxchg to an A-B-A problem which allows reads following the lock acquisition to observe values speculatively before the write lock is truly acquired. We've seen a problem in epoll where the reader does a xchg while holding the read lock, but the writer can see a value change out from under it. Writer | Reader -------------------------------------------------------------------------------- ep_scan_ready_list() | |- write_lock_irq() | |- queued_write_lock_slowpath() | |- atomic_cond_read_acquire() | | read_lock_irqsave(&ep->lock, flags); --> (observes value before unlock) | chain_epi_lockless() | | epi->next = xchg(&ep->ovflist, epi); | | read_unlock_irqrestore(&ep->lock, flags); | | | atomic_cmpxchg_relaxed() | |-- READ_ONCE(ep->ovflist); | A core can order the read of the ovflist ahead of the atomic_cmpxchg_relaxed(). Switching the cmpxchg to use acquire semantics addresses this issue at which point the atomic_cond_read can be switched to use relaxed semantics. [peterz: use try_cmpxchg()] CVE-2021-46921 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: KEYS: trusted: Fix TPM reservation for seal/unseal The original patch 8c657a0590de ("KEYS: trusted: Reserve TPM for seal and unseal operations") was correct on the mailing list: https://lore.kernel.org/linux-integrity/20210128235621.127925-4-jarkko@kernel.org/ But somehow got rebased so that the tpm_try_get_ops() in tpm2_seal_trusted() got lost. This causes an imbalanced put of the TPM ops and causes oopses on TIS based hardware. This fix puts back the lost tpm_try_get_ops() CVE-2021-46922 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: NFC: st21nfca: Fix memory leak in device probe and remove 'phy->pending_skb' is alloced when device probe, but forgot to free in the error handling path and remove path, this cause memory leak as follows: unreferenced object 0xffff88800bc06800 (size 512): comm "8", pid 11775, jiffies 4295159829 (age 9.032s) hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ backtrace: [<00000000d66c09ce>] __kmalloc_node_track_caller+0x1ed/0x450 [<00000000c93382b3>] kmalloc_reserve+0x37/0xd0 [<000000005fea522c>] __alloc_skb+0x124/0x380 [<0000000019f29f9a>] st21nfca_hci_i2c_probe+0x170/0x8f2 Fix it by freeing 'pending_skb' in error and remove. CVE-2021-46924 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: usb: mtu3: fix list_head check warning This is caused by uninitialization of list_head. BUG: KASAN: use-after-free in __list_del_entry_valid+0x34/0xe4 Call trace: dump_backtrace+0x0/0x298 show_stack+0x24/0x34 dump_stack+0x130/0x1a8 print_address_description+0x88/0x56c __kasan_report+0x1b8/0x2a0 kasan_report+0x14/0x20 __asan_load8+0x9c/0xa0 __list_del_entry_valid+0x34/0xe4 mtu3_req_complete+0x4c/0x300 [mtu3] mtu3_gadget_stop+0x168/0x448 [mtu3] usb_gadget_unregister_driver+0x204/0x3a0 unregister_gadget_item+0x44/0xa4 CVE-2021-46930 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: Wrap the tx reporter dump callback to extract the sq Function mlx5e_tx_reporter_dump_sq() casts its void * argument to struct mlx5e_txqsq *, but in TX-timeout-recovery flow the argument is actually of type struct mlx5e_tx_timeout_ctx *. mlx5_core 0000:08:00.1 enp8s0f1: TX timeout detected mlx5_core 0000:08:00.1 enp8s0f1: TX timeout on queue: 1, SQ: 0x11ec, CQ: 0x146d, SQ Cons: 0x0 SQ Prod: 0x1, usecs since last trans: 21565000 BUG: stack guard page was hit at 0000000093f1a2de (stack is 00000000b66ea0dc..000000004d932dae) kernel stack overflow (page fault): 0000 [#1] SMP NOPTI CPU: 5 PID: 95 Comm: kworker/u20:1 Tainted: G W OE 5.13.0_mlnx #1 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 Workqueue: mlx5e mlx5e_tx_timeout_work [mlx5_core] RIP: 0010:mlx5e_tx_reporter_dump_sq+0xd3/0x180 [mlx5_core] Call Trace: mlx5e_tx_reporter_dump+0x43/0x1c0 [mlx5_core] devlink_health_do_dump.part.91+0x71/0xd0 devlink_health_report+0x157/0x1b0 mlx5e_reporter_tx_timeout+0xb9/0xf0 [mlx5_core] ? mlx5e_tx_reporter_err_cqe_recover+0x1d0/0x1d0 [mlx5_core] ? mlx5e_health_queue_dump+0xd0/0xd0 [mlx5_core] ? update_load_avg+0x19b/0x550 ? set_next_entity+0x72/0x80 ? pick_next_task_fair+0x227/0x340 ? finish_task_switch+0xa2/0x280 mlx5e_tx_timeout_work+0x83/0xb0 [mlx5_core] process_one_work+0x1de/0x3a0 worker_thread+0x2d/0x3c0 ? process_one_work+0x3a0/0x3a0 kthread+0x115/0x130 ? kthread_park+0x90/0x90 ret_from_fork+0x1f/0x30 --[ end trace 51ccabea504edaff ]--- RIP: 0010:mlx5e_tx_reporter_dump_sq+0xd3/0x180 PKRU: 55555554 Kernel panic - not syncing: Fatal exception Kernel Offset: disabled end Kernel panic - not syncing: Fatal exception To fix this bug add a wrapper for mlx5e_tx_reporter_dump_sq() which extracts the sq from struct mlx5e_tx_timeout_ctx and set it as the TX-timeout-recovery flow dump callback. CVE-2021-46931 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: Input: appletouch - initialize work before device registration Syzbot has reported warning in __flush_work(). This warning is caused by work->func == NULL, which means missing work initialization. This may happen, since input_dev->close() calls cancel_work_sync(&dev->work), but dev->work initalization happens _after_ input_register_device() call. So this patch moves dev->work initialization before registering input device CVE-2021-46932 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 low In the Linux kernel, the following vulnerability has been resolved: usb: gadget: f_fs: Clear ffs_eventfd in ffs_data_clear. ffs_data_clear is indirectly called from both ffs_fs_kill_sb and ffs_ep0_release, so it ends up being called twice when userland closes ep0 and then unmounts f_fs. If userland provided an eventfd along with function's USB descriptors, it ends up calling eventfd_ctx_put as many times, causing a refcount underflow. NULL-ify ffs_eventfd to prevent these extraneous eventfd_ctx_put calls. Also, set epfiles to NULL right after de-allocating it, for readability. For completeness, ffs_data_clear actually ends up being called thrice, the last call being before the whole ffs structure gets freed, so when this specific sequence happens there is a second underflow happening (but not being reported): /sys/kernel/debug/tracing# modprobe usb_f_fs /sys/kernel/debug/tracing# echo ffs_data_clear > set_ftrace_filter /sys/kernel/debug/tracing# echo function > current_tracer /sys/kernel/debug/tracing# echo 1 > tracing_on (setup gadget, run and kill function userland process, teardown gadget) /sys/kernel/debug/tracing# echo 0 > tracing_on /sys/kernel/debug/tracing# cat trace smartcard-openp-436 [000] ..... 1946.208786: ffs_data_clear <-ffs_data_closed smartcard-openp-431 [000] ..... 1946.279147: ffs_data_clear <-ffs_data_closed smartcard-openp-431 [000] .n... 1946.905512: ffs_data_clear <-ffs_data_put Warning output corresponding to above trace: [ 1946.284139] WARNING: CPU: 0 PID: 431 at lib/refcount.c:28 refcount_warn_saturate+0x110/0x15c [ 1946.293094] refcount_t: underflow; use-after-free. [ 1946.298164] Modules linked in: usb_f_ncm(E) u_ether(E) usb_f_fs(E) hci_uart(E) btqca(E) btrtl(E) btbcm(E) btintel(E) bluetooth(E) nls_ascii(E) nls_cp437(E) vfat(E) fat(E) bcm2835_v4l2(CE) bcm2835_mmal_vchiq(CE) videobuf2_vmalloc(E) videobuf2_memops(E) sha512_generic(E) videobuf2_v4l2(E) sha512_arm(E) videobuf2_common(E) videodev(E) cpufreq_dt(E) snd_bcm2835(CE) brcmfmac(E) mc(E) vc4(E) ctr(E) brcmutil(E) snd_soc_core(E) snd_pcm_dmaengine(E) drbg(E) snd_pcm(E) snd_timer(E) snd(E) soundcore(E) drm_kms_helper(E) cec(E) ansi_cprng(E) rc_core(E) syscopyarea(E) raspberrypi_cpufreq(E) sysfillrect(E) sysimgblt(E) cfg80211(E) max17040_battery(OE) raspberrypi_hwmon(E) fb_sys_fops(E) regmap_i2c(E) ecdh_generic(E) rfkill(E) ecc(E) bcm2835_rng(E) rng_core(E) vchiq(CE) leds_gpio(E) libcomposite(E) fuse(E) configfs(E) ip_tables(E) x_tables(E) autofs4(E) ext4(E) crc16(E) mbcache(E) jbd2(E) crc32c_generic(E) sdhci_iproc(E) sdhci_pltfm(E) sdhci(E) [ 1946.399633] CPU: 0 PID: 431 Comm: smartcard-openp Tainted: G C OE 5.15.0-1-rpi #1 Debian 5.15.3-1 [ 1946.417950] Hardware name: BCM2835 [ 1946.425442] Backtrace: [ 1946.432048] [<c08d60a0>] (dump_backtrace) from [<c08d62ec>] (show_stack+0x20/0x24) [ 1946.448226] r7:00000009 r6:0000001c r5:c04a948c r4:c0a64e2c [ 1946.458412] [<c08d62cc>] (show_stack) from [<c08d9ae0>] (dump_stack+0x28/0x30) [ 1946.470380] [<c08d9ab8>] (dump_stack) from [<c0123500>] (__warn+0xe8/0x154) [ 1946.482067] r5:c04a948c r4:c0a71dc8 [ 1946.490184] [<c0123418>] (__warn) from [<c08d6948>] (warn_slowpath_fmt+0xa0/0xe4) [ 1946.506758] r7:00000009 r6:0000001c r5:c0a71dc8 r4:c0a71e04 [ 1946.517070] [<c08d68ac>] (warn_slowpath_fmt) from [<c04a948c>] (refcount_warn_saturate+0x110/0x15c) [ 1946.535309] r8:c0100224 r7:c0dfcb84 r6:ffffffff r5:c3b84c00 r4:c24a17c0 [ 1946.546708] [<c04a937c>] (refcount_warn_saturate) from [<c0380134>] (eventfd_ctx_put+0x48/0x74) [ 1946.564476] [<c03800ec>] (eventfd_ctx_put) from [<bf5464e8>] (ffs_data_clear+0xd0/0x118 [usb_f_fs]) [ 1946.582664] r5:c3b84c00 r4:c2695b00 [ 1946.590668] [<bf546418>] (ffs_data_clear [usb_f_fs]) from [<bf547cc0>] (ffs_data_closed+0x9c/0x150 [usb_f_fs]) [ 1946.609608] r5:bf54d014 r4:c2695b00 [ 1946.617522] [<bf547c24>] (ffs_data_closed [usb_f_fs]) from [<bf547da0>] (ffs_fs_kill_sb+0x2c/0x30 [usb_f_fs]) [ 1946.636217] r7:c0dfcb ---truncated--- CVE-2021-46933 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: i2c: validate user data in compat ioctl Wrong user data may cause warning in i2c_transfer(), ex: zero msgs. Userspace should not be able to trigger warnings, so this patch adds validation checks for user data in compact ioctl to prevent reported warnings CVE-2021-46934 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 low In the Linux kernel, the following vulnerability has been resolved: dm rq: fix double free of blk_mq_tag_set in dev remove after table load fails When loading a device-mapper table for a request-based mapped device, and the allocation/initialization of the blk_mq_tag_set for the device fails, a following device remove will cause a double free. E.g. (dmesg): device-mapper: core: Cannot initialize queue for request-based dm-mq mapped device device-mapper: ioctl: unable to set up device queue for new table. Unable to handle kernel pointer dereference in virtual kernel address space Failing address: 0305e098835de000 TEID: 0305e098835de803 Fault in home space mode while using kernel ASCE. AS:000000025efe0007 R3:0000000000000024 Oops: 0038 ilc:3 [#1] SMP Modules linked in: ... lots of modules ... Supported: Yes, External CPU: 0 PID: 7348 Comm: multipathd Kdump: loaded Tainted: G W X 5.3.18-53-default #1 SLE15-SP3 Hardware name: IBM 8561 T01 7I2 (LPAR) Krnl PSW : 0704e00180000000 000000025e368eca (kfree+0x42/0x330) R:0 T:1 IO:1 EX:1 Key:0 M:1 W:0 P:0 AS:3 CC:2 PM:0 RI:0 EA:3 Krnl GPRS: 000000000000004a 000000025efe5230 c1773200d779968d 0000000000000000 000000025e520270 000000025e8d1b40 0000000000000003 00000007aae10000 000000025e5202a2 0000000000000001 c1773200d779968d 0305e098835de640 00000007a8170000 000003ff80138650 000000025e5202a2 000003e00396faa8 Krnl Code: 000000025e368eb8: c4180041e100 lgrl %r1,25eba50b8 000000025e368ebe: ecba06b93a55 risbg %r11,%r10,6,185,58 #000000025e368ec4: e3b010000008 ag %r11,0(%r1) >000000025e368eca: e310b0080004 lg %r1,8(%r11) 000000025e368ed0: a7110001 tmll %r1,1 000000025e368ed4: a7740129 brc 7,25e369126 000000025e368ed8: e320b0080004 lg %r2,8(%r11) 000000025e368ede: b904001b lgr %r1,%r11 Call Trace: [<000000025e368eca>] kfree+0x42/0x330 [<000000025e5202a2>] blk_mq_free_tag_set+0x72/0xb8 [<000003ff801316a8>] dm_mq_cleanup_mapped_device+0x38/0x50 [dm_mod] [<000003ff80120082>] free_dev+0x52/0xd0 [dm_mod] [<000003ff801233f0>] __dm_destroy+0x150/0x1d0 [dm_mod] [<000003ff8012bb9a>] dev_remove+0x162/0x1c0 [dm_mod] [<000003ff8012a988>] ctl_ioctl+0x198/0x478 [dm_mod] [<000003ff8012ac8a>] dm_ctl_ioctl+0x22/0x38 [dm_mod] [<000000025e3b11ee>] ksys_ioctl+0xbe/0xe0 [<000000025e3b127a>] __s390x_sys_ioctl+0x2a/0x40 [<000000025e8c15ac>] system_call+0xd8/0x2c8 Last Breaking-Event-Address: [<000000025e52029c>] blk_mq_free_tag_set+0x6c/0xb8 Kernel panic - not syncing: Fatal exception: panic_on_oops When allocation/initialization of the blk_mq_tag_set fails in dm_mq_init_request_queue(), it is uninitialized/freed, but the pointer is not reset to NULL; so when dev_remove() later gets into dm_mq_cleanup_mapped_device() it sees the pointer and tries to uninitialize and free it again. Fix this by setting the pointer to NULL in dm_mq_init_request_queue() error-handling. Also set it to NULL in dm_mq_cleanup_mapped_device(). CVE-2021-46938 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: tracing: Restructure trace_clock_global() to never block It was reported that a fix to the ring buffer recursion detection would cause a hung machine when performing suspend / resume testing. The following backtrace was extracted from debugging that case: Call Trace: trace_clock_global+0x91/0xa0 __rb_reserve_next+0x237/0x460 ring_buffer_lock_reserve+0x12a/0x3f0 trace_buffer_lock_reserve+0x10/0x50 __trace_graph_return+0x1f/0x80 trace_graph_return+0xb7/0xf0 ? trace_clock_global+0x91/0xa0 ftrace_return_to_handler+0x8b/0xf0 ? pv_hash+0xa0/0xa0 return_to_handler+0x15/0x30 ? ftrace_graph_caller+0xa0/0xa0 ? trace_clock_global+0x91/0xa0 ? __rb_reserve_next+0x237/0x460 ? ring_buffer_lock_reserve+0x12a/0x3f0 ? trace_event_buffer_lock_reserve+0x3c/0x120 ? trace_event_buffer_reserve+0x6b/0xc0 ? trace_event_raw_event_device_pm_callback_start+0x125/0x2d0 ? dpm_run_callback+0x3b/0xc0 ? pm_ops_is_empty+0x50/0x50 ? platform_get_irq_byname_optional+0x90/0x90 ? trace_device_pm_callback_start+0x82/0xd0 ? dpm_run_callback+0x49/0xc0 With the following RIP: RIP: 0010:native_queued_spin_lock_slowpath+0x69/0x200 Since the fix to the recursion detection would allow a single recursion to happen while tracing, this lead to the trace_clock_global() taking a spin lock and then trying to take it again: ring_buffer_lock_reserve() { trace_clock_global() { arch_spin_lock() { queued_spin_lock_slowpath() { /* lock taken */ (something else gets traced by function graph tracer) ring_buffer_lock_reserve() { trace_clock_global() { arch_spin_lock() { queued_spin_lock_slowpath() { /* DEAD LOCK! */ Tracing should *never* block, as it can lead to strange lockups like the above. Restructure the trace_clock_global() code to instead of simply taking a lock to update the recorded "prev_time" simply use it, as two events happening on two different CPUs that calls this at the same time, really doesn't matter which one goes first. Use a trylock to grab the lock for updating the prev_time, and if it fails, simply try again the next time. If it failed to be taken, that means something else is already updating it. Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=212761 CVE-2021-46939 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: media: staging/intel-ipu3: Fix set_fmt error handling If there in an error during a set_fmt, do not overwrite the previous sizes with the invalid config. Without this patch, v4l2-compliance ends up allocating 4GiB of RAM and causing the following OOPs [ 38.662975] ipu3-imgu 0000:00:05.0: swiotlb buffer is full (sz: 4096 bytes) [ 38.662980] DMA: Out of SW-IOMMU space for 4096 bytes at device 0000:00:05.0 [ 38.663010] general protection fault: 0000 [#1] PREEMPT SMP CVE-2021-46943 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: media: staging/intel-ipu3: Fix memory leak in imu_fmt We are losing the reference to an allocated memory if try. Change the order of the check to avoid that. CVE-2021-46944 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: md/raid1: properly indicate failure when ending a failed write request This patch addresses a data corruption bug in raid1 arrays using bitmaps. Without this fix, the bitmap bits for the failed I/O end up being cleared. Since we are in the failure leg of raid1_end_write_request, the request either needs to be retried (R1BIO_WriteError) or failed (R1BIO_Degraded). CVE-2021-46950 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 low In the Linux kernel, the following vulnerability has been resolved: tpm: efi: Use local variable for calculating final log size When tpm_read_log_efi is called multiple times, which happens when one loads and unloads a TPM2 driver multiple times, then the global variable efi_tpm_final_log_size will at some point become a negative number due to the subtraction of final_events_preboot_size occurring each time. Use a local variable to avoid this integer underflow. The following issue is now resolved: Mar 8 15:35:12 hibinst kernel: Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015 Mar 8 15:35:12 hibinst kernel: Workqueue: tpm-vtpm vtpm_proxy_work [tpm_vtpm_proxy] Mar 8 15:35:12 hibinst kernel: RIP: 0010:__memcpy+0x12/0x20 Mar 8 15:35:12 hibinst kernel: Code: 00 b8 01 00 00 00 85 d2 74 0a c7 05 44 7b ef 00 0f 00 00 00 c3 cc cc cc 66 66 90 66 90 48 89 f8 48 89 d1 48 c1 e9 03 83 e2 07 <f3> 48 a5 89 d1 f3 a4 c3 66 0f 1f 44 00 00 48 89 f8 48 89 d1 f3 a4 Mar 8 15:35:12 hibinst kernel: RSP: 0018:ffff9ac4c0fcfde0 EFLAGS: 00010206 Mar 8 15:35:12 hibinst kernel: RAX: ffff88f878cefed5 RBX: ffff88f878ce9000 RCX: 1ffffffffffffe0f Mar 8 15:35:12 hibinst kernel: RDX: 0000000000000003 RSI: ffff9ac4c003bff9 RDI: ffff88f878cf0e4d Mar 8 15:35:12 hibinst kernel: RBP: ffff9ac4c003b000 R08: 0000000000001000 R09: 000000007e9d6073 Mar 8 15:35:12 hibinst kernel: R10: ffff9ac4c003b000 R11: ffff88f879ad3500 R12: 0000000000000ed5 Mar 8 15:35:12 hibinst kernel: R13: ffff88f878ce9760 R14: 0000000000000002 R15: ffff88f77de7f018 Mar 8 15:35:12 hibinst kernel: FS: 0000000000000000(0000) GS:ffff88f87bd00000(0000) knlGS:0000000000000000 Mar 8 15:35:12 hibinst kernel: CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 Mar 8 15:35:12 hibinst kernel: CR2: ffff9ac4c003c000 CR3: 00000001785a6004 CR4: 0000000000060ee0 Mar 8 15:35:12 hibinst kernel: Call Trace: Mar 8 15:35:12 hibinst kernel: tpm_read_log_efi+0x152/0x1a7 Mar 8 15:35:12 hibinst kernel: tpm_bios_log_setup+0xc8/0x1c0 Mar 8 15:35:12 hibinst kernel: tpm_chip_register+0x8f/0x260 Mar 8 15:35:12 hibinst kernel: vtpm_proxy_work+0x16/0x60 [tpm_vtpm_proxy] Mar 8 15:35:12 hibinst kernel: process_one_work+0x1b4/0x370 Mar 8 15:35:12 hibinst kernel: worker_thread+0x53/0x3e0 Mar 8 15:35:12 hibinst kernel: ? process_one_work+0x370/0x370 CVE-2021-46951 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: ACPI: GTDT: Don't corrupt interrupt mappings on watchdow probe failure When failing the driver probe because of invalid firmware properties, the GTDT driver unmaps the interrupt that it mapped earlier. However, it never checks whether the mapping of the interrupt actially succeeded. Even more, should the firmware report an illegal interrupt number that overlaps with the GIC SGI range, this can result in an IPI being unmapped, and subsequent fireworks (as reported by Dann Frazier). Rework the driver to have a slightly saner behaviour and actually check whether the interrupt has been mapped before unmapping things. CVE-2021-46953 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: openvswitch: fix stack OOB read while fragmenting IPv4 packets running openvswitch on kernels built with KASAN, it's possible to see the following splat while testing fragmentation of IPv4 packets: BUG: KASAN: stack-out-of-bounds in ip_do_fragment+0x1b03/0x1f60 Read of size 1 at addr ffff888112fc713c by task handler2/1367 CPU: 0 PID: 1367 Comm: handler2 Not tainted 5.12.0-rc6+ #418 Hardware name: Red Hat KVM, BIOS 1.11.1-4.module+el8.1.0+4066+0f1aadab 04/01/2014 Call Trace: dump_stack+0x92/0xc1 print_address_description.constprop.7+0x1a/0x150 kasan_report.cold.13+0x7f/0x111 ip_do_fragment+0x1b03/0x1f60 ovs_fragment+0x5bf/0x840 [openvswitch] do_execute_actions+0x1bd5/0x2400 [openvswitch] ovs_execute_actions+0xc8/0x3d0 [openvswitch] ovs_packet_cmd_execute+0xa39/0x1150 [openvswitch] genl_family_rcv_msg_doit.isra.15+0x227/0x2d0 genl_rcv_msg+0x287/0x490 netlink_rcv_skb+0x120/0x380 genl_rcv+0x24/0x40 netlink_unicast+0x439/0x630 netlink_sendmsg+0x719/0xbf0 sock_sendmsg+0xe2/0x110 ____sys_sendmsg+0x5ba/0x890 ___sys_sendmsg+0xe9/0x160 __sys_sendmsg+0xd3/0x170 do_syscall_64+0x33/0x40 entry_SYSCALL_64_after_hwframe+0x44/0xae RIP: 0033:0x7f957079db07 Code: c3 66 90 41 54 41 89 d4 55 48 89 f5 53 89 fb 48 83 ec 10 e8 eb ec ff ff 44 89 e2 48 89 ee 89 df 41 89 c0 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 35 44 89 c7 48 89 44 24 08 e8 24 ed ff ff 48 RSP: 002b:00007f956ce35a50 EFLAGS: 00000293 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 0000000000000019 RCX: 00007f957079db07 RDX: 0000000000000000 RSI: 00007f956ce35ae0 RDI: 0000000000000019 RBP: 00007f956ce35ae0 R08: 0000000000000000 R09: 00007f9558006730 R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000000 R13: 00007f956ce37308 R14: 00007f956ce35f80 R15: 00007f956ce35ae0 The buggy address belongs to the page: page:00000000af2a1d93 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x112fc7 flags: 0x17ffffc0000000() raw: 0017ffffc0000000 0000000000000000 dead000000000122 0000000000000000 raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000 page dumped because: kasan: bad access detected addr ffff888112fc713c is located in stack of task handler2/1367 at offset 180 in frame: ovs_fragment+0x0/0x840 [openvswitch] this frame has 2 objects: [32, 144) 'ovs_dst' [192, 424) 'ovs_rt' Memory state around the buggy address: ffff888112fc7000: f3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff888112fc7080: 00 f1 f1 f1 f1 00 00 00 00 00 00 00 00 00 00 00 >ffff888112fc7100: 00 00 00 f2 f2 f2 f2 f2 f2 00 00 00 00 00 00 00 ^ ffff888112fc7180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff888112fc7200: 00 00 00 00 00 00 f2 f2 f2 00 00 00 00 00 00 00 for IPv4 packets, ovs_fragment() uses a temporary struct dst_entry. Then, in the following call graph: ip_do_fragment() ip_skb_dst_mtu() ip_dst_mtu_maybe_forward() ip_mtu_locked() the pointer to struct dst_entry is used as pointer to struct rtable: this turns the access to struct members like rt_mtu_locked into an OOB read in the stack. Fix this changing the temporary variable used for IPv4 packets in ovs_fragment(), similarly to what is done for IPv6 few lines below. CVE-2021-46955 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 important In the Linux kernel, the following vulnerability has been resolved: virtiofs: fix memory leak in virtio_fs_probe() When accidentally passing twice the same tag to qemu, kmemleak ended up reporting a memory leak in virtiofs. Also, looking at the log I saw the following error (that's when I realised the duplicated tag): virtiofs: probe of virtio5 failed with error -17 Here's the kmemleak log for reference: unreferenced object 0xffff888103d47800 (size 1024): comm "systemd-udevd", pid 118, jiffies 4294893780 (age 18.340s) hex dump (first 32 bytes): 00 00 00 00 ad 4e ad de ff ff ff ff 00 00 00 00 .....N.......... ff ff ff ff ff ff ff ff 80 90 02 a0 ff ff ff ff ................ backtrace: [<000000000ebb87c1>] virtio_fs_probe+0x171/0x7ae [virtiofs] [<00000000f8aca419>] virtio_dev_probe+0x15f/0x210 [<000000004d6baf3c>] really_probe+0xea/0x430 [<00000000a6ceeac8>] device_driver_attach+0xa8/0xb0 [<00000000196f47a7>] __driver_attach+0x98/0x140 [<000000000b20601d>] bus_for_each_dev+0x7b/0xc0 [<00000000399c7b7f>] bus_add_driver+0x11b/0x1f0 [<0000000032b09ba7>] driver_register+0x8f/0xe0 [<00000000cdd55998>] 0xffffffffa002c013 [<000000000ea196a2>] do_one_initcall+0x64/0x2e0 [<0000000008f727ce>] do_init_module+0x5c/0x260 [<000000003cdedab6>] __do_sys_finit_module+0xb5/0x120 [<00000000ad2f48c6>] do_syscall_64+0x33/0x40 [<00000000809526b5>] entry_SYSCALL_64_after_hwframe+0x44/0xae CVE-2021-46956 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: btrfs: fix race between transaction aborts and fsyncs leading to use-after-free There is a race between a task aborting a transaction during a commit, a task doing an fsync and the transaction kthread, which leads to an use-after-free of the log root tree. When this happens, it results in a stack trace like the following: BTRFS info (device dm-0): forced readonly BTRFS warning (device dm-0): Skipping commit of aborted transaction. BTRFS: error (device dm-0) in cleanup_transaction:1958: errno=-5 IO failure BTRFS warning (device dm-0): lost page write due to IO error on /dev/mapper/error-test (-5) BTRFS warning (device dm-0): Skipping commit of aborted transaction. BTRFS warning (device dm-0): direct IO failed ino 261 rw 0,0 sector 0xa4e8 len 4096 err no 10 BTRFS error (device dm-0): error writing primary super block to device 1 BTRFS warning (device dm-0): direct IO failed ino 261 rw 0,0 sector 0x12e000 len 4096 err no 10 BTRFS warning (device dm-0): direct IO failed ino 261 rw 0,0 sector 0x12e008 len 4096 err no 10 BTRFS warning (device dm-0): direct IO failed ino 261 rw 0,0 sector 0x12e010 len 4096 err no 10 BTRFS: error (device dm-0) in write_all_supers:4110: errno=-5 IO failure (1 errors while writing supers) BTRFS: error (device dm-0) in btrfs_sync_log:3308: errno=-5 IO failure general protection fault, probably for non-canonical address 0x6b6b6b6b6b6b6b68: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC PTI CPU: 2 PID: 2458471 Comm: fsstress Not tainted 5.12.0-rc5-btrfs-next-84 #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014 RIP: 0010:__mutex_lock+0x139/0xa40 Code: c0 74 19 (...) RSP: 0018:ffff9f18830d7b00 EFLAGS: 00010202 RAX: 6b6b6b6b6b6b6b68 RBX: 0000000000000001 RCX: 0000000000000002 RDX: ffffffffb9c54d13 RSI: 0000000000000000 RDI: 0000000000000000 RBP: ffff9f18830d7bc0 R08: 0000000000000000 R09: 0000000000000000 R10: ffff9f18830d7be0 R11: 0000000000000001 R12: ffff8c6cd199c040 R13: ffff8c6c95821358 R14: 00000000fffffffb R15: ffff8c6cbcf01358 FS: 00007fa9140c2b80(0000) GS:ffff8c6fac600000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fa913d52000 CR3: 000000013d2b4003 CR4: 0000000000370ee0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: ? __btrfs_handle_fs_error+0xde/0x146 [btrfs] ? btrfs_sync_log+0x7c1/0xf20 [btrfs] ? btrfs_sync_log+0x7c1/0xf20 [btrfs] btrfs_sync_log+0x7c1/0xf20 [btrfs] btrfs_sync_file+0x40c/0x580 [btrfs] do_fsync+0x38/0x70 __x64_sys_fsync+0x10/0x20 do_syscall_64+0x33/0x80 entry_SYSCALL_64_after_hwframe+0x44/0xae RIP: 0033:0x7fa9142a55c3 Code: 8b 15 09 (...) RSP: 002b:00007fff26278d48 EFLAGS: 00000246 ORIG_RAX: 000000000000004a RAX: ffffffffffffffda RBX: 0000563c83cb4560 RCX: 00007fa9142a55c3 RDX: 00007fff26278cb0 RSI: 00007fff26278cb0 RDI: 0000000000000005 RBP: 0000000000000005 R08: 0000000000000001 R09: 00007fff26278d5c R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000340 R13: 00007fff26278de0 R14: 00007fff26278d96 R15: 0000563c83ca57c0 Modules linked in: btrfs dm_zero dm_snapshot dm_thin_pool (...) ---[ end trace ee2f1b19327d791d ]--- The steps that lead to this crash are the following: 1) We are at transaction N; 2) We have two tasks with a transaction handle attached to transaction N. Task A and Task B. Task B is doing an fsync; 3) Task B is at btrfs_sync_log(), and has saved fs_info->log_root_tree into a local variable named 'log_root_tree' at the top of btrfs_sync_log(). Task B is about to call write_all_supers(), but before that... 4) Task A calls btrfs_commit_transaction(), and after it sets the transaction state to TRANS_STATE_COMMIT_START, an error happens before it w ---truncated--- CVE-2021-46958 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: spi: Fix use-after-free with devm_spi_alloc_* We can't rely on the contents of the devres list during spi_unregister_controller(), as the list is already torn down at the time we perform devres_find() for devm_spi_release_controller. This causes devices registered with devm_spi_alloc_{master,slave}() to be mistakenly identified as legacy, non-devm managed devices and have their reference counters decremented below 0. ------------[ cut here ]------------ WARNING: CPU: 1 PID: 660 at lib/refcount.c:28 refcount_warn_saturate+0x108/0x174 [<b0396f04>] (refcount_warn_saturate) from [<b03c56a4>] (kobject_put+0x90/0x98) [<b03c5614>] (kobject_put) from [<b0447b4c>] (put_device+0x20/0x24) r4:b6700140 [<b0447b2c>] (put_device) from [<b07515e8>] (devm_spi_release_controller+0x3c/0x40) [<b07515ac>] (devm_spi_release_controller) from [<b045343c>] (release_nodes+0x84/0xc4) r5:b6700180 r4:b6700100 [<b04533b8>] (release_nodes) from [<b0454160>] (devres_release_all+0x5c/0x60) r8:b1638c54 r7:b117ad94 r6:b1638c10 r5:b117ad94 r4:b163dc10 [<b0454104>] (devres_release_all) from [<b044e41c>] (__device_release_driver+0x144/0x1ec) r5:b117ad94 r4:b163dc10 [<b044e2d8>] (__device_release_driver) from [<b044f70c>] (device_driver_detach+0x84/0xa0) r9:00000000 r8:00000000 r7:b117ad94 r6:b163dc54 r5:b1638c10 r4:b163dc10 [<b044f688>] (device_driver_detach) from [<b044d274>] (unbind_store+0xe4/0xf8) Instead, determine the devm allocation state as a flag on the controller which is guaranteed to be stable during cleanup. CVE-2021-46959 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: cifs: Return correct error code from smb2_get_enc_key Avoid a warning if the error percolates back up: [440700.376476] CIFS VFS: \\otters.example.com crypt_message: Could not get encryption key [440700.386947] ------------[ cut here ]------------ [440700.386948] err = 1 [440700.386977] WARNING: CPU: 11 PID: 2733 at /build/linux-hwe-5.4-p6lk6L/linux-hwe-5.4-5.4.0/lib/errseq.c:74 errseq_set+0x5c/0x70 ... [440700.397304] CPU: 11 PID: 2733 Comm: tar Tainted: G OE 5.4.0-70-generic #78~18.04.1-Ubuntu ... [440700.397334] Call Trace: [440700.397346] __filemap_set_wb_err+0x1a/0x70 [440700.397419] cifs_writepages+0x9c7/0xb30 [cifs] [440700.397426] do_writepages+0x4b/0xe0 [440700.397444] __filemap_fdatawrite_range+0xcb/0x100 [440700.397455] filemap_write_and_wait+0x42/0xa0 [440700.397486] cifs_setattr+0x68b/0xf30 [cifs] [440700.397493] notify_change+0x358/0x4a0 [440700.397500] utimes_common+0xe9/0x1c0 [440700.397510] do_utimes+0xc5/0x150 [440700.397520] __x64_sys_utimensat+0x88/0xd0 CVE-2021-46960 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 low In the Linux kernel, the following vulnerability has been resolved: irqchip/gic-v3: Do not enable irqs when handling spurious interrups We triggered the following error while running our 4.19 kernel with the pseudo-NMI patches backported to it: [ 14.816231] ------------[ cut here ]------------ [ 14.816231] kernel BUG at irq.c:99! [ 14.816232] Internal error: Oops - BUG: 0 [#1] SMP [ 14.816232] Process swapper/0 (pid: 0, stack limit = 0x(____ptrval____)) [ 14.816233] CPU: 0 PID: 0 Comm: swapper/0 Tainted: G O 4.19.95.aarch64 #14 [ 14.816233] Hardware name: evb (DT) [ 14.816234] pstate: 80400085 (Nzcv daIf +PAN -UAO) [ 14.816234] pc : asm_nmi_enter+0x94/0x98 [ 14.816235] lr : asm_nmi_enter+0x18/0x98 [ 14.816235] sp : ffff000008003c50 [ 14.816235] pmr_save: 00000070 [ 14.816237] x29: ffff000008003c50 x28: ffff0000095f56c0 [ 14.816238] x27: 0000000000000000 x26: ffff000008004000 [ 14.816239] x25: 00000000015e0000 x24: ffff8008fb916000 [ 14.816240] x23: 0000000020400005 x22: ffff0000080817cc [ 14.816241] x21: ffff000008003da0 x20: 0000000000000060 [ 14.816242] x19: 00000000000003ff x18: ffffffffffffffff [ 14.816243] x17: 0000000000000008 x16: 003d090000000000 [ 14.816244] x15: ffff0000095ea6c8 x14: ffff8008fff5ab40 [ 14.816244] x13: ffff8008fff58b9d x12: 0000000000000000 [ 14.816245] x11: ffff000008c8a200 x10: 000000008e31fca5 [ 14.816246] x9 : ffff000008c8a208 x8 : 000000000000000f [ 14.816247] x7 : 0000000000000004 x6 : ffff8008fff58b9e [ 14.816248] x5 : 0000000000000000 x4 : 0000000080000000 [ 14.816249] x3 : 0000000000000000 x2 : 0000000080000000 [ 14.816250] x1 : 0000000000120000 x0 : ffff0000095f56c0 [ 14.816251] Call trace: [ 14.816251] asm_nmi_enter+0x94/0x98 [ 14.816251] el1_irq+0x8c/0x180 (IRQ C) [ 14.816252] gic_handle_irq+0xbc/0x2e4 [ 14.816252] el1_irq+0xcc/0x180 (IRQ B) [ 14.816253] arch_timer_handler_virt+0x38/0x58 [ 14.816253] handle_percpu_devid_irq+0x90/0x240 [ 14.816253] generic_handle_irq+0x34/0x50 [ 14.816254] __handle_domain_irq+0x68/0xc0 [ 14.816254] gic_handle_irq+0xf8/0x2e4 [ 14.816255] el1_irq+0xcc/0x180 (IRQ A) [ 14.816255] arch_cpu_idle+0x34/0x1c8 [ 14.816255] default_idle_call+0x24/0x44 [ 14.816256] do_idle+0x1d0/0x2c8 [ 14.816256] cpu_startup_entry+0x28/0x30 [ 14.816256] rest_init+0xb8/0xc8 [ 14.816257] start_kernel+0x4c8/0x4f4 [ 14.816257] Code: 940587f1 d5384100 b9401001 36a7fd01 (d4210000) [ 14.816258] Modules linked in: start_dp(O) smeth(O) [ 15.103092] ---[ end trace 701753956cb14aa8 ]--- [ 15.103093] Kernel panic - not syncing: Fatal exception in interrupt [ 15.103099] SMP: stopping secondary CPUs [ 15.103100] Kernel Offset: disabled [ 15.103100] CPU features: 0x36,a2400218 [ 15.103100] Memory Limit: none which is cause by a 'BUG_ON(in_nmi())' in nmi_enter(). From the call trace, we can find three interrupts (noted A, B, C above): interrupt (A) is preempted by (B), which is further interrupted by (C). Subsequent investigations show that (B) results in nmi_enter() being called, but that it actually is a spurious interrupt. Furthermore, interrupts are reenabled in the context of (B), and (C) fires with NMI priority. We end-up with a nested NMI situation, something we definitely do not want to (and cannot) handle. The bug here is that spurious interrupts should never result in any state change, and we should just return to the interrupted context. Moving the handling of spurious interrupts as early as possible in the GICv3 handler fixes this issue. [maz: rewrote commit message, corrected Fixes: tag] CVE-2021-46961 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: mmc: uniphier-sd: Fix a resource leak in the remove function A 'tmio_mmc_host_free()' call is missing in the remove function, in order to balance a 'tmio_mmc_host_alloc()' call in the probe. This is done in the error handling path of the probe, but not in the remove function. Add the missing call. CVE-2021-46962 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: scsi: qla2xxx: Fix crash in qla2xxx_mqueuecommand() RIP: 0010:kmem_cache_free+0xfa/0x1b0 Call Trace: qla2xxx_mqueuecommand+0x2b5/0x2c0 [qla2xxx] scsi_queue_rq+0x5e2/0xa40 __blk_mq_try_issue_directly+0x128/0x1d0 blk_mq_request_issue_directly+0x4e/0xb0 Fix incorrect call to free srb in qla2xxx_mqueuecommand(), as srb is now allocated by upper layers. This fixes smatch warning of srb unintended free. CVE-2021-46963 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: scsi: qla2xxx: Reserve extra IRQ vectors Commit a6dcfe08487e ("scsi: qla2xxx: Limit interrupt vectors to number of CPUs") lowers the number of allocated MSI-X vectors to the number of CPUs. That breaks vector allocation assumptions in qla83xx_iospace_config(), qla24xx_enable_msix() and qla2x00_iospace_config(). Either of the functions computes maximum number of qpairs as: ha->max_qpairs = ha->msix_count - 1 (MB interrupt) - 1 (default response queue) - 1 (ATIO, in dual or pure target mode) max_qpairs is set to zero in case of two CPUs and initiator mode. The number is then used to allocate ha->queue_pair_map inside qla2x00_alloc_queues(). No allocation happens and ha->queue_pair_map is left NULL but the driver thinks there are queue pairs available. qla2xxx_queuecommand() tries to find a qpair in the map and crashes: if (ha->mqenable) { uint32_t tag; uint16_t hwq; struct qla_qpair *qpair = NULL; tag = blk_mq_unique_tag(cmd->request); hwq = blk_mq_unique_tag_to_hwq(tag); qpair = ha->queue_pair_map[hwq]; # <- HERE if (qpair) return qla2xxx_mqueuecommand(host, cmd, qpair); } BUG: kernel NULL pointer dereference, address: 0000000000000000 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 0 P4D 0 Oops: 0000 [#1] SMP PTI CPU: 0 PID: 72 Comm: kworker/u4:3 Tainted: G W 5.10.0-rc1+ #25 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.0.0-prebuilt.qemu-project.org 04/01/2014 Workqueue: scsi_wq_7 fc_scsi_scan_rport [scsi_transport_fc] RIP: 0010:qla2xxx_queuecommand+0x16b/0x3f0 [qla2xxx] Call Trace: scsi_queue_rq+0x58c/0xa60 blk_mq_dispatch_rq_list+0x2b7/0x6f0 ? __sbitmap_get_word+0x2a/0x80 __blk_mq_sched_dispatch_requests+0xb8/0x170 blk_mq_sched_dispatch_requests+0x2b/0x50 __blk_mq_run_hw_queue+0x49/0xb0 __blk_mq_delay_run_hw_queue+0xfb/0x150 blk_mq_sched_insert_request+0xbe/0x110 blk_execute_rq+0x45/0x70 __scsi_execute+0x10e/0x250 scsi_probe_and_add_lun+0x228/0xda0 __scsi_scan_target+0xf4/0x620 ? __pm_runtime_resume+0x4f/0x70 scsi_scan_target+0x100/0x110 fc_scsi_scan_rport+0xa1/0xb0 [scsi_transport_fc] process_one_work+0x1ea/0x3b0 worker_thread+0x28/0x3b0 ? process_one_work+0x3b0/0x3b0 kthread+0x112/0x130 ? kthread_park+0x80/0x80 ret_from_fork+0x22/0x30 The driver should allocate enough vectors to provide every CPU it's own HW queue and still handle reserved (MB, RSP, ATIO) interrupts. The change fixes the crash on dual core VM and prevents unbalanced QP allocation where nr_hw_queues is two less than the number of CPUs. CVE-2021-46964 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: ACPI: custom_method: fix potential use-after-free issue In cm_write(), buf is always freed when reaching the end of the function. If the requested count is less than table.length, the allocated buffer will be freed but subsequent calls to cm_write() will still try to access it. Remove the unconditional kfree(buf) at the end of the function and set the buf to NULL in the -EINVAL error path to match the rest of function. CVE-2021-46966 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: s390/zcrypt: fix zcard and zqueue hot-unplug memleak Tests with kvm and a kmemdebug kernel showed, that on hot unplug the zcard and zqueue structs for the unplugged card or queue are not properly freed because of a mismatch with get/put for the embedded kref counter. This fix now adjusts the handling of the kref counters. With init the kref counter starts with 1. This initial value needs to drop to zero with the unregister of the card or queue to trigger the release and free the object. CVE-2021-46968 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 low In the Linux kernel, the following vulnerability has been resolved: perf/core: Fix unconditional security_locked_down() call Currently, the lockdown state is queried unconditionally, even though its result is used only if the PERF_SAMPLE_REGS_INTR bit is set in attr.sample_type. While that doesn't matter in case of the Lockdown LSM, it causes trouble with the SELinux's lockdown hook implementation. SELinux implements the locked_down hook with a check whether the current task's type has the corresponding "lockdown" class permission ("integrity" or "confidentiality") allowed in the policy. This means that calling the hook when the access control decision would be ignored generates a bogus permission check and audit record. Fix this by checking sample_type first and only calling the hook when its result would be honored. CVE-2021-46971 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 low In the Linux kernel, the following vulnerability has been resolved: bpf: Fix masking negation logic upon negative dst register The negation logic for the case where the off_reg is sitting in the dst register is not correct given then we cannot just invert the add to a sub or vice versa. As a fix, perform the final bitwise and-op unconditionally into AX from the off_reg, then move the pointer from the src to dst and finally use AX as the source for the original pointer arithmetic operation such that the inversion yields a correct result. The single non-AX mov in between is possible given constant blinding is retaining it as it's not an immediate based operation. CVE-2021-46974 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/i915: Fix crash in auto_retire The retire logic uses the 2 lower bits of the pointer to the retire function to store flags. However, the auto_retire function is not guaranteed to be aligned to a multiple of 4, which causes crashes as we jump to the wrong address, for example like this: 2021-04-24T18:03:53.804300Z WARNING kernel: [ 516.876901] invalid opcode: 0000 [#1] PREEMPT SMP NOPTI 2021-04-24T18:03:53.804310Z WARNING kernel: [ 516.876906] CPU: 7 PID: 146 Comm: kworker/u16:6 Tainted: G U 5.4.105-13595-g3cd84167b2df #1 2021-04-24T18:03:53.804311Z WARNING kernel: [ 516.876907] Hardware name: Google Volteer2/Volteer2, BIOS Google_Volteer2.13672.76.0 02/22/2021 2021-04-24T18:03:53.804312Z WARNING kernel: [ 516.876911] Workqueue: events_unbound active_work 2021-04-24T18:03:53.804313Z WARNING kernel: [ 516.876914] RIP: 0010:auto_retire+0x1/0x20 2021-04-24T18:03:53.804314Z WARNING kernel: [ 516.876916] Code: e8 01 f2 ff ff eb 02 31 db 48 89 d8 5b 5d c3 0f 1f 44 00 00 55 48 89 e5 f0 ff 87 c8 00 00 00 0f 88 ab 47 4a 00 31 c0 5d c3 0f <1f> 44 00 00 55 48 89 e5 f0 ff 8f c8 00 00 00 0f 88 9a 47 4a 00 74 2021-04-24T18:03:53.804319Z WARNING kernel: [ 516.876918] RSP: 0018:ffff9b4d809fbe38 EFLAGS: 00010286 2021-04-24T18:03:53.804320Z WARNING kernel: [ 516.876919] RAX: 0000000000000007 RBX: ffff927915079600 RCX: 0000000000000007 2021-04-24T18:03:53.804320Z WARNING kernel: [ 516.876921] RDX: ffff9b4d809fbe40 RSI: 0000000000000286 RDI: ffff927915079600 2021-04-24T18:03:53.804321Z WARNING kernel: [ 516.876922] RBP: ffff9b4d809fbe68 R08: 8080808080808080 R09: fefefefefefefeff 2021-04-24T18:03:53.804321Z WARNING kernel: [ 516.876924] R10: 0000000000000010 R11: ffffffff92e44bd8 R12: ffff9279150796a0 2021-04-24T18:03:53.804322Z WARNING kernel: [ 516.876925] R13: ffff92791c368180 R14: ffff927915079640 R15: 000000001c867605 2021-04-24T18:03:53.804323Z WARNING kernel: [ 516.876926] FS: 0000000000000000(0000) GS:ffff92791ffc0000(0000) knlGS:0000000000000000 2021-04-24T18:03:53.804323Z WARNING kernel: [ 516.876928] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 2021-04-24T18:03:53.804324Z WARNING kernel: [ 516.876929] CR2: 0000239514955000 CR3: 00000007f82da001 CR4: 0000000000760ee0 2021-04-24T18:03:53.804325Z WARNING kernel: [ 516.876930] PKRU: 55555554 2021-04-24T18:03:53.804325Z WARNING kernel: [ 516.876931] Call Trace: 2021-04-24T18:03:53.804326Z WARNING kernel: [ 516.876935] __active_retire+0x77/0xcf 2021-04-24T18:03:53.804326Z WARNING kernel: [ 516.876939] process_one_work+0x1da/0x394 2021-04-24T18:03:53.804327Z WARNING kernel: [ 516.876941] worker_thread+0x216/0x375 2021-04-24T18:03:53.804327Z WARNING kernel: [ 516.876944] kthread+0x147/0x156 2021-04-24T18:03:53.804335Z WARNING kernel: [ 516.876946] ? pr_cont_work+0x58/0x58 2021-04-24T18:03:53.804335Z WARNING kernel: [ 516.876948] ? kthread_blkcg+0x2e/0x2e 2021-04-24T18:03:53.804336Z WARNING kernel: [ 516.876950] ret_from_fork+0x1f/0x40 2021-04-24T18:03:53.804336Z WARNING kernel: [ 516.876952] Modules linked in: cdc_mbim cdc_ncm cdc_wdm xt_cgroup rfcomm cmac algif_hash algif_skcipher af_alg xt_MASQUERADE uinput snd_soc_rt5682_sdw snd_soc_rt5682 snd_soc_max98373_sdw snd_soc_max98373 snd_soc_rl6231 regmap_sdw snd_soc_sof_sdw snd_soc_hdac_hdmi snd_soc_dmic snd_hda_codec_hdmi snd_sof_pci snd_sof_intel_hda_common intel_ipu6_psys snd_sof_xtensa_dsp soundwire_intel soundwire_generic_allocation soundwire_cadence snd_sof_intel_hda snd_sof snd_soc_hdac_hda snd_soc_acpi_intel_match snd_soc_acpi snd_hda_ext_core soundwire_bus snd_hda_intel snd_intel_dspcfg snd_hda_codec snd_hwdep snd_hda_core intel_ipu6_isys videobuf2_dma_contig videobuf2_v4l2 videobuf2_common videobuf2_memops mei_hdcp intel_ipu6 ov2740 ov8856 at24 sx9310 dw9768 v4l2_fwnode cros_ec_typec intel_pmc_mux roles acpi_als typec fuse iio_trig_sysfs cros_ec_light_prox cros_ec_lid_angle cros_ec_sensors cros ---truncated--- CVE-2021-46976 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: usb: typec: ucsi: Retrieve all the PDOs instead of just the first 4 commit 4dbc6a4ef06d ("usb: typec: ucsi: save power data objects in PD mode") introduced retrieval of the PDOs when connected to a PD-capable source. But only the first 4 PDOs are received since that is the maximum number that can be fetched at a time given the MESSAGE_IN length limitation (16 bytes). However, as per the PD spec a connected source may advertise up to a maximum of 7 PDOs. If such a source is connected it's possible the PPM could have negotiated a power contract with one of the PDOs at index greater than 4, and would be reflected in the request data object's (RDO) object position field. This would result in an out-of-bounds access when the rdo_index() is used to index into the src_pdos array in ucsi_psy_get_voltage_now(). With the help of the UBSAN -fsanitize=array-bounds checker enabled this exact issue is revealed when connecting to a PD source adapter that advertise 5 PDOs and the PPM enters a contract having selected the 5th one. [ 151.545106][ T70] Unexpected kernel BRK exception at EL1 [ 151.545112][ T70] Internal error: BRK handler: f2005512 [#1] PREEMPT SMP ... [ 151.545499][ T70] pc : ucsi_psy_get_prop+0x208/0x20c [ 151.545507][ T70] lr : power_supply_show_property+0xc0/0x328 ... [ 151.545542][ T70] Call trace: [ 151.545544][ T70] ucsi_psy_get_prop+0x208/0x20c [ 151.545546][ T70] power_supply_uevent+0x1a4/0x2f0 [ 151.545550][ T70] dev_uevent+0x200/0x384 [ 151.545555][ T70] kobject_uevent_env+0x1d4/0x7e8 [ 151.545557][ T70] power_supply_changed_work+0x174/0x31c [ 151.545562][ T70] process_one_work+0x244/0x6f0 [ 151.545564][ T70] worker_thread+0x3e0/0xa64 We can resolve this by instead retrieving and storing up to the maximum of 7 PDOs in the con->src_pdos array. This would involve two calls to the GET_PDOS command. CVE-2021-46980 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: nbd: Fix NULL pointer in flush_workqueue Open /dev/nbdX first, the config_refs will be 1 and the pointers in nbd_device are still null. Disconnect /dev/nbdX, then reference a null recv_workq. The protection by config_refs in nbd_genl_disconnect is useless. [ 656.366194] BUG: kernel NULL pointer dereference, address: 0000000000000020 [ 656.368943] #PF: supervisor write access in kernel mode [ 656.369844] #PF: error_code(0x0002) - not-present page [ 656.370717] PGD 10cc87067 P4D 10cc87067 PUD 1074b4067 PMD 0 [ 656.371693] Oops: 0002 [#1] SMP [ 656.372242] CPU: 5 PID: 7977 Comm: nbd-client Not tainted 5.11.0-rc5-00040-g76c057c84d28 #1 [ 656.373661] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ?-20190727_073836-buildvm-ppc64le-16.ppc.fedoraproject.org-3.fc31 04/01/2014 [ 656.375904] RIP: 0010:mutex_lock+0x29/0x60 [ 656.376627] Code: 00 0f 1f 44 00 00 55 48 89 fd 48 83 05 6f d7 fe 08 01 e8 7a c3 ff ff 48 83 05 6a d7 fe 08 01 31 c0 65 48 8b 14 25 00 6d 01 00 <f0> 48 0f b1 55 d [ 656.378934] RSP: 0018:ffffc900005eb9b0 EFLAGS: 00010246 [ 656.379350] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000 [ 656.379915] RDX: ffff888104cf2600 RSI: ffffffffaae8f452 RDI: 0000000000000020 [ 656.380473] RBP: 0000000000000020 R08: 0000000000000000 R09: ffff88813bd6b318 [ 656.381039] R10: 00000000000000c7 R11: fefefefefefefeff R12: ffff888102710b40 [ 656.381599] R13: ffffc900005eb9e0 R14: ffffffffb2930680 R15: ffff88810770ef00 [ 656.382166] FS: 00007fdf117ebb40(0000) GS:ffff88813bd40000(0000) knlGS:0000000000000000 [ 656.382806] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 656.383261] CR2: 0000000000000020 CR3: 0000000100c84000 CR4: 00000000000006e0 [ 656.383819] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 656.384370] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 656.384927] Call Trace: [ 656.385111] flush_workqueue+0x92/0x6c0 [ 656.385395] nbd_disconnect_and_put+0x81/0xd0 [ 656.385716] nbd_genl_disconnect+0x125/0x2a0 [ 656.386034] genl_family_rcv_msg_doit.isra.0+0x102/0x1b0 [ 656.386422] genl_rcv_msg+0xfc/0x2b0 [ 656.386685] ? nbd_ioctl+0x490/0x490 [ 656.386954] ? genl_family_rcv_msg_doit.isra.0+0x1b0/0x1b0 [ 656.387354] netlink_rcv_skb+0x62/0x180 [ 656.387638] genl_rcv+0x34/0x60 [ 656.387874] netlink_unicast+0x26d/0x590 [ 656.388162] netlink_sendmsg+0x398/0x6c0 [ 656.388451] ? netlink_rcv_skb+0x180/0x180 [ 656.388750] ____sys_sendmsg+0x1da/0x320 [ 656.389038] ? ____sys_recvmsg+0x130/0x220 [ 656.389334] ___sys_sendmsg+0x8e/0xf0 [ 656.389605] ? ___sys_recvmsg+0xa2/0xf0 [ 656.389889] ? handle_mm_fault+0x1671/0x21d0 [ 656.390201] __sys_sendmsg+0x6d/0xe0 [ 656.390464] __x64_sys_sendmsg+0x23/0x30 [ 656.390751] do_syscall_64+0x45/0x70 [ 656.391017] entry_SYSCALL_64_after_hwframe+0x44/0xa9 To fix it, just add if (nbd->recv_workq) to nbd_disconnect_and_put(). CVE-2021-46981 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: nvmet-rdma: Fix NULL deref when SEND is completed with error When running some traffic and taking down the link on peer, a retry counter exceeded error is received. This leads to nvmet_rdma_error_comp which tried accessing the cq_context to obtain the queue. The cq_context is no longer valid after the fix to use shared CQ mechanism and should be obtained similar to how it is obtained in other functions from the wc->qp. [ 905.786331] nvmet_rdma: SEND for CQE 0x00000000e3337f90 failed with status transport retry counter exceeded (12). [ 905.832048] BUG: unable to handle kernel NULL pointer dereference at 0000000000000048 [ 905.839919] PGD 0 P4D 0 [ 905.842464] Oops: 0000 1 SMP NOPTI [ 905.846144] CPU: 13 PID: 1557 Comm: kworker/13:1H Kdump: loaded Tainted: G OE --------- - - 4.18.0-304.el8.x86_64 #1 [ 905.872135] RIP: 0010:nvmet_rdma_error_comp+0x5/0x1b [nvmet_rdma] [ 905.878259] Code: 19 4f c0 e8 89 b3 a5 f6 e9 5b e0 ff ff 0f b7 75 14 4c 89 ea 48 c7 c7 08 1a 4f c0 e8 71 b3 a5 f6 e9 4b e0 ff ff 0f 1f 44 00 00 <48> 8b 47 48 48 85 c0 74 08 48 89 c7 e9 98 bf 49 00 e9 c3 e3 ff ff [ 905.897135] RSP: 0018:ffffab601c45fe28 EFLAGS: 00010246 [ 905.902387] RAX: 0000000000000065 RBX: ffff9e729ea2f800 RCX: 0000000000000000 [ 905.909558] RDX: 0000000000000000 RSI: ffff9e72df9567c8 RDI: 0000000000000000 [ 905.916731] RBP: ffff9e729ea2b400 R08: 000000000000074d R09: 0000000000000074 [ 905.923903] R10: 0000000000000000 R11: ffffab601c45fcc0 R12: 0000000000000010 [ 905.931074] R13: 0000000000000000 R14: 0000000000000010 R15: ffff9e729ea2f400 [ 905.938247] FS: 0000000000000000(0000) GS:ffff9e72df940000(0000) knlGS:0000000000000000 [ 905.938249] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 905.950067] nvmet_rdma: SEND for CQE 0x00000000c7356cca failed with status transport retry counter exceeded (12). [ 905.961855] CR2: 0000000000000048 CR3: 000000678d010004 CR4: 00000000007706e0 [ 905.961855] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 905.961856] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 905.961857] PKRU: 55555554 [ 906.010315] Call Trace: [ 906.012778] __ib_process_cq+0x89/0x170 [ib_core] [ 906.017509] ib_cq_poll_work+0x26/0x80 [ib_core] [ 906.022152] process_one_work+0x1a7/0x360 [ 906.026182] ? create_worker+0x1a0/0x1a0 [ 906.030123] worker_thread+0x30/0x390 [ 906.033802] ? create_worker+0x1a0/0x1a0 [ 906.037744] kthread+0x116/0x130 [ 906.040988] ? kthread_flush_work_fn+0x10/0x10 [ 906.045456] ret_from_fork+0x1f/0x40 CVE-2021-46983 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: kyber: fix out of bounds access when preempted __blk_mq_sched_bio_merge() gets the ctx and hctx for the current CPU and passes the hctx to ->bio_merge(). kyber_bio_merge() then gets the ctx for the current CPU again and uses that to get the corresponding Kyber context in the passed hctx. However, the thread may be preempted between the two calls to blk_mq_get_ctx(), and the ctx returned the second time may no longer correspond to the passed hctx. This "works" accidentally most of the time, but it can cause us to read garbage if the second ctx came from an hctx with more ctx's than the first one (i.e., if ctx->index_hw[hctx->type] > hctx->nr_ctx). This manifested as this UBSAN array index out of bounds error reported by Jakub: UBSAN: array-index-out-of-bounds in ../kernel/locking/qspinlock.c:130:9 index 13106 is out of range for type 'long unsigned int [128]' Call Trace: dump_stack+0xa4/0xe5 ubsan_epilogue+0x5/0x40 __ubsan_handle_out_of_bounds.cold.13+0x2a/0x34 queued_spin_lock_slowpath+0x476/0x480 do_raw_spin_lock+0x1c2/0x1d0 kyber_bio_merge+0x112/0x180 blk_mq_submit_bio+0x1f5/0x1100 submit_bio_noacct+0x7b0/0x870 submit_bio+0xc2/0x3a0 btrfs_map_bio+0x4f0/0x9d0 btrfs_submit_data_bio+0x24e/0x310 submit_one_bio+0x7f/0xb0 submit_extent_page+0xc4/0x440 __extent_writepage_io+0x2b8/0x5e0 __extent_writepage+0x28d/0x6e0 extent_write_cache_pages+0x4d7/0x7a0 extent_writepages+0xa2/0x110 do_writepages+0x8f/0x180 __writeback_single_inode+0x99/0x7f0 writeback_sb_inodes+0x34e/0x790 __writeback_inodes_wb+0x9e/0x120 wb_writeback+0x4d2/0x660 wb_workfn+0x64d/0xa10 process_one_work+0x53a/0xa80 worker_thread+0x69/0x5b0 kthread+0x20b/0x240 ret_from_fork+0x1f/0x30 Only Kyber uses the hctx, so fix it by passing the request_queue to ->bio_merge() instead. BFQ and mq-deadline just use that, and Kyber can map the queues itself to avoid the mismatch. CVE-2021-46984 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: userfaultfd: release page in error path to avoid BUG_ON Consider the following sequence of events: 1. Userspace issues a UFFD ioctl, which ends up calling into shmem_mfill_atomic_pte(). We successfully account the blocks, we shmem_alloc_page(), but then the copy_from_user() fails. We return -ENOENT. We don't release the page we allocated. 2. Our caller detects this error code, tries the copy_from_user() after dropping the mmap_lock, and retries, calling back into shmem_mfill_atomic_pte(). 3. Meanwhile, let's say another process filled up the tmpfs being used. 4. So shmem_mfill_atomic_pte() fails to account blocks this time, and immediately returns - without releasing the page. This triggers a BUG_ON in our caller, which asserts that the page should always be consumed, unless -ENOENT is returned. To fix this, detect if we have such a "dangling" page when accounting fails, and if so, release it before returning. CVE-2021-46988 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: hfsplus: prevent corruption in shrinking truncate I believe there are some issues introduced by commit 31651c607151 ("hfsplus: avoid deadlock on file truncation") HFS+ has extent records which always contains 8 extents. In case the first extent record in catalog file gets full, new ones are allocated from extents overflow file. In case shrinking truncate happens to middle of an extent record which locates in extents overflow file, the logic in hfsplus_file_truncate() was changed so that call to hfs_brec_remove() is not guarded any more. Right action would be just freeing the extents that exceed the new size inside extent record by calling hfsplus_free_extents(), and then check if the whole extent record should be removed. However since the guard (blk_cnt > start) is now after the call to hfs_brec_remove(), this has unfortunate effect that the last matching extent record is removed unconditionally. To reproduce this issue, create a file which has at least 10 extents, and then perform shrinking truncate into middle of the last extent record, so that the number of remaining extents is not under or divisible by 8. This causes the last extent record (8 extents) to be removed totally instead of truncating into middle of it. Thus this causes corruption, and lost data. Fix for this is simply checking if the new truncated end is below the start of this extent record, making it safe to remove the full extent record. However call to hfs_brec_remove() can't be moved to it's previous place since we're dropping ->tree_lock and it can cause a race condition and the cached info being invalidated possibly corrupting the node data. Another issue is related to this one. When entering into the block (blk_cnt > start) we are not holding the ->tree_lock. We break out from the loop not holding the lock, but hfs_find_exit() does unlock it. Not sure if it's possible for someone else to take the lock under our feet, but it can cause hard to debug errors and premature unlocking. Even if there's no real risk of it, the locking should still always be kept in balance. Thus taking the lock now just before the check. CVE-2021-46989 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: powerpc/64s: Fix crashes when toggling entry flush barrier The entry flush mitigation can be enabled/disabled at runtime via a debugfs file (entry_flush), which causes the kernel to patch itself to enable/disable the relevant mitigations. However depending on which mitigation we're using, it may not be safe to do that patching while other CPUs are active. For example the following crash: sleeper[15639]: segfault (11) at c000000000004c20 nip c000000000004c20 lr c000000000004c20 Shows that we returned to userspace with a corrupted LR that points into the kernel, due to executing the partially patched call to the fallback entry flush (ie. we missed the LR restore). Fix it by doing the patching under stop machine. The CPUs that aren't doing the patching will be spinning in the core of the stop machine logic. That is currently sufficient for our purposes, because none of the patching we do is to that code or anywhere in the vicinity. CVE-2021-46990 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: i40e: Fix use-after-free in i40e_client_subtask() Currently the call to i40e_client_del_instance frees the object pf->cinst, however pf->cinst->lan_info is being accessed after the free. Fix this by adding the missing return. Addresses-Coverity: ("Read from pointer after free") CVE-2021-46991 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: ethernet:enic: Fix a use after free bug in enic_hard_start_xmit In enic_hard_start_xmit, it calls enic_queue_wq_skb(). Inside enic_queue_wq_skb, if some error happens, the skb will be freed by dev_kfree_skb(skb). But the freed skb is still used in skb_tx_timestamp(skb). My patch makes enic_queue_wq_skb() return error and goto spin_unlock() incase of error. The solution is provided by Govind. See https://lkml.org/lkml/2021/4/30/961. CVE-2021-46998 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: ceph: fix inode leak on getattr error in __fh_to_dentry CVE-2021-47000 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 low In the Linux kernel, the following vulnerability has been resolved: xprtrdma: Fix cwnd update ordering After a reconnect, the reply handler is opening the cwnd (and thus enabling more RPC Calls to be sent) /before/ rpcrdma_post_recvs() can post enough Receive WRs to receive their replies. This causes an RNR and the new connection is lost immediately. The race is most clearly exposed when KASAN and disconnect injection are enabled. This slows down rpcrdma_rep_create() enough to allow the send side to post a bunch of RPC Calls before the Receive completion handler can invoke ib_post_recv(). CVE-2021-47001 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: dmaengine: idxd: Fix potential null dereference on pointer status There are calls to idxd_cmd_exec that pass a null status pointer however a recent commit has added an assignment to *status that can end up with a null pointer dereference. The function expects a null status pointer sometimes as there is a later assignment to *status where status is first null checked. Fix the issue by null checking status before making the assignment. Addresses-Coverity: ("Explicit null dereferenced") CVE-2021-47003 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: PCI: endpoint: Fix NULL pointer dereference for ->get_features() get_features ops of pci_epc_ops may return NULL, causing NULL pointer dereference in pci_epf_test_alloc_space function. Let us add a check for pci_epc_feature pointer in pci_epf_test_bind before we access it to avoid any such NULL pointer dereference and return -ENOTSUPP in case pci_epc_feature is not found. When the patch is not applied and EPC features is not implemented in the platform driver, we see the following dump due to kernel NULL pointer dereference. Call trace: pci_epf_test_bind+0xf4/0x388 pci_epf_bind+0x3c/0x80 pci_epc_epf_link+0xa8/0xcc configfs_symlink+0x1a4/0x48c vfs_symlink+0x104/0x184 do_symlinkat+0x80/0xd4 __arm64_sys_symlinkat+0x1c/0x24 el0_svc_common.constprop.3+0xb8/0x170 el0_svc_handler+0x70/0x88 el0_svc+0x8/0x640 Code: d2800581 b9403ab9 f9404ebb 8b394f60 (f9400400) ---[ end trace a438e3c5a24f9df0 ]--- CVE-2021-47005 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: ARM: 9064/1: hw_breakpoint: Do not directly check the event's overflow_handler hook The commit 1879445dfa7b ("perf/core: Set event's default ::overflow_handler()") set a default event->overflow_handler in perf_event_alloc(), and replace the check event->overflow_handler with is_default_overflow_handler(), but one is missing. Currently, the bp->overflow_handler can not be NULL. As a result, enable_single_step() is always not invoked. Comments from Zhen Lei: https://patchwork.kernel.org/project/linux-arm-kernel/patch/20210207105934.2001-1-thunder.leizhen@huawei.com/ CVE-2021-47006 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: KEYS: trusted: Fix memory leak on object td Two error return paths are neglecting to free allocated object td, causing a memory leak. Fix this by returning via the error return path that securely kfree's td. Fixes clang scan-build warning: security/keys/trusted-keys/trusted_tpm1.c:496:10: warning: Potential memory leak [unix.Malloc] CVE-2021-47009 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: RDMA/siw: Fix a use after free in siw_alloc_mr Our code analyzer reported a UAF. In siw_alloc_mr(), it calls siw_mr_add_mem(mr,..). In the implementation of siw_mr_add_mem(), mem is assigned to mr->mem and then mem is freed via kfree(mem) if xa_alloc_cyclic() failed. Here, mr->mem still point to a freed object. After, the execution continue up to the err_out branch of siw_alloc_mr, and the freed mr->mem is used in siw_mr_drop_mem(mr). My patch moves "mr->mem = mem" behind the if (xa_alloc_cyclic(..)<0) {} section, to avoid the uaf. CVE-2021-47012 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: net:emac/emac-mac: Fix a use after free in emac_mac_tx_buf_send In emac_mac_tx_buf_send, it calls emac_tx_fill_tpd(..,skb,..). If some error happens in emac_tx_fill_tpd(), the skb will be freed via dev_kfree_skb(skb) in error branch of emac_tx_fill_tpd(). But the freed skb is still used via skb->len by netdev_sent_queue(,skb->len). As i observed that emac_tx_fill_tpd() haven't modified the value of skb->len, thus my patch assigns skb->len to 'len' before the possible free and use 'len' instead of skb->len later. CVE-2021-47013 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: net/sched: act_ct: fix wild memory access when clearing fragments while testing re-assembly/re-fragmentation using act_ct, it's possible to observe a crash like the following one: KASAN: maybe wild-memory-access in range [0x0001000000000448-0x000100000000044f] CPU: 50 PID: 0 Comm: swapper/50 Tainted: G S 5.12.0-rc7+ #424 Hardware name: Dell Inc. PowerEdge R730/072T6D, BIOS 2.4.3 01/17/2017 RIP: 0010:inet_frag_rbtree_purge+0x50/0xc0 Code: 00 fc ff df 48 89 c3 31 ed 48 89 df e8 a9 7a 38 ff 4c 89 fe 48 89 df 49 89 c6 e8 5b 3a 38 ff 48 8d 7b 40 48 89 f8 48 c1 e8 03 <42> 80 3c 20 00 75 59 48 8d bb d0 00 00 00 4c 8b 6b 40 48 89 f8 48 RSP: 0018:ffff888c31449db8 EFLAGS: 00010203 RAX: 0000200000000089 RBX: 000100000000040e RCX: ffffffff989eb960 RDX: 0000000000000140 RSI: ffffffff97cfb977 RDI: 000100000000044e RBP: 0000000000000900 R08: 0000000000000000 R09: ffffed1186289350 R10: 0000000000000003 R11: ffffed1186289350 R12: dffffc0000000000 R13: 000100000000040e R14: 0000000000000000 R15: ffff888155e02160 FS: 0000000000000000(0000) GS:ffff888c31440000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00005600cb70a5b8 CR3: 0000000a2c014005 CR4: 00000000003706e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <IRQ> inet_frag_destroy+0xa9/0x150 call_timer_fn+0x2d/0x180 run_timer_softirq+0x4fe/0xe70 __do_softirq+0x197/0x5a0 irq_exit_rcu+0x1de/0x200 sysvec_apic_timer_interrupt+0x6b/0x80 </IRQ> when act_ct temporarily stores an IP fragment, restoring the skb qdisc cb results in putting random data in FRAG_CB(), and this causes those "wild" memory accesses later, when the rbtree is purged. Never overwrite the skb cb in case tcf_ct_handle_fragments() returns -EINPROGRESS. CVE-2021-47014 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: bnxt_en: Fix RX consumer index logic in the error path. In bnxt_rx_pkt(), the RX buffers are expected to complete in order. If the RX consumer index indicates an out of order buffer completion, it means we are hitting a hardware bug and the driver will abort all remaining RX packets and reset the RX ring. The RX consumer index that we pass to bnxt_discard_rx() is not correct. We should be passing the current index (tmp_raw_cons) instead of the old index (raw_cons). This bug can cause us to be at the wrong index when trying to abort the next RX packet. It can crash like this: #0 [ffff9bbcdf5c39a8] machine_kexec at ffffffff9b05e007 #1 [ffff9bbcdf5c3a00] __crash_kexec at ffffffff9b111232 #2 [ffff9bbcdf5c3ad0] panic at ffffffff9b07d61e #3 [ffff9bbcdf5c3b50] oops_end at ffffffff9b030978 #4 [ffff9bbcdf5c3b78] no_context at ffffffff9b06aaf0 #5 [ffff9bbcdf5c3bd8] __bad_area_nosemaphore at ffffffff9b06ae2e #6 [ffff9bbcdf5c3c28] bad_area_nosemaphore at ffffffff9b06af24 #7 [ffff9bbcdf5c3c38] __do_page_fault at ffffffff9b06b67e #8 [ffff9bbcdf5c3cb0] do_page_fault at ffffffff9b06bb12 #9 [ffff9bbcdf5c3ce0] page_fault at ffffffff9bc015c5 [exception RIP: bnxt_rx_pkt+237] RIP: ffffffffc0259cdd RSP: ffff9bbcdf5c3d98 RFLAGS: 00010213 RAX: 000000005dd8097f RBX: ffff9ba4cb11b7e0 RCX: ffffa923cf6e9000 RDX: 0000000000000fff RSI: 0000000000000627 RDI: 0000000000001000 RBP: ffff9bbcdf5c3e60 R8: 0000000000420003 R9: 000000000000020d R10: ffffa923cf6ec138 R11: ffff9bbcdf5c3e83 R12: ffff9ba4d6f928c0 R13: ffff9ba4cac28080 R14: ffff9ba4cb11b7f0 R15: ffff9ba4d5a30000 ORIG_RAX: ffffffffffffffff CS: 0010 SS: 0018 CVE-2021-47015 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: ath10k: Fix a use after free in ath10k_htc_send_bundle In ath10k_htc_send_bundle, the bundle_skb could be freed by dev_kfree_skb_any(bundle_skb). But the bundle_skb is used later by bundle_skb->len. As skb_len = bundle_skb->len, my patch replaces bundle_skb->len to skb_len after the bundle_skb was freed. CVE-2021-47017 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: soundwire: stream: fix memory leak in stream config error path When stream config is failed, master runtime will release all slave runtime in the slave_rt_list, but slave runtime is not added to the list at this time. This patch frees slave runtime in the config error path to fix the memory leak. CVE-2021-47020 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 low In the Linux kernel, the following vulnerability has been resolved: RDMA/rtrs-clt: destroy sysfs after removing session from active list A session can be removed dynamically by sysfs interface "remove_path" that eventually calls rtrs_clt_remove_path_from_sysfs function. The current rtrs_clt_remove_path_from_sysfs first removes the sysfs interfaces and frees sess->stats object. Second it removes the session from the active list. Therefore some functions could access non-connected session and access the freed sess->stats object even-if they check the session status before accessing the session. For instance rtrs_clt_request and get_next_path_min_inflight check the session status and try to send IO to the session. The session status could be changed when they are trying to send IO but they could not catch the change and update the statistics information in sess->stats object, and generate use-after-free problem. (see: "RDMA/rtrs-clt: Check state of the rtrs_clt_sess before reading its stats") This patch changes the rtrs_clt_remove_path_from_sysfs to remove the session from the active session list and then destroy the sysfs interfaces. Each function still should check the session status because closing or error recovery paths can change the status. CVE-2021-47026 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: powerpc/64s: Fix pte update for kernel memory on radix When adding a PTE a ptesync is needed to order the update of the PTE with subsequent accesses otherwise a spurious fault may be raised. radix__set_pte_at() does not do this for performance gains. For non-kernel memory this is not an issue as any faults of this kind are corrected by the page fault handler. For kernel memory these faults are not handled. The current solution is that there is a ptesync in flush_cache_vmap() which should be called when mapping from the vmalloc region. However, map_kernel_page() does not call flush_cache_vmap(). This is troublesome in particular for code patching with Strict RWX on radix. In do_patch_instruction() the page frame that contains the instruction to be patched is mapped and then immediately patched. With no ordering or synchronization between setting up the PTE and writing to the page it is possible for faults. As the code patching is done using __put_user_asm_goto() the resulting fault is obscured - but using a normal store instead it can be seen: BUG: Unable to handle kernel data access on write at 0xc008000008f24a3c Faulting instruction address: 0xc00000000008bd74 Oops: Kernel access of bad area, sig: 11 [#1] LE PAGE_SIZE=64K MMU=Radix SMP NR_CPUS=2048 NUMA PowerNV Modules linked in: nop_module(PO+) [last unloaded: nop_module] CPU: 4 PID: 757 Comm: sh Tainted: P O 5.10.0-rc5-01361-ge3c1b78c8440-dirty #43 NIP: c00000000008bd74 LR: c00000000008bd50 CTR: c000000000025810 REGS: c000000016f634a0 TRAP: 0300 Tainted: P O (5.10.0-rc5-01361-ge3c1b78c8440-dirty) MSR: 9000000000009033 <SF,HV,EE,ME,IR,DR,RI,LE> CR: 44002884 XER: 00000000 CFAR: c00000000007c68c DAR: c008000008f24a3c DSISR: 42000000 IRQMASK: 1 This results in the kind of issue reported here: https://lore.kernel.org/linuxppc-dev/15AC5B0E-A221-4B8C-9039-FA96B8EF7C88@lca.pw/ Chris Riedl suggested a reliable way to reproduce the issue: $ mount -t debugfs none /sys/kernel/debug $ (while true; do echo function > /sys/kernel/debug/tracing/current_tracer ; echo nop > /sys/kernel/debug/tracing/current_tracer ; done) & Turning ftrace on and off does a large amount of code patching which in usually less then 5min will crash giving a trace like: ftrace-powerpc: (____ptrval____): replaced (4b473b11) != old (60000000) ------------[ ftrace bug ]------------ ftrace failed to modify [<c000000000bf8e5c>] napi_busy_loop+0xc/0x390 actual: 11:3b:47:4b Setting ftrace call site to call ftrace function ftrace record flags: 80000001 (1) expected tramp: c00000000006c96c ------------[ cut here ]------------ WARNING: CPU: 4 PID: 809 at kernel/trace/ftrace.c:2065 ftrace_bug+0x28c/0x2e8 Modules linked in: nop_module(PO-) [last unloaded: nop_module] CPU: 4 PID: 809 Comm: sh Tainted: P O 5.10.0-rc5-01360-gf878ccaf250a #1 NIP: c00000000024f334 LR: c00000000024f330 CTR: c0000000001a5af0 REGS: c000000004c8b760 TRAP: 0700 Tainted: P O (5.10.0-rc5-01360-gf878ccaf250a) MSR: 900000000282b033 <SF,HV,VEC,VSX,EE,FP,ME,IR,DR,RI,LE> CR: 28008848 XER: 20040000 CFAR: c0000000001a9c98 IRQMASK: 0 GPR00: c00000000024f330 c000000004c8b9f0 c000000002770600 0000000000000022 GPR04: 00000000ffff7fff c000000004c8b6d0 0000000000000027 c0000007fe9bcdd8 GPR08: 0000000000000023 ffffffffffffffd8 0000000000000027 c000000002613118 GPR12: 0000000000008000 c0000007fffdca00 0000000000000000 0000000000000000 GPR16: 0000000023ec37c5 0000000000000000 0000000000000000 0000000000000008 GPR20: c000000004c8bc90 c0000000027a2d20 c000000004c8bcd0 c000000002612fe8 GPR24: 0000000000000038 0000000000000030 0000000000000028 0000000000000020 GPR28: c000000000ff1b68 c000000000bf8e5c c00000000312f700 c000000000fbb9b0 NIP ftrace_bug+0x28c/0x2e8 LR ftrace_bug+0x288/0x2e8 Call T ---truncated--- CVE-2021-47034 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: iommu/vt-d: Remove WO permissions on second-level paging entries When the first level page table is used for IOVA translation, it only supports Read-Only and Read-Write permissions. The Write-Only permission is not supported as the PRESENT bit (implying Read permission) should always set. When using second level, we still give separate permissions that allows WriteOnly which seems inconsistent and awkward. We want to have consistent behavior. After moving to 1st level, we don't want things to work sometimes, and break if we use 2nd level for the same mappings. Hence remove this configuration. CVE-2021-47035 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: Bluetooth: avoid deadlock between hci_dev->lock and socket lock Commit eab2404ba798 ("Bluetooth: Add BT_PHY socket option") added a dependency between socket lock and hci_dev->lock that could lead to deadlock. It turns out that hci_conn_get_phy() is not in any way relying on hdev being immutable during the runtime of this function, neither does it even look at any of the members of hdev, and as such there is no need to hold that lock. This fixes the lockdep splat below: ====================================================== WARNING: possible circular locking dependency detected 5.12.0-rc1-00026-g73d464503354 #10 Not tainted ------------------------------------------------------ bluetoothd/1118 is trying to acquire lock: ffff8f078383c078 (&hdev->lock){+.+.}-{3:3}, at: hci_conn_get_phy+0x1c/0x150 [bluetooth] but task is already holding lock: ffff8f07e831d920 (sk_lock-AF_BLUETOOTH-BTPROTO_L2CAP){+.+.}-{0:0}, at: l2cap_sock_getsockopt+0x8b/0x610 which lock already depends on the new lock. the existing dependency chain (in reverse order) is: -> #3 (sk_lock-AF_BLUETOOTH-BTPROTO_L2CAP){+.+.}-{0:0}: lock_sock_nested+0x72/0xa0 l2cap_sock_ready_cb+0x18/0x70 [bluetooth] l2cap_config_rsp+0x27a/0x520 [bluetooth] l2cap_sig_channel+0x658/0x1330 [bluetooth] l2cap_recv_frame+0x1ba/0x310 [bluetooth] hci_rx_work+0x1cc/0x640 [bluetooth] process_one_work+0x244/0x5f0 worker_thread+0x3c/0x380 kthread+0x13e/0x160 ret_from_fork+0x22/0x30 -> #2 (&chan->lock#2/1){+.+.}-{3:3}: __mutex_lock+0xa3/0xa10 l2cap_chan_connect+0x33a/0x940 [bluetooth] l2cap_sock_connect+0x141/0x2a0 [bluetooth] __sys_connect+0x9b/0xc0 __x64_sys_connect+0x16/0x20 do_syscall_64+0x33/0x80 entry_SYSCALL_64_after_hwframe+0x44/0xae -> #1 (&conn->chan_lock){+.+.}-{3:3}: __mutex_lock+0xa3/0xa10 l2cap_chan_connect+0x322/0x940 [bluetooth] l2cap_sock_connect+0x141/0x2a0 [bluetooth] __sys_connect+0x9b/0xc0 __x64_sys_connect+0x16/0x20 do_syscall_64+0x33/0x80 entry_SYSCALL_64_after_hwframe+0x44/0xae -> #0 (&hdev->lock){+.+.}-{3:3}: __lock_acquire+0x147a/0x1a50 lock_acquire+0x277/0x3d0 __mutex_lock+0xa3/0xa10 hci_conn_get_phy+0x1c/0x150 [bluetooth] l2cap_sock_getsockopt+0x5a9/0x610 [bluetooth] __sys_getsockopt+0xcc/0x200 __x64_sys_getsockopt+0x20/0x30 do_syscall_64+0x33/0x80 entry_SYSCALL_64_after_hwframe+0x44/0xae other info that might help us debug this: Chain exists of: &hdev->lock --> &chan->lock#2/1 --> sk_lock-AF_BLUETOOTH-BTPROTO_L2CAP Possible unsafe locking scenario: CPU0 CPU1 ---- ---- lock(sk_lock-AF_BLUETOOTH-BTPROTO_L2CAP); lock(&chan->lock#2/1); lock(sk_lock-AF_BLUETOOTH-BTPROTO_L2CAP); lock(&hdev->lock); *** DEADLOCK *** 1 lock held by bluetoothd/1118: #0: ffff8f07e831d920 (sk_lock-AF_BLUETOOTH-BTPROTO_L2CAP){+.+.}-{0:0}, at: l2cap_sock_getsockopt+0x8b/0x610 [bluetooth] stack backtrace: CPU: 3 PID: 1118 Comm: bluetoothd Not tainted 5.12.0-rc1-00026-g73d464503354 #10 Hardware name: LENOVO 20K5S22R00/20K5S22R00, BIOS R0IET38W (1.16 ) 05/31/2017 Call Trace: dump_stack+0x7f/0xa1 check_noncircular+0x105/0x120 ? __lock_acquire+0x147a/0x1a50 __lock_acquire+0x147a/0x1a50 lock_acquire+0x277/0x3d0 ? hci_conn_get_phy+0x1c/0x150 [bluetooth] ? __lock_acquire+0x2e1/0x1a50 ? lock_is_held_type+0xb4/0x120 ? hci_conn_get_phy+0x1c/0x150 [bluetooth] __mutex_lock+0xa3/0xa10 ? hci_conn_get_phy+0x1c/0x150 [bluetooth] ? lock_acquire+0x277/0x3d0 ? mark_held_locks+0x49/0x70 ? mark_held_locks+0x49/0x70 ? hci_conn_get_phy+0x1c/0x150 [bluetooth] hci_conn_get_phy+0x ---truncated--- CVE-2021-47038 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: nvmet-tcp: fix incorrect locking in state_change sk callback We are not changing anything in the TCP connection state so we should not take a write_lock but rather a read lock. This caused a deadlock when running nvmet-tcp and nvme-tcp on the same system, where state_change callbacks on the host and on the controller side have causal relationship and made lockdep report on this with blktests: ================================ WARNING: inconsistent lock state 5.12.0-rc3 #1 Tainted: G I -------------------------------- inconsistent {IN-SOFTIRQ-W} -> {SOFTIRQ-ON-R} usage. nvme/1324 [HC0[0]:SC0[0]:HE1:SE1] takes: ffff888363151000 (clock-AF_INET){++-?}-{2:2}, at: nvme_tcp_state_change+0x21/0x150 [nvme_tcp] {IN-SOFTIRQ-W} state was registered at: __lock_acquire+0x79b/0x18d0 lock_acquire+0x1ca/0x480 _raw_write_lock_bh+0x39/0x80 nvmet_tcp_state_change+0x21/0x170 [nvmet_tcp] tcp_fin+0x2a8/0x780 tcp_data_queue+0xf94/0x1f20 tcp_rcv_established+0x6ba/0x1f00 tcp_v4_do_rcv+0x502/0x760 tcp_v4_rcv+0x257e/0x3430 ip_protocol_deliver_rcu+0x69/0x6a0 ip_local_deliver_finish+0x1e2/0x2f0 ip_local_deliver+0x1a2/0x420 ip_rcv+0x4fb/0x6b0 __netif_receive_skb_one_core+0x162/0x1b0 process_backlog+0x1ff/0x770 __napi_poll.constprop.0+0xa9/0x5c0 net_rx_action+0x7b3/0xb30 __do_softirq+0x1f0/0x940 do_softirq+0xa1/0xd0 __local_bh_enable_ip+0xd8/0x100 ip_finish_output2+0x6b7/0x18a0 __ip_queue_xmit+0x706/0x1aa0 __tcp_transmit_skb+0x2068/0x2e20 tcp_write_xmit+0xc9e/0x2bb0 __tcp_push_pending_frames+0x92/0x310 inet_shutdown+0x158/0x300 __nvme_tcp_stop_queue+0x36/0x270 [nvme_tcp] nvme_tcp_stop_queue+0x87/0xb0 [nvme_tcp] nvme_tcp_teardown_admin_queue+0x69/0xe0 [nvme_tcp] nvme_do_delete_ctrl+0x100/0x10c [nvme_core] nvme_sysfs_delete.cold+0x8/0xd [nvme_core] kernfs_fop_write_iter+0x2c7/0x460 new_sync_write+0x36c/0x610 vfs_write+0x5c0/0x870 ksys_write+0xf9/0x1d0 do_syscall_64+0x33/0x40 entry_SYSCALL_64_after_hwframe+0x44/0xae irq event stamp: 10687 hardirqs last enabled at (10687): [<ffffffff9ec376bd>] _raw_spin_unlock_irqrestore+0x2d/0x40 hardirqs last disabled at (10686): [<ffffffff9ec374d8>] _raw_spin_lock_irqsave+0x68/0x90 softirqs last enabled at (10684): [<ffffffff9f000608>] __do_softirq+0x608/0x940 softirqs last disabled at (10649): [<ffffffff9cdedd31>] do_softirq+0xa1/0xd0 other info that might help us debug this: Possible unsafe locking scenario: CPU0 ---- lock(clock-AF_INET); <Interrupt> lock(clock-AF_INET); *** DEADLOCK *** 5 locks held by nvme/1324: #0: ffff8884a01fe470 (sb_writers#4){.+.+}-{0:0}, at: ksys_write+0xf9/0x1d0 #1: ffff8886e435c090 (&of->mutex){+.+.}-{3:3}, at: kernfs_fop_write_iter+0x216/0x460 #2: ffff888104d90c38 (kn->active#255){++++}-{0:0}, at: kernfs_remove_self+0x22d/0x330 #3: ffff8884634538d0 (&queue->queue_lock){+.+.}-{3:3}, at: nvme_tcp_stop_queue+0x52/0xb0 [nvme_tcp] #4: ffff888363150d30 (sk_lock-AF_INET){+.+.}-{0:0}, at: inet_shutdown+0x59/0x300 stack backtrace: CPU: 26 PID: 1324 Comm: nvme Tainted: G I 5.12.0-rc3 #1 Hardware name: Dell Inc. PowerEdge R640/06NR82, BIOS 2.10.0 11/12/2020 Call Trace: dump_stack+0x93/0xc2 mark_lock_irq.cold+0x2c/0xb3 ? verify_lock_unused+0x390/0x390 ? stack_trace_consume_entry+0x160/0x160 ? lock_downgrade+0x100/0x100 ? save_trace+0x88/0x5e0 ? _raw_spin_unlock_irqrestore+0x2d/0x40 mark_lock+0x530/0x1470 ? mark_lock_irq+0x1d10/0x1d10 ? enqueue_timer+0x660/0x660 mark_usage+0x215/0x2a0 __lock_acquire+0x79b/0x18d0 ? tcp_schedule_loss_probe.part.0+0x38c/0x520 lock_acquire+0x1ca/0x480 ? nvme_tcp_state_change+0x21/0x150 [nvme_tcp] ? rcu_read_unlock+0x40/0x40 ? tcp_mtu_probe+0x1ae0/0x1ae0 ? kmalloc_reserve+0xa0/0xa0 ? sysfs_file_ops+0x170/0x170 _raw_read_lock+0x3d/0xa0 ? nvme_tcp_state_change+0x21/0x150 [nvme_tcp] nvme_tcp_state_change+0x21/0x150 [nvme_tcp] ? sysfs_file_ops ---truncated--- CVE-2021-47041 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: sched/fair: Fix shift-out-of-bounds in load_balance() Syzbot reported a handful of occurrences where an sd->nr_balance_failed can grow to much higher values than one would expect. A successful load_balance() resets it to 0; a failed one increments it. Once it gets to sd->cache_nice_tries + 3, this *should* trigger an active balance, which will either set it to sd->cache_nice_tries+1 or reset it to 0. However, in case the to-be-active-balanced task is not allowed to run on env->dst_cpu, then the increment is done without any further modification. This could then be repeated ad nauseam, and would explain the absurdly high values reported by syzbot (86, 149). VincentG noted there is value in letting sd->cache_nice_tries grow, so the shift itself should be fixed. That means preventing: """ If the value of the right operand is negative or is greater than or equal to the width of the promoted left operand, the behavior is undefined. """ Thus we need to cap the shift exponent to BITS_PER_TYPE(typeof(lefthand)) - 1. I had a look around for other similar cases via coccinelle: @expr@ position pos; expression E1; expression E2; @@ ( E1 >> E2@pos | E1 >> E2@pos ) @cst depends on expr@ position pos; expression expr.E1; constant cst; @@ ( E1 >> cst@pos | E1 << cst@pos ) @script:python depends on !cst@ pos << expr.pos; exp << expr.E2; @@ # Dirty hack to ignore constexpr if exp.upper() != exp: coccilib.report.print_report(pos[0], "Possible UB shift here") The only other match in kernel/sched is rq_clock_thermal() which employs sched_thermal_decay_shift, and that exponent is already capped to 10, so that one is fine. CVE-2021-47044 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: scsi: lpfc: Fix null pointer dereference in lpfc_prep_els_iocb() It is possible to call lpfc_issue_els_plogi() passing a did for which no matching ndlp is found. A call is then made to lpfc_prep_els_iocb() with a null pointer to a lpfc_nodelist structure resulting in a null pointer dereference. Fix by returning an error status if no valid ndlp is found. Fix up comments regarding ndlp reference counting. CVE-2021-47045 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Fix off by one in hdmi_14_process_transaction() The hdcp_i2c_offsets[] array did not have an entry for HDCP_MESSAGE_ID_WRITE_CONTENT_STREAM_TYPE so it led to an off by one read overflow. I added an entry and copied the 0x0 value for the offset from similar code in drivers/gpu/drm/amd/display/modules/hdcp/hdcp_ddc.c. I also declared several of these arrays as having HDCP_MESSAGE_ID_MAX entries. This doesn't change the code, but it's just a belt and suspenders approach to try future proof the code. CVE-2021-47046 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: Drivers: hv: vmbus: Use after free in __vmbus_open() The "open_info" variable is added to the &vmbus_connection.chn_msg_list, but the error handling frees "open_info" without removing it from the list. This will result in a use after free. First remove it from the list, and then free it. CVE-2021-47049 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: spi: fsl-lpspi: Fix PM reference leak in lpspi_prepare_xfer_hardware() pm_runtime_get_sync will increment pm usage counter even it failed. Forgetting to putting operation will result in reference leak here. Fix it by replacing it with pm_runtime_resume_and_get to keep usage counter balanced. CVE-2021-47051 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: bus: qcom: Put child node before return Put child node before return to fix potential reference count leak. Generally, the reference count of child is incremented and decremented automatically in the macro for_each_available_child_of_node() and should be decremented manually if the loop is broken in loop body. CVE-2021-47054 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 low In the Linux kernel, the following vulnerability has been resolved: mtd: require write permissions for locking and badblock ioctls MEMLOCK, MEMUNLOCK and OTPLOCK modify protection bits. Thus require write permission. Depending on the hardware MEMLOCK might even be write-once, e.g. for SPI-NOR flashes with their WP# tied to GND. OTPLOCK is always write-once. MEMSETBADBLOCK modifies the bad block table. CVE-2021-47055 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: crypto: qat - ADF_STATUS_PF_RUNNING should be set after adf_dev_init ADF_STATUS_PF_RUNNING is (only) used and checked by adf_vf2pf_shutdown() before calling adf_iov_putmsg()->mutex_lock(vf2pf_lock), however the vf2pf_lock is initialized in adf_dev_init(), which can fail and when it fail, the vf2pf_lock is either not initialized or destroyed, a subsequent use of vf2pf_lock will cause issue. To fix this issue, only set this flag if adf_dev_init() returns 0. [ 7.178404] BUG: KASAN: user-memory-access in __mutex_lock.isra.0+0x1ac/0x7c0 [ 7.180345] Call Trace: [ 7.182576] mutex_lock+0xc9/0xd0 [ 7.183257] adf_iov_putmsg+0x118/0x1a0 [intel_qat] [ 7.183541] adf_vf2pf_shutdown+0x4d/0x7b [intel_qat] [ 7.183834] adf_dev_shutdown+0x172/0x2b0 [intel_qat] [ 7.184127] adf_probe+0x5e9/0x600 [qat_dh895xccvf] CVE-2021-47056 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: regmap: set debugfs_name to NULL after it is freed There is a upstream commit cffa4b2122f5("regmap:debugfs: Fix a memory leak when calling regmap_attach_dev") that adds a if condition when create name for debugfs_name. With below function invoking logical, debugfs_name is freed in regmap_debugfs_exit(), but it is not created again because of the if condition introduced by above commit. regmap_reinit_cache() regmap_debugfs_exit() ... regmap_debugfs_init() So, set debugfs_name to NULL after it is freed. CVE-2021-47058 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: KVM: Stop looking for coalesced MMIO zones if the bus is destroyed Abort the walk of coalesced MMIO zones if kvm_io_bus_unregister_dev() fails to allocate memory for the new instance of the bus. If it can't instantiate a new bus, unregister_dev() destroys all devices _except_ the target device. But, it doesn't tell the caller that it obliterated the bus and invoked the destructor for all devices that were on the bus. In the coalesced MMIO case, this can result in a deleted list entry dereference due to attempting to continue iterating on coalesced_zones after future entries (in the walk) have been deleted. Opportunistically add curly braces to the for-loop, which encompasses many lines but sneaks by without braces due to the guts being a single if statement. CVE-2021-47060 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: KVM: Destroy I/O bus devices on unregister failure _after_ sync'ing SRCU If allocating a new instance of an I/O bus fails when unregistering a device, wait to destroy the device until after all readers are guaranteed to see the new null bus. Destroying devices before the bus is nullified could lead to use-after-free since readers expect the devices on their reference of the bus to remain valid. CVE-2021-47061 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm: bridge/panel: Cleanup connector on bridge detach If we don't call drm_connector_cleanup() manually in panel_bridge_detach(), the connector will be cleaned up with the other DRM objects in the call to drm_mode_config_cleanup(). However, since our drm_connector is devm-allocated, by the time drm_mode_config_cleanup() will be called, our connector will be long gone. Therefore, the connector must be cleaned up when the bridge is detached to avoid use-after-free conditions. v2: Cleanup connector only if it was created v3: Add FIXME v4: (Use connector->dev) directly in if() block CVE-2021-47063 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: rtw88: Fix array overrun in rtw_get_tx_power_params() Using a kernel with the Undefined Behaviour Sanity Checker (UBSAN) enabled, the following array overrun is logged: ================================================================================ UBSAN: array-index-out-of-bounds in /home/finger/wireless-drivers-next/drivers/net/wireless/realtek/rtw88/phy.c:1789:34 index 5 is out of range for type 'u8 [5]' CPU: 2 PID: 84 Comm: kworker/u16:3 Tainted: G O 5.12.0-rc5-00086-gd88bba47038e-dirty #651 Hardware name: TOSHIBA TECRA A50-A/TECRA A50-A, BIOS Version 4.50 09/29/2014 Workqueue: phy0 ieee80211_scan_work [mac80211] Call Trace: dump_stack+0x64/0x7c ubsan_epilogue+0x5/0x40 __ubsan_handle_out_of_bounds.cold+0x43/0x48 rtw_get_tx_power_params+0x83a/drivers/net/wireless/realtek/rtw88/0xad0 [rtw_core] ? rtw_pci_read16+0x20/0x20 [rtw_pci] ? check_hw_ready+0x50/0x90 [rtw_core] rtw_phy_get_tx_power_index+0x4d/0xd0 [rtw_core] rtw_phy_set_tx_power_level+0xee/0x1b0 [rtw_core] rtw_set_channel+0xab/0x110 [rtw_core] rtw_ops_config+0x87/0xc0 [rtw_core] ieee80211_hw_config+0x9d/0x130 [mac80211] ieee80211_scan_state_set_channel+0x81/0x170 [mac80211] ieee80211_scan_work+0x19f/0x2a0 [mac80211] process_one_work+0x1dd/0x3a0 worker_thread+0x49/0x330 ? rescuer_thread+0x3a0/0x3a0 kthread+0x134/0x150 ? kthread_create_worker_on_cpu+0x70/0x70 ret_from_fork+0x22/0x30 ================================================================================ The statement where an array is being overrun is shown in the following snippet: if (rate <= DESC_RATE11M) tx_power = pwr_idx_2g->cck_base[group]; else ====> tx_power = pwr_idx_2g->bw40_base[group]; The associated arrays are defined in main.h as follows: struct rtw_2g_txpwr_idx { u8 cck_base[6]; u8 bw40_base[5]; struct rtw_2g_1s_pwr_idx_diff ht_1s_diff; struct rtw_2g_ns_pwr_idx_diff ht_2s_diff; struct rtw_2g_ns_pwr_idx_diff ht_3s_diff; struct rtw_2g_ns_pwr_idx_diff ht_4s_diff; }; The problem arises because the value of group is 5 for channel 14. The trivial increase in the dimension of bw40_base fails as this struct must match the layout of efuse. The fix is to add the rate as an argument to rtw_get_channel_group() and set the group for channel 14 to 4 if rate <= DESC_RATE11M. This patch fixes commit fa6dfe6bff24 ("rtw88: resolve order of tx power setting routines") CVE-2021-47065 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: ipc/mqueue, msg, sem: avoid relying on a stack reference past its expiry do_mq_timedreceive calls wq_sleep with a stack local address. The sender (do_mq_timedsend) uses this address to later call pipelined_send. This leads to a very hard to trigger race where a do_mq_timedreceive call might return and leave do_mq_timedsend to rely on an invalid address, causing the following crash: RIP: 0010:wake_q_add_safe+0x13/0x60 Call Trace: __x64_sys_mq_timedsend+0x2a9/0x490 do_syscall_64+0x80/0x680 entry_SYSCALL_64_after_hwframe+0x44/0xa9 RIP: 0033:0x7f5928e40343 The race occurs as: 1. do_mq_timedreceive calls wq_sleep with the address of `struct ext_wait_queue` on function stack (aliased as `ewq_addr` here) - it holds a valid `struct ext_wait_queue *` as long as the stack has not been overwritten. 2. `ewq_addr` gets added to info->e_wait_q[RECV].list in wq_add, and do_mq_timedsend receives it via wq_get_first_waiter(info, RECV) to call __pipelined_op. 3. Sender calls __pipelined_op::smp_store_release(&this->state, STATE_READY). Here is where the race window begins. (`this` is `ewq_addr`.) 4. If the receiver wakes up now in do_mq_timedreceive::wq_sleep, it will see `state == STATE_READY` and break. 5. do_mq_timedreceive returns, and `ewq_addr` is no longer guaranteed to be a `struct ext_wait_queue *` since it was on do_mq_timedreceive's stack. (Although the address may not get overwritten until another function happens to touch it, which means it can persist around for an indefinite time.) 6. do_mq_timedsend::__pipelined_op() still believes `ewq_addr` is a `struct ext_wait_queue *`, and uses it to find a task_struct to pass to the wake_q_add_safe call. In the lucky case where nothing has overwritten `ewq_addr` yet, `ewq_addr->task` is the right task_struct. In the unlucky case, __pipelined_op::wake_q_add_safe gets handed a bogus address as the receiver's task_struct causing the crash. do_mq_timedsend::__pipelined_op() should not dereference `this` after setting STATE_READY, as the receiver counterpart is now free to return. Change __pipelined_op to call wake_q_add_safe on the receiver's task_struct returned by get_task_struct, instead of dereferencing `this` which sits on the receiver's stack. As Manfred pointed out, the race potentially also exists in ipc/msg.c::expunge_all and ipc/sem.c::wake_up_sem_queue_prepare. Fix those in the same way. CVE-2021-47069 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: uio_hv_generic: Fix another memory leak in error handling paths Memory allocated by 'vmbus_alloc_ring()' at the beginning of the probe function is never freed in the error handling path. Add the missing 'vmbus_free_ring()' call. Note that it is already freed in the .remove function. CVE-2021-47070 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: uio_hv_generic: Fix a memory leak in error handling paths If 'vmbus_establish_gpadl()' fails, the (recv|send)_gpadl will not be updated and 'hv_uio_cleanup()' in the error handling path will not be able to free the corresponding buffer. In such a case, we need to free the buffer explicitly. CVE-2021-47071 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: platform/x86: dell-smbios-wmi: Fix oops on rmmod dell_smbios init_dell_smbios_wmi() only registers the dell_smbios_wmi_driver on systems where the Dell WMI interface is supported. While exit_dell_smbios_wmi() unregisters it unconditionally, this leads to the following oops: [ 175.722921] ------------[ cut here ]------------ [ 175.722925] Unexpected driver unregister! [ 175.722939] WARNING: CPU: 1 PID: 3630 at drivers/base/driver.c:194 driver_unregister+0x38/0x40 ... [ 175.723089] Call Trace: [ 175.723094] cleanup_module+0x5/0xedd [dell_smbios] ... [ 175.723148] ---[ end trace 064c34e1ad49509d ]--- Make the unregister happen on the same condition the register happens to fix this. CVE-2021-47073 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: nvme-loop: fix memory leak in nvme_loop_create_ctrl() When creating loop ctrl in nvme_loop_create_ctrl(), if nvme_init_ctrl() fails, the loop ctrl should be freed before jumping to the "out" label. CVE-2021-47074 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 low In the Linux kernel, the following vulnerability has been resolved: RDMA/rxe: Return CQE error if invalid lkey was supplied RXE is missing update of WQE status in LOCAL_WRITE failures. This caused the following kernel panic if someone sent an atomic operation with an explicitly wrong lkey. [leonro@vm ~]$ mkt test test_atomic_invalid_lkey (tests.test_atomic.AtomicTest) ... WARNING: CPU: 5 PID: 263 at drivers/infiniband/sw/rxe/rxe_comp.c:740 rxe_completer+0x1a6d/0x2e30 [rdma_rxe] Modules linked in: crc32_generic rdma_rxe ip6_udp_tunnel udp_tunnel rdma_ucm rdma_cm ib_umad ib_ipoib iw_cm ib_cm mlx5_ib ib_uverbs ib_core mlx5_core ptp pps_core CPU: 5 PID: 263 Comm: python3 Not tainted 5.13.0-rc1+ #2936 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 RIP: 0010:rxe_completer+0x1a6d/0x2e30 [rdma_rxe] Code: 03 0f 8e 65 0e 00 00 3b 93 10 06 00 00 0f 84 82 0a 00 00 4c 89 ff 4c 89 44 24 38 e8 2d 74 a9 e1 4c 8b 44 24 38 e9 1c f5 ff ff <0f> 0b e9 0c e8 ff ff b8 05 00 00 00 41 bf 05 00 00 00 e9 ab e7 ff RSP: 0018:ffff8880158af090 EFLAGS: 00010246 RAX: 0000000000000000 RBX: ffff888016a78000 RCX: ffffffffa0cf1652 RDX: 1ffff9200004b442 RSI: 0000000000000004 RDI: ffffc9000025a210 RBP: dffffc0000000000 R08: 00000000ffffffea R09: ffff88801617740b R10: ffffed1002c2ee81 R11: 0000000000000007 R12: ffff88800f3b63e8 R13: ffff888016a78008 R14: ffffc9000025a180 R15: 000000000000000c FS: 00007f88b622a740(0000) GS:ffff88806d540000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f88b5a1fa10 CR3: 000000000d848004 CR4: 0000000000370ea0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: rxe_do_task+0x130/0x230 [rdma_rxe] rxe_rcv+0xb11/0x1df0 [rdma_rxe] rxe_loopback+0x157/0x1e0 [rdma_rxe] rxe_responder+0x5532/0x7620 [rdma_rxe] rxe_do_task+0x130/0x230 [rdma_rxe] rxe_rcv+0x9c8/0x1df0 [rdma_rxe] rxe_loopback+0x157/0x1e0 [rdma_rxe] rxe_requester+0x1efd/0x58c0 [rdma_rxe] rxe_do_task+0x130/0x230 [rdma_rxe] rxe_post_send+0x998/0x1860 [rdma_rxe] ib_uverbs_post_send+0xd5f/0x1220 [ib_uverbs] ib_uverbs_write+0x847/0xc80 [ib_uverbs] vfs_write+0x1c5/0x840 ksys_write+0x176/0x1d0 do_syscall_64+0x3f/0x80 entry_SYSCALL_64_after_hwframe+0x44/0xae CVE-2021-47076 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: scsi: qedf: Add pointer checks in qedf_update_link_speed() The following trace was observed: [ 14.042059] Call Trace: [ 14.042061] <IRQ> [ 14.042068] qedf_link_update+0x144/0x1f0 [qedf] [ 14.042117] qed_link_update+0x5c/0x80 [qed] [ 14.042135] qed_mcp_handle_link_change+0x2d2/0x410 [qed] [ 14.042155] ? qed_set_ptt+0x70/0x80 [qed] [ 14.042170] ? qed_set_ptt+0x70/0x80 [qed] [ 14.042186] ? qed_rd+0x13/0x40 [qed] [ 14.042205] qed_mcp_handle_events+0x437/0x690 [qed] [ 14.042221] ? qed_set_ptt+0x70/0x80 [qed] [ 14.042239] qed_int_sp_dpc+0x3a6/0x3e0 [qed] [ 14.042245] tasklet_action_common.isra.14+0x5a/0x100 [ 14.042250] __do_softirq+0xe4/0x2f8 [ 14.042253] irq_exit+0xf7/0x100 [ 14.042255] do_IRQ+0x7f/0xd0 [ 14.042257] common_interrupt+0xf/0xf [ 14.042259] </IRQ> API qedf_link_update() is getting called from QED but by that time shost_data is not initialised. This results in a NULL pointer dereference when we try to dereference shost_data while updating supported_speeds. Add a NULL pointer check before dereferencing shost_data. CVE-2021-47077 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: RDMA/rxe: Clear all QP fields if creation failed rxe_qp_do_cleanup() relies on valid pointer values in QP for the properly created ones, but in case rxe_qp_from_init() failed it was filled with garbage and caused tot the following error. refcount_t: underflow; use-after-free. WARNING: CPU: 1 PID: 12560 at lib/refcount.c:28 refcount_warn_saturate+0x1d1/0x1e0 lib/refcount.c:28 Modules linked in: CPU: 1 PID: 12560 Comm: syz-executor.4 Not tainted 5.12.0-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 RIP: 0010:refcount_warn_saturate+0x1d1/0x1e0 lib/refcount.c:28 Code: e9 db fe ff ff 48 89 df e8 2c c2 ea fd e9 8a fe ff ff e8 72 6a a7 fd 48 c7 c7 e0 b2 c1 89 c6 05 dc 3a e6 09 01 e8 ee 74 fb 04 <0f> 0b e9 af fe ff ff 0f 1f 84 00 00 00 00 00 41 56 41 55 41 54 55 RSP: 0018:ffffc900097ceba8 EFLAGS: 00010286 RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000 RDX: 0000000000040000 RSI: ffffffff815bb075 RDI: fffff520012f9d67 RBP: 0000000000000003 R08: 0000000000000000 R09: 0000000000000000 R10: ffffffff815b4eae R11: 0000000000000000 R12: ffff8880322a4800 R13: ffff8880322a4940 R14: ffff888033044e00 R15: 0000000000000000 FS: 00007f6eb2be3700(0000) GS:ffff8880b9d00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fdbe5d41000 CR3: 000000001d181000 CR4: 00000000001506e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: __refcount_sub_and_test include/linux/refcount.h:283 [inline] __refcount_dec_and_test include/linux/refcount.h:315 [inline] refcount_dec_and_test include/linux/refcount.h:333 [inline] kref_put include/linux/kref.h:64 [inline] rxe_qp_do_cleanup+0x96f/0xaf0 drivers/infiniband/sw/rxe/rxe_qp.c:805 execute_in_process_context+0x37/0x150 kernel/workqueue.c:3327 rxe_elem_release+0x9f/0x180 drivers/infiniband/sw/rxe/rxe_pool.c:391 kref_put include/linux/kref.h:65 [inline] rxe_create_qp+0x2cd/0x310 drivers/infiniband/sw/rxe/rxe_verbs.c:425 _ib_create_qp drivers/infiniband/core/core_priv.h:331 [inline] ib_create_named_qp+0x2ad/0x1370 drivers/infiniband/core/verbs.c:1231 ib_create_qp include/rdma/ib_verbs.h:3644 [inline] create_mad_qp+0x177/0x2d0 drivers/infiniband/core/mad.c:2920 ib_mad_port_open drivers/infiniband/core/mad.c:3001 [inline] ib_mad_init_device+0xd6f/0x1400 drivers/infiniband/core/mad.c:3092 add_client_context+0x405/0x5e0 drivers/infiniband/core/device.c:717 enable_device_and_get+0x1cd/0x3b0 drivers/infiniband/core/device.c:1331 ib_register_device drivers/infiniband/core/device.c:1413 [inline] ib_register_device+0x7c7/0xa50 drivers/infiniband/core/device.c:1365 rxe_register_device+0x3d5/0x4a0 drivers/infiniband/sw/rxe/rxe_verbs.c:1147 rxe_add+0x12fe/0x16d0 drivers/infiniband/sw/rxe/rxe.c:247 rxe_net_add+0x8c/0xe0 drivers/infiniband/sw/rxe/rxe_net.c:503 rxe_newlink drivers/infiniband/sw/rxe/rxe.c:269 [inline] rxe_newlink+0xb7/0xe0 drivers/infiniband/sw/rxe/rxe.c:250 nldev_newlink+0x30e/0x550 drivers/infiniband/core/nldev.c:1555 rdma_nl_rcv_msg+0x36d/0x690 drivers/infiniband/core/netlink.c:195 rdma_nl_rcv_skb drivers/infiniband/core/netlink.c:239 [inline] rdma_nl_rcv+0x2ee/0x430 drivers/infiniband/core/netlink.c:259 netlink_unicast_kernel net/netlink/af_netlink.c:1312 [inline] netlink_unicast+0x533/0x7d0 net/netlink/af_netlink.c:1338 netlink_sendmsg+0x856/0xd90 net/netlink/af_netlink.c:1927 sock_sendmsg_nosec net/socket.c:654 [inline] sock_sendmsg+0xcf/0x120 net/socket.c:674 ____sys_sendmsg+0x6e8/0x810 net/socket.c:2350 ___sys_sendmsg+0xf3/0x170 net/socket.c:2404 __sys_sendmsg+0xe5/0x1b0 net/socket.c:2433 do_syscall_64+0x3a/0xb0 arch/x86/entry/common.c:47 entry_SYSCALL_64_after_hwframe+0 ---truncated--- CVE-2021-47078 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: pinctrl: mediatek: fix global-out-of-bounds issue When eint virtual eint number is greater than gpio number, it maybe produce 'desc[eint_n]' size globle-out-of-bounds issue. CVE-2021-47083 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: tee: optee: Fix incorrect page free bug Pointer to the allocated pages (struct page *page) has already progressed towards the end of allocation. It is incorrect to perform __free_pages(page, order) using this pointer as we would free any arbitrary pages. Fix this by stop modifying the page pointer. CVE-2021-47087 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: ipmi: ssif: initialize ssif_info->client early During probe ssif_info->client is dereferenced in error path. However, it is set when some of the error checking has already been done. This causes following kernel crash if an error path is taken: [ 30.645593][ T674] ipmi_ssif 0-000e: ipmi_ssif: Not probing, Interface already present [ 30.657616][ T674] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000088 ... [ 30.657723][ T674] pc : __dev_printk+0x28/0xa0 [ 30.657732][ T674] lr : _dev_err+0x7c/0xa0 ... [ 30.657772][ T674] Call trace: [ 30.657775][ T674] __dev_printk+0x28/0xa0 [ 30.657778][ T674] _dev_err+0x7c/0xa0 [ 30.657781][ T674] ssif_probe+0x548/0x900 [ipmi_ssif 62ce4b08badc1458fd896206d9ef69a3c31f3d3e] [ 30.657791][ T674] i2c_device_probe+0x37c/0x3c0 ... Initialize ssif_info->client before any error path can be taken. Clear i2c_client data in the error path to prevent the dangling pointer from leaking. CVE-2021-47095 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: Input: elantech - fix stack out of bound access in elantech_change_report_id() The array param[] in elantech_change_report_id() must be at least 3 bytes, because elantech_read_reg_params() is calling ps2_command() with PSMOUSE_CMD_GETINFO, that is going to access 3 bytes from param[], but it's defined in the stack as an array of 2 bytes, therefore we have a potential stack out-of-bounds access here, also confirmed by KASAN: [ 6.512374] BUG: KASAN: stack-out-of-bounds in __ps2_command+0x372/0x7e0 [ 6.512397] Read of size 1 at addr ffff8881024d77c2 by task kworker/2:1/118 [ 6.512416] CPU: 2 PID: 118 Comm: kworker/2:1 Not tainted 5.13.0-22-generic #22+arighi20211110 [ 6.512428] Hardware name: LENOVO 20T8000QGE/20T8000QGE, BIOS R1AET32W (1.08 ) 08/14/2020 [ 6.512436] Workqueue: events_long serio_handle_event [ 6.512453] Call Trace: [ 6.512462] show_stack+0x52/0x58 [ 6.512474] dump_stack+0xa1/0xd3 [ 6.512487] print_address_description.constprop.0+0x1d/0x140 [ 6.512502] ? __ps2_command+0x372/0x7e0 [ 6.512516] __kasan_report.cold+0x7d/0x112 [ 6.512527] ? _raw_write_lock_irq+0x20/0xd0 [ 6.512539] ? __ps2_command+0x372/0x7e0 [ 6.512552] kasan_report+0x3c/0x50 [ 6.512564] __asan_load1+0x6a/0x70 [ 6.512575] __ps2_command+0x372/0x7e0 [ 6.512589] ? ps2_drain+0x240/0x240 [ 6.512601] ? dev_printk_emit+0xa2/0xd3 [ 6.512612] ? dev_vprintk_emit+0xc5/0xc5 [ 6.512621] ? __kasan_check_write+0x14/0x20 [ 6.512634] ? mutex_lock+0x8f/0xe0 [ 6.512643] ? __mutex_lock_slowpath+0x20/0x20 [ 6.512655] ps2_command+0x52/0x90 [ 6.512670] elantech_ps2_command+0x4f/0xc0 [psmouse] [ 6.512734] elantech_change_report_id+0x1e6/0x256 [psmouse] [ 6.512799] ? elantech_report_trackpoint.constprop.0.cold+0xd/0xd [psmouse] [ 6.512863] ? ps2_command+0x7f/0x90 [ 6.512877] elantech_query_info.cold+0x6bd/0x9ed [psmouse] [ 6.512943] ? elantech_setup_ps2+0x460/0x460 [psmouse] [ 6.513005] ? psmouse_reset+0x69/0xb0 [psmouse] [ 6.513064] ? psmouse_attr_set_helper+0x2a0/0x2a0 [psmouse] [ 6.513122] ? phys_pmd_init+0x30e/0x521 [ 6.513137] elantech_init+0x8a/0x200 [psmouse] [ 6.513200] ? elantech_init_ps2+0xf0/0xf0 [psmouse] [ 6.513249] ? elantech_query_info+0x440/0x440 [psmouse] [ 6.513296] ? synaptics_send_cmd+0x60/0x60 [psmouse] [ 6.513342] ? elantech_query_info+0x440/0x440 [psmouse] [ 6.513388] ? psmouse_try_protocol+0x11e/0x170 [psmouse] [ 6.513432] psmouse_extensions+0x65d/0x6e0 [psmouse] [ 6.513476] ? psmouse_try_protocol+0x170/0x170 [psmouse] [ 6.513519] ? mutex_unlock+0x22/0x40 [ 6.513526] ? ps2_command+0x7f/0x90 [ 6.513536] ? psmouse_probe+0xa3/0xf0 [psmouse] [ 6.513580] psmouse_switch_protocol+0x27d/0x2e0 [psmouse] [ 6.513624] psmouse_connect+0x272/0x530 [psmouse] [ 6.513669] serio_driver_probe+0x55/0x70 [ 6.513679] really_probe+0x190/0x720 [ 6.513689] driver_probe_device+0x160/0x1f0 [ 6.513697] device_driver_attach+0x119/0x130 [ 6.513705] ? device_driver_attach+0x130/0x130 [ 6.513713] __driver_attach+0xe7/0x1a0 [ 6.513720] ? device_driver_attach+0x130/0x130 [ 6.513728] bus_for_each_dev+0xfb/0x150 [ 6.513738] ? subsys_dev_iter_exit+0x10/0x10 [ 6.513748] ? _raw_write_unlock_bh+0x30/0x30 [ 6.513757] driver_attach+0x2d/0x40 [ 6.513764] serio_handle_event+0x199/0x3d0 [ 6.513775] process_one_work+0x471/0x740 [ 6.513785] worker_thread+0x2d2/0x790 [ 6.513794] ? process_one_work+0x740/0x740 [ 6.513802] kthread+0x1b4/0x1e0 [ 6.513809] ? set_kthread_struct+0x80/0x80 [ 6.513816] ret_from_fork+0x22/0x30 [ 6.513832] The buggy address belongs to the page: [ 6.513838] page:00000000bc35e189 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1024d7 [ 6.513847] flags: 0x17ffffc0000000(node=0|zone=2|lastcpupid=0x1fffff) [ 6.513860] raw: 0 ---truncated--- CVE-2021-47097 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 low In the Linux kernel, the following vulnerability has been resolved: ipmi: Fix UAF when uninstall ipmi_si and ipmi_msghandler module Hi, When testing install and uninstall of ipmi_si.ko and ipmi_msghandler.ko, the system crashed. The log as follows: [ 141.087026] BUG: unable to handle kernel paging request at ffffffffc09b3a5a [ 141.087241] PGD 8fe4c0d067 P4D 8fe4c0d067 PUD 8fe4c0f067 PMD 103ad89067 PTE 0 [ 141.087464] Oops: 0010 [#1] SMP NOPTI [ 141.087580] CPU: 67 PID: 668 Comm: kworker/67:1 Kdump: loaded Not tainted 4.18.0.x86_64 #47 [ 141.088009] Workqueue: events 0xffffffffc09b3a40 [ 141.088009] RIP: 0010:0xffffffffc09b3a5a [ 141.088009] Code: Bad RIP value. [ 141.088009] RSP: 0018:ffffb9094e2c3e88 EFLAGS: 00010246 [ 141.088009] RAX: 0000000000000000 RBX: ffff9abfdb1f04a0 RCX: 0000000000000000 [ 141.088009] RDX: 0000000000000000 RSI: 0000000000000246 RDI: 0000000000000246 [ 141.088009] RBP: 0000000000000000 R08: ffff9abfffee3cb8 R09: 00000000000002e1 [ 141.088009] R10: ffffb9094cb73d90 R11: 00000000000f4240 R12: ffff9abfffee8700 [ 141.088009] R13: 0000000000000000 R14: ffff9abfdb1f04a0 R15: ffff9abfdb1f04a8 [ 141.088009] FS: 0000000000000000(0000) GS:ffff9abfffec0000(0000) knlGS:0000000000000000 [ 141.088009] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 141.088009] CR2: ffffffffc09b3a30 CR3: 0000008fe4c0a001 CR4: 00000000007606e0 [ 141.088009] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 141.088009] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 141.088009] PKRU: 55555554 [ 141.088009] Call Trace: [ 141.088009] ? process_one_work+0x195/0x390 [ 141.088009] ? worker_thread+0x30/0x390 [ 141.088009] ? process_one_work+0x390/0x390 [ 141.088009] ? kthread+0x10d/0x130 [ 141.088009] ? kthread_flush_work_fn+0x10/0x10 [ 141.088009] ? ret_from_fork+0x35/0x40] BUG: unable to handle kernel paging request at ffffffffc0b28a5a [ 200.223240] PGD 97fe00d067 P4D 97fe00d067 PUD 97fe00f067 PMD a580cbf067 PTE 0 [ 200.223464] Oops: 0010 [#1] SMP NOPTI [ 200.223579] CPU: 63 PID: 664 Comm: kworker/63:1 Kdump: loaded Not tainted 4.18.0.x86_64 #46 [ 200.224008] Workqueue: events 0xffffffffc0b28a40 [ 200.224008] RIP: 0010:0xffffffffc0b28a5a [ 200.224008] Code: Bad RIP value. [ 200.224008] RSP: 0018:ffffbf3c8e2a3e88 EFLAGS: 00010246 [ 200.224008] RAX: 0000000000000000 RBX: ffffa0799ad6bca0 RCX: 0000000000000000 [ 200.224008] RDX: 0000000000000000 RSI: 0000000000000246 RDI: 0000000000000246 [ 200.224008] RBP: 0000000000000000 R08: ffff9fe43fde3cb8 R09: 00000000000000d5 [ 200.224008] R10: ffffbf3c8cb53d90 R11: 00000000000f4240 R12: ffff9fe43fde8700 [ 200.224008] R13: 0000000000000000 R14: ffffa0799ad6bca0 R15: ffffa0799ad6bca8 [ 200.224008] FS: 0000000000000000(0000) GS:ffff9fe43fdc0000(0000) knlGS:0000000000000000 [ 200.224008] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 200.224008] CR2: ffffffffc0b28a30 CR3: 00000097fe00a002 CR4: 00000000007606e0 [ 200.224008] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 200.224008] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 200.224008] PKRU: 55555554 [ 200.224008] Call Trace: [ 200.224008] ? process_one_work+0x195/0x390 [ 200.224008] ? worker_thread+0x30/0x390 [ 200.224008] ? process_one_work+0x390/0x390 [ 200.224008] ? kthread+0x10d/0x130 [ 200.224008] ? kthread_flush_work_fn+0x10/0x10 [ 200.224008] ? ret_from_fork+0x35/0x40 [ 200.224008] kernel fault(0x1) notification starting on CPU 63 [ 200.224008] kernel fault(0x1) notification finished on CPU 63 [ 200.224008] CR2: ffffffffc0b28a5a [ 200.224008] ---[ end trace c82a412d93f57412 ]--- The reason is as follows: T1: rmmod ipmi_si. ->ipmi_unregister_smi() -> ipmi_bmc_unregister() -> __ipmi_bmc_unregister() -> kref_put(&bmc->usecount, cleanup_bmc_device); -> schedule_work(&bmc->remove_work); T2: rmmod ipmi_msghandl ---truncated--- CVE-2021-47100 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: asix: fix uninit-value in asix_mdio_read() asix_read_cmd() may read less than sizeof(smsr) bytes and in this case smsr will be uninitialized. Fail log: BUG: KMSAN: uninit-value in asix_check_host_enable drivers/net/usb/asix_common.c:82 [inline] BUG: KMSAN: uninit-value in asix_check_host_enable drivers/net/usb/asix_common.c:82 [inline] drivers/net/usb/asix_common.c:497 BUG: KMSAN: uninit-value in asix_mdio_read+0x3c1/0xb00 drivers/net/usb/asix_common.c:497 drivers/net/usb/asix_common.c:497 asix_check_host_enable drivers/net/usb/asix_common.c:82 [inline] asix_check_host_enable drivers/net/usb/asix_common.c:82 [inline] drivers/net/usb/asix_common.c:497 asix_mdio_read+0x3c1/0xb00 drivers/net/usb/asix_common.c:497 drivers/net/usb/asix_common.c:497 CVE-2021-47101 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 low In the Linux kernel, the following vulnerability has been resolved: neighbour: allow NUD_NOARP entries to be forced GCed IFF_POINTOPOINT interfaces use NUD_NOARP entries for IPv6. It's possible to fill up the neighbour table with enough entries that it will overflow for valid connections after that. This behaviour is more prevalent after commit 58956317c8de ("neighbor: Improve garbage collection") is applied, as it prevents removal from entries that are not NUD_FAILED, unless they are more than 5s old. CVE-2021-47109 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: x86/kvm: Disable kvmclock on all CPUs on shutdown Currenly, we disable kvmclock from machine_shutdown() hook and this only happens for boot CPU. We need to disable it for all CPUs to guard against memory corruption e.g. on restore from hibernate. Note, writing '0' to kvmclock MSR doesn't clear memory location, it just prevents hypervisor from updating the location so for the short while after write and while CPU is still alive, the clock remains usable and correct so we don't need to switch to some other clocksource. CVE-2021-47110 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: x86/kvm: Teardown PV features on boot CPU as well Various PV features (Async PF, PV EOI, steal time) work through memory shared with hypervisor and when we restore from hibernation we must properly teardown all these features to make sure hypervisor doesn't write to stale locations after we jump to the previously hibernated kernel (which can try to place anything there). For secondary CPUs the job is already done by kvm_cpu_down_prepare(), register syscore ops to do the same for boot CPU. CVE-2021-47112 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 low In the Linux kernel, the following vulnerability has been resolved: btrfs: abort in rename_exchange if we fail to insert the second ref Error injection stress uncovered a problem where we'd leave a dangling inode ref if we failed during a rename_exchange. This happens because we insert the inode ref for one side of the rename, and then for the other side. If this second inode ref insert fails we'll leave the first one dangling and leave a corrupt file system behind. Fix this by aborting if we did the insert for the first inode ref. CVE-2021-47113 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: ocfs2: fix data corruption by fallocate When fallocate punches holes out of inode size, if original isize is in the middle of last cluster, then the part from isize to the end of the cluster will be zeroed with buffer write, at that time isize is not yet updated to match the new size, if writeback is kicked in, it will invoke ocfs2_writepage()->block_write_full_page() where the pages out of inode size will be dropped. That will cause file corruption. Fix this by zero out eof blocks when extending the inode size. Running the following command with qemu-image 4.2.1 can get a corrupted coverted image file easily. qemu-img convert -p -t none -T none -f qcow2 $qcow_image \ -O qcow2 -o compat=1.1 $qcow_image.conv The usage of fallocate in qemu is like this, it first punches holes out of inode size, then extend the inode size. fallocate(11, FALLOC_FL_KEEP_SIZE|FALLOC_FL_PUNCH_HOLE, 2276196352, 65536) = 0 fallocate(11, 0, 2276196352, 65536) = 0 v1: https://www.spinics.net/lists/linux-fsdevel/msg193999.html v2: https://lore.kernel.org/linux-fsdevel/20210525093034.GB4112@quack2.suse.cz/T/ CVE-2021-47114 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: ext4: fix bug on in ext4_es_cache_extent as ext4_split_extent_at failed We got follow bug_on when run fsstress with injecting IO fault: [130747.323114] kernel BUG at fs/ext4/extents_status.c:762! [130747.323117] Internal error: Oops - BUG: 0 [#1] SMP ...... [130747.334329] Call trace: [130747.334553] ext4_es_cache_extent+0x150/0x168 [ext4] [130747.334975] ext4_cache_extents+0x64/0xe8 [ext4] [130747.335368] ext4_find_extent+0x300/0x330 [ext4] [130747.335759] ext4_ext_map_blocks+0x74/0x1178 [ext4] [130747.336179] ext4_map_blocks+0x2f4/0x5f0 [ext4] [130747.336567] ext4_mpage_readpages+0x4a8/0x7a8 [ext4] [130747.336995] ext4_readpage+0x54/0x100 [ext4] [130747.337359] generic_file_buffered_read+0x410/0xae8 [130747.337767] generic_file_read_iter+0x114/0x190 [130747.338152] ext4_file_read_iter+0x5c/0x140 [ext4] [130747.338556] __vfs_read+0x11c/0x188 [130747.338851] vfs_read+0x94/0x150 [130747.339110] ksys_read+0x74/0xf0 This patch's modification is according to Jan Kara's suggestion in: https://patchwork.ozlabs.org/project/linux-ext4/patch/20210428085158.3728201-1-yebin10@huawei.com/ "I see. Now I understand your patch. Honestly, seeing how fragile is trying to fix extent tree after split has failed in the middle, I would probably go even further and make sure we fix the tree properly in case of ENOSPC and EDQUOT (those are easily user triggerable). Anything else indicates a HW problem or fs corruption so I'd rather leave the extent tree as is and don't try to fix it (which also means we will not create overlapping extents)." CVE-2021-47117 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: pid: take a reference when initializing `cad_pid` During boot, kernel_init_freeable() initializes `cad_pid` to the init task's struct pid. Later on, we may change `cad_pid` via a sysctl, and when this happens proc_do_cad_pid() will increment the refcount on the new pid via get_pid(), and will decrement the refcount on the old pid via put_pid(). As we never called get_pid() when we initialized `cad_pid`, we decrement a reference we never incremented, can therefore free the init task's struct pid early. As there can be dangling references to the struct pid, we can later encounter a use-after-free (e.g. when delivering signals). This was spotted when fuzzing v5.13-rc3 with Syzkaller, but seems to have been around since the conversion of `cad_pid` to struct pid in commit 9ec52099e4b8 ("[PATCH] replace cad_pid by a struct pid") from the pre-KASAN stone age of v2.6.19. Fix this by getting a reference to the init task's struct pid when we assign it to `cad_pid`. Full KASAN splat below. ================================================================== BUG: KASAN: use-after-free in ns_of_pid include/linux/pid.h:153 [inline] BUG: KASAN: use-after-free in task_active_pid_ns+0xc0/0xc8 kernel/pid.c:509 Read of size 4 at addr ffff23794dda0004 by task syz-executor.0/273 CPU: 1 PID: 273 Comm: syz-executor.0 Not tainted 5.12.0-00001-g9aef892b2d15 #1 Hardware name: linux,dummy-virt (DT) Call trace: ns_of_pid include/linux/pid.h:153 [inline] task_active_pid_ns+0xc0/0xc8 kernel/pid.c:509 do_notify_parent+0x308/0xe60 kernel/signal.c:1950 exit_notify kernel/exit.c:682 [inline] do_exit+0x2334/0x2bd0 kernel/exit.c:845 do_group_exit+0x108/0x2c8 kernel/exit.c:922 get_signal+0x4e4/0x2a88 kernel/signal.c:2781 do_signal arch/arm64/kernel/signal.c:882 [inline] do_notify_resume+0x300/0x970 arch/arm64/kernel/signal.c:936 work_pending+0xc/0x2dc Allocated by task 0: slab_post_alloc_hook+0x50/0x5c0 mm/slab.h:516 slab_alloc_node mm/slub.c:2907 [inline] slab_alloc mm/slub.c:2915 [inline] kmem_cache_alloc+0x1f4/0x4c0 mm/slub.c:2920 alloc_pid+0xdc/0xc00 kernel/pid.c:180 copy_process+0x2794/0x5e18 kernel/fork.c:2129 kernel_clone+0x194/0x13c8 kernel/fork.c:2500 kernel_thread+0xd4/0x110 kernel/fork.c:2552 rest_init+0x44/0x4a0 init/main.c:687 arch_call_rest_init+0x1c/0x28 start_kernel+0x520/0x554 init/main.c:1064 0x0 Freed by task 270: slab_free_hook mm/slub.c:1562 [inline] slab_free_freelist_hook+0x98/0x260 mm/slub.c:1600 slab_free mm/slub.c:3161 [inline] kmem_cache_free+0x224/0x8e0 mm/slub.c:3177 put_pid.part.4+0xe0/0x1a8 kernel/pid.c:114 put_pid+0x30/0x48 kernel/pid.c:109 proc_do_cad_pid+0x190/0x1b0 kernel/sysctl.c:1401 proc_sys_call_handler+0x338/0x4b0 fs/proc/proc_sysctl.c:591 proc_sys_write+0x34/0x48 fs/proc/proc_sysctl.c:617 call_write_iter include/linux/fs.h:1977 [inline] new_sync_write+0x3ac/0x510 fs/read_write.c:518 vfs_write fs/read_write.c:605 [inline] vfs_write+0x9c4/0x1018 fs/read_write.c:585 ksys_write+0x124/0x240 fs/read_write.c:658 __do_sys_write fs/read_write.c:670 [inline] __se_sys_write fs/read_write.c:667 [inline] __arm64_sys_write+0x78/0xb0 fs/read_write.c:667 __invoke_syscall arch/arm64/kernel/syscall.c:37 [inline] invoke_syscall arch/arm64/kernel/syscall.c:49 [inline] el0_svc_common.constprop.1+0x16c/0x388 arch/arm64/kernel/syscall.c:129 do_el0_svc+0xf8/0x150 arch/arm64/kernel/syscall.c:168 el0_svc+0x28/0x38 arch/arm64/kernel/entry-common.c:416 el0_sync_handler+0x134/0x180 arch/arm64/kernel/entry-common.c:432 el0_sync+0x154/0x180 arch/arm64/kernel/entry.S:701 The buggy address belongs to the object at ffff23794dda0000 which belongs to the cache pid of size 224 The buggy address is located 4 bytes inside of 224-byte region [ff ---truncated--- CVE-2021-47118 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: ext4: fix memory leak in ext4_fill_super Buffer head references must be released before calling kill_bdev(); otherwise the buffer head (and its page referenced by b_data) will not be freed by kill_bdev, and subsequently that bh will be leaked. If blocksizes differ, sb_set_blocksize() will kill current buffers and page cache by using kill_bdev(). And then super block will be reread again but using correct blocksize this time. sb_set_blocksize() didn't fully free superblock page and buffer head, and being busy, they were not freed and instead leaked. This can easily be reproduced by calling an infinite loop of: systemctl start <ext4_on_lvm>.mount, and systemctl stop <ext4_on_lvm>.mount ... since systemd creates a cgroup for each slice which it mounts, and the bh leak get amplified by a dying memory cgroup that also never gets freed, and memory consumption is much more easily noticed. CVE-2021-47119 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: HID: magicmouse: fix NULL-deref on disconnect Commit 9d7b18668956 ("HID: magicmouse: add support for Apple Magic Trackpad 2") added a sanity check for an Apple trackpad but returned success instead of -ENODEV when the check failed. This means that the remove callback will dereference the never-initialised driver data pointer when the driver is later unbound (e.g. on USB disconnect). CVE-2021-47120 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: nvmet: fix freeing unallocated p2pmem In case p2p device was found but the p2p pool is empty, the nvme target is still trying to free the sgl from the p2p pool instead of the regular sgl pool and causing a crash (BUG() is called). Instead, assign the p2p_dev for the request only if it was allocated from p2p pool. This is the crash that was caused: [Sun May 30 19:13:53 2021] ------------[ cut here ]------------ [Sun May 30 19:13:53 2021] kernel BUG at lib/genalloc.c:518! [Sun May 30 19:13:53 2021] invalid opcode: 0000 [#1] SMP PTI ... [Sun May 30 19:13:53 2021] kernel BUG at lib/genalloc.c:518! ... [Sun May 30 19:13:53 2021] RIP: 0010:gen_pool_free_owner+0xa8/0xb0 ... [Sun May 30 19:13:53 2021] Call Trace: [Sun May 30 19:13:53 2021] ------------[ cut here ]------------ [Sun May 30 19:13:53 2021] pci_free_p2pmem+0x2b/0x70 [Sun May 30 19:13:53 2021] pci_p2pmem_free_sgl+0x4f/0x80 [Sun May 30 19:13:53 2021] nvmet_req_free_sgls+0x1e/0x80 [nvmet] [Sun May 30 19:13:53 2021] kernel BUG at lib/genalloc.c:518! [Sun May 30 19:13:53 2021] nvmet_rdma_release_rsp+0x4e/0x1f0 [nvmet_rdma] [Sun May 30 19:13:53 2021] nvmet_rdma_send_done+0x1c/0x60 [nvmet_rdma] CVE-2021-47130 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: net/tls: Fix use-after-free after the TLS device goes down and up When a netdev with active TLS offload goes down, tls_device_down is called to stop the offload and tear down the TLS context. However, the socket stays alive, and it still points to the TLS context, which is now deallocated. If a netdev goes up, while the connection is still active, and the data flow resumes after a number of TCP retransmissions, it will lead to a use-after-free of the TLS context. This commit addresses this bug by keeping the context alive until its normal destruction, and implements the necessary fallbacks, so that the connection can resume in software (non-offloaded) kTLS mode. On the TX side tls_sw_fallback is used to encrypt all packets. The RX side already has all the necessary fallbacks, because receiving non-decrypted packets is supported. The thing needed on the RX side is to block resync requests, which are normally produced after receiving non-decrypted packets. The necessary synchronization is implemented for a graceful teardown: first the fallbacks are deployed, then the driver resources are released (it used to be possible to have a tls_dev_resync after tls_dev_del). A new flag called TLS_RX_DEV_DEGRADED is added to indicate the fallback mode. It's used to skip the RX resync logic completely, as it becomes useless, and some objects may be released (for example, resync_async, which is allocated and freed by the driver). CVE-2021-47131 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 important In the Linux kernel, the following vulnerability has been resolved: net: zero-initialize tc skb extension on allocation Function skb_ext_add() doesn't initialize created skb extension with any value and leaves it up to the user. However, since extension of type TC_SKB_EXT originally contained only single value tc_skb_ext->chain its users used to just assign the chain value without setting whole extension memory to zero first. This assumption changed when TC_SKB_EXT extension was extended with additional fields but not all users were updated to initialize the new fields which leads to use of uninitialized memory afterwards. UBSAN log: [ 778.299821] UBSAN: invalid-load in net/openvswitch/flow.c:899:28 [ 778.301495] load of value 107 is not a valid value for type '_Bool' [ 778.303215] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.12.0-rc7+ #2 [ 778.304933] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 [ 778.307901] Call Trace: [ 778.308680] <IRQ> [ 778.309358] dump_stack+0xbb/0x107 [ 778.310307] ubsan_epilogue+0x5/0x40 [ 778.311167] __ubsan_handle_load_invalid_value.cold+0x43/0x48 [ 778.312454] ? memset+0x20/0x40 [ 778.313230] ovs_flow_key_extract.cold+0xf/0x14 [openvswitch] [ 778.314532] ovs_vport_receive+0x19e/0x2e0 [openvswitch] [ 778.315749] ? ovs_vport_find_upcall_portid+0x330/0x330 [openvswitch] [ 778.317188] ? create_prof_cpu_mask+0x20/0x20 [ 778.318220] ? arch_stack_walk+0x82/0xf0 [ 778.319153] ? secondary_startup_64_no_verify+0xb0/0xbb [ 778.320399] ? stack_trace_save+0x91/0xc0 [ 778.321362] ? stack_trace_consume_entry+0x160/0x160 [ 778.322517] ? lock_release+0x52e/0x760 [ 778.323444] netdev_frame_hook+0x323/0x610 [openvswitch] [ 778.324668] ? ovs_netdev_get_vport+0xe0/0xe0 [openvswitch] [ 778.325950] __netif_receive_skb_core+0x771/0x2db0 [ 778.327067] ? lock_downgrade+0x6e0/0x6f0 [ 778.328021] ? lock_acquire+0x565/0x720 [ 778.328940] ? generic_xdp_tx+0x4f0/0x4f0 [ 778.329902] ? inet_gro_receive+0x2a7/0x10a0 [ 778.330914] ? lock_downgrade+0x6f0/0x6f0 [ 778.331867] ? udp4_gro_receive+0x4c4/0x13e0 [ 778.332876] ? lock_release+0x52e/0x760 [ 778.333808] ? dev_gro_receive+0xcc8/0x2380 [ 778.334810] ? lock_downgrade+0x6f0/0x6f0 [ 778.335769] __netif_receive_skb_list_core+0x295/0x820 [ 778.336955] ? process_backlog+0x780/0x780 [ 778.337941] ? mlx5e_rep_tc_netdevice_event_unregister+0x20/0x20 [mlx5_core] [ 778.339613] ? seqcount_lockdep_reader_access.constprop.0+0xa7/0xc0 [ 778.341033] ? kvm_clock_get_cycles+0x14/0x20 [ 778.342072] netif_receive_skb_list_internal+0x5f5/0xcb0 [ 778.343288] ? __kasan_kmalloc+0x7a/0x90 [ 778.344234] ? mlx5e_handle_rx_cqe_mpwrq+0x9e0/0x9e0 [mlx5_core] [ 778.345676] ? mlx5e_xmit_xdp_frame_mpwqe+0x14d0/0x14d0 [mlx5_core] [ 778.347140] ? __netif_receive_skb_list_core+0x820/0x820 [ 778.348351] ? mlx5e_post_rx_mpwqes+0xa6/0x25d0 [mlx5_core] [ 778.349688] ? napi_gro_flush+0x26c/0x3c0 [ 778.350641] napi_complete_done+0x188/0x6b0 [ 778.351627] mlx5e_napi_poll+0x373/0x1b80 [mlx5_core] [ 778.352853] __napi_poll+0x9f/0x510 [ 778.353704] ? mlx5_flow_namespace_set_mode+0x260/0x260 [mlx5_core] [ 778.355158] net_rx_action+0x34c/0xa40 [ 778.356060] ? napi_threaded_poll+0x3d0/0x3d0 [ 778.357083] ? sched_clock_cpu+0x18/0x190 [ 778.358041] ? __common_interrupt+0x8e/0x1a0 [ 778.359045] __do_softirq+0x1ce/0x984 [ 778.359938] __irq_exit_rcu+0x137/0x1d0 [ 778.360865] irq_exit_rcu+0xa/0x20 [ 778.361708] common_interrupt+0x80/0xa0 [ 778.362640] </IRQ> [ 778.363212] asm_common_interrupt+0x1e/0x40 [ 778.364204] RIP: 0010:native_safe_halt+0xe/0x10 [ 778.365273] Code: 4f ff ff ff 4c 89 e7 e8 50 3f 40 fe e9 dc fe ff ff 48 89 df e8 43 3f 40 fe eb 90 cc e9 07 00 00 00 0f 00 2d 74 05 62 00 fb f4 <c3> 90 e9 07 00 00 00 0f 00 2d 64 05 62 00 f4 c3 cc cc 0f 1f 44 00 [ 778.369355] RSP: 0018:ffffffff84407e48 EFLAGS: 00000246 [ 778.370570] RAX ---truncated--- CVE-2021-47136 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: net: lantiq: fix memory corruption in RX ring In a situation where memory allocation or dma mapping fails, an invalid address is programmed into the descriptor. This can lead to memory corruption. If the memory allocation fails, DMA should reuse the previous skb and mapping and drop the packet. This patch also increments rx drop counter. CVE-2021-47137 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: cxgb4: avoid accessing registers when clearing filters Hardware register having the server TID base can contain invalid values when adapter is in bad state (for example, due to AER fatal error). Reading these invalid values in the register can lead to out-of-bound memory access. So, fix by using the saved server TID base when clearing filters. CVE-2021-47138 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: net: hns3: put off calling register_netdev() until client initialize complete Currently, the netdevice is registered before client initializing complete. So there is a timewindow between netdevice available and usable. In this case, if user try to change the channel number or ring param, it may cause the hns3_set_rx_cpu_rmap() being called twice, and report bug. [47199.416502] hns3 0000:35:00.0 eth1: set channels: tqp_num=1, rxfh=0 [47199.430340] hns3 0000:35:00.0 eth1: already uninitialized [47199.438554] hns3 0000:35:00.0: rss changes from 4 to 1 [47199.511854] hns3 0000:35:00.0: Channels changed, rss_size from 4 to 1, tqps from 4 to 1 [47200.163524] ------------[ cut here ]------------ [47200.171674] kernel BUG at lib/cpu_rmap.c:142! [47200.177847] Internal error: Oops - BUG: 0 [#1] PREEMPT SMP [47200.185259] Modules linked in: hclge(+) hns3(-) hns3_cae(O) hns_roce_hw_v2 hnae3 vfio_iommu_type1 vfio_pci vfio_virqfd vfio pv680_mii(O) [last unloaded: hclge] [47200.205912] CPU: 1 PID: 8260 Comm: ethtool Tainted: G O 5.11.0-rc3+ #1 [47200.215601] Hardware name: , xxxxxx 02/04/2021 [47200.223052] pstate: 60400009 (nZCv daif +PAN -UAO -TCO BTYPE=--) [47200.230188] pc : cpu_rmap_add+0x38/0x40 [47200.237472] lr : irq_cpu_rmap_add+0x84/0x140 [47200.243291] sp : ffff800010e93a30 [47200.247295] x29: ffff800010e93a30 x28: ffff082100584880 [47200.254155] x27: 0000000000000000 x26: 0000000000000000 [47200.260712] x25: 0000000000000000 x24: 0000000000000004 [47200.267241] x23: ffff08209ba03000 x22: ffff08209ba038c0 [47200.273789] x21: 000000000000003f x20: ffff0820e2bc1680 [47200.280400] x19: ffff0820c970ec80 x18: 00000000000000c0 [47200.286944] x17: 0000000000000000 x16: ffffb43debe4a0d0 [47200.293456] x15: fffffc2082990600 x14: dead000000000122 [47200.300059] x13: ffffffffffffffff x12: 000000000000003e [47200.306606] x11: ffff0820815b8080 x10: ffff53e411988000 [47200.313171] x9 : 0000000000000000 x8 : ffff0820e2bc1700 [47200.319682] x7 : 0000000000000000 x6 : 000000000000003f [47200.326170] x5 : 0000000000000040 x4 : ffff800010e93a20 [47200.332656] x3 : 0000000000000004 x2 : ffff0820c970ec80 [47200.339168] x1 : ffff0820e2bc1680 x0 : 0000000000000004 [47200.346058] Call trace: [47200.349324] cpu_rmap_add+0x38/0x40 [47200.354300] hns3_set_rx_cpu_rmap+0x6c/0xe0 [hns3] [47200.362294] hns3_reset_notify_init_enet+0x1cc/0x340 [hns3] [47200.370049] hns3_change_channels+0x40/0xb0 [hns3] [47200.376770] hns3_set_channels+0x12c/0x2a0 [hns3] [47200.383353] ethtool_set_channels+0x140/0x250 [47200.389772] dev_ethtool+0x714/0x23d0 [47200.394440] dev_ioctl+0x4cc/0x640 [47200.399277] sock_do_ioctl+0x100/0x2a0 [47200.404574] sock_ioctl+0x28c/0x470 [47200.409079] __arm64_sys_ioctl+0xb4/0x100 [47200.415217] el0_svc_common.constprop.0+0x84/0x210 [47200.422088] do_el0_svc+0x28/0x34 [47200.426387] el0_svc+0x28/0x70 [47200.431308] el0_sync_handler+0x1a4/0x1b0 [47200.436477] el0_sync+0x174/0x180 [47200.441562] Code: 11000405 79000c45 f8247861 d65f03c0 (d4210000) [47200.448869] ---[ end trace a01efe4ce42e5f34 ]--- The process is like below: excuting hns3_client_init | register_netdev() | hns3_set_channels() | | hns3_set_rx_cpu_rmap() hns3_reset_notify_uninit_enet() | | | quit without calling function | hns3_free_rx_cpu_rmap for flag | HNS3_NIC_STATE_INITED is unset. | | | hns3_reset_notify_init_enet() | | set HNS3_NIC_STATE_INITED call hns3_set_rx_cpu_rmap()-- crash Fix it by calling register_netdev() at the end of function hns3_client_init(). CVE-2021-47139 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: gve: Add NULL pointer checks when freeing irqs. When freeing notification blocks, we index priv->msix_vectors. If we failed to allocate priv->msix_vectors (see abort_with_msix_vectors) this could lead to a NULL pointer dereference if the driver is unloaded. CVE-2021-47141 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: Fix a use-after-free looks like we forget to set ttm->sg to NULL. Hit panic below [ 1235.844104] general protection fault, probably for non-canonical address 0x6b6b6b6b6b6b7b4b: 0000 [#1] SMP DEBUG_PAGEALLOC NOPTI [ 1235.989074] Call Trace: [ 1235.991751] sg_free_table+0x17/0x20 [ 1235.995667] amdgpu_ttm_backend_unbind.cold+0x4d/0xf7 [amdgpu] [ 1236.002288] amdgpu_ttm_backend_destroy+0x29/0x130 [amdgpu] [ 1236.008464] ttm_tt_destroy+0x1e/0x30 [ttm] [ 1236.013066] ttm_bo_cleanup_memtype_use+0x51/0xa0 [ttm] [ 1236.018783] ttm_bo_release+0x262/0xa50 [ttm] [ 1236.023547] ttm_bo_put+0x82/0xd0 [ttm] [ 1236.027766] amdgpu_bo_unref+0x26/0x50 [amdgpu] [ 1236.032809] amdgpu_amdkfd_gpuvm_alloc_memory_of_gpu+0x7aa/0xd90 [amdgpu] [ 1236.040400] kfd_ioctl_alloc_memory_of_gpu+0xe2/0x330 [amdgpu] [ 1236.046912] kfd_ioctl+0x463/0x690 [amdgpu] CVE-2021-47142 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. CVE-2021-47144 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: net: fec: fix the potential memory leak in fec_enet_init() If the memory allocated for cbd_base is failed, it should free the memory allocated for the queues, otherwise it causes memory leak. And if the memory allocated for the queues is failed, it can return error directly. CVE-2021-47150 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: i2c: i801: Don't generate an interrupt on bus reset Now that the i2c-i801 driver supports interrupts, setting the KILL bit in a attempt to recover from a timed out transaction triggers an interrupt. Unfortunately, the interrupt handler (i801_isr) is not prepared for this situation and will try to process the interrupt as if it was signaling the end of a successful transaction. In the case of a block transaction, this can result in an out-of-range memory access. This condition was reproduced several times by syzbot: https://syzkaller.appspot.com/bug?extid=ed71512d469895b5b34e https://syzkaller.appspot.com/bug?extid=8c8dedc0ba9e03f6c79e https://syzkaller.appspot.com/bug?extid=c8ff0b6d6c73d81b610e https://syzkaller.appspot.com/bug?extid=33f6c360821c399d69eb https://syzkaller.appspot.com/bug?extid=be15dc0b1933f04b043a https://syzkaller.appspot.com/bug?extid=b4d3fd1dfd53e90afd79 So disable interrupts while trying to reset the bus. Interrupts will be enabled again for the following transaction. CVE-2021-47153 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: net: dsa: mt7530: fix VLAN traffic leaks PCR_MATRIX field was set to all 1's when VLAN filtering is enabled, but was not reset when it is disabled, which may cause traffic leaks: ip link add br0 type bridge vlan_filtering 1 ip link add br1 type bridge vlan_filtering 1 ip link set swp0 master br0 ip link set swp1 master br1 ip link set br0 type bridge vlan_filtering 0 ip link set br1 type bridge vlan_filtering 0 # traffic in br0 and br1 will start leaking to each other As port_bridge_{add,del} have set up PCR_MATRIX properly, remove the PCR_MATRIX write from mt7530_port_set_vlan_aware. CVE-2021-47160 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: spi: spi-fsl-dspi: Fix a resource leak in an error handling path 'dspi_request_dma()' should be undone by a 'dspi_release_dma()' call in the error handling path of the probe function, as already done in the remove function CVE-2021-47161 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: Fix null deref accessing lag dev It could be the lag dev is null so stop processing the event. In bond_enslave() the active/backup slave being set before setting the upper dev so first event is without an upper dev. After setting the upper dev with bond_master_upper_dev_link() there is a second event and in that event we have an upper dev. CVE-2021-47164 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/meson: fix shutdown crash when component not probed When main component is not probed, by example when the dw-hdmi module is not loaded yet or in probe defer, the following crash appears on shutdown: Unable to handle kernel NULL pointer dereference at virtual address 0000000000000038 ... pc : meson_drv_shutdown+0x24/0x50 lr : platform_drv_shutdown+0x20/0x30 ... Call trace: meson_drv_shutdown+0x24/0x50 platform_drv_shutdown+0x20/0x30 device_shutdown+0x158/0x360 kernel_restart_prepare+0x38/0x48 kernel_restart+0x18/0x68 __do_sys_reboot+0x224/0x250 __arm64_sys_reboot+0x24/0x30 ... Simply check if the priv struct has been allocated before using it. CVE-2021-47165 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: NFS: Don't corrupt the value of pg_bytes_written in nfs_do_recoalesce() The value of mirror->pg_bytes_written should only be updated after a successful attempt to flush out the requests on the list. CVE-2021-47166 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: NFS: Fix an Oopsable condition in __nfs_pageio_add_request() Ensure that nfs_pageio_error_cleanup() resets the mirror array contents, so that the structure reflects the fact that it is now empty. Also change the test in nfs_pageio_do_add_request() to be more robust by checking whether or not the list is empty rather than relying on the value of pg_count. CVE-2021-47167 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: NFS: fix an incorrect limit in filelayout_decode_layout() The "sizeof(struct nfs_fh)" is two bytes too large and could lead to memory corruption. It should be NFS_MAXFHSIZE because that's the size of the ->data[] buffer. I reversed the size of the arguments to put the variable on the left. CVE-2021-47168 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: serial: rp2: use 'request_firmware' instead of 'request_firmware_nowait' In 'rp2_probe', the driver registers 'rp2_uart_interrupt' then calls 'rp2_fw_cb' through 'request_firmware_nowait'. In 'rp2_fw_cb', if the firmware don't exists, function just return without initializing ports of 'rp2_card'. But now the interrupt handler function has been registered, and when an interrupt comes, 'rp2_uart_interrupt' may access those ports then causing NULL pointer dereference or other bugs. Because the driver does some initialization work in 'rp2_fw_cb', in order to make the driver ready to handle interrupts, 'request_firmware' should be used instead of asynchronous 'request_firmware_nowait'. This report reveals it: INFO: trying to register non-static key. the code is fine but needs lockdep annotation. turning off the locking correctness validator. CPU: 2 PID: 0 Comm: swapper/2 Not tainted 4.19.177-gdba4159c14ef-dirty #45 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.12.0-59- gc9ba5276e321-prebuilt.qemu.org 04/01/2014 Call Trace: <IRQ> __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0xec/0x156 lib/dump_stack.c:118 assign_lock_key kernel/locking/lockdep.c:727 [inline] register_lock_class+0x14e5/0x1ba0 kernel/locking/lockdep.c:753 __lock_acquire+0x187/0x3750 kernel/locking/lockdep.c:3303 lock_acquire+0x124/0x340 kernel/locking/lockdep.c:3907 __raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline] _raw_spin_lock+0x32/0x50 kernel/locking/spinlock.c:144 spin_lock include/linux/spinlock.h:329 [inline] rp2_ch_interrupt drivers/tty/serial/rp2.c:466 [inline] rp2_asic_interrupt.isra.9+0x15d/0x990 drivers/tty/serial/rp2.c:493 rp2_uart_interrupt+0x49/0xe0 drivers/tty/serial/rp2.c:504 __handle_irq_event_percpu+0xfb/0x770 kernel/irq/handle.c:149 handle_irq_event_percpu+0x79/0x150 kernel/irq/handle.c:189 handle_irq_event+0xac/0x140 kernel/irq/handle.c:206 handle_fasteoi_irq+0x232/0x5c0 kernel/irq/chip.c:725 generic_handle_irq_desc include/linux/irqdesc.h:155 [inline] handle_irq+0x230/0x3a0 arch/x86/kernel/irq_64.c:87 do_IRQ+0xa7/0x1e0 arch/x86/kernel/irq.c:247 common_interrupt+0xf/0xf arch/x86/entry/entry_64.S:670 </IRQ> RIP: 0010:native_safe_halt+0x28/0x30 arch/x86/include/asm/irqflags.h:61 Code: 00 00 55 be 04 00 00 00 48 c7 c7 00 c2 2f 8c 48 89 e5 e8 fb 31 e7 f8 8b 05 75 af 8d 03 85 c0 7e 07 0f 00 2d 8a 61 65 00 fb f4 <5d> c3 90 90 90 90 90 90 0f 1f 44 00 00 55 48 89 e5 41 57 41 56 41 RSP: 0018:ffff88806b71fcc8 EFLAGS: 00000246 ORIG_RAX: ffffffffffffffde RAX: 0000000000000000 RBX: ffffffff8bde7e48 RCX: ffffffff88a21285 RDX: 0000000000000000 RSI: 0000000000000004 RDI: ffffffff8c2fc200 RBP: ffff88806b71fcc8 R08: fffffbfff185f840 R09: fffffbfff185f840 R10: 0000000000000001 R11: fffffbfff185f840 R12: 0000000000000002 R13: ffffffff8bea18a0 R14: 0000000000000000 R15: 0000000000000000 arch_safe_halt arch/x86/include/asm/paravirt.h:94 [inline] default_idle+0x6f/0x360 arch/x86/kernel/process.c:557 arch_cpu_idle+0xf/0x20 arch/x86/kernel/process.c:548 default_idle_call+0x3b/0x60 kernel/sched/idle.c:93 cpuidle_idle_call kernel/sched/idle.c:153 [inline] do_idle+0x2ab/0x3c0 kernel/sched/idle.c:263 cpu_startup_entry+0xcb/0xe0 kernel/sched/idle.c:369 start_secondary+0x3b8/0x4e0 arch/x86/kernel/smpboot.c:271 secondary_startup_64+0xa4/0xb0 arch/x86/kernel/head_64.S:243 BUG: unable to handle kernel NULL pointer dereference at 0000000000000010 PGD 8000000056d27067 P4D 8000000056d27067 PUD 56d28067 PMD 0 Oops: 0000 [#1] PREEMPT SMP KASAN PTI CPU: 2 PID: 0 Comm: swapper/2 Not tainted 4.19.177-gdba4159c14ef-dirty #45 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.12.0-59- gc9ba5276e321-prebuilt.qemu.org 04/01/2014 RIP: 0010:readl arch/x86/include/asm/io.h:59 [inline] RIP: 0010:rp2_ch_interrupt drivers/tty/serial/rp2.c:472 [inline] RIP: 0010:rp2_asic_interrupt.isra.9+0x181/0x990 drivers/tty/serial/rp2.c: 493 Co ---truncated--- CVE-2021-47169 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: USB: usbfs: Don't WARN about excessively large memory allocations Syzbot found that the kernel generates a WARNing if the user tries to submit a bulk transfer through usbfs with a buffer that is way too large. This isn't a bug in the kernel; it's merely an invalid request from the user and the usbfs code does handle it correctly. In theory the same thing can happen with async transfers, or with the packet descriptor table for isochronous transfers. To prevent the MM subsystem from complaining about these bad allocation requests, add the __GFP_NOWARN flag to the kmalloc calls for these buffers. CVE-2021-47170 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: net: usb: fix memory leak in smsc75xx_bind Syzbot reported memory leak in smsc75xx_bind(). The problem was is non-freed memory in case of errors after memory allocation. backtrace: [<ffffffff84245b62>] kmalloc include/linux/slab.h:556 [inline] [<ffffffff84245b62>] kzalloc include/linux/slab.h:686 [inline] [<ffffffff84245b62>] smsc75xx_bind+0x7a/0x334 drivers/net/usb/smsc75xx.c:1460 [<ffffffff82b5b2e6>] usbnet_probe+0x3b6/0xc30 drivers/net/usb/usbnet.c:1728 CVE-2021-47171 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: iio: adc: ad7124: Fix potential overflow due to non sequential channel numbers Channel numbering must start at 0 and then not have any holes, or it is possible to overflow the available storage. Note this bug was introduced as part of a fix to ensure we didn't rely on the ordering of child nodes. So we need to support arbitrary ordering but they all need to be there somewhere. Note I hit this when using qemu to test the rest of this series. Arguably this isn't the best fix, but it is probably the most minimal option for backporting etc. Alexandru's sign-off is here because he carried this patch in a larger set that Jonathan then applied. CVE-2021-47172 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: misc/uss720: fix memory leak in uss720_probe uss720_probe forgets to decrease the refcount of usbdev in uss720_probe. Fix this by decreasing the refcount of usbdev by usb_put_dev. BUG: memory leak unreferenced object 0xffff888101113800 (size 2048): comm "kworker/0:1", pid 7, jiffies 4294956777 (age 28.870s) hex dump (first 32 bytes): ff ff ff ff 31 00 00 00 00 00 00 00 00 00 00 00 ....1........... 00 00 00 00 00 00 00 00 00 00 00 00 03 00 00 00 ................ backtrace: [<ffffffff82b8e822>] kmalloc include/linux/slab.h:554 [inline] [<ffffffff82b8e822>] kzalloc include/linux/slab.h:684 [inline] [<ffffffff82b8e822>] usb_alloc_dev+0x32/0x450 drivers/usb/core/usb.c:582 [<ffffffff82b98441>] hub_port_connect drivers/usb/core/hub.c:5129 [inline] [<ffffffff82b98441>] hub_port_connect_change drivers/usb/core/hub.c:5363 [inline] [<ffffffff82b98441>] port_event drivers/usb/core/hub.c:5509 [inline] [<ffffffff82b98441>] hub_event+0x1171/0x20c0 drivers/usb/core/hub.c:5591 [<ffffffff81259229>] process_one_work+0x2c9/0x600 kernel/workqueue.c:2275 [<ffffffff81259b19>] worker_thread+0x59/0x5d0 kernel/workqueue.c:2421 [<ffffffff81261228>] kthread+0x178/0x1b0 kernel/kthread.c:292 [<ffffffff8100227f>] ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294 CVE-2021-47173 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_set_pipapo_avx2: Add irq_fpu_usable() check, fallback to non-AVX2 version Arturo reported this backtrace: [709732.358791] WARNING: CPU: 3 PID: 456 at arch/x86/kernel/fpu/core.c:128 kernel_fpu_begin_mask+0xae/0xe0 [709732.358793] Modules linked in: binfmt_misc nft_nat nft_chain_nat nf_nat nft_counter nft_ct nf_tables nf_conntrack_netlink nfnetlink 8021q garp stp mrp llc vrf intel_rapl_msr intel_rapl_common skx_edac nfit libnvdimm ipmi_ssif x86_pkg_temp_thermal intel_powerclamp coretemp crc32_pclmul mgag200 ghash_clmulni_intel drm_kms_helper cec aesni_intel drm libaes crypto_simd cryptd glue_helper mei_me dell_smbios iTCO_wdt evdev intel_pmc_bxt iTCO_vendor_support dcdbas pcspkr rapl dell_wmi_descriptor wmi_bmof sg i2c_algo_bit watchdog mei acpi_ipmi ipmi_si button nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 ipmi_devintf ipmi_msghandler ip_tables x_tables autofs4 ext4 crc16 mbcache jbd2 dm_mod raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor sd_mod t10_pi crc_t10dif crct10dif_generic raid6_pq libcrc32c crc32c_generic raid1 raid0 multipath linear md_mod ahci libahci tg3 libata xhci_pci libphy xhci_hcd ptp usbcore crct10dif_pclmul crct10dif_common bnxt_en crc32c_intel scsi_mod [709732.358941] pps_core i2c_i801 lpc_ich i2c_smbus wmi usb_common [709732.358957] CPU: 3 PID: 456 Comm: jbd2/dm-0-8 Not tainted 5.10.0-0.bpo.5-amd64 #1 Debian 5.10.24-1~bpo10+1 [709732.358959] Hardware name: Dell Inc. PowerEdge R440/04JN2K, BIOS 2.9.3 09/23/2020 [709732.358964] RIP: 0010:kernel_fpu_begin_mask+0xae/0xe0 [709732.358969] Code: ae 54 24 04 83 e3 01 75 38 48 8b 44 24 08 65 48 33 04 25 28 00 00 00 75 33 48 83 c4 10 5b c3 65 8a 05 5e 21 5e 76 84 c0 74 92 <0f> 0b eb 8e f0 80 4f 01 40 48 81 c7 00 14 00 00 e8 dd fb ff ff eb [709732.358972] RSP: 0018:ffffbb9700304740 EFLAGS: 00010202 [709732.358976] RAX: 0000000000000001 RBX: 0000000000000003 RCX: 0000000000000001 [709732.358979] RDX: ffffbb9700304970 RSI: ffff922fe1952e00 RDI: 0000000000000003 [709732.358981] RBP: ffffbb9700304970 R08: ffff922fc868a600 R09: ffff922fc711e462 [709732.358984] R10: 000000000000005f R11: ffff922ff0b27180 R12: ffffbb9700304960 [709732.358987] R13: ffffbb9700304b08 R14: ffff922fc664b6c8 R15: ffff922fc664b660 [709732.358990] FS: 0000000000000000(0000) GS:ffff92371fec0000(0000) knlGS:0000000000000000 [709732.358993] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [709732.358996] CR2: 0000557a6655bdd0 CR3: 000000026020a001 CR4: 00000000007706e0 [709732.358999] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [709732.359001] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [709732.359003] PKRU: 55555554 [709732.359005] Call Trace: [709732.359009] <IRQ> [709732.359035] nft_pipapo_avx2_lookup+0x4c/0x1cba [nf_tables] [709732.359046] ? sched_clock+0x5/0x10 [709732.359054] ? sched_clock_cpu+0xc/0xb0 [709732.359061] ? record_times+0x16/0x80 [709732.359068] ? plist_add+0xc1/0x100 [709732.359073] ? psi_group_change+0x47/0x230 [709732.359079] ? skb_clone+0x4d/0xb0 [709732.359085] ? enqueue_task_rt+0x22b/0x310 [709732.359098] ? bnxt_start_xmit+0x1e8/0xaf0 [bnxt_en] [709732.359102] ? packet_rcv+0x40/0x4a0 [709732.359121] nft_lookup_eval+0x59/0x160 [nf_tables] [709732.359133] nft_do_chain+0x350/0x500 [nf_tables] [709732.359152] ? nft_lookup_eval+0x59/0x160 [nf_tables] [709732.359163] ? nft_do_chain+0x364/0x500 [nf_tables] [709732.359172] ? fib4_rule_action+0x6d/0x80 [709732.359178] ? fib_rules_lookup+0x107/0x250 [709732.359184] nft_nat_do_chain+0x8a/0xf2 [nft_chain_nat] [709732.359193] nf_nat_inet_fn+0xea/0x210 [nf_nat] [709732.359202] nf_nat_ipv4_out+0x14/0xa0 [nf_nat] [709732.359207] nf_hook_slow+0x44/0xc0 [709732.359214] ip_output+0xd2/0x100 [709732.359221] ? __ip_finish_output+0x210/0x210 [709732.359226] ip_forward+0x37d/0x4a0 [709732.359232] ? ip4_key_hashfn+0xb0/0xb0 [709732.359238] ip_subli ---truncated--- CVE-2021-47174 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: net/sched: fq_pie: fix OOB access in the traffic path the following script: # tc qdisc add dev eth0 handle 0x1 root fq_pie flows 2 # tc qdisc add dev eth0 clsact # tc filter add dev eth0 egress matchall action skbedit priority 0x10002 # ping 192.0.2.2 -I eth0 -c2 -w1 -q produces the following splat: BUG: KASAN: slab-out-of-bounds in fq_pie_qdisc_enqueue+0x1314/0x19d0 [sch_fq_pie] Read of size 4 at addr ffff888171306924 by task ping/942 CPU: 3 PID: 942 Comm: ping Not tainted 5.12.0+ #441 Hardware name: Red Hat KVM, BIOS 1.11.1-4.module+el8.1.0+4066+0f1aadab 04/01/2014 Call Trace: dump_stack+0x92/0xc1 print_address_description.constprop.7+0x1a/0x150 kasan_report.cold.13+0x7f/0x111 fq_pie_qdisc_enqueue+0x1314/0x19d0 [sch_fq_pie] __dev_queue_xmit+0x1034/0x2b10 ip_finish_output2+0xc62/0x2120 __ip_finish_output+0x553/0xea0 ip_output+0x1ca/0x4d0 ip_send_skb+0x37/0xa0 raw_sendmsg+0x1c4b/0x2d00 sock_sendmsg+0xdb/0x110 __sys_sendto+0x1d7/0x2b0 __x64_sys_sendto+0xdd/0x1b0 do_syscall_64+0x3c/0x80 entry_SYSCALL_64_after_hwframe+0x44/0xae RIP: 0033:0x7fe69735c3eb Code: 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 f3 0f 1e fa 48 8d 05 75 42 2c 00 41 89 ca 8b 00 85 c0 75 14 b8 2c 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 75 c3 0f 1f 40 00 41 57 4d 89 c7 41 56 41 89 RSP: 002b:00007fff06d7fb38 EFLAGS: 00000246 ORIG_RAX: 000000000000002c RAX: ffffffffffffffda RBX: 000055e961413700 RCX: 00007fe69735c3eb RDX: 0000000000000040 RSI: 000055e961413700 RDI: 0000000000000003 RBP: 0000000000000040 R08: 000055e961410500 R09: 0000000000000010 R10: 0000000000000000 R11: 0000000000000246 R12: 00007fff06d81260 R13: 00007fff06d7fb40 R14: 00007fff06d7fc30 R15: 000055e96140f0a0 Allocated by task 917: kasan_save_stack+0x19/0x40 __kasan_kmalloc+0x7f/0xa0 __kmalloc_node+0x139/0x280 fq_pie_init+0x555/0x8e8 [sch_fq_pie] qdisc_create+0x407/0x11b0 tc_modify_qdisc+0x3c2/0x17e0 rtnetlink_rcv_msg+0x346/0x8e0 netlink_rcv_skb+0x120/0x380 netlink_unicast+0x439/0x630 netlink_sendmsg+0x719/0xbf0 sock_sendmsg+0xe2/0x110 ____sys_sendmsg+0x5ba/0x890 ___sys_sendmsg+0xe9/0x160 __sys_sendmsg+0xd3/0x170 do_syscall_64+0x3c/0x80 entry_SYSCALL_64_after_hwframe+0x44/0xae The buggy address belongs to the object at ffff888171306800 which belongs to the cache kmalloc-256 of size 256 The buggy address is located 36 bytes to the right of 256-byte region [ffff888171306800, ffff888171306900) The buggy address belongs to the page: page:00000000bcfb624e refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x171306 head:00000000bcfb624e order:1 compound_mapcount:0 flags: 0x17ffffc0010200(slab|head|node=0|zone=2|lastcpupid=0x1fffff) raw: 0017ffffc0010200 dead000000000100 dead000000000122 ffff888100042b40 raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff888171306800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff888171306880: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc >ffff888171306900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ^ ffff888171306980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff888171306a00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fix fq_pie traffic path to avoid selecting 'q->flows + q->flows_cnt' as a valid flow: it's an address beyond the allocated memory. CVE-2021-47175 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: s390/dasd: add missing discipline function Fix crash with illegal operation exception in dasd_device_tasklet. Commit b72949328869 ("s390/dasd: Prepare for additional path event handling") renamed the verify_path function for ECKD but not for FBA and DIAG. This leads to a panic when the path verification function is called for a FBA or DIAG device. Fix by defining a wrapper function for dasd_generic_verify_path(). CVE-2021-47176 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: iommu/vt-d: Fix sysfs leak in alloc_iommu() iommu_device_sysfs_add() is called before, so is has to be cleaned on subsequent errors. CVE-2021-47177 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: NFSv4: Fix a NULL pointer dereference in pnfs_mark_matching_lsegs_return() Commit de144ff4234f changes _pnfs_return_layout() to call pnfs_mark_matching_lsegs_return() passing NULL as the struct pnfs_layout_range argument. Unfortunately, pnfs_mark_matching_lsegs_return() doesn't check if we have a value here before dereferencing it, causing an oops. I'm able to hit this crash consistently when running connectathon basic tests on NFS v4.1/v4.2 against Ontap. CVE-2021-47179 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: NFC: nci: fix memory leak in nci_allocate_device nfcmrvl_disconnect fails to free the hci_dev field in struct nci_dev. Fix this by freeing hci_dev in nci_free_device. BUG: memory leak unreferenced object 0xffff888111ea6800 (size 1024): comm "kworker/1:0", pid 19, jiffies 4294942308 (age 13.580s) hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 00 60 fd 0c 81 88 ff ff .........`...... 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ backtrace: [<000000004bc25d43>] kmalloc include/linux/slab.h:552 [inline] [<000000004bc25d43>] kzalloc include/linux/slab.h:682 [inline] [<000000004bc25d43>] nci_hci_allocate+0x21/0xd0 net/nfc/nci/hci.c:784 [<00000000c59cff92>] nci_allocate_device net/nfc/nci/core.c:1170 [inline] [<00000000c59cff92>] nci_allocate_device+0x10b/0x160 net/nfc/nci/core.c:1132 [<00000000006e0a8e>] nfcmrvl_nci_register_dev+0x10a/0x1c0 drivers/nfc/nfcmrvl/main.c:153 [<000000004da1b57e>] nfcmrvl_probe+0x223/0x290 drivers/nfc/nfcmrvl/usb.c:345 [<00000000d506aed9>] usb_probe_interface+0x177/0x370 drivers/usb/core/driver.c:396 [<00000000bc632c92>] really_probe+0x159/0x4a0 drivers/base/dd.c:554 [<00000000f5009125>] driver_probe_device+0x84/0x100 drivers/base/dd.c:740 [<000000000ce658ca>] __device_attach_driver+0xee/0x110 drivers/base/dd.c:846 [<000000007067d05f>] bus_for_each_drv+0xb7/0x100 drivers/base/bus.c:431 [<00000000f8e13372>] __device_attach+0x122/0x250 drivers/base/dd.c:914 [<000000009cf68860>] bus_probe_device+0xc6/0xe0 drivers/base/bus.c:491 [<00000000359c965a>] device_add+0x5be/0xc30 drivers/base/core.c:3109 [<00000000086e4bd3>] usb_set_configuration+0x9d9/0xb90 drivers/usb/core/message.c:2164 [<00000000ca036872>] usb_generic_driver_probe+0x8c/0xc0 drivers/usb/core/generic.c:238 [<00000000d40d36f6>] usb_probe_device+0x5c/0x140 drivers/usb/core/driver.c:293 [<00000000bc632c92>] really_probe+0x159/0x4a0 drivers/base/dd.c:554 CVE-2021-47180 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: usb: musb: tusb6010: check return value after calling platform_get_resource() It will cause null-ptr-deref if platform_get_resource() returns NULL, we need check the return value. CVE-2021-47181 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: scsi: lpfc: Fix link down processing to address NULL pointer dereference If an FC link down transition while PLOGIs are outstanding to fabric well known addresses, outstanding ABTS requests may result in a NULL pointer dereference. Driver unload requests may hang with repeated "2878" log messages. The Link down processing results in ABTS requests for outstanding ELS requests. The Abort WQEs are sent for the ELSs before the driver had set the link state to down. Thus the driver is sending the Abort with the expectation that an ABTS will be sent on the wire. The Abort request is stalled waiting for the link to come up. In some conditions the driver may auto-complete the ELSs thus if the link does come up, the Abort completions may reference an invalid structure. Fix by ensuring that Abort set the flag to avoid link traffic if issued due to conditions where the link failed. CVE-2021-47183 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: i40e: Fix NULL ptr dereference on VSI filter sync Remove the reason of null pointer dereference in sync VSI filters. Added new I40E_VSI_RELEASING flag to signalize deleting and releasing of VSI resources to sync this thread with sync filters subtask. Without this patch it is possible to start update the VSI filter list after VSI is removed, that's causing a kernel oops. CVE-2021-47184 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: tty: tty_buffer: Fix the softlockup issue in flush_to_ldisc When running ltp testcase(ltp/testcases/kernel/pty/pty04.c) with arm64, there is a soft lockup, which look like this one: Workqueue: events_unbound flush_to_ldisc Call trace: dump_backtrace+0x0/0x1ec show_stack+0x24/0x30 dump_stack+0xd0/0x128 panic+0x15c/0x374 watchdog_timer_fn+0x2b8/0x304 __run_hrtimer+0x88/0x2c0 __hrtimer_run_queues+0xa4/0x120 hrtimer_interrupt+0xfc/0x270 arch_timer_handler_phys+0x40/0x50 handle_percpu_devid_irq+0x94/0x220 __handle_domain_irq+0x88/0xf0 gic_handle_irq+0x84/0xfc el1_irq+0xc8/0x180 slip_unesc+0x80/0x214 [slip] tty_ldisc_receive_buf+0x64/0x80 tty_port_default_receive_buf+0x50/0x90 flush_to_ldisc+0xbc/0x110 process_one_work+0x1d4/0x4b0 worker_thread+0x180/0x430 kthread+0x11c/0x120 In the testcase pty04, The first process call the write syscall to send data to the pty master. At the same time, the workqueue will do the flush_to_ldisc to pop data in a loop until there is no more data left. When the sender and workqueue running in different core, the sender sends data fastly in full time which will result in workqueue doing work in loop for a long time and occuring softlockup in flush_to_ldisc with kernel configured without preempt. So I add need_resched check and cond_resched in the flush_to_ldisc loop to avoid it. CVE-2021-47185 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: btrfs: fix memory ordering between normal and ordered work functions Ordered work functions aren't guaranteed to be handled by the same thread which executed the normal work functions. The only way execution between normal/ordered functions is synchronized is via the WORK_DONE_BIT, unfortunately the used bitops don't guarantee any ordering whatsoever. This manifested as seemingly inexplicable crashes on ARM64, where async_chunk::inode is seen as non-null in async_cow_submit which causes submit_compressed_extents to be called and crash occurs because async_chunk::inode suddenly became NULL. The call trace was similar to: pc : submit_compressed_extents+0x38/0x3d0 lr : async_cow_submit+0x50/0xd0 sp : ffff800015d4bc20 <registers omitted for brevity> Call trace: submit_compressed_extents+0x38/0x3d0 async_cow_submit+0x50/0xd0 run_ordered_work+0xc8/0x280 btrfs_work_helper+0x98/0x250 process_one_work+0x1f0/0x4ac worker_thread+0x188/0x504 kthread+0x110/0x114 ret_from_fork+0x10/0x18 Fix this by adding respective barrier calls which ensure that all accesses preceding setting of WORK_DONE_BIT are strictly ordered before setting the flag. At the same time add a read barrier after reading of WORK_DONE_BIT in run_ordered_work which ensures all subsequent loads would be strictly ordered after reading the bit. This in turn ensures are all accesses before WORK_DONE_BIT are going to be strictly ordered before any access that can occur in ordered_func. CVE-2021-47189 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: scsi: core: sysfs: Fix hang when device state is set via sysfs This fixes a regression added with: commit f0f82e2476f6 ("scsi: core: Fix capacity set to zero after offlinining device") The problem is that after iSCSI recovery, iscsid will call into the kernel to set the dev's state to running, and with that patch we now call scsi_rescan_device() with the state_mutex held. If the SCSI error handler thread is just starting to test the device in scsi_send_eh_cmnd() then it's going to try to grab the state_mutex. We are then stuck, because when scsi_rescan_device() tries to send its I/O scsi_queue_rq() calls -> scsi_host_queue_ready() -> scsi_host_in_recovery() which will return true (the host state is still in recovery) and I/O will just be requeued. scsi_send_eh_cmnd() will then never be able to grab the state_mutex to finish error handling. To prevent the deadlock move the rescan-related code to after we drop the state_mutex. This also adds a check for if we are already in the running state. This prevents extra scans and helps the iscsid case where if the transport class has already onlined the device during its recovery process then we don't need userspace to do it again plus possibly block that daemon. CVE-2021-47192 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: cfg80211: call cfg80211_stop_ap when switch from P2P_GO type If the userspace tools switch from NL80211_IFTYPE_P2P_GO to NL80211_IFTYPE_ADHOC via send_msg(NL80211_CMD_SET_INTERFACE), it does not call the cleanup cfg80211_stop_ap(), this leads to the initialization of in-use data. For example, this path re-init the sdata->assigned_chanctx_list while it is still an element of assigned_vifs list, and makes that linked list corrupt. CVE-2021-47194 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: scsi: lpfc: Fix use-after-free in lpfc_unreg_rpi() routine An error is detected with the following report when unloading the driver: "KASAN: use-after-free in lpfc_unreg_rpi+0x1b1b" The NLP_REG_LOGIN_SEND nlp_flag is set in lpfc_reg_fab_ctrl_node(), but the flag is not cleared upon completion of the login. This allows a second call to lpfc_unreg_rpi() to proceed with nlp_rpi set to LPFC_RPI_ALLOW_ERROR. This results in a use after free access when used as an rpi_ids array index. Fix by clearing the NLP_REG_LOGIN_SEND nlp_flag in lpfc_mbx_cmpl_fc_reg_login(). CVE-2021-47198 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/prime: Fix use after free in mmap with drm_gem_ttm_mmap drm_gem_ttm_mmap() drops a reference to the gem object on success. If the gem object's refcount == 1 on entry to drm_gem_prime_mmap(), that drop will free the gem object, and the subsequent drm_gem_object_get() will be a UAF. Fix by grabbing a reference before calling the mmap helper. This issue was forseen when the reference dropping was adding in commit 9786b65bc61ac ("drm/ttm: fix mmap refcounting"): "For that to work properly the drm_gem_object_get() call in drm_gem_ttm_mmap() must be moved so it happens before calling obj->funcs->mmap(), otherwise the gem refcount would go down to zero." CVE-2021-47200 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: iavf: free q_vectors before queues in iavf_disable_vf iavf_free_queues() clears adapter->num_active_queues, which iavf_free_q_vectors() relies on, so swap the order of these two function calls in iavf_disable_vf(). This resolves a panic encountered when the interface is disabled and then later brought up again after PF communication is restored. CVE-2021-47201 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: thermal: Fix NULL pointer dereferences in of_thermal_ functions of_parse_thermal_zones() parses the thermal-zones node and registers a thermal_zone device for each subnode. However, if a thermal zone is consuming a thermal sensor and that thermal sensor device hasn't probed yet, an attempt to set trip_point_*_temp for that thermal zone device can cause a NULL pointer dereference. Fix it. console:/sys/class/thermal/thermal_zone87 # echo 120000 > trip_point_0_temp ... Unable to handle kernel NULL pointer dereference at virtual address 0000000000000020 ... Call trace: of_thermal_set_trip_temp+0x40/0xc4 trip_point_temp_store+0xc0/0x1dc dev_attr_store+0x38/0x88 sysfs_kf_write+0x64/0xc0 kernfs_fop_write_iter+0x108/0x1d0 vfs_write+0x2f4/0x368 ksys_write+0x7c/0xec __arm64_sys_write+0x20/0x30 el0_svc_common.llvm.7279915941325364641+0xbc/0x1bc do_el0_svc+0x28/0xa0 el0_svc+0x14/0x24 el0_sync_handler+0x88/0xec el0_sync+0x1c0/0x200 While at it, fix the possible NULL pointer dereference in other functions as well: of_thermal_get_temp(), of_thermal_set_emul_temp(), of_thermal_get_trend(). CVE-2021-47202 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: scsi: lpfc: Fix list_add() corruption in lpfc_drain_txq() When parsing the txq list in lpfc_drain_txq(), the driver attempts to pass the requests to the adapter. If such an attempt fails, a local "fail_msg" string is set and a log message output. The job is then added to a completions list for cancellation. Processing of any further jobs from the txq list continues, but since "fail_msg" remains set, jobs are added to the completions list regardless of whether a wqe was passed to the adapter. If successfully added to txcmplq, jobs are added to both lists resulting in list corruption. Fix by clearing the fail_msg string after adding a job to the completions list. This stops the subsequent jobs from being added to the completions list unless they had an appropriate failure. CVE-2021-47203 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: usb: host: ohci-tmio: check return value after calling platform_get_resource() It will cause null-ptr-deref if platform_get_resource() returns NULL, we need check the return value. CVE-2021-47206 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: ALSA: gus: fix null pointer dereference on pointer block The pointer block return from snd_gf1_dma_next_block could be null, so there is a potential null pointer dereference issue. Fix this by adding a null check before dereference. CVE-2021-47207 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: net/mlx5: Update error handler for UCTX and UMEM In the fast unload flow, the device state is set to internal error, which indicates that the driver started the destroy process. In this case, when a destroy command is being executed, it should return MLX5_CMD_STAT_OK. Fix MLX5_CMD_OP_DESTROY_UCTX and MLX5_CMD_OP_DESTROY_UMEM to return OK instead of EIO. This fixes a call trace in the umem release process - [ 2633.536695] Call Trace: [ 2633.537518] ib_uverbs_remove_one+0xc3/0x140 [ib_uverbs] [ 2633.538596] remove_client_context+0x8b/0xd0 [ib_core] [ 2633.539641] disable_device+0x8c/0x130 [ib_core] [ 2633.540615] __ib_unregister_device+0x35/0xa0 [ib_core] [ 2633.541640] ib_unregister_device+0x21/0x30 [ib_core] [ 2633.542663] __mlx5_ib_remove+0x38/0x90 [mlx5_ib] [ 2633.543640] auxiliary_bus_remove+0x1e/0x30 [auxiliary] [ 2633.544661] device_release_driver_internal+0x103/0x1f0 [ 2633.545679] bus_remove_device+0xf7/0x170 [ 2633.546640] device_del+0x181/0x410 [ 2633.547606] mlx5_rescan_drivers_locked.part.10+0x63/0x160 [mlx5_core] [ 2633.548777] mlx5_unregister_device+0x27/0x40 [mlx5_core] [ 2633.549841] mlx5_uninit_one+0x21/0xc0 [mlx5_core] [ 2633.550864] remove_one+0x69/0xe0 [mlx5_core] [ 2633.551819] pci_device_remove+0x3b/0xc0 [ 2633.552731] device_release_driver_internal+0x103/0x1f0 [ 2633.553746] unbind_store+0xf6/0x130 [ 2633.554657] kernfs_fop_write+0x116/0x190 [ 2633.555567] vfs_write+0xa5/0x1a0 [ 2633.556407] ksys_write+0x4f/0xb0 [ 2633.557233] do_syscall_64+0x5b/0x1a0 [ 2633.558071] entry_SYSCALL_64_after_hwframe+0x65/0xca [ 2633.559018] RIP: 0033:0x7f9977132648 [ 2633.559821] Code: 89 02 48 c7 c0 ff ff ff ff eb b3 0f 1f 80 00 00 00 00 f3 0f 1e fa 48 8d 05 55 6f 2d 00 8b 00 85 c0 75 17 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 58 c3 0f 1f 80 00 00 00 00 41 54 49 89 d4 55 [ 2633.562332] RSP: 002b:00007fffb1a83888 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 [ 2633.563472] RAX: ffffffffffffffda RBX: 000000000000000c RCX: 00007f9977132648 [ 2633.564541] RDX: 000000000000000c RSI: 000055b90546e230 RDI: 0000000000000001 [ 2633.565596] RBP: 000055b90546e230 R08: 00007f9977406860 R09: 00007f9977a54740 [ 2633.566653] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f99774056e0 [ 2633.567692] R13: 000000000000000c R14: 00007f9977400880 R15: 000000000000000c [ 2633.568725] ---[ end trace 10b4fe52945e544d ]--- CVE-2021-47212 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: scsi: advansys: Fix kernel pointer leak Pointers should be printed with %p or %px rather than cast to 'unsigned long' and printed with %lx. Change %lx to %p to print the hashed pointer. CVE-2021-47216 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 low This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. CVE-2021-47220 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: x86/fpu: Prevent state corruption in __fpu__restore_sig() The non-compacted slowpath uses __copy_from_user() and copies the entire user buffer into the kernel buffer, verbatim. This means that the kernel buffer may now contain entirely invalid state on which XRSTOR will #GP. validate_user_xstate_header() can detect some of that corruption, but that leaves the onus on callers to clear the buffer. Prior to XSAVES support, it was possible just to reinitialize the buffer, completely, but with supervisor states that is not longer possible as the buffer clearing code split got it backwards. Fixing that is possible but not corrupting the state in the first place is more robust. Avoid corruption of the kernel XSAVE buffer by using copy_user_to_xstate() which validates the XSAVE header contents before copying the actual states to the kernel. copy_user_to_xstate() was previously only called for compacted-format kernel buffers, but it works for both compacted and non-compacted forms. Using it for the non-compacted form is slower because of multiple __copy_from_user() operations, but that cost is less important than robust code in an already slow path. [ Changelog polished by Dave Hansen ] CVE-2021-47227 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: x86/ioremap: Map EFI-reserved memory as encrypted for SEV Some drivers require memory that is marked as EFI boot services data. In order for this memory to not be re-used by the kernel after ExitBootServices(), efi_mem_reserve() is used to preserve it by inserting a new EFI memory descriptor and marking it with the EFI_MEMORY_RUNTIME attribute. Under SEV, memory marked with the EFI_MEMORY_RUNTIME attribute needs to be mapped encrypted by Linux, otherwise the kernel might crash at boot like below: EFI Variables Facility v0.08 2004-May-17 general protection fault, probably for non-canonical address 0x3597688770a868b2: 0000 [#1] SMP NOPTI CPU: 13 PID: 1 Comm: swapper/0 Not tainted 5.12.4-2-default #1 openSUSE Tumbleweed Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015 RIP: 0010:efi_mokvar_entry_next [...] Call Trace: efi_mokvar_sysfs_init ? efi_mokvar_table_init do_one_initcall ? __kmalloc kernel_init_freeable ? rest_init kernel_init ret_from_fork Expand the __ioremap_check_other() function to additionally check for this other type of boot data reserved at runtime and indicate that it should be mapped encrypted for an SEV guest. [ bp: Massage commit message. ] CVE-2021-47228 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 low In the Linux kernel, the following vulnerability has been resolved: PCI: aardvark: Fix kernel panic during PIO transfer Trying to start a new PIO transfer by writing value 0 in PIO_START register when previous transfer has not yet completed (which is indicated by value 1 in PIO_START) causes an External Abort on CPU, which results in kernel panic: SError Interrupt on CPU0, code 0xbf000002 -- SError Kernel panic - not syncing: Asynchronous SError Interrupt To prevent kernel panic, it is required to reject a new PIO transfer when previous one has not finished yet. If previous PIO transfer is not finished yet, the kernel may issue a new PIO request only if the previous PIO transfer timed out. In the past the root cause of this issue was incorrectly identified (as it often happens during link retraining or after link down event) and special hack was implemented in Trusted Firmware to catch all SError events in EL3, to ignore errors with code 0xbf000002 and not forwarding any other errors to kernel and instead throw panic from EL3 Trusted Firmware handler. Links to discussion and patches about this issue: https://git.trustedfirmware.org/TF-A/trusted-firmware-a.git/commit/?id=3c7dcdac5c50 https://lore.kernel.org/linux-pci/20190316161243.29517-1-repk@triplefau.lt/ https://lore.kernel.org/linux-pci/971be151d24312cc533989a64bd454b4@www.loen.fr/ https://review.trustedfirmware.org/c/TF-A/trusted-firmware-a/+/1541 But the real cause was the fact that during link retraining or after link down event the PIO transfer may take longer time, up to the 1.44s until it times out. This increased probability that a new PIO transfer would be issued by kernel while previous one has not finished yet. After applying this change into the kernel, it is possible to revert the mentioned TF-A hack and SError events do not have to be caught in TF-A EL3. CVE-2021-47229 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: KVM: x86: Immediately reset the MMU context when the SMM flag is cleared Immediately reset the MMU context when the vCPU's SMM flag is cleared so that the SMM flag in the MMU role is always synchronized with the vCPU's flag. If RSM fails (which isn't correctly emulated), KVM will bail without calling post_leave_smm() and leave the MMU in a bad state. The bad MMU role can lead to a NULL pointer dereference when grabbing a shadow page's rmap for a page fault as the initial lookups for the gfn will happen with the vCPU's SMM flag (=0), whereas the rmap lookup will use the shadow page's SMM flag, which comes from the MMU (=1). SMM has an entirely different set of memslots, and so the initial lookup can find a memslot (SMM=0) and then explode on the rmap memslot lookup (SMM=1). general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] CPU: 1 PID: 8410 Comm: syz-executor382 Not tainted 5.13.0-rc5-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 RIP: 0010:__gfn_to_rmap arch/x86/kvm/mmu/mmu.c:935 [inline] RIP: 0010:gfn_to_rmap+0x2b0/0x4d0 arch/x86/kvm/mmu/mmu.c:947 Code: <42> 80 3c 20 00 74 08 4c 89 ff e8 f1 79 a9 00 4c 89 fb 4d 8b 37 44 RSP: 0018:ffffc90000ffef98 EFLAGS: 00010246 RAX: 0000000000000000 RBX: ffff888015b9f414 RCX: ffff888019669c40 RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000001 RBP: 0000000000000001 R08: ffffffff811d9cdb R09: ffffed10065a6002 R10: ffffed10065a6002 R11: 0000000000000000 R12: dffffc0000000000 R13: 0000000000000003 R14: 0000000000000001 R15: 0000000000000000 FS: 000000000124b300(0000) GS:ffff8880b9b00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000000 CR3: 0000000028e31000 CR4: 00000000001526e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: rmap_add arch/x86/kvm/mmu/mmu.c:965 [inline] mmu_set_spte+0x862/0xe60 arch/x86/kvm/mmu/mmu.c:2604 __direct_map arch/x86/kvm/mmu/mmu.c:2862 [inline] direct_page_fault+0x1f74/0x2b70 arch/x86/kvm/mmu/mmu.c:3769 kvm_mmu_do_page_fault arch/x86/kvm/mmu.h:124 [inline] kvm_mmu_page_fault+0x199/0x1440 arch/x86/kvm/mmu/mmu.c:5065 vmx_handle_exit+0x26/0x160 arch/x86/kvm/vmx/vmx.c:6122 vcpu_enter_guest+0x3bdd/0x9630 arch/x86/kvm/x86.c:9428 vcpu_run+0x416/0xc20 arch/x86/kvm/x86.c:9494 kvm_arch_vcpu_ioctl_run+0x4e8/0xa40 arch/x86/kvm/x86.c:9722 kvm_vcpu_ioctl+0x70f/0xbb0 arch/x86/kvm/../../../virt/kvm/kvm_main.c:3460 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:1069 [inline] __se_sys_ioctl+0xfb/0x170 fs/ioctl.c:1055 do_syscall_64+0x3f/0xb0 arch/x86/entry/common.c:47 entry_SYSCALL_64_after_hwframe+0x44/0xae RIP: 0033:0x440ce9 CVE-2021-47230 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: can: mcba_usb: fix memory leak in mcba_usb Syzbot reported memory leak in SocketCAN driver for Microchip CAN BUS Analyzer Tool. The problem was in unfreed usb_coherent. In mcba_usb_start() 20 coherent buffers are allocated and there is nothing, that frees them: 1) In callback function the urb is resubmitted and that's all 2) In disconnect function urbs are simply killed, but URB_FREE_BUFFER is not set (see mcba_usb_start) and this flag cannot be used with coherent buffers. Fail log: | [ 1354.053291][ T8413] mcba_usb 1-1:0.0 can0: device disconnected | [ 1367.059384][ T8420] kmemleak: 20 new suspected memory leaks (see /sys/kernel/debug/kmem) So, all allocated buffers should be freed with usb_free_coherent() explicitly NOTE: The same pattern for allocating and freeing coherent buffers is used in drivers/net/can/usb/kvaser_usb/kvaser_usb_core.c CVE-2021-47231 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: net: ethernet: fix potential use-after-free in ec_bhf_remove static void ec_bhf_remove(struct pci_dev *dev) { ... struct ec_bhf_priv *priv = netdev_priv(net_dev); unregister_netdev(net_dev); free_netdev(net_dev); pci_iounmap(dev, priv->dma_io); pci_iounmap(dev, priv->io); ... } priv is netdev private data, but it is used after free_netdev(). It can cause use-after-free when accessing priv pointer. So, fix it by moving free_netdev() after pci_iounmap() calls. CVE-2021-47235 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: net: cdc_eem: fix tx fixup skb leak when usbnet transmit a skb, eem fixup it in eem_tx_fixup(), if skb_copy_expand() failed, it return NULL, usbnet_start_xmit() will have no chance to free original skb. fix it by free orginal skb in eem_tx_fixup() first, then check skb clone status, if failed, return NULL to usbnet. CVE-2021-47236 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: net: usb: fix possible use-after-free in smsc75xx_bind The commit 46a8b29c6306 ("net: usb: fix memory leak in smsc75xx_bind") fails to clean up the work scheduled in smsc75xx_reset-> smsc75xx_set_multicast, which leads to use-after-free if the work is scheduled to start after the deallocation. In addition, this patch also removes a dangling pointer - dev->data[0]. This patch calls cancel_work_sync to cancel the scheduled work and set the dangling pointer to NULL. CVE-2021-47239 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: ethtool: strset: fix message length calculation Outer nest for ETHTOOL_A_STRSET_STRINGSETS is not accounted for. This may result in ETHTOOL_MSG_STRSET_GET producing a warning like: calculated message payload length (684) not sufficient WARNING: CPU: 0 PID: 30967 at net/ethtool/netlink.c:369 ethnl_default_doit+0x87a/0xa20 and a splat. As usually with such warnings three conditions must be met for the warning to trigger: - there must be no skb size rounding up (e.g. reply_size of 684); - string set must be per-device (so that the header gets populated); - the device name must be at least 12 characters long. all in all with current user space it looks like reading priv flags is the only place this could potentially happen. Or with syzbot :) CVE-2021-47241 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: Fix page reclaim for dead peer hairpin When adding a hairpin flow, a firmware-side send queue is created for the peer net device, which claims some host memory pages for its internal ring buffer. If the peer net device is removed/unbound before the hairpin flow is deleted, then the send queue is not destroyed which leads to a stack trace on pci device remove: [ 748.005230] mlx5_core 0000:08:00.2: wait_func:1094:(pid 12985): MANAGE_PAGES(0x108) timeout. Will cause a leak of a command resource [ 748.005231] mlx5_core 0000:08:00.2: reclaim_pages:514:(pid 12985): failed reclaiming pages: err -110 [ 748.001835] mlx5_core 0000:08:00.2: mlx5_reclaim_root_pages:653:(pid 12985): failed reclaiming pages (-110) for func id 0x0 [ 748.002171] ------------[ cut here ]------------ [ 748.001177] FW pages counter is 4 after reclaiming all pages [ 748.001186] WARNING: CPU: 1 PID: 12985 at drivers/net/ethernet/mellanox/mlx5/core/pagealloc.c:685 mlx5_reclaim_startup_pages+0x34b/0x460 [mlx5_core] [ +0.002771] Modules linked in: cls_flower mlx5_ib mlx5_core ptp pps_core act_mirred sch_ingress openvswitch nsh xt_conntrack xt_MASQUERADE nf_conntrack_netlink nfnetlink xt_addrtype iptable_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 br_netfilter rpcrdma rdma_ucm ib_iser libiscsi scsi_transport_iscsi rdma_cm ib_umad ib_ipoib iw_cm ib_cm ib_uverbs ib_core overlay fuse [last unloaded: pps_core] [ 748.007225] CPU: 1 PID: 12985 Comm: tee Not tainted 5.12.0+ #1 [ 748.001376] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 [ 748.002315] RIP: 0010:mlx5_reclaim_startup_pages+0x34b/0x460 [mlx5_core] [ 748.001679] Code: 28 00 00 00 0f 85 22 01 00 00 48 81 c4 b0 00 00 00 31 c0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 48 c7 c7 40 cc 19 a1 e8 9f 71 0e e2 <0f> 0b e9 30 ff ff ff 48 c7 c7 a0 cc 19 a1 e8 8c 71 0e e2 0f 0b e9 [ 748.003781] RSP: 0018:ffff88815220faf8 EFLAGS: 00010286 [ 748.001149] RAX: 0000000000000000 RBX: ffff8881b4900280 RCX: 0000000000000000 [ 748.001445] RDX: 0000000000000027 RSI: 0000000000000004 RDI: ffffed102a441f51 [ 748.001614] RBP: 00000000000032b9 R08: 0000000000000001 R09: ffffed1054a15ee8 [ 748.001446] R10: ffff8882a50af73b R11: ffffed1054a15ee7 R12: fffffbfff07c1e30 [ 748.001447] R13: dffffc0000000000 R14: ffff8881b492cba8 R15: 0000000000000000 [ 748.001429] FS: 00007f58bd08b580(0000) GS:ffff8882a5080000(0000) knlGS:0000000000000000 [ 748.001695] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 748.001309] CR2: 000055a026351740 CR3: 00000001d3b48006 CR4: 0000000000370ea0 [ 748.001506] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 748.001483] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 748.001654] Call Trace: [ 748.000576] ? mlx5_satisfy_startup_pages+0x290/0x290 [mlx5_core] [ 748.001416] ? mlx5_cmd_teardown_hca+0xa2/0xd0 [mlx5_core] [ 748.001354] ? mlx5_cmd_init_hca+0x280/0x280 [mlx5_core] [ 748.001203] mlx5_function_teardown+0x30/0x60 [mlx5_core] [ 748.001275] mlx5_uninit_one+0xa7/0xc0 [mlx5_core] [ 748.001200] remove_one+0x5f/0xc0 [mlx5_core] [ 748.001075] pci_device_remove+0x9f/0x1d0 [ 748.000833] device_release_driver_internal+0x1e0/0x490 [ 748.001207] unbind_store+0x19f/0x200 [ 748.000942] ? sysfs_file_ops+0x170/0x170 [ 748.001000] kernfs_fop_write_iter+0x2bc/0x450 [ 748.000970] new_sync_write+0x373/0x610 [ 748.001124] ? new_sync_read+0x600/0x600 [ 748.001057] ? lock_acquire+0x4d6/0x700 [ 748.000908] ? lockdep_hardirqs_on_prepare+0x400/0x400 [ 748.001126] ? fd_install+0x1c9/0x4d0 [ 748.000951] vfs_write+0x4d0/0x800 [ 748.000804] ksys_write+0xf9/0x1d0 [ 748.000868] ? __x64_sys_read+0xb0/0xb0 [ 748.000811] ? filp_open+0x50/0x50 [ 748.000919] ? syscall_enter_from_user_mode+0x1d/0x50 [ 748.001223] do_syscall_64+0x3f/0x80 [ 748.000892] entry_SYSCALL_64_after_hwframe+0x44/0xae [ 748.00 ---truncated--- CVE-2021-47246 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 low In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: Fix use-after-free of encap entry in neigh update handler Function mlx5e_rep_neigh_update() wasn't updated to accommodate rtnl lock removal from TC filter update path and properly handle concurrent encap entry insertion/deletion which can lead to following use-after-free: [23827.464923] ================================================================== [23827.469446] BUG: KASAN: use-after-free in mlx5e_encap_take+0x72/0x140 [mlx5_core] [23827.470971] Read of size 4 at addr ffff8881d132228c by task kworker/u20:6/21635 [23827.472251] [23827.472615] CPU: 9 PID: 21635 Comm: kworker/u20:6 Not tainted 5.13.0-rc3+ #5 [23827.473788] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 [23827.475639] Workqueue: mlx5e mlx5e_rep_neigh_update [mlx5_core] [23827.476731] Call Trace: [23827.477260] dump_stack+0xbb/0x107 [23827.477906] print_address_description.constprop.0+0x18/0x140 [23827.478896] ? mlx5e_encap_take+0x72/0x140 [mlx5_core] [23827.479879] ? mlx5e_encap_take+0x72/0x140 [mlx5_core] [23827.480905] kasan_report.cold+0x7c/0xd8 [23827.481701] ? mlx5e_encap_take+0x72/0x140 [mlx5_core] [23827.482744] kasan_check_range+0x145/0x1a0 [23827.493112] mlx5e_encap_take+0x72/0x140 [mlx5_core] [23827.494054] ? mlx5e_tc_tun_encap_info_equal_generic+0x140/0x140 [mlx5_core] [23827.495296] mlx5e_rep_neigh_update+0x41e/0x5e0 [mlx5_core] [23827.496338] ? mlx5e_rep_neigh_entry_release+0xb80/0xb80 [mlx5_core] [23827.497486] ? read_word_at_a_time+0xe/0x20 [23827.498250] ? strscpy+0xa0/0x2a0 [23827.498889] process_one_work+0x8ac/0x14e0 [23827.499638] ? lockdep_hardirqs_on_prepare+0x400/0x400 [23827.500537] ? pwq_dec_nr_in_flight+0x2c0/0x2c0 [23827.501359] ? rwlock_bug.part.0+0x90/0x90 [23827.502116] worker_thread+0x53b/0x1220 [23827.502831] ? process_one_work+0x14e0/0x14e0 [23827.503627] kthread+0x328/0x3f0 [23827.504254] ? _raw_spin_unlock_irq+0x24/0x40 [23827.505065] ? __kthread_bind_mask+0x90/0x90 [23827.505912] ret_from_fork+0x1f/0x30 [23827.506621] [23827.506987] Allocated by task 28248: [23827.507694] kasan_save_stack+0x1b/0x40 [23827.508476] __kasan_kmalloc+0x7c/0x90 [23827.509197] mlx5e_attach_encap+0xde1/0x1d40 [mlx5_core] [23827.510194] mlx5e_tc_add_fdb_flow+0x397/0xc40 [mlx5_core] [23827.511218] __mlx5e_add_fdb_flow+0x519/0xb30 [mlx5_core] [23827.512234] mlx5e_configure_flower+0x191c/0x4870 [mlx5_core] [23827.513298] tc_setup_cb_add+0x1d5/0x420 [23827.514023] fl_hw_replace_filter+0x382/0x6a0 [cls_flower] [23827.514975] fl_change+0x2ceb/0x4a51 [cls_flower] [23827.515821] tc_new_tfilter+0x89a/0x2070 [23827.516548] rtnetlink_rcv_msg+0x644/0x8c0 [23827.517300] netlink_rcv_skb+0x11d/0x340 [23827.518021] netlink_unicast+0x42b/0x700 [23827.518742] netlink_sendmsg+0x743/0xc20 [23827.519467] sock_sendmsg+0xb2/0xe0 [23827.520131] ____sys_sendmsg+0x590/0x770 [23827.520851] ___sys_sendmsg+0xd8/0x160 [23827.521552] __sys_sendmsg+0xb7/0x140 [23827.522238] do_syscall_64+0x3a/0x70 [23827.522907] entry_SYSCALL_64_after_hwframe+0x44/0xae [23827.523797] [23827.524163] Freed by task 25948: [23827.524780] kasan_save_stack+0x1b/0x40 [23827.525488] kasan_set_track+0x1c/0x30 [23827.526187] kasan_set_free_info+0x20/0x30 [23827.526968] __kasan_slab_free+0xed/0x130 [23827.527709] slab_free_freelist_hook+0xcf/0x1d0 [23827.528528] kmem_cache_free_bulk+0x33a/0x6e0 [23827.529317] kfree_rcu_work+0x55f/0xb70 [23827.530024] process_one_work+0x8ac/0x14e0 [23827.530770] worker_thread+0x53b/0x1220 [23827.531480] kthread+0x328/0x3f0 [23827.532114] ret_from_fork+0x1f/0x30 [23827.532785] [23827.533147] Last potentially related work creation: [23827.534007] kasan_save_stack+0x1b/0x40 [23827.534710] kasan_record_aux_stack+0xab/0xc0 [23827.535492] kvfree_call_rcu+0x31/0x7b0 [23827.536206] mlx5e_tc_del ---truncated--- CVE-2021-47247 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 important In the Linux kernel, the following vulnerability has been resolved: batman-adv: Avoid WARN_ON timing related checks The soft/batadv interface for a queued OGM can be changed during the time the OGM was queued for transmission and when the OGM is actually transmitted by the worker. But WARN_ON must be used to denote kernel bugs and not to print simple warnings. A warning can simply be printed using pr_warn. CVE-2021-47252 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 low In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Fix potential memory leak in DMUB hw_init [Why] On resume we perform DMUB hw_init which allocates memory: dm_resume->dm_dmub_hw_init->dc_dmub_srv_create->kzalloc That results in memory leak in suspend/resume scenarios. [How] Allocate memory for the DC wrapper to DMUB only if it was not allocated before. No need to reallocate it on suspend/resume. CVE-2021-47253 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 low In the Linux kernel, the following vulnerability has been resolved: gfs2: Fix use-after-free in gfs2_glock_shrink_scan The GLF_LRU flag is checked under lru_lock in gfs2_glock_remove_from_lru() to remove the glock from the lru list in __gfs2_glock_put(). On the shrink scan path, the same flag is cleared under lru_lock but because of cond_resched_lock(&lru_lock) in gfs2_dispose_glock_lru(), progress on the put side can be made without deleting the glock from the lru list. Keep GLF_LRU across the race window opened by cond_resched_lock(&lru_lock) to ensure correct behavior on both sides - clear GLF_LRU after list_del under lru_lock. CVE-2021-47254 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: kvm: LAPIC: Restore guard to prevent illegal APIC register access Per the SDM, "any access that touches bytes 4 through 15 of an APIC register may cause undefined behavior and must not be executed." Worse, such an access in kvm_lapic_reg_read can result in a leak of kernel stack contents. Prior to commit 01402cf81051 ("kvm: LAPIC: write down valid APIC registers"), such an access was explicitly disallowed. Restore the guard that was removed in that commit. CVE-2021-47255 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: scsi: core: Fix error handling of scsi_host_alloc() After device is initialized via device_initialize(), or its name is set via dev_set_name(), the device has to be freed via put_device(). Otherwise device name will be leaked because it is allocated dynamically in dev_set_name(). Fix the leak by replacing kfree() with put_device(). Since scsi_host_dev_release() properly handles IDA and kthread removal, remove special-casing these from the error handling as well. CVE-2021-47258 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 low In the Linux kernel, the following vulnerability has been resolved: NFS: Fix use-after-free in nfs4_init_client() KASAN reports a use-after-free when attempting to mount two different exports through two different NICs that belong to the same server. Olga was able to hit this with kernels starting somewhere between 5.7 and 5.10, but I traced the patch that introduced the clear_bit() call to 4.13. So something must have changed in the refcounting of the clp pointer to make this call to nfs_put_client() the very last one. CVE-2021-47259 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 important In the Linux kernel, the following vulnerability has been resolved: NFS: Fix a potential NULL dereference in nfs_get_client() None of the callers are expecting NULL returns from nfs_get_client() so this code will lead to an Oops. It's better to return an error pointer. I expect that this is dead code so hopefully no one is affected. CVE-2021-47260 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: IB/mlx5: Fix initializing CQ fragments buffer The function init_cq_frag_buf() can be called to initialize the current CQ fragments buffer cq->buf, or the temporary cq->resize_buf that is filled during CQ resize operation. However, the offending commit started to use function get_cqe() for getting the CQEs, the issue with this change is that get_cqe() always returns CQEs from cq->buf, which leads us to initialize the wrong buffer, and in case of enlarging the CQ we try to access elements beyond the size of the current cq->buf and eventually hit a kernel panic. [exception RIP: init_cq_frag_buf+103] [ffff9f799ddcbcd8] mlx5_ib_resize_cq at ffffffffc0835d60 [mlx5_ib] [ffff9f799ddcbdb0] ib_resize_cq at ffffffffc05270df [ib_core] [ffff9f799ddcbdc0] llt_rdma_setup_qp at ffffffffc0a6a712 [llt] [ffff9f799ddcbe10] llt_rdma_cc_event_action at ffffffffc0a6b411 [llt] [ffff9f799ddcbe98] llt_rdma_client_conn_thread at ffffffffc0a6bb75 [llt] [ffff9f799ddcbec8] kthread at ffffffffa66c5da1 [ffff9f799ddcbf50] ret_from_fork_nospec_begin at ffffffffa6d95ddd Fix it by getting the needed CQE by calling mlx5_frag_buf_get_wqe() that takes the correct source buffer as a parameter. CVE-2021-47261 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 important In the Linux kernel, the following vulnerability has been resolved: gpio: wcd934x: Fix shift-out-of-bounds error bit-mask for pins 0 to 4 is BIT(0) to BIT(4) however we ended up with BIT(n - 1) which is not right, and this was caught by below usban check UBSAN: shift-out-of-bounds in drivers/gpio/gpio-wcd934x.c:34:14 CVE-2021-47263 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: RDMA: Verify port when creating flow rule Validate port value provided by the user and with that remove no longer needed validation by the driver. The missing check in the mlx5_ib driver could cause to the below oops. Call trace: _create_flow_rule+0x2d4/0xf28 [mlx5_ib] mlx5_ib_create_flow+0x2d0/0x5b0 [mlx5_ib] ib_uverbs_ex_create_flow+0x4cc/0x624 [ib_uverbs] ib_uverbs_handler_UVERBS_METHOD_INVOKE_WRITE+0xd4/0x150 [ib_uverbs] ib_uverbs_cmd_verbs.isra.7+0xb28/0xc50 [ib_uverbs] ib_uverbs_ioctl+0x158/0x1d0 [ib_uverbs] do_vfs_ioctl+0xd0/0xaf0 ksys_ioctl+0x84/0xb4 __arm64_sys_ioctl+0x28/0xc4 el0_svc_common.constprop.3+0xa4/0x254 el0_svc_handler+0x84/0xa0 el0_svc+0x10/0x26c Code: b9401260 f9615681 51000400 8b001c20 (f9403c1a) CVE-2021-47265 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: usb: fix various gadget panics on 10gbps cabling usb_assign_descriptors() is called with 5 parameters, the last 4 of which are the usb_descriptor_header for: full-speed (USB1.1 - 12Mbps [including USB1.0 low-speed @ 1.5Mbps), high-speed (USB2.0 - 480Mbps), super-speed (USB3.0 - 5Gbps), super-speed-plus (USB3.1 - 10Gbps). The differences between full/high/super-speed descriptors are usually substantial (due to changes in the maximum usb block size from 64 to 512 to 1024 bytes and other differences in the specs), while the difference between 5 and 10Gbps descriptors may be as little as nothing (in many cases the same tuning is simply good enough). However if a gadget driver calls usb_assign_descriptors() with a NULL descriptor for super-speed-plus and is then used on a max 10gbps configuration, the kernel will crash with a null pointer dereference, when a 10gbps capable device port + cable + host port combination shows up. (This wouldn't happen if the gadget max-speed was set to 5gbps, but it of course defaults to the maximum, and there's no real reason to artificially limit it) The fix is to simply use the 5gbps descriptor as the 10gbps descriptor, if a 10gbps descriptor wasn't provided. Obviously this won't fix the problem if the 5gbps descriptor is also NULL, but such cases can't be so trivially solved (and any such gadgets are unlikely to be used with USB3 ports any way). CVE-2021-47267 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: usb: dwc3: ep0: fix NULL pointer exception There is no validation of the index from dwc3_wIndex_to_dep() and we might be referring a non-existing ep and trigger a NULL pointer exception. In certain configurations we might use fewer eps and the index might wrongly indicate a larger ep index than existing. By adding this validation from the patch we can actually report a wrong index back to the caller. In our usecase we are using a composite device on an older kernel, but upstream might use this fix also. Unfortunately, I cannot describe the hardware for others to reproduce the issue as it is a proprietary implementation. [ 82.958261] Unable to handle kernel NULL pointer dereference at virtual address 00000000000000a4 [ 82.966891] Mem abort info: [ 82.969663] ESR = 0x96000006 [ 82.972703] Exception class = DABT (current EL), IL = 32 bits [ 82.978603] SET = 0, FnV = 0 [ 82.981642] EA = 0, S1PTW = 0 [ 82.984765] Data abort info: [ 82.987631] ISV = 0, ISS = 0x00000006 [ 82.991449] CM = 0, WnR = 0 [ 82.994409] user pgtable: 4k pages, 39-bit VAs, pgdp = 00000000c6210ccc [ 83.000999] [00000000000000a4] pgd=0000000053aa5003, pud=0000000053aa5003, pmd=0000000000000000 [ 83.009685] Internal error: Oops: 96000006 [#1] PREEMPT SMP [ 83.026433] Process irq/62-dwc3 (pid: 303, stack limit = 0x000000003985154c) [ 83.033470] CPU: 0 PID: 303 Comm: irq/62-dwc3 Not tainted 4.19.124 #1 [ 83.044836] pstate: 60000085 (nZCv daIf -PAN -UAO) [ 83.049628] pc : dwc3_ep0_handle_feature+0x414/0x43c [ 83.054558] lr : dwc3_ep0_interrupt+0x3b4/0xc94 ... [ 83.141788] Call trace: [ 83.144227] dwc3_ep0_handle_feature+0x414/0x43c [ 83.148823] dwc3_ep0_interrupt+0x3b4/0xc94 [ 83.181546] ---[ end trace aac6b5267d84c32f ]--- CVE-2021-47269 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: usb: fix various gadgets null ptr deref on 10gbps cabling. This avoids a null pointer dereference in f_{ecm,eem,hid,loopback,printer,rndis,serial,sourcesink,subset,tcm} by simply reusing the 5gbps config for 10gbps. CVE-2021-47270 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: tracing: Correct the length check which causes memory corruption We've suffered from severe kernel crashes due to memory corruption on our production environment, like, Call Trace: [1640542.554277] general protection fault: 0000 [#1] SMP PTI [1640542.554856] CPU: 17 PID: 26996 Comm: python Kdump: loaded Tainted:G [1640542.556629] RIP: 0010:kmem_cache_alloc+0x90/0x190 [1640542.559074] RSP: 0018:ffffb16faa597df8 EFLAGS: 00010286 [1640542.559587] RAX: 0000000000000000 RBX: 0000000000400200 RCX: 0000000006e931bf [1640542.560323] RDX: 0000000006e931be RSI: 0000000000400200 RDI: ffff9a45ff004300 [1640542.560996] RBP: 0000000000400200 R08: 0000000000023420 R09: 0000000000000000 [1640542.561670] R10: 0000000000000000 R11: 0000000000000000 R12: ffffffff9a20608d [1640542.562366] R13: ffff9a45ff004300 R14: ffff9a45ff004300 R15: 696c662f65636976 [1640542.563128] FS: 00007f45d7c6f740(0000) GS:ffff9a45ff840000(0000) knlGS:0000000000000000 [1640542.563937] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [1640542.564557] CR2: 00007f45d71311a0 CR3: 000000189d63e004 CR4: 00000000003606e0 [1640542.565279] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [1640542.566069] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [1640542.566742] Call Trace: [1640542.567009] anon_vma_clone+0x5d/0x170 [1640542.567417] __split_vma+0x91/0x1a0 [1640542.567777] do_munmap+0x2c6/0x320 [1640542.568128] vm_munmap+0x54/0x70 [1640542.569990] __x64_sys_munmap+0x22/0x30 [1640542.572005] do_syscall_64+0x5b/0x1b0 [1640542.573724] entry_SYSCALL_64_after_hwframe+0x44/0xa9 [1640542.575642] RIP: 0033:0x7f45d6e61e27 James Wang has reproduced it stably on the latest 4.19 LTS. After some debugging, we finally proved that it's due to ftrace buffer out-of-bound access using a debug tool as follows: [ 86.775200] BUG: Out-of-bounds write at addr 0xffff88aefe8b7000 [ 86.780806] no_context+0xdf/0x3c0 [ 86.784327] __do_page_fault+0x252/0x470 [ 86.788367] do_page_fault+0x32/0x140 [ 86.792145] page_fault+0x1e/0x30 [ 86.795576] strncpy_from_unsafe+0x66/0xb0 [ 86.799789] fetch_memory_string+0x25/0x40 [ 86.804002] fetch_deref_string+0x51/0x60 [ 86.808134] kprobe_trace_func+0x32d/0x3a0 [ 86.812347] kprobe_dispatcher+0x45/0x50 [ 86.816385] kprobe_ftrace_handler+0x90/0xf0 [ 86.820779] ftrace_ops_assist_func+0xa1/0x140 [ 86.825340] 0xffffffffc00750bf [ 86.828603] do_sys_open+0x5/0x1f0 [ 86.832124] do_syscall_64+0x5b/0x1b0 [ 86.835900] entry_SYSCALL_64_after_hwframe+0x44/0xa9 commit b220c049d519 ("tracing: Check length before giving out the filter buffer") adds length check to protect trace data overflow introduced in 0fc1b09ff1ff, seems that this fix can't prevent overflow entirely, the length check should also take the sizeof entry->array[0] into account, since this array[0] is filled the length of trace data and occupy addtional space and risk overflow. CVE-2021-47274 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: bcache: avoid oversized read request in cache missing code path In the cache missing code path of cached device, if a proper location from the internal B+ tree is matched for a cache miss range, function cached_dev_cache_miss() will be called in cache_lookup_fn() in the following code block, [code block 1] 526 unsigned int sectors = KEY_INODE(k) == s->iop.inode 527 ? min_t(uint64_t, INT_MAX, 528 KEY_START(k) - bio->bi_iter.bi_sector) 529 : INT_MAX; 530 int ret = s->d->cache_miss(b, s, bio, sectors); Here s->d->cache_miss() is the call backfunction pointer initialized as cached_dev_cache_miss(), the last parameter 'sectors' is an important hint to calculate the size of read request to backing device of the missing cache data. Current calculation in above code block may generate oversized value of 'sectors', which consequently may trigger 2 different potential kernel panics by BUG() or BUG_ON() as listed below, 1) BUG_ON() inside bch_btree_insert_key(), [code block 2] 886 BUG_ON(b->ops->is_extents && !KEY_SIZE(k)); 2) BUG() inside biovec_slab(), [code block 3] 51 default: 52 BUG(); 53 return NULL; All the above panics are original from cached_dev_cache_miss() by the oversized parameter 'sectors'. Inside cached_dev_cache_miss(), parameter 'sectors' is used to calculate the size of data read from backing device for the cache missing. This size is stored in s->insert_bio_sectors by the following lines of code, [code block 4] 909 s->insert_bio_sectors = min(sectors, bio_sectors(bio) + reada); Then the actual key inserting to the internal B+ tree is generated and stored in s->iop.replace_key by the following lines of code, [code block 5] 911 s->iop.replace_key = KEY(s->iop.inode, 912 bio->bi_iter.bi_sector + s->insert_bio_sectors, 913 s->insert_bio_sectors); The oversized parameter 'sectors' may trigger panic 1) by BUG_ON() from the above code block. And the bio sending to backing device for the missing data is allocated with hint from s->insert_bio_sectors by the following lines of code, [code block 6] 926 cache_bio = bio_alloc_bioset(GFP_NOWAIT, 927 DIV_ROUND_UP(s->insert_bio_sectors, PAGE_SECTORS), 928 &dc->disk.bio_split); The oversized parameter 'sectors' may trigger panic 2) by BUG() from the agove code block. Now let me explain how the panics happen with the oversized 'sectors'. In code block 5, replace_key is generated by macro KEY(). From the definition of macro KEY(), [code block 7] 71 #define KEY(inode, offset, size) \ 72 ((struct bkey) { \ 73 .high = (1ULL << 63) | ((__u64) (size) << 20) | (inode), \ 74 .low = (offset) \ 75 }) Here 'size' is 16bits width embedded in 64bits member 'high' of struct bkey. But in code block 1, if "KEY_START(k) - bio->bi_iter.bi_sector" is very probably to be larger than (1<<16) - 1, which makes the bkey size calculation in code block 5 is overflowed. In one bug report the value of parameter 'sectors' is 131072 (= 1 << 17), the overflowed 'sectors' results the overflowed s->insert_bio_sectors in code block 4, then makes size field of s->iop.replace_key to be 0 in code block 5. Then the 0- sized s->iop.replace_key is inserted into the internal B+ tree as cache missing check key (a special key to detect and avoid a racing between normal write request and cache missing read request) as, [code block 8] 915 ret = bch_btree_insert_check_key(b, &s->op, &s->iop.replace_key); Then the 0-sized s->iop.replace_key as 3rd parameter triggers the bkey size check BUG_ON() in code block 2, and causes the kernel panic 1). Another ke ---truncated--- CVE-2021-47275 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: ftrace: Do not blindly read the ip address in ftrace_bug() It was reported that a bug on arm64 caused a bad ip address to be used for updating into a nop in ftrace_init(), but the error path (rightfully) returned -EINVAL and not -EFAULT, as the bug caused more than one error to occur. But because -EINVAL was returned, the ftrace_bug() tried to report what was at the location of the ip address, and read it directly. This caused the machine to panic, as the ip was not pointing to a valid memory address. Instead, read the ip address with copy_from_kernel_nofault() to safely access the memory, and if it faults, report that the address faulted, otherwise report what was in that location. CVE-2021-47276 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm: Fix use-after-free read in drm_getunique() There is a time-of-check-to-time-of-use error in drm_getunique() due to retrieving file_priv->master prior to locking the device's master mutex. An example can be seen in the crash report of the use-after-free error found by Syzbot: https://syzkaller.appspot.com/bug?id=148d2f1dfac64af52ffd27b661981a540724f803 In the report, the master pointer was used after being freed. This is because another process had acquired the device's master mutex in drm_setmaster_ioctl(), then overwrote fpriv->master in drm_new_set_master(). The old value of fpriv->master was subsequently freed before the mutex was unlocked. To fix this, we lock the device's master mutex before retrieving the pointer from from fpriv->master. This patch passes the Syzbot reproducer test. CVE-2021-47280 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: ALSA: seq: Fix race of snd_seq_timer_open() The timer instance per queue is exclusive, and snd_seq_timer_open() should have managed the concurrent accesses. It looks as if it's checking the already existing timer instance at the beginning, but it's not right, because there is no protection, hence any later concurrent call of snd_seq_timer_open() may override the timer instance easily. This may result in UAF, as the leftover timer instance can keep running while the queue itself gets closed, as spotted by syzkaller recently. For avoiding the race, add a proper check at the assignment of tmr->timeri again, and return -EBUSY if it's been already registered. CVE-2021-47281 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: isdn: mISDN: netjet: Fix crash in nj_probe: 'nj_setup' in netjet.c might fail with -EIO and in this case 'card->irq' is initialized and is bigger than zero. A subsequent call to 'nj_release' will free the irq that has not been requested. Fix this bug by deleting the previous assignment to 'card->irq' and just keep the assignment before 'request_irq'. The KASAN's log reveals it: [ 3.354615 ] WARNING: CPU: 0 PID: 1 at kernel/irq/manage.c:1826 free_irq+0x100/0x480 [ 3.355112 ] Modules linked in: [ 3.355310 ] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 5.13.0-rc1-00144-g25a1298726e #13 [ 3.355816 ] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014 [ 3.356552 ] RIP: 0010:free_irq+0x100/0x480 [ 3.356820 ] Code: 6e 08 74 6f 4d 89 f4 e8 5e ac 09 00 4d 8b 74 24 18 4d 85 f6 75 e3 e8 4f ac 09 00 8b 75 c8 48 c7 c7 78 c1 2e 85 e8 e0 cf f5 ff <0f> 0b 48 8b 75 c0 4c 89 ff e8 72 33 0b 03 48 8b 43 40 4c 8b a0 80 [ 3.358012 ] RSP: 0000:ffffc90000017b48 EFLAGS: 00010082 [ 3.358357 ] RAX: 0000000000000000 RBX: ffff888104dc8000 RCX: 0000000000000000 [ 3.358814 ] RDX: ffff8881003c8000 RSI: ffffffff8124a9e6 RDI: 00000000ffffffff [ 3.359272 ] RBP: ffffc90000017b88 R08: 0000000000000000 R09: 0000000000000000 [ 3.359732 ] R10: ffffc900000179f0 R11: 0000000000001d04 R12: 0000000000000000 [ 3.360195 ] R13: ffff888107dc6000 R14: ffff888107dc6928 R15: ffff888104dc80a8 [ 3.360652 ] FS: 0000000000000000(0000) GS:ffff88817bc00000(0000) knlGS:0000000000000000 [ 3.361170 ] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 3.361538 ] CR2: 0000000000000000 CR3: 000000000582e000 CR4: 00000000000006f0 [ 3.362003 ] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 3.362175 ] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 3.362175 ] Call Trace: [ 3.362175 ] nj_release+0x51/0x1e0 [ 3.362175 ] nj_probe+0x450/0x950 [ 3.362175 ] ? pci_device_remove+0x110/0x110 [ 3.362175 ] local_pci_probe+0x45/0xa0 [ 3.362175 ] pci_device_probe+0x12b/0x1d0 [ 3.362175 ] really_probe+0x2a9/0x610 [ 3.362175 ] driver_probe_device+0x90/0x1d0 [ 3.362175 ] ? mutex_lock_nested+0x1b/0x20 [ 3.362175 ] device_driver_attach+0x68/0x70 [ 3.362175 ] __driver_attach+0x124/0x1b0 [ 3.362175 ] ? device_driver_attach+0x70/0x70 [ 3.362175 ] bus_for_each_dev+0xbb/0x110 [ 3.362175 ] ? rdinit_setup+0x45/0x45 [ 3.362175 ] driver_attach+0x27/0x30 [ 3.362175 ] bus_add_driver+0x1eb/0x2a0 [ 3.362175 ] driver_register+0xa9/0x180 [ 3.362175 ] __pci_register_driver+0x82/0x90 [ 3.362175 ] ? w6692_init+0x38/0x38 [ 3.362175 ] nj_init+0x36/0x38 [ 3.362175 ] do_one_initcall+0x7f/0x3d0 [ 3.362175 ] ? rdinit_setup+0x45/0x45 [ 3.362175 ] ? rcu_read_lock_sched_held+0x4f/0x80 [ 3.362175 ] kernel_init_freeable+0x2aa/0x301 [ 3.362175 ] ? rest_init+0x2c0/0x2c0 [ 3.362175 ] kernel_init+0x18/0x190 [ 3.362175 ] ? rest_init+0x2c0/0x2c0 [ 3.362175 ] ? rest_init+0x2c0/0x2c0 [ 3.362175 ] ret_from_fork+0x1f/0x30 [ 3.362175 ] Kernel panic - not syncing: panic_on_warn set ... [ 3.362175 ] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 5.13.0-rc1-00144-g25a1298726e #13 [ 3.362175 ] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014 [ 3.362175 ] Call Trace: [ 3.362175 ] dump_stack+0xba/0xf5 [ 3.362175 ] ? free_irq+0x100/0x480 [ 3.362175 ] panic+0x15a/0x3f2 [ 3.362175 ] ? __warn+0xf2/0x150 [ 3.362175 ] ? free_irq+0x100/0x480 [ 3.362175 ] __warn+0x108/0x150 [ 3.362175 ] ? free_irq+0x100/0x480 [ 3.362175 ] report_bug+0x119/0x1c0 [ 3.362175 ] handle_bug+0x3b/0x80 [ 3.362175 ] exc_invalid_op+0x18/0x70 [ 3.362175 ] asm_exc_invalid_op+0x12/0x20 [ 3.362175 ] RIP: 0010:free_irq+0x100 ---truncated--- CVE-2021-47284 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. CVE-2021-47285 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 low In the Linux kernel, the following vulnerability has been resolved: media: ngene: Fix out-of-bounds bug in ngene_command_config_free_buf() Fix an 11-year old bug in ngene_command_config_free_buf() while addressing the following warnings caught with -Warray-bounds: arch/alpha/include/asm/string.h:22:16: warning: '__builtin_memcpy' offset [12, 16] from the object at 'com' is out of the bounds of referenced subobject 'config' with type 'unsigned char' at offset 10 [-Warray-bounds] arch/x86/include/asm/string_32.h:182:25: warning: '__builtin_memcpy' offset [12, 16] from the object at 'com' is out of the bounds of referenced subobject 'config' with type 'unsigned char' at offset 10 [-Warray-bounds] The problem is that the original code is trying to copy 6 bytes of data into a one-byte size member _config_ of the wrong structue FW_CONFIGURE_BUFFERS, in a single call to memcpy(). This causes a legitimate compiler warning because memcpy() overruns the length of &com.cmd.ConfigureBuffers.config. It seems that the right structure is FW_CONFIGURE_FREE_BUFFERS, instead, because it contains 6 more members apart from the header _hdr_. Also, the name of the function ngene_command_config_free_buf() suggests that the actual intention is to ConfigureFreeBuffers, instead of ConfigureBuffers (which takes place in the function ngene_command_config_buf(), above). Fix this by enclosing those 6 members of struct FW_CONFIGURE_FREE_BUFFERS into new struct config, and use &com.cmd.ConfigureFreeBuffers.config as the destination address, instead of &com.cmd.ConfigureBuffers.config, when calling memcpy(). This also helps with the ongoing efforts to globally enable -Warray-bounds and get us closer to being able to tighten the FORTIFY_SOURCE routines on memcpy(). CVE-2021-47288 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: ACPI: fix NULL pointer dereference Commit 71f642833284 ("ACPI: utils: Fix reference counting in for_each_acpi_dev_match()") started doing "acpi_dev_put()" on a pointer that was possibly NULL. That fails miserably, because that helper inline function is not set up to handle that case. Just make acpi_dev_put() silently accept a NULL pointer, rather than calling down to put_device() with an invalid offset off that NULL pointer. CVE-2021-47289 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: KVM: PPC: Fix kvm_arch_vcpu_ioctl vcpu_load leak vcpu_put is not called if the user copy fails. This can result in preempt notifier corruption and crashes, among other issues. CVE-2021-47296 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: igb: Fix use-after-free error during reset Cleans the next descriptor to watch (next_to_watch) when cleaning the TX ring. Failure to do so can cause invalid memory accesses. If igb_poll() runs while the controller is reset this can lead to the driver try to free a skb that was already freed. (The crash is harder to reproduce with the igb driver, but the same potential problem exists as the code is identical to igc) CVE-2021-47301 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: igc: Fix use-after-free error during reset Cleans the next descriptor to watch (next_to_watch) when cleaning the TX ring. Failure to do so can cause invalid memory accesses. If igc_poll() runs while the controller is being reset this can lead to the driver try to free a skb that was already freed. Log message: [ 101.525242] refcount_t: underflow; use-after-free. [ 101.525251] WARNING: CPU: 1 PID: 646 at lib/refcount.c:28 refcount_warn_saturate+0xab/0xf0 [ 101.525259] Modules linked in: sch_etf(E) sch_mqprio(E) rfkill(E) intel_rapl_msr(E) intel_rapl_common(E) x86_pkg_temp_thermal(E) intel_powerclamp(E) coretemp(E) binfmt_misc(E) kvm_intel(E) kvm(E) irqbypass(E) crc32_pclmul(E) ghash_clmulni_intel(E) aesni_intel(E) mei_wdt(E) libaes(E) crypto_simd(E) cryptd(E) glue_helper(E) snd_hda_codec_hdmi(E) rapl(E) intel_cstate(E) snd_hda_intel(E) snd_intel_dspcfg(E) sg(E) soundwire_intel(E) intel_uncore(E) at24(E) soundwire_generic_allocation(E) iTCO_wdt(E) soundwire_cadence(E) intel_pmc_bxt(E) serio_raw(E) snd_hda_codec(E) iTCO_vendor_support(E) watchdog(E) snd_hda_core(E) snd_hwdep(E) snd_soc_core(E) snd_compress(E) snd_pcsp(E) soundwire_bus(E) snd_pcm(E) evdev(E) snd_timer(E) mei_me(E) snd(E) soundcore(E) mei(E) configfs(E) ip_tables(E) x_tables(E) autofs4(E) ext4(E) crc32c_generic(E) crc16(E) mbcache(E) jbd2(E) sd_mod(E) t10_pi(E) crc_t10dif(E) crct10dif_generic(E) i915(E) ahci(E) libahci(E) ehci_pci(E) igb(E) xhci_pci(E) ehci_hcd(E) [ 101.525303] drm_kms_helper(E) dca(E) xhci_hcd(E) libata(E) crct10dif_pclmul(E) cec(E) crct10dif_common(E) tsn(E) igc(E) e1000e(E) ptp(E) i2c_i801(E) crc32c_intel(E) psmouse(E) i2c_algo_bit(E) i2c_smbus(E) scsi_mod(E) lpc_ich(E) pps_core(E) usbcore(E) drm(E) button(E) video(E) [ 101.525318] CPU: 1 PID: 646 Comm: irq/37-enp7s0-T Tainted: G E 5.10.30-rt37-tsn1-rt-ipipe #ipipe [ 101.525320] Hardware name: SIEMENS AG SIMATIC IPC427D/A5E31233588, BIOS V17.02.09 03/31/2017 [ 101.525322] RIP: 0010:refcount_warn_saturate+0xab/0xf0 [ 101.525325] Code: 05 31 48 44 01 01 e8 f0 c6 42 00 0f 0b c3 80 3d 1f 48 44 01 00 75 90 48 c7 c7 78 a8 f3 a6 c6 05 0f 48 44 01 01 e8 d1 c6 42 00 <0f> 0b c3 80 3d fe 47 44 01 00 0f 85 6d ff ff ff 48 c7 c7 d0 a8 f3 [ 101.525327] RSP: 0018:ffffbdedc0917cb8 EFLAGS: 00010286 [ 101.525329] RAX: 0000000000000000 RBX: ffff98fd6becbf40 RCX: 0000000000000001 [ 101.525330] RDX: 0000000000000001 RSI: ffffffffa6f2700c RDI: 00000000ffffffff [ 101.525332] RBP: ffff98fd6becc14c R08: ffffffffa7463d00 R09: ffffbdedc0917c50 [ 101.525333] R10: ffffffffa74c3578 R11: 0000000000000034 R12: 00000000ffffff00 [ 101.525335] R13: ffff98fd6b0b1000 R14: 0000000000000039 R15: ffff98fd6be35c40 [ 101.525337] FS: 0000000000000000(0000) GS:ffff98fd6e240000(0000) knlGS:0000000000000000 [ 101.525339] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 101.525341] CR2: 00007f34135a3a70 CR3: 0000000150210003 CR4: 00000000001706e0 [ 101.525343] Call Trace: [ 101.525346] sock_wfree+0x9c/0xa0 [ 101.525353] unix_destruct_scm+0x7b/0xa0 [ 101.525358] skb_release_head_state+0x40/0x90 [ 101.525362] skb_release_all+0xe/0x30 [ 101.525364] napi_consume_skb+0x57/0x160 [ 101.525367] igc_poll+0xb7/0xc80 [igc] [ 101.525376] ? sched_clock+0x5/0x10 [ 101.525381] ? sched_clock_cpu+0xe/0x100 [ 101.525385] net_rx_action+0x14c/0x410 [ 101.525388] __do_softirq+0xe9/0x2f4 [ 101.525391] __local_bh_enable_ip+0xe3/0x110 [ 101.525395] ? irq_finalize_oneshot.part.47+0xe0/0xe0 [ 101.525398] irq_forced_thread_fn+0x6a/0x80 [ 101.525401] irq_thread+0xe8/0x180 [ 101.525403] ? wake_threads_waitq+0x30/0x30 [ 101.525406] ? irq_thread_check_affinity+0xd0/0xd0 [ 101.525408] kthread+0x183/0x1a0 [ 101.525412] ? kthread_park+0x80/0x80 [ 101.525415] ret_from_fork+0x22/0x30 CVE-2021-47302 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: dma-buf/sync_file: Don't leak fences on merge failure Each add_fence() call does a dma_fence_get() on the relevant fence. In the error path, we weren't calling dma_fence_put() so all those fences got leaked. Also, in the krealloc_array failure case, we weren't freeing the fences array. Instead, ensure that i and fences are always zero-initialized and dma_fence_put() all the fences and kfree(fences) on every error path. CVE-2021-47305 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: cifs: prevent NULL deref in cifs_compose_mount_options() The optional @ref parameter might contain an NULL node_name, so prevent dereferencing it in cifs_compose_mount_options(). Addresses-Coverity: 1476408 ("Explicit null dereferenced") CVE-2021-47307 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: scsi: libfc: Fix array index out of bound exception Fix array index out of bound exception in fc_rport_prli_resp(). CVE-2021-47308 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: net: qcom/emac: fix UAF in emac_remove adpt is netdev private data and it cannot be used after free_netdev() call. Using adpt after free_netdev() can cause UAF bug. Fix it by moving free_netdev() at the end of the function. CVE-2021-47311 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: memory: fsl_ifc: fix leak of private memory on probe failure On probe error the driver should free the memory allocated for private structure. Fix this by using resource-managed allocation. CVE-2021-47314 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 low In the Linux kernel, the following vulnerability has been resolved: memory: fsl_ifc: fix leak of IO mapping on probe failure On probe error the driver should unmap the IO memory. Smatch reports: drivers/memory/fsl_ifc.c:298 fsl_ifc_ctrl_probe() warn: 'fsl_ifc_ctrl_dev->gregs' not released on lines: 298. CVE-2021-47315 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 low In the Linux kernel, the following vulnerability has been resolved: nfs: fix acl memory leak of posix_acl_create() When looking into another nfs xfstests report, I found acl and default_acl in nfs3_proc_create() and nfs3_proc_mknod() error paths are possibly leaked. Fix them in advance. CVE-2021-47320 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: watchdog: Fix possible use-after-free by calling del_timer_sync() This driver's remove path calls del_timer(). However, that function does not wait until the timer handler finishes. This means that the timer handler may still be running after the driver's remove function has finished, which would result in a use-after-free. Fix by calling del_timer_sync(), which makes sure the timer handler has finished, and unable to re-schedule itself. CVE-2021-47321 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: watchdog: sc520_wdt: Fix possible use-after-free in wdt_turnoff() This module's remove path calls del_timer(). However, that function does not wait until the timer handler finishes. This means that the timer handler may still be running after the driver's remove function has finished, which would result in a use-after-free. Fix by calling del_timer_sync(), which makes sure the timer handler has finished, and unable to re-schedule itself. CVE-2021-47323 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: watchdog: Fix possible use-after-free in wdt_startup() This module's remove path calls del_timer(). However, that function does not wait until the timer handler finishes. This means that the timer handler may still be running after the driver's remove function has finished, which would result in a use-after-free. Fix by calling del_timer_sync(), which makes sure the timer handler has finished, and unable to re-schedule itself. CVE-2021-47324 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: scsi: iscsi: Fix conn use after free during resets If we haven't done a unbind target call we can race where iscsi_conn_teardown wakes up the EH thread and then frees the conn while those threads are still accessing the conn ehwait. We can only do one TMF per session so this just moves the TMF fields from the conn to the session. We can then rely on the iscsi_session_teardown->iscsi_remove_session->__iscsi_unbind_session call to remove the target and it's devices, and know after that point there is no device or scsi-ml callout trying to access the session. CVE-2021-47328 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: scsi: megaraid_sas: Fix resource leak in case of probe failure The driver doesn't clean up all the allocated resources properly when scsi_add_host(), megasas_start_aen() function fails during the PCI device probe. Clean up all those resources. CVE-2021-47329 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 low In the Linux kernel, the following vulnerability has been resolved: tty: serial: 8250: serial_cs: Fix a memory leak in error handling path In the probe function, if the final 'serial_config()' fails, 'info' is leaking. Add a resource handling path to free this memory. CVE-2021-47330 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 low In the Linux kernel, the following vulnerability has been resolved: ALSA: usx2y: Don't call free_pages_exact() with NULL address Unlike some other functions, we can't pass NULL pointer to free_pages_exact(). Add a proper NULL check for avoiding possible Oops. CVE-2021-47332 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: misc: alcor_pci: fix null-ptr-deref when there is no PCI bridge There is an issue with the ASPM(optional) capability checking function. A device might be attached to root complex directly, in this case, bus->self(bridge) will be NULL, thus priv->parent_pdev is NULL. Since alcor_pci_init_check_aspm(priv->parent_pdev) checks the PCI link's ASPM capability and populate parent_cap_off, which will be used later by alcor_pci_aspm_ctrl() to dynamically turn on/off device, what we can do here is to avoid checking the capability if we are on the root complex. This will make pdev_cap_off 0 and alcor_pci_aspm_ctrl() will simply return when bring called, effectively disable ASPM for the device. [ 1.246492] BUG: kernel NULL pointer dereference, address: 00000000000000c0 [ 1.248731] RIP: 0010:pci_read_config_byte+0x5/0x40 [ 1.253998] Call Trace: [ 1.254131] ? alcor_pci_find_cap_offset.isra.0+0x3a/0x100 [alcor_pci] [ 1.254476] alcor_pci_probe+0x169/0x2d5 [alcor_pci] CVE-2021-47333 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: misc/libmasm/module: Fix two use after free in ibmasm_init_one In ibmasm_init_one, it calls ibmasm_init_remote_input_dev(). Inside ibmasm_init_remote_input_dev, mouse_dev and keybd_dev are allocated by input_allocate_device(), and assigned to sp->remote.mouse_dev and sp->remote.keybd_dev respectively. In the err_free_devices error branch of ibmasm_init_one, mouse_dev and keybd_dev are freed by input_free_device(), and return error. Then the execution runs into error_send_message error branch of ibmasm_init_one, where ibmasm_free_remote_input_dev(sp) is called to unregister the freed sp->remote.mouse_dev and sp->remote.keybd_dev. My patch add a "error_init_remote" label to handle the error of ibmasm_init_remote_input_dev(), to avoid the uaf bugs. CVE-2021-47334 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: scsi: core: Fix bad pointer dereference when ehandler kthread is invalid Commit 66a834d09293 ("scsi: core: Fix error handling of scsi_host_alloc()") changed the allocation logic to call put_device() to perform host cleanup with the assumption that IDA removal and stopping the kthread would properly be performed in scsi_host_dev_release(). However, in the unlikely case that the error handler thread fails to spawn, shost->ehandler is set to ERR_PTR(-ENOMEM). The error handler cleanup code in scsi_host_dev_release() will call kthread_stop() if shost->ehandler != NULL which will always be the case whether the kthread was successfully spawned or not. In the case that it failed to spawn this has the nasty side effect of trying to dereference an invalid pointer when kthread_stop() is called. The following splat provides an example of this behavior in the wild: scsi host11: error handler thread failed to spawn, error = -4 Kernel attempted to read user page (10c) - exploit attempt? (uid: 0) BUG: Kernel NULL pointer dereference on read at 0x0000010c Faulting instruction address: 0xc00000000818e9a8 Oops: Kernel access of bad area, sig: 11 [#1] LE PAGE_SIZE=64K MMU=Hash SMP NR_CPUS=2048 NUMA pSeries Modules linked in: ibmvscsi(+) scsi_transport_srp dm_multipath dm_mirror dm_region hash dm_log dm_mod fuse overlay squashfs loop CPU: 12 PID: 274 Comm: systemd-udevd Not tainted 5.13.0-rc7 #1 NIP: c00000000818e9a8 LR: c0000000089846e8 CTR: 0000000000007ee8 REGS: c000000037d12ea0 TRAP: 0300 Not tainted (5.13.0-rc7) MSR: 800000000280b033 &lt;SF,VEC,VSX,EE,FP,ME,IR,DR,RI,LE&gt; CR: 28228228 XER: 20040001 CFAR: c0000000089846e4 DAR: 000000000000010c DSISR: 40000000 IRQMASK: 0 GPR00: c0000000089846e8 c000000037d13140 c000000009cc1100 fffffffffffffffc GPR04: 0000000000000001 0000000000000000 0000000000000000 c000000037dc0000 GPR08: 0000000000000000 c000000037dc0000 0000000000000001 00000000fffff7ff GPR12: 0000000000008000 c00000000a049000 c000000037d13d00 000000011134d5a0 GPR16: 0000000000001740 c0080000190d0000 c0080000190d1740 c000000009129288 GPR20: c000000037d13bc0 0000000000000001 c000000037d13bc0 c0080000190b7898 GPR24: c0080000190b7708 0000000000000000 c000000033bb2c48 0000000000000000 GPR28: c000000046b28280 0000000000000000 000000000000010c fffffffffffffffc NIP [c00000000818e9a8] kthread_stop+0x38/0x230 LR [c0000000089846e8] scsi_host_dev_release+0x98/0x160 Call Trace: [c000000033bb2c48] 0xc000000033bb2c48 (unreliable) [c0000000089846e8] scsi_host_dev_release+0x98/0x160 [c00000000891e960] device_release+0x60/0x100 [c0000000087e55c4] kobject_release+0x84/0x210 [c00000000891ec78] put_device+0x28/0x40 [c000000008984ea4] scsi_host_alloc+0x314/0x430 [c0080000190b38bc] ibmvscsi_probe+0x54/0xad0 [ibmvscsi] [c000000008110104] vio_bus_probe+0xa4/0x4b0 [c00000000892a860] really_probe+0x140/0x680 [c00000000892aefc] driver_probe_device+0x15c/0x200 [c00000000892b63c] device_driver_attach+0xcc/0xe0 [c00000000892b740] __driver_attach+0xf0/0x200 [c000000008926f28] bus_for_each_dev+0xa8/0x130 [c000000008929ce4] driver_attach+0x34/0x50 [c000000008928fc0] bus_add_driver+0x1b0/0x300 [c00000000892c798] driver_register+0x98/0x1a0 [c00000000810eb60] __vio_register_driver+0x80/0xe0 [c0080000190b4a30] ibmvscsi_module_init+0x9c/0xdc [ibmvscsi] [c0000000080121d0] do_one_initcall+0x60/0x2d0 [c000000008261abc] do_init_module+0x7c/0x320 [c000000008265700] load_module+0x2350/0x25b0 [c000000008265cb4] __do_sys_finit_module+0xd4/0x160 [c000000008031110] system_call_exception+0x150/0x2d0 [c00000000800d35c] system_call_common+0xec/0x278 Fix this be nulling shost->ehandler when the kthread fails to spawn. CVE-2021-47337 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: fbmem: Do not delete the mode that is still in use The execution of fb_delete_videomode() is not based on the result of the previous fbcon_mode_deleted(). As a result, the mode is directly deleted, regardless of whether it is still in use, which may cause UAF. ================================================================== BUG: KASAN: use-after-free in fb_mode_is_equal+0x36e/0x5e0 \ drivers/video/fbdev/core/modedb.c:924 Read of size 4 at addr ffff88807e0ddb1c by task syz-executor.0/18962 CPU: 2 PID: 18962 Comm: syz-executor.0 Not tainted 5.10.45-rc1+ #3 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ... Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x137/0x1be lib/dump_stack.c:118 print_address_description+0x6c/0x640 mm/kasan/report.c:385 __kasan_report mm/kasan/report.c:545 [inline] kasan_report+0x13d/0x1e0 mm/kasan/report.c:562 fb_mode_is_equal+0x36e/0x5e0 drivers/video/fbdev/core/modedb.c:924 fbcon_mode_deleted+0x16a/0x220 drivers/video/fbdev/core/fbcon.c:2746 fb_set_var+0x1e1/0xdb0 drivers/video/fbdev/core/fbmem.c:975 do_fb_ioctl+0x4d9/0x6e0 drivers/video/fbdev/core/fbmem.c:1108 vfs_ioctl fs/ioctl.c:48 [inline] __do_sys_ioctl fs/ioctl.c:753 [inline] __se_sys_ioctl+0xfb/0x170 fs/ioctl.c:739 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x44/0xa9 Freed by task 18960: kasan_save_stack mm/kasan/common.c:48 [inline] kasan_set_track+0x3d/0x70 mm/kasan/common.c:56 kasan_set_free_info+0x17/0x30 mm/kasan/generic.c:355 __kasan_slab_free+0x108/0x140 mm/kasan/common.c:422 slab_free_hook mm/slub.c:1541 [inline] slab_free_freelist_hook+0xd6/0x1a0 mm/slub.c:1574 slab_free mm/slub.c:3139 [inline] kfree+0xca/0x3d0 mm/slub.c:4121 fb_delete_videomode+0x56a/0x820 drivers/video/fbdev/core/modedb.c:1104 fb_set_var+0x1f3/0xdb0 drivers/video/fbdev/core/fbmem.c:978 do_fb_ioctl+0x4d9/0x6e0 drivers/video/fbdev/core/fbmem.c:1108 vfs_ioctl fs/ioctl.c:48 [inline] __do_sys_ioctl fs/ioctl.c:753 [inline] __se_sys_ioctl+0xfb/0x170 fs/ioctl.c:739 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x44/0xa9 CVE-2021-47338 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: jfs: fix GPF in diFree Avoid passing inode with JFS_SBI(inode->i_sb)->ipimap == NULL to diFree()[1]. GFP will appear: struct inode *ipimap = JFS_SBI(ip->i_sb)->ipimap; struct inomap *imap = JFS_IP(ipimap)->i_imap; JFS_IP() will return invalid pointer when ipimap == NULL Call Trace: diFree+0x13d/0x2dc0 fs/jfs/jfs_imap.c:853 [1] jfs_evict_inode+0x2c9/0x370 fs/jfs/inode.c:154 evict+0x2ed/0x750 fs/inode.c:578 iput_final fs/inode.c:1654 [inline] iput.part.0+0x3fe/0x820 fs/inode.c:1680 iput+0x58/0x70 fs/inode.c:1670 CVE-2021-47340 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: KVM: mmio: Fix use-after-free Read in kvm_vm_ioctl_unregister_coalesced_mmio BUG: KASAN: use-after-free in kvm_vm_ioctl_unregister_coalesced_mmio+0x7c/0x1ec arch/arm64/kvm/../../../virt/kvm/coalesced_mmio.c:183 Read of size 8 at addr ffff0000c03a2500 by task syz-executor083/4269 CPU: 5 PID: 4269 Comm: syz-executor083 Not tainted 5.10.0 #7 Hardware name: linux,dummy-virt (DT) Call trace: dump_backtrace+0x0/0x2d0 arch/arm64/kernel/stacktrace.c:132 show_stack+0x28/0x34 arch/arm64/kernel/stacktrace.c:196 __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x110/0x164 lib/dump_stack.c:118 print_address_description+0x78/0x5c8 mm/kasan/report.c:385 __kasan_report mm/kasan/report.c:545 [inline] kasan_report+0x148/0x1e4 mm/kasan/report.c:562 check_memory_region_inline mm/kasan/generic.c:183 [inline] __asan_load8+0xb4/0xbc mm/kasan/generic.c:252 kvm_vm_ioctl_unregister_coalesced_mmio+0x7c/0x1ec arch/arm64/kvm/../../../virt/kvm/coalesced_mmio.c:183 kvm_vm_ioctl+0xe30/0x14c4 arch/arm64/kvm/../../../virt/kvm/kvm_main.c:3755 vfs_ioctl fs/ioctl.c:48 [inline] __do_sys_ioctl fs/ioctl.c:753 [inline] __se_sys_ioctl fs/ioctl.c:739 [inline] __arm64_sys_ioctl+0xf88/0x131c fs/ioctl.c:739 __invoke_syscall arch/arm64/kernel/syscall.c:36 [inline] invoke_syscall arch/arm64/kernel/syscall.c:48 [inline] el0_svc_common arch/arm64/kernel/syscall.c:158 [inline] do_el0_svc+0x120/0x290 arch/arm64/kernel/syscall.c:220 el0_svc+0x1c/0x28 arch/arm64/kernel/entry-common.c:367 el0_sync_handler+0x98/0x170 arch/arm64/kernel/entry-common.c:383 el0_sync+0x140/0x180 arch/arm64/kernel/entry.S:670 Allocated by task 4269: stack_trace_save+0x80/0xb8 kernel/stacktrace.c:121 kasan_save_stack mm/kasan/common.c:48 [inline] kasan_set_track mm/kasan/common.c:56 [inline] __kasan_kmalloc+0xdc/0x120 mm/kasan/common.c:461 kasan_kmalloc+0xc/0x14 mm/kasan/common.c:475 kmem_cache_alloc_trace include/linux/slab.h:450 [inline] kmalloc include/linux/slab.h:552 [inline] kzalloc include/linux/slab.h:664 [inline] kvm_vm_ioctl_register_coalesced_mmio+0x78/0x1cc arch/arm64/kvm/../../../virt/kvm/coalesced_mmio.c:146 kvm_vm_ioctl+0x7e8/0x14c4 arch/arm64/kvm/../../../virt/kvm/kvm_main.c:3746 vfs_ioctl fs/ioctl.c:48 [inline] __do_sys_ioctl fs/ioctl.c:753 [inline] __se_sys_ioctl fs/ioctl.c:739 [inline] __arm64_sys_ioctl+0xf88/0x131c fs/ioctl.c:739 __invoke_syscall arch/arm64/kernel/syscall.c:36 [inline] invoke_syscall arch/arm64/kernel/syscall.c:48 [inline] el0_svc_common arch/arm64/kernel/syscall.c:158 [inline] do_el0_svc+0x120/0x290 arch/arm64/kernel/syscall.c:220 el0_svc+0x1c/0x28 arch/arm64/kernel/entry-common.c:367 el0_sync_handler+0x98/0x170 arch/arm64/kernel/entry-common.c:383 el0_sync+0x140/0x180 arch/arm64/kernel/entry.S:670 Freed by task 4269: stack_trace_save+0x80/0xb8 kernel/stacktrace.c:121 kasan_save_stack mm/kasan/common.c:48 [inline] kasan_set_track+0x38/0x6c mm/kasan/common.c:56 kasan_set_free_info+0x20/0x40 mm/kasan/generic.c:355 __kasan_slab_free+0x124/0x150 mm/kasan/common.c:422 kasan_slab_free+0x10/0x1c mm/kasan/common.c:431 slab_free_hook mm/slub.c:1544 [inline] slab_free_freelist_hook mm/slub.c:1577 [inline] slab_free mm/slub.c:3142 [inline] kfree+0x104/0x38c mm/slub.c:4124 coalesced_mmio_destructor+0x94/0xa4 arch/arm64/kvm/../../../virt/kvm/coalesced_mmio.c:102 kvm_iodevice_destructor include/kvm/iodev.h:61 [inline] kvm_io_bus_unregister_dev+0x248/0x280 arch/arm64/kvm/../../../virt/kvm/kvm_main.c:4374 kvm_vm_ioctl_unregister_coalesced_mmio+0x158/0x1ec arch/arm64/kvm/../../../virt/kvm/coalesced_mmio.c:186 kvm_vm_ioctl+0xe30/0x14c4 arch/arm64/kvm/../../../virt/kvm/kvm_main.c:3755 vfs_ioctl fs/ioctl.c:48 [inline] __do_sys_ioctl fs/ioctl.c:753 [inline] __se_sys_ioctl fs/ioctl.c:739 [inline] __arm64_sys_ioctl+0xf88/0x131c fs/ioctl.c:739 __invoke_syscall arch/arm64/kernel/syscall.c:36 [inline] invoke_syscall arch/arm64/kernel/sys ---truncated--- CVE-2021-47341 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: dm btree remove: assign new_root only when removal succeeds remove_raw() in dm_btree_remove() may fail due to IO read error (e.g. read the content of origin block fails during shadowing), and the value of shadow_spine::root is uninitialized, but the uninitialized value is still assign to new_root in the end of dm_btree_remove(). For dm-thin, the value of pmd->details_root or pmd->root will become an uninitialized value, so if trying to read details_info tree again out-of-bound memory may occur as showed below: general protection fault, probably for non-canonical address 0x3fdcb14c8d7520 CPU: 4 PID: 515 Comm: dmsetup Not tainted 5.13.0-rc6 Hardware name: QEMU Standard PC RIP: 0010:metadata_ll_load_ie+0x14/0x30 Call Trace: sm_metadata_count_is_more_than_one+0xb9/0xe0 dm_tm_shadow_block+0x52/0x1c0 shadow_step+0x59/0xf0 remove_raw+0xb2/0x170 dm_btree_remove+0xf4/0x1c0 dm_pool_delete_thin_device+0xc3/0x140 pool_message+0x218/0x2b0 target_message+0x251/0x290 ctl_ioctl+0x1c4/0x4d0 dm_ctl_ioctl+0xe/0x20 __x64_sys_ioctl+0x7b/0xb0 do_syscall_64+0x40/0xb0 entry_SYSCALL_64_after_hwframe+0x44/0xae Fixing it by only assign new_root when removal succeeds CVE-2021-47343 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: media: zr364xx: fix memory leak in zr364xx_start_readpipe syzbot reported memory leak in zr364xx driver. The problem was in non-freed urb in case of usb_submit_urb() fail. backtrace: [<ffffffff82baedf6>] kmalloc include/linux/slab.h:561 [inline] [<ffffffff82baedf6>] usb_alloc_urb+0x66/0xe0 drivers/usb/core/urb.c:74 [<ffffffff82f7cce8>] zr364xx_start_readpipe+0x78/0x130 drivers/media/usb/zr364xx/zr364xx.c:1022 [<ffffffff84251dfc>] zr364xx_board_init drivers/media/usb/zr364xx/zr364xx.c:1383 [inline] [<ffffffff84251dfc>] zr364xx_probe+0x6a3/0x851 drivers/media/usb/zr364xx/zr364xx.c:1516 [<ffffffff82bb6507>] usb_probe_interface+0x177/0x370 drivers/usb/core/driver.c:396 [<ffffffff826018a9>] really_probe+0x159/0x500 drivers/base/dd.c:576 CVE-2021-47344 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: wl1251: Fix possible buffer overflow in wl1251_cmd_scan Function wl1251_cmd_scan calls memcpy without checking the length. Harden by checking the length is within the maximum allowed size. CVE-2021-47347 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 important In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Avoid HDCP over-read and corruption Instead of reading the desired 5 bytes of the actual target field, the code was reading 8. This could result in a corrupted value if the trailing 3 bytes were non-zero, so instead use an appropriately sized and zero-initialized bounce buffer, and read only 5 bytes before casting to u64. CVE-2021-47348 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: powerpc/mm: Fix lockup on kernel exec fault The powerpc kernel is not prepared to handle exec faults from kernel. Especially, the function is_exec_fault() will return 'false' when an exec fault is taken by kernel, because the check is based on reading current->thread.regs->trap which contains the trap from user. For instance, when provoking a LKDTM EXEC_USERSPACE test, current->thread.regs->trap is set to SYSCALL trap (0xc00), and the fault taken by the kernel is not seen as an exec fault by set_access_flags_filter(). Commit d7df2443cd5f ("powerpc/mm: Fix spurious segfaults on radix with autonuma") made it clear and handled it properly. But later on commit d3ca587404b3 ("powerpc/mm: Fix reporting of kernel execute faults") removed that handling, introducing test based on error_code. And here is the problem, because on the 603 all upper bits of SRR1 get cleared when the TLB instruction miss handler bails out to ISI. Until commit cbd7e6ca0210 ("powerpc/fault: Avoid heavy search_exception_tables() verification"), an exec fault from kernel at a userspace address was indirectly caught by the lack of entry for that address in the exception tables. But after that commit the kernel mainly relies on KUAP or on core mm handling to catch wrong user accesses. Here the access is not wrong, so mm handles it. It is a minor fault because PAGE_EXEC is not set, set_access_flags_filter() should set PAGE_EXEC and voila. But as is_exec_fault() returns false as explained in the beginning, set_access_flags_filter() bails out without setting PAGE_EXEC flag, which leads to a forever minor exec fault. As the kernel is not prepared to handle such exec faults, the thing to do is to fire in bad_kernel_fault() for any exec fault taken by the kernel, as it was prior to commit d3ca587404b3. CVE-2021-47350 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: udf: Fix NULL pointer dereference in udf_symlink function In function udf_symlink, epos.bh is assigned with the value returned by udf_tgetblk. The function udf_tgetblk is defined in udf/misc.c and returns the value of sb_getblk function that could be NULL. Then, epos.bh is used without any check, causing a possible NULL pointer dereference when sb_getblk fails. This fix adds a check to validate the value of epos.bh. CVE-2021-47353 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/sched: Avoid data corruptions Wait for all dependencies of a job to complete before killing it to avoid data corruptions. CVE-2021-47354 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: mISDN: fix possible use-after-free in HFC_cleanup() This module's remove path calls del_timer(). However, that function does not wait until the timer handler finishes. This means that the timer handler may still be running after the driver's remove function has finished, which would result in a use-after-free. Fix by calling del_timer_sync(), which makes sure the timer handler has finished, and unable to re-schedule itself. CVE-2021-47356 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: enetc: Fix illegal access when reading affinity_hint irq_set_affinity_hit() stores a reference to the cpumask_t parameter in the irq descriptor, and that reference can be accessed later from irq_affinity_hint_proc_show(). Since the cpu_mask parameter passed to irq_set_affinity_hit() has only temporary storage (it's on the stack memory), later accesses to it are illegal. Thus reads from the corresponding procfs affinity_hint file can result in paging request oops. The issue is fixed by the get_cpu_mask() helper, which provides a permanent storage for the cpumask_t parameter. CVE-2021-47368 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: s390/qeth: fix NULL deref in qeth_clear_working_pool_list() When qeth_set_online() calls qeth_clear_working_pool_list() to roll back after an error exit from qeth_hardsetup_card(), we are at risk of accessing card->qdio.in_q before it was allocated by qeth_alloc_qdio_queues() via qeth_mpc_initialize(). qeth_clear_working_pool_list() then dereferences NULL, and by writing to queue->bufs[i].pool_entry scribbles all over the CPU's lowcore. Resulting in a crash when those lowcore areas are used next (eg. on the next machine-check interrupt). Such a scenario would typically happen when the device is first set online and its queues aren't allocated yet. An early IO error or certain misconfigs (eg. mismatched transport mode, bad portno) then cause us to error out from qeth_hardsetup_card() with card->qdio.in_q still being NULL. Fix it by checking the pointer for NULL before accessing it. Note that we also have (rare) paths inside qeth_mpc_initialize() where a configuration change can cause us to free the existing queues, expecting that subsequent code will allocate them again. If we then error out before that re-allocation happens, the same bug occurs. Root-caused-by: Heiko Carstens <hca@linux.ibm.com> CVE-2021-47369 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: net: macb: fix use after free on rmmod plat_dev->dev->platform_data is released by platform_device_unregister(), use of pclk and hclk is a use-after-free. Since device unregister won't need a clk device we adjust the function call sequence to fix this issue. [ 31.261225] BUG: KASAN: use-after-free in macb_remove+0x77/0xc6 [macb_pci] [ 31.275563] Freed by task 306: [ 30.276782] platform_device_release+0x25/0x80 CVE-2021-47372 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 important In the Linux kernel, the following vulnerability has been resolved: blktrace: Fix uaf in blk_trace access after removing by sysfs There is an use-after-free problem triggered by following process: P1(sda) P2(sdb) echo 0 > /sys/block/sdb/trace/enable blk_trace_remove_queue synchronize_rcu blk_trace_free relay_close rcu_read_lock __blk_add_trace trace_note_tsk (Iterate running_trace_list) relay_close_buf relay_destroy_buf kfree(buf) trace_note(sdb's bt) relay_reserve buf->offset <- nullptr deference (use-after-free) !!! rcu_read_unlock [ 502.714379] BUG: kernel NULL pointer dereference, address: 0000000000000010 [ 502.715260] #PF: supervisor read access in kernel mode [ 502.715903] #PF: error_code(0x0000) - not-present page [ 502.716546] PGD 103984067 P4D 103984067 PUD 17592b067 PMD 0 [ 502.717252] Oops: 0000 [#1] SMP [ 502.720308] RIP: 0010:trace_note.isra.0+0x86/0x360 [ 502.732872] Call Trace: [ 502.733193] __blk_add_trace.cold+0x137/0x1a3 [ 502.733734] blk_add_trace_rq+0x7b/0xd0 [ 502.734207] blk_add_trace_rq_issue+0x54/0xa0 [ 502.734755] blk_mq_start_request+0xde/0x1b0 [ 502.735287] scsi_queue_rq+0x528/0x1140 ... [ 502.742704] sg_new_write.isra.0+0x16e/0x3e0 [ 502.747501] sg_ioctl+0x466/0x1100 Reproduce method: ioctl(/dev/sda, BLKTRACESETUP, blk_user_trace_setup[buf_size=127]) ioctl(/dev/sda, BLKTRACESTART) ioctl(/dev/sdb, BLKTRACESETUP, blk_user_trace_setup[buf_size=127]) ioctl(/dev/sdb, BLKTRACESTART) echo 0 > /sys/block/sdb/trace/enable & // Add delay(mdelay/msleep) before kernel enters blk_trace_free() ioctl$SG_IO(/dev/sda, SG_IO, ...) // Enters trace_note_tsk() after blk_trace_free() returned // Use mdelay in rcu region rather than msleep(which may schedule out) Remove blk_trace from running_list before calling blk_trace_free() by sysfs if blk_trace is at Blktrace_running state. CVE-2021-47375 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 important In the Linux kernel, the following vulnerability has been resolved: nvme-rdma: destroy cm id before destroy qp to avoid use after free We should always destroy cm_id before destroy qp to avoid to get cma event after qp was destroyed, which may lead to use after free. In RDMA connection establishment error flow, don't destroy qp in cm event handler.Just report cm_error to upper level, qp will be destroy in nvme_rdma_alloc_queue() after destroy cm id. CVE-2021-47378 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 important In the Linux kernel, the following vulnerability has been resolved: blk-cgroup: fix UAF by grabbing blkcg lock before destroying blkg pd KASAN reports a use-after-free report when doing fuzz test: [693354.104835] ================================================================== [693354.105094] BUG: KASAN: use-after-free in bfq_io_set_weight_legacy+0xd3/0x160 [693354.105336] Read of size 4 at addr ffff888be0a35664 by task sh/1453338 [693354.105607] CPU: 41 PID: 1453338 Comm: sh Kdump: loaded Not tainted 4.18.0-147 [693354.105610] Hardware name: Huawei 2288H V5/BC11SPSCB0, BIOS 0.81 07/02/2018 [693354.105612] Call Trace: [693354.105621] dump_stack+0xf1/0x19b [693354.105626] ? show_regs_print_info+0x5/0x5 [693354.105634] ? printk+0x9c/0xc3 [693354.105638] ? cpumask_weight+0x1f/0x1f [693354.105648] print_address_description+0x70/0x360 [693354.105654] kasan_report+0x1b2/0x330 [693354.105659] ? bfq_io_set_weight_legacy+0xd3/0x160 [693354.105665] ? bfq_io_set_weight_legacy+0xd3/0x160 [693354.105670] bfq_io_set_weight_legacy+0xd3/0x160 [693354.105675] ? bfq_cpd_init+0x20/0x20 [693354.105683] cgroup_file_write+0x3aa/0x510 [693354.105693] ? ___slab_alloc+0x507/0x540 [693354.105698] ? cgroup_file_poll+0x60/0x60 [693354.105702] ? 0xffffffff89600000 [693354.105708] ? usercopy_abort+0x90/0x90 [693354.105716] ? mutex_lock+0xef/0x180 [693354.105726] kernfs_fop_write+0x1ab/0x280 [693354.105732] ? cgroup_file_poll+0x60/0x60 [693354.105738] vfs_write+0xe7/0x230 [693354.105744] ksys_write+0xb0/0x140 [693354.105749] ? __ia32_sys_read+0x50/0x50 [693354.105760] do_syscall_64+0x112/0x370 [693354.105766] ? syscall_return_slowpath+0x260/0x260 [693354.105772] ? do_page_fault+0x9b/0x270 [693354.105779] ? prepare_exit_to_usermode+0xf9/0x1a0 [693354.105784] ? enter_from_user_mode+0x30/0x30 [693354.105793] entry_SYSCALL_64_after_hwframe+0x65/0xca [693354.105875] Allocated by task 1453337: [693354.106001] kasan_kmalloc+0xa0/0xd0 [693354.106006] kmem_cache_alloc_node_trace+0x108/0x220 [693354.106010] bfq_pd_alloc+0x96/0x120 [693354.106015] blkcg_activate_policy+0x1b7/0x2b0 [693354.106020] bfq_create_group_hierarchy+0x1e/0x80 [693354.106026] bfq_init_queue+0x678/0x8c0 [693354.106031] blk_mq_init_sched+0x1f8/0x460 [693354.106037] elevator_switch_mq+0xe1/0x240 [693354.106041] elevator_switch+0x25/0x40 [693354.106045] elv_iosched_store+0x1a1/0x230 [693354.106049] queue_attr_store+0x78/0xb0 [693354.106053] kernfs_fop_write+0x1ab/0x280 [693354.106056] vfs_write+0xe7/0x230 [693354.106060] ksys_write+0xb0/0x140 [693354.106064] do_syscall_64+0x112/0x370 [693354.106069] entry_SYSCALL_64_after_hwframe+0x65/0xca [693354.106114] Freed by task 1453336: [693354.106225] __kasan_slab_free+0x130/0x180 [693354.106229] kfree+0x90/0x1b0 [693354.106233] blkcg_deactivate_policy+0x12c/0x220 [693354.106238] bfq_exit_queue+0xf5/0x110 [693354.106241] blk_mq_exit_sched+0x104/0x130 [693354.106245] __elevator_exit+0x45/0x60 [693354.106249] elevator_switch_mq+0xd6/0x240 [693354.106253] elevator_switch+0x25/0x40 [693354.106257] elv_iosched_store+0x1a1/0x230 [693354.106261] queue_attr_store+0x78/0xb0 [693354.106264] kernfs_fop_write+0x1ab/0x280 [693354.106268] vfs_write+0xe7/0x230 [693354.106271] ksys_write+0xb0/0x140 [693354.106275] do_syscall_64+0x112/0x370 [693354.106280] entry_SYSCALL_64_after_hwframe+0x65/0xca [693354.106329] The buggy address belongs to the object at ffff888be0a35580 which belongs to the cache kmalloc-1k of size 1024 [693354.106736] The buggy address is located 228 bytes inside of 1024-byte region [ffff888be0a35580, ffff888be0a35980) [693354.107114] The buggy address belongs to the page: [693354.107273] page:ffffea002f828c00 count:1 mapcount:0 mapping:ffff888107c17080 index:0x0 compound_mapcount: 0 [693354.107606] flags: 0x17ffffc0008100(slab|head) [693354.107760] raw: 0017ffffc0008100 ffffea002fcbc808 ffffea0030bd3a08 ffff888107c17080 [693354.108020] r ---truncated--- CVE-2021-47379 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: ASoC: SOF: Fix DSP oops stack dump output contents Fix @buf arg given to hex_dump_to_buffer() and stack address used in dump error output. CVE-2021-47381 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: s390/qeth: fix deadlock during failing recovery Commit 0b9902c1fcc5 ("s390/qeth: fix deadlock during recovery") removed taking discipline_mutex inside qeth_do_reset(), fixing potential deadlocks. An error path was missed though, that still takes discipline_mutex and thus has the original deadlock potential. Intermittent deadlocks were seen when a qeth channel path is configured offline, causing a race between qeth_do_reset and ccwgroup_remove. Call qeth_set_offline() directly in the qeth_do_reset() error case and then a new variant of ccwgroup_set_offline(), without taking discipline_mutex. CVE-2021-47382 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: tty: Fix out-of-bound vmalloc access in imageblit This issue happens when a userspace program does an ioctl FBIOPUT_VSCREENINFO passing the fb_var_screeninfo struct containing only the fields xres, yres, and bits_per_pixel with values. If this struct is the same as the previous ioctl, the vc_resize() detects it and doesn't call the resize_screen(), leaving the fb_var_screeninfo incomplete. And this leads to the updatescrollmode() calculates a wrong value to fbcon_display->vrows, which makes the real_y() return a wrong value of y, and that value, eventually, causes the imageblit to access an out-of-bound address value. To solve this issue I made the resize_screen() be called even if the screen does not need any resizing, so it will "fix and fill" the fb_var_screeninfo independently. CVE-2021-47383 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 important In the Linux kernel, the following vulnerability has been resolved: cpufreq: schedutil: Use kobject release() method to free sugov_tunables The struct sugov_tunables is protected by the kobject, so we can't free it directly. Otherwise we would get a call trace like this: ODEBUG: free active (active state 0) object type: timer_list hint: delayed_work_timer_fn+0x0/0x30 WARNING: CPU: 3 PID: 720 at lib/debugobjects.c:505 debug_print_object+0xb8/0x100 Modules linked in: CPU: 3 PID: 720 Comm: a.sh Tainted: G W 5.14.0-rc1-next-20210715-yocto-standard+ #507 Hardware name: Marvell OcteonTX CN96XX board (DT) pstate: 40400009 (nZcv daif +PAN -UAO -TCO BTYPE=--) pc : debug_print_object+0xb8/0x100 lr : debug_print_object+0xb8/0x100 sp : ffff80001ecaf910 x29: ffff80001ecaf910 x28: ffff00011b10b8d0 x27: ffff800011043d80 x26: ffff00011a8f0000 x25: ffff800013cb3ff0 x24: 0000000000000000 x23: ffff80001142aa68 x22: ffff800011043d80 x21: ffff00010de46f20 x20: ffff800013c0c520 x19: ffff800011d8f5b0 x18: 0000000000000010 x17: 6e6968207473696c x16: 5f72656d6974203a x15: 6570797420746365 x14: 6a626f2029302065 x13: 303378302f307830 x12: 2b6e665f72656d69 x11: ffff8000124b1560 x10: ffff800012331520 x9 : ffff8000100ca6b0 x8 : 000000000017ffe8 x7 : c0000000fffeffff x6 : 0000000000000001 x5 : ffff800011d8c000 x4 : ffff800011d8c740 x3 : 0000000000000000 x2 : ffff0001108301c0 x1 : ab3c90eedf9c0f00 x0 : 0000000000000000 Call trace: debug_print_object+0xb8/0x100 __debug_check_no_obj_freed+0x1c0/0x230 debug_check_no_obj_freed+0x20/0x88 slab_free_freelist_hook+0x154/0x1c8 kfree+0x114/0x5d0 sugov_exit+0xbc/0xc0 cpufreq_exit_governor+0x44/0x90 cpufreq_set_policy+0x268/0x4a8 store_scaling_governor+0xe0/0x128 store+0xc0/0xf0 sysfs_kf_write+0x54/0x80 kernfs_fop_write_iter+0x128/0x1c0 new_sync_write+0xf0/0x190 vfs_write+0x2d4/0x478 ksys_write+0x74/0x100 __arm64_sys_write+0x24/0x30 invoke_syscall.constprop.0+0x54/0xe0 do_el0_svc+0x64/0x158 el0_svc+0x2c/0xb0 el0t_64_sync_handler+0xb0/0xb8 el0t_64_sync+0x198/0x19c irq event stamp: 5518 hardirqs last enabled at (5517): [<ffff8000100cbd7c>] console_unlock+0x554/0x6c8 hardirqs last disabled at (5518): [<ffff800010fc0638>] el1_dbg+0x28/0xa0 softirqs last enabled at (5504): [<ffff8000100106e0>] __do_softirq+0x4d0/0x6c0 softirqs last disabled at (5483): [<ffff800010049548>] irq_exit+0x1b0/0x1b8 So split the original sugov_tunables_free() into two functions, sugov_clear_global_tunables() is just used to clear the global_tunables and the new sugov_tunables_free() is used as kobj_type::release to release the sugov_tunables safely. CVE-2021-47387 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: mac80211: fix use-after-free in CCMP/GCMP RX When PN checking is done in mac80211, for fragmentation we need to copy the PN to the RX struct so we can later use it to do a comparison, since commit bf30ca922a0c ("mac80211: check defrag PN against current frame"). Unfortunately, in that commit I used the 'hdr' variable without it being necessarily valid, so use-after-free could occur if it was necessary to reallocate (parts of) the frame. Fix this by reloading the variable after the code that results in the reallocations, if any. This fixes https://bugzilla.kernel.org/show_bug.cgi?id=214401. CVE-2021-47388 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: RDMA/cma: Ensure rdma_addr_cancel() happens before issuing more requests The FSM can run in a circle allowing rdma_resolve_ip() to be called twice on the same id_priv. While this cannot happen without going through the work, it violates the invariant that the same address resolution background request cannot be active twice. CPU 1 CPU 2 rdma_resolve_addr(): RDMA_CM_IDLE -> RDMA_CM_ADDR_QUERY rdma_resolve_ip(addr_handler) #1 process_one_req(): for #1 addr_handler(): RDMA_CM_ADDR_QUERY -> RDMA_CM_ADDR_BOUND mutex_unlock(&id_priv->handler_mutex); [.. handler still running ..] rdma_resolve_addr(): RDMA_CM_ADDR_BOUND -> RDMA_CM_ADDR_QUERY rdma_resolve_ip(addr_handler) !! two requests are now on the req_list rdma_destroy_id(): destroy_id_handler_unlock(): _destroy_id(): cma_cancel_operation(): rdma_addr_cancel() // process_one_req() self removes it spin_lock_bh(&lock); cancel_delayed_work(&req->work); if (!list_empty(&req->list)) == true ! rdma_addr_cancel() returns after process_on_req #1 is done kfree(id_priv) process_one_req(): for #2 addr_handler(): mutex_lock(&id_priv->handler_mutex); !! Use after free on id_priv rdma_addr_cancel() expects there to be one req on the list and only cancels the first one. The self-removal behavior of the work only happens after the handler has returned. This yields a situations where the req_list can have two reqs for the same "handle" but rdma_addr_cancel() only cancels the first one. The second req remains active beyond rdma_destroy_id() and will use-after-free id_priv once it inevitably triggers. Fix this by remembering if the id_priv has called rdma_resolve_ip() and always cancel before calling it again. This ensures the req_list never gets more than one item in it and doesn't cost anything in the normal flow that never uses this strange error path. CVE-2021-47391 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 important In the Linux kernel, the following vulnerability has been resolved: RDMA/cma: Fix listener leak in rdma_cma_listen_on_all() failure If cma_listen_on_all() fails it leaves the per-device ID still on the listen_list but the state is not set to RDMA_CM_ADDR_BOUND. When the cmid is eventually destroyed cma_cancel_listens() is not called due to the wrong state, however the per-device IDs are still holding the refcount preventing the ID from being destroyed, thus deadlocking: task:rping state:D stack: 0 pid:19605 ppid: 47036 flags:0x00000084 Call Trace: __schedule+0x29a/0x780 ? free_unref_page_commit+0x9b/0x110 schedule+0x3c/0xa0 schedule_timeout+0x215/0x2b0 ? __flush_work+0x19e/0x1e0 wait_for_completion+0x8d/0xf0 _destroy_id+0x144/0x210 [rdma_cm] ucma_close_id+0x2b/0x40 [rdma_ucm] __destroy_id+0x93/0x2c0 [rdma_ucm] ? __xa_erase+0x4a/0xa0 ucma_destroy_id+0x9a/0x120 [rdma_ucm] ucma_write+0xb8/0x130 [rdma_ucm] vfs_write+0xb4/0x250 ksys_write+0xb5/0xd0 ? syscall_trace_enter.isra.19+0x123/0x190 do_syscall_64+0x33/0x40 entry_SYSCALL_64_after_hwframe+0x44/0xa9 Ensure that cma_listen_on_all() atomically unwinds its action under the lock during error. CVE-2021-47392 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: hwmon: (mlxreg-fan) Return non-zero value when fan current state is enforced from sysfs Fan speed minimum can be enforced from sysfs. For example, setting current fan speed to 20 is used to enforce fan speed to be at 100% speed, 19 - to be not below 90% speed, etcetera. This feature provides ability to limit fan speed according to some system wise considerations, like absence of some replaceable units or high system ambient temperature. Request for changing fan minimum speed is configuration request and can be set only through 'sysfs' write procedure. In this situation value of argument 'state' is above nominal fan speed maximum. Return non-zero code in this case to avoid thermal_cooling_device_stats_update() call, because in this case statistics update violates thermal statistics table range. The issues is observed in case kernel is configured with option CONFIG_THERMAL_STATISTICS. Here is the trace from KASAN: [ 159.506659] BUG: KASAN: slab-out-of-bounds in thermal_cooling_device_stats_update+0x7d/0xb0 [ 159.516016] Read of size 4 at addr ffff888116163840 by task hw-management.s/7444 [ 159.545625] Call Trace: [ 159.548366] dump_stack+0x92/0xc1 [ 159.552084] ? thermal_cooling_device_stats_update+0x7d/0xb0 [ 159.635869] thermal_zone_device_update+0x345/0x780 [ 159.688711] thermal_zone_device_set_mode+0x7d/0xc0 [ 159.694174] mlxsw_thermal_modules_init+0x48f/0x590 [mlxsw_core] [ 159.700972] ? mlxsw_thermal_set_cur_state+0x5a0/0x5a0 [mlxsw_core] [ 159.731827] mlxsw_thermal_init+0x763/0x880 [mlxsw_core] [ 160.070233] RIP: 0033:0x7fd995909970 [ 160.074239] Code: 73 01 c3 48 8b 0d 28 d5 2b 00 f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 83 3d 99 2d 2c 00 00 75 10 b8 01 00 00 00 0f 05 <48> 3d 01 f0 ff .. [ 160.095242] RSP: 002b:00007fff54f5d938 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 [ 160.103722] RAX: ffffffffffffffda RBX: 0000000000000013 RCX: 00007fd995909970 [ 160.111710] RDX: 0000000000000013 RSI: 0000000001906008 RDI: 0000000000000001 [ 160.119699] RBP: 0000000001906008 R08: 00007fd995bc9760 R09: 00007fd996210700 [ 160.127687] R10: 0000000000000073 R11: 0000000000000246 R12: 0000000000000013 [ 160.135673] R13: 0000000000000001 R14: 00007fd995bc8600 R15: 0000000000000013 [ 160.143671] [ 160.145338] Allocated by task 2924: [ 160.149242] kasan_save_stack+0x19/0x40 [ 160.153541] __kasan_kmalloc+0x7f/0xa0 [ 160.157743] __kmalloc+0x1a2/0x2b0 [ 160.161552] thermal_cooling_device_setup_sysfs+0xf9/0x1a0 [ 160.167687] __thermal_cooling_device_register+0x1b5/0x500 [ 160.173833] devm_thermal_of_cooling_device_register+0x60/0xa0 [ 160.180356] mlxreg_fan_probe+0x474/0x5e0 [mlxreg_fan] [ 160.248140] [ 160.249807] The buggy address belongs to the object at ffff888116163400 [ 160.249807] which belongs to the cache kmalloc-1k of size 1024 [ 160.263814] The buggy address is located 64 bytes to the right of [ 160.263814] 1024-byte region [ffff888116163400, ffff888116163800) [ 160.277536] The buggy address belongs to the page: [ 160.282898] page:0000000012275840 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff888116167000 pfn:0x116160 [ 160.294872] head:0000000012275840 order:3 compound_mapcount:0 compound_pincount:0 [ 160.303251] flags: 0x200000000010200(slab|head|node=0|zone=2) [ 160.309694] raw: 0200000000010200 ffffea00046f7208 ffffea0004928208 ffff88810004dbc0 [ 160.318367] raw: ffff888116167000 00000000000a0006 00000001ffffffff 0000000000000000 [ 160.327033] page dumped because: kasan: bad access detected [ 160.333270] [ 160.334937] Memory state around the buggy address: [ 160.356469] >ffff888116163800: fc .. CVE-2021-47393 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: mac80211: limit injected vht mcs/nss in ieee80211_parse_tx_radiotap Limit max values for vht mcs and nss in ieee80211_parse_tx_radiotap routine in order to fix the following warning reported by syzbot: WARNING: CPU: 0 PID: 10717 at include/net/mac80211.h:989 ieee80211_rate_set_vht include/net/mac80211.h:989 [inline] WARNING: CPU: 0 PID: 10717 at include/net/mac80211.h:989 ieee80211_parse_tx_radiotap+0x101e/0x12d0 net/mac80211/tx.c:2244 Modules linked in: CPU: 0 PID: 10717 Comm: syz-executor.5 Not tainted 5.14.0-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 RIP: 0010:ieee80211_rate_set_vht include/net/mac80211.h:989 [inline] RIP: 0010:ieee80211_parse_tx_radiotap+0x101e/0x12d0 net/mac80211/tx.c:2244 RSP: 0018:ffffc9000186f3e8 EFLAGS: 00010216 RAX: 0000000000000618 RBX: ffff88804ef76500 RCX: ffffc900143a5000 RDX: 0000000000040000 RSI: ffffffff888f478e RDI: 0000000000000003 RBP: 00000000ffffffff R08: 0000000000000000 R09: 0000000000000100 R10: ffffffff888f46f9 R11: 0000000000000000 R12: 00000000fffffff8 R13: ffff88804ef7653c R14: 0000000000000001 R15: 0000000000000004 FS: 00007fbf5718f700(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000001b2de23000 CR3: 000000006a671000 CR4: 00000000001506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000600 Call Trace: ieee80211_monitor_select_queue+0xa6/0x250 net/mac80211/iface.c:740 netdev_core_pick_tx+0x169/0x2e0 net/core/dev.c:4089 __dev_queue_xmit+0x6f9/0x3710 net/core/dev.c:4165 __bpf_tx_skb net/core/filter.c:2114 [inline] __bpf_redirect_no_mac net/core/filter.c:2139 [inline] __bpf_redirect+0x5ba/0xd20 net/core/filter.c:2162 ____bpf_clone_redirect net/core/filter.c:2429 [inline] bpf_clone_redirect+0x2ae/0x420 net/core/filter.c:2401 bpf_prog_eeb6f53a69e5c6a2+0x59/0x234 bpf_dispatcher_nop_func include/linux/bpf.h:717 [inline] __bpf_prog_run include/linux/filter.h:624 [inline] bpf_prog_run include/linux/filter.h:631 [inline] bpf_test_run+0x381/0xa30 net/bpf/test_run.c:119 bpf_prog_test_run_skb+0xb84/0x1ee0 net/bpf/test_run.c:663 bpf_prog_test_run kernel/bpf/syscall.c:3307 [inline] __sys_bpf+0x2137/0x5df0 kernel/bpf/syscall.c:4605 __do_sys_bpf kernel/bpf/syscall.c:4691 [inline] __se_sys_bpf kernel/bpf/syscall.c:4689 [inline] __x64_sys_bpf+0x75/0xb0 kernel/bpf/syscall.c:4689 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x44/0xae RIP: 0033:0x4665f9 CVE-2021-47395 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: mac80211-hwsim: fix late beacon hrtimer handling Thomas explained in https://lore.kernel.org/r/87mtoeb4hb.ffs@tglx that our handling of the hrtimer here is wrong: If the timer fires late (e.g. due to vCPU scheduling, as reported by Dmitry/syzbot) then it tries to actually rearm the timer at the next deadline, which might be in the past already: 1 2 3 N N+1 | | | ... | | ^ intended to fire here (1) ^ next deadline here (2) ^ actually fired here The next time it fires, it's later, but will still try to schedule for the next deadline (now 3), etc. until it catches up with N, but that might take a long time, causing stalls etc. Now, all of this is simulation, so we just have to fix it, but note that the behaviour is wrong even per spec, since there's no value then in sending all those beacons unaligned - they should be aligned to the TBTT (1, 2, 3, ... in the picture), and if we're a bit (or a lot) late, then just resume at that point. Therefore, change the code to use hrtimer_forward_now() which will ensure that the next firing of the timer would be at N+1 (in the picture), i.e. the next interval point after the current time. CVE-2021-47396 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: ixgbe: Fix NULL pointer dereference in ixgbe_xdp_setup The ixgbe driver currently generates a NULL pointer dereference with some machine (online cpus < 63). This is due to the fact that the maximum value of num_xdp_queues is nr_cpu_ids. Code is in "ixgbe_set_rss_queues"". Here's how the problem repeats itself: Some machine (online cpus < 63), And user set num_queues to 63 through ethtool. Code is in the "ixgbe_set_channels", adapter->ring_feature[RING_F_FDIR].limit = count; It becomes 63. When user use xdp, "ixgbe_set_rss_queues" will set queues num. adapter->num_rx_queues = rss_i; adapter->num_tx_queues = rss_i; adapter->num_xdp_queues = ixgbe_xdp_queues(adapter); And rss_i's value is from f = &adapter->ring_feature[RING_F_FDIR]; rss_i = f->indices = f->limit; So "num_rx_queues" > "num_xdp_queues", when run to "ixgbe_xdp_setup", for (i = 0; i < adapter->num_rx_queues; i++) if (adapter->xdp_ring[i]->xsk_umem) It leads to panic. Call trace: [exception RIP: ixgbe_xdp+368] RIP: ffffffffc02a76a0 RSP: ffff9fe16202f8d0 RFLAGS: 00010297 RAX: 0000000000000000 RBX: 0000000000000020 RCX: 0000000000000000 RDX: 0000000000000000 RSI: 000000000000001c RDI: ffffffffa94ead90 RBP: ffff92f8f24c0c18 R8: 0000000000000000 R9: 0000000000000000 R10: ffff9fe16202f830 R11: 0000000000000000 R12: ffff92f8f24c0000 R13: ffff9fe16202fc01 R14: 000000000000000a R15: ffffffffc02a7530 ORIG_RAX: ffffffffffffffff CS: 0010 SS: 0018 7 [ffff9fe16202f8f0] dev_xdp_install at ffffffffa89fbbcc 8 [ffff9fe16202f920] dev_change_xdp_fd at ffffffffa8a08808 9 [ffff9fe16202f960] do_setlink at ffffffffa8a20235 10 [ffff9fe16202fa88] rtnl_setlink at ffffffffa8a20384 11 [ffff9fe16202fc78] rtnetlink_rcv_msg at ffffffffa8a1a8dd 12 [ffff9fe16202fcf0] netlink_rcv_skb at ffffffffa8a717eb 13 [ffff9fe16202fd40] netlink_unicast at ffffffffa8a70f88 14 [ffff9fe16202fd80] netlink_sendmsg at ffffffffa8a71319 15 [ffff9fe16202fdf0] sock_sendmsg at ffffffffa89df290 16 [ffff9fe16202fe08] __sys_sendto at ffffffffa89e19c8 17 [ffff9fe16202ff30] __x64_sys_sendto at ffffffffa89e1a64 18 [ffff9fe16202ff38] do_syscall_64 at ffffffffa84042b9 19 [ffff9fe16202ff50] entry_SYSCALL_64_after_hwframe at ffffffffa8c0008c So I fix ixgbe_max_channels so that it will not allow a setting of queues to be higher than the num_online_cpus(). And when run to ixgbe_xdp_setup, take the smaller value of num_rx_queues and num_xdp_queues. CVE-2021-47399 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: net: sched: flower: protect fl_walk() with rcu Patch that refactored fl_walk() to use idr_for_each_entry_continue_ul() also removed rcu protection of individual filters which causes following use-after-free when filter is deleted concurrently. Fix fl_walk() to obtain rcu read lock while iterating and taking the filter reference and temporary release the lock while calling arg->fn() callback that can sleep. KASAN trace: [ 352.773640] ================================================================== [ 352.775041] BUG: KASAN: use-after-free in fl_walk+0x159/0x240 [cls_flower] [ 352.776304] Read of size 4 at addr ffff8881c8251480 by task tc/2987 [ 352.777862] CPU: 3 PID: 2987 Comm: tc Not tainted 5.15.0-rc2+ #2 [ 352.778980] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 [ 352.781022] Call Trace: [ 352.781573] dump_stack_lvl+0x46/0x5a [ 352.782332] print_address_description.constprop.0+0x1f/0x140 [ 352.783400] ? fl_walk+0x159/0x240 [cls_flower] [ 352.784292] ? fl_walk+0x159/0x240 [cls_flower] [ 352.785138] kasan_report.cold+0x83/0xdf [ 352.785851] ? fl_walk+0x159/0x240 [cls_flower] [ 352.786587] kasan_check_range+0x145/0x1a0 [ 352.787337] fl_walk+0x159/0x240 [cls_flower] [ 352.788163] ? fl_put+0x10/0x10 [cls_flower] [ 352.789007] ? __mutex_unlock_slowpath.constprop.0+0x220/0x220 [ 352.790102] tcf_chain_dump+0x231/0x450 [ 352.790878] ? tcf_chain_tp_delete_empty+0x170/0x170 [ 352.791833] ? __might_sleep+0x2e/0xc0 [ 352.792594] ? tfilter_notify+0x170/0x170 [ 352.793400] ? __mutex_unlock_slowpath.constprop.0+0x220/0x220 [ 352.794477] tc_dump_tfilter+0x385/0x4b0 [ 352.795262] ? tc_new_tfilter+0x1180/0x1180 [ 352.796103] ? __mod_node_page_state+0x1f/0xc0 [ 352.796974] ? __build_skb_around+0x10e/0x130 [ 352.797826] netlink_dump+0x2c0/0x560 [ 352.798563] ? netlink_getsockopt+0x430/0x430 [ 352.799433] ? __mutex_unlock_slowpath.constprop.0+0x220/0x220 [ 352.800542] __netlink_dump_start+0x356/0x440 [ 352.801397] rtnetlink_rcv_msg+0x3ff/0x550 [ 352.802190] ? tc_new_tfilter+0x1180/0x1180 [ 352.802872] ? rtnl_calcit.isra.0+0x1f0/0x1f0 [ 352.803668] ? tc_new_tfilter+0x1180/0x1180 [ 352.804344] ? _copy_from_iter_nocache+0x800/0x800 [ 352.805202] ? kasan_set_track+0x1c/0x30 [ 352.805900] netlink_rcv_skb+0xc6/0x1f0 [ 352.806587] ? rht_deferred_worker+0x6b0/0x6b0 [ 352.807455] ? rtnl_calcit.isra.0+0x1f0/0x1f0 [ 352.808324] ? netlink_ack+0x4d0/0x4d0 [ 352.809086] ? netlink_deliver_tap+0x62/0x3d0 [ 352.809951] netlink_unicast+0x353/0x480 [ 352.810744] ? netlink_attachskb+0x430/0x430 [ 352.811586] ? __alloc_skb+0xd7/0x200 [ 352.812349] netlink_sendmsg+0x396/0x680 [ 352.813132] ? netlink_unicast+0x480/0x480 [ 352.813952] ? __import_iovec+0x192/0x210 [ 352.814759] ? netlink_unicast+0x480/0x480 [ 352.815580] sock_sendmsg+0x6c/0x80 [ 352.816299] ____sys_sendmsg+0x3a5/0x3c0 [ 352.817096] ? kernel_sendmsg+0x30/0x30 [ 352.817873] ? __ia32_sys_recvmmsg+0x150/0x150 [ 352.818753] ___sys_sendmsg+0xd8/0x140 [ 352.819518] ? sendmsg_copy_msghdr+0x110/0x110 [ 352.820402] ? ___sys_recvmsg+0xf4/0x1a0 [ 352.821110] ? __copy_msghdr_from_user+0x260/0x260 [ 352.821934] ? _raw_spin_lock+0x81/0xd0 [ 352.822680] ? __handle_mm_fault+0xef3/0x1b20 [ 352.823549] ? rb_insert_color+0x2a/0x270 [ 352.824373] ? copy_page_range+0x16b0/0x16b0 [ 352.825209] ? perf_event_update_userpage+0x2d0/0x2d0 [ 352.826190] ? __fget_light+0xd9/0xf0 [ 352.826941] __sys_sendmsg+0xb3/0x130 [ 352.827613] ? __sys_sendmsg_sock+0x20/0x20 [ 352.828377] ? do_user_addr_fault+0x2c5/0x8a0 [ 352.829184] ? fpregs_assert_state_consistent+0x52/0x60 [ 352.830001] ? exit_to_user_mode_prepare+0x32/0x160 [ 352.830845] do_syscall_64+0x35/0x80 [ 352.831445] entry_SYSCALL_64_after_hwframe+0x44/0xae [ 352.832331] RIP: 0033:0x7f7bee973c17 [ ---truncated--- CVE-2021-47402 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: HID: betop: fix slab-out-of-bounds Write in betop_probe Syzbot reported slab-out-of-bounds Write bug in hid-betopff driver. The problem is the driver assumes the device must have an input report but some malicious devices violate this assumption. So this patch checks hid_device's input is non empty before it's been used. CVE-2021-47404 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: HID: usbhid: free raw_report buffers in usbhid_stop Free the unsent raw_report buffers when the device is removed. Fixes a memory leak reported by syzbot at: https://syzkaller.appspot.com/bug?id=7b4fa7cb1a7c2d3342a2a8a6c53371c8c418ab47 CVE-2021-47405 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: usb: dwc2: check return value after calling platform_get_resource() It will cause null-ptr-deref if platform_get_resource() returns NULL, we need check the return value. CVE-2021-47409 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: usb: chipidea: ci_hdrc_imx: Also search for 'phys' phandle When passing 'phys' in the devicetree to describe the USB PHY phandle (which is the recommended way according to Documentation/devicetree/bindings/usb/ci-hdrc-usb2.txt) the following NULL pointer dereference is observed on i.MX7 and i.MX8MM: [ 1.489344] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000098 [ 1.498170] Mem abort info: [ 1.500966] ESR = 0x96000044 [ 1.504030] EC = 0x25: DABT (current EL), IL = 32 bits [ 1.509356] SET = 0, FnV = 0 [ 1.512416] EA = 0, S1PTW = 0 [ 1.515569] FSC = 0x04: level 0 translation fault [ 1.520458] Data abort info: [ 1.523349] ISV = 0, ISS = 0x00000044 [ 1.527196] CM = 0, WnR = 1 [ 1.530176] [0000000000000098] user address but active_mm is swapper [ 1.536544] Internal error: Oops: 96000044 [#1] PREEMPT SMP [ 1.542125] Modules linked in: [ 1.545190] CPU: 3 PID: 7 Comm: kworker/u8:0 Not tainted 5.14.0-dirty #3 [ 1.551901] Hardware name: Kontron i.MX8MM N801X S (DT) [ 1.557133] Workqueue: events_unbound deferred_probe_work_func [ 1.562984] pstate: 80000005 (Nzcv daif -PAN -UAO -TCO BTYPE=--) [ 1.568998] pc : imx7d_charger_detection+0x3f0/0x510 [ 1.573973] lr : imx7d_charger_detection+0x22c/0x510 This happens because the charger functions check for the phy presence inside the imx_usbmisc_data structure (data->usb_phy), but the chipidea core populates the usb_phy passed via 'phys' inside 'struct ci_hdrc' (ci->usb_phy) instead. This causes the NULL pointer dereference inside imx7d_charger_detection(). Fix it by also searching for 'phys' in case 'fsl,usbphy' is not found. Tested on a imx7s-warp board. CVE-2021-47413 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: phy: mdio: fix memory leak Syzbot reported memory leak in MDIO bus interface, the problem was in wrong state logic. MDIOBUS_ALLOCATED indicates 2 states: 1. Bus is only allocated 2. Bus allocated and __mdiobus_register() fails, but device_register() was called In case of device_register() has been called we should call put_device() to correctly free the memory allocated for this device, but mdiobus_free() calls just kfree(dev) in case of MDIOBUS_ALLOCATED state To avoid this behaviour we need to set bus->state to MDIOBUS_UNREGISTERED _before_ calling device_register(), because put_device() should be called even in case of device_register() failure. CVE-2021-47416 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 low In the Linux kernel, the following vulnerability has been resolved: drm/nouveau/kms/nv50-: fix file release memory leak When using single_open() for opening, single_release() should be called, otherwise the 'op' allocated in single_open() will be leaked. CVE-2021-47422 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/nouveau/debugfs: fix file release memory leak When using single_open() for opening, single_release() should be called, otherwise the 'op' allocated in single_open() will be leaked. CVE-2021-47423 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 low In the Linux kernel, the following vulnerability has been resolved: i40e: Fix freeing of uninitialized misc IRQ vector When VSI set up failed in i40e_probe() as part of PF switch set up driver was trying to free misc IRQ vectors in i40e_clear_interrupt_scheme and produced a kernel Oops: Trying to free already-free IRQ 266 WARNING: CPU: 0 PID: 5 at kernel/irq/manage.c:1731 __free_irq+0x9a/0x300 Workqueue: events work_for_cpu_fn RIP: 0010:__free_irq+0x9a/0x300 Call Trace: ? synchronize_irq+0x3a/0xa0 free_irq+0x2e/0x60 i40e_clear_interrupt_scheme+0x53/0x190 [i40e] i40e_probe.part.108+0x134b/0x1a40 [i40e] ? kmem_cache_alloc+0x158/0x1c0 ? acpi_ut_update_ref_count.part.1+0x8e/0x345 ? acpi_ut_update_object_reference+0x15e/0x1e2 ? strstr+0x21/0x70 ? irq_get_irq_data+0xa/0x20 ? mp_check_pin_attr+0x13/0xc0 ? irq_get_irq_data+0xa/0x20 ? mp_map_pin_to_irq+0xd3/0x2f0 ? acpi_register_gsi_ioapic+0x93/0x170 ? pci_conf1_read+0xa4/0x100 ? pci_bus_read_config_word+0x49/0x70 ? do_pci_enable_device+0xcc/0x100 local_pci_probe+0x41/0x90 work_for_cpu_fn+0x16/0x20 process_one_work+0x1a7/0x360 worker_thread+0x1cf/0x390 ? create_worker+0x1a0/0x1a0 kthread+0x112/0x130 ? kthread_flush_work_fn+0x10/0x10 ret_from_fork+0x1f/0x40 The problem is that at that point misc IRQ vectors were not allocated yet and we get a call trace that driver is trying to free already free IRQ vectors. Add a check in i40e_clear_interrupt_scheme for __I40E_MISC_IRQ_REQUESTED PF state before calling i40e_free_misc_vector. This state is set only if misc IRQ vectors were properly initialized. CVE-2021-47424 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: i2c: acpi: fix resource leak in reconfiguration device addition acpi_i2c_find_adapter_by_handle() calls bus_find_device() which takes a reference on the adapter which is never released which will result in a reference count leak and render the adapter unremovable. Make sure to put the adapter after creating the client in the same manner that we do for OF. [wsa: fixed title] CVE-2021-47425 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: bpf, s390: Fix potential memory leak about jit_data Make sure to free jit_data through kfree() in the error path. CVE-2021-47426 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 low In the Linux kernel, the following vulnerability has been resolved: powerpc/64s: fix program check interrupt emergency stack path Emergency stack path was jumping into a 3: label inside the __GEN_COMMON_BODY macro for the normal path after it had finished, rather than jumping over it. By a small miracle this is the correct place to build up a new interrupt frame with the existing stack pointer, so things basically worked okay with an added weird looking 700 trap frame on top (which had the wrong ->nip so it didn't decode bug messages either). Fix this by avoiding using numeric labels when jumping over non-trivial macros. Before: LE PAGE_SIZE=64K MMU=Radix SMP NR_CPUS=2048 NUMA PowerNV Modules linked in: CPU: 0 PID: 88 Comm: sh Not tainted 5.15.0-rc2-00034-ge057cdade6e5 #2637 NIP: 7265677368657265 LR: c00000000006c0c8 CTR: c0000000000097f0 REGS: c0000000fffb3a50 TRAP: 0700 Not tainted MSR: 9000000000021031 <SF,HV,ME,IR,DR,LE> CR: 00000700 XER: 20040000 CFAR: c0000000000098b0 IRQMASK: 0 GPR00: c00000000006c964 c0000000fffb3cf0 c000000001513800 0000000000000000 GPR04: 0000000048ab0778 0000000042000000 0000000000000000 0000000000001299 GPR08: 000001e447c718ec 0000000022424282 0000000000002710 c00000000006bee8 GPR12: 9000000000009033 c0000000016b0000 00000000000000b0 0000000000000001 GPR16: 0000000000000000 0000000000000002 0000000000000000 0000000000000ff8 GPR20: 0000000000001fff 0000000000000007 0000000000000080 00007fff89d90158 GPR24: 0000000002000000 0000000002000000 0000000000000255 0000000000000300 GPR28: c000000001270000 0000000042000000 0000000048ab0778 c000000080647e80 NIP [7265677368657265] 0x7265677368657265 LR [c00000000006c0c8] ___do_page_fault+0x3f8/0xb10 Call Trace: [c0000000fffb3cf0] [c00000000000bdac] soft_nmi_common+0x13c/0x1d0 (unreliable) --- interrupt: 700 at decrementer_common_virt+0xb8/0x230 NIP: c0000000000098b8 LR: c00000000006c0c8 CTR: c0000000000097f0 REGS: c0000000fffb3d60 TRAP: 0700 Not tainted MSR: 9000000000021031 <SF,HV,ME,IR,DR,LE> CR: 22424282 XER: 20040000 CFAR: c0000000000098b0 IRQMASK: 0 GPR00: c00000000006c964 0000000000002400 c000000001513800 0000000000000000 GPR04: 0000000048ab0778 0000000042000000 0000000000000000 0000000000001299 GPR08: 000001e447c718ec 0000000022424282 0000000000002710 c00000000006bee8 GPR12: 9000000000009033 c0000000016b0000 00000000000000b0 0000000000000001 GPR16: 0000000000000000 0000000000000002 0000000000000000 0000000000000ff8 GPR20: 0000000000001fff 0000000000000007 0000000000000080 00007fff89d90158 GPR24: 0000000002000000 0000000002000000 0000000000000255 0000000000000300 GPR28: c000000001270000 0000000042000000 0000000048ab0778 c000000080647e80 NIP [c0000000000098b8] decrementer_common_virt+0xb8/0x230 LR [c00000000006c0c8] ___do_page_fault+0x3f8/0xb10 --- interrupt: 700 Instruction dump: XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX ---[ end trace 6d28218e0cc3c949 ]--- After: ------------[ cut here ]------------ kernel BUG at arch/powerpc/kernel/exceptions-64s.S:491! Oops: Exception in kernel mode, sig: 5 [#1] LE PAGE_SIZE=64K MMU=Radix SMP NR_CPUS=2048 NUMA PowerNV Modules linked in: CPU: 0 PID: 88 Comm: login Not tainted 5.15.0-rc2-00034-ge057cdade6e5-dirty #2638 NIP: c0000000000098b8 LR: c00000000006bf04 CTR: c0000000000097f0 REGS: c0000000fffb3d60 TRAP: 0700 Not tainted MSR: 9000000000021031 <SF,HV,ME,IR,DR,LE> CR: 24482227 XER: 00040000 CFAR: c0000000000098b0 IRQMASK: 0 GPR00: c00000000006bf04 0000000000002400 c000000001513800 c000000001271868 GPR04: 00000000100f0d29 0000000042000000 0000000000000007 0000000000000009 GPR08: 00000000100f0d29 0000000024482227 0000000000002710 c000000000181b3c GPR12: 9000000000009033 c0000000016b0000 00000000100f0d29 c000000005b22f00 GPR16: 00000000ffff0000 0000000000000001 0000000000000009 00000000100eed90 GPR20: 00000000100eed90 00000 ---truncated--- CVE-2021-47428 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: fix gart.bo pin_count leak gmc_v{9,10}_0_gart_disable() isn't called matched with correspoding gart_enbale function in SRIOV case. This will lead to gart.bo pin_count leak on driver unload. CVE-2021-47431 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 low In the Linux kernel, the following vulnerability has been resolved: xhci: Fix command ring pointer corruption while aborting a command The command ring pointer is located at [6:63] bits of the command ring control register (CRCR). All the control bits like command stop, abort are located at [0:3] bits. While aborting a command, we read the CRCR and set the abort bit and write to the CRCR. The read will always give command ring pointer as all zeros. So we essentially write only the control bits. Since we split the 64 bit write into two 32 bit writes, there is a possibility of xHC command ring stopped before the upper dword (all zeros) is written. If that happens, xHC updates the upper dword of its internal command ring pointer with all zeros. Next time, when the command ring is restarted, we see xHC memory access failures. Fix this issue by only writing to the lower dword of CRCR where all control bits are located. CVE-2021-47434 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: dm: fix mempool NULL pointer race when completing IO dm_io_dec_pending() calls end_io_acct() first and will then dec md in-flight pending count. But if a task is swapping DM table at same time this can result in a crash due to mempool->elements being NULL: task1 task2 do_resume ->do_suspend ->dm_wait_for_completion bio_endio ->clone_endio ->dm_io_dec_pending ->end_io_acct ->wakeup task1 ->dm_swap_table ->__bind ->__bind_mempools ->bioset_exit ->mempool_exit ->free_io [ 67.330330] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000 ...... [ 67.330494] pstate: 80400085 (Nzcv daIf +PAN -UAO) [ 67.330510] pc : mempool_free+0x70/0xa0 [ 67.330515] lr : mempool_free+0x4c/0xa0 [ 67.330520] sp : ffffff8008013b20 [ 67.330524] x29: ffffff8008013b20 x28: 0000000000000004 [ 67.330530] x27: ffffffa8c2ff40a0 x26: 00000000ffff1cc8 [ 67.330535] x25: 0000000000000000 x24: ffffffdada34c800 [ 67.330541] x23: 0000000000000000 x22: ffffffdada34c800 [ 67.330547] x21: 00000000ffff1cc8 x20: ffffffd9a1304d80 [ 67.330552] x19: ffffffdada34c970 x18: 000000b312625d9c [ 67.330558] x17: 00000000002dcfbf x16: 00000000000006dd [ 67.330563] x15: 000000000093b41e x14: 0000000000000010 [ 67.330569] x13: 0000000000007f7a x12: 0000000034155555 [ 67.330574] x11: 0000000000000001 x10: 0000000000000001 [ 67.330579] x9 : 0000000000000000 x8 : 0000000000000000 [ 67.330585] x7 : 0000000000000000 x6 : ffffff80148b5c1a [ 67.330590] x5 : ffffff8008013ae0 x4 : 0000000000000001 [ 67.330596] x3 : ffffff80080139c8 x2 : ffffff801083bab8 [ 67.330601] x1 : 0000000000000000 x0 : ffffffdada34c970 [ 67.330609] Call trace: [ 67.330616] mempool_free+0x70/0xa0 [ 67.330627] bio_put+0xf8/0x110 [ 67.330638] dec_pending+0x13c/0x230 [ 67.330644] clone_endio+0x90/0x180 [ 67.330649] bio_endio+0x198/0x1b8 [ 67.330655] dec_pending+0x190/0x230 [ 67.330660] clone_endio+0x90/0x180 [ 67.330665] bio_endio+0x198/0x1b8 [ 67.330673] blk_update_request+0x214/0x428 [ 67.330683] scsi_end_request+0x2c/0x300 [ 67.330688] scsi_io_completion+0xa0/0x710 [ 67.330695] scsi_finish_command+0xd8/0x110 [ 67.330700] scsi_softirq_done+0x114/0x148 [ 67.330708] blk_done_softirq+0x74/0xd0 [ 67.330716] __do_softirq+0x18c/0x374 [ 67.330724] irq_exit+0xb4/0xb8 [ 67.330732] __handle_domain_irq+0x84/0xc0 [ 67.330737] gic_handle_irq+0x148/0x1b0 [ 67.330744] el1_irq+0xe8/0x190 [ 67.330753] lpm_cpuidle_enter+0x4f8/0x538 [ 67.330759] cpuidle_enter_state+0x1fc/0x398 [ 67.330764] cpuidle_enter+0x18/0x20 [ 67.330772] do_idle+0x1b4/0x290 [ 67.330778] cpu_startup_entry+0x20/0x28 [ 67.330786] secondary_start_kernel+0x160/0x170 Fix this by: 1) Establishing pointers to 'struct dm_io' members in dm_io_dec_pending() so that they may be passed into end_io_acct() _after_ free_io() is called. 2) Moving end_io_acct() after free_io(). CVE-2021-47435 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: usb: musb: dsps: Fix the probe error path Commit 7c75bde329d7 ("usb: musb: musb_dsps: request_irq() after initializing musb") has inverted the calls to dsps_setup_optional_vbus_irq() and dsps_create_musb_pdev() without updating correctly the error path. dsps_create_musb_pdev() allocates and registers a new platform device which must be unregistered and freed with platform_device_unregister(), and this is missing upon dsps_setup_optional_vbus_irq() error. While on the master branch it seems not to trigger any issue, I observed a kernel crash because of a NULL pointer dereference with a v5.10.70 stable kernel where the patch mentioned above was backported. With this kernel version, -EPROBE_DEFER is returned the first time dsps_setup_optional_vbus_irq() is called which triggers the probe to error out without unregistering the platform device. Unfortunately, on the Beagle Bone Black Wireless, the platform device still living in the system is being used by the USB Ethernet gadget driver, which during the boot phase triggers the crash. My limited knowledge of the musb world prevents me to revert this commit which was sent to silence a robot warning which, as far as I understand, does not make sense. The goal of this patch was to prevent an IRQ to fire before the platform device being registered. I think this cannot ever happen due to the fact that enabling the interrupts is done by the ->enable() callback of the platform musb device, and this platform device must be already registered in order for the core or any other user to use this callback. Hence, I decided to fix the error path, which might prevent future errors on mainline kernels while also fixing older ones. CVE-2021-47436 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: mlxsw: thermal: Fix out-of-bounds memory accesses Currently, mlxsw allows cooling states to be set above the maximum cooling state supported by the driver: # cat /sys/class/thermal/thermal_zone2/cdev0/type mlxsw_fan # cat /sys/class/thermal/thermal_zone2/cdev0/max_state 10 # echo 18 > /sys/class/thermal/thermal_zone2/cdev0/cur_state # echo $? 0 This results in out-of-bounds memory accesses when thermal state transition statistics are enabled (CONFIG_THERMAL_STATISTICS=y), as the transition table is accessed with a too large index (state) [1]. According to the thermal maintainer, it is the responsibility of the driver to reject such operations [2]. Therefore, return an error when the state to be set exceeds the maximum cooling state supported by the driver. To avoid dead code, as suggested by the thermal maintainer [3], partially revert commit a421ce088ac8 ("mlxsw: core: Extend cooling device with cooling levels") that tried to interpret these invalid cooling states (above the maximum) in a special way. The cooling levels array is not removed in order to prevent the fans going below 20% PWM, which would cause them to get stuck at 0% PWM. [1] BUG: KASAN: slab-out-of-bounds in thermal_cooling_device_stats_update+0x271/0x290 Read of size 4 at addr ffff8881052f7bf8 by task kworker/0:0/5 CPU: 0 PID: 5 Comm: kworker/0:0 Not tainted 5.15.0-rc3-custom-45935-gce1adf704b14 #122 Hardware name: Mellanox Technologies Ltd. "MSN2410-CB2FO"/"SA000874", BIOS 4.6.5 03/08/2016 Workqueue: events_freezable_power_ thermal_zone_device_check Call Trace: dump_stack_lvl+0x8b/0xb3 print_address_description.constprop.0+0x1f/0x140 kasan_report.cold+0x7f/0x11b thermal_cooling_device_stats_update+0x271/0x290 __thermal_cdev_update+0x15e/0x4e0 thermal_cdev_update+0x9f/0xe0 step_wise_throttle+0x770/0xee0 thermal_zone_device_update+0x3f6/0xdf0 process_one_work+0xa42/0x1770 worker_thread+0x62f/0x13e0 kthread+0x3ee/0x4e0 ret_from_fork+0x1f/0x30 Allocated by task 1: kasan_save_stack+0x1b/0x40 __kasan_kmalloc+0x7c/0x90 thermal_cooling_device_setup_sysfs+0x153/0x2c0 __thermal_cooling_device_register.part.0+0x25b/0x9c0 thermal_cooling_device_register+0xb3/0x100 mlxsw_thermal_init+0x5c5/0x7e0 __mlxsw_core_bus_device_register+0xcb3/0x19c0 mlxsw_core_bus_device_register+0x56/0xb0 mlxsw_pci_probe+0x54f/0x710 local_pci_probe+0xc6/0x170 pci_device_probe+0x2b2/0x4d0 really_probe+0x293/0xd10 __driver_probe_device+0x2af/0x440 driver_probe_device+0x51/0x1e0 __driver_attach+0x21b/0x530 bus_for_each_dev+0x14c/0x1d0 bus_add_driver+0x3ac/0x650 driver_register+0x241/0x3d0 mlxsw_sp_module_init+0xa2/0x174 do_one_initcall+0xee/0x5f0 kernel_init_freeable+0x45a/0x4de kernel_init+0x1f/0x210 ret_from_fork+0x1f/0x30 The buggy address belongs to the object at ffff8881052f7800 which belongs to the cache kmalloc-1k of size 1024 The buggy address is located 1016 bytes inside of 1024-byte region [ffff8881052f7800, ffff8881052f7c00) The buggy address belongs to the page: page:0000000052355272 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1052f0 head:0000000052355272 order:3 compound_mapcount:0 compound_pincount:0 flags: 0x200000000010200(slab|head|node=0|zone=2) raw: 0200000000010200 ffffea0005034800 0000000300000003 ffff888100041dc0 raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff8881052f7a80: 00 00 00 00 00 00 04 fc fc fc fc fc fc fc fc fc ffff8881052f7b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff8881052f7b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ^ ffff8881052f7c00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff8881052f7c80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [2] https://lore.kernel.org/linux-pm/9aca37cb-1629-5c67- ---truncated--- CVE-2021-47441 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: NFC: digital: fix possible memory leak in digital_in_send_sdd_req() 'skb' is allocated in digital_in_send_sdd_req(), but not free when digital_in_send_cmd() failed, which will cause memory leak. Fix it by freeing 'skb' if digital_in_send_cmd() return failed. CVE-2021-47442 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: NFC: digital: fix possible memory leak in digital_tg_listen_mdaa() 'params' is allocated in digital_tg_listen_mdaa(), but not free when digital_send_cmd() failed, which will cause memory leak. Fix it by freeing 'params' if digital_send_cmd() return failed. CVE-2021-47443 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/edid: In connector_bad_edid() cap num_of_ext by num_blocks read In commit e11f5bd8228f ("drm: Add support for DP 1.4 Compliance edid corruption test") the function connector_bad_edid() started assuming that the memory for the EDID passed to it was big enough to hold `edid[0x7e] + 1` blocks of data (1 extra for the base block). It completely ignored the fact that the function was passed `num_blocks` which indicated how much memory had been allocated for the EDID. Let's fix this by adding a bounds check. This is important for handling the case where there's an error in the first block of the EDID. In that case we will call connector_bad_edid() without having re-allocated memory based on `edid[0x7e]`. CVE-2021-47444 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/msm: Fix null pointer dereference on pointer edp The initialization of pointer dev dereferences pointer edp before edp is null checked, so there is a potential null pointer deference issue. Fix this by only dereferencing edp after edp has been null checked. Addresses-Coverity: ("Dereference before null check") CVE-2021-47445 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: netfilter: xt_IDLETIMER: fix panic that occurs when timer_type has garbage value Currently, when the rule related to IDLETIMER is added, idletimer_tg timer structure is initialized by kmalloc on executing idletimer_tg_create function. However, in this process timer->timer_type is not defined to a specific value. Thus, timer->timer_type has garbage value and it occurs kernel panic. So, this commit fixes the panic by initializing timer->timer_type using kzalloc instead of kmalloc. Test commands: # iptables -A OUTPUT -j IDLETIMER --timeout 1 --label test $ cat /sys/class/xt_idletimer/timers/test Killed Splat looks like: BUG: KASAN: user-memory-access in alarm_expires_remaining+0x49/0x70 Read of size 8 at addr 0000002e8c7bc4c8 by task cat/917 CPU: 12 PID: 917 Comm: cat Not tainted 5.14.0+ #3 79940a339f71eb14fc81aee1757a20d5bf13eb0e Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.13.0-1ubuntu1.1 04/01/2014 Call Trace: dump_stack_lvl+0x6e/0x9c kasan_report.cold+0x112/0x117 ? alarm_expires_remaining+0x49/0x70 __asan_load8+0x86/0xb0 alarm_expires_remaining+0x49/0x70 idletimer_tg_show+0xe5/0x19b [xt_IDLETIMER 11219304af9316a21bee5ba9d58f76a6b9bccc6d] dev_attr_show+0x3c/0x60 sysfs_kf_seq_show+0x11d/0x1f0 ? device_remove_bin_file+0x20/0x20 kernfs_seq_show+0xa4/0xb0 seq_read_iter+0x29c/0x750 kernfs_fop_read_iter+0x25a/0x2c0 ? __fsnotify_parent+0x3d1/0x570 ? iov_iter_init+0x70/0x90 new_sync_read+0x2a7/0x3d0 ? __x64_sys_llseek+0x230/0x230 ? rw_verify_area+0x81/0x150 vfs_read+0x17b/0x240 ksys_read+0xd9/0x180 ? vfs_write+0x460/0x460 ? do_syscall_64+0x16/0xc0 ? lockdep_hardirqs_on+0x79/0x120 __x64_sys_read+0x43/0x50 do_syscall_64+0x3b/0xc0 entry_SYSCALL_64_after_hwframe+0x44/0xae RIP: 0033:0x7f0cdc819142 Code: c0 e9 c2 fe ff ff 50 48 8d 3d 3a ca 0a 00 e8 f5 19 02 00 0f 1f 44 00 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 0f 05 <48> 3d 00 f0 ff ff 77 56 c3 0f 1f 44 00 00 48 83 ec 28 48 89 54 24 RSP: 002b:00007fff28eee5b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000000 RAX: ffffffffffffffda RBX: 0000000000020000 RCX: 00007f0cdc819142 RDX: 0000000000020000 RSI: 00007f0cdc032000 RDI: 0000000000000003 RBP: 00007f0cdc032000 R08: 00007f0cdc031010 R09: 0000000000000000 R10: 0000000000000022 R11: 0000000000000246 R12: 00005607e9ee31f0 R13: 0000000000000003 R14: 0000000000020000 R15: 0000000000020000 CVE-2021-47451 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: can: peak_pci: peak_pci_remove(): fix UAF When remove the module peek_pci, referencing 'chan' again after releasing 'dev' will cause UAF. Fix this by releasing 'dev' later. The following log reveals it: [ 35.961814 ] BUG: KASAN: use-after-free in peak_pci_remove+0x16f/0x270 [peak_pci] [ 35.963414 ] Read of size 8 at addr ffff888136998ee8 by task modprobe/5537 [ 35.965513 ] Call Trace: [ 35.965718 ] dump_stack_lvl+0xa8/0xd1 [ 35.966028 ] print_address_description+0x87/0x3b0 [ 35.966420 ] kasan_report+0x172/0x1c0 [ 35.966725 ] ? peak_pci_remove+0x16f/0x270 [peak_pci] [ 35.967137 ] ? trace_irq_enable_rcuidle+0x10/0x170 [ 35.967529 ] ? peak_pci_remove+0x16f/0x270 [peak_pci] [ 35.967945 ] __asan_report_load8_noabort+0x14/0x20 [ 35.968346 ] peak_pci_remove+0x16f/0x270 [peak_pci] [ 35.968752 ] pci_device_remove+0xa9/0x250 CVE-2021-47456 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: ocfs2: mount fails with buffer overflow in strlen Starting with kernel 5.11 built with CONFIG_FORTIFY_SOURCE mouting an ocfs2 filesystem with either o2cb or pcmk cluster stack fails with the trace below. Problem seems to be that strings for cluster stack and cluster name are not guaranteed to be null terminated in the disk representation, while strlcpy assumes that the source string is always null terminated. This causes a read outside of the source string triggering the buffer overflow detection. detected buffer overflow in strlen ------------[ cut here ]------------ kernel BUG at lib/string.c:1149! invalid opcode: 0000 [#1] SMP PTI CPU: 1 PID: 910 Comm: mount.ocfs2 Not tainted 5.14.0-1-amd64 #1 Debian 5.14.6-2 RIP: 0010:fortify_panic+0xf/0x11 ... Call Trace: ocfs2_initialize_super.isra.0.cold+0xc/0x18 [ocfs2] ocfs2_fill_super+0x359/0x19b0 [ocfs2] mount_bdev+0x185/0x1b0 legacy_get_tree+0x27/0x40 vfs_get_tree+0x25/0xb0 path_mount+0x454/0xa20 __x64_sys_mount+0x103/0x140 do_syscall_64+0x3b/0xc0 entry_SYSCALL_64_after_hwframe+0x44/0xae CVE-2021-47458 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: ocfs2: fix data corruption after conversion from inline format Commit 6dbf7bb55598 ("fs: Don't invalidate page buffers in block_write_full_page()") uncovered a latent bug in ocfs2 conversion from inline inode format to a normal inode format. The code in ocfs2_convert_inline_data_to_extents() attempts to zero out the whole cluster allocated for file data by grabbing, zeroing, and dirtying all pages covering this cluster. However these pages are beyond i_size, thus writeback code generally ignores these dirty pages and no blocks were ever actually zeroed on the disk. This oversight was fixed by commit 693c241a5f6a ("ocfs2: No need to zero pages past i_size.") for standard ocfs2 write path, inline conversion path was apparently forgotten; the commit log also has a reasoning why the zeroing actually is not needed. After commit 6dbf7bb55598, things became worse as writeback code stopped invalidating buffers on pages beyond i_size and thus these pages end up with clean PageDirty bit but with buffers attached to these pages being still dirty. So when a file is converted from inline format, then writeback triggers, and then the file is grown so that these pages become valid, the invalid dirtiness state is preserved, mark_buffer_dirty() does nothing on these pages (buffers are already dirty) but page is never written back because it is clean. So data written to these pages is lost once pages are reclaimed. Simple reproducer for the problem is: xfs_io -f -c "pwrite 0 2000" -c "pwrite 2000 2000" -c "fsync" \ -c "pwrite 4000 2000" ocfs2_file After unmounting and mounting the fs again, you can observe that end of 'ocfs2_file' has lost its contents. Fix the problem by not doing the pointless zeroing during conversion from inline format similarly as in the standard write path. [akpm@linux-foundation.org: fix whitespace, per Joseph] CVE-2021-47460 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: audit: fix possible null-pointer dereference in audit_filter_rules Fix possible null-pointer dereference in audit_filter_rules. audit_filter_rules() error: we previously assumed 'ctx' could be null CVE-2021-47464 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: KVM: PPC: Book3S HV: Fix stack handling in idle_kvm_start_guest() In commit 10d91611f426 ("powerpc/64s: Reimplement book3s idle code in C") kvm_start_guest() became idle_kvm_start_guest(). The old code allocated a stack frame on the emergency stack, but didn't use the frame to store anything, and also didn't store anything in its caller's frame. idle_kvm_start_guest() on the other hand is written more like a normal C function, it creates a frame on entry, and also stores CR/LR into its callers frame (per the ABI). The problem is that there is no caller frame on the emergency stack. The emergency stack for a given CPU is allocated with: paca_ptrs[i]->emergency_sp = alloc_stack(limit, i) + THREAD_SIZE; So emergency_sp actually points to the first address above the emergency stack allocation for a given CPU, we must not store above it without first decrementing it to create a frame. This is different to the regular kernel stack, paca->kstack, which is initialised to point at an initial frame that is ready to use. idle_kvm_start_guest() stores the backchain, CR and LR all of which write outside the allocation for the emergency stack. It then creates a stack frame and saves the non-volatile registers. Unfortunately the frame it creates is not large enough to fit the non-volatiles, and so the saving of the non-volatile registers also writes outside the emergency stack allocation. The end result is that we corrupt whatever is at 0-24 bytes, and 112-248 bytes above the emergency stack allocation. In practice this has gone unnoticed because the memory immediately above the emergency stack happens to be used for other stack allocations, either another CPUs mc_emergency_sp or an IRQ stack. See the order of calls to irqstack_early_init() and emergency_stack_init(). The low addresses of another stack are the top of that stack, and so are only used if that stack is under extreme pressue, which essentially never happens in practice - and if it did there's a high likelyhood we'd crash due to that stack overflowing. Still, we shouldn't be corrupting someone else's stack, and it is purely luck that we aren't corrupting something else. To fix it we save CR/LR into the caller's frame using the existing r1 on entry, we then create a SWITCH_FRAME_SIZE frame (which has space for pt_regs) on the emergency stack with the backchain pointing to the existing stack, and then finally we switch to the new frame on the emergency stack. CVE-2021-47465 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 important In the Linux kernel, the following vulnerability has been resolved: isdn: mISDN: Fix sleeping function called from invalid context The driver can call card->isac.release() function from an atomic context. Fix this by calling this function after releasing the lock. The following log reveals it: [ 44.168226 ] BUG: sleeping function called from invalid context at kernel/workqueue.c:3018 [ 44.168941 ] in_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 5475, name: modprobe [ 44.169574 ] INFO: lockdep is turned off. [ 44.169899 ] irq event stamp: 0 [ 44.170160 ] hardirqs last enabled at (0): [<0000000000000000>] 0x0 [ 44.170627 ] hardirqs last disabled at (0): [<ffffffff814209ed>] copy_process+0x132d/0x3e00 [ 44.171240 ] softirqs last enabled at (0): [<ffffffff81420a1a>] copy_process+0x135a/0x3e00 [ 44.171852 ] softirqs last disabled at (0): [<0000000000000000>] 0x0 [ 44.172318 ] Preemption disabled at: [ 44.172320 ] [<ffffffffa009b0a9>] nj_release+0x69/0x500 [netjet] [ 44.174441 ] Call Trace: [ 44.174630 ] dump_stack_lvl+0xa8/0xd1 [ 44.174912 ] dump_stack+0x15/0x17 [ 44.175166 ] ___might_sleep+0x3a2/0x510 [ 44.175459 ] ? nj_release+0x69/0x500 [netjet] [ 44.175791 ] __might_sleep+0x82/0xe0 [ 44.176063 ] ? start_flush_work+0x20/0x7b0 [ 44.176375 ] start_flush_work+0x33/0x7b0 [ 44.176672 ] ? trace_irq_enable_rcuidle+0x85/0x170 [ 44.177034 ] ? kasan_quarantine_put+0xaa/0x1f0 [ 44.177372 ] ? kasan_quarantine_put+0xaa/0x1f0 [ 44.177711 ] __flush_work+0x11a/0x1a0 [ 44.177991 ] ? flush_work+0x20/0x20 [ 44.178257 ] ? lock_release+0x13c/0x8f0 [ 44.178550 ] ? __kasan_check_write+0x14/0x20 [ 44.178872 ] ? do_raw_spin_lock+0x148/0x360 [ 44.179187 ] ? read_lock_is_recursive+0x20/0x20 [ 44.179530 ] ? __kasan_check_read+0x11/0x20 [ 44.179846 ] ? do_raw_spin_unlock+0x55/0x900 [ 44.180168 ] ? ____kasan_slab_free+0x116/0x140 [ 44.180505 ] ? _raw_spin_unlock_irqrestore+0x41/0x60 [ 44.180878 ] ? skb_queue_purge+0x1a3/0x1c0 [ 44.181189 ] ? kfree+0x13e/0x290 [ 44.181438 ] flush_work+0x17/0x20 [ 44.181695 ] mISDN_freedchannel+0xe8/0x100 [ 44.182006 ] isac_release+0x210/0x260 [mISDNipac] [ 44.182366 ] nj_release+0xf6/0x500 [netjet] [ 44.182685 ] nj_remove+0x48/0x70 [netjet] [ 44.182989 ] pci_device_remove+0xa9/0x250 CVE-2021-47468 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: scsi: qla2xxx: Fix a memory leak in an error path of qla2x00_process_els() Commit 8c0eb596baa5 ("[SCSI] qla2xxx: Fix a memory leak in an error path of qla2x00_process_els()"), intended to change: bsg_job->request->msgcode == FC_BSG_HST_ELS_NOLOGIN bsg_job->request->msgcode != FC_BSG_RPT_ELS but changed it to: bsg_job->request->msgcode == FC_BSG_RPT_ELS instead. Change the == to a != to avoid leaking the fcport structure or freeing unallocated memory. CVE-2021-47473 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 low In the Linux kernel, the following vulnerability has been resolved: isofs: Fix out of bound access for corrupted isofs image When isofs image is suitably corrupted isofs_read_inode() can read data beyond the end of buffer. Sanity-check the directory entry length before using it. CVE-2021-47478 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: scsi: core: Put LLD module refcnt after SCSI device is released SCSI host release is triggered when SCSI device is freed. We have to make sure that the low-level device driver module won't be unloaded before SCSI host instance is released because shost->hostt is required in the release handler. Make sure to put LLD module refcnt after SCSI device is released. Fixes a kernel panic of 'BUG: unable to handle page fault for address' reported by Changhui and Yi. CVE-2021-47480 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: net: batman-adv: fix error handling Syzbot reported ODEBUG warning in batadv_nc_mesh_free(). The problem was in wrong error handling in batadv_mesh_init(). Before this patch batadv_mesh_init() was calling batadv_mesh_free() in case of any batadv_*_init() calls failure. This approach may work well, when there is some kind of indicator, which can tell which parts of batadv are initialized; but there isn't any. All written above lead to cleaning up uninitialized fields. Even if we hide ODEBUG warning by initializing bat_priv->nc.work, syzbot was able to hit GPF in batadv_nc_purge_paths(), because hash pointer in still NULL. [1] To fix these bugs we can unwind batadv_*_init() calls one by one. It is good approach for 2 reasons: 1) It fixes bugs on error handling path 2) It improves the performance, since we won't call unneeded batadv_*_free() functions. So, this patch makes all batadv_*_init() clean up all allocated memory before returning with an error to no call correspoing batadv_*_free() and open-codes batadv_mesh_free() with proper order to avoid touching uninitialized fields. CVE-2021-47482 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 low In the Linux kernel, the following vulnerability has been resolved: regmap: Fix possible double-free in regcache_rbtree_exit() In regcache_rbtree_insert_to_block(), when 'present' realloc failed, the 'blk' which is supposed to assign to 'rbnode->block' will be freed, so 'rbnode->block' points a freed memory, in the error handling path of regcache_rbtree_init(), 'rbnode->block' will be freed again in regcache_rbtree_exit(), KASAN will report double-free as follows: BUG: KASAN: double-free or invalid-free in kfree+0xce/0x390 Call Trace: slab_free_freelist_hook+0x10d/0x240 kfree+0xce/0x390 regcache_rbtree_exit+0x15d/0x1a0 regcache_rbtree_init+0x224/0x2c0 regcache_init+0x88d/0x1310 __regmap_init+0x3151/0x4a80 __devm_regmap_init+0x7d/0x100 madera_spi_probe+0x10f/0x333 [madera_spi] spi_probe+0x183/0x210 really_probe+0x285/0xc30 To fix this, moving up the assignment of rbnode->block to immediately after the reallocation has succeeded so that the data structure stays valid even if the second reallocation fails. CVE-2021-47483 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: IB/qib: Protect from buffer overflow in struct qib_user_sdma_pkt fields Overflowing either addrlimit or bytes_togo can allow userspace to trigger a buffer overflow of kernel memory. Check for overflows in all the places doing math on user controlled buffers. CVE-2021-47485 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: ocfs2: fix race between searching chunks and release journal_head from buffer_head Encountered a race between ocfs2_test_bg_bit_allocatable() and jbd2_journal_put_journal_head() resulting in the below vmcore. PID: 106879 TASK: ffff880244ba9c00 CPU: 2 COMMAND: "loop3" Call trace: panic oops_end no_context __bad_area_nosemaphore bad_area_nosemaphore __do_page_fault do_page_fault page_fault [exception RIP: ocfs2_block_group_find_clear_bits+316] ocfs2_block_group_find_clear_bits [ocfs2] ocfs2_cluster_group_search [ocfs2] ocfs2_search_chain [ocfs2] ocfs2_claim_suballoc_bits [ocfs2] __ocfs2_claim_clusters [ocfs2] ocfs2_claim_clusters [ocfs2] ocfs2_local_alloc_slide_window [ocfs2] ocfs2_reserve_local_alloc_bits [ocfs2] ocfs2_reserve_clusters_with_limit [ocfs2] ocfs2_reserve_clusters [ocfs2] ocfs2_lock_refcount_allocators [ocfs2] ocfs2_make_clusters_writable [ocfs2] ocfs2_replace_cow [ocfs2] ocfs2_refcount_cow [ocfs2] ocfs2_file_write_iter [ocfs2] lo_rw_aio loop_queue_work kthread_worker_fn kthread ret_from_fork When ocfs2_test_bg_bit_allocatable() called bh2jh(bg_bh), the bg_bh->b_private NULL as jbd2_journal_put_journal_head() raced and released the jounal head from the buffer head. Needed to take bit lock for the bit 'BH_JournalHead' to fix this race. CVE-2021-47493 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: cfg80211: fix management registrations locking The management registrations locking was broken, the list was locked for each wdev, but cfg80211_mgmt_registrations_update() iterated it without holding all the correct spinlocks, causing list corruption. Rather than trying to fix it with fine-grained locking, just move the lock to the wiphy/rdev (still need the list on each wdev), we already need to hold the wdev lock to change it, so there's no contention on the lock in any case. This trivially fixes the bug since we hold one wdev's lock already, and now will hold the lock that protects all lists. CVE-2021-47494 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: usbnet: sanity check for maxpacket maxpacket of 0 makes no sense and oopses as we need to divide by it. Give up. V2: fixed typo in log and stylistic issues CVE-2021-47495 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 low In the Linux kernel, the following vulnerability has been resolved: net/tls: Fix flipped sign in tls_err_abort() calls sk->sk_err appears to expect a positive value, a convention that ktls doesn't always follow and that leads to memory corruption in other code. For instance, [kworker] tls_encrypt_done(..., err=<negative error from crypto request>) tls_err_abort(.., err) sk->sk_err = err; [task] splice_from_pipe_feed ... tls_sw_do_sendpage if (sk->sk_err) { ret = -sk->sk_err; // ret is positive splice_from_pipe_feed (continued) ret = actor(...) // ret is still positive and interpreted as bytes // written, resulting in underflow of buf->len and // sd->len, leading to huge buf->offset and bogus // addresses computed in later calls to actor() Fix all tls_err_abort() callers to pass a negative error code consistently and centralize the error-prone sign flip there, throwing in a warning to catch future misuse and uninlining the function so it really does only warn once. CVE-2021-47496 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 important In the Linux kernel, the following vulnerability has been resolved: nvmem: Fix shift-out-of-bound (UBSAN) with byte size cells If a cell has 'nbits' equal to a multiple of BITS_PER_BYTE the logic *p &= GENMASK((cell->nbits%BITS_PER_BYTE) - 1, 0); will become undefined behavior because nbits modulo BITS_PER_BYTE is 0, and we subtract one from that making a large number that is then shifted more than the number of bits that fit into an unsigned long. UBSAN reports this problem: UBSAN: shift-out-of-bounds in drivers/nvmem/core.c:1386:8 shift exponent 64 is too large for 64-bit type 'unsigned long' CPU: 6 PID: 7 Comm: kworker/u16:0 Not tainted 5.15.0-rc3+ #9 Hardware name: Google Lazor (rev3+) with KB Backlight (DT) Workqueue: events_unbound deferred_probe_work_func Call trace: dump_backtrace+0x0/0x170 show_stack+0x24/0x30 dump_stack_lvl+0x64/0x7c dump_stack+0x18/0x38 ubsan_epilogue+0x10/0x54 __ubsan_handle_shift_out_of_bounds+0x180/0x194 __nvmem_cell_read+0x1ec/0x21c nvmem_cell_read+0x58/0x94 nvmem_cell_read_variable_common+0x4c/0xb0 nvmem_cell_read_variable_le_u32+0x40/0x100 a6xx_gpu_init+0x170/0x2f4 adreno_bind+0x174/0x284 component_bind_all+0xf0/0x264 msm_drm_bind+0x1d8/0x7a0 try_to_bring_up_master+0x164/0x1ac __component_add+0xbc/0x13c component_add+0x20/0x2c dp_display_probe+0x340/0x384 platform_probe+0xc0/0x100 really_probe+0x110/0x304 __driver_probe_device+0xb8/0x120 driver_probe_device+0x4c/0xfc __device_attach_driver+0xb0/0x128 bus_for_each_drv+0x90/0xdc __device_attach+0xc8/0x174 device_initial_probe+0x20/0x2c bus_probe_device+0x40/0xa4 deferred_probe_work_func+0x7c/0xb8 process_one_work+0x128/0x21c process_scheduled_works+0x40/0x54 worker_thread+0x1ec/0x2a8 kthread+0x138/0x158 ret_from_fork+0x10/0x20 Fix it by making sure there are any bits to mask out. CVE-2021-47497 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: dm rq: don't queue request to blk-mq during DM suspend DM uses blk-mq's quiesce/unquiesce to stop/start device mapper queue. But blk-mq's unquiesce may come from outside events, such as elevator switch, updating nr_requests or others, and request may come during suspend, so simply ask for blk-mq to requeue it. Fixes one kernel panic issue when running updating nr_requests and dm-mpath suspend/resume stress test. CVE-2021-47498 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: iio: accel: kxcjk-1013: Fix possible memory leak in probe and remove When ACPI type is ACPI_SMO8500, the data->dready_trig will not be set, the memory allocated by iio_triggered_buffer_setup() will not be freed, and cause memory leak as follows: unreferenced object 0xffff888009551400 (size 512): comm "i2c-SMO8500-125", pid 911, jiffies 4294911787 (age 83.852s) hex dump (first 32 bytes): 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00 00 00 00 00 00 00 00 20 e2 e5 c0 ff ff ff ff ........ ....... backtrace: [<0000000041ce75ee>] kmem_cache_alloc_trace+0x16d/0x360 [<000000000aeb17b0>] iio_kfifo_allocate+0x41/0x130 [kfifo_buf] [<000000004b40c1f5>] iio_triggered_buffer_setup_ext+0x2c/0x210 [industrialio_triggered_buffer] [<000000004375b15f>] kxcjk1013_probe+0x10c3/0x1d81 [kxcjk_1013] Fix it by remove data->dready_trig condition in probe and remove. CVE-2021-47499 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: iio: mma8452: Fix trigger reference couting The mma8452 driver directly assigns a trigger to the struct iio_dev. The IIO core when done using this trigger will call `iio_trigger_put()` to drop the reference count by 1. Without the matching `iio_trigger_get()` in the driver the reference count can reach 0 too early, the trigger gets freed while still in use and a use-after-free occurs. Fix this by getting a reference to the trigger before assigning it to the IIO device. CVE-2021-47500 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 important In the Linux kernel, the following vulnerability has been resolved: i40e: Fix NULL pointer dereference in i40e_dbg_dump_desc When trying to dump VFs VSI RX/TX descriptors using debugfs there was a crash due to NULL pointer dereference in i40e_dbg_dump_desc. Added a check to i40e_dbg_dump_desc that checks if VSI type is correct for dumping RX/TX descriptors. CVE-2021-47501 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: ASoC: codecs: wcd934x: handle channel mappping list correctly Currently each channel is added as list to dai channel list, however there is danger of adding same channel to multiple dai channel list which endups corrupting the other list where its already added. This patch ensures that the channel is actually free before adding to the dai channel list and also ensures that the channel is on the list before deleting it. This check was missing previously, and we did not hit this issue as we were testing very simple usecases with sequence of amixer commands. CVE-2021-47502 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 important In the Linux kernel, the following vulnerability has been resolved: scsi: pm80xx: Do not call scsi_remove_host() in pm8001_alloc() Calling scsi_remove_host() before scsi_add_host() results in a crash: BUG: kernel NULL pointer dereference, address: 0000000000000108 RIP: 0010:device_del+0x63/0x440 Call Trace: device_unregister+0x17/0x60 scsi_remove_host+0xee/0x2a0 pm8001_pci_probe+0x6ef/0x1b90 [pm80xx] local_pci_probe+0x3f/0x90 We cannot call scsi_remove_host() in pm8001_alloc() because scsi_add_host() has not been called yet at that point in time. Function call tree: pm8001_pci_probe() | `- pm8001_pci_alloc() | | | `- pm8001_alloc() | | | `- scsi_remove_host() | `- scsi_add_host() CVE-2021-47503 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: nfsd: fix use-after-free due to delegation race A delegation break could arrive as soon as we've called vfs_setlease. A delegation break runs a callback which immediately (in nfsd4_cb_recall_prepare) adds the delegation to del_recall_lru. If we then exit nfs4_set_delegation without hashing the delegation, it will be freed as soon as the callback is done with it, without ever being removed from del_recall_lru. Symptoms show up later as use-after-free or list corruption warnings, usually in the laundromat thread. I suspect aba2072f4523 "nfsd: grant read delegations to clients holding writes" made this bug easier to hit, but I looked as far back as v3.0 and it looks to me it already had the same problem. So I'm not sure where the bug was introduced; it may have been there from the beginning. CVE-2021-47506 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: nfsd: Fix nsfd startup race (again) Commit bd5ae9288d64 ("nfsd: register pernet ops last, unregister first") has re-opened rpc_pipefs_event() race against nfsd_net_id registration (register_pernet_subsys()) which has been fixed by commit bb7ffbf29e76 ("nfsd: fix nsfd startup race triggering BUG_ON"). Restore the order of register_pernet_subsys() vs register_cld_notifier(). Add WARN_ON() to prevent a future regression. Crash info: Unable to handle kernel NULL pointer dereference at virtual address 0000000000000012 CPU: 8 PID: 345 Comm: mount Not tainted 5.4.144-... #1 pc : rpc_pipefs_event+0x54/0x120 [nfsd] lr : rpc_pipefs_event+0x48/0x120 [nfsd] Call trace: rpc_pipefs_event+0x54/0x120 [nfsd] blocking_notifier_call_chain rpc_fill_super get_tree_keyed rpc_fs_get_tree vfs_get_tree do_mount ksys_mount __arm64_sys_mount el0_svc_handler el0_svc CVE-2021-47507 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: ALSA: pcm: oss: Limit the period size to 16MB Set the practical limit to the period size (the fragment shift in OSS) instead of a full 31bit; a too large value could lead to the exhaust of memory as we allocate temporary buffers of the period size, too. As of this patch, we set to 16MB limit, which should cover all use cases. CVE-2021-47509 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: ALSA: pcm: oss: Fix negative period/buffer sizes The period size calculation in OSS layer may receive a negative value as an error, but the code there assumes only the positive values and handle them with size_t. Due to that, a too big value may be passed to the lower layers. This patch changes the code to handle with ssize_t and adds the proper error checks appropriately. CVE-2021-47511 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 important In the Linux kernel, the following vulnerability has been resolved: net/sched: fq_pie: prevent dismantle issue For some reason, fq_pie_destroy() did not copy working code from pie_destroy() and other qdiscs, thus causing elusive bug. Before calling del_timer_sync(&q->adapt_timer), we need to ensure timer will not rearm itself. rcu: INFO: rcu_preempt self-detected stall on CPU rcu: 0-....: (4416 ticks this GP) idle=60d/1/0x4000000000000000 softirq=10433/10434 fqs=2579 (t=10501 jiffies g=13085 q=3989) NMI backtrace for cpu 0 CPU: 0 PID: 13 Comm: ksoftirqd/0 Not tainted 5.16.0-rc4-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: <IRQ> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106 nmi_cpu_backtrace.cold+0x47/0x144 lib/nmi_backtrace.c:111 nmi_trigger_cpumask_backtrace+0x1b3/0x230 lib/nmi_backtrace.c:62 trigger_single_cpu_backtrace include/linux/nmi.h:164 [inline] rcu_dump_cpu_stacks+0x25e/0x3f0 kernel/rcu/tree_stall.h:343 print_cpu_stall kernel/rcu/tree_stall.h:627 [inline] check_cpu_stall kernel/rcu/tree_stall.h:711 [inline] rcu_pending kernel/rcu/tree.c:3878 [inline] rcu_sched_clock_irq.cold+0x9d/0x746 kernel/rcu/tree.c:2597 update_process_times+0x16d/0x200 kernel/time/timer.c:1785 tick_sched_handle+0x9b/0x180 kernel/time/tick-sched.c:226 tick_sched_timer+0x1b0/0x2d0 kernel/time/tick-sched.c:1428 __run_hrtimer kernel/time/hrtimer.c:1685 [inline] __hrtimer_run_queues+0x1c0/0xe50 kernel/time/hrtimer.c:1749 hrtimer_interrupt+0x31c/0x790 kernel/time/hrtimer.c:1811 local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1086 [inline] __sysvec_apic_timer_interrupt+0x146/0x530 arch/x86/kernel/apic/apic.c:1103 sysvec_apic_timer_interrupt+0x8e/0xc0 arch/x86/kernel/apic/apic.c:1097 </IRQ> <TASK> asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:638 RIP: 0010:write_comp_data kernel/kcov.c:221 [inline] RIP: 0010:__sanitizer_cov_trace_const_cmp1+0x1d/0x80 kernel/kcov.c:273 Code: 54 c8 20 48 89 10 c3 66 0f 1f 44 00 00 53 41 89 fb 41 89 f1 bf 03 00 00 00 65 48 8b 0c 25 40 70 02 00 48 89 ce 4c 8b 54 24 08 <e8> 4e f7 ff ff 84 c0 74 51 48 8b 81 88 15 00 00 44 8b 81 84 15 00 RSP: 0018:ffffc90000d27b28 EFLAGS: 00000246 RAX: 0000000000000000 RBX: ffff888064bf1bf0 RCX: ffff888011928000 RDX: ffff888011928000 RSI: ffff888011928000 RDI: 0000000000000003 RBP: ffff888064bf1c28 R08: 0000000000000000 R09: 0000000000000000 R10: ffffffff875d8295 R11: 0000000000000000 R12: 0000000000000000 R13: ffff8880783dd300 R14: 0000000000000000 R15: 0000000000000000 pie_calculate_probability+0x405/0x7c0 net/sched/sch_pie.c:418 fq_pie_timer+0x170/0x2a0 net/sched/sch_fq_pie.c:383 call_timer_fn+0x1a5/0x6b0 kernel/time/timer.c:1421 expire_timers kernel/time/timer.c:1466 [inline] __run_timers.part.0+0x675/0xa20 kernel/time/timer.c:1734 __run_timers kernel/time/timer.c:1715 [inline] run_timer_softirq+0xb3/0x1d0 kernel/time/timer.c:1747 __do_softirq+0x29b/0x9c2 kernel/softirq.c:558 run_ksoftirqd kernel/softirq.c:921 [inline] run_ksoftirqd+0x2d/0x60 kernel/softirq.c:913 smpboot_thread_fn+0x645/0x9c0 kernel/smpboot.c:164 kthread+0x405/0x4f0 kernel/kthread.c:327 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295 </TASK> CVE-2021-47512 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: nfp: Fix memory leak in nfp_cpp_area_cache_add() In line 800 (#1), nfp_cpp_area_alloc() allocates and initializes a CPP area structure. But in line 807 (#2), when the cache is allocated failed, this CPP area structure is not freed, which will result in memory leak. We can fix it by freeing the CPP area when the cache is allocated failed (#2). 792 int nfp_cpp_area_cache_add(struct nfp_cpp *cpp, size_t size) 793 { 794 struct nfp_cpp_area_cache *cache; 795 struct nfp_cpp_area *area; 800 area = nfp_cpp_area_alloc(cpp, NFP_CPP_ID(7, NFP_CPP_ACTION_RW, 0), 801 0, size); // #1: allocates and initializes 802 if (!area) 803 return -ENOMEM; 805 cache = kzalloc(sizeof(*cache), GFP_KERNEL); 806 if (!cache) 807 return -ENOMEM; // #2: missing free 817 return 0; 818 } CVE-2021-47516 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 low In the Linux kernel, the following vulnerability has been resolved: nfc: fix potential NULL pointer deref in nfc_genl_dump_ses_done The done() netlink callback nfc_genl_dump_ses_done() should check if received argument is non-NULL, because its allocation could fail earlier in dumpit() (nfc_genl_dump_ses()). CVE-2021-47518 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: can: sja1000: fix use after free in ems_pcmcia_add_card() If the last channel is not available then "dev" is freed. Fortunately, we can just use "pdev->irq" instead. Also we should check if at least one channel was set up. CVE-2021-47521 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 important In the Linux kernel, the following vulnerability has been resolved: IB/hfi1: Fix leak of rcvhdrtail_dummy_kvaddr This buffer is currently allocated in hfi1_init(): if (reinit) ret = init_after_reset(dd); else ret = loadtime_init(dd); if (ret) goto done; /* allocate dummy tail memory for all receive contexts */ dd->rcvhdrtail_dummy_kvaddr = dma_alloc_coherent(&dd->pcidev->dev, sizeof(u64), &dd->rcvhdrtail_dummy_dma, GFP_KERNEL); if (!dd->rcvhdrtail_dummy_kvaddr) { dd_dev_err(dd, "cannot allocate dummy tail memory\n"); ret = -ENOMEM; goto done; } The reinit triggered path will overwrite the old allocation and leak it. Fix by moving the allocation to hfi1_alloc_devdata() and the deallocation to hfi1_free_devdata(). CVE-2021-47523 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 low In the Linux kernel, the following vulnerability has been resolved: serial: core: fix transmit-buffer reset and memleak Commit 761ed4a94582 ("tty: serial_core: convert uart_close to use tty_port_close") converted serial core to use tty_port_close() but failed to notice that the transmit buffer still needs to be freed on final close. Not freeing the transmit buffer means that the buffer is no longer cleared on next open so that any ioctl() waiting for the buffer to drain might wait indefinitely (e.g. on termios changes) or that stale data can end up being transmitted in case tx is restarted. Furthermore, the buffer of any port that has been opened would leak on driver unbind. Note that the port lock is held when clearing the buffer pointer due to the ldisc race worked around by commit a5ba1d95e46e ("uart: fix race between uart_put_char() and uart_shutdown()"). Also note that the tty-port shutdown() callback is not called for console ports so it is not strictly necessary to free the buffer page after releasing the lock (cf. d72402145ace ("tty/serial: do not free trasnmit buffer page under port lock")). CVE-2021-47527 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/msm/a6xx: Allocate enough space for GMU registers In commit 142639a52a01 ("drm/msm/a6xx: fix crashstate capture for A650") we changed a6xx_get_gmu_registers() to read 3 sets of registers. Unfortunately, we didn't change the memory allocation for the array. That leads to a KASAN warning (this was on the chromeos-5.4 kernel, which has the problematic commit backported to it): BUG: KASAN: slab-out-of-bounds in _a6xx_get_gmu_registers+0x144/0x430 Write of size 8 at addr ffffff80c89432b0 by task A618-worker/209 CPU: 5 PID: 209 Comm: A618-worker Tainted: G W 5.4.156-lockdep #22 Hardware name: Google Lazor Limozeen without Touchscreen (rev5 - rev8) (DT) Call trace: dump_backtrace+0x0/0x248 show_stack+0x20/0x2c dump_stack+0x128/0x1ec print_address_description+0x88/0x4a0 __kasan_report+0xfc/0x120 kasan_report+0x10/0x18 __asan_report_store8_noabort+0x1c/0x24 _a6xx_get_gmu_registers+0x144/0x430 a6xx_gpu_state_get+0x330/0x25d4 msm_gpu_crashstate_capture+0xa0/0x84c recover_worker+0x328/0x838 kthread_worker_fn+0x32c/0x574 kthread+0x2dc/0x39c ret_from_fork+0x10/0x18 Allocated by task 209: __kasan_kmalloc+0xfc/0x1c4 kasan_kmalloc+0xc/0x14 kmem_cache_alloc_trace+0x1f0/0x2a0 a6xx_gpu_state_get+0x164/0x25d4 msm_gpu_crashstate_capture+0xa0/0x84c recover_worker+0x328/0x838 kthread_worker_fn+0x32c/0x574 kthread+0x2dc/0x39c ret_from_fork+0x10/0x18 CVE-2021-47535 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: net/smc: fix wrong list_del in smc_lgr_cleanup_early smc_lgr_cleanup_early() meant to delete the link group from the link group list, but it deleted the list head by mistake. This may cause memory corruption since we didn't remove the real link group from the list and later memseted the link group structure. We got a list corruption panic when testing: [ 231.277259] list_del corruption. prev->next should be ffff8881398a8000, but was 0000000000000000 [ 231.278222] ------------[ cut here ]------------ [ 231.278726] kernel BUG at lib/list_debug.c:53! [ 231.279326] invalid opcode: 0000 [#1] SMP NOPTI [ 231.279803] CPU: 0 PID: 5 Comm: kworker/0:0 Not tainted 5.10.46+ #435 [ 231.280466] Hardware name: Alibaba Cloud ECS, BIOS 8c24b4c 04/01/2014 [ 231.281248] Workqueue: events smc_link_down_work [ 231.281732] RIP: 0010:__list_del_entry_valid+0x70/0x90 [ 231.282258] Code: 4c 60 82 e8 7d cc 6a 00 0f 0b 48 89 fe 48 c7 c7 88 4c 60 82 e8 6c cc 6a 00 0f 0b 48 89 fe 48 c7 c7 c0 4c 60 82 e8 5b cc 6a 00 <0f> 0b 48 89 fe 48 c7 c7 00 4d 60 82 e8 4a cc 6a 00 0f 0b cc cc cc [ 231.284146] RSP: 0018:ffffc90000033d58 EFLAGS: 00010292 [ 231.284685] RAX: 0000000000000054 RBX: ffff8881398a8000 RCX: 0000000000000000 [ 231.285415] RDX: 0000000000000001 RSI: ffff88813bc18040 RDI: ffff88813bc18040 [ 231.286141] RBP: ffffffff8305ad40 R08: 0000000000000003 R09: 0000000000000001 [ 231.286873] R10: ffffffff82803da0 R11: ffffc90000033b90 R12: 0000000000000001 [ 231.287606] R13: 0000000000000000 R14: ffff8881398a8000 R15: 0000000000000003 [ 231.288337] FS: 0000000000000000(0000) GS:ffff88813bc00000(0000) knlGS:0000000000000000 [ 231.289160] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 231.289754] CR2: 0000000000e72058 CR3: 000000010fa96006 CR4: 00000000003706f0 [ 231.290485] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 231.291211] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 231.291940] Call Trace: [ 231.292211] smc_lgr_terminate_sched+0x53/0xa0 [ 231.292677] smc_switch_conns+0x75/0x6b0 [ 231.293085] ? update_load_avg+0x1a6/0x590 [ 231.293517] ? ttwu_do_wakeup+0x17/0x150 [ 231.293907] ? update_load_avg+0x1a6/0x590 [ 231.294317] ? newidle_balance+0xca/0x3d0 [ 231.294716] smcr_link_down+0x50/0x1a0 [ 231.295090] ? __wake_up_common_lock+0x77/0x90 [ 231.295534] smc_link_down_work+0x46/0x60 [ 231.295933] process_one_work+0x18b/0x350 CVE-2021-47536 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: rxrpc: Fix rxrpc_local leak in rxrpc_lookup_peer() Need to call rxrpc_put_local() for peer candidate before kfree() as it holds a ref to rxrpc_local. [DH: v2: Changed to abstract the peer freeing code out into a function] CVE-2021-47538 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 low In the Linux kernel, the following vulnerability has been resolved: mt76: mt7915: fix NULL pointer dereference in mt7915_get_phy_mode Fix the following NULL pointer dereference in mt7915_get_phy_mode routine adding an ibss interface to the mt7915 driver. [ 101.137097] wlan0: Trigger new scan to find an IBSS to join [ 102.827039] wlan0: Creating new IBSS network, BSSID 26:a4:50:1a:6e:69 [ 103.064756] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000 [ 103.073670] Mem abort info: [ 103.076520] ESR = 0x96000005 [ 103.079614] EC = 0x25: DABT (current EL), IL = 32 bits [ 103.084934] SET = 0, FnV = 0 [ 103.088042] EA = 0, S1PTW = 0 [ 103.091215] Data abort info: [ 103.094104] ISV = 0, ISS = 0x00000005 [ 103.098041] CM = 0, WnR = 0 [ 103.101044] user pgtable: 4k pages, 39-bit VAs, pgdp=00000000460b1000 [ 103.107565] [0000000000000000] pgd=0000000000000000, p4d=0000000000000000, pud=0000000000000000 [ 103.116590] Internal error: Oops: 96000005 [#1] SMP [ 103.189066] CPU: 1 PID: 333 Comm: kworker/u4:3 Not tainted 5.10.75 #0 [ 103.195498] Hardware name: MediaTek MT7622 RFB1 board (DT) [ 103.201124] Workqueue: phy0 ieee80211_iface_work [mac80211] [ 103.206695] pstate: 20000005 (nzCv daif -PAN -UAO -TCO BTYPE=--) [ 103.212705] pc : mt7915_get_phy_mode+0x68/0x120 [mt7915e] [ 103.218103] lr : mt7915_mcu_add_bss_info+0x11c/0x760 [mt7915e] [ 103.223927] sp : ffffffc011cdb9e0 [ 103.227235] x29: ffffffc011cdb9e0 x28: ffffff8006563098 [ 103.232545] x27: ffffff8005f4da22 x26: ffffff800685ac40 [ 103.237855] x25: 0000000000000001 x24: 000000000000011f [ 103.243165] x23: ffffff8005f4e260 x22: ffffff8006567918 [ 103.248475] x21: ffffff8005f4df80 x20: ffffff800685ac58 [ 103.253785] x19: ffffff8006744400 x18: 0000000000000000 [ 103.259094] x17: 0000000000000000 x16: 0000000000000001 [ 103.264403] x15: 000899c3a2d9d2e4 x14: 000899bdc3c3a1c8 [ 103.269713] x13: 0000000000000000 x12: 0000000000000000 [ 103.275024] x11: ffffffc010e30c20 x10: 0000000000000000 [ 103.280333] x9 : 0000000000000050 x8 : ffffff8006567d88 [ 103.285642] x7 : ffffff8006563b5c x6 : ffffff8006563b44 [ 103.290952] x5 : 0000000000000002 x4 : 0000000000000001 [ 103.296262] x3 : 0000000000000001 x2 : 0000000000000001 [ 103.301572] x1 : 0000000000000000 x0 : 0000000000000011 [ 103.306882] Call trace: [ 103.309328] mt7915_get_phy_mode+0x68/0x120 [mt7915e] [ 103.314378] mt7915_bss_info_changed+0x198/0x200 [mt7915e] [ 103.319941] ieee80211_bss_info_change_notify+0x128/0x290 [mac80211] [ 103.326360] __ieee80211_sta_join_ibss+0x308/0x6c4 [mac80211] [ 103.332171] ieee80211_sta_create_ibss+0x8c/0x10c [mac80211] [ 103.337895] ieee80211_ibss_work+0x3dc/0x614 [mac80211] [ 103.343185] ieee80211_iface_work+0x388/0x3f0 [mac80211] [ 103.348495] process_one_work+0x288/0x690 [ 103.352499] worker_thread+0x70/0x464 [ 103.356157] kthread+0x144/0x150 [ 103.359380] ret_from_fork+0x10/0x18 [ 103.362952] Code: 394008c3 52800220 394000e4 7100007f (39400023) CVE-2021-47540 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: net/mlx4_en: Fix an use-after-free bug in mlx4_en_try_alloc_resources() In mlx4_en_try_alloc_resources(), mlx4_en_copy_priv() is called and tmp->tx_cq will be freed on the error path of mlx4_en_copy_priv(). After that mlx4_en_alloc_resources() is called and there is a dereference of &tmp->tx_cq[t][i] in mlx4_en_alloc_resources(), which could lead to a use after free problem on failure of mlx4_en_copy_priv(). Fix this bug by adding a check of mlx4_en_copy_priv() This bug was found by a static analyzer. The analysis employs differential checking to identify inconsistent security operations (e.g., checks or kfrees) between two code paths and confirms that the inconsistent operations are not recovered in the current function or the callers, so they constitute bugs. Note that, as a bug found by static analysis, it can be a false positive or hard to trigger. Multiple researchers have cross-reviewed the bug. Builds with CONFIG_MLX4_EN=m show no new warnings, and our static analyzer no longer warns about this code. CVE-2021-47541 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: net: qlogic: qlcnic: Fix a NULL pointer dereference in qlcnic_83xx_add_rings() In qlcnic_83xx_add_rings(), the indirect function of ahw->hw_ops->alloc_mbx_args will be called to allocate memory for cmd.req.arg, and there is a dereference of it in qlcnic_83xx_add_rings(), which could lead to a NULL pointer dereference on failure of the indirect function like qlcnic_83xx_alloc_mbx_args(). Fix this bug by adding a check of alloc_mbx_args(), this patch imitates the logic of mbx_cmd()'s failure handling. This bug was found by a static analyzer. The analysis employs differential checking to identify inconsistent security operations (e.g., checks or kfrees) between two code paths and confirms that the inconsistent operations are not recovered in the current function or the callers, so they constitute bugs. Note that, as a bug found by static analysis, it can be a false positive or hard to trigger. Multiple researchers have cross-reviewed the bug. Builds with CONFIG_QLCNIC=m show no new warnings, and our static analyzer no longer warns about this code. CVE-2021-47542 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: sata_fsl: fix UAF in sata_fsl_port_stop when rmmod sata_fsl When the `rmmod sata_fsl.ko` command is executed in the PPC64 GNU/Linux, a bug is reported: ================================================================== BUG: Unable to handle kernel data access on read at 0x80000800805b502c Oops: Kernel access of bad area, sig: 11 [#1] NIP [c0000000000388a4] .ioread32+0x4/0x20 LR [80000000000c6034] .sata_fsl_port_stop+0x44/0xe0 [sata_fsl] Call Trace: .free_irq+0x1c/0x4e0 (unreliable) .ata_host_stop+0x74/0xd0 [libata] .release_nodes+0x330/0x3f0 .device_release_driver_internal+0x178/0x2c0 .driver_detach+0x64/0xd0 .bus_remove_driver+0x70/0xf0 .driver_unregister+0x38/0x80 .platform_driver_unregister+0x14/0x30 .fsl_sata_driver_exit+0x18/0xa20 [sata_fsl] .__se_sys_delete_module+0x1ec/0x2d0 .system_call_exception+0xfc/0x1f0 system_call_common+0xf8/0x200 ================================================================== The triggering of the BUG is shown in the following stack: driver_detach device_release_driver_internal __device_release_driver drv->remove(dev) --> platform_drv_remove/platform_remove drv->remove(dev) --> sata_fsl_remove iounmap(host_priv->hcr_base); <---- unmap kfree(host_priv); <---- free devres_release_all release_nodes dr->node.release(dev, dr->data) --> ata_host_stop ap->ops->port_stop(ap) --> sata_fsl_port_stop ioread32(hcr_base + HCONTROL) <---- UAF host->ops->host_stop(host) The iounmap(host_priv->hcr_base) and kfree(host_priv) functions should not be executed in drv->remove. These functions should be executed in host_stop after port_stop. Therefore, we move these functions to the new function sata_fsl_host_stop and bind the new function to host_stop. CVE-2021-47549 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: net/sched: sch_ets: don't peek at classes beyond 'nbands' when the number of DRR classes decreases, the round-robin active list can contain elements that have already been freed in ets_qdisc_change(). As a consequence, it's possible to see a NULL dereference crash, caused by the attempt to call cl->qdisc->ops->peek(cl->qdisc) when cl->qdisc is NULL: BUG: kernel NULL pointer dereference, address: 0000000000000018 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 0 P4D 0 Oops: 0000 [#1] PREEMPT SMP NOPTI CPU: 1 PID: 910 Comm: mausezahn Not tainted 5.16.0-rc1+ #475 Hardware name: Red Hat KVM, BIOS 1.11.1-4.module+el8.1.0+4066+0f1aadab 04/01/2014 RIP: 0010:ets_qdisc_dequeue+0x129/0x2c0 [sch_ets] Code: c5 01 41 39 ad e4 02 00 00 0f 87 18 ff ff ff 49 8b 85 c0 02 00 00 49 39 c4 0f 84 ba 00 00 00 49 8b ad c0 02 00 00 48 8b 7d 10 <48> 8b 47 18 48 8b 40 38 0f ae e8 ff d0 48 89 c3 48 85 c0 0f 84 9d RSP: 0000:ffffbb36c0b5fdd8 EFLAGS: 00010287 RAX: ffff956678efed30 RBX: 0000000000000000 RCX: 0000000000000000 RDX: 0000000000000002 RSI: ffffffff9b938dc9 RDI: 0000000000000000 RBP: ffff956678efed30 R08: e2f3207fe360129c R09: 0000000000000000 R10: 0000000000000001 R11: 0000000000000001 R12: ffff956678efeac0 R13: ffff956678efe800 R14: ffff956611545000 R15: ffff95667ac8f100 FS: 00007f2aa9120740(0000) GS:ffff95667b800000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000018 CR3: 000000011070c000 CR4: 0000000000350ee0 Call Trace: <TASK> qdisc_peek_dequeued+0x29/0x70 [sch_ets] tbf_dequeue+0x22/0x260 [sch_tbf] __qdisc_run+0x7f/0x630 net_tx_action+0x290/0x4c0 __do_softirq+0xee/0x4f8 irq_exit_rcu+0xf4/0x130 sysvec_apic_timer_interrupt+0x52/0xc0 asm_sysvec_apic_timer_interrupt+0x12/0x20 RIP: 0033:0x7f2aa7fc9ad4 Code: b9 ff ff 48 8b 54 24 18 48 83 c4 08 48 89 ee 48 89 df 5b 5d e9 ed fc ff ff 0f 1f 00 66 2e 0f 1f 84 00 00 00 00 00 f3 0f 1e fa <53> 48 83 ec 10 48 8b 05 10 64 33 00 48 8b 00 48 85 c0 0f 85 84 00 RSP: 002b:00007ffe5d33fab8 EFLAGS: 00000202 RAX: 0000000000000002 RBX: 0000561f72c31460 RCX: 0000561f72c31720 RDX: 0000000000000002 RSI: 0000561f72c31722 RDI: 0000561f72c31720 RBP: 000000000000002a R08: 00007ffe5d33fa40 R09: 0000000000000014 R10: 0000000000000000 R11: 0000000000000246 R12: 0000561f7187e380 R13: 0000000000000000 R14: 0000000000000000 R15: 0000561f72c31460 </TASK> Modules linked in: sch_ets sch_tbf dummy rfkill iTCO_wdt intel_rapl_msr iTCO_vendor_support intel_rapl_common joydev virtio_balloon lpc_ich i2c_i801 i2c_smbus pcspkr ip_tables xfs libcrc32c crct10dif_pclmul crc32_pclmul crc32c_intel ahci libahci ghash_clmulni_intel serio_raw libata virtio_blk virtio_console virtio_net net_failover failover sunrpc dm_mirror dm_region_hash dm_log dm_mod CR2: 0000000000000018 Ensuring that 'alist' was never zeroed [1] was not sufficient, we need to remove from the active list those elements that are no more SP nor DRR. [1] https://lore.kernel.org/netdev/60d274838bf09777f0371253416e8af71360bc08.1633609148.git.dcaratti@redhat.com/ v3: fix race between ets_qdisc_change() and ets_qdisc_dequeue() delisting DRR classes beyond 'nbands' in ets_qdisc_change() with the qdisc lock acquired, thanks to Cong Wang. v2: when a NULL qdisc is found in the DRR active list, try to dequeue skb from the next list item. CVE-2021-47557 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: ice: fix vsi->txq_map sizing The approach of having XDP queue per CPU regardless of user's setting exposed a hidden bug that could occur in case when Rx queue count differ from Tx queue count. Currently vsi->txq_map's size is equal to the doubled vsi->alloc_txq, which is not correct due to the fact that XDP rings were previously based on the Rx queue count. Below splat can be seen when ethtool -L is used and XDP rings are configured: [ 682.875339] BUG: kernel NULL pointer dereference, address: 000000000000000f [ 682.883403] #PF: supervisor read access in kernel mode [ 682.889345] #PF: error_code(0x0000) - not-present page [ 682.895289] PGD 0 P4D 0 [ 682.898218] Oops: 0000 [#1] PREEMPT SMP PTI [ 682.903055] CPU: 42 PID: 2878 Comm: ethtool Tainted: G OE 5.15.0-rc5+ #1 [ 682.912214] Hardware name: Intel Corp. GRANTLEY/GRANTLEY, BIOS GRRFCRB1.86B.0276.D07.1605190235 05/19/2016 [ 682.923380] RIP: 0010:devres_remove+0x44/0x130 [ 682.928527] Code: 49 89 f4 55 48 89 fd 4c 89 ff 53 48 83 ec 10 e8 92 b9 49 00 48 8b 9d a8 02 00 00 48 8d 8d a0 02 00 00 49 89 c2 48 39 cb 74 0f <4c> 3b 63 10 74 25 48 8b 5b 08 48 39 cb 75 f1 4c 89 ff 4c 89 d6 e8 [ 682.950237] RSP: 0018:ffffc90006a679f0 EFLAGS: 00010002 [ 682.956285] RAX: 0000000000000286 RBX: ffffffffffffffff RCX: ffff88908343a370 [ 682.964538] RDX: 0000000000000001 RSI: ffffffff81690d60 RDI: 0000000000000000 [ 682.972789] RBP: ffff88908343a0d0 R08: 0000000000000000 R09: 0000000000000000 [ 682.981040] R10: 0000000000000286 R11: 3fffffffffffffff R12: ffffffff81690d60 [ 682.989282] R13: ffffffff81690a00 R14: ffff8890819807a8 R15: ffff88908343a36c [ 682.997535] FS: 00007f08c7bfa740(0000) GS:ffff88a03fd00000(0000) knlGS:0000000000000000 [ 683.006910] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 683.013557] CR2: 000000000000000f CR3: 0000001080a66003 CR4: 00000000003706e0 [ 683.021819] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 683.030075] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 683.038336] Call Trace: [ 683.041167] devm_kfree+0x33/0x50 [ 683.045004] ice_vsi_free_arrays+0x5e/0xc0 [ice] [ 683.050380] ice_vsi_rebuild+0x4c8/0x750 [ice] [ 683.055543] ice_vsi_recfg_qs+0x9a/0x110 [ice] [ 683.060697] ice_set_channels+0x14f/0x290 [ice] [ 683.065962] ethnl_set_channels+0x333/0x3f0 [ 683.070807] genl_family_rcv_msg_doit+0xea/0x150 [ 683.076152] genl_rcv_msg+0xde/0x1d0 [ 683.080289] ? channels_prepare_data+0x60/0x60 [ 683.085432] ? genl_get_cmd+0xd0/0xd0 [ 683.089667] netlink_rcv_skb+0x50/0xf0 [ 683.094006] genl_rcv+0x24/0x40 [ 683.097638] netlink_unicast+0x239/0x340 [ 683.102177] netlink_sendmsg+0x22e/0x470 [ 683.106717] sock_sendmsg+0x5e/0x60 [ 683.110756] __sys_sendto+0xee/0x150 [ 683.114894] ? handle_mm_fault+0xd0/0x2a0 [ 683.119535] ? do_user_addr_fault+0x1f3/0x690 [ 683.134173] __x64_sys_sendto+0x25/0x30 [ 683.148231] do_syscall_64+0x3b/0xc0 [ 683.161992] entry_SYSCALL_64_after_hwframe+0x44/0xae Fix this by taking into account the value that num_possible_cpus() yields in addition to vsi->alloc_txq instead of doubling the latter. CVE-2021-47562 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: ice: avoid bpf_prog refcount underflow Ice driver has the routines for managing XDP resources that are shared between ndo_bpf op and VSI rebuild flow. The latter takes place for example when user changes queue count on an interface via ethtool's set_channels(). There is an issue around the bpf_prog refcounting when VSI is being rebuilt - since ice_prepare_xdp_rings() is called with vsi->xdp_prog as an argument that is used later on by ice_vsi_assign_bpf_prog(), same bpf_prog pointers are swapped with each other. Then it is also interpreted as an 'old_prog' which in turn causes us to call bpf_prog_put on it that will decrement its refcount. Below splat can be interpreted in a way that due to zero refcount of a bpf_prog it is wiped out from the system while kernel still tries to refer to it: [ 481.069429] BUG: unable to handle page fault for address: ffffc9000640f038 [ 481.077390] #PF: supervisor read access in kernel mode [ 481.083335] #PF: error_code(0x0000) - not-present page [ 481.089276] PGD 100000067 P4D 100000067 PUD 1001cb067 PMD 106d2b067 PTE 0 [ 481.097141] Oops: 0000 [#1] PREEMPT SMP PTI [ 481.101980] CPU: 12 PID: 3339 Comm: sudo Tainted: G OE 5.15.0-rc5+ #1 [ 481.110840] Hardware name: Intel Corp. GRANTLEY/GRANTLEY, BIOS GRRFCRB1.86B.0276.D07.1605190235 05/19/2016 [ 481.122021] RIP: 0010:dev_xdp_prog_id+0x25/0x40 [ 481.127265] Code: 80 00 00 00 00 0f 1f 44 00 00 89 f6 48 c1 e6 04 48 01 fe 48 8b 86 98 08 00 00 48 85 c0 74 13 48 8b 50 18 31 c0 48 85 d2 74 07 <48> 8b 42 38 8b 40 20 c3 48 8b 96 90 08 00 00 eb e8 66 2e 0f 1f 84 [ 481.148991] RSP: 0018:ffffc90007b63868 EFLAGS: 00010286 [ 481.155034] RAX: 0000000000000000 RBX: ffff889080824000 RCX: 0000000000000000 [ 481.163278] RDX: ffffc9000640f000 RSI: ffff889080824010 RDI: ffff889080824000 [ 481.171527] RBP: ffff888107af7d00 R08: 0000000000000000 R09: ffff88810db5f6e0 [ 481.179776] R10: 0000000000000000 R11: ffff8890885b9988 R12: ffff88810db5f4bc [ 481.188026] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 [ 481.196276] FS: 00007f5466d5bec0(0000) GS:ffff88903fb00000(0000) knlGS:0000000000000000 [ 481.205633] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 481.212279] CR2: ffffc9000640f038 CR3: 000000014429c006 CR4: 00000000003706e0 [ 481.220530] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 481.228771] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 481.237029] Call Trace: [ 481.239856] rtnl_fill_ifinfo+0x768/0x12e0 [ 481.244602] rtnl_dump_ifinfo+0x525/0x650 [ 481.249246] ? __alloc_skb+0xa5/0x280 [ 481.253484] netlink_dump+0x168/0x3c0 [ 481.257725] netlink_recvmsg+0x21e/0x3e0 [ 481.262263] ____sys_recvmsg+0x87/0x170 [ 481.266707] ? __might_fault+0x20/0x30 [ 481.271046] ? _copy_from_user+0x66/0xa0 [ 481.275591] ? iovec_from_user+0xf6/0x1c0 [ 481.280226] ___sys_recvmsg+0x82/0x100 [ 481.284566] ? sock_sendmsg+0x5e/0x60 [ 481.288791] ? __sys_sendto+0xee/0x150 [ 481.293129] __sys_recvmsg+0x56/0xa0 [ 481.297267] do_syscall_64+0x3b/0xc0 [ 481.301395] entry_SYSCALL_64_after_hwframe+0x44/0xae [ 481.307238] RIP: 0033:0x7f5466f39617 [ 481.311373] Code: 0c 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb bd 0f 1f 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 2f 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 51 c3 48 83 ec 28 89 54 24 1c 48 89 74 24 10 [ 481.342944] RSP: 002b:00007ffedc7f4308 EFLAGS: 00000246 ORIG_RAX: 000000000000002f [ 481.361783] RAX: ffffffffffffffda RBX: 00007ffedc7f5460 RCX: 00007f5466f39617 [ 481.380278] RDX: 0000000000000000 RSI: 00007ffedc7f5360 RDI: 0000000000000003 [ 481.398500] RBP: 00007ffedc7f53f0 R08: 0000000000000000 R09: 000055d556f04d50 [ 481.416463] R10: 0000000000000077 R11: 0000000000000246 R12: 00007ffedc7f5360 [ 481.434131] R13: 00007ffedc7f5350 R14: 00007ffedc7f5344 R15: 0000000000000e98 [ 481.451520] Modules linked in: ice ---truncated--- CVE-2021-47563 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 important In the Linux kernel, the following vulnerability has been resolved: scsi: mpt3sas: Fix kernel panic during drive powercycle test While looping over shost's sdev list it is possible that one of the drives is getting removed and its sas_target object is freed but its sdev object remains intact. Consequently, a kernel panic can occur while the driver is trying to access the sas_address field of sas_target object without also checking the sas_target object for NULL. CVE-2021-47565 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: staging: rtl8192e: Fix use after free in _rtl92e_pci_disconnect() The free_rtllib() function frees the "dev" pointer so there is use after free on the next line. Re-arrange things to avoid that. CVE-2021-47571 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 important In the Linux kernel, the following vulnerability has been resolved: scsi: scsi_debug: Sanity check block descriptor length in resp_mode_select() In resp_mode_select() sanity check the block descriptor len to avoid UAF. BUG: KASAN: use-after-free in resp_mode_select+0xa4c/0xb40 drivers/scsi/scsi_debug.c:2509 Read of size 1 at addr ffff888026670f50 by task scsicmd/15032 CPU: 1 PID: 15032 Comm: scsicmd Not tainted 5.15.0-01d0625 #15 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Call Trace: <TASK> dump_stack_lvl+0x89/0xb5 lib/dump_stack.c:107 print_address_description.constprop.9+0x28/0x160 mm/kasan/report.c:257 kasan_report.cold.14+0x7d/0x117 mm/kasan/report.c:443 __asan_report_load1_noabort+0x14/0x20 mm/kasan/report_generic.c:306 resp_mode_select+0xa4c/0xb40 drivers/scsi/scsi_debug.c:2509 schedule_resp+0x4af/0x1a10 drivers/scsi/scsi_debug.c:5483 scsi_debug_queuecommand+0x8c9/0x1e70 drivers/scsi/scsi_debug.c:7537 scsi_queue_rq+0x16b4/0x2d10 drivers/scsi/scsi_lib.c:1521 blk_mq_dispatch_rq_list+0xb9b/0x2700 block/blk-mq.c:1640 __blk_mq_sched_dispatch_requests+0x28f/0x590 block/blk-mq-sched.c:325 blk_mq_sched_dispatch_requests+0x105/0x190 block/blk-mq-sched.c:358 __blk_mq_run_hw_queue+0xe5/0x150 block/blk-mq.c:1762 __blk_mq_delay_run_hw_queue+0x4f8/0x5c0 block/blk-mq.c:1839 blk_mq_run_hw_queue+0x18d/0x350 block/blk-mq.c:1891 blk_mq_sched_insert_request+0x3db/0x4e0 block/blk-mq-sched.c:474 blk_execute_rq_nowait+0x16b/0x1c0 block/blk-exec.c:63 sg_common_write.isra.18+0xeb3/0x2000 drivers/scsi/sg.c:837 sg_new_write.isra.19+0x570/0x8c0 drivers/scsi/sg.c:775 sg_ioctl_common+0x14d6/0x2710 drivers/scsi/sg.c:941 sg_ioctl+0xa2/0x180 drivers/scsi/sg.c:1166 __x64_sys_ioctl+0x19d/0x220 fs/ioctl.c:52 do_syscall_64+0x3a/0x80 arch/x86/entry/common.c:50 entry_SYSCALL_64_after_hwframe+0x44/0xae arch/x86/entry/entry_64.S:113 CVE-2021-47576 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 low In the Linux kernel, the following vulnerability has been resolved: media: mxl111sf: change mutex_init() location Syzbot reported, that mxl111sf_ctrl_msg() uses uninitialized mutex. The problem was in wrong mutex_init() location. Previous mutex_init(&state->msg_lock) call was in ->init() function, but dvb_usbv2_init() has this order of calls: dvb_usbv2_init() dvb_usbv2_adapter_init() dvb_usbv2_adapter_frontend_init() props->frontend_attach() props->init() Since mxl111sf_* devices call mxl111sf_ctrl_msg() in ->frontend_attach() internally we need to initialize state->msg_lock before frontend_attach(). To achieve it, ->probe() call added to all mxl111sf_* devices, which will simply initiaize mutex. CVE-2021-47583 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: igbvf: fix double free in `igbvf_probe` In `igbvf_probe`, if register_netdev() fails, the program will go to label err_hw_init, and then to label err_ioremap. In free_netdev() which is just below label err_ioremap, there is `list_for_each_entry_safe` and `netif_napi_del` which aims to delete all entries in `dev->napi_list`. The program has added an entry `adapter->rx_ring->napi` which is added by `netif_napi_add` in igbvf_alloc_queues(). However, adapter->rx_ring has been freed below label err_hw_init. So this a UAF. In terms of how to patch the problem, we can refer to igbvf_remove() and delete the entry before `adapter->rx_ring`. The KASAN logs are as follows: [ 35.126075] BUG: KASAN: use-after-free in free_netdev+0x1fd/0x450 [ 35.127170] Read of size 8 at addr ffff88810126d990 by task modprobe/366 [ 35.128360] [ 35.128643] CPU: 1 PID: 366 Comm: modprobe Not tainted 5.15.0-rc2+ #14 [ 35.129789] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014 [ 35.131749] Call Trace: [ 35.132199] dump_stack_lvl+0x59/0x7b [ 35.132865] print_address_description+0x7c/0x3b0 [ 35.133707] ? free_netdev+0x1fd/0x450 [ 35.134378] __kasan_report+0x160/0x1c0 [ 35.135063] ? free_netdev+0x1fd/0x450 [ 35.135738] kasan_report+0x4b/0x70 [ 35.136367] free_netdev+0x1fd/0x450 [ 35.137006] igbvf_probe+0x121d/0x1a10 [igbvf] [ 35.137808] ? igbvf_vlan_rx_add_vid+0x100/0x100 [igbvf] [ 35.138751] local_pci_probe+0x13c/0x1f0 [ 35.139461] pci_device_probe+0x37e/0x6c0 [ 35.165526] [ 35.165806] Allocated by task 366: [ 35.166414] ____kasan_kmalloc+0xc4/0xf0 [ 35.167117] foo_kmem_cache_alloc_trace+0x3c/0x50 [igbvf] [ 35.168078] igbvf_probe+0x9c5/0x1a10 [igbvf] [ 35.168866] local_pci_probe+0x13c/0x1f0 [ 35.169565] pci_device_probe+0x37e/0x6c0 [ 35.179713] [ 35.179993] Freed by task 366: [ 35.180539] kasan_set_track+0x4c/0x80 [ 35.181211] kasan_set_free_info+0x1f/0x40 [ 35.181942] ____kasan_slab_free+0x103/0x140 [ 35.182703] kfree+0xe3/0x250 [ 35.183239] igbvf_probe+0x1173/0x1a10 [igbvf] [ 35.184040] local_pci_probe+0x13c/0x1f0 CVE-2021-47589 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: net/sched: sch_ets: don't remove idle classes from the round-robin list Shuang reported that the following script: 1) tc qdisc add dev ddd0 handle 10: parent 1: ets bands 8 strict 4 priomap 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 2) mausezahn ddd0 -A 10.10.10.1 -B 10.10.10.2 -c 0 -a own -b 00:c1:a0:c1:a0:00 -t udp & 3) tc qdisc change dev ddd0 handle 10: ets bands 4 strict 2 quanta 2500 2500 priomap 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 crashes systematically when line 2) is commented: list_del corruption, ffff8e028404bd30->next is LIST_POISON1 (dead000000000100) ------------[ cut here ]------------ kernel BUG at lib/list_debug.c:47! invalid opcode: 0000 [#1] PREEMPT SMP NOPTI CPU: 0 PID: 954 Comm: tc Not tainted 5.16.0-rc4+ #478 Hardware name: Red Hat KVM, BIOS 1.11.1-4.module+el8.1.0+4066+0f1aadab 04/01/2014 RIP: 0010:__list_del_entry_valid.cold.1+0x12/0x47 Code: fe ff 0f 0b 48 89 c1 4c 89 c6 48 c7 c7 08 42 1b 87 e8 1d c5 fe ff 0f 0b 48 89 fe 48 89 c2 48 c7 c7 98 42 1b 87 e8 09 c5 fe ff <0f> 0b 48 c7 c7 48 43 1b 87 e8 fb c4 fe ff 0f 0b 48 89 f2 48 89 fe RSP: 0018:ffffae46807a3888 EFLAGS: 00010246 RAX: 000000000000004e RBX: 0000000000000007 RCX: 0000000000000202 RDX: 0000000000000000 RSI: ffffffff871ac536 RDI: 00000000ffffffff RBP: ffffae46807a3a10 R08: 0000000000000000 R09: c0000000ffff7fff R10: 0000000000000001 R11: ffffae46807a36a8 R12: ffff8e028404b800 R13: ffff8e028404bd30 R14: dead000000000100 R15: ffff8e02fafa2400 FS: 00007efdc92e4480(0000) GS:ffff8e02fb600000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000682f48 CR3: 00000001058be000 CR4: 0000000000350ef0 Call Trace: <TASK> ets_qdisc_change+0x58b/0xa70 [sch_ets] tc_modify_qdisc+0x323/0x880 rtnetlink_rcv_msg+0x169/0x4a0 netlink_rcv_skb+0x50/0x100 netlink_unicast+0x1a5/0x280 netlink_sendmsg+0x257/0x4d0 sock_sendmsg+0x5b/0x60 ____sys_sendmsg+0x1f2/0x260 ___sys_sendmsg+0x7c/0xc0 __sys_sendmsg+0x57/0xa0 do_syscall_64+0x3a/0x80 entry_SYSCALL_64_after_hwframe+0x44/0xae RIP: 0033:0x7efdc8031338 Code: 89 02 48 c7 c0 ff ff ff ff eb b5 0f 1f 80 00 00 00 00 f3 0f 1e fa 48 8d 05 25 43 2c 00 8b 00 85 c0 75 17 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 58 c3 0f 1f 80 00 00 00 00 41 54 41 89 d4 55 RSP: 002b:00007ffdf1ce9828 EFLAGS: 00000246 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 0000000061b37a97 RCX: 00007efdc8031338 RDX: 0000000000000000 RSI: 00007ffdf1ce9890 RDI: 0000000000000003 RBP: 0000000000000000 R08: 0000000000000001 R09: 000000000078a940 R10: 000000000000000c R11: 0000000000000246 R12: 0000000000000001 R13: 0000000000688880 R14: 0000000000000000 R15: 0000000000000000 </TASK> Modules linked in: sch_ets sch_tbf dummy rfkill iTCO_wdt iTCO_vendor_support intel_rapl_msr intel_rapl_common joydev pcspkr i2c_i801 virtio_balloon i2c_smbus lpc_ich ip_tables xfs libcrc32c crct10dif_pclmul crc32_pclmul crc32c_intel serio_raw ghash_clmulni_intel ahci libahci libata virtio_blk virtio_console virtio_net net_failover failover sunrpc dm_mirror dm_region_hash dm_log dm_mod [last unloaded: sch_ets] ---[ end trace f35878d1912655c2 ]--- RIP: 0010:__list_del_entry_valid.cold.1+0x12/0x47 Code: fe ff 0f 0b 48 89 c1 4c 89 c6 48 c7 c7 08 42 1b 87 e8 1d c5 fe ff 0f 0b 48 89 fe 48 89 c2 48 c7 c7 98 42 1b 87 e8 09 c5 fe ff <0f> 0b 48 c7 c7 48 43 1b 87 e8 fb c4 fe ff 0f 0b 48 89 f2 48 89 fe RSP: 0018:ffffae46807a3888 EFLAGS: 00010246 RAX: 000000000000004e RBX: 0000000000000007 RCX: 0000000000000202 RDX: 0000000000000000 RSI: ffffffff871ac536 RDI: 00000000ffffffff RBP: ffffae46807a3a10 R08: 0000000000000000 R09: c0000000ffff7fff R10: 0000000000000001 R11: ffffae46807a36a8 R12: ffff8e028404b800 R13: ffff8e028404bd30 R14: dead000000000100 R15: ffff8e02fafa2400 FS: 00007efdc92e4480(0000) GS:ffff8e02fb600000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000000000 ---truncated--- CVE-2021-47595 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: net: hns3: fix use-after-free bug in hclgevf_send_mbx_msg Currently, the hns3_remove function firstly uninstall client instance, and then uninstall acceletion engine device. The netdevice is freed in client instance uninstall process, but acceletion engine device uninstall process still use it to trace runtime information. This causes a use after free problem. So fixes it by check the instance register state to avoid use after free. CVE-2021-47596 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: dm btree remove: fix use after free in rebalance_children() Move dm_tm_unlock() after dm_tm_dec(). CVE-2021-47600 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: mac80211: track only QoS data frames for admission control For admission control, obviously all of that only works for QoS data frames, otherwise we cannot even access the QoS field in the header. Syzbot reported (see below) an uninitialized value here due to a status of a non-QoS nullfunc packet, which isn't even long enough to contain the QoS header. Fix this to only do anything for QoS data packets. CVE-2021-47602 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: firmware: arm_scpi: Fix string overflow in SCPI genpd driver Without the bound checks for scpi_pd->name, it could result in the buffer overflow when copying the SCPI device name from the corresponding device tree node as the name string is set at maximum size of 30. Let us fix it by using devm_kasprintf so that the string buffer is allocated dynamically. CVE-2021-47609 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: mac80211: validate extended element ID is present Before attempting to parse an extended element, verify that the extended element ID is present. CVE-2021-47611 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: nfc: fix segfault in nfc_genl_dump_devices_done When kmalloc in nfc_genl_dump_devices() fails then nfc_genl_dump_devices_done() segfaults as below KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f] CPU: 0 PID: 25 Comm: kworker/0:1 Not tainted 5.16.0-rc4-01180-g2a987e65025e-dirty #5 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-6.fc35 04/01/2014 Workqueue: events netlink_sock_destruct_work RIP: 0010:klist_iter_exit+0x26/0x80 Call Trace: <TASK> class_dev_iter_exit+0x15/0x20 nfc_genl_dump_devices_done+0x3b/0x50 genl_lock_done+0x84/0xd0 netlink_sock_destruct+0x8f/0x270 __sk_destruct+0x64/0x3b0 sk_destruct+0xa8/0xd0 __sk_free+0x2e8/0x3d0 sk_free+0x51/0x90 netlink_sock_destruct_work+0x1c/0x20 process_one_work+0x411/0x710 worker_thread+0x6fd/0xa80 CVE-2021-47612 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: PCI: pciehp: Fix infinite loop in IRQ handler upon power fault The Power Fault Detected bit in the Slot Status register differs from all other hotplug events in that it is sticky: It can only be cleared after turning off slot power. Per PCIe r5.0, sec. 6.7.1.8: If a power controller detects a main power fault on the hot-plug slot, it must automatically set its internal main power fault latch [...]. The main power fault latch is cleared when software turns off power to the hot-plug slot. The stickiness used to cause interrupt storms and infinite loops which were fixed in 2009 by commits 5651c48cfafe ("PCI pciehp: fix power fault interrupt storm problem") and 99f0169c17f3 ("PCI: pciehp: enable software notification on empty slots"). Unfortunately in 2020 the infinite loop issue was inadvertently reintroduced by commit 8edf5332c393 ("PCI: pciehp: Fix MSI interrupt race"): The hardirq handler pciehp_isr() clears the PFD bit until pciehp's power_fault_detected flag is set. That happens in the IRQ thread pciehp_ist(), which never learns of the event because the hardirq handler is stuck in an infinite loop. Fix by setting the power_fault_detected flag already in the hardirq handler. CVE-2021-47617 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: ARM: 9170/1: fix panic when kasan and kprobe are enabled arm32 uses software to simulate the instruction replaced by kprobe. some instructions may be simulated by constructing assembly functions. therefore, before executing instruction simulation, it is necessary to construct assembly function execution environment in C language through binding registers. after kasan is enabled, the register binding relationship will be destroyed, resulting in instruction simulation errors and causing kernel panic. the kprobe emulate instruction function is distributed in three files: actions-common.c actions-arm.c actions-thumb.c, so disable KASAN when compiling these files. for example, use kprobe insert on cap_capable+20 after kasan enabled, the cap_capable assembly code is as follows: <cap_capable>: e92d47f0 push {r4, r5, r6, r7, r8, r9, sl, lr} e1a05000 mov r5, r0 e280006c add r0, r0, #108 ; 0x6c e1a04001 mov r4, r1 e1a06002 mov r6, r2 e59fa090 ldr sl, [pc, #144] ; ebfc7bf8 bl c03aa4b4 <__asan_load4> e595706c ldr r7, [r5, #108] ; 0x6c e2859014 add r9, r5, #20 ...... The emulate_ldr assembly code after enabling kasan is as follows: c06f1384 <emulate_ldr>: e92d47f0 push {r4, r5, r6, r7, r8, r9, sl, lr} e282803c add r8, r2, #60 ; 0x3c e1a05000 mov r5, r0 e7e37855 ubfx r7, r5, #16, #4 e1a00008 mov r0, r8 e1a09001 mov r9, r1 e1a04002 mov r4, r2 ebf35462 bl c03c6530 <__asan_load4> e357000f cmp r7, #15 e7e36655 ubfx r6, r5, #12, #4 e205a00f and sl, r5, #15 0a000001 beq c06f13bc <emulate_ldr+0x38> e0840107 add r0, r4, r7, lsl #2 ebf3545c bl c03c6530 <__asan_load4> e084010a add r0, r4, sl, lsl #2 ebf3545a bl c03c6530 <__asan_load4> e2890010 add r0, r9, #16 ebf35458 bl c03c6530 <__asan_load4> e5990010 ldr r0, [r9, #16] e12fff30 blx r0 e356000f cm r6, #15 1a000014 bne c06f1430 <emulate_ldr+0xac> e1a06000 mov r6, r0 e2840040 add r0, r4, #64 ; 0x40 ...... when running in emulate_ldr to simulate the ldr instruction, panic occurred, and the log is as follows: Unable to handle kernel NULL pointer dereference at virtual address 00000090 pgd = ecb46400 [00000090] *pgd=2e0fa003, *pmd=00000000 Internal error: Oops: 206 [#1] SMP ARM PC is at cap_capable+0x14/0xb0 LR is at emulate_ldr+0x50/0xc0 psr: 600d0293 sp : ecd63af8 ip : 00000004 fp : c0a7c30c r10: 00000000 r9 : c30897f4 r8 : ecd63cd4 r7 : 0000000f r6 : 0000000a r5 : e59fa090 r4 : ecd63c98 r3 : c06ae294 r2 : 00000000 r1 : b7611300 r0 : bf4ec008 Flags: nZCv IRQs off FIQs on Mode SVC_32 ISA ARM Segment user Control: 32c5387d Table: 2d546400 DAC: 55555555 Process bash (pid: 1643, stack limit = 0xecd60190) (cap_capable) from (kprobe_handler+0x218/0x340) (kprobe_handler) from (kprobe_trap_handler+0x24/0x48) (kprobe_trap_handler) from (do_undefinstr+0x13c/0x364) (do_undefinstr) from (__und_svc_finish+0x0/0x30) (__und_svc_finish) from (cap_capable+0x18/0xb0) (cap_capable) from (cap_vm_enough_memory+0x38/0x48) (cap_vm_enough_memory) from (security_vm_enough_memory_mm+0x48/0x6c) (security_vm_enough_memory_mm) from (copy_process.constprop.5+0x16b4/0x25c8) (copy_process.constprop.5) from (_do_fork+0xe8/0x55c) (_do_fork) from (SyS_clone+0x1c/0x24) (SyS_clone) from (__sys_trace_return+0x0/0x10) Code: 0050a0e1 6c0080e2 0140a0e1 0260a0e1 (f801f0e7) CVE-2021-47618 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: i40e: Fix queues reservation for XDP When XDP was configured on a system with large number of CPUs and X722 NIC there was a call trace with NULL pointer dereference. i40e 0000:87:00.0: failed to get tracking for 256 queues for VSI 0 err -12 i40e 0000:87:00.0: setup of MAIN VSI failed BUG: kernel NULL pointer dereference, address: 0000000000000000 RIP: 0010:i40e_xdp+0xea/0x1b0 [i40e] Call Trace: ? i40e_reconfig_rss_queues+0x130/0x130 [i40e] dev_xdp_install+0x61/0xe0 dev_xdp_attach+0x18a/0x4c0 dev_change_xdp_fd+0x1e6/0x220 do_setlink+0x616/0x1030 ? ahci_port_stop+0x80/0x80 ? ata_qc_issue+0x107/0x1e0 ? lock_timer_base+0x61/0x80 ? __mod_timer+0x202/0x380 rtnl_setlink+0xe5/0x170 ? bpf_lsm_binder_transaction+0x10/0x10 ? security_capable+0x36/0x50 rtnetlink_rcv_msg+0x121/0x350 ? rtnl_calcit.isra.0+0x100/0x100 netlink_rcv_skb+0x50/0xf0 netlink_unicast+0x1d3/0x2a0 netlink_sendmsg+0x22a/0x440 sock_sendmsg+0x5e/0x60 __sys_sendto+0xf0/0x160 ? __sys_getsockname+0x7e/0xc0 ? _copy_from_user+0x3c/0x80 ? __sys_setsockopt+0xc8/0x1a0 __x64_sys_sendto+0x20/0x30 do_syscall_64+0x33/0x40 entry_SYSCALL_64_after_hwframe+0x44/0xae RIP: 0033:0x7f83fa7a39e0 This was caused by PF queue pile fragmentation due to flow director VSI queue being placed right after main VSI. Because of this main VSI was not able to resize its queue allocation for XDP resulting in no queues allocated for main VSI when XDP was turned on. Fix this by always allocating last queue in PF queue pile for a flow director VSI. CVE-2021-47619 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: Bluetooth: refactor malicious adv data check Check for out-of-bound read was being performed at the end of while num_reports loop, and would fill journal with false positives. Added check to beginning of loop processing so that it doesn't get checked after ptr has been advanced. CVE-2021-47620 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 low A stack overflow flaw was found in the Linux kernel's TIPC protocol functionality in the way a user sends a packet with malicious content where the number of domain member nodes is higher than the 64 allowed. This flaw allows a remote user to crash the system or possibly escalate their privileges if they have access to the TIPC network. CVE-2022-0435 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 important 9 AV:N/AC:L/Au:S/C:C/I:C/A:C A use-after-free vulnerability was found in rtsx_usb_ms_drv_remove in drivers/memstick/host/rtsx_usb_ms.c in memstick in the Linux kernel. In this flaw, a local attacker with a user privilege may impact system Confidentiality. This flaw affects kernel versions prior to 5.14 rc1. CVE-2022-0487 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate 2.1 AV:L/AC:L/Au:N/C:P/I:N/A:N A use-after-free vulnerability was found in the Linux kernel in drivers/net/hamradio. This flaw allows a local attacker with a user privilege to cause a denial of service (DOS) when the mkiss or sixpack device is detached and reclaim resources early. CVE-2022-1195 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate 2.1 AV:L/AC:L/Au:N/C:N/I:N/A:P In Samba, GnuTLS gnutls_rnd() can fail and give predictable random values. CVE-2022-1615 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:samba-client-libs-4.15.13+git.710.7032820fcd-150300.3.66.2 important A parsing vulnerability for the MessageSet type in the ProtocolBuffers versions prior to and including 3.16.1, 3.17.3, 3.18.2, 3.19.4, 3.20.1 and 3.21.5 for protobuf-cpp, and versions prior to and including 3.16.1, 3.17.3, 3.18.2, 3.19.4, 3.20.1 and 4.21.5 for protobuf-python can lead to out of memory failures. A specially crafted message with multiple key-value per elements creates parsing issues, and can lead to a Denial of Service against services receiving unsanitized input. We recommend upgrading to versions 3.18.3, 3.19.5, 3.20.2, 3.21.6 for protobuf-cpp and 3.18.3, 3.19.5, 3.20.2, 4.21.6 for protobuf-python. Versions for 3.16 and 3.17 are no longer updated. CVE-2022-1941 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libprotobuf-lite20-3.9.2-150200.4.21.1 moderate In lg_probe and related functions of hid-lg.c and other USB HID files, there is a possible out of bounds read due to improper input validation. This could lead to local information disclosure if a malicious USB HID device were plugged in, with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-188677105References: Upstream kernel CVE-2022-20132 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate 4.9 AV:L/AC:L/Au:N/C:C/I:N/A:N In lock_sock_nested of sock.c, there is a possible use after free due to a race condition. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-174846563References: Upstream kernel CVE-2022-20154 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate 4.4 AV:L/AC:M/Au:N/C:P/I:P/A:P A flaw was found in Samba. The security vulnerability occurs when KDC and the kpasswd service share a single account and set of keys, allowing them to decrypt each other's tickets. A user who has been requested to change their password, can exploit this flaw to obtain and use tickets to other services. CVE-2022-2031 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:samba-client-libs-4.15.13+git.710.7032820fcd-150300.3.66.2 important An out-of-bounds read vulnerability was found in Samba due to insufficient length checks in winbindd_pam_auth_crap.c. When performing NTLM authentication, the client replies to cryptographic challenges back to the server. These replies have variable lengths, and Winbind fails to check the lan manager response length. When Winbind is used for NTLM authentication, a maliciously crafted request can trigger an out-of-bounds read in Winbind, possibly resulting in a crash. CVE-2022-2127 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:samba-client-libs-4.15.13+git.710.7032820fcd-150300.3.66.2 moderate A regression exists in the Linux Kernel within KVM: nVMX that allowed for speculative execution attacks. L2 can carry out Spectre v2 attacks on L1 due to L1 thinking it doesn't need retpolines or IBPB after running L2 due to KVM (L0) advertising eIBRS support to L1. An attacker at L2 with code execution can execute code on an indirect branch on the host machine. We recommend upgrading to Kernel 6.2 or past commit 2e7eab81425a CVE-2022-2196 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate The vmwgfx driver contains a local privilege escalation vulnerability that allows unprivileged users to gain access to files opened by other processes on the system through a dangling 'file' pointer. CVE-2022-22942 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate containerd is an open source container runtime. A bug was found in containerd's CRI implementation where a user can exhaust memory on the host. In the CRI stream server, a goroutine is launched to handle terminal resize events if a TTY is requested. If the user's process fails to launch due to, for example, a faulty command, the goroutine will be stuck waiting to send without a receiver, resulting in a memory leak. Kubernetes and crictl can both be configured to use containerd's CRI implementation and the stream server is used for handling container IO. This bug has been fixed in containerd 1.6.12 and 1.5.16. Users should update to these versions to resolve the issue. Users unable to upgrade should ensure that only trusted images and commands are used and that only trusted users have permissions to execute commands in running containers. CVE-2022-23471 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:containerd-1.7.17-150000.114.1 moderate Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. Certifi 2022.12.07 removes root certificates from "TrustCor" from the root store. These are in the process of being removed from Mozilla's trust store. TrustCor's root certificates are being removed pursuant to an investigation prompted by media reporting that TrustCor's ownership also operated a business that produced spyware. Conclusions of Mozilla's investigation can be found in the linked google group discussion. CVE-2022-23491 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:mozilla-nss-certs-3.101.2-150000.3.120.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:python3-certifi-2018.1.18-150000.3.3.1 moderate IBPB may not prevent return branch predictions from being specified by pre-IBPB branch targets leading to a potential information disclosure. CVE-2022-23824 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:xen-libs-4.14.6_16-150300.3.75.1 moderate Nokogiri is an open source XML and HTML library for Ruby. Nokogiri `< v1.13.4` contains an inefficient regular expression that is susceptible to excessive backtracking when attempting to detect encoding in HTML documents. Users are advised to upgrade to Nokogiri `>= 1.13.4`. There are no known workarounds for this issue. CVE-2022-24836 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:ruby2.5-rubygem-nokogiri-1.8.5-150000.3.9.1 important 5 AV:N/AC:L/Au:N/C:N/I:N/A:P xmlparse.c in Expat (aka libexpat) before 2.4.5 allows attackers to insert namespace-separator characters into namespace URIs. CVE-2022-25236 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:python3-3.6.15-150300.10.65.2 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:python3-curses-3.6.15-150300.10.65.2 important 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P A buffer overflow was found in grub_font_construct_glyph(). A malicious crafted pf2 font can lead to an overflow when calculating the max_glyph_size value, allocating a smaller than needed buffer for the glyph, this further leads to a buffer overflow and a heap based out-of-bounds write. An attacker may use this vulnerability to circumvent the secure boot mechanism. CVE-2022-2601 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:grub2-2.04-150300.22.43.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:grub2-i386-pc-2.04-150300.22.43.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:grub2-x86_64-efi-2.04-150300.22.43.1 moderate The golang.org/x/crypto/ssh package before 0.0.0-20220314234659-1baeb1ce4c0b for Go allows an attacker to crash a server in certain circumstances involving AddHostKey. CVE-2022-27191 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:containerd-1.7.17-150000.114.1 important 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P libiberty/rust-demangle.c in GNU GCC 11.2 allows stack consumption in demangle_const, as demonstrated by nm-new. CVE-2022-27943 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:binutils-2.41-150100.7.46.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libctf-nobfd0-2.41-150100.7.46.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libctf0-2.41-150100.7.46.1 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P Nokogiri is an open source XML and HTML library for Ruby. Nokogiri prior to version 1.13.6 does not type-check all inputs into the XML and HTML4 SAX parsers, allowing specially crafted untrusted inputs to cause illegal memory access errors (segfault) or reads from unrelated memory. Version 1.13.6 contains a patch for this issue. As a workaround, ensure the untrusted input is a `String` by calling `#to_s` or equivalent. CVE-2022-29181 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:ruby2.5-rubygem-nokogiri-1.8.5-150000.3.9.1 important 6.4 AV:N/AC:L/Au:N/C:P/I:N/A:P In ISC DHCP 4.4.0 -> 4.4.3, ISC DHCP 4.1-ESV-R1 -> 4.1-ESV-R16-P1, when the function option_code_hash_lookup() is called from add_option(), it increases the option's refcount field. However, there is not a corresponding call to option_dereference() to decrement the refcount field. The function add_option() is only used in server responses to lease query packets. Each lease query response calls this function for several options, so eventually, the reference counters could overflow and cause the server to abort. CVE-2022-2928 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:dhcp-4.3.6.P1-150000.6.19.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:dhcp-client-4.3.6.P1-150000.6.19.1 moderate In ISC DHCP 1.0 -> 4.4.3, ISC DHCP 4.1-ESV-R1 -> 4.1-ESV-R16-P1 a system with access to a DHCP server, sending DHCP packets crafted to include fqdn labels longer than 63 bytes, could eventually cause the server to run out of memory. CVE-2022-2929 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:dhcp-4.3.6.P1-150000.6.19.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:dhcp-client-4.3.6.P1-150000.6.19.1 moderate NULL Pointer Dereference in GitHub repository vim/vim prior to 9.0.0259. CVE-2022-2980 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:vim-9.1.0330-150000.5.63.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:vim-data-common-9.1.0330-150000.5.63.1 low Use After Free in GitHub repository vim/vim prior to 9.0.0260. CVE-2022-2982 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:vim-9.1.0330-150000.5.63.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:vim-data-common-9.1.0330-150000.5.63.1 moderate Use After Free in GitHub repository vim/vim prior to 9.0.0322. CVE-2022-3037 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:vim-9.1.0330-150000.5.63.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:vim-data-common-9.1.0330-150000.5.63.1 low Sending a flood of dynamic DNS updates may cause `named` to allocate large amounts of memory. This, in turn, may cause `named` to exit due to a lack of free memory. We are not aware of any cases where this has been exploited. Memory is allocated prior to the checking of access permissions (ACLs) and is retained during the processing of a dynamic update from a client whose access credentials are accepted. Memory allocated to clients that are not permitted to send updates is released immediately upon rejection. The scope of this vulnerability is limited therefore to trusted clients who are permitted to make dynamic zone changes. If a dynamic update is REFUSED, memory will be released again very quickly. Therefore it is only likely to be possible to degrade or stop `named` by sending a flood of unaccepted dynamic updates comparable in magnitude to a query flood intended to achieve the same detrimental outcome. BIND 9.11 and earlier branches are also affected, but through exhaustion of internal resources rather than memory constraints. This may reduce performance but should not be a significant problem for most servers. Therefore we don't intend to address this for BIND versions prior to BIND 9.16. This issue affects BIND 9 versions 9.16.0 through 9.16.36, 9.18.0 through 9.18.10, 9.19.0 through 9.19.8, and 9.16.8-S1 through 9.16.36-S1. CVE-2022-3094 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:bind-utils-9.16.6-150300.22.47.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libbind9-1600-9.16.6-150300.22.47.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libdns1605-9.16.6-150300.22.47.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libirs1601-9.16.6-150300.22.47.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libisc1606-9.16.6-150300.22.47.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libisccc1600-9.16.6-150300.22.47.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libisccfg1600-9.16.6-150300.22.47.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libns1604-9.16.6-150300.22.47.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:python3-bind-9.16.6-150300.22.47.1 moderate Use After Free in GitHub repository vim/vim prior to 9.0.0360. CVE-2022-3099 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:vim-9.1.0330-150000.5.63.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:vim-data-common-9.1.0330-150000.5.63.1 moderate An issue was discovered in the Linux kernel through 5.16-rc6. amvdec_set_canvases in drivers/staging/media/meson/vdec/vdec_helpers.c lacks check of the return value of kzalloc() and will cause the null pointer dereference. CVE-2022-3112 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate An issue was discovered in the Linux kernel through 5.16-rc6. malidp_crtc_reset in drivers/gpu/drm/arm/malidp_crtc.c lacks check of the return value of kzalloc() and will cause the null pointer dereference. CVE-2022-3115 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate Use After Free in GitHub repository vim/vim prior to 9.0.0389. CVE-2022-3134 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:vim-9.1.0330-150000.5.63.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:vim-data-common-9.1.0330-150000.5.63.1 low NULL Pointer Dereference in GitHub repository vim/vim prior to 9.0.0404. CVE-2022-3153 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:vim-9.1.0330-150000.5.63.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:vim-data-common-9.1.0330-150000.5.63.1 moderate A parsing issue with binary data in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above. CVE-2022-3171 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libprotobuf-lite20-3.9.2-150200.4.21.1 important Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.0483. CVE-2022-3234 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:vim-9.1.0330-150000.5.63.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:vim-data-common-9.1.0330-150000.5.63.1 important Use After Free in GitHub repository vim/vim prior to 9.0.0490. CVE-2022-3235 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:vim-9.1.0330-150000.5.63.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:vim-data-common-9.1.0330-150000.5.63.1 low A flaw was found in Samba. Some SMB1 write requests were not correctly range-checked to ensure the client had sent enough data to fulfill the write, allowing server memory contents to be written into the file (or printer) instead of client-supplied data. The client cannot control the area of the server memory written to the file (or printer). CVE-2022-32742 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:samba-client-libs-4.15.13+git.710.7032820fcd-150300.3.66.2 moderate Samba does not validate the Validated-DNS-Host-Name right for the dNSHostName attribute which could permit unprivileged users to write it. CVE-2022-32743 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:samba-client-libs-4.15.13+git.710.7032820fcd-150300.3.66.2 moderate A flaw was found in Samba. The KDC accepts kpasswd requests encrypted with any key known to it. By encrypting forged kpasswd requests with its own key, a user can change other users' passwords, enabling full domain takeover. CVE-2022-32744 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:samba-client-libs-4.15.13+git.710.7032820fcd-150300.3.66.2 important A flaw was found in Samba. Samba AD users can cause the server to access uninitialized data with an LDAP add or modify the request, usually resulting in a segmentation fault. CVE-2022-32745 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:samba-client-libs-4.15.13+git.710.7032820fcd-150300.3.66.2 moderate A flaw was found in the Samba AD LDAP server. The AD DC database audit logging module can access LDAP message values freed by a preceding database module, resulting in a use-after-free issue. This issue is only possible when modifying certain privileged attributes, such as userAccountControl. CVE-2022-32746 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libldb2-2.4.4-150300.3.23.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:samba-client-libs-4.15.13+git.710.7032820fcd-150300.3.66.2 moderate NULL Pointer Dereference in GitHub repository vim/vim prior to 9.0.0552. CVE-2022-3278 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:vim-9.1.0330-150000.5.63.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:vim-data-common-9.1.0330-150000.5.63.1 low Stack-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.0577. CVE-2022-3296 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:vim-9.1.0330-150000.5.63.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:vim-data-common-9.1.0330-150000.5.63.1 moderate Use After Free in GitHub repository vim/vim prior to 9.0.0579. CVE-2022-3297 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:vim-9.1.0330-150000.5.63.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:vim-data-common-9.1.0330-150000.5.63.1 moderate Stack-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.0598. CVE-2022-3324 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:vim-9.1.0330-150000.5.63.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:vim-data-common-9.1.0330-150000.5.63.1 moderate Use After Free in GitHub repository vim/vim prior to 9.0.0614. CVE-2022-3352 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:vim-9.1.0330-150000.5.63.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:vim-data-common-9.1.0330-150000.5.63.1 moderate P2M pool freeing may take excessively long The P2M pool backing second level address translation for guests may be of significant size. Therefore its freeing may take more time than is reasonable without intermediate preemption checks. Such checking for the need to preempt was so far missing. CVE-2022-33746 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:xen-libs-4.14.6_16-150300.3.75.1 moderate Arm: unbounded memory consumption for 2nd-level page tables Certain actions require e.g. removing pages from a guest's P2M (Physical-to-Machine) mapping. When large pages are in use to map guest pages in the 2nd-stage page tables, such a removal operation may incur a memory allocation (to replace a large mapping with individual smaller ones). These memory allocations are taken from the global memory pool. A malicious guest might be able to cause the global memory pool to be exhausted by manipulating its own P2M mappings. CVE-2022-33747 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:xen-libs-4.14.6_16-150300.3.75.1 low lock order inversion in transitive grant copy handling As part of XSA-226 a missing cleanup call was inserted on an error handling path. While doing so, locking requirements were not paid attention to. As a result two cooperating guests granting each other transitive grants can cause locks to be acquired nested within one another, but in respectively opposite order. With suitable timing between the involved grant copy operations this may result in the locking up of a CPU. CVE-2022-33748 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:xen-libs-4.14.6_16-150300.3.75.1 moderate A vulnerability classified as problematic has been found in Linux Kernel. This affects the function fib_nh_match of the file net/ipv4/fib_semantics.c of the component IPv4 Handler. The manipulation leads to out-of-bounds read. It is possible to initiate the attack remotely. It is recommended to apply a patch to fix this issue. The identifier VDB-210357 was assigned to this vulnerability. CVE-2022-3435 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate A heap-based buffer overflow vulnerability was found in Samba within the GSSAPI unwrap_des() and unwrap_des3() routines of Heimdal. The DES and Triple-DES decryption routines in the Heimdal GSSAPI library allow a length-limited write buffer overflow on malloc() allocated memory when presented with a maliciously small packet. This flaw allows a remote user to send specially crafted malicious data to the application, possibly resulting in a denial of service (DoS) attack. CVE-2022-3437 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:samba-client-libs-4.15.13+git.710.7032820fcd-150300.3.66.2 moderate A vulnerability found in nss. By this security vulnerability, nss client auth crash without a user certificate in the database and this can lead us to a segmentation fault or crash. CVE-2022-3479 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:mozilla-nss-certs-3.101.2-150000.3.120.1 moderate Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.0742. CVE-2022-3491 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:vim-9.1.0330-150000.5.63.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:vim-data-common-9.1.0330-150000.5.63.1 low Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.0765. CVE-2022-3520 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:vim-9.1.0330-150000.5.63.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:vim-data-common-9.1.0330-150000.5.63.1 important An issue was discovered in Binutils readelf 2.38.50, reachable assertion failure in function display_debug_names allows attackers to cause a denial of service. CVE-2022-35205 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:binutils-2.41-150100.7.46.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libctf-nobfd0-2.41-150100.7.46.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libctf0-2.41-150100.7.46.1 low Null pointer dereference vulnerability in Binutils readelf 2.38.50 via function read_and_display_attr_value in file dwarf.c. CVE-2022-35206 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:binutils-2.41-150100.7.46.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libctf-nobfd0-2.41-150100.7.46.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libctf0-2.41-150100.7.46.1 moderate DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none. CVE-2022-3554 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libX11-6-1.6.5-150000.3.33.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libX11-data-1.6.5-150000.3.33.1 moderate DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none. CVE-2022-3555 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libX11-6-1.6.5-150000.3.33.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libX11-data-1.6.5-150000.3.33.1 moderate A vulnerability classified as critical was found in Linux Kernel. Affected by this vulnerability is the function l2cap_reassemble_sdu of the file net/bluetooth/l2cap_core.c of the component Bluetooth. The manipulation leads to use after free. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-211087. CVE-2022-3564 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 important A vulnerability, which was classified as problematic, was found in Linux Kernel. This affects the function tcp_getsockopt/tcp_setsockopt of the component TCP Handler. The manipulation leads to race condition. It is recommended to apply a patch to fix this issue. The identifier VDB-211089 was assigned to this vulnerability. CVE-2022-3566 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate Use After Free in GitHub repository vim/vim prior to 9.0.0789. CVE-2022-3591 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:vim-9.1.0330-150000.5.63.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:vim-data-common-9.1.0330-150000.5.63.1 important A vulnerability was found in Linux Kernel. It has been classified as problematic. This affects the function find_prog_by_sec_insn of the file tools/lib/bpf/libbpf.c of the component BPF. The manipulation leads to null pointer dereference. It is recommended to apply a patch to fix this issue. The identifier VDB-211749 was assigned to this vulnerability. CVE-2022-3606 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate Moby is an open-source project created by Docker to enable software containerization. A bug was found in Moby (Docker Engine) where supplementary groups are not set up properly. If an attacker has direct access to a container and manipulates their supplementary group access, they may be able to use supplementary group access to bypass primary group restrictions in some cases, potentially gaining access to sensitive information or gaining the ability to execute code in that container. This bug is fixed in Moby (Docker Engine) 20.10.18. Running containers should be stopped and restarted for the permissions to be fixed. For users unable to upgrade, this problem can be worked around by not using the `"USER $USERNAME"` Dockerfile instruction. Instead by calling `ENTRYPOINT ["su", "-", "user"]` the supplementary groups will be set up properly. CVE-2022-36109 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:docker-25.0.6_ce-150000.203.1 moderate An out-of-bounds(OOB) memory access vulnerability was found in vmwgfx driver in drivers/gpu/vmxgfx/vmxgfx_kms.c in GPU component in the Linux kernel with device file '/dev/dri/renderD128 (or Dxxx)'. This flaw allows a local attacker with a user account on the system to gain privilege, causing a denial of service(DoS). CVE-2022-36280 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate An integer overflow vulnerability was found in vmwgfx driver in drivers/gpu/vmxgfx/vmxgfx_execbuf.c in GPU component of Linux kernel with device file '/dev/dri/renderD128 (or Dxxx)'. This flaw allows a local attacker with a user account on the system to gain privilege, causing a denial of service(DoS). CVE-2022-36402 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate A vulnerability was found in vim and classified as problematic. Affected by this issue is the function qf_update_buffer of the file quickfix.c of the component autocmd Handler. The manipulation leads to use after free. The attack may be launched remotely. Upgrading to version 9.0.0805 is able to address this issue. The name of the patch is d0fab10ed2a86698937e3c3fed2f10bd9bb5e731. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-212324. CVE-2022-3705 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:vim-9.1.0330-150000.5.63.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:vim-data-common-9.1.0330-150000.5.63.1 moderate The Keccak XKCP SHA-3 reference implementation before fdc6fef has an integer overflow and resultant buffer overflow that allows attackers to execute arbitrary code or eliminate expected cryptographic properties. This occurs in the sponge function interface. CVE-2022-37454 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:python3-3.6.15-150300.10.65.2 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:python3-curses-3.6.15-150300.10.65.2 important When rendering certain unicode sequences, grub2's font code doesn't proper validate if the informed glyph's width and height is constrained within bitmap size. As consequence an attacker can craft an input which will lead to a out-of-bounds write into grub2's heap, leading to memory corruption and availability issues. Although complex, arbitrary code execution could not be discarded. CVE-2022-3775 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:grub2-2.04-150300.22.43.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:grub2-i386-pc-2.04-150300.22.43.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:grub2-x86_64-efi-2.04-150300.22.43.1 moderate unknown CVE-2022-37966 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:samba-client-libs-4.15.13+git.710.7032820fcd-150300.3.66.2 important unknown CVE-2022-37967 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:samba-client-libs-4.15.13+git.710.7032820fcd-150300.3.66.2 important unknown CVE-2022-38023 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:samba-client-libs-4.15.13+git.710.7032820fcd-150300.3.66.2 important A NULL pointer dereference vulnerability was found in vmwgfx driver in drivers/gpu/vmxgfx/vmxgfx_execbuf.c in GPU component of Linux kernel with device file '/dev/dri/renderD128 (or Dxxx)'. This flaw allows a local attacker with a user account on the system to gain privilege, causing a denial of service(DoS). CVE-2022-38096 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none. CVE-2022-38126 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:binutils-2.41-150100.7.46.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libctf-nobfd0-2.41-150100.7.46.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libctf0-2.41-150100.7.46.1 moderate DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none. CVE-2022-38127 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:binutils-2.41-150100.7.46.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libctf-nobfd0-2.41-150100.7.46.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libctf0-2.41-150100.7.46.1 moderate An off-by-one Error issue was discovered in Systemd in format_timespan() function of time-util.c. An attacker could supply specific values for time and accuracy that leads to buffer overrun in format_timespan(), leading to a Denial of Service. CVE-2022-3821 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libsystemd0-246.16-150300.7.57.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libudev1-246.16-150300.7.57.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:systemd-246.16-150300.7.57.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:systemd-sysvinit-246.16-150300.7.57.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:udev-246.16-150300.7.57.1 moderate In GNU Binutils before 2.40, there is a heap-buffer-overflow in the error function bfd_getl32 when called from the strip_main function in strip-new via a crafted file. CVE-2022-38533 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:binutils-2.41-150100.7.46.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libctf-nobfd0-2.41-150100.7.46.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libctf0-2.41-150100.7.46.1 moderate Python Packaging Authority (PyPA) setuptools before 65.5.1 allows remote attackers to cause a denial of service via HTML in a crafted package or custom PackageIndex page. There is a Regular Expression Denial of Service (ReDoS) in package_index.py. CVE-2022-40897 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:python3-setuptools-40.5.0-150100.6.6.1 moderate Information exposure through microarchitectural state after transient execution in certain vector execution units for some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access. CVE-2022-40982 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:xen-libs-4.14.6_16-150300.3.75.1 moderate Integer overflow vulnerability in pcre2test before 10.41 allows attackers to cause a denial of service or other unspecified impacts via negative input. CVE-2022-41409 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libpcre2-8-0-10.31-150000.3.15.1 moderate Heap based buffer overflow in vim/vim 9.0.0946 and below by allowing an attacker to CTRL-W gf in the expression used in the RHS of the substitute command. CVE-2022-4141 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:vim-9.1.0330-150000.5.63.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:vim-data-common-9.1.0330-150000.5.63.1 important Xenstore: Guests can crash xenstored Due to a bug in the fix of XSA-115 a malicious guest can cause xenstored to use a wrong pointer during node creation in an error path, resulting in a crash of xenstored or a memory corruption in xenstored causing further damage. Entering the error path can be controlled by the guest e.g. by exceeding the quota value of maximum nodes per domain. CVE-2022-42309 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:xen-libs-4.14.6_16-150300.3.75.1 important Xenstore: Guests can create orphaned Xenstore nodes By creating multiple nodes inside a transaction resulting in an error, a malicious guest can create orphaned nodes in the Xenstore data base, as the cleanup after the error will not remove all nodes already created. When the transaction is committed after this situation, nodes without a valid parent can be made permanent in the data base. CVE-2022-42310 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:xen-libs-4.14.6_16-150300.3.75.1 moderate Xenstore: guests can let run xenstored out of memory T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Malicious guests can cause xenstored to allocate vast amounts of memory, eventually resulting in a Denial of Service (DoS) of xenstored. There are multiple ways how guests can cause large memory allocations in xenstored: - - by issuing new requests to xenstored without reading the responses, causing the responses to be buffered in memory - - by causing large number of watch events to be generated via setting up multiple xenstore watches and then e.g. deleting many xenstore nodes below the watched path - - by creating as many nodes as allowed with the maximum allowed size and path length in as many transactions as possible - - by accessing many nodes inside a transaction CVE-2022-42311 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:xen-libs-4.14.6_16-150300.3.75.1 moderate Xenstore: guests can let run xenstored out of memory T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Malicious guests can cause xenstored to allocate vast amounts of memory, eventually resulting in a Denial of Service (DoS) of xenstored. There are multiple ways how guests can cause large memory allocations in xenstored: - - by issuing new requests to xenstored without reading the responses, causing the responses to be buffered in memory - - by causing large number of watch events to be generated via setting up multiple xenstore watches and then e.g. deleting many xenstore nodes below the watched path - - by creating as many nodes as allowed with the maximum allowed size and path length in as many transactions as possible - - by accessing many nodes inside a transaction CVE-2022-42313 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:xen-libs-4.14.6_16-150300.3.75.1 moderate Xenstore: guests can let run xenstored out of memory T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Malicious guests can cause xenstored to allocate vast amounts of memory, eventually resulting in a Denial of Service (DoS) of xenstored. There are multiple ways how guests can cause large memory allocations in xenstored: - - by issuing new requests to xenstored without reading the responses, causing the responses to be buffered in memory - - by causing large number of watch events to be generated via setting up multiple xenstore watches and then e.g. deleting many xenstore nodes below the watched path - - by creating as many nodes as allowed with the maximum allowed size and path length in as many transactions as possible - - by accessing many nodes inside a transaction CVE-2022-42317 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:xen-libs-4.14.6_16-150300.3.75.1 moderate Xenstore: Guests can cause Xenstore to not free temporary memory When working on a request of a guest, xenstored might need to allocate quite large amounts of memory temporarily. This memory is freed only after the request has been finished completely. A request is regarded to be finished only after the guest has read the response message of the request from the ring page. Thus a guest not reading the response can cause xenstored to not free the temporary memory. This can result in memory shortages causing Denial of Service (DoS) of xenstored. CVE-2022-42319 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:xen-libs-4.14.6_16-150300.3.75.1 moderate Xenstore: Guests can get access to Xenstore nodes of deleted domains Access rights of Xenstore nodes are per domid. When a domain is gone, there might be Xenstore nodes left with access rights containing the domid of the removed domain. This is normally no problem, as those access right entries will be corrected when such a node is written later. There is a small time window when a new domain is created, where the access rights of a past domain with the same domid as the new one will be regarded to be still valid, leading to the new domain being able to get access to a node which was meant to be accessible by the removed domain. For this to happen another domain needs to write the node before the newly created domain is being introduced to Xenstore by dom0. CVE-2022-42320 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:xen-libs-4.14.6_16-150300.3.75.1 important Xenstore: Guests can crash xenstored via exhausting the stack Xenstored is using recursion for some Xenstore operations (e.g. for deleting a sub-tree of Xenstore nodes). With sufficiently deep nesting levels this can result in stack exhaustion on xenstored, leading to a crash of xenstored. CVE-2022-42321 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:xen-libs-4.14.6_16-150300.3.75.1 moderate Xenstore: Cooperating guests can create arbitrary numbers of nodes T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Since the fix of XSA-322 any Xenstore node owned by a removed domain will be modified to be owned by Dom0. This will allow two malicious guests working together to create an arbitrary number of Xenstore nodes. This is possible by domain A letting domain B write into domain A's local Xenstore tree. Domain B can then create many nodes and reboot. The nodes created by domain B will now be owned by Dom0. By repeating this process over and over again an arbitrary number of nodes can be created, as Dom0's number of nodes isn't limited by Xenstore quota. CVE-2022-42322 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:xen-libs-4.14.6_16-150300.3.75.1 moderate Xenstore: Guests can create arbitrary number of nodes via transactions T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] In case a node has been created in a transaction and it is later deleted in the same transaction, the transaction will be terminated with an error. As this error is encountered only when handling the deleted node at transaction finalization, the transaction will have been performed partially and without updating the accounting information. This will enable a malicious guest to create arbitrary number of nodes. CVE-2022-42325 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:xen-libs-4.14.6_16-150300.3.75.1 moderate x86: speculative vulnerability in 32bit SYSCALL path Due to an oversight in the very original Spectre/Meltdown security work (XSA-254), one entrypath performs its speculation-safety actions too late. In some configurations, there is an unprotected RET instruction which can be attacked with a variety of speculative attacks. CVE-2022-42331 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:xen-libs-4.14.6_16-150300.3.75.1 moderate x86 shadow plus log-dirty mode use-after-free In environments where host assisted address translation is necessary but Hardware Assisted Paging (HAP) is unavailable, Xen will run guests in so called shadow mode. Shadow mode maintains a pool of memory used for both shadow page tables as well as auxiliary data structures. To migrate or snapshot guests, Xen additionally runs them in so called log-dirty mode. The data structures needed by the log-dirty tracking are part of aformentioned auxiliary data. In order to keep error handling efforts within reasonable bounds, for operations which may require memory allocations shadow mode logic ensures up front that enough memory is available for the worst case requirements. Unfortunately, while page table memory is properly accounted for on the code path requiring the potential establishing of new shadows, demands by the log-dirty infrastructure were not taken into consideration. As a result, just established shadow page tables could be freed again immediately, while other code is still accessing them on the assumption that they would remain allocated. CVE-2022-42332 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:xen-libs-4.14.6_16-150300.3.75.1 important x86/HVM pinned cache attributes mis-handling T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] To allow cachability control for HVM guests with passed through devices, an interface exists to explicitly override defaults which would otherwise be put in place. While not exposed to the affected guests themselves, the interface specifically exists for domains controlling such guests. This interface may therefore be used by not fully privileged entities, e.g. qemu running deprivileged in Dom0 or qemu running in a so called stub-domain. With this exposure it is an issue that - the number of the such controlled regions was unbounded (CVE-2022-42333), - installation and removal of such regions was not properly serialized (CVE-2022-42334). CVE-2022-42333 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:xen-libs-4.14.6_16-150300.3.75.1 moderate A flaw was found in the Linux kernel Traffic Control (TC) subsystem. Using a specific networking configuration (redirecting egress packets to ingress using TC action "mirred") a local unprivileged user could trigger a CPU soft lockup (ABBA deadlock) when the transport protocol in use (TCP or SCTP) does a retransmission, resulting in a denial of service condition. CVE-2022-4269 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate An illegal memory access flaw was found in the binutils package. Parsing an ELF file containing corrupt symbol version information may result in a denial of service. This issue is the result of an incomplete fix for CVE-2020-16599. CVE-2022-4285 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:binutils-2.41-150100.7.46.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libctf-nobfd0-2.41-150100.7.46.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libctf0-2.41-150100.7.46.1 moderate PAC parsing in MIT Kerberos 5 (aka krb5) before 1.19.4 and 1.20.x before 1.20.1 has integer overflows that may lead to remote code execution (in KDC, kadmind, or a GSS or Kerberos application server) on 32-bit platforms (which have a resultant heap-based buffer overflow), and cause a denial of service on other platforms. This occurs in krb5_pac_parse in lib/krb5/krb/pac.c. Heimdal before 7.7.1 has "a similar bug." CVE-2022-42898 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:krb5-1.19.2-150300.19.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:krb5-client-1.19.2-150300.19.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:samba-client-libs-4.15.13+git.710.7032820fcd-150300.3.66.2 moderate Use After Free in GitHub repository vim/vim prior to 9.0.0882. CVE-2022-4292 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:vim-9.1.0330-150000.5.63.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:vim-data-common-9.1.0330-150000.5.63.1 important Floating Point Comparison with Incorrect Operator in GitHub repository vim/vim prior to 9.0.0804. CVE-2022-4293 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:vim-9.1.0330-150000.5.63.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:vim-data-common-9.1.0330-150000.5.63.1 moderate The py library through 1.11.0 for Python allows remote attackers to conduct a ReDoS (Regular expression Denial of Service) attack via a Subversion repository with crafted info data, because the InfoSvnCommand argument is mishandled. Note: This has been disputed by multiple third parties as not being reproduceable and they argue this is not a valid vulnerability. CVE-2022-42969 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:python3-py-1.10.0-150100.5.12.1 moderate A timing based side channel exists in the OpenSSL RSA Decryption implementation which could be sufficient to recover a plaintext across a network in a Bleichenbacher style attack. To achieve a successful decryption an attacker would have to be able to send a very large number of trial messages for decryption. The vulnerability affects all RSA padding modes: PKCS#1 v1.5, RSA-OEAP and RSASVE. For example, in a TLS connection, RSA is commonly used by a client to send an encrypted pre-master secret to the server. An attacker that had observed a genuine connection between a client and a server could use this flaw to send trial messages to the server and record the time taken to process them. After a sufficiently large number of messages the attacker could recover the pre-master secret used for the original connection and thus be able to decrypt the application data sent over that connection. CVE-2022-4304 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libopenssl1_1-1.1.1d-150200.11.91.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:openssl-1_1-1.1.1d-150200.11.91.1 moderate A use after free vulnerability exists in curl <7.87.0. Curl can be asked to *tunnel* virtually all protocols it supports through an HTTP proxy. HTTP proxies can (and often do) deny such tunnel operations. When getting denied to tunnel the specific protocols SMB or TELNET, curl would use a heap-allocated struct after it had been freed, in its transfer shutdown code path. CVE-2022-43552 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:curl-7.66.0-150200.4.72.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libcurl4-7.66.0-150200.4.72.1 moderate The Linux kernel NFSD implementation prior to versions 5.19.17 and 6.0.2 are vulnerable to buffer overflow. NFSD tracks the number of pages held by each NFSD thread by combining the receive and send buffers of a remote procedure call (RPC) into a single array of pages. A client can force the send buffer to shrink by sending an RPC message over TCP with garbage data added at the end of the message. The RPC message with garbage data is still correctly formed according to the specification and is passed forward to handlers. Vulnerable code in NFSD is not expecting the oversized request and writes beyond the allocated buffer space. CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2022-43945 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 important Sudo 1.8.0 through 1.9.12, with the crypt() password backend, contains a plugins/sudoers/auth/passwd.c array-out-of-bounds error that can result in a heap-based buffer over-read. This can be triggered by arbitrary local users with access to Sudo by entering a password of seven characters or fewer. The impact could vary depending on the system libraries, compiler, and processor architecture. CVE-2022-43995 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:sudo-1.9.5p2-150300.3.33.1 important A vulnerability was found in systemd. This security flaw can cause a local information leak due to systemd-coredump not respecting the fs.suid_dumpable kernel setting. CVE-2022-4415 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libsystemd0-246.16-150300.7.57.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libudev1-246.16-150300.7.57.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:systemd-246.16-150300.7.57.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:systemd-sysvinit-246.16-150300.7.57.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:udev-246.16-150300.7.57.1 moderate The function PEM_read_bio_ex() reads a PEM file from a BIO and parses and decodes the "name" (e.g. "CERTIFICATE"), any header data and the payload data. If the function succeeds then the "name_out", "header" and "data" arguments are populated with pointers to buffers containing the relevant decoded data. The caller is responsible for freeing those buffers. It is possible to construct a PEM file that results in 0 bytes of payload data. In this case PEM_read_bio_ex() will return a failure code but will populate the header argument with a pointer to a buffer that has already been freed. If the caller also frees this buffer then a double free will occur. This will most likely lead to a crash. This could be exploited by an attacker who has the ability to supply malicious PEM files for parsing to achieve a denial of service attack. The functions PEM_read_bio() and PEM_read() are simple wrappers around PEM_read_bio_ex() and therefore these functions are also directly affected. These functions are also called indirectly by a number of other OpenSSL functions including PEM_X509_INFO_read_bio_ex() and SSL_CTX_use_serverinfo_file() which are also vulnerable. Some OpenSSL internal uses of these functions are not vulnerable because the caller does not free the header argument if PEM_read_bio_ex() returns a failure code. These locations include the PEM_read_bio_TYPE() functions as well as the decoders introduced in OpenSSL 3.0. The OpenSSL asn1parse command line application is also impacted by this issue. CVE-2022-4450 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libopenssl1_1-1.1.1d-150200.11.91.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:openssl-1_1-1.1.1d-150200.11.91.1 moderate Heap buffer overflow vulnerability in binutils readelf before 2.40 via function find_section_in_set in file readelf.c. CVE-2022-44840 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:binutils-2.41-150100.7.46.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libctf-nobfd0-2.41-150100.7.46.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libctf0-2.41-150100.7.46.1 important An issue was discovered in Python before 3.11.1. An unnecessary quadratic algorithm exists in one path when processing some inputs to the IDNA (RFC 3490) decoder, such that a crafted, unreasonably long name being presented to the decoder could lead to a CPU denial of service. Hostnames are often supplied by remote servers that could be controlled by a malicious actor; in such a scenario, they could trigger excessive CPU consumption on the client attempting to make use of an attacker-supplied supposed hostname. For example, the attack payload could be placed in the Location header of an HTTP response with status code 302. A fix is planned in 3.11.1, 3.10.9, 3.9.16, 3.8.16, and 3.7.16. CVE-2022-45061 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:python3-3.6.15-150300.10.65.2 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:python3-curses-3.6.15-150300.10.65.2 moderate A Cleartext Storage of Sensitive Information vulnerability in suppportutils of SUSE Linux Enterprise Server 12, SUSE Linux Enterprise Server 15, SUSE Linux Enterprise Server 15 SP3 allows attackers that get access to the support logs to gain knowledge of the stored credentials This issue affects: SUSE Linux Enterprise Server 12 supportutils version 3.0.10-95.51.1CWE-312: Cleartext Storage of Sensitive Information and prior versions. SUSE Linux Enterprise Server 15 supportutils version 3.1.21-150000.5.44.1 and prior versions. SUSE Linux Enterprise Server 15 SP3 supportutils version 3.1.21-150300.7.35.15.1 and prior versions. CVE-2022-45154 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:supportutils-3.1.30-150300.7.35.30.1 moderate Heap buffer overflow vulnerability in binutils readelf before 2.40 via function display_debug_section in file readelf.c. CVE-2022-45703 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:binutils-2.41-150100.7.46.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libctf-nobfd0-2.41-150100.7.46.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libctf0-2.41-150100.7.46.1 important An issue was discovered in the Linux kernel through 6.0.9. drivers/media/dvb-core/dvbdev.c has a use-after-free, related to dvb_register_device dynamically allocating fops. CVE-2022-45884 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate An issue was discovered in the Linux kernel through 6.0.9. drivers/media/dvb-core/dvb_frontend.c has a race condition that can cause a use-after-free when a device is disconnected. CVE-2022-45885 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate An issue was discovered in the Linux kernel through 6.0.9. drivers/media/dvb-core/dvb_net.c has a .disconnect versus dvb_device_open race condition that leads to a use-after-free. CVE-2022-45886 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate An issue was discovered in the Linux kernel through 6.0.9. drivers/media/usb/ttusb-dec/ttusb_dec.c has a memory leak because of the lack of a dvb_frontend_detach call. CVE-2022-45887 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate An issue was discovered in the Linux kernel through 6.0.10. In drivers/media/dvb-core/dvb_ca_en50221.c, a use-after-free can occur is there is a disconnect after an open, because of the lack of a wait_event. CVE-2022-45919 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 important A flaw incorrect access control in the Linux kernel USB core subsystem was found in the way user attaches usb device. A local user could use this flaw to crash the system. CVE-2022-4662 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate SQLite through 3.40.0, when relying on --safe for execution of an untrusted CLI script, does not properly implement the azProhibitedFunctions protection mechanism, and instead allows UDF functions such as WRITEFILE. CVE-2022-46908 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libsqlite3-0-3.44.0-150000.3.23.1 important A double-free flaw was found in the Linux kernel's TUN/TAP device driver functionality in how a user registers the device when the register_netdevice function fails (NETDEV_REGISTER notifier). This flaw allows a local user to crash or potentially escalate their privileges on the system. CVE-2022-4744 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 important An issue was discovered in the Linux kernel before 6.0.11. Missing offset validation in drivers/net/wireless/microchip/wilc1000/hif.c in the WILC1000 wireless driver can trigger an out-of-bounds read when parsing a Robust Security Network (RSN) information element from a Netlink packet. CVE-2022-47520 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 important Libksba before 1.6.3 is prone to an integer overflow vulnerability in the CRL signature parser. CVE-2022-47629 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libksba8-1.3.5-150000.4.6.1 important An issue was discovered in Binutils addr2line before 2.39.3, function parse_module contains multiple out of bound reads which may cause a denial of service or other unspecified impacts. CVE-2022-47673 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:binutils-2.41-150100.7.46.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libctf-nobfd0-2.41-150100.7.46.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libctf0-2.41-150100.7.46.1 important An issue was discovered Binutils objdump before 2.39.3 allows attackers to cause a denial of service or other unspecified impacts via function bfd_mach_o_get_synthetic_symtab in match-o.c. CVE-2022-47695 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:binutils-2.41-150100.7.46.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libctf-nobfd0-2.41-150100.7.46.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libctf0-2.41-150100.7.46.1 important An issue was discovered Binutils objdump before 2.39.3 allows attackers to cause a denial of service or other unspecified impacts via function compare_symbols. CVE-2022-47696 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:binutils-2.41-150100.7.46.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libctf-nobfd0-2.41-150100.7.46.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libctf0-2.41-150100.7.46.1 important In the Linux kernel before 6.1.6, a NULL pointer dereference bug in the traffic control subsystem allows an unprivileged user to trigger a denial of service (system crash) via a crafted traffic control configuration that is set up with "tc qdisc" and "tc class" commands. This affects qdisc_graft in net/sched/sch_api.c. CVE-2022-47929 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate GNU Binutils before 2.40 was discovered to contain an excessive memory consumption vulnerability via the function load_separate_debug_files at dwarf2.c. The attacker could supply a crafted ELF file and cause a DNS attack. CVE-2022-48063 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:binutils-2.41-150100.7.46.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libctf-nobfd0-2.41-150100.7.46.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libctf0-2.41-150100.7.46.1 moderate GNU Binutils before 2.40 was discovered to contain an excessive memory consumption vulnerability via the function bfd_dwarf2_find_nearest_line_with_alt at dwarf2.c. The attacker could supply a crafted ELF file and cause a DNS attack. CVE-2022-48064 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:binutils-2.41-150100.7.46.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libctf-nobfd0-2.41-150100.7.46.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libctf0-2.41-150100.7.46.1 low GNU Binutils before 2.40 was discovered to contain a memory leak vulnerability var the function find_abstract_instance in dwarf2.c. CVE-2022-48065 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:binutils-2.41-150100.7.46.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libctf-nobfd0-2.41-150100.7.46.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libctf0-2.41-150100.7.46.1 moderate GNU Tar through 1.34 has a one-byte out-of-bounds read that results in use of uninitialized memory for a conditional jump. Exploitation to change the flow of control has not been demonstrated. The issue occurs in from_header in list.c via a V7 archive in which mtime has approximately 11 whitespace characters. CVE-2022-48303 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:tar-1.34-150000.3.34.1 moderate close_altfile in filename.c in less before 606 omits shell_quote calls for LESSCLOSE. CVE-2022-48624 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:less-530-150000.3.9.1 important In the Linux kernel, the following vulnerability has been resolved: vt: fix memory overlapping when deleting chars in the buffer A memory overlapping copy occurs when deleting a long line. This memory overlapping copy can cause data corruption when scr_memcpyw is optimized to memcpy because memcpy does not ensure its behavior if the destination buffer overlaps with the source buffer. The line buffer is not always broken, because the memcpy utilizes the hardware acceleration, whose result is not deterministic. Fix this problem by using replacing the scr_memcpyw with scr_memmovew. CVE-2022-48627 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: ext4: fix bug in extents parsing when eh_entries == 0 and eh_depth > 0 When walking through an inode extents, the ext4_ext_binsearch_idx() function assumes that the extent header has been previously validated. However, there are no checks that verify that the number of entries (eh->eh_entries) is non-zero when depth is > 0. And this will lead to problems because the EXT_FIRST_INDEX() and EXT_LAST_INDEX() will return garbage and result in this: [ 135.245946] ------------[ cut here ]------------ [ 135.247579] kernel BUG at fs/ext4/extents.c:2258! [ 135.249045] invalid opcode: 0000 [#1] PREEMPT SMP [ 135.250320] CPU: 2 PID: 238 Comm: tmp118 Not tainted 5.19.0-rc8+ #4 [ 135.252067] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.15.0-0-g2dd4b9b-rebuilt.opensuse.org 04/01/2014 [ 135.255065] RIP: 0010:ext4_ext_map_blocks+0xc20/0xcb0 [ 135.256475] Code: [ 135.261433] RSP: 0018:ffffc900005939f8 EFLAGS: 00010246 [ 135.262847] RAX: 0000000000000024 RBX: ffffc90000593b70 RCX: 0000000000000023 [ 135.264765] RDX: ffff8880038e5f10 RSI: 0000000000000003 RDI: ffff8880046e922c [ 135.266670] RBP: ffff8880046e9348 R08: 0000000000000001 R09: ffff888002ca580c [ 135.268576] R10: 0000000000002602 R11: 0000000000000000 R12: 0000000000000024 [ 135.270477] R13: 0000000000000000 R14: 0000000000000024 R15: 0000000000000000 [ 135.272394] FS: 00007fdabdc56740(0000) GS:ffff88807dd00000(0000) knlGS:0000000000000000 [ 135.274510] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 135.276075] CR2: 00007ffc26bd4f00 CR3: 0000000006261004 CR4: 0000000000170ea0 [ 135.277952] Call Trace: [ 135.278635] <TASK> [ 135.279247] ? preempt_count_add+0x6d/0xa0 [ 135.280358] ? percpu_counter_add_batch+0x55/0xb0 [ 135.281612] ? _raw_read_unlock+0x18/0x30 [ 135.282704] ext4_map_blocks+0x294/0x5a0 [ 135.283745] ? xa_load+0x6f/0xa0 [ 135.284562] ext4_mpage_readpages+0x3d6/0x770 [ 135.285646] read_pages+0x67/0x1d0 [ 135.286492] ? folio_add_lru+0x51/0x80 [ 135.287441] page_cache_ra_unbounded+0x124/0x170 [ 135.288510] filemap_get_pages+0x23d/0x5a0 [ 135.289457] ? path_openat+0xa72/0xdd0 [ 135.290332] filemap_read+0xbf/0x300 [ 135.291158] ? _raw_spin_lock_irqsave+0x17/0x40 [ 135.292192] new_sync_read+0x103/0x170 [ 135.293014] vfs_read+0x15d/0x180 [ 135.293745] ksys_read+0xa1/0xe0 [ 135.294461] do_syscall_64+0x3c/0x80 [ 135.295284] entry_SYSCALL_64_after_hwframe+0x46/0xb0 This patch simply adds an extra check in __ext4_ext_check(), verifying that eh_entries is not 0 when eh_depth is > 0. CVE-2022-48631 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: s390/dasd: fix Oops in dasd_alias_get_start_dev due to missing pavgroup Fix Oops in dasd_alias_get_start_dev() function caused by the pavgroup pointer being NULL. The pavgroup pointer is checked on the entrance of the function but without the lcu->lock being held. Therefore there is a race window between dasd_alias_get_start_dev() and _lcu_update() which sets pavgroup to NULL with the lcu->lock held. Fix by checking the pavgroup pointer with lcu->lock held. CVE-2022-48636 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: cgroup: cgroup_get_from_id() must check the looked-up kn is a directory cgroup has to be one kernfs dir, otherwise kernel panic is caused, especially cgroup id is provide from userspace. CVE-2022-48638 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: scsi: qla2xxx: Fix memory leak in __qlt_24xx_handle_abts() Commit 8f394da36a36 ("scsi: qla2xxx: Drop TARGET_SCF_LOOKUP_LUN_FROM_TAG") made the __qlt_24xx_handle_abts() function return early if tcm_qla2xxx_find_cmd_by_tag() didn't find a command, but it missed to clean up the allocated memory for the management command. CVE-2022-48650 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: ipvlan: Fix out-of-bound bugs caused by unset skb->mac_header If an AF_PACKET socket is used to send packets through ipvlan and the default xmit function of the AF_PACKET socket is changed from dev_queue_xmit() to packet_direct_xmit() via setsockopt() with the option name of PACKET_QDISC_BYPASS, the skb->mac_header may not be reset and remains as the initial value of 65535, this may trigger slab-out-of-bounds bugs as following: ================================================================= UG: KASAN: slab-out-of-bounds in ipvlan_xmit_mode_l2+0xdb/0x330 [ipvlan] PU: 2 PID: 1768 Comm: raw_send Kdump: loaded Not tainted 6.0.0-rc4+ #6 ardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-1.fc33 all Trace: print_address_description.constprop.0+0x1d/0x160 print_report.cold+0x4f/0x112 kasan_report+0xa3/0x130 ipvlan_xmit_mode_l2+0xdb/0x330 [ipvlan] ipvlan_start_xmit+0x29/0xa0 [ipvlan] __dev_direct_xmit+0x2e2/0x380 packet_direct_xmit+0x22/0x60 packet_snd+0x7c9/0xc40 sock_sendmsg+0x9a/0xa0 __sys_sendto+0x18a/0x230 __x64_sys_sendto+0x74/0x90 do_syscall_64+0x3b/0x90 entry_SYSCALL_64_after_hwframe+0x63/0xcd The root cause is: 1. packet_snd() only reset skb->mac_header when sock->type is SOCK_RAW and skb->protocol is not specified as in packet_parse_headers() 2. packet_direct_xmit() doesn't reset skb->mac_header as dev_queue_xmit() In this case, skb->mac_header is 65535 when ipvlan_xmit_mode_l2() is called. So when ipvlan_xmit_mode_l2() gets mac header with eth_hdr() which use "skb->head + skb->mac_header", out-of-bound access occurs. This patch replaces eth_hdr() with skb_eth_hdr() in ipvlan_xmit_mode_l2() and reset mac header in multicast to solve this out-of-bound bug. CVE-2022-48651 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 important In the Linux kernel, the following vulnerability has been resolved: netfilter: nfnetlink_osf: fix possible bogus match in nf_osf_find() nf_osf_find() incorrectly returns true on mismatch, this leads to copying uninitialized memory area in nft_osf which can be used to leak stale kernel stack data to userspace. CVE-2022-48654 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 low In the Linux kernel, the following vulnerability has been resolved: of: fdt: fix off-by-one error in unflatten_dt_nodes() Commit 78c44d910d3e ("drivers/of: Fix depth when unflattening devicetree") forgot to fix up the depth check in the loop body in unflatten_dt_nodes() which makes it possible to overflow the nps[] buffer... Found by Linux Verification Center (linuxtesting.org) with the SVACE static analysis tool. CVE-2022-48672 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: net/smc: Fix possible access to freed memory in link clear After modifying the QP to the Error state, all RX WR would be completed with WC in IB_WC_WR_FLUSH_ERR status. Current implementation does not wait for it is done, but destroy the QP and free the link group directly. So there is a risk that accessing the freed memory in tasklet context. Here is a crash example: BUG: unable to handle page fault for address: ffffffff8f220860 #PF: supervisor write access in kernel mode #PF: error_code(0x0002) - not-present page PGD f7300e067 P4D f7300e067 PUD f7300f063 PMD 8c4e45063 PTE 800ffff08c9df060 Oops: 0002 [#1] SMP PTI CPU: 1 PID: 0 Comm: swapper/1 Kdump: loaded Tainted: G S OE 5.10.0-0607+ #23 Hardware name: Inspur NF5280M4/YZMB-00689-101, BIOS 4.1.20 07/09/2018 RIP: 0010:native_queued_spin_lock_slowpath+0x176/0x1b0 Code: f3 90 48 8b 32 48 85 f6 74 f6 eb d5 c1 ee 12 83 e0 03 83 ee 01 48 c1 e0 05 48 63 f6 48 05 00 c8 02 00 48 03 04 f5 00 09 98 8e <48> 89 10 8b 42 08 85 c0 75 09 f3 90 8b 42 08 85 c0 74 f7 48 8b 32 RSP: 0018:ffffb3b6c001ebd8 EFLAGS: 00010086 RAX: ffffffff8f220860 RBX: 0000000000000246 RCX: 0000000000080000 RDX: ffff91db1f86c800 RSI: 000000000000173c RDI: ffff91db62bace00 RBP: ffff91db62bacc00 R08: 0000000000000000 R09: c00000010000028b R10: 0000000000055198 R11: ffffb3b6c001ea58 R12: ffff91db80e05010 R13: 000000000000000a R14: 0000000000000006 R15: 0000000000000040 FS: 0000000000000000(0000) GS:ffff91db1f840000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: ffffffff8f220860 CR3: 00000001f9580004 CR4: 00000000003706e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <IRQ> _raw_spin_lock_irqsave+0x30/0x40 mlx5_ib_poll_cq+0x4c/0xc50 [mlx5_ib] smc_wr_rx_tasklet_fn+0x56/0xa0 [smc] tasklet_action_common.isra.21+0x66/0x100 __do_softirq+0xd5/0x29c asm_call_irq_on_stack+0x12/0x20 </IRQ> do_softirq_own_stack+0x37/0x40 irq_exit_rcu+0x9d/0xa0 sysvec_call_function_single+0x34/0x80 asm_sysvec_call_function_single+0x12/0x20 CVE-2022-48673 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: nvme-tcp: fix UAF when detecting digest errors We should also bail from the io_work loop when we set rd_enabled to true, so we don't attempt to read data from the socket when the TCP stream is already out-of-sync or corrupted. CVE-2022-48686 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 important In the Linux kernel, the following vulnerability has been resolved: soc: brcmstb: pm-arm: Fix refcount leak and __iomem leak bugs In brcmstb_pm_probe(), there are two kinds of leak bugs: (1) we need to add of_node_put() when for_each__matching_node() breaks (2) we need to add iounmap() for each iomap in fail path CVE-2022-48693 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: scsi: mpt3sas: Fix use-after-free warning Fix the following use-after-free warning which is observed during controller reset: refcount_t: underflow; use-after-free. WARNING: CPU: 23 PID: 5399 at lib/refcount.c:28 refcount_warn_saturate+0xa6/0xf0 CVE-2022-48695 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-audio: Fix an out-of-bounds bug in __snd_usb_parse_audio_interface() There may be a bad USB audio device with a USB ID of (0x04fa, 0x4201) and the number of it's interfaces less than 4, an out-of-bounds read bug occurs when parsing the interface descriptor for this device. Fix this by checking the number of interfaces. CVE-2022-48701 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 low In the Linux kernel, the following vulnerability has been resolved: ALSA: emu10k1: Fix out of bounds access in snd_emu10k1_pcm_channel_alloc() The voice allocator sometimes begins allocating from near the end of the array and then wraps around, however snd_emu10k1_pcm_channel_alloc() accesses the newly allocated voices as if it never wrapped around. This results in out of bounds access if the first voice has a high enough index so that first_voice + requested_voice_count > NUM_G (64). The more voices are requested, the more likely it is for this to occur. This was initially discovered using PipeWire, however it can be reproduced by calling aplay multiple times with 16 channels: aplay -r 48000 -D plughw:CARD=Live,DEV=3 -c 16 /dev/zero UBSAN: array-index-out-of-bounds in sound/pci/emu10k1/emupcm.c:127:40 index 65 is out of range for type 'snd_emu10k1_voice [64]' CPU: 1 PID: 31977 Comm: aplay Tainted: G W IOE 6.0.0-rc2-emu10k1+ #7 Hardware name: ASUSTEK COMPUTER INC P5W DH Deluxe/P5W DH Deluxe, BIOS 3002 07/22/2010 Call Trace: <TASK> dump_stack_lvl+0x49/0x63 dump_stack+0x10/0x16 ubsan_epilogue+0x9/0x3f __ubsan_handle_out_of_bounds.cold+0x44/0x49 snd_emu10k1_playback_hw_params+0x3bc/0x420 [snd_emu10k1] snd_pcm_hw_params+0x29f/0x600 [snd_pcm] snd_pcm_common_ioctl+0x188/0x1410 [snd_pcm] ? exit_to_user_mode_prepare+0x35/0x170 ? do_syscall_64+0x69/0x90 ? syscall_exit_to_user_mode+0x26/0x50 ? do_syscall_64+0x69/0x90 ? exit_to_user_mode_prepare+0x35/0x170 snd_pcm_ioctl+0x27/0x40 [snd_pcm] __x64_sys_ioctl+0x95/0xd0 do_syscall_64+0x5c/0x90 ? do_syscall_64+0x69/0x90 ? do_syscall_64+0x69/0x90 entry_SYSCALL_64_after_hwframe+0x63/0xcd CVE-2022-48702 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/radeon: add a force flush to delay work when radeon Although radeon card fence and wait for gpu to finish processing current batch rings, there is still a corner case that radeon lockup work queue may not be fully flushed, and meanwhile the radeon_suspend_kms() function has called pci_set_power_state() to put device in D3hot state. Per PCI spec rev 4.0 on 5.3.1.4.1 D3hot State. > Configuration and Message requests are the only TLPs accepted by a Function in > the D3hot state. All other received Requests must be handled as Unsupported Requests, > and all received Completions may optionally be handled as Unexpected Completions. This issue will happen in following logs: Unable to handle kernel paging request at virtual address 00008800e0008010 CPU 0 kworker/0:3(131): Oops 0 pc = [<ffffffff811bea5c>] ra = [<ffffffff81240844>] ps = 0000 Tainted: G W pc is at si_gpu_check_soft_reset+0x3c/0x240 ra is at si_dma_is_lockup+0x34/0xd0 v0 = 0000000000000000 t0 = fff08800e0008010 t1 = 0000000000010000 t2 = 0000000000008010 t3 = fff00007e3c00000 t4 = fff00007e3c00258 t5 = 000000000000ffff t6 = 0000000000000001 t7 = fff00007ef078000 s0 = fff00007e3c016e8 s1 = fff00007e3c00000 s2 = fff00007e3c00018 s3 = fff00007e3c00000 s4 = fff00007fff59d80 s5 = 0000000000000000 s6 = fff00007ef07bd98 a0 = fff00007e3c00000 a1 = fff00007e3c016e8 a2 = 0000000000000008 a3 = 0000000000000001 a4 = 8f5c28f5c28f5c29 a5 = ffffffff810f4338 t8 = 0000000000000275 t9 = ffffffff809b66f8 t10 = ff6769c5d964b800 t11= 000000000000b886 pv = ffffffff811bea20 at = 0000000000000000 gp = ffffffff81d89690 sp = 00000000aa814126 Disabling lock debugging due to kernel taint Trace: [<ffffffff81240844>] si_dma_is_lockup+0x34/0xd0 [<ffffffff81119610>] radeon_fence_check_lockup+0xd0/0x290 [<ffffffff80977010>] process_one_work+0x280/0x550 [<ffffffff80977350>] worker_thread+0x70/0x7c0 [<ffffffff80977410>] worker_thread+0x130/0x7c0 [<ffffffff80982040>] kthread+0x200/0x210 [<ffffffff809772e0>] worker_thread+0x0/0x7c0 [<ffffffff80981f8c>] kthread+0x14c/0x210 [<ffffffff80911658>] ret_from_kernel_thread+0x18/0x20 [<ffffffff80981e40>] kthread+0x0/0x210 Code: ad3e0008 43f0074a ad7e0018 ad9e0020 8c3001e8 40230101 <88210000> 4821ed21 So force lockup work queue flush to fix this problem. CVE-2022-48704 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/radeon: fix a possible null pointer dereference In radeon_fp_native_mode(), the return value of drm_mode_duplicate() is assigned to mode, which will lead to a NULL pointer dereference on failure of drm_mode_duplicate(). Add a check to avoid npd. The failure status of drm_cvt_mode() on the other path is checked too. CVE-2022-48710 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: scsi: bnx2fc: Make bnx2fc_recv_frame() mp safe Running tests with a debug kernel shows that bnx2fc_recv_frame() is modifying the per_cpu lport stats counters in a non-mpsafe way. Just boot a debug kernel and run the bnx2fc driver with the hardware enabled. [ 1391.699147] BUG: using smp_processor_id() in preemptible [00000000] code: bnx2fc_ [ 1391.699160] caller is bnx2fc_recv_frame+0xbf9/0x1760 [bnx2fc] [ 1391.699174] CPU: 2 PID: 4355 Comm: bnx2fc_l2_threa Kdump: loaded Tainted: G B [ 1391.699180] Hardware name: HP ProLiant DL120 G7, BIOS J01 07/01/2013 [ 1391.699183] Call Trace: [ 1391.699188] dump_stack_lvl+0x57/0x7d [ 1391.699198] check_preemption_disabled+0xc8/0xd0 [ 1391.699205] bnx2fc_recv_frame+0xbf9/0x1760 [bnx2fc] [ 1391.699215] ? do_raw_spin_trylock+0xb5/0x180 [ 1391.699221] ? bnx2fc_npiv_create_vports.isra.0+0x4e0/0x4e0 [bnx2fc] [ 1391.699229] ? bnx2fc_l2_rcv_thread+0xb7/0x3a0 [bnx2fc] [ 1391.699240] bnx2fc_l2_rcv_thread+0x1af/0x3a0 [bnx2fc] [ 1391.699250] ? bnx2fc_ulp_init+0xc0/0xc0 [bnx2fc] [ 1391.699258] kthread+0x364/0x420 [ 1391.699263] ? _raw_spin_unlock_irq+0x24/0x50 [ 1391.699268] ? set_kthread_struct+0x100/0x100 [ 1391.699273] ret_from_fork+0x22/0x30 Restore the old get_cpu/put_cpu code with some modifications to reduce the size of the critical section. CVE-2022-48715 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 low In the Linux kernel, the following vulnerability has been resolved: ASoC: max9759: fix underflow in speaker_gain_control_put() Check for negative values of "priv->gain" to prevent an out of bounds access. The concern is that these might come from the user via: -> snd_ctl_elem_write_user() -> snd_ctl_elem_write() -> kctl->put() CVE-2022-48717 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: net: ieee802154: ca8210: Stop leaking skb's Upon error the ieee802154_xmit_complete() helper is not called. Only ieee802154_wake_queue() is called manually. We then leak the skb structure. Free the skb structure upon error before returning. CVE-2022-48722 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: iommu/vt-d: Fix potential memory leak in intel_setup_irq_remapping() After commit e3beca48a45b ("irqdomain/treewide: Keep firmware node unconditionally allocated"). For tear down scenario, fn is only freed after fail to allocate ir_domain, though it also should be freed in case dmar_enable_qi returns error. Besides free fn, irq_domain and ir_msi_domain need to be removed as well if intel_setup_irq_remapping fails to enable queued invalidation. Improve the rewinding path by add out_free_ir_domain and out_free_fwnode lables per Baolu's suggestion. CVE-2022-48724 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: RDMA/ucma: Protect mc during concurrent multicast leaves Partially revert the commit mentioned in the Fixes line to make sure that allocation and erasing multicast struct are locked. BUG: KASAN: use-after-free in ucma_cleanup_multicast drivers/infiniband/core/ucma.c:491 [inline] BUG: KASAN: use-after-free in ucma_destroy_private_ctx+0x914/0xb70 drivers/infiniband/core/ucma.c:579 Read of size 8 at addr ffff88801bb74b00 by task syz-executor.1/25529 CPU: 0 PID: 25529 Comm: syz-executor.1 Not tainted 5.16.0-rc7-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106 print_address_description.constprop.0.cold+0x8d/0x320 mm/kasan/report.c:247 __kasan_report mm/kasan/report.c:433 [inline] kasan_report.cold+0x83/0xdf mm/kasan/report.c:450 ucma_cleanup_multicast drivers/infiniband/core/ucma.c:491 [inline] ucma_destroy_private_ctx+0x914/0xb70 drivers/infiniband/core/ucma.c:579 ucma_destroy_id+0x1e6/0x280 drivers/infiniband/core/ucma.c:614 ucma_write+0x25c/0x350 drivers/infiniband/core/ucma.c:1732 vfs_write+0x28e/0xae0 fs/read_write.c:588 ksys_write+0x1ee/0x250 fs/read_write.c:643 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x44/0xae Currently the xarray search can touch a concurrently freeing mc as the xa_for_each() is not surrounded by any lock. Rather than hold the lock for a full scan hold it only for the effected items, which is usually an empty list. CVE-2022-48726 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: IB/hfi1: Fix AIP early init panic An early failure in hfi1_ipoib_setup_rn() can lead to the following panic: BUG: unable to handle kernel NULL pointer dereference at 00000000000001b0 PGD 0 P4D 0 Oops: 0002 [#1] SMP NOPTI Workqueue: events work_for_cpu_fn RIP: 0010:try_to_grab_pending+0x2b/0x140 Code: 1f 44 00 00 41 55 41 54 55 48 89 d5 53 48 89 fb 9c 58 0f 1f 44 00 00 48 89 c2 fa 66 0f 1f 44 00 00 48 89 55 00 40 84 f6 75 77 <f0> 48 0f ba 2b 00 72 09 31 c0 5b 5d 41 5c 41 5d c3 48 89 df e8 6c RSP: 0018:ffffb6b3cf7cfa48 EFLAGS: 00010046 RAX: 0000000000000246 RBX: 00000000000001b0 RCX: 0000000000000000 RDX: 0000000000000246 RSI: 0000000000000000 RDI: 00000000000001b0 RBP: ffffb6b3cf7cfa70 R08: 0000000000000f09 R09: 0000000000000001 R10: 0000000000000000 R11: 0000000000000001 R12: 0000000000000000 R13: ffffb6b3cf7cfa90 R14: ffffffff9b2fbfc0 R15: ffff8a4fdf244690 FS: 0000000000000000(0000) GS:ffff8a527f400000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00000000000001b0 CR3: 00000017e2410003 CR4: 00000000007706f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 PKRU: 55555554 Call Trace: __cancel_work_timer+0x42/0x190 ? dev_printk_emit+0x4e/0x70 iowait_cancel_work+0x15/0x30 [hfi1] hfi1_ipoib_txreq_deinit+0x5a/0x220 [hfi1] ? dev_err+0x6c/0x90 hfi1_ipoib_netdev_dtor+0x15/0x30 [hfi1] hfi1_ipoib_setup_rn+0x10e/0x150 [hfi1] rdma_init_netdev+0x5a/0x80 [ib_core] ? hfi1_ipoib_free_rdma_netdev+0x20/0x20 [hfi1] ipoib_intf_init+0x6c/0x350 [ib_ipoib] ipoib_intf_alloc+0x5c/0xc0 [ib_ipoib] ipoib_add_one+0xbe/0x300 [ib_ipoib] add_client_context+0x12c/0x1a0 [ib_core] enable_device_and_get+0xdc/0x1d0 [ib_core] ib_register_device+0x572/0x6b0 [ib_core] rvt_register_device+0x11b/0x220 [rdmavt] hfi1_register_ib_device+0x6b4/0x770 [hfi1] do_init_one.isra.20+0x3e3/0x680 [hfi1] local_pci_probe+0x41/0x90 work_for_cpu_fn+0x16/0x20 process_one_work+0x1a7/0x360 ? create_worker+0x1a0/0x1a0 worker_thread+0x1cf/0x390 ? create_worker+0x1a0/0x1a0 kthread+0x116/0x130 ? kthread_flush_work_fn+0x10/0x10 ret_from_fork+0x1f/0x40 The panic happens in hfi1_ipoib_txreq_deinit() because there is a NULL deref when hfi1_ipoib_netdev_dtor() is called in this error case. hfi1_ipoib_txreq_init() and hfi1_ipoib_rxq_init() are self unwinding so fix by adjusting the error paths accordingly. Other changes: - hfi1_ipoib_free_rdma_netdev() is deleted including the free_netdev() since the netdev core code deletes calls free_netdev() - The switch to the accelerated entrances is moved to the success path. CVE-2022-48728 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: dma-buf: heaps: Fix potential spectre v1 gadget It appears like nr could be a Spectre v1 gadget as it's supplied by a user and used as an array index. Prevent the contents of kernel memory from being leaked to userspace via speculative execution by using array_index_nospec. [sumits: added fixes and cc: stable tags] CVE-2022-48730 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/nouveau: fix off by one in BIOS boundary checking Bounds checking when parsing init scripts embedded in the BIOS reject access to the last byte. This causes driver initialization to fail on Apple eMac's with GeForce 2 MX GPUs, leaving the system with no working console. This is probably only seen on OpenFirmware machines like PowerPC Macs because the BIOS image provided by OF is only the used parts of the ROM, not a power-of-two blocks read from PCI directly so PCs always have empty bytes at the end that are never accessed. CVE-2022-48732 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. CVE-2022-48736 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 low This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. CVE-2022-48737 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 low In the Linux kernel, the following vulnerability has been resolved: ASoC: ops: Reject out of bounds values in snd_soc_put_volsw() We don't currently validate that the values being set are within the range we advertised to userspace as being valid, do so and reject any values that are out of range. CVE-2022-48738 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: Fix handling of wrong devices during bond netevent Current implementation of bond netevent handler only check if the handled netdev is VF representor and it missing a check if the VF representor is on the same phys device of the bond handling the netevent. Fix by adding the missing check and optimizing the check if the netdev is VF representor so it will not access uninitialized private data and crashes. BUG: kernel NULL pointer dereference, address: 000000000000036c PGD 0 P4D 0 Oops: 0000 [#1] SMP NOPTI Workqueue: eth3bond0 bond_mii_monitor [bonding] RIP: 0010:mlx5e_is_uplink_rep+0xc/0x50 [mlx5_core] RSP: 0018:ffff88812d69fd60 EFLAGS: 00010282 RAX: 0000000000000000 RBX: ffff8881cf800000 RCX: 0000000000000000 RDX: ffff88812d69fe10 RSI: 000000000000001b RDI: ffff8881cf800880 RBP: ffff8881cf800000 R08: 00000445cabccf2b R09: 0000000000000008 R10: 0000000000000004 R11: 0000000000000008 R12: ffff88812d69fe10 R13: 00000000fffffffe R14: ffff88820c0f9000 R15: 0000000000000000 FS: 0000000000000000(0000) GS:ffff88846fb00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000000000000036c CR3: 0000000103d80006 CR4: 0000000000370ea0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: mlx5e_eswitch_uplink_rep+0x31/0x40 [mlx5_core] mlx5e_rep_is_lag_netdev+0x94/0xc0 [mlx5_core] mlx5e_rep_esw_bond_netevent+0xeb/0x3d0 [mlx5_core] raw_notifier_call_chain+0x41/0x60 call_netdevice_notifiers_info+0x34/0x80 netdev_lower_state_changed+0x4e/0xa0 bond_mii_monitor+0x56b/0x640 [bonding] process_one_work+0x1b9/0x390 worker_thread+0x4d/0x3d0 ? rescuer_thread+0x350/0x350 kthread+0x124/0x150 ? set_kthread_struct+0x40/0x40 ret_from_fork+0x1f/0x30 CVE-2022-48746 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: block: Fix wrong offset in bio_truncate() bio_truncate() clears the buffer outside of last block of bdev, however current bio_truncate() is using the wrong offset of page. So it can return the uninitialized data. This happened when both of truncated/corrupted FS and userspace (via bdev) are trying to read the last of bdev. CVE-2022-48747 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: net: bridge: vlan: fix memory leak in __allowed_ingress When using per-vlan state, if vlan snooping and stats are disabled, untagged or priority-tagged ingress frame will go to check pvid state. If the port state is forwarding and the pvid state is not learning/forwarding, untagged or priority-tagged frame will be dropped but skb memory is not freed. Should free skb when __allowed_ingress returns false. CVE-2022-48748 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/msm/dpu: invalid parameter check in dpu_setup_dspp_pcc The function performs a check on the "ctx" input parameter, however, it is used before the check. Initialize the "base" variable after the sanity check to avoid a possible NULL pointer dereference. Addresses-Coverity-ID: 1493866 ("Null pointer dereference") CVE-2022-48749 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: powerpc/perf: Fix power_pmu_disable to call clear_pmi_irq_pending only if PMI is pending Running selftest with CONFIG_PPC_IRQ_SOFT_MASK_DEBUG enabled in kernel triggered below warning: [ 172.851380] ------------[ cut here ]------------ [ 172.851391] WARNING: CPU: 8 PID: 2901 at arch/powerpc/include/asm/hw_irq.h:246 power_pmu_disable+0x270/0x280 [ 172.851402] Modules linked in: dm_mod bonding nft_ct nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 ip_set nf_tables rfkill nfnetlink sunrpc xfs libcrc32c pseries_rng xts vmx_crypto uio_pdrv_genirq uio sch_fq_codel ip_tables ext4 mbcache jbd2 sd_mod t10_pi sg ibmvscsi ibmveth scsi_transport_srp fuse [ 172.851442] CPU: 8 PID: 2901 Comm: lost_exception_ Not tainted 5.16.0-rc5-03218-g798527287598 #2 [ 172.851451] NIP: c00000000013d600 LR: c00000000013d5a4 CTR: c00000000013b180 [ 172.851458] REGS: c000000017687860 TRAP: 0700 Not tainted (5.16.0-rc5-03218-g798527287598) [ 172.851465] MSR: 8000000000029033 <SF,EE,ME,IR,DR,RI,LE> CR: 48004884 XER: 20040000 [ 172.851482] CFAR: c00000000013d5b4 IRQMASK: 1 [ 172.851482] GPR00: c00000000013d5a4 c000000017687b00 c000000002a10600 0000000000000004 [ 172.851482] GPR04: 0000000082004000 c0000008ba08f0a8 0000000000000000 00000008b7ed0000 [ 172.851482] GPR08: 00000000446194f6 0000000000008000 c00000000013b118 c000000000d58e68 [ 172.851482] GPR12: c00000000013d390 c00000001ec54a80 0000000000000000 0000000000000000 [ 172.851482] GPR16: 0000000000000000 0000000000000000 c000000015d5c708 c0000000025396d0 [ 172.851482] GPR20: 0000000000000000 0000000000000000 c00000000a3bbf40 0000000000000003 [ 172.851482] GPR24: 0000000000000000 c0000008ba097400 c0000000161e0d00 c00000000a3bb600 [ 172.851482] GPR28: c000000015d5c700 0000000000000001 0000000082384090 c0000008ba0020d8 [ 172.851549] NIP [c00000000013d600] power_pmu_disable+0x270/0x280 [ 172.851557] LR [c00000000013d5a4] power_pmu_disable+0x214/0x280 [ 172.851565] Call Trace: [ 172.851568] [c000000017687b00] [c00000000013d5a4] power_pmu_disable+0x214/0x280 (unreliable) [ 172.851579] [c000000017687b40] [c0000000003403ac] perf_pmu_disable+0x4c/0x60 [ 172.851588] [c000000017687b60] [c0000000003445e4] __perf_event_task_sched_out+0x1d4/0x660 [ 172.851596] [c000000017687c50] [c000000000d1175c] __schedule+0xbcc/0x12a0 [ 172.851602] [c000000017687d60] [c000000000d11ea8] schedule+0x78/0x140 [ 172.851608] [c000000017687d90] [c0000000001a8080] sys_sched_yield+0x20/0x40 [ 172.851615] [c000000017687db0] [c0000000000334dc] system_call_exception+0x18c/0x380 [ 172.851622] [c000000017687e10] [c00000000000c74c] system_call_common+0xec/0x268 The warning indicates that MSR_EE being set(interrupt enabled) when there was an overflown PMC detected. This could happen in power_pmu_disable since it runs under interrupt soft disable condition ( local_irq_save ) and not with interrupts hard disabled. commit 2c9ac51b850d ("powerpc/perf: Fix PMU callbacks to clear pending PMI before resetting an overflown PMC") intended to clear PMI pending bit in Paca when disabling the PMU. It could happen that PMC gets overflown while code is in power_pmu_disable callback function. Hence add a check to see if PMI pending bit is set in Paca before clearing it via clear_pmi_pending. CVE-2022-48752 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: phylib: fix potential use-after-free Commit bafbdd527d56 ("phylib: Add device reset GPIO support") added call to phy_device_reset(phydev) after the put_device() call in phy_detach(). The comment before the put_device() call says that the phydev might go away with put_device(). Fix potential use-after-free by calling phy_device_reset() before put_device(). CVE-2022-48754 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/msm/dsi: invalid parameter check in msm_dsi_phy_enable The function performs a check on the "phy" input parameter, however, it is used before the check. Initialize the "dev" variable after the sanity check to avoid a possible NULL pointer dereference. Addresses-Coverity-ID: 1493860 ("Null pointer dereference") CVE-2022-48756 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: scsi: bnx2fc: Flush destroy_work queue before calling bnx2fc_interface_put() The bnx2fc_destroy() functions are removing the interface before calling destroy_work. This results multiple WARNings from sysfs_remove_group() as the controller rport device attributes are removed too early. Replace the fcoe_port's destroy_work queue. It's not needed. The problem is easily reproducible with the following steps. Example: $ dmesg -w & $ systemctl enable --now fcoe $ fipvlan -s -c ens2f1 $ fcoeadm -d ens2f1.802 [ 583.464488] host2: libfc: Link down on port (7500a1) [ 583.472651] bnx2fc: 7500a1 - rport not created Yet!! [ 583.490468] ------------[ cut here ]------------ [ 583.538725] sysfs group 'power' not found for kobject 'rport-2:0-0' [ 583.568814] WARNING: CPU: 3 PID: 192 at fs/sysfs/group.c:279 sysfs_remove_group+0x6f/0x80 [ 583.607130] Modules linked in: dm_service_time 8021q garp mrp stp llc bnx2fc cnic uio rpcsec_gss_krb5 auth_rpcgss nfsv4 ... [ 583.942994] CPU: 3 PID: 192 Comm: kworker/3:2 Kdump: loaded Not tainted 5.14.0-39.el9.x86_64 #1 [ 583.984105] Hardware name: HP ProLiant DL120 G7, BIOS J01 07/01/2013 [ 584.016535] Workqueue: fc_wq_2 fc_rport_final_delete [scsi_transport_fc] [ 584.050691] RIP: 0010:sysfs_remove_group+0x6f/0x80 [ 584.074725] Code: ff 5b 48 89 ef 5d 41 5c e9 ee c0 ff ff 48 89 ef e8 f6 b8 ff ff eb d1 49 8b 14 24 48 8b 33 48 c7 c7 ... [ 584.162586] RSP: 0018:ffffb567c15afdc0 EFLAGS: 00010282 [ 584.188225] RAX: 0000000000000000 RBX: ffffffff8eec4220 RCX: 0000000000000000 [ 584.221053] RDX: ffff8c1586ce84c0 RSI: ffff8c1586cd7cc0 RDI: ffff8c1586cd7cc0 [ 584.255089] RBP: 0000000000000000 R08: 0000000000000000 R09: ffffb567c15afc00 [ 584.287954] R10: ffffb567c15afbf8 R11: ffffffff8fbe7f28 R12: ffff8c1486326400 [ 584.322356] R13: ffff8c1486326480 R14: ffff8c1483a4a000 R15: 0000000000000004 [ 584.355379] FS: 0000000000000000(0000) GS:ffff8c1586cc0000(0000) knlGS:0000000000000000 [ 584.394419] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 584.421123] CR2: 00007fe95a6f7840 CR3: 0000000107674002 CR4: 00000000000606e0 [ 584.454888] Call Trace: [ 584.466108] device_del+0xb2/0x3e0 [ 584.481701] device_unregister+0x13/0x60 [ 584.501306] bsg_unregister_queue+0x5b/0x80 [ 584.522029] bsg_remove_queue+0x1c/0x40 [ 584.541884] fc_rport_final_delete+0xf3/0x1d0 [scsi_transport_fc] [ 584.573823] process_one_work+0x1e3/0x3b0 [ 584.592396] worker_thread+0x50/0x3b0 [ 584.609256] ? rescuer_thread+0x370/0x370 [ 584.628877] kthread+0x149/0x170 [ 584.643673] ? set_kthread_struct+0x40/0x40 [ 584.662909] ret_from_fork+0x22/0x30 [ 584.680002] ---[ end trace 53575ecefa942ece ]--- CVE-2022-48758 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: rpmsg: char: Fix race between the release of rpmsg_ctrldev and cdev struct rpmsg_ctrldev contains a struct cdev. The current code frees the rpmsg_ctrldev struct in rpmsg_ctrldev_release_device(), but the cdev is a managed object, therefore its release is not predictable and the rpmsg_ctrldev could be freed before the cdev is entirely released, as in the backtrace below. [ 93.625603] ODEBUG: free active (active state 0) object type: timer_list hint: delayed_work_timer_fn+0x0/0x7c [ 93.636115] WARNING: CPU: 0 PID: 12 at lib/debugobjects.c:488 debug_print_object+0x13c/0x1b0 [ 93.644799] Modules linked in: veth xt_cgroup xt_MASQUERADE rfcomm algif_hash algif_skcipher af_alg uinput ip6table_nat fuse uvcvideo videobuf2_vmalloc venus_enc venus_dec videobuf2_dma_contig hci_uart btandroid btqca snd_soc_rt5682_i2c bluetooth qcom_spmi_temp_alarm snd_soc_rt5682v [ 93.715175] CPU: 0 PID: 12 Comm: kworker/0:1 Tainted: G B 5.4.163-lockdep #26 [ 93.723855] Hardware name: Google Lazor (rev3 - 8) with LTE (DT) [ 93.730055] Workqueue: events kobject_delayed_cleanup [ 93.735271] pstate: 60c00009 (nZCv daif +PAN +UAO) [ 93.740216] pc : debug_print_object+0x13c/0x1b0 [ 93.744890] lr : debug_print_object+0x13c/0x1b0 [ 93.749555] sp : ffffffacf5bc7940 [ 93.752978] x29: ffffffacf5bc7940 x28: dfffffd000000000 [ 93.758448] x27: ffffffacdb11a800 x26: dfffffd000000000 [ 93.763916] x25: ffffffd0734f856c x24: dfffffd000000000 [ 93.769389] x23: 0000000000000000 x22: ffffffd0733c35b0 [ 93.774860] x21: ffffffd0751994a0 x20: ffffffd075ec27c0 [ 93.780338] x19: ffffffd075199100 x18: 00000000000276e0 [ 93.785814] x17: 0000000000000000 x16: dfffffd000000000 [ 93.791291] x15: ffffffffffffffff x14: 6e6968207473696c [ 93.796768] x13: 0000000000000000 x12: ffffffd075e2b000 [ 93.802244] x11: 0000000000000001 x10: 0000000000000000 [ 93.807723] x9 : d13400dff1921900 x8 : d13400dff1921900 [ 93.813200] x7 : 0000000000000000 x6 : 0000000000000000 [ 93.818676] x5 : 0000000000000080 x4 : 0000000000000000 [ 93.824152] x3 : ffffffd0732a0fa4 x2 : 0000000000000001 [ 93.829628] x1 : ffffffacf5bc7580 x0 : 0000000000000061 [ 93.835104] Call trace: [ 93.837644] debug_print_object+0x13c/0x1b0 [ 93.841963] __debug_check_no_obj_freed+0x25c/0x3c0 [ 93.846987] debug_check_no_obj_freed+0x18/0x20 [ 93.851669] slab_free_freelist_hook+0xbc/0x1e4 [ 93.856346] kfree+0xfc/0x2f4 [ 93.859416] rpmsg_ctrldev_release_device+0x78/0xb8 [ 93.864445] device_release+0x84/0x168 [ 93.868310] kobject_cleanup+0x12c/0x298 [ 93.872356] kobject_delayed_cleanup+0x10/0x18 [ 93.876948] process_one_work+0x578/0x92c [ 93.881086] worker_thread+0x804/0xcf8 [ 93.884963] kthread+0x2a8/0x314 [ 93.888303] ret_from_fork+0x10/0x18 The cdev_device_add/del() API was created to address this issue (see commit '233ed09d7fda ("chardev: add helper function to register char devs with a struct device")'), use it instead of cdev add/del(). CVE-2022-48759 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: USB: core: Fix hang in usb_kill_urb by adding memory barriers The syzbot fuzzer has identified a bug in which processes hang waiting for usb_kill_urb() to return. It turns out the issue is not unlinking the URB; that works just fine. Rather, the problem arises when the wakeup notification that the URB has completed is not received. The reason is memory-access ordering on SMP systems. In outline form, usb_kill_urb() and __usb_hcd_giveback_urb() operating concurrently on different CPUs perform the following actions: CPU 0 CPU 1 ---------------------------- --------------------------------- usb_kill_urb(): __usb_hcd_giveback_urb(): ... ... atomic_inc(&urb->reject); atomic_dec(&urb->use_count); ... ... wait_event(usb_kill_urb_queue, atomic_read(&urb->use_count) == 0); if (atomic_read(&urb->reject)) wake_up(&usb_kill_urb_queue); Confining your attention to urb->reject and urb->use_count, you can see that the overall pattern of accesses on CPU 0 is: write urb->reject, then read urb->use_count; whereas the overall pattern of accesses on CPU 1 is: write urb->use_count, then read urb->reject. This pattern is referred to in memory-model circles as SB (for "Store Buffering"), and it is well known that without suitable enforcement of the desired order of accesses -- in the form of memory barriers -- it is entirely possible for one or both CPUs to execute their reads ahead of their writes. The end result will be that sometimes CPU 0 sees the old un-decremented value of urb->use_count while CPU 1 sees the old un-incremented value of urb->reject. Consequently CPU 0 ends up on the wait queue and never gets woken up, leading to the observed hang in usb_kill_urb(). The same pattern of accesses occurs in usb_poison_urb() and the failure pathway of usb_hcd_submit_urb(). The problem is fixed by adding suitable memory barriers. To provide proper memory-access ordering in the SB pattern, a full barrier is required on both CPUs. The atomic_inc() and atomic_dec() accesses themselves don't provide any memory ordering, but since they are present, we can use the optimized smp_mb__after_atomic() memory barrier in the various routines to obtain the desired effect. This patch adds the necessary memory barriers. CVE-2022-48760 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: ceph: properly put ceph_string reference after async create attempt The reference acquired by try_prep_async_create is currently leaked. Ensure we put it. CVE-2022-48767 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: tracing/histogram: Fix a potential memory leak for kstrdup() kfree() is missing on an error path to free the memory allocated by kstrdup(): p = param = kstrdup(data->params[i], GFP_KERNEL); So it is better to free it via kfree(p). CVE-2022-48768 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate A vulnerability was found in zstd v1.4.10, where an attacker can supply empty string as an argument to the command line tool to cause buffer overrun. CVE-2022-4899 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libzstd1-1.4.4-150000.1.9.1 moderate A flaw was found in the c-ares package. The ares_set_sortlist is missing checks about the validity of the input string, which allows a possible arbitrary length stack overflow. This issue may cause a denial of service or a limited impact on confidentiality and integrity. CVE-2022-4904 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libcares2-1.19.1-150000.3.26.1 moderate The current implementation of the prctl syscall does not issue an IBPB immediately during the syscall. The ib_prctl_set function updates the Thread Information Flags (TIFs) for the task and updates the SPEC_CTRL MSR on the function __speculation_ctrl_update, but the IBPB is only issued on the next schedule, when the TIF bits are checked. This leaves the victim vulnerable to values already injected on the BTB, prior to the prctl syscall. The patch that added the support for the conditional mitigation via prctl (ib_prctl_set) dates back to the kernel 4.9.176. We recommend upgrading past commit a664ec9158eeddd75121d39c9a0758016097fa96 CVE-2023-0045 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate Out-of-bounds Read in GitHub repository vim/vim prior to 9.0.1143. CVE-2023-0049 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:vim-9.1.0330-150000.5.63.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:vim-data-common-9.1.0330-150000.5.63.1 moderate Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.1144. CVE-2023-0051 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:vim-9.1.0330-150000.5.63.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:vim-data-common-9.1.0330-150000.5.63.1 moderate Out-of-bounds Write in GitHub repository vim/vim prior to 9.0.1145. CVE-2023-0054 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:vim-9.1.0330-150000.5.63.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:vim-data-common-9.1.0330-150000.5.63.1 moderate A deadlock flaw was found in the Linux kernel's BPF subsystem. This flaw allows a local user to potentially crash the system. CVE-2023-0160 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate A buffer overflow vulnerability was found in the Netfilter subsystem in the Linux Kernel. This issue could allow the leakage of both stack and heap addresses, and potentially allow Local Privilege Escalation to the root user via arbitrary code execution. CVE-2023-0179 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 important The public API function BIO_new_NDEF is a helper function used for streaming ASN.1 data via a BIO. It is primarily used internally to OpenSSL to support the SMIME, CMS and PKCS7 streaming capabilities, but may also be called directly by end user applications. The function receives a BIO from the caller, prepends a new BIO_f_asn1 filter BIO onto the front of it to form a BIO chain, and then returns the new head of the BIO chain to the caller. Under certain conditions, for example if a CMS recipient public key is invalid, the new filter BIO is freed and the function returns a NULL result indicating a failure. However, in this case, the BIO chain is not properly cleaned up and the BIO passed by the caller still retains internal pointers to the previously freed filter BIO. If the caller then goes on to call BIO_pop() on the BIO then a use-after-free will occur. This will most likely result in a crash. This scenario occurs directly in the internal function B64_write_ASN1() which may cause BIO_new_NDEF() to be called and will subsequently call BIO_pop() on the BIO. This internal function is in turn called by the public API functions PEM_write_bio_ASN1_stream, PEM_write_bio_CMS_stream, PEM_write_bio_PKCS7_stream, SMIME_write_ASN1, SMIME_write_CMS and SMIME_write_PKCS7. Other public API functions that may be impacted by this include i2d_ASN1_bio_stream, BIO_new_CMS, BIO_new_PKCS7, i2d_CMS_bio_stream and i2d_PKCS7_bio_stream. The OpenSSL cms and smime command line applications are similarly affected. CVE-2023-0215 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libopenssl1_1-1.1.1d-150200.11.91.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:openssl-1_1-1.1.1d-150200.11.91.1 moderate A flaw was found in Samba. An incomplete access check on dnsHostName allows authenticated but otherwise unprivileged users to delete this attribute from any object in the directory. CVE-2023-0225 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:samba-client-libs-4.15.13+git.710.7032820fcd-150300.3.66.2 moderate A use after free vulnerability exists in the ALSA PCM package in the Linux Kernel. SNDRV_CTL_IOCTL_ELEM_{READ|WRITE}32 is missing locks that can be used in a use-after-free that can result in a priviledge escalation to gain ring0 access from the system user. We recommend upgrading past commit 56b88b50565cd8b946a2d00b0c83927b7ebb055e CVE-2023-0266 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 important There is a type confusion vulnerability relating to X.400 address processing inside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING but the public structure definition for GENERAL_NAME incorrectly specified the type of the x400Address field as ASN1_TYPE. This field is subsequently interpreted by the OpenSSL function GENERAL_NAME_cmp as an ASN1_TYPE rather than an ASN1_STRING. When CRL checking is enabled (i.e. the application sets the X509_V_FLAG_CRL_CHECK flag), this vulnerability may allow an attacker to pass arbitrary pointers to a memcmp call, enabling them to read memory contents or enact a denial of service. In most cases, the attack requires the attacker to provide both the certificate chain and CRL, neither of which need to have a valid signature. If the attacker only controls one of these inputs, the other input must already contain an X.400 address as a CRL distribution point, which is uncommon. As such, this vulnerability is most likely to only affect applications which have implemented their own functionality for retrieving CRLs over a network. CVE-2023-0286 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libopenssl1_1-1.1.1d-150200.11.91.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:openssl-1_1-1.1.1d-150200.11.91.1 important Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.1189. CVE-2023-0288 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:vim-9.1.0330-150000.5.63.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:vim-data-common-9.1.0330-150000.5.63.1 moderate A timing side-channel in the handling of RSA ClientKeyExchange messages was discovered in GnuTLS. This side-channel can be sufficient to recover the key encrypted in the RSA ciphertext across a network in a Bleichenbacher style attack. To achieve a successful decryption the attacker would need to send a large amount of specially crafted messages to the vulnerable server. By recovering the secret from the ClientKeyExchange message, the attacker would be able to decrypt the application data exchanged over that connection. CVE-2023-0361 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libgnutls30-3.6.7-150200.14.31.1 moderate Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.1225. CVE-2023-0433 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:vim-9.1.0330-150000.5.63.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:vim-data-common-9.1.0330-150000.5.63.1 low Copy_from_user on 64-bit versions of the Linux kernel does not implement the __uaccess_begin_nospec allowing a user to bypass the "access_ok" check and pass a kernel pointer to copy_from_user(). This would allow an attacker to leak information. We recommend upgrading beyond commit 74e19ef0ff8061ef55957c3abd71614ef0f42f47 CVE-2023-0459 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate There is a use-after-free vulnerability in the Linux Kernel which can be exploited to achieve local privilege escalation. To reach the vulnerability kernel configuration flag CONFIG_TLS or CONFIG_XFRM_ESPINTCP has to be configured, but the operation does not require any privilege. There is a use-after-free bug of icsk_ulp_data of a struct inet_connection_sock. When CONFIG_TLS is enabled, user can install a tls context (struct tls_context) on a connected tcp socket. The context is not cleared if this socket is disconnected and reused as a listener. If a new socket is created from the listener, the context is inherited and vulnerable. The setsockopt TCP_ULP operation does not require any privilege. We recommend upgrading past commit 2c02d41d71f90a5168391b6a5f2954112ba2307c CVE-2023-0461 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 important A security vulnerability has been identified in all supported versions of OpenSSL related to the verification of X.509 certificate chains that include policy constraints. Attackers may be able to exploit this vulnerability by creating a malicious certificate chain that triggers exponential use of computational resources, leading to a denial-of-service (DoS) attack on affected systems. Policy processing is disabled by default but can be enabled by passing the `-policy' argument to the command line utilities or by calling the `X509_VERIFY_PARAM_set1_policies()' function. CVE-2023-0464 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libopenssl1_1-1.1.1d-150200.11.91.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:openssl-1_1-1.1.1d-150200.11.91.1 moderate Applications that use a non-default option when verifying certificates may be vulnerable to an attack from a malicious CA to circumvent certain checks. Invalid certificate policies in leaf certificates are silently ignored by OpenSSL and other certificate policy checks are skipped for that certificate. A malicious CA could use this to deliberately assert invalid certificate policies in order to circumvent policy checking on the certificate altogether. Policy processing is disabled by default but can be enabled by passing the `-policy' argument to the command line utilities or by calling the `X509_VERIFY_PARAM_set1_policies()' function. CVE-2023-0465 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libopenssl1_1-1.1.1d-150200.11.91.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:openssl-1_1-1.1.1d-150200.11.91.1 moderate The function X509_VERIFY_PARAM_add0_policy() is documented to implicitly enable the certificate policy check when doing certificate verification. However the implementation of the function does not enable the check which allows certificates with invalid or incorrect policies to pass the certificate verification. As suddenly enabling the policy check could break existing deployments it was decided to keep the existing behavior of the X509_VERIFY_PARAM_add0_policy() function. Instead the applications that require OpenSSL to perform certificate policy check need to use X509_VERIFY_PARAM_set1_policies() or explicitly enable the policy check by calling X509_VERIFY_PARAM_set_flags() with the X509_V_FLAG_POLICY_CHECK flag argument. Certificate policy checks are disabled by default in OpenSSL and are not commonly used by applications. CVE-2023-0466 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libopenssl1_1-1.1.1d-150200.11.91.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:openssl-1_1-1.1.1d-150200.11.91.1 low Divide By Zero in GitHub repository vim/vim prior to 9.0.1247. CVE-2023-0512 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:vim-9.1.0330-150000.5.63.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:vim-data-common-9.1.0330-150000.5.63.1 important A use-after-free flaw was found in qdisc_graft in net/sched/sch_api.c in the Linux Kernel due to a race problem. This flaw leads to a denial of service issue. If patch ebda44da44f6 ("net: sched: fix race condition in qdisc_graft()") not applied yet, then kernel could be affected. CVE-2023-0590 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 important A flaw possibility of memory leak in the Linux kernel cpu_entry_area mapping of X86 CPU data to memory was found in the way user can guess location of exception stack(s) or other important data. A local user could use this flaw to get access to some important data with expected location in memory. CVE-2023-0597 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate The fix in 4.6.16, 4.7.9, 4.8.4 and 4.9.7 for CVE-2018-10919 Confidential attribute disclosure vi LDAP filters was insufficient and an attacker may be able to obtain confidential BitLocker recovery keys from a Samba AD DC. CVE-2023-0614 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libldb2-2.4.4-150300.3.23.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:samba-client-libs-4.15.13+git.710.7032820fcd-150300.3.66.2 moderate A vulnerability was found in GNU C Library 2.38. It has been declared as critical. This vulnerability affects the function __monstartup of the file gmon.c of the component Call Graph Monitor. The manipulation leads to buffer overflow. It is recommended to apply a patch to fix this issue. VDB-220246 is the identifier assigned to this vulnerability. NOTE: The real existence of this vulnerability is still doubted at the moment. The inputs that induce this vulnerability are basically addresses of the running application that is built with gmon enabled. It's basically trusted input or input that needs an actual security flaw to be compromised or controlled. CVE-2023-0687 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:binutils-2.41-150100.7.46.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:glibc-2.31-150300.83.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:glibc-i18ndata-2.31-150300.83.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:glibc-locale-2.31-150300.83.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:glibc-locale-base-2.31-150300.83.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libctf-nobfd0-2.41-150100.7.46.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libctf0-2.41-150100.7.46.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:nscd-2.31-150300.83.1 low 4 AV:A/AC:H/Au:S/C:P/I:P/A:P An attacker could construct a PKCS 12 cert bundle in such a way that could allow for arbitrary memory writes via PKCS 12 Safe Bag attributes being mishandled. This vulnerability affects Firefox < 110, Thunderbird < 102.8, and Firefox ESR < 102.8. CVE-2023-0767 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:mozilla-nss-certs-3.101.2-150000.3.120.1 important The Samba AD DC administration tool, when operating against a remote LDAP server, will by default send new or reset passwords over a signed-only connection. CVE-2023-0922 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:samba-client-libs-4.15.13+git.710.7032820fcd-150300.3.66.2 moderate A flaw was found in the Linux Kernel. The tls_is_tx_ready() incorrectly checks for list emptiness, potentially accessing a type confused entry to the list_head, leaking the last byte of the confused field that overlaps with rec->tx_ready. CVE-2023-1075 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 low A flaw was found in the Linux Kernel. The tun/tap sockets have their socket UID hardcoded to 0 due to a type confusion in their initialization function. While it will be often correct, as tuntap devices require CAP_NET_ADMIN, it may not always be the case, e.g., a non-root user only having that capability. This would make tun/tap sockets being incorrectly treated in filtering/routing decisions, possibly bypassing network filters. CVE-2023-1076 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, pick_next_rt_entity() may return a type confused entry, not detected by the BUG_ON condition, as the confused entry will not be NULL, but list_head.The buggy error condition would lead to a type confused entry with the list head,which would then be used as a type confused sched_rt_entity,causing memory corruption. CVE-2023-1077 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 important A flaw was found in the Linux Kernel in RDS (Reliable Datagram Sockets) protocol. The rds_rm_zerocopy_callback() uses list_entry() on the head of a list causing a type confusion. Local user can trigger this with rds_message_put(). Type confusion leads to `struct rds_msg_zcopy_info *info` actually points to something else that is potentially controlled by local user. It is known how to trigger this, which causes an out of bounds access, and a lock corruption. CVE-2023-1078 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 important A flaw was found in the Linux kernel. A use-after-free may be triggered in asus_kbd_backlight_set when plugging/disconnecting in a malicious USB device, which advertises itself as an Asus device. Similarly to the previous known CVE-2023-25012, but in asus devices, the work_struct may be scheduled by the LED controller while the device is disconnecting, triggering a use-after-free on the struct asus_kbd_leds *led structure. A malicious USB device may exploit the issue to cause memory corruption with controlled data. CVE-2023-1079 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In nf_tables_updtable, if nf_tables_table_enable returns an error, nft_trans_destroy is called to free the transaction object. nft_trans_destroy() calls list_del(), but the transaction was never placed on a list -- the list head is all zeroes, this results in a NULL pointer dereference. CVE-2023-1095 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate A flaw use after free in the Linux kernel integrated infrared receiver/transceiver driver was found in the way user detaching rc device. A local user could use this flaw to crash the system or potentially escalate their privileges on the system. CVE-2023-1118 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate Divide By Zero in GitHub repository vim/vim prior to 9.0.1367. CVE-2023-1127 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:vim-9.1.0330-150000.5.63.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:vim-data-common-9.1.0330-150000.5.63.1 moderate Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.1376. CVE-2023-1170 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:vim-9.1.0330-150000.5.63.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:vim-data-common-9.1.0330-150000.5.63.1 moderate Incorrect Calculation of Buffer Size in GitHub repository vim/vim prior to 9.0.1378. CVE-2023-1175 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:vim-9.1.0330-150000.5.63.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:vim-data-common-9.1.0330-150000.5.63.1 moderate A use-after-free flaw was found in smb2_is_status_io_timeout() in CIFS in the Linux Kernel. After CIFS transfers response data to a system call, there are still local variable points to the memory region, and if the system call frees it faster than CIFS uses it, CIFS will access a free memory region, leading to a denial of service. CVE-2023-1192 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate A hash collision flaw was found in the IPv6 connection lookup table in the Linux kernel's IPv6 functionality when a user makes a new kind of SYN flood attack. A user located in the local network or with a high bandwidth connection can increase the CPU usage of the server that accepts IPV6 connections up to 95%. CVE-2023-1206 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate A use-after-free flaw was found in the Linux kernel's core dump subsystem. This flaw allows a local user to crash the system. Only if patch 390031c94211 ("coredump: Use the vma snapshot in fill_files_note") not applied yet, then kernel could be affected. CVE-2023-1249 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate NULL Pointer Dereference in GitHub repository vim/vim prior to 9.0.1392. CVE-2023-1264 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:vim-9.1.0330-150000.5.63.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:vim-data-common-9.1.0330-150000.5.63.1 moderate Use After Free vulnerability in Linux kernel traffic control index filter (tcindex) allows Privilege Escalation. The imperfect hash area can be updated while packets are traversing, which will cause a use-after-free when 'tcf_exts_exec()' is called with the destroyed tcf_ext. A local attacker user can use this vulnerability to elevate its privileges to root. This issue affects Linux Kernel: from 4.14 before git commit ee059170b1f7e94e55fa6cadee544e176a6e59c2. CVE-2023-1281 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 important NULL Pointer Dereference in GitHub repository vim/vim prior to 9.0.1402. CVE-2023-1355 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:vim-9.1.0330-150000.5.63.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:vim-data-common-9.1.0330-150000.5.63.1 moderate A slab-out-of-bound read problem was found in brcmf_get_assoc_ies in drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c in the Linux Kernel. This issue could occur when assoc_info->req_len data is bigger than the size of the buffer, defined as WL_EXTRA_BUF_MAX, leading to a denial of service. CVE-2023-1380 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 low A data race flaw was found in the Linux kernel, between where con is allocated and con->sock is set. This issue leads to a NULL pointer dereference when accessing con->sock->sk in net/tipc/topsrv.c in the tipc protocol in the Linux kernel. CVE-2023-1382 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate A remote denial of service vulnerability was found in the Linux kernel's TIPC kernel module. The while loop in tipc_link_xmit() hits an unknown state while attempting to parse SKBs, which are not in the queue. Sending two small UDP packets to a system with a UDP bearer results in the CPU utilization for the system to instantly spike to 100%, causing a denial of service condition. CVE-2023-1390 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 important A flaw was found in KVM. When calling the KVM_GET_DEBUGREGS ioctl, on 32-bit systems, there might be some uninitialized portions of the kvm_debugregs structure that could be copied to userspace, causing an information leak. CVE-2023-1513 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 low Heap based buffer overflow in binutils-gdb/bfd/libbfd.c in bfd_getl64. CVE-2023-1579 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:binutils-2.41-150100.7.46.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libctf-nobfd0-2.41-150100.7.46.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libctf0-2.41-150100.7.46.1 low A race problem was found in fs/proc/task_mmu.c in the memory management sub-component in the Linux kernel. This issue may allow a local attacker with user privilege to cause a denial of service. CVE-2023-1582 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate A use-after-free flaw was found in btrfs_search_slot in fs/btrfs/ctree.c in btrfs in the Linux Kernel.This flaw allows an attacker to crash the system and possibly cause a kernel information lea CVE-2023-1611 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate A flaw that boot CPU could be vulnerable for the speculative execution behavior kind of attacks in the Linux kernel X86 CPU Power management options functionality was found in the way user resuming CPU from suspend-to-RAM. A local user could use this flaw to potentially get unauthorized access to some memory of the CPU similar to the speculative execution behavior kind of attacks. CVE-2023-1637 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate A NULL pointer dereference was found In libssh during re-keying with algorithm guessing. This issue may allow an authenticated client to cause a denial of service. CVE-2023-1667 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libssh4-0.9.8-150200.13.6.2 moderate A flaw use after free in the Linux kernel Xircom 16-bit PCMCIA (PC-card) Ethernet driver was found.A local user could use this flaw to crash the system or potentially escalate their privileges on the system. CVE-2023-1670 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate A use-after-free vulnerability in the Linux Kernel traffic control index filter (tcindex) can be exploited to achieve local privilege escalation. The tcindex_delete function which does not properly deactivate filters in case of a perfect hashes while deleting the underlying structure which can later lead to double freeing the structure. A local attacker user can use this vulnerability to elevate its privileges to root. We recommend upgrading past commit 8c710f75256bb3cf05ac7b1672c82b92c43f3d28. CVE-2023-1829 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:suse-module-tools-15.3.18-150300.3.25.1 important A use-after-free flaw was found in vhost_net_set_backend in drivers/vhost/net.c in virtio network subcomponent in the Linux kernel due to a double fget. This flaw could allow a local attacker to crash the system, and could even lead to a kernel information leak problem. CVE-2023-1838 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate A use-after-free flaw was found in xgene_hwmon_remove in drivers/hwmon/xgene-hwmon.c in the Hardware Monitoring Linux Kernel Driver (xgene-hwmon). This flaw could allow a local attacker to crash the system due to a race problem. This vulnerability could even lead to a kernel information leak problem. CVE-2023-1855 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate A use-after-free flaw was found in xen_9pfs_front_removet in net/9p/trans_xen.c in Xen transport for 9pfs in the Linux Kernel. This flaw could allow a local attacker to crash the system due to a race problem, possibly leading to a kernel information leak. CVE-2023-1859 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 low A use-after-free vulnerability in the Linux Kernel io_uring system can be exploited to achieve local privilege escalation. The io_file_get_fixed function lacks the presence of ctx->uring_lock which can lead to a Use-After-Free vulnerability due a race condition with fixed files getting unregistered. We recommend upgrading past commit da24142b1ef9fd5d36b76e36bab328a5b27523e8. CVE-2023-1872 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 important A potential heap based buffer overflow was found in _bfd_elf_slurp_version_tables() in bfd/elf.c. This may lead to loss of availability. CVE-2023-1972 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:binutils-2.41-150100.7.46.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libctf-nobfd0-2.41-150100.7.46.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libctf0-2.41-150100.7.46.1 low A vulnerability was found in the avahi library. This flaw allows an unprivileged user to make a dbus call, causing the avahi daemon to crash. CVE-2023-1981 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libavahi-client3-0.7-150100.3.35.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libavahi-common3-0.7-150100.3.35.1 moderate A use-after-free flaw was found in btsdio_remove in drivers\bluetooth\btsdio.c in the Linux Kernel. In this flaw, a call to btsdio_remove with an unfinished job, may cause a race problem leading to a UAF on hdev devices. CVE-2023-1989 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 important A use-after-free flaw was found in ndlc_remove in drivers/nfc/st-nci/ndlc.c in the Linux Kernel. This flaw could allow an attacker to crash the system due to a race problem. CVE-2023-1990 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate The Linux kernel allows userspace processes to enable mitigations by calling prctl with PR_SET_SPECULATION_CTRL which disables the speculation feature as well as by using seccomp. We had noticed that on VMs of at least one major cloud provider, the kernel still left the victim process exposed to attacks in some cases even after enabling the spectre-BTI mitigation with prctl. The same behavior can be observed on a bare-metal machine when forcing the mitigation to IBRS on boot command line. This happened because when plain IBRS was enabled (not enhanced IBRS), the kernel had some logic that determined that STIBP was not needed. The IBRS bit implicitly protects against cross-thread branch target injection. However, with legacy IBRS, the IBRS bit was cleared on returning to userspace, due to performance reasons, which disabled the implicit STIBP and left userspace threads vulnerable to cross-thread branch target injection against which STIBP protects. CVE-2023-1998 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate A vulnerability was found in the HCI sockets implementation due to a missing capability check in net/bluetooth/hci_sock.c in the Linux Kernel. This flaw allows an attacker to unauthorized execution of management commands, compromising the confidentiality, integrity, and availability of Bluetooth communication. CVE-2023-2002 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 important DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none. CVE-2023-2004 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libfreetype6-2.10.4-150000.4.15.1 moderate The specific flaw exists within the DPT I2O Controller driver. The issue results from the lack of proper locking when performing operations on an object. An attacker can leverage this in conjunction with other vulnerabilities to escalate privileges and execute arbitrary code in the context of the kernel. CVE-2023-2007 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate A flaw was found in the Linux kernel's udmabuf device driver. The specific flaw exists within a fault handler. The issue results from the lack of proper validation of user-supplied data, which can result in a memory access past the end of an array. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the kernel. CVE-2023-2008 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate A side channel vulnerability on some of the AMD CPUs may allow an attacker to influence the return address prediction. This may result in speculative execution at an attacker-controlled address, potentially leading to information disclosure. CVE-2023-20569 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:xen-libs-4.14.6_16-150300.3.75.1 moderate A division-by-zero error on some AMD processors can potentially return speculative data resulting in loss of confidentiality. CVE-2023-20588 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:xen-libs-4.14.6_16-150300.3.75.1 moderate An issue in "Zen 2" CPUs, under specific microarchitectural circumstances, may allow an attacker to potentially access sensitive information. CVE-2023-20593 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:xen-libs-4.14.6_16-150300.3.75.1 moderate Salt masters prior to 3005.2 or 3006.2 contain a DOS in minion return. After receiving several bad packets on the request server equal to the number of worker threads, the master will become unresponsive to return requests until restarted. CVE-2023-20897 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:python3-salt-3006.0-150300.53.79.2 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:salt-3006.0-150300.53.79.2 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:salt-minion-3006.0-150300.53.79.2 moderate Git Providers can read from the wrong environment because they get the same cache directory base name in Salt masters prior to 3005.2 or 3006.2. Anything that uses Git Providers with different environments can get garbage data or the wrong data, which can lead to wrongful data disclosure, wrongful executions, data corruption and/or crash. CVE-2023-20898 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:python3-salt-3006.0-150300.53.79.2 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:salt-3006.0-150300.53.79.2 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:salt-minion-3006.0-150300.53.79.2 moderate An out-of-bounds memory access flaw was found in the Linux kernel's XFS file system in how a user restores an XFS image after failure (with a dirty log journal). This flaw allows a local user to crash or potentially escalate their privileges on the system. CVE-2023-2124 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate Heap buffer overflow in sqlite in Google Chrome prior to 112.0.5615.137 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium) CVE-2023-2137 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libsqlite3-0-3.44.0-150000.3.23.1 important In multiple functions of io_uring.c, there is a possible kernel memory corruption due to improper locking. This could lead to local escalation of privilege in the kernel with System execution privileges needed. User interaction is not needed for exploitation. CVE-2023-21400 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate A flaw was found in the networking subsystem of the Linux kernel within the handling of the RPL protocol. This issue results from the lack of proper handling of user-supplied data, which can lead to an assertion failure. This may allow an unauthenticated remote attacker to create a denial of service condition on the system. CVE-2023-2156 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 important A use-after-free vulnerability was found in iscsi_sw_tcp_session_create in drivers/scsi/iscsi_tcp.c in SCSI sub-component in the Linux Kernel. In this flaw an attacker could leak kernel internal information. CVE-2023-2162 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate Incorrect verifier pruning in BPF in Linux Kernel >=5.4 leads to unsafe code paths being incorrectly marked as safe, resulting in arbitrary read/write in kernel memory, lateral privilege escalation, and container escape. CVE-2023-2163 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 important A vulnerability was found in compare_netdev_and_ip in drivers/infiniband/core/cma.c in RDMA in the Linux Kernel. The improper cleanup results in out-of-boundary read, where a local user can utilize this problem to crash the system or escalation of privilege. CVE-2023-2176 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 important A null pointer dereference issue was found in the sctp network protocol in net/sctp/stream_sched.c in Linux Kernel. If stream_in allocation is failed, stream_out is freed which would further be accessed. A local user could use this flaw to crash the system or potentially cause a denial of service. CVE-2023-2177 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate An out-of-bounds write vulnerability was found in the Linux kernel's SLIMpro I2C device driver. The userspace "data->block[0]" variable was not capped to a number between 0-255 and was used as the size of a memcpy, possibly writing beyond the end of dma_buffer. This flaw could allow a local privileged user to crash the system or potentially achieve code execution. CVE-2023-2194 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate This was deemed not a security vulnerability by upstream. CVE-2023-2222 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:binutils-2.41-150100.7.46.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libctf-nobfd0-2.41-150100.7.46.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libctf0-2.41-150100.7.46.1 low In Sudo before 1.9.12p2, the sudoedit (aka -e) feature mishandles extra arguments passed in the user-provided environment variables (SUDO_EDITOR, VISUAL, and EDITOR), allowing a local attacker to append arbitrary entries to the list of files to process. This can lead to privilege escalation. Affected versions are 1.8.0 through 1.9.12.p1. The problem exists because a user-specified editor may contain a "--" argument that defeats a protection mechanism, e.g., an EDITOR='vim -- /path/to/extra/file' value. CVE-2023-22809 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:sudo-1.9.5p2-150300.3.33.1 important A vulnerability was found in libssh, where the authentication check of the connecting client can be bypassed in the`pki_verify_data_signature` function in memory allocation problems. This issue may happen if there is insufficient memory or the memory usage is limited. The problem is caused by the return value `rc,` which is initialized to SSH_ERROR and later rewritten to save the return value of the function call `pki_key_check_hash_compatible.` The value of the variable is not changed between this point and the cryptographic verification. Therefore any error between them calls `goto error` returning SSH_OK. CVE-2023-2283 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libssh4-0.9.8-150200.13.6.2 moderate In the Linux kernel before 5.17, an error path in dwc3_qcom_acpi_register_core in drivers/usb/dwc3/dwc3-qcom.c lacks certain platform_device_put and kfree calls. CVE-2023-22995 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 low In the Linux kernel before 6.0.3, drivers/gpu/drm/virtio/virtgpu_object.c misinterprets the drm_gem_shmem_get_sg_table return value (expects it to be NULL in the error case, whereas it is actually an error pointer). CVE-2023-22998 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel before 5.17, drivers/phy/tegra/xusb.c mishandles the tegra_xusb_find_port_node return value. Callers expect NULL in the error case, but an error pointer is used. CVE-2023-23000 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 low In the Linux kernel before 5.19, drivers/gpu/drm/arm/malidp_planes.c misinterprets the get_sg_table return value (expects it to be NULL in the error case, whereas it is actually an error pointer). CVE-2023-23004 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 low In the Linux kernel before 5.15.13, drivers/net/ethernet/mellanox/mlx5/core/steering/dr_domain.c misinterprets the mlx5_get_uars_page return value (expects it to be NULL in the error case, whereas it is actually an error pointer). CVE-2023-23006 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate cbq_classify in net/sched/sch_cbq.c in the Linux kernel through 6.1.4 allows attackers to cause a denial of service (slab-out-of-bounds read) because of type confusion (non-negative numbers can sometimes indicate a TC_ACT_SHOT condition rather than valid classification results). CVE-2023-23454 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 important atm_tc_enqueue in net/sched/sch_atm.c in the Linux kernel through 6.1.4 allows attackers to cause a denial of service because of type confusion (non-negative numbers can sometimes indicate a TC_ACT_SHOT condition rather than valid classification results). CVE-2023-23455 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 important In rndis_query_oid in drivers/net/wireless/rndis_wlan.c in the Linux kernel through 6.1.5, there is an integer overflow in an addition. CVE-2023-23559 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:suse-module-tools-15.3.18-150300.3.25.1 moderate Due to a vulnerability in the io_uring subsystem, it is possible to leak kernel memory information to the user process. timens_install calls current_is_single_threaded to determine if the current process is single-threaded, but this call does not consider io_uring's io_worker threads, thus it is possible to insert a time namespace's vvar page to process's memory space via a page fault. When this time namespace is destroyed, the vvar page is also freed, but not removed from the process' memory, and a next page allocated by the kernel will be still available from the user-space process and can leak memory contents via this (read-only) use-after-free vulnerability. We recommend upgrading past version 5.10.161 or commit 788d0824269bef539fe31a785b1517882eafed93 https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/io_uring CVE-2023-23586 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate An allocation of resources without limits or throttling vulnerability exists in curl <v7.88.0 based on the "chained" HTTP compression algorithms, meaning that a server response can be compressed multiple times and potentially with differentalgorithms. The number of acceptable "links" in this "decompression chain" wascapped, but the cap was implemented on a per-header basis allowing a maliciousserver to insert a virtually unlimited number of compression steps simply byusing many headers. The use of such a decompression chain could result in a "malloc bomb", making curl end up spending enormous amounts of allocated heap memory, or trying to and returning out of memory errors. CVE-2023-23916 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:curl-7.66.0-150200.4.72.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libcurl4-7.66.0-150200.4.72.1 moderate cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. In affected versions `Cipher.update_into` would accept Python objects which implement the buffer protocol, but provide only immutable buffers. This would allow immutable objects (such as `bytes`) to be mutated, thus violating fundamental rules of Python and resulting in corrupted output. This now correctly raises an exception. This issue has been present since `update_into` was originally introduced in cryptography 1.8. CVE-2023-23931 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:python3-cryptography-3.3.2-150200.22.1 low Bluetooth BR/EDR devices with Secure Simple Pairing and Secure Connections pairing in Bluetooth Core Specification 4.2 through 5.4 allow certain man-in-the-middle attacks that force a short key length, and might lead to discovery of the encryption key and live injection, aka BLUFFS. CVE-2023-24023 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate Use of Out-of-range Pointer Offset in GitHub repository vim/vim prior to 9.0.1499. CVE-2023-2426 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:vim-9.1.0330-150000.5.63.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:vim-data-common-9.1.0330-150000.5.63.1 moderate An issue in the urllib.parse component of Python before 3.11.4 allows attackers to bypass blocklisting methods by supplying a URL that starts with blank characters. CVE-2023-24329 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:python3-3.6.15-150300.10.65.2 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:python3-curses-3.6.15-150300.10.65.2 important Rejected by upstream. CVE-2023-24593 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:glib2-tools-2.62.6-150200.3.18.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libgio-2_0-0-2.62.6-150200.3.18.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libglib-2_0-0-2.62.6-150200.3.18.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libgmodule-2_0-0-2.62.6-150200.3.18.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libgobject-2_0-0-2.62.6-150200.3.18.1 moderate DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2023-33203. Reason: This candidate is a reservation duplicate of CVE-2023-33203. Notes: All CVE users should reference CVE-2023-33203 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. CVE-2023-2483 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate The Linux kernel through 6.1.9 has a Use-After-Free in bigben_remove in drivers/hid/hid-bigbenff.c via a crafted USB device because the LED controllers remain registered for too long. CVE-2023-25012 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate A use-after-free vulnerability was found in the Linux kernel's ext4 filesystem in the way it handled the extra inode size for extended attributes. This flaw could allow a privileged local user to cause a system crash or other undefined behaviors. CVE-2023-2513 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate containerd is an open source container runtime. Before versions 1.6.18 and 1.5.18, when importing an OCI image, there was no limit on the number of bytes read for certain files. A maliciously crafted image with a large file where a limit was not applied could cause a denial of service. This bug has been fixed in containerd 1.6.18 and 1.5.18. Users should update to these versions to resolve the issue. As a workaround, ensure that only trusted images are used and that only trusted users have permissions to import images. CVE-2023-25153 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:containerd-1.7.17-150000.114.1 moderate containerd is an open source container runtime. A bug was found in containerd prior to versions 1.6.18 and 1.5.18 where supplementary groups are not set up properly inside a container. If an attacker has direct access to a container and manipulates their supplementary group access, they may be able to use supplementary group access to bypass primary group restrictions in some cases, potentially gaining access to sensitive information or gaining the ability to execute code in that container. Downstream applications that use the containerd client library may be affected as well. This bug has been fixed in containerd v1.6.18 and v.1.5.18. Users should update to these versions and recreate containers to resolve this issue. Users who rely on a downstream application that uses containerd's client library should check that application for a separate advisory and instructions. As a workaround, ensure that the `"USER $USERNAME"` Dockerfile instruction is not used. Instead, set the container entrypoint to a value similar to `ENTRYPOINT ["su", "-", "user"]` to allow `su` to properly set up supplementary groups. CVE-2023-25173 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:containerd-1.7.17-150000.114.1 moderate A flaw was found in Binutils. The use of an uninitialized field in the struct module *module may lead to application crash and local denial of service. CVE-2023-25585 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:binutils-2.41-150100.7.46.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libctf-nobfd0-2.41-150100.7.46.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libctf0-2.41-150100.7.46.1 low DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none. CVE-2023-25587 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:binutils-2.41-150100.7.46.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libctf-nobfd0-2.41-150100.7.46.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libctf0-2.41-150100.7.46.1 low A flaw was found in Binutils. The field `the_bfd` of `asymbol`struct is uninitialized in the `bfd_mach_o_get_synthetic_symtab` function, which may lead to an application crash and local denial of service. CVE-2023-25588 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:binutils-2.41-150100.7.46.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libctf-nobfd0-2.41-150100.7.46.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libctf0-2.41-150100.7.46.1 low runc is a CLI tool for spawning and running containers according to the OCI specification. In affected versions it was found that rootless runc makes `/sys/fs/cgroup` writable in following conditons: 1. when runc is executed inside the user namespace, and the `config.json` does not specify the cgroup namespace to be unshared (e.g.., `(docker|podman|nerdctl) run --cgroupns=host`, with Rootless Docker/Podman/nerdctl) or 2. when runc is executed outside the user namespace, and `/sys` is mounted with `rbind, ro` (e.g., `runc spec --rootless`; this condition is very rare). A container may gain the write access to user-owned cgroup hierarchy `/sys/fs/cgroup/user.slice/...` on the host . Other users's cgroup hierarchies are not affected. Users are advised to upgrade to version 1.1.5. Users unable to upgrade may unshare the cgroup namespace (`(docker|podman|nerdctl) run --cgroupns=private)`. This is the default behavior of Docker/Podman/nerdctl on cgroup v2 hosts. or add `/sys/fs/cgroup` to `maskedPaths`. CVE-2023-25809 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:runc-1.1.13-150000.67.1 low A vulnerability was found in libcap. This issue occurs in the _libcap_strdup() function and can lead to an integer overflow if the input string is close to 4GiB. CVE-2023-2603 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libcap2-2.26-150000.4.9.1 moderate NULL Pointer Dereference in GitHub repository vim/vim prior to 9.0.1531. CVE-2023-2609 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:vim-9.1.0330-150000.5.63.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:vim-data-common-9.1.0330-150000.5.63.1 important Integer Overflow or Wraparound in GitHub repository vim/vim prior to 9.0.1532. CVE-2023-2610 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:vim-9.1.0330-150000.5.63.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:vim-data-common-9.1.0330-150000.5.63.1 important Issue summary: Processing some specially crafted ASN.1 object identifiers or data containing them may be very slow. Impact summary: Applications that use OBJ_obj2txt() directly, or use any of the OpenSSL subsystems OCSP, PKCS7/SMIME, CMS, CMP/CRMF or TS with no message size limit may experience notable to very long delays when processing those messages, which may lead to a Denial of Service. An OBJECT IDENTIFIER is composed of a series of numbers - sub-identifiers - most of which have no size limit. OBJ_obj2txt() may be used to translate an ASN.1 OBJECT IDENTIFIER given in DER encoding form (using the OpenSSL type ASN1_OBJECT) to its canonical numeric text form, which are the sub-identifiers of the OBJECT IDENTIFIER in decimal form, separated by periods. When one of the sub-identifiers in the OBJECT IDENTIFIER is very large (these are sizes that are seen as absurdly large, taking up tens or hundreds of KiBs), the translation to a decimal number in text may take a very long time. The time complexity is O(n^2) with 'n' being the size of the sub-identifiers in bytes (*). With OpenSSL 3.0, support to fetch cryptographic algorithms using names / identifiers in string form was introduced. This includes using OBJECT IDENTIFIERs in canonical numeric text form as identifiers for fetching algorithms. Such OBJECT IDENTIFIERs may be received through the ASN.1 structure AlgorithmIdentifier, which is commonly used in multiple protocols to specify what cryptographic algorithm should be used to sign or verify, encrypt or decrypt, or digest passed data. Applications that call OBJ_obj2txt() directly with untrusted data are affected, with any version of OpenSSL. If the use is for the mere purpose of display, the severity is considered low. In OpenSSL 3.0 and newer, this affects the subsystems OCSP, PKCS7/SMIME, CMS, CMP/CRMF or TS. It also impacts anything that processes X.509 certificates, including simple things like verifying its signature. The impact on TLS is relatively low, because all versions of OpenSSL have a 100KiB limit on the peer's certificate chain. Additionally, this only impacts clients, or servers that have explicitly enabled client authentication. In OpenSSL 1.1.1 and 1.0.2, this only affects displaying diverse objects, such as X.509 certificates. This is assumed to not happen in such a way that it would cause a Denial of Service, so these versions are considered not affected by this issue in such a way that it would be cause for concern, and the severity is therefore considered low. CVE-2023-2650 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libopenssl1_1-1.1.1d-150200.11.91.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:openssl-1_1-1.1.1d-150200.11.91.1 moderate In the Linux kernel before 6.1.13, there is a double free in net/mpls/af_mpls.c upon an allocation failure (for registering the sysctl table under a new location) during the renaming of a device. CVE-2023-26545 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate The email module of Python through 3.11.3 incorrectly parses e-mail addresses that contain a special character. The wrong portion of an RFC2822 header is identified as the value of the addr-spec. In some applications, an attacker can bypass a protection mechanism in which application access is granted only after verifying receipt of e-mail to a specific domain (e.g., only @company.example.com addresses may be used for signup). This occurs in email/_parseaddr.py in recent versions of Python. CVE-2023-27043 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:python3-3.6.15-150300.10.65.2 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:python3-curses-3.6.15-150300.10.65.2 moderate A vulnerability in input validation exists in curl <8.0 during communication using the TELNET protocol may allow an attacker to pass on maliciously crafted user name and "telnet options" during server negotiation. The lack of proper input scrubbing allows an attacker to send content or perform option negotiation without the application's intent. This vulnerability could be exploited if an application allows user input, thereby enabling attackers to execute arbitrary code on the system. CVE-2023-27533 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:curl-7.66.0-150200.4.72.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libcurl4-7.66.0-150200.4.72.1 moderate A path traversal vulnerability exists in curl <8.0.0 SFTP implementation causes the tilde (~) character to be wrongly replaced when used as a prefix in the first path element, in addition to its intended use as the first element to indicate a path relative to the user's home directory. Attackers can exploit this flaw to bypass filtering or execute arbitrary code by crafting a path like /~2/foo while accessing a server with a specific user. CVE-2023-27534 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:curl-7.66.0-150200.4.72.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libcurl4-7.66.0-150200.4.72.1 moderate An authentication bypass vulnerability exists in libcurl <8.0.0 in the FTP connection reuse feature that can result in wrong credentials being used during subsequent transfers. Previously created connections are kept in a connection pool for reuse if they match the current setup. However, certain FTP settings such as CURLOPT_FTP_ACCOUNT, CURLOPT_FTP_ALTERNATIVE_TO_USER, CURLOPT_FTP_SSL_CCC, and CURLOPT_USE_SSL were not included in the configuration match checks, causing them to match too easily. This could lead to libcurl using the wrong credentials when performing a transfer, potentially allowing unauthorized access to sensitive information. CVE-2023-27535 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:curl-7.66.0-150200.4.72.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libcurl4-7.66.0-150200.4.72.1 moderate An authentication bypass vulnerability exists libcurl <8.0.0 in the connection reuse feature which can reuse previously established connections with incorrect user permissions due to a failure to check for changes in the CURLOPT_GSSAPI_DELEGATION option. This vulnerability affects krb5/kerberos/negotiate/GSSAPI transfers and could potentially result in unauthorized access to sensitive information. The safest option is to not reuse connections if the CURLOPT_GSSAPI_DELEGATION option has been changed. CVE-2023-27536 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:curl-7.66.0-150200.4.72.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libcurl4-7.66.0-150200.4.72.1 moderate An authentication bypass vulnerability exists in libcurl prior to v8.0.0 where it reuses a previously established SSH connection despite the fact that an SSH option was modified, which should have prevented reuse. libcurl maintains a pool of previously used connections to reuse them for subsequent transfers if the configurations match. However, two SSH settings were omitted from the configuration check, allowing them to match easily, potentially leading to the reuse of an inappropriate connection. CVE-2023-27538 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:curl-7.66.0-150200.4.72.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libcurl4-7.66.0-150200.4.72.1 moderate runc through 1.1.4 has Incorrect Access Control leading to Escalation of Privileges, related to libcontainer/rootfs_linux.go. To exploit this, an attacker must be able to spawn two containers with custom volume-mount configurations, and be able to run custom images. NOTE: this issue exists because of a CVE-2019-19921 regression. CVE-2023-27561 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:runc-1.1.13-150000.67.1 moderate Every `named` instance configured to run as a recursive resolver maintains a cache database holding the responses to the queries it has recently sent to authoritative servers. The size limit for that cache database can be configured using the `max-cache-size` statement in the configuration file; it defaults to 90% of the total amount of memory available on the host. When the size of the cache reaches 7/8 of the configured limit, a cache-cleaning algorithm starts to remove expired and/or least-recently used RRsets from the cache, to keep memory use below the configured limit. It has been discovered that the effectiveness of the cache-cleaning algorithm used in `named` can be severely diminished by querying the resolver for specific RRsets in a certain order, effectively allowing the configured `max-cache-size` limit to be significantly exceeded. This issue affects BIND 9 versions 9.11.0 through 9.16.41, 9.18.0 through 9.18.15, 9.19.0 through 9.19.13, 9.11.3-S1 through 9.16.41-S1, and 9.18.11-S1 through 9.18.15-S1. CVE-2023-2828 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:bind-utils-9.16.6-150300.22.47.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libbind9-1600-9.16.6-150300.22.47.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libdns1605-9.16.6-150300.22.47.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libirs1601-9.16.6-150300.22.47.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libisc1606-9.16.6-150300.22.47.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libisccc1600-9.16.6-150300.22.47.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libisccfg1600-9.16.6-150300.22.47.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libns1604-9.16.6-150300.22.47.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:python3-bind-9.16.6-150300.22.47.1 important A denial of service vulnerability exists in curl <v8.1.0 in the way libcurl provides several different backends for resolving host names, selected at build time. If it is built to use the synchronous resolver, it allows name resolves to time-out slow operations using `alarm()` and `siglongjmp()`. When doing this, libcurl used a global buffer that was not mutex protected and a multi-threaded application might therefore crash or otherwise misbehave. CVE-2023-28320 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:curl-7.66.0-150200.4.72.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libcurl4-7.66.0-150200.4.72.1 low An improper certificate validation vulnerability exists in curl <v8.1.0 in the way it supports matching of wildcard patterns when listed as "Subject Alternative Name" in TLS server certificates. curl can be built to use its own name matching function for TLS rather than one provided by a TLS library. This private wildcard matching function would match IDN (International Domain Name) hosts incorrectly and could as a result accept patterns that otherwise should mismatch. IDN hostnames are converted to puny code before used for certificate checks. Puny coded names always start with `xn--` and should not be allowed to pattern match, but the wildcard check in curl could still check for `x*`, which would match even though the IDN name most likely contained nothing even resembling an `x`. CVE-2023-28321 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:curl-7.66.0-150200.4.72.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libcurl4-7.66.0-150200.4.72.1 moderate An information disclosure vulnerability exists in curl <v8.1.0 when doing HTTP(S) transfers, libcurl might erroneously use the read callback (`CURLOPT_READFUNCTION`) to ask for data to send, even when the `CURLOPT_POSTFIELDS` option has been set, if the same handle previously wasused to issue a `PUT` request which used that callback. This flaw may surprise the application and cause it to misbehave and either send off the wrong data or use memory after free or similar in the second transfer. The problem exists in the logic for a reused handle when it is (expected to be) changed from a PUT to a POST. CVE-2023-28322 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:curl-7.66.0-150200.4.72.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libcurl4-7.66.0-150200.4.72.1 moderate A NULL pointer dereference flaw was found in the UNIX protocol in net/unix/diag.c In unix_diag_get_exact in the Linux Kernel. The newly allocated skb does not have sk, leading to a NULL pointer. This flaw allows a local user to crash or potentially cause a denial of service. CVE-2023-28327 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate A NULL pointer dereference flaw was found in the az6027 driver in drivers/media/usb/dev-usb/az6027.c in the Linux Kernel. The message from user space is not checked properly before transferring into the device. This flaw allows a local user to crash the system or potentially cause a denial of service. CVE-2023-28328 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate Open redirect vulnerability in Tornado versions 6.3.1 and earlier allows a remote unauthenticated attacker to redirect a user to an arbitrary web site and conduct a phishing attack by having user access a specially crafted URL. CVE-2023-28370 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:python3-salt-3006.0-150300.53.79.2 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:salt-3006.0-150300.53.79.2 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:salt-minion-3006.0-150300.53.79.2 low hci_conn_cleanup in net/bluetooth/hci_conn.c in the Linux kernel through 6.2.9 has a use-after-free (observed in hci_conn_hash_flush) because of calls to hci_dev_put and hci_conn_put. There is a double free that may lead to privilege escalation. CVE-2023-28464 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 important do_tls_getsockopt in net/tls/tls_main.c in the Linux kernel through 6.2.6 lacks a lock_sock call, leading to a race condition (with a resultant use-after-free or NULL pointer dereference). CVE-2023-28466 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 important In libxml2 before 2.10.4, parsing of certain invalid XSD schemas can lead to a NULL pointer dereference and subsequently a segfault. This occurs in xmlSchemaFixupComplexType in xmlschemas.c. CVE-2023-28484 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libxml2-2-2.9.7-150000.3.70.1 moderate Sudo before 1.9.13 does not escape control characters in log messages. CVE-2023-28486 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:sudo-1.9.5p2-150300.3.33.1 moderate Sudo before 1.9.13 does not escape control characters in sudoreplay output. CVE-2023-28487 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:sudo-1.9.5p2-150300.3.33.1 moderate An out-of-bounds read vulnerability was found in the SR-IPv6 implementation in the Linux kernel. The flaw exists within the processing of seg6 attributes. The issue results from the improper validation of user-supplied data, which can result in a read past the end of an allocated buffer. This flaw allows a privileged local user to disclose sensitive information on affected installations of the Linux kernel. CVE-2023-2860 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate runc is a CLI tool for spawning and running containers according to the OCI specification. It was found that AppArmor can be bypassed when `/proc` inside the container is symlinked with a specific mount configuration. This issue has been fixed in runc version 1.1.5, by prohibiting symlinked `/proc`. See PR #3785 for details. users are advised to upgrade. Users unable to upgrade should avoid using an untrusted container image. CVE-2023-28642 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:runc-1.1.13-150000.67.1 moderate Information exposure through microarchitectural state after transient execution from some register files for some Intel(R) Atom(R) Processors may allow an authenticated user to potentially enable information disclosure via local access. CVE-2023-28746 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:xen-libs-4.14.6_16-150300.3.75.1 moderate An issue was discovered in the Linux kernel before 5.13.3. lib/seq_buf.c has a seq_buf_putmem_hex buffer overflow. CVE-2023-28772 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 important Moby is an open source container framework developed by Docker Inc. that is distributed as Docker, Mirantis Container Runtime, and various other downstream projects/products. The Moby daemon component (`dockerd`), which is developed as moby/moby, is commonly referred to as *Docker*. Swarm Mode, which is compiled in and delivered by default in dockerd and is thus present in most major Moby downstreams, is a simple, built-in container orchestrator that is implemented through a combination of SwarmKit and supporting network code. The overlay network driver is a core feature of Swarm Mode, providing isolated virtual LANs that allow communication between containers and services across the cluster. This driver is an implementation/user of VXLAN, which encapsulates link-layer (Ethernet) frames in UDP datagrams that tag the frame with a VXLAN Network ID (VNI) that identifies the originating overlay network. In addition, the overlay network driver supports an optional, off-by-default encrypted mode, which is especially useful when VXLAN packets traverses an untrusted network between nodes. Encrypted overlay networks function by encapsulating the VXLAN datagrams through the use of the IPsec Encapsulating Security Payload protocol in Transport mode. By deploying IPSec encapsulation, encrypted overlay networks gain the additional properties of source authentication through cryptographic proof, data integrity through check-summing, and confidentiality through encryption. When setting an endpoint up on an encrypted overlay network, Moby installs three iptables (Linux kernel firewall) rules that enforce both incoming and outgoing IPSec. These rules rely on the u32 iptables extension provided by the xt_u32 kernel module to directly filter on a VXLAN packet's VNI field, so that IPSec guarantees can be enforced on encrypted overlay networks without interfering with other overlay networks or other users of VXLAN. Two iptables rules serve to filter incoming VXLAN datagrams with a VNI that corresponds to an encrypted network and discards unencrypted datagrams. The rules are appended to the end of the INPUT filter chain, following any rules that have been previously set by the system administrator. Administrator-set rules take precedence over the rules Moby sets to discard unencrypted VXLAN datagrams, which can potentially admit unencrypted datagrams that should have been discarded. The injection of arbitrary Ethernet frames can enable a Denial of Service attack. A sophisticated attacker may be able to establish a UDP or TCP connection by way of the container's outbound gateway that would otherwise be blocked by a stateful firewall, or carry out other escalations beyond simple injection by smuggling packets into the overlay network. Patches are available in Moby releases 23.0.3 and 20.10.24. As Mirantis Container Runtime's 20.10 releases are numbered differently, users of that platform should update to 20.10.16. Some workarounds are available. Close the VXLAN port (by default, UDP port 4789) to incoming traffic at the Internet boundary to prevent all VXLAN packet injection, and/or ensure that the `xt_u32` kernel module is available on all nodes of the Swarm cluster. CVE-2023-28840 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:docker-25.0.6_ce-150000.203.1 important Moby is an open source container framework developed by Docker Inc. that is distributed as Docker, Mirantis Container Runtime, and various other downstream projects/products. The Moby daemon component (`dockerd`), which is developed as moby/moby is commonly referred to as *Docker*. Swarm Mode, which is compiled in and delivered by default in `dockerd` and is thus present in most major Moby downstreams, is a simple, built-in container orchestrator that is implemented through a combination of SwarmKit and supporting network code. The `overlay` network driver is a core feature of Swarm Mode, providing isolated virtual LANs that allow communication between containers and services across the cluster. This driver is an implementation/user of VXLAN, which encapsulates link-layer (Ethernet) frames in UDP datagrams that tag the frame with the VXLAN metadata, including a VXLAN Network ID (VNI) that identifies the originating overlay network. In addition, the overlay network driver supports an optional, off-by-default encrypted mode, which is especially useful when VXLAN packets traverses an untrusted network between nodes. Encrypted overlay networks function by encapsulating the VXLAN datagrams through the use of the IPsec Encapsulating Security Payload protocol in Transport mode. By deploying IPSec encapsulation, encrypted overlay networks gain the additional properties of source authentication through cryptographic proof, data integrity through check-summing, and confidentiality through encryption. When setting an endpoint up on an encrypted overlay network, Moby installs three iptables (Linux kernel firewall) rules that enforce both incoming and outgoing IPSec. These rules rely on the `u32` iptables extension provided by the `xt_u32` kernel module to directly filter on a VXLAN packet's VNI field, so that IPSec guarantees can be enforced on encrypted overlay networks without interfering with other overlay networks or other users of VXLAN. An iptables rule designates outgoing VXLAN datagrams with a VNI that corresponds to an encrypted overlay network for IPsec encapsulation. Encrypted overlay networks on affected platforms silently transmit unencrypted data. As a result, `overlay` networks may appear to be functional, passing traffic as expected, but without any of the expected confidentiality or data integrity guarantees. It is possible for an attacker sitting in a trusted position on the network to read all of the application traffic that is moving across the overlay network, resulting in unexpected secrets or user data disclosure. Thus, because many database protocols, internal APIs, etc. are not protected by a second layer of encryption, a user may use Swarm encrypted overlay networks to provide confidentiality, which due to this vulnerability this is no longer guaranteed. Patches are available in Moby releases 23.0.3, and 20.10.24. As Mirantis Container Runtime's 20.10 releases are numbered differently, users of that platform should update to 20.10.16. Some workarounds are available. Close the VXLAN port (by default, UDP port 4789) to outgoing traffic at the Internet boundary in order to prevent unintentionally leaking unencrypted traffic over the Internet, and/or ensure that the `xt_u32` kernel module is available on all nodes of the Swarm cluster. CVE-2023-28841 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:docker-25.0.6_ce-150000.203.1 moderate Moby) is an open source container framework developed by Docker Inc. that is distributed as Docker, Mirantis Container Runtime, and various other downstream projects/products. The Moby daemon component (`dockerd`), which is developed as moby/moby is commonly referred to as *Docker*. Swarm Mode, which is compiled in and delivered by default in `dockerd` and is thus present in most major Moby downstreams, is a simple, built-in container orchestrator that is implemented through a combination of SwarmKit and supporting network code. The `overlay` network driver is a core feature of Swarm Mode, providing isolated virtual LANs that allow communication between containers and services across the cluster. This driver is an implementation/user of VXLAN, which encapsulates link-layer (Ethernet) frames in UDP datagrams that tag the frame with the VXLAN metadata, including a VXLAN Network ID (VNI) that identifies the originating overlay network. In addition, the overlay network driver supports an optional, off-by-default encrypted mode, which is especially useful when VXLAN packets traverses an untrusted network between nodes. Encrypted overlay networks function by encapsulating the VXLAN datagrams through the use of the IPsec Encapsulating Security Payload protocol in Transport mode. By deploying IPSec encapsulation, encrypted overlay networks gain the additional properties of source authentication through cryptographic proof, data integrity through check-summing, and confidentiality through encryption. When setting an endpoint up on an encrypted overlay network, Moby installs three iptables (Linux kernel firewall) rules that enforce both incoming and outgoing IPSec. These rules rely on the `u32` iptables extension provided by the `xt_u32` kernel module to directly filter on a VXLAN packet's VNI field, so that IPSec guarantees can be enforced on encrypted overlay networks without interfering with other overlay networks or other users of VXLAN. The `overlay` driver dynamically and lazily defines the kernel configuration for the VXLAN network on each node as containers are attached and detached. Routes and encryption parameters are only defined for destination nodes that participate in the network. The iptables rules that prevent encrypted overlay networks from accepting unencrypted packets are not created until a peer is available with which to communicate. Encrypted overlay networks silently accept cleartext VXLAN datagrams that are tagged with the VNI of an encrypted overlay network. As a result, it is possible to inject arbitrary Ethernet frames into the encrypted overlay network by encapsulating them in VXLAN datagrams. The implications of this can be quite dire, and GHSA-vwm3-crmr-xfxw should be referenced for a deeper exploration. Patches are available in Moby releases 23.0.3, and 20.10.24. As Mirantis Container Runtime's 20.10 releases are numbered differently, users of that platform should update to 20.10.16. Some workarounds are available. In multi-node clusters, deploy a global 'pause' container for each encrypted overlay network, on every node. For a single-node cluster, do not use overlay networks of any sort. Bridge networks provide the same connectivity on a single node and have no multi-node features. The Swarm ingress feature is implemented using an overlay network, but can be disabled by publishing ports in `host` mode instead of `ingress` mode (allowing the use of an external load balancer), and removing the `ingress` network. If encrypted overlay networks are in exclusive use, block UDP port 4789 from traffic that has not been validated by IPSec. CVE-2023-28842 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:docker-25.0.6_ce-150000.203.1 moderate In Shadow 4.13, it is possible to inject control characters into fields provided to the SUID program chfn (change finger). Although it is not possible to exploit this directly (e.g., adding a new user fails because \n is in the block list), it is possible to misrepresent the /etc/passwd file when viewed. Use of \r manipulations and Unicode characters to work around blocking of the : character make it possible to give the impression that a new user has been added. In other words, an adversary may be able to convince a system administrator to take the system offline (an indirect, social-engineered denial of service) by demonstrating that "cat /etc/passwd" shows a rogue user account. CVE-2023-29383 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:login_defs-4.8.1-150300.4.18.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:shadow-4.8.1-150300.4.18.1 moderate An issue was discovered in libxml2 before 2.10.4. When hashing empty dict strings in a crafted XML document, xmlDictComputeFastKey in dict.c can produce non-deterministic values, leading to various logic and memory errors, such as a double free. This behavior occurs because there is an attempt to use the first byte of an empty string, and any value is possible (not solely the '\0' value). CVE-2023-29469 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libxml2-2-2.9.7-150000.3.70.1 moderate ncurses before 6.4 20230408, when used by a setuid application, allows local users to trigger security-relevant memory corruption via malformed data in a terminfo database file that is found in $HOME/.terminfo or reached via the TERMINFO or TERM environment variable. CVE-2023-29491 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libncurses6-6.1-150000.5.24.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:ncurses-utils-6.1-150000.5.24.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:terminfo-6.1-150000.5.24.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:terminfo-base-6.1-150000.5.24.1 moderate A vulnerability was found in openldap. This security flaw causes a null pointer dereference in ber_memalloc_x() function. CVE-2023-2953 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libldap-2_4-2-2.4.46-150200.14.17.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libldap-data-2.4.46-150200.14.17.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:openldap2-client-2.4.46-150200.14.17.1 moderate A use after free flaw was found in hfsplus_put_super in fs/hfsplus/super.c in the Linux Kernel. This flaw could allow a local user to cause a denial of service problem. CVE-2023-2985 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate DO NOT USE THIS CVE RECORD. ConsultIDs: CVE-2023-32181. Reason: This record is a duplicate of CVE-2023-32181. Notes: All CVE users should reference CVE-2023-32181 instead of this record. All references and descriptions in this record have been removed to prevent accidental usage. CVE-2023-30078 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libeconf0-0.5.2-150300.3.11.1 important DO NOT USE THIS CVE RECORD. ConsultIDs: CVE-2023-22652. Reason: This record is a duplicate of CVE-2023-22652. Notes: All CVE users should reference CVE-2023-22652 instead of this record. All references and descriptions in this record have been removed to prevent accidental usage. CVE-2023-30079 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libeconf0-0.5.2-150300.3.11.1 important Dmidecode before 3.5 allows -dump-bin to overwrite a local file. This has security relevance because, for example, execution of Dmidecode via Sudo is plausible. NOTE: Some third parties have indicated the fix in 3.5 does not adequately address the vulnerability. The argument is that the proposed patch prevents dmidecode from writing to an existing file. However, there are multiple attack vectors that would not require overwriting an existing file that would provide the same level of unauthorized privilege escalation (e.g. creating a new file in /etc/cron.hourly). CVE-2023-30630 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:dmidecode-3.2-150100.9.16.1 moderate The Linux kernel before 6.2.9 has a race condition and resultant use-after-free in drivers/power/supply/da9150-charger.c if a physically proximate attacker unplugs a device. CVE-2023-30772 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate A heap out-of-bounds write vulnerability in the Linux Kernel ipvlan network driver can be exploited to achieve local privilege escalation. The out-of-bounds write is caused by missing skb->cb initialization in the ipvlan network driver. The vulnerability is reachable if CONFIG_IPVLAN is enabled. We recommend upgrading past commit 90cbed5247439a966b645b34eb0a2e037836ea8e. CVE-2023-3090 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 important An issue was discovered in drivers/bluetooth/hci_ldisc.c in the Linux kernel 6.2. In hci_uart_tty_ioctl, there is a race condition between HCIUARTSETPROTO and HCIUARTGETPROTO. HCI_UART_PROTO_SET is set before hu->proto is set. A NULL pointer dereference may occur. CVE-2023-31083 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate An issue was discovered in drivers/media/dvb-core/dvb_frontend.c in the Linux kernel 6.2. There is a blocking operation when a task is in !TASK_RUNNING. In dvb_frontend_get_event, wait_event_interruptible is called; the condition is dvb_frontend_test_event(fepriv,events). In dvb_frontend_test_event, down(&fepriv->sem) is called. However, wait_event_interruptible would put the process to sleep, and down(&fepriv->sem) may block the process. CVE-2023-31084 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate An issue was discovered in drivers/mtd/ubi/cdev.c in the Linux kernel 6.2. There is a divide-by-zero error in do_div(sz,mtd->erasesize), used indirectly by ctrl_cdev_ioctl, when mtd->erasesize is 0. CVE-2023-31085 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate A use after free vulnerability was found in prepare_to_relocate in fs/btrfs/relocation.c in btrfs in the Linux Kernel. This possible flaw can be triggered by calling btrfs_ioctl_balance() before calling btrfs_ioctl_defrag(). CVE-2023-3111 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate c-ares is an asynchronous resolver library. When cross-compiling c-ares and using the autotools build system, CARES_RANDOM_FILE will not be set, as seen when cross compiling aarch64 android. This will downgrade to using rand() as a fallback which could allow an attacker to take advantage of the lack of entropy by not using a CSPRNG. This issue was patched in version 1.19.1. CVE-2023-31124 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libcares2-1.19.1-150000.3.26.1 low c-ares is an asynchronous resolver library. ares_inet_net_pton() is vulnerable to a buffer underflow for certain ipv6 addresses, in particular "0::00:00:00/2" was found to cause an issue. C-ares only uses this function internally for configuration purposes which would require an administrator to configure such an address via ares_set_sortlist(). However, users may externally use ares_inet_net_pton() for other purposes and thus be vulnerable to more severe issues. This issue has been fixed in 1.19.1. CVE-2023-31130 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libcares2-1.19.1-150000.3.26.1 moderate c-ares is an asynchronous resolver library. When /dev/urandom or RtlGenRandom() are unavailable, c-ares uses rand() to generate random numbers used for DNS query ids. This is not a CSPRNG, and it is also not seeded by srand() so will generate predictable output. Input from the random number generator is fed into a non-compilant RC4 implementation and may not be as strong as the original RC4 implementation. No attempt is made to look for modern OS-provided CSPRNGs like arc4random() that is widely available. This issue has been fixed in version 1.19.1. CVE-2023-31147 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libcares2-1.19.1-150000.3.26.1 moderate Linux Kernel nftables Use-After-Free Local Privilege Escalation Vulnerability; `nft_chain_lookup_byid()` failed to check whether a chain was active and CAP_NET_ADMIN is in any user or network namespace CVE-2023-31248 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 important A vulnerability was found in libX11. The security flaw occurs because the functions in src/InitExt.c in libX11 do not check that the values provided for the Request, Event, or Error IDs are within the bounds of the arrays that those functions write to, using those IDs as array indexes. They trust that they were called with values provided by an Xserver adhering to the bounds specified in the X11 protocol, as all X servers provided by X.Org do. As the protocol only specifies a single byte for these values, an out-of-bounds value provided by a malicious server (or a malicious proxy-in-the-middle) can only overwrite other portions of the Display structure and not write outside the bounds of the Display structure itself, possibly causing the client to crash with this memory corruption. CVE-2023-3138 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libX11-6-1.6.5-150000.3.33.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libX11-data-1.6.5-150000.3.33.1 important A use-after-free flaw was found in r592_remove in drivers/memstick/host/r592.c in media access in the Linux Kernel. This flaw allows a local attacker to crash the system at device disconnect, possibly leading to a kernel information leak. CVE-2023-3141 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate qfq_change_class in net/sched/sch_qfq.c in the Linux kernel before 6.2.13 allows an out-of-bounds write because lmax can exceed QFQ_MIN_LMAX. CVE-2023-31436 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate CPAN.pm before 2.35 does not verify TLS certificates when downloading distributions over HTTPS. CVE-2023-31484 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:perl-5.26.1-150300.17.17.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:perl-base-5.26.1-150300.17.17.1 important A use after free issue was discovered in driver/firewire in outbound_phy_packet_callback in the Linux Kernel. In this flaw a local attacker with special privilege may cause a use after free problem when queue_event() fails. CVE-2023-3159 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 important A flaw was found in the Framebuffer Console (fbcon) in the Linux Kernel. When providing font->width and font->height greater than 32 to fbcon_set_font, since there are no checks in place, a shift-out-of-bounds occurs leading to undefined behavior and possible denial of service. CVE-2023-3161 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate c-ares is an asynchronous resolver library. c-ares is vulnerable to denial of service. If a target resolver sends a query, the attacker forges a malformed UDP packet with a length of 0 and returns them to the target resolver. The target resolver erroneously interprets the 0 length as a graceful shutdown of the connection. This issue has been patched in version 1.19.1. CVE-2023-32067 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libcares2-1.19.1-150000.3.26.1 important In the Linux kernel through 6.3.1, a use-after-free in Netfilter nf_tables when processing batch requests can be abused to perform arbitrary read and write operations on kernel memory. Unprivileged local users can obtain root privileges. This occurs because anonymous sets are mishandled. CVE-2023-32233 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 important An issue was discovered in the Linux kernel before 6.1.11. In net/netrom/af_netrom.c, there is a use-after-free because accept is also allowed for a successfully connected AF_NETROM socket. However, in order for an attacker to exploit this, the system must have netrom routing configured or the attacker must have the CAP_NET_ADMIN capability. CVE-2023-32269 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate OpenPrinting CUPS is an open source printing system. In versions 2.4.2 and prior, a heap buffer overflow vulnerability would allow a remote attacker to launch a denial of service (DoS) attack. A buffer overflow vulnerability in the function `format_log_line` could allow remote attackers to cause a DoS on the affected system. Exploitation of the vulnerability can be triggered when the configuration file `cupsd.conf` sets the value of `loglevel `to `DEBUG`. No known patches or workarounds exist at time of publication. CVE-2023-32324 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:cups-config-2.2.7-150000.3.62.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libcups2-2.2.7-150000.3.62.1 moderate An authentication issue was addressed with improved state management. This issue is fixed in macOS Big Sur 11.7.7, macOS Monterey 12.6.6, macOS Ventura 13.4. An unauthenticated user may be able to access recently printed documents. CVE-2023-32360 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:cups-config-2.2.7-150000.3.62.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libcups2-2.2.7-150000.3.62.1 moderate An out of bounds (OOB) memory access flaw was found in the Linux kernel in relay_file_read_start_pos in kernel/relay.c in the relayfs. This flaw could allow a local attacker to crash the system or leak kernel internal information. CVE-2023-3268 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate Requests is a HTTP library. Since Requests 2.3.0, Requests has been leaking Proxy-Authorization headers to destination servers when redirected to an HTTPS endpoint. This is a product of how we use `rebuild_proxies` to reattach the `Proxy-Authorization` header to requests. For HTTP connections sent through the tunnel, the proxy will identify the header in the request itself and remove it prior to forwarding to the destination server. However when sent over HTTPS, the `Proxy-Authorization` header must be sent in the CONNECT request as the proxy has no visibility into the tunneled request. This results in Requests forwarding proxy credentials to the destination server unintentionally, allowing a malicious actor to potentially exfiltrate sensitive information. This issue has been patched in version 2.31.0. CVE-2023-32681 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:python3-requests-2.25.1-150300.3.12.2 moderate An issue was discovered in the Linux kernel before 6.2.9. A use-after-free was found in bq24190_remove in drivers/power/supply/bq24190_charger.c. It could allow a local attacker to crash the system due to a race condition. CVE-2023-33288 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate The code that processes control channel messages sent to `named` calls certain functions recursively during packet parsing. Recursion depth is only limited by the maximum accepted packet size; depending on the environment, this may cause the packet-parsing code to run out of available stack memory, causing `named` to terminate unexpectedly. Since each incoming control channel message is fully parsed before its contents are authenticated, exploiting this flaw does not require the attacker to hold a valid RNDC key; only network access to the control channel's configured TCP port is necessary. This issue affects BIND 9 versions 9.2.0 through 9.16.43, 9.18.0 through 9.18.18, 9.19.0 through 9.19.16, 9.9.3-S1 through 9.16.43-S1, and 9.18.0-S1 through 9.18.18-S1. CVE-2023-3341 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:bind-utils-9.16.6-150300.22.47.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libbind9-1600-9.16.6-150300.22.47.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libdns1605-9.16.6-150300.22.47.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libirs1601-9.16.6-150300.22.47.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libisc1606-9.16.6-150300.22.47.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libisccc1600-9.16.6-150300.22.47.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libisccfg1600-9.16.6-150300.22.47.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libns1604-9.16.6-150300.22.47.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:python3-bind-9.16.6-150300.22.47.1 important There's a memory leak in yajl 2.1.0 with use of yajl_tree_parse function. which will cause out-of-memory in server and cause crash. CVE-2023-33460 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libyajl2-2.1.0-150000.4.6.1 moderate A null pointer dereference was found in the Linux kernel's Integrated Sensor Hub (ISH) driver. This issue could allow a local user to crash the system. CVE-2023-3358 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate A use-after-free vulnerability was found in the Linux kernel's netfilter subsystem in net/netfilter/nf_tables_api.c. Mishandled error handling with NFT_MSG_NEWRULE makes it possible to use a dangling pointer in the same transaction causing a use-after-free vulnerability. This flaw allows a local attacker with user access to cause a privilege escalation issue. We recommend upgrading past commit 1240eb93f0616b21c675416516ff3d74798fdc97. CVE-2023-3390 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 important The Salt-SSH pre-flight option copies the script to the target at a predictable path, which allows an attacker to force Salt-SSH to run their script. If an attacker has access to the target VM and knows the path to the pre-flight script before it runs they can ensure Salt-SSH runs their script with the privileges of the user running Salt-SSH. Do not make the copy path on the target predictable and ensure we check return codes of the scp command if the copy fails. CVE-2023-34049 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:python3-salt-3006.0-150300.53.79.2 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:salt-3006.0-150300.53.79.2 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:salt-minion-3006.0-150300.53.79.2 moderate OpenPrinting CUPS is a standards-based, open source printing system for Linux and other Unix-like operating systems. Starting in version 2.0.0 and prior to version 2.4.6, CUPS logs data of free memory to the logging service AFTER the connection has been closed, when it should have logged the data right before. This is a use-after-free bug that impacts the entire cupsd process. The exact cause of this issue is the function `httpClose(con->http)` being called in `scheduler/client.c`. The problem is that httpClose always, provided its argument is not null, frees the pointer at the end of the call, only for cupsdLogClient to pass the pointer to httpGetHostname. This issue happens in function `cupsdAcceptClient` if LogLevel is warn or higher and in two scenarios: there is a double-lookup for the IP Address (HostNameLookups Double is set in `cupsd.conf`) which fails to resolve, or if CUPS is compiled with TCP wrappers and the connection is refused by rules from `/etc/hosts.allow` and `/etc/hosts.deny`. Version 2.4.6 has a patch for this issue. CVE-2023-34241 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:cups-config-2.2.7-150000.3.62.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libcups2-2.2.7-150000.3.62.1 important The fix for XSA-423 added logic to Linux'es netback driver to deal with a frontend splitting a packet in a way such that not all of the headers would come in one piece. Unfortunately the logic introduced there didn't account for the extreme case of the entire packet being split into as many pieces as permitted by the protocol, yet still being smaller than the area that's specially dealt with to keep all (possible) headers together. Such an unusual packet would therefore trigger a buffer overrun in the driver. CVE-2023-34319 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate For migration as well as to work around kernels unaware of L1TF (see XSA-273), PV guests may be run in shadow paging mode. Since Xen itself needs to be mapped when PV guests run, Xen and shadowed PV guests run directly the respective shadow page tables. For 64-bit PV guests this means running on the shadow of the guest root page table. In the course of dealing with shortage of memory in the shadow pool associated with a domain, shadows of page tables may be torn down. This tearing down may include the shadow root page table that the CPU in question is presently running on. While a precaution exists to supposedly prevent the tearing down of the underlying live page table, the time window covered by that precaution isn't large enough. CVE-2023-34322 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:xen-libs-4.14.6_16-150300.3.75.1 important When a transaction is committed, C Xenstored will first check the quota is correct before attempting to commit any nodes. It would be possible that accounting is temporarily negative if a node has been removed outside of the transaction. Unfortunately, some versions of C Xenstored are assuming that the quota cannot be negative and are using assert() to confirm it. This will lead to C Xenstored crash when tools are built without -DNDEBUG (this is the default). CVE-2023-34323 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:xen-libs-4.14.6_16-150300.3.75.1 moderate [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] libfsimage contains parsing code for several filesystems, most of them based on grub-legacy code. libfsimage is used by pygrub to inspect guest disks. Pygrub runs as the same user as the toolstack (root in a priviledged domain). At least one issue has been reported to the Xen Security Team that allows an attacker to trigger a stack buffer overflow in libfsimage. After further analisys the Xen Security Team is no longer confident in the suitability of libfsimage when run against guest controlled input with super user priviledges. In order to not affect current deployments that rely on pygrub patches are provided in the resolution section of the advisory that allow running pygrub in deprivileged mode. CVE-2023-4949 refers to the original issue in the upstream grub project ("An attacker with local access to a system (either through a disk or external drive) can present a modified XFS partition to grub-legacy in such a way to exploit a memory corruption in grub's XFS file system implementation.") CVE-2023-34325 refers specifically to the vulnerabilities in Xen's copy of libfsimage, which is decended from a very old version of grub. CVE-2023-34325 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:xen-libs-4.14.6_16-150300.3.75.1 moderate The caching invalidation guidelines from the AMD-Vi specification (48882—Rev 3.07-PUB—Oct 2022) is incorrect on some hardware, as devices will malfunction (see stale DMA mappings) if some fields of the DTE are updated but the IOMMU TLB is not flushed. Such stale DMA mappings can point to memory ranges not owned by the guest, thus allowing access to unindented memory regions. CVE-2023-34326 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:xen-libs-4.14.6_16-150300.3.75.1 important [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] AMD CPUs since ~2014 have extensions to normal x86 debugging functionality. Xen supports guests using these extensions. Unfortunately there are errors in Xen's handling of the guest state, leading to denials of service. 1) CVE-2023-34327 - An HVM vCPU can end up operating in the context of a previous vCPUs debug mask state. 2) CVE-2023-34328 - A PV vCPU can place a breakpoint over the live GDT. This allows the PV vCPU to exploit XSA-156 / CVE-2015-8104 and lock up the CPU entirely. CVE-2023-34327 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:xen-libs-4.14.6_16-150300.3.75.1 moderate Issue summary: Checking excessively long DH keys or parameters may be very slow. Impact summary: Applications that use the functions DH_check(), DH_check_ex() or EVP_PKEY_param_check() to check a DH key or DH parameters may experience long delays. Where the key or parameters that are being checked have been obtained from an untrusted source this may lead to a Denial of Service. The function DH_check() performs various checks on DH parameters. One of those checks confirms that the modulus ('p' parameter) is not too large. Trying to use a very large modulus is slow and OpenSSL will not normally use a modulus which is over 10,000 bits in length. However the DH_check() function checks numerous aspects of the key or parameters that have been supplied. Some of those checks use the supplied modulus value even if it has already been found to be too large. An application that calls DH_check() and supplies a key or parameters obtained from an untrusted source could be vulernable to a Denial of Service attack. The function DH_check() is itself called by a number of other OpenSSL functions. An application calling any of those other functions may similarly be affected. The other functions affected by this are DH_check_ex() and EVP_PKEY_param_check(). Also vulnerable are the OpenSSL dhparam and pkeyparam command line applications when using the '-check' option. The OpenSSL SSL/TLS implementation is not affected by this issue. The OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue. CVE-2023-3446 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libopenssl1_1-1.1.1d-150200.11.91.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:openssl-1_1-1.1.1d-150200.11.91.1 moderate An infinite loop vulnerability was found in Samba's mdssvc RPC service for Spotlight. When parsing Spotlight mdssvc RPC packets sent by the client, the core unmarshalling function sl_unpack_loop() did not validate a field in the network packet that contains the count of elements in an array-like structure. By passing 0 as the count value, the attacked function will run in an endless loop consuming 100% CPU. This flaw allows an attacker to issue a malformed RPC request, triggering an infinite loop, resulting in a denial of service condition. CVE-2023-34966 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:samba-client-libs-4.15.13+git.710.7032820fcd-150300.3.66.2 important A Type Confusion vulnerability was found in Samba's mdssvc RPC service for Spotlight. When parsing Spotlight mdssvc RPC packets, one encoded data structure is a key-value style dictionary where the keys are character strings, and the values can be any of the supported types in the mdssvc protocol. Due to a lack of type checking in callers of the dalloc_value_for_key() function, which returns the object associated with a key, a caller may trigger a crash in talloc_get_size() when talloc detects that the passed-in pointer is not a valid talloc pointer. With an RPC worker process shared among multiple client connections, a malicious client or attacker can trigger a process crash in a shared RPC mdssvc worker process, affecting all other clients this worker serves. CVE-2023-34967 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:samba-client-libs-4.15.13+git.710.7032820fcd-150300.3.66.2 moderate A path disclosure vulnerability was found in Samba. As part of the Spotlight protocol, Samba discloses the server-side absolute path of shares, files, and directories in the results for search queries. This flaw allows a malicious client or an attacker with a targeted RPC request to view the information that is part of the disclosed path. CVE-2023-34968 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:samba-client-libs-4.15.13+git.710.7032820fcd-150300.3.66.2 moderate D-Bus before 1.15.6 sometimes allows unprivileged users to crash dbus-daemon. If a privileged user with control over the dbus-daemon is using the org.freedesktop.DBus.Monitoring interface to monitor message bus traffic, then an unprivileged user with the ability to connect to the same dbus-daemon can cause a dbus-daemon crash under some circumstances via an unreplyable message. When done on the well-known system bus, this is a denial-of-service vulnerability. The fixed versions are 1.12.28, 1.14.8, and 1.15.6. CVE-2023-34969 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:dbus-1-1.12.2-150100.8.17.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libdbus-1-3-1.12.2-150100.8.17.1 moderate Linux Kernel nftables Out-Of-Bounds Read/Write Vulnerability; nft_byteorder poorly handled vm register contents when CAP_NET_ADMIN is in any user or network namespace CVE-2023-35001 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 important A use-after-free flaw was found in vcs_read in drivers/tty/vt/vc_screen.c in vc_screen in the Linux Kernel. This issue may allow an attacker with local user access to cause a system crash or leak internal kernel information. CVE-2023-3567 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 important An issue was discovered in fl_set_geneve_opt in net/sched/cls_flower.c in the Linux kernel before 6.3.7. It allows an out-of-bounds write in the flower classifier code via TCA_FLOWER_KEY_ENC_OPTS_GENEVE packets. This may result in denial of service or privilege escalation. CVE-2023-35788 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 important An issue was discovered in the Linux kernel before 6.3.2. A use-after-free was found in saa7134_finidev in drivers/media/pci/saa7134/saa7134-core.c. CVE-2023-35823 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate An issue was discovered in the Linux kernel before 6.3.2. A use-after-free was found in dm1105_remove in drivers/media/pci/dm1105/dm1105.c. CVE-2023-35824 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate An issue was discovered in the Linux kernel through 6.3.8. A use-after-free was found in ravb_remove in drivers/net/ethernet/renesas/ravb_main.c. CVE-2023-35827 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate An issue was discovered in the Linux kernel before 6.3.2. A use-after-free was found in renesas_usb3_remove in drivers/usb/gadget/udc/renesas_usb3.c. CVE-2023-35828 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate Envoy is a cloud-native high-performance edge/middle/service proxy. Envoy's HTTP/2 codec may leak a header map and bookkeeping structures upon receiving `RST_STREAM` immediately followed by the `GOAWAY` frames from an upstream server. In nghttp2, cleanup of pending requests due to receipt of the `GOAWAY` frame skips de-allocation of the bookkeeping structure and pending compressed header. The error return [code path] is taken if connection is already marked for not sending more requests due to `GOAWAY` frame. The clean-up code is right after the return statement, causing memory leak. Denial of service through memory exhaustion. This vulnerability was patched in versions(s) 1.26.3, 1.25.8, 1.24.9, 1.23.11. CVE-2023-35945 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libnghttp2-14-1.40.0-150200.17.1 important lib/kadm5/kadm_rpc_xdr.c in MIT Kerberos 5 (aka krb5) before 1.20.2 and 1.21.x before 1.21.1 frees an uninitialized pointer. A remote authenticated user can trigger a kadmind crash. This occurs because _xdr_kadm5_principal_ent_rec does not validate the relationship between n_key_data and the key_data array count. CVE-2023-36054 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:krb5-1.19.2-150300.19.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:krb5-client-1.19.2-150300.19.1 important A use-after-free vulnerability in the Linux kernel's net/sched: cls_u32 component can be exploited to achieve local privilege escalation. If tcf_change_indev() fails, u32_set_parms() will immediately return an error after incrementing or decrementing the reference counter in tcf_bind_filter(). If an attacker can control the reference counter and set it to zero, they can cause the reference to be freed, leading to a use-after-free vulnerability. We recommend upgrading past commit 04c55383fa5689357bcdd2c8036725a55ed632bc. CVE-2023-3609 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate An out-of-bounds write vulnerability in the Linux kernel's net/sched: sch_qfq component can be exploited to achieve local privilege escalation. The qfq_change_agg() function in net/sched/sch_qfq.c allows an out-of-bounds write because lmax is updated according to packet sizes without bounds checks. We recommend upgrading past commit 3e337087c3b5805fe0b8a46ba622a962880b5d64. CVE-2023-3611 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate A flaw was found in the Linux kernel's IP framework for transforming packets (XFRM subsystem). This issue may allow a malicious user with CAP_NET_ADMIN privileges to directly dereference a NULL pointer in xfrm_update_ae_params(), leading to a possible kernel crash and denial of service. CVE-2023-3772 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate A use-after-free vulnerability in the Linux kernel's net/sched: cls_fw component can be exploited to achieve local privilege escalation. If tcf_change_indev() fails, fw_set_parms() will immediately return an error after incrementing or decrementing the reference counter in tcf_bind_filter(). If an attacker can control the reference counter and set it to zero, they can cause the reference to be freed, leading to a use-after-free vulnerability. We recommend upgrading past commit 0323bce598eea038714f941ce2b22541c46d488f. CVE-2023-3776 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate A use-after-free vulnerability in the Linux kernel's netfilter: nf_tables component can be exploited to achieve local privilege escalation. When nf_tables_delrule() is flushing table rules, it is not checked whether the chain is bound and the chain's owner rule can also release the objects in certain circumstances. We recommend upgrading past commit 6eaf41e87a223ae6f8e7a28d6e78384ad7e407f8. CVE-2023-3777 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 important An out-of-bounds memory access flaw was found in the Linux kernel's TUN/TAP device driver functionality in how a user generates a malicious (too big) networking packet when napi frags is enabled. This flaw allows a local user to crash or potentially escalate their privileges on the system. CVE-2023-3812 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 important Issue summary: Checking excessively long DH keys or parameters may be very slow. Impact summary: Applications that use the functions DH_check(), DH_check_ex() or EVP_PKEY_param_check() to check a DH key or DH parameters may experience long delays. Where the key or parameters that are being checked have been obtained from an untrusted source this may lead to a Denial of Service. The function DH_check() performs various checks on DH parameters. After fixing CVE-2023-3446 it was discovered that a large q parameter value can also trigger an overly long computation during some of these checks. A correct q value, if present, cannot be larger than the modulus p parameter, thus it is unnecessary to perform these checks if q is larger than p. An application that calls DH_check() and supplies a key or parameters obtained from an untrusted source could be vulnerable to a Denial of Service attack. The function DH_check() is itself called by a number of other OpenSSL functions. An application calling any of those other functions may similarly be affected. The other functions affected by this are DH_check_ex() and EVP_PKEY_param_check(). Also vulnerable are the OpenSSL dhparam and pkeyparam command line applications when using the "-check" option. The OpenSSL SSL/TLS implementation is not affected by this issue. The OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue. CVE-2023-3817 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libopenssl1_1-1.1.1d-150200.11.91.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:openssl-1_1-1.1.1d-150200.11.91.1 moderate The PKCS#11 feature in ssh-agent in OpenSSH before 9.3p2 has an insufficiently trustworthy search path, leading to remote code execution if an agent is forwarded to an attacker-controlled system. (Code in /usr/lib is not necessarily safe for loading into ssh-agent.) NOTE: this issue exists because of an incomplete fix for CVE-2016-10009. CVE-2023-38408 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:openssh-8.4p1-150300.3.37.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:openssh-clients-8.4p1-150300.3.37.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:openssh-common-8.4p1-150300.3.37.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:openssh-server-8.4p1-150300.3.37.1 important A vulnerability was found in Avahi, where a reachable assertion exists in avahi_dns_packet_append_record. CVE-2023-38469 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libavahi-client3-0.7-150100.3.35.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libavahi-common3-0.7-150100.3.35.1 moderate A vulnerability was found in Avahi. A reachable assertion exists in the avahi_escape_label() function. CVE-2023-38470 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libavahi-client3-0.7-150100.3.35.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libavahi-common3-0.7-150100.3.35.1 moderate A vulnerability was found in Avahi. A reachable assertion exists in the dbus_set_host_name function. CVE-2023-38471 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libavahi-client3-0.7-150100.3.35.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libavahi-common3-0.7-150100.3.35.1 moderate A vulnerability was found in Avahi. A reachable assertion exists in the avahi_rdata_parse() function. CVE-2023-38472 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libavahi-client3-0.7-150100.3.35.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libavahi-common3-0.7-150100.3.35.1 moderate A vulnerability was found in Avahi. A reachable assertion exists in the avahi_alternative_host_name() function. CVE-2023-38473 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libavahi-client3-0.7-150100.3.35.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libavahi-common3-0.7-150100.3.35.1 moderate This flaw allows an attacker to insert cookies at will into a running program using libcurl, if the specific series of conditions are met. libcurl performs transfers. In its API, an application creates "easy handles" that are the individual handles for single transfers. libcurl provides a function call that duplicates en easy handle called [curl_easy_duphandle](https://curl.se/libcurl/c/curl_easy_duphandle.html). If a transfer has cookies enabled when the handle is duplicated, the cookie-enable state is also cloned - but without cloning the actual cookies. If the source handle did not read any cookies from a specific file on disk, the cloned version of the handle would instead store the file name as `none` (using the four ASCII letters, no quotes). Subsequent use of the cloned handle that does not explicitly set a source to load cookies from would then inadvertently load cookies from a file named `none` - if such a file exists and is readable in the current directory of the program using libcurl. And if using the correct file format of course. CVE-2023-38546 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:curl-7.66.0-150200.4.72.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libcurl4-7.66.0-150200.4.72.1 moderate A use-after-free flaw was found in nfc_llcp_find_local in net/nfc/llcp_core.c in NFC in the Linux kernel. This flaw allows a local user with special privileges to impact a kernel information leak issue. CVE-2023-3863 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate A flaw was found in the Netfilter subsystem in the Linux kernel. The nfnl_osf_add_callback function did not validate the user mode controlled opt_num field. This flaw allows a local privileged (CAP_NET_ADMIN) attacker to trigger an out-of-bounds read, leading to a crash or information disclosure. CVE-2023-39189 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate A flaw was found in the Netfilter subsystem in the Linux kernel. The xt_u32 module did not validate the fields in the xt_u32 structure. This flaw allows a local privileged attacker to trigger an out-of-bounds read by setting the size fields with a value beyond the array boundaries, leading to a crash or information disclosure. CVE-2023-39192 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate A flaw was found in the Netfilter subsystem in the Linux kernel. The sctp_mt_check did not validate the flag_count field. This flaw allows a local privileged (CAP_NET_ADMIN) attacker to trigger an out-of-bounds read, leading to a crash or information disclosure. CVE-2023-39193 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate A flaw was found in the XFRM subsystem in the Linux kernel. The specific flaw exists within the processing of state filters, which can result in a read past the end of an allocated buffer. This flaw allows a local privileged (CAP_NET_ADMIN) attacker to trigger an out-of-bounds read, potentially leading to an information disclosure. CVE-2023-39194 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 low An out-of-bounds read vulnerability was found in Netfilter Connection Tracking (conntrack) in the Linux kernel. This flaw allows a remote user to disclose sensitive information via the DCCP protocol. CVE-2023-39197 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 low A race condition was found in the QXL driver in the Linux kernel. The qxl_mode_dumb_create() function dereferences the qobj returned by the qxl_gem_object_create_with_handle(), but the handle is the only one holding a reference to it. This flaw allows an attacker to guess the returned handle value and trigger a use-after-free issue, potentially leading to a denial of service or privilege escalation. CVE-2023-39198 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 important Xmlsoft Libxml2 v2.11.0 was discovered to contain an out-of-bounds read via the xmlSAX2StartElement() function at /libxml2/SAX2.c. This vulnerability allows attackers to cause a Denial of Service (DoS) via supplying a crafted XML file. NOTE: the vendor's position is that the product does not support the legacy SAX1 interface with custom callbacks; there is a crash even without crafted input. CVE-2023-39615 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libxml2-2-2.9.7-150000.3.70.1 moderate In GNU tar before 1.35, mishandled extension attributes in a PAX archive can lead to an application crash in xheader.c. CVE-2023-39804 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:tar-1.34-150000.3.34.1 low A use-after-free flaw was found in the Linux kernel's netfilter in the way a user triggers the nft_pipapo_remove function with the element, without a NFT_SET_EXT_KEY_END. This issue could allow a local user to crash the system or potentially escalate their privileges on the system. CVE-2023-4004 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 important Under some circumstances, this weakness allows a user who has access to run the "ps" utility on a machine, the ability to write almost unlimited amounts of unfiltered data into the process heap. CVE-2023-4016 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:procps-3.3.17-150000.7.39.1 low An issue was discovered in Python before 3.8.18, 3.9.x before 3.9.18, 3.10.x before 3.10.13, and 3.11.x before 3.11.5. It primarily affects servers (such as HTTP servers) that use TLS client authentication. If a TLS server-side socket is created, receives data into the socket buffer, and then is closed quickly, there is a brief window where the SSLSocket instance will detect the socket as "not connected" and won't initiate a handshake, but buffered data will still be readable from the socket buffer. This data will not be authenticated if the server-side TLS peer is expecting client certificate authentication, and is indistinguishable from valid TLS stream data. Data is limited in size to the amount that will fit in the buffer. (The TLS connection cannot directly be used for data exfiltration because the vulnerable code path requires that the connection be closed on initialization of the SSLSocket.) CVE-2023-40217 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:python3-3.6.15-150300.10.65.2 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:python3-curses-3.6.15-150300.10.65.2 important An issue was discovered in l2cap_sock_release in net/bluetooth/l2cap_sock.c in the Linux kernel before 6.4.10. There is a use-after-free because the children of an sk are mishandled. CVE-2023-40283 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate A vulnerability was discovered in Samba, where the flaw allows SMB clients to truncate files, even with read-only permissions when the Samba VFS module "acl_xattr" is configured with "acl_xattr:ignore system acls = yes". The SMB protocol allows opening files when the client requests read-only access but then implicitly truncates the opened file to 0 bytes if the client specifies a separate OVERWRITE create disposition request. The issue arises in configurations that bypass kernel file system permissions checks, relying solely on Samba's permissions. CVE-2023-4091 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:samba-client-libs-4.15.13+git.710.7032820fcd-150300.3.66.2 moderate ** REJECT ** DO NOT USE THIS CVE RECORD. ConsultIDs: CVE-2023-4206, CVE-2023-4207, CVE-2023-4208. Reason: This record is a duplicate of CVE-2023-4206, CVE-2023-4207, CVE-2023-4208. Notes: All CVE users should reference CVE-2023-4206, CVE-2023-4207, CVE-2023-4208 instead of this record. All references and descriptions in this record have been removed to prevent accidental usage. CVE-2023-4128 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 important A use-after-free vulnerability was found in the siano smsusb module in the Linux kernel. The bug occurs during device initialization when the siano device is plugged in. This flaw allows a local user to crash the system, causing a denial of service condition. CVE-2023-4132 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate A use-after-free vulnerability was found in the cxgb4 driver in the Linux kernel. The bug occurs when the cxgb4 device is detaching due to a possible rearming of the flower_stats_timer from the work queue. This flaw allows a local user to crash the system, causing a denial of service condition. CVE-2023-4133 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate A use-after-free vulnerability was found in the cyttsp4_core driver in the Linux kernel. This issue occurs in the device cleanup routine due to a possible rearming of the watchdog_timer from the workqueue. This could allow a local user to crash the system, causing a denial of service. CVE-2023-4134 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate A use-after-free flaw was found in the Linux kernel's Netfilter functionality when adding a rule with NFTA_RULE_CHAIN_ID. This flaw allows a local user to crash or escalate their privileges on the system. CVE-2023-4147 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 important A design flaw was found in Samba's DirSync control implementation, which exposes passwords and secrets in Active Directory to privileged users and Read-Only Domain Controllers (RODCs). This flaw allows RODCs and users possessing the GET_CHANGES right to access all attributes, including sensitive secrets and passwords. Even in a default setup, RODC DC accounts, which should only replicate some passwords, can gain access to all domain secrets, including the vital krbtgt, effectively eliminating the RODC / DC distinction. Furthermore, the vulnerability fails to account for error conditions (fail open), like out-of-memory situations, potentially granting access to secret attributes, even under low-privileged attacker influence. CVE-2023-4154 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:samba-client-libs-4.15.13+git.710.7032820fcd-150300.3.66.2 important A heap out-of-bounds read flaw was found in builtin.c in the gawk package. This issue may lead to a crash and could be used to read sensitive information. CVE-2023-4156 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:gawk-4.2.1-150000.3.3.1 low A flaw was found in the Linux kernel's TUN/TAP functionality. This issue could allow a local user to bypass network filters and gain unauthorized access to some resources. The original patches fixing CVE-2023-1076 are incorrect or incomplete. The problem is that the following upstream commits - a096ccca6e50 ("tun: tun_chr_open(): correctly initialize socket uid"), - 66b2c338adce ("tap: tap_open(): correctly initialize socket uid"), pass "inode->i_uid" to sock_init_data_uid() as the last parameter and that turns out to not be accurate. CVE-2023-4194 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate A use-after-free vulnerability in the Linux kernel's netfilter: nf_tables component can be exploited to achieve local privilege escalation. Due to a race condition between nf_tables netlink control plane transaction and nft_set element garbage collection, it is possible to underflow the reference counter causing a use-after-free vulnerability. We recommend upgrading past commit 3e91b0ebd994635df2346353322ac51ce84ce6d8. CVE-2023-4244 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate Sudo before 1.9.15 might allow row hammer attacks (for authentication bypass or privilege escalation) because application logic sometimes is based on not equaling an error value (instead of equaling a success value), and because the values do not resist flips of a single bit. CVE-2023-42465 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:sudo-1.9.5p2-150300.3.33.1 moderate A vulnerability was found in Samba's "rpcecho" development server, a non-Windows RPC server used to test Samba's DCE/RPC stack elements. This vulnerability stems from an RPC function that can be blocked indefinitely. The issue arises because the "rpcecho" service operates with only one worker in the main RPC task, allowing calls to the "rpcecho" server to be blocked for a specified time, causing service disruptions. This disruption is triggered by a "sleep()" call in the "dcesrv_echo_TestSleep()" function under specific conditions. Authenticated users or attackers can exploit this vulnerability to make calls to the "rpcecho" server, requesting it to block for a specified duration, effectively disrupting most services and leading to a complete denial of service on the AD DC. The DoS affects all other services as "rpcecho" runs in the main RPC task. CVE-2023-42669 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:samba-client-libs-4.15.13+git.710.7032820fcd-150300.3.66.2 moderate A flaw was found in the exFAT driver of the Linux kernel. The vulnerability exists in the implementation of the file name reconstruction function, which is responsible for reading file name entries from a directory index and merging file name parts belonging to one file into a single long file name. Since the file name characters are copied into a stack variable, a local privileged attacker could use this flaw to overflow the kernel stack. CVE-2023-4273 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 important An array indexing vulnerability was found in the netfilter subsystem of the Linux kernel. A missing macro could lead to a miscalculation of the `h->nets` array offset, providing attackers with the primitive to arbitrarily increment/decrement a memory buffer out-of-bound. This issue may allow a local user to crash the system or potentially escalate their privileges on the system. CVE-2023-42753 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate A NULL pointer dereference flaw was found in the Linux kernel ipv4 stack. The socket buffer (skb) was assumed to be associated with a device before calling __ip_options_compile, which is not always the case if the skb is re-routed by ipvs. This issue may allow a local user with CAP_NET_ADMIN privileges to crash the system. CVE-2023-42754 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate A vulnerability was found in libX11 due to a boundary condition within the _XkbReadKeySyms() function. This flaw allows a local user to trigger an out-of-bounds read error and read the contents of memory on the system. CVE-2023-43785 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libX11-6-1.6.5-150000.3.33.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libX11-data-1.6.5-150000.3.33.1 moderate A vulnerability was found in libX11 due to an infinite loop within the PutSubImage() function. This flaw allows a local user to consume all available system resources and cause a denial of service condition. CVE-2023-43786 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libX11-6-1.6.5-150000.3.33.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libX11-data-1.6.5-150000.3.33.1 moderate A vulnerability was found in libX11 due to an integer overflow within the XCreateImage() function. This flaw allows a local user to trigger an integer overflow and execute arbitrary code with elevated privileges. CVE-2023-43787 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libX11-6-1.6.5-150000.3.33.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libX11-data-1.6.5-150000.3.33.1 moderate urllib3 is a user-friendly HTTP client library for Python. urllib3 doesn't treat the `Cookie` HTTP header special or provide any helpers for managing cookies over HTTP, that is the responsibility of the user. However, it is possible for a user to specify a `Cookie` header and unknowingly leak information via HTTP redirects to a different origin if that user doesn't disable redirects explicitly. This issue has been patched in urllib3 version 1.26.17 or 2.0.5. CVE-2023-43804 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:python3-urllib3-1.25.10-150300.4.12.1 moderate A NULL pointer dereference flaw was found in dbFree in fs/jfs/jfs_dmap.c in the journaling file system (JFS) in the Linux Kernel. This issue may allow a local attacker to crash the system due to a missing sanity check. CVE-2023-4385 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate A use-after-free flaw was found in vmxnet3_rq_alloc_rx_buf in drivers/net/vmxnet3/vmxnet3_drv.c in VMware's vmxnet3 ethernet NIC driver in the Linux Kernel. This issue could allow a local attacker to crash the system due to a double-free while cleaning up vmxnet3_rq_cleanup_all, which could also lead to a kernel information leak problem. CVE-2023-4387 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate A flaw was found in btrfs_get_root_ref in fs/btrfs/disk-io.c in the btrfs filesystem in the Linux Kernel due to a double decrement of the reference count. This issue may allow a local attacker with user privilege to crash the system or may lead to leaked internal kernel information. CVE-2023-4389 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate The DNS message parsing code in `named` includes a section whose computational complexity is overly high. It does not cause problems for typical DNS traffic, but crafted queries and responses may cause excessive CPU load on the affected `named` instance by exploiting this flaw. This issue affects both authoritative servers and recursive resolvers. This issue affects BIND 9 versions 9.0.0 through 9.16.45, 9.18.0 through 9.18.21, 9.19.0 through 9.19.19, 9.9.3-S1 through 9.11.37-S1, 9.16.8-S1 through 9.16.45-S1, and 9.18.11-S1 through 9.18.21-S1. CVE-2023-4408 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:bind-utils-9.16.6-150300.22.47.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libbind9-1600-9.16.6-150300.22.47.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libdns1605-9.16.6-150300.22.47.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libirs1601-9.16.6-150300.22.47.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libisc1606-9.16.6-150300.22.47.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libisccc1600-9.16.6-150300.22.47.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libisccfg1600-9.16.6-150300.22.47.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libns1604-9.16.6-150300.22.47.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:python3-bind-9.16.6-150300.22.47.1 important The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023. CVE-2023-44487 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libnghttp2-14-1.40.0-150200.17.1 important A NULL pointer dereference flaw was found in vmxnet3_rq_cleanup in drivers/net/vmxnet3/vmxnet3_drv.c in the networking sub-component in vmxnet3 in the Linux Kernel. This issue may allow a local attacker with normal user privilege to cause a denial of service due to a missing sanity check during cleanup. CVE-2023-4459 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate Due to failure in validating the length provided by an attacker-crafted PPD PostScript document, CUPS and libppd are susceptible to a heap-based buffer overflow and possibly code execution. This issue has been fixed in CUPS version 2.4.7, released in September of 2023. CVE-2023-4504 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:cups-config-2.2.7-150000.3.62.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libcups2-2.2.7-150000.3.62.1 important An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed MaxHeaderBytes, no memory is allocated to store the excess headers, but they are still parsed. This permits an attacker to cause an HTTP/2 endpoint to read arbitrary amounts of header data, all associated with a request which is going to be rejected. These headers can include Huffman-encoded data which is significantly more expensive for the receiver to decode than for an attacker to send. The fix sets a limit on the amount of excess header frames we will process before closing a connection. CVE-2023-45288 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:containerd-1.7.17-150000.114.1 moderate libxml2 through 2.11.5 has a use-after-free that can only occur after a certain memory allocation fails. This occurs in xmlUnlinkNode in tree.c. NOTE: the vendor's position is "I don't think these issues are critical enough to warrant a CVE ID ... because an attacker typically can't control when memory allocations fail." CVE-2023-45322 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libxml2-2-2.9.7-150000.3.70.1 moderate urllib3 is a user-friendly HTTP client library for Python. urllib3 previously wouldn't remove the HTTP request body when an HTTP redirect response using status 301, 302, or 303 after the request had its method changed from one that could accept a request body (like `POST`) to `GET` as is required by HTTP RFCs. Although this behavior is not specified in the section for redirects, it can be inferred by piecing together information from different sections and we have observed the behavior in other major HTTP client implementations like curl and web browsers. Because the vulnerability requires a previously trusted service to become compromised in order to have an impact on confidentiality we believe the exploitability of this vulnerability is low. Additionally, many users aren't putting sensitive data in HTTP request bodies, if this is the case then this vulnerability isn't exploitable. Both of the following conditions must be true to be affected by this vulnerability: 1. Using urllib3 and submitting sensitive information in the HTTP request body (such as form data or JSON) and 2. The origin service is compromised and starts redirecting using 301, 302, or 303 to a malicious peer or the redirected-to service becomes compromised. This issue has been addressed in versions 1.26.18 and 2.0.7 and users are advised to update to resolve this issue. Users unable to update should disable redirects for services that aren't expecting to respond with redirects with `redirects=False` and disable automatic redirects with `redirects=False` and handle 301, 302, and 303 redirects manually by stripping the HTTP request body. CVE-2023-45803 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:python3-urllib3-1.25.10-150300.4.12.1 moderate MiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_64 via a long filename, comment, or extra field. NOTE: MiniZip is not a supported part of the zlib product. NOTE: pyminizip through 0.2.6 is also vulnerable because it bundles an affected zlib version, and exposes the applicable MiniZip code through its compress API. CVE-2023-45853 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libz1-1.2.11-150000.3.48.1 moderate An issue was discovered in drivers/usb/storage/ene_ub6250.c for the ENE UB6250 reader driver in the Linux kernel before 6.2.5. An object could potentially extend beyond the end of an allocation. CVE-2023-45862 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate An issue was discovered in lib/kobject.c in the Linux kernel before 6.2.3. With root access, an attacker can trigger a race condition that results in a fill_kobj_path out-of-bounds write. CVE-2023-45863 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate An issue was discovered in drivers/net/ethernet/intel/igb/igb_main.c in the IGB driver in the Linux kernel before 6.5.3. A buffer size may not be adequate for frames larger than the MTU. CVE-2023-45871 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none. CVE-2023-45918 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libncurses6-6.1-150000.5.24.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:ncurses-utils-6.1-150000.5.24.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:terminfo-6.1-150000.5.24.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:terminfo-base-6.1-150000.5.24.1 low This flaw allows a malicious HTTP server to set "super cookies" in curl that are then passed back to more origins than what is otherwise allowed or possible. This allows a site to set cookies that then would get sent to different and unrelated sites and domains. It could do this by exploiting a mixed case flaw in curl's function that verifies a given cookie domain against the Public Suffix List (PSL). For example a cookie could be set with `domain=co.UK` when the URL used a lower case hostname `curl.co.uk`, even though `co.uk` is listed as a PSL domain. CVE-2023-46218 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:curl-7.66.0-150200.4.72.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libcurl4-7.66.0-150200.4.72.1 moderate A use-after-free vulnerability in the Linux kernel's af_unix component can be exploited to achieve local privilege escalation. The unix_stream_sendpage() function tries to add data to the last skb in the peer's recv queue without locking the queue. Thus there is a race where unix_stream_sendpage() could access an skb locklessly that is being released by garbage collection, resulting in use-after-free. We recommend upgrading past commit 790c2f9d15b594350ae9bca7b236f2b1859de02c. CVE-2023-4622 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 important A use-after-free vulnerability in the Linux kernel's net/sched: sch_hfsc (HFSC qdisc traffic control) component can be exploited to achieve local privilege escalation. If a class with a link-sharing curve (i.e. with the HFSC_FSC flag set) has a parent without a link-sharing curve, then init_vf() will call vttree_insert() on the parent, but vttree_remove() will be skipped in update_vf(). This leaves a dangling pointer that can cause a use-after-free. We recommend upgrading past commit b3d26c5702c7d6c45456326e56d2ccf3f103e60f. CVE-2023-4623 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 important Vim is an improved version of the good old UNIX editor Vi. Heap-use-after-free in memory allocated in the function `ga_grow_inner` in in the file `src/alloc.c` at line 748, which is freed in the file `src/ex_docmd.c` in the function `do_cmdline` at line 1010 and then used again in `src/cmdhist.c` at line 759. When using the `:history` command, it's possible that the provided argument overflows the accepted value. Causing an Integer Overflow and potentially later an use-after-free. This vulnerability has been patched in version 9.0.2068. CVE-2023-46246 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:vim-9.1.0330-150000.5.63.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:vim-data-common-9.1.0330-150000.5.63.1 low In the Linux kernel before 6.5.9, there is a NULL pointer dereference in send_acknowledge in net/nfc/nci/spi.c. CVE-2023-46343 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate A flaw was found in shadow-utils. When asking for a new password, shadow-utils asks the password twice. If the password fails on the second attempt, shadow-utils fails in cleaning the buffer used to store the first entry. This may allow an attacker with enough access to retrieve the password from the memory. CVE-2023-4641 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:login_defs-4.8.1-150300.4.18.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:shadow-4.8.1-150300.4.18.1 low The current setup of the quarantine page tables assumes that the quarantine domain (dom_io) has been initialized with an address width of DEFAULT_DOMAIN_ADDRESS_WIDTH (48) and hence 4 page table levels. However dom_io being a PV domain gets the AMD-Vi IOMMU page tables levels based on the maximum (hot pluggable) RAM address, and hence on systems with no RAM above the 512GB mark only 3 page-table levels are configured in the IOMMU. On systems without RAM above the 512GB boundary amd_iommu_quarantine_init() will setup page tables for the scratch page with 4 levels, while the IOMMU will be configured to use 3 levels only, resulting in the last page table directory (PDE) effectively becoming a page table entry (PTE), and hence a device in quarantine mode gaining write access to the page destined to be a PDE. Due to this page table level mismatch, the sink page the device gets read/write access to is no longer cleared between device assignment, possibly leading to data leaks. CVE-2023-46835 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:xen-libs-4.14.6_16-150300.3.75.1 moderate The fixes for XSA-422 (Branch Type Confusion) and XSA-434 (Speculative Return Stack Overflow) are not IRQ-safe. It was believed that the mitigations always operated in contexts with IRQs disabled. However, the original XSA-254 fix for Meltdown (XPTI) deliberately left interrupts enabled on two entry paths; one unconditionally, and one conditionally on whether XPTI was active. As BTC/SRSO and Meltdown affect different CPU vendors, the mitigations are not active together by default. Therefore, there is a race condition whereby a malicious PV guest can bypass BTC/SRSO protections and launch a BTC/SRSO attack against Xen. CVE-2023-46836 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:xen-libs-4.14.6_16-150300.3.75.1 moderate Transmit requests in Xen's virtual network protocol can consist of multiple parts. While not really useful, except for the initial part any of them may be of zero length, i.e. carry no data at all. Besides a certain initial portion of the to be transferred data, these parts are directly translated into what Linux calls SKB fragments. Such converted request parts can, when for a particular SKB they are all of length zero, lead to a de-reference of NULL in core networking code. CVE-2023-46838 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate PCI devices can make use of a functionality called phantom functions, that when enabled allows the device to generate requests using the IDs of functions that are otherwise unpopulated. This allows a device to extend the number of outstanding requests. Such phantom functions need an IOMMU context setup, but failure to setup the context is not fatal when the device is assigned. Not failing device assignment when such failure happens can lead to the primary device being assigned to a guest, while some of the phantom functions are assigned to a different domain. CVE-2023-46839 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:xen-libs-4.14.6_16-150300.3.75.1 moderate Recent x86 CPUs offer functionality named Control-flow Enforcement Technology (CET). A sub-feature of this are Shadow Stacks (CET-SS). CET-SS is a hardware feature designed to protect against Return Oriented Programming attacks. When enabled, traditional stacks holding both data and return addresses are accompanied by so called "shadow stacks", holding little more than return addresses. Shadow stacks aren't writable by normal instructions, and upon function returns their contents are used to check for possible manipulation of a return address coming from the traditional stack. In particular certain memory accesses need intercepting by Xen. In various cases the necessary emulation involves kind of replaying of the instruction. Such replaying typically involves filling and then invoking of a stub. Such a replayed instruction may raise an exceptions, which is expected and dealt with accordingly. Unfortunately the interaction of both of the above wasn't right: Recovery involves removal of a call frame from the (traditional) stack. The counterpart of this operation for the shadow stack was missing. CVE-2023-46841 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:xen-libs-4.14.6_16-150300.3.75.1 moderate Unlike 32-bit PV guests, HVM guests may switch freely between 64-bit and other modes. This in particular means that they may set registers used to pass 32-bit-mode hypercall arguments to values outside of the range 32-bit code would be able to set them to. When processing of hypercalls takes a considerable amount of time, the hypervisor may choose to invoke a hypercall continuation. Doing so involves putting (perhaps updated) hypercall arguments in respective registers. For guests not running in 64-bit mode this further involves a certain amount of translation of the values. Unfortunately internal sanity checking of these translated values assumes high halves of registers to always be clear when invoking a hypercall. When this is found not to be the case, it triggers a consistency check in the hypervisor and causes a crash. CVE-2023-46842 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:xen-libs-4.14.6_16-150300.3.75.1 moderate An out-of-bounds write flaw was found in grub2's NTFS filesystem driver. This issue may allow an attacker to present a specially crafted NTFS filesystem image, leading to grub's heap metadata corruption. In some circumstances, the attack may also corrupt the UEFI firmware heap metadata. As a result, arbitrary code execution and secure boot protection bypass may be achieved. CVE-2023-4692 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:grub2-2.04-150300.22.43.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:grub2-i386-pc-2.04-150300.22.43.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:grub2-x86_64-efi-2.04-150300.22.43.1 important An out-of-bounds read flaw was found on grub2's NTFS filesystem driver. This issue may allow a physically present attacker to present a specially crafted NTFS file system image to read arbitrary memory locations. A successful attack allows sensitive data cached in memory or EFI variable values to be leaked, presenting a high Confidentiality risk. CVE-2023-4693 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:grub2-2.04-150300.22.43.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:grub2-i386-pc-2.04-150300.22.43.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:grub2-x86_64-efi-2.04-150300.22.43.1 moderate The brcm80211 component in the Linux kernel through 6.5.10 has a brcmf_cfg80211_detach use-after-free in the device unplugging (disconnect the USB by hotplug) code. For physically proximate attackers with local access, this "could be exploited in a real world scenario." This is related to brcmf_cfg80211_escan_timeout_worker in drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c. CVE-2023-47233 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate Use After Free in GitHub repository vim/vim prior to 9.0.1840. CVE-2023-4733 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:vim-9.1.0330-150000.5.63.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:vim-data-common-9.1.0330-150000.5.63.1 important Integer Overflow or Wraparound in GitHub repository vim/vim prior to 9.0.1846. CVE-2023-4734 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:vim-9.1.0330-150000.5.63.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:vim-data-common-9.1.0330-150000.5.63.1 moderate Out-of-bounds Write in GitHub repository vim/vim prior to 9.0.1847. CVE-2023-4735 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:vim-9.1.0330-150000.5.63.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:vim-data-common-9.1.0330-150000.5.63.1 low Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.1848. CVE-2023-4738 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:vim-9.1.0330-150000.5.63.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:vim-data-common-9.1.0330-150000.5.63.1 important Use After Free in GitHub repository vim/vim prior to 9.0.1857. CVE-2023-4750 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:vim-9.1.0330-150000.5.63.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:vim-data-common-9.1.0330-150000.5.63.1 important Use After Free in GitHub repository vim/vim prior to 9.0.1858. CVE-2023-4752 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:vim-9.1.0330-150000.5.63.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:vim-data-common-9.1.0330-150000.5.63.1 important Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.1873. CVE-2023-4781 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:vim-9.1.0330-150000.5.63.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:vim-data-common-9.1.0330-150000.5.63.1 important A flaw was found in glibc. In an uncommon situation, the gaih_inet function may use memory that has been freed, resulting in an application crash. This issue is only exploitable when the getaddrinfo function is called and the hosts database in /etc/nsswitch.conf is configured with SUCCESS=continue or SUCCESS=merge. CVE-2023-4813 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:glibc-2.31-150300.83.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:glibc-i18ndata-2.31-150300.83.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:glibc-locale-2.31-150300.83.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:glibc-locale-base-2.31-150300.83.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:nscd-2.31-150300.83.1 moderate Vim is an open source command line text editor. When closing a window, vim may try to access already freed window structure. Exploitation beyond crashing the application has not been shown to be viable. This issue has been addressed in commit `25aabc2b` which has been included in release version 9.0.2106. Users are advised to upgrade. There are no known workarounds for this vulnerability. CVE-2023-48231 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:vim-9.1.0330-150000.5.63.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:vim-data-common-9.1.0330-150000.5.63.1 low Vim is an open source command line text editor. A floating point exception may occur when calculating the line offset for overlong lines and smooth scrolling is enabled and the cpo-settings include the 'n' flag. This may happen when a window border is present and when the wrapped line continues on the next physical line directly in the window border because the 'cpo' setting includes the 'n' flag. Only users with non-default settings are affected and the exception should only result in a crash. This issue has been addressed in commit `cb0b99f0` which has been included in release version 9.0.2107. Users are advised to upgrade. There are no known workarounds for this vulnerability. CVE-2023-48232 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:vim-9.1.0330-150000.5.63.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:vim-data-common-9.1.0330-150000.5.63.1 low Vim is an open source command line text editor. If the count after the :s command is larger than what fits into a (signed) long variable, abort with e_value_too_large. Impact is low, user interaction is required and a crash may not even happen in all situations. This issue has been addressed in commit `ac6378773` which has been included in release version 9.0.2108. Users are advised to upgrade. There are no known workarounds for this vulnerability. CVE-2023-48233 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:vim-9.1.0330-150000.5.63.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:vim-data-common-9.1.0330-150000.5.63.1 low Vim is an open source command line text editor. When getting the count for a normal mode z command, it may overflow for large counts given. Impact is low, user interaction is required and a crash may not even happen in all situations. This issue has been addressed in commit `58f9befca1` which has been included in release version 9.0.2109. Users are advised to upgrade. There are no known workarounds for this vulnerability. CVE-2023-48234 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:vim-9.1.0330-150000.5.63.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:vim-data-common-9.1.0330-150000.5.63.1 low Vim is an open source command line text editor. When parsing relative ex addresses one may unintentionally cause an overflow. Ironically this happens in the existing overflow check, because the line number becomes negative and LONG_MAX - lnum will cause the overflow. Impact is low, user interaction is required and a crash may not even happen in all situations. This issue has been addressed in commit `060623e` which has been included in release version 9.0.2110. Users are advised to upgrade. There are no known workarounds for this vulnerability. CVE-2023-48235 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:vim-9.1.0330-150000.5.63.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:vim-data-common-9.1.0330-150000.5.63.1 low Vim is an open source command line text editor. When using the z= command, the user may overflow the count with values larger than MAX_INT. Impact is low, user interaction is required and a crash may not even happen in all situations. This vulnerability has been addressed in commit `73b2d379` which has been included in release version 9.0.2111. Users are advised to upgrade. There are no known workarounds for this vulnerability. CVE-2023-48236 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:vim-9.1.0330-150000.5.63.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:vim-data-common-9.1.0330-150000.5.63.1 low Vim is an open source command line text editor. In affected versions when shifting lines in operator pending mode and using a very large value, it may be possible to overflow the size of integer. Impact is low, user interaction is required and a crash may not even happen in all situations. This issue has been addressed in commit `6bf131888` which has been included in version 9.0.2112. Users are advised to upgrade. There are no known workarounds for this vulnerability. CVE-2023-48237 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:vim-9.1.0330-150000.5.63.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:vim-data-common-9.1.0330-150000.5.63.1 low Vim is a UNIX editor that, prior to version 9.0.2121, has a heap-use-after-free vulnerability. When executing a `:s` command for the very first time and using a sub-replace-special atom inside the substitution part, it is possible that the recursive `:s` call causes free-ing of memory which may later then be accessed by the initial `:s` command. The user must intentionally execute the payload and the whole process is a bit tricky to do since it seems to work only reliably for the very first :s command. It may also cause a crash of Vim. Version 9.0.2121 contains a fix for this issue. CVE-2023-48706 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:vim-9.1.0330-150000.5.63.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:vim-data-common-9.1.0330-150000.5.63.1 low The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), and a client and server may consequently end up with a connection for which some security features have been downgraded or disabled, aka a Terrapin attack. This occurs because the SSH Binary Packet Protocol (BPP), implemented by these extensions, mishandles the handshake phase and mishandles use of sequence numbers. For example, there is an effective attack against SSH's use of ChaCha20-Poly1305 (and CBC with Encrypt-then-MAC). The bypass occurs in chacha20-poly1305@openssh.com and (if CBC is used) the -etm@openssh.com MAC algorithms. This also affects Maverick Synergy Java SSH API before 3.1.0-SNAPSHOT, Dropbear through 2022.83, Ssh before 5.1.1 in Erlang/OTP, PuTTY before 0.80, AsyncSSH before 2.14.2, golang.org/x/crypto before 0.17.0, libssh before 0.10.6, libssh2 through 1.11.0, Thorn Tech SFTP Gateway before 3.4.6, Tera Term before 5.1, Paramiko before 3.4.0, jsch before 0.2.15, SFTPGo before 2.5.6, Netgate pfSense Plus through 23.09.1, Netgate pfSense CE through 2.7.2, HPN-SSH through 18.2.0, ProFTPD before 1.3.8b (and before 1.3.9rc2), ORYX CycloneSSH before 2.3.4, NetSarang XShell 7 before Build 0144, CrushFTP before 10.6.0, ConnectBot SSH library before 2.2.22, Apache MINA sshd through 2.11.0, sshj through 0.37.0, TinySSH through 20230101, trilead-ssh2 6401, LANCOM LCOS and LANconfig, FileZilla before 3.66.4, Nova before 11.8, PKIX-SSH before 14.4, SecureCRT before 9.4.3, Transmit5 before 5.10.4, Win32-OpenSSH before 9.5.0.0p1-Beta, WinSCP before 6.2.2, Bitvise SSH Server before 9.32, Bitvise SSH Client before 9.33, KiTTY through 0.76.1.13, the net-ssh gem 7.2.0 for Ruby, the mscdex ssh2 module before 1.15.0 for Node.js, the thrussh library before 0.35.1 for Rust, and the Russh crate before 0.40.2 for Rust. CVE-2023-48795 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libssh4-0.9.8-150200.13.6.2 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:openssh-8.4p1-150300.3.37.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:openssh-clients-8.4p1-150300.3.37.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:openssh-common-8.4p1-150300.3.37.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:openssh-server-8.4p1-150300.3.37.1 important CVE-2023-4881 was wrongly assigned to a bug that was deemed to be a non-security issue by the Linux kernel security team. CVE-2023-4881 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Calling `load_pem_pkcs7_certificates` or `load_der_pkcs7_certificates` could lead to a NULL-pointer dereference and segfault. Exploitation of this vulnerability poses a serious risk of Denial of Service (DoS) for any application attempting to deserialize a PKCS7 blob/certificate. The consequences extend to potential disruptions in system availability and stability. This vulnerability has been patched in version 41.0.6. CVE-2023-49083 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:python3-cryptography-3.3.2-150200.22.1 moderate A use-after-free vulnerability in the Linux kernel's net/sched: sch_qfq component can be exploited to achieve local privilege escalation. When the plug qdisc is used as a class of the qfq qdisc, sending network packets triggers use-after-free in qfq_dequeue() due to the incorrect .peek handler of sch_plug and lack of error checking in agg_dequeue(). We recommend upgrading past commit 8fc134fee27f2263988ae38920bc03da416b03d8. CVE-2023-4921 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 important Certain DNSSEC aspects of the DNS protocol (in RFC 4033, 4034, 4035, 6840, and related RFCs) allow remote attackers to cause a denial of service (CPU consumption) via one or more DNSSEC responses, aka the "KeyTrap" issue. One of the concerns is that, when there is a zone with many DNSKEY and RRSIG records, the protocol specification implies that an algorithm must evaluate all combinations of DNSKEY and RRSIG records. CVE-2023-50387 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:bind-utils-9.16.6-150300.22.47.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libbind9-1600-9.16.6-150300.22.47.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libdns1605-9.16.6-150300.22.47.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libirs1601-9.16.6-150300.22.47.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libisc1606-9.16.6-150300.22.47.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libisccc1600-9.16.6-150300.22.47.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libisccfg1600-9.16.6-150300.22.47.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libns1604-9.16.6-150300.22.47.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:python3-bind-9.16.6-150300.22.47.1 important NCurse v6.4-20230418 was discovered to contain a segmentation fault via the component _nc_wrap_entry(). CVE-2023-50495 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libncurses6-6.1-150000.5.24.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:ncurses-utils-6.1-150000.5.24.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:terminfo-6.1-150000.5.24.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:terminfo-base-6.1-150000.5.24.1 moderate The Closest Encloser Proof aspect of the DNS protocol (in RFC 5155 when RFC 9276 guidance is skipped) allows remote attackers to cause a denial of service (CPU consumption for SHA-1 computations) via DNSSEC responses in a random subdomain attack, aka the "NSEC3" issue. The RFC 5155 specification implies that an algorithm must perform thousands of iterations of a hash function in certain situations. CVE-2023-50868 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:bind-utils-9.16.6-150300.22.47.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libbind9-1600-9.16.6-150300.22.47.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libdns1605-9.16.6-150300.22.47.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libirs1601-9.16.6-150300.22.47.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libisc1606-9.16.6-150300.22.47.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libisccc1600-9.16.6-150300.22.47.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libisccfg1600-9.16.6-150300.22.47.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libns1604-9.16.6-150300.22.47.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:python3-bind-9.16.6-150300.22.47.1 important In the Linux kernel before 6.4.12, amdgpu_cs_wait_all_fences in drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c has a fence use-after-free. CVE-2023-51042 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel before 6.4.5, drivers/gpu/drm/drm_atomic.c has a use-after-free during a race condition between a nonblocking atomic commit and a driver unload. CVE-2023-51043 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In ssh in OpenSSH before 9.6, OS command injection might occur if a user name or host name has shell metacharacters, and this name is referenced by an expansion token in certain situations. For example, an untrusted Git repository can have a submodule with shell metacharacters in a user name or host name. CVE-2023-51385 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:openssh-8.4p1-150300.3.37.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:openssh-clients-8.4p1-150300.3.37.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:openssh-common-8.4p1-150300.3.37.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:openssh-server-8.4p1-150300.3.37.1 moderate bt_sock_recvmsg in net/bluetooth/af_bluetooth.c in the Linux kernel through 6.6.8 has a use-after-free because of a bt_sock_ioctl race condition. CVE-2023-51779 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate An issue was discovered in the Linux kernel before 6.6.8. do_vcc_ioctl in net/atm/ioctl.c has a use-after-free because of a vcc_recvmsg race condition. CVE-2023-51780 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 important An issue was discovered in the Linux kernel before 6.6.8. rose_ioctl in net/rose/af_rose.c has a use-after-free because of a rose_accept race condition. CVE-2023-51782 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate The IPv6 implementation in the Linux kernel before 6.3 has a net/ipv6/route.c max_size threshold that can be consumed easily, e.g., leading to a denial of service (network is unreachable errors) when IPv6 packets are sent in a loop via a raw socket. CVE-2023-52340 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 important libexpat through 2.5.0 allows a denial of service (resource consumption) because many full reparsings are required in the case of a large token for which multiple buffer fills are needed. CVE-2023-52425 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:python3-3.6.15-150300.10.65.2 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:python3-curses-3.6.15-150300.10.65.2 moderate dm_table_create in drivers/md/dm-table.c in the Linux kernel through 6.7.4 can attempt to (in alloc_targets) allocate more than INT_MAX bytes, and crash, because of a missing check for struct dm_ioctl.target_count. CVE-2023-52429 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_set_rbtree: skip sync GC for new elements in this transaction New elements in this transaction might expired before such transaction ends. Skip sync GC for such elements otherwise commit path might walk over an already released object. Once transaction is finished, async GC will collect such expired element. CVE-2023-52433 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 important In the Linux kernel, the following vulnerability has been resolved: uio: Fix use-after-free in uio_open core-1 core-2 ------------------------------------------------------- uio_unregister_device uio_open idev = idr_find() device_unregister(&idev->dev) put_device(&idev->dev) uio_device_release get_device(&idev->dev) kfree(idev) uio_free_minor(minor) uio_release put_device(&idev->dev) kfree(idev) ------------------------------------------------------- In the core-1 uio_unregister_device(), the device_unregister will kfree idev when the idev->dev kobject ref is 1. But after core-1 device_unregister, put_device and before doing kfree, the core-2 may get_device. Then: 1. After core-1 kfree idev, the core-2 will do use-after-free for idev. 2. When core-2 do uio_release and put_device, the idev will be double freed. To address this issue, we can get idev atomic & inc idev reference with minor_lock. CVE-2023-52439 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: apparmor: avoid crash when parsed profile name is empty When processing a packed profile in unpack_profile() described like "profile :ns::samba-dcerpcd /usr/lib*/samba/{,samba/}samba-dcerpcd {...}" a string ":samba-dcerpcd" is unpacked as a fully-qualified name and then passed to aa_splitn_fqname(). aa_splitn_fqname() treats ":samba-dcerpcd" as only containing a namespace. Thus it returns NULL for tmpname, meanwhile tmpns is non-NULL. Later aa_alloc_profile() crashes as the new profile name is NULL now. general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN NOPTI KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] CPU: 6 PID: 1657 Comm: apparmor_parser Not tainted 6.7.0-rc2-dirty #16 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.2-3-gd478f380-rebuilt.opensuse.org 04/01/2014 RIP: 0010:strlen+0x1e/0xa0 Call Trace: <TASK> ? strlen+0x1e/0xa0 aa_policy_init+0x1bb/0x230 aa_alloc_profile+0xb1/0x480 unpack_profile+0x3bc/0x4960 aa_unpack+0x309/0x15e0 aa_replace_profiles+0x213/0x33c0 policy_update+0x261/0x370 profile_replace+0x20e/0x2a0 vfs_write+0x2af/0xe00 ksys_write+0x126/0x250 do_syscall_64+0x46/0xf0 entry_SYSCALL_64_after_hwframe+0x6e/0x76 </TASK> ---[ end trace 0000000000000000 ]--- RIP: 0010:strlen+0x1e/0xa0 It seems such behaviour of aa_splitn_fqname() is expected and checked in other places where it is called (e.g. aa_remove_profiles). Well, there is an explicit comment "a ns name without a following profile is allowed" inside. AFAICS, nothing can prevent unpacked "name" to be in form like ":samba-dcerpcd" - it is passed from userspace. Deny the whole profile set replacement in such case and inform user with EPROTO and an explaining message. Found by Linux Verification Center (linuxtesting.org). CVE-2023-52443 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: media: pvrusb2: fix use after free on context disconnection Upon module load, a kthread is created targeting the pvr2_context_thread_func function, which may call pvr2_context_destroy and thus call kfree() on the context object. However, that might happen before the usb hub_event handler is able to notify the driver. This patch adds a sanity check before the invalid read reported by syzbot, within the context disconnection call stack. CVE-2023-52445 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: gfs2: Fix kernel NULL pointer dereference in gfs2_rgrp_dump Syzkaller has reported a NULL pointer dereference when accessing rgd->rd_rgl in gfs2_rgrp_dump(). This can happen when creating rgd->rd_gl fails in read_rindex_entry(). Add a NULL pointer check in gfs2_rgrp_dump() to prevent that. CVE-2023-52448 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: mtd: Fix gluebi NULL pointer dereference caused by ftl notifier If both ftl.ko and gluebi.ko are loaded, the notifier of ftl triggers NULL pointer dereference when trying to access 'gluebi->desc' in gluebi_read(). ubi_gluebi_init ubi_register_volume_notifier ubi_enumerate_volumes ubi_notify_all gluebi_notify nb->notifier_call() gluebi_create mtd_device_register mtd_device_parse_register add_mtd_device blktrans_notify_add not->add() ftl_add_mtd tr->add_mtd() scan_header mtd_read mtd_read_oob mtd_read_oob_std gluebi_read mtd->read() gluebi->desc - NULL Detailed reproduction information available at the Link [1], In the normal case, obtain gluebi->desc in the gluebi_get_device(), and access gluebi->desc in the gluebi_read(). However, gluebi_get_device() is not executed in advance in the ftl_add_mtd() process, which leads to NULL pointer dereference. The solution for the gluebi module is to run jffs2 on the UBI volume without considering working with ftl or mtdblock [2]. Therefore, this problem can be avoided by preventing gluebi from creating the mtdblock device after creating mtd partition of the type MTD_UBIVOLUME. CVE-2023-52449 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: powerpc/pseries/memhp: Fix access beyond end of drmem array dlpar_memory_remove_by_index() may access beyond the bounds of the drmem lmb array when the LMB lookup fails to match an entry with the given DRC index. When the search fails, the cursor is left pointing to &drmem_info->lmbs[drmem_info->n_lmbs], which is one element past the last valid entry in the array. The debug message at the end of the function then dereferences this pointer: pr_debug("Failed to hot-remove memory at %llx\n", lmb->base_addr); This was found by inspection and confirmed with KASAN: pseries-hotplug-mem: Attempting to hot-remove LMB, drc index 1234 ================================================================== BUG: KASAN: slab-out-of-bounds in dlpar_memory+0x298/0x1658 Read of size 8 at addr c000000364e97fd0 by task bash/949 dump_stack_lvl+0xa4/0xfc (unreliable) print_report+0x214/0x63c kasan_report+0x140/0x2e0 __asan_load8+0xa8/0xe0 dlpar_memory+0x298/0x1658 handle_dlpar_errorlog+0x130/0x1d0 dlpar_store+0x18c/0x3e0 kobj_attr_store+0x68/0xa0 sysfs_kf_write+0xc4/0x110 kernfs_fop_write_iter+0x26c/0x390 vfs_write+0x2d4/0x4e0 ksys_write+0xac/0x1a0 system_call_exception+0x268/0x530 system_call_vectored_common+0x15c/0x2ec Allocated by task 1: kasan_save_stack+0x48/0x80 kasan_set_track+0x34/0x50 kasan_save_alloc_info+0x34/0x50 __kasan_kmalloc+0xd0/0x120 __kmalloc+0x8c/0x320 kmalloc_array.constprop.0+0x48/0x5c drmem_init+0x2a0/0x41c do_one_initcall+0xe0/0x5c0 kernel_init_freeable+0x4ec/0x5a0 kernel_init+0x30/0x1e0 ret_from_kernel_user_thread+0x14/0x1c The buggy address belongs to the object at c000000364e80000 which belongs to the cache kmalloc-128k of size 131072 The buggy address is located 0 bytes to the right of allocated 98256-byte region [c000000364e80000, c000000364e97fd0) ================================================================== pseries-hotplug-mem: Failed to hot-remove memory at 0 Log failed lookups with a separate message and dereference the cursor only when it points to a valid entry. CVE-2023-52451 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: efivarfs: force RO when remounting if SetVariable is not supported If SetVariable at runtime is not supported by the firmware we never assign a callback for that function. At the same time mount the efivarfs as RO so no one can call that. However, we never check the permission flags when someone remounts the filesystem as RW. As a result this leads to a crash looking like this: $ mount -o remount,rw /sys/firmware/efi/efivars $ efi-updatevar -f PK.auth PK [ 303.279166] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000 [ 303.280482] Mem abort info: [ 303.280854] ESR = 0x0000000086000004 [ 303.281338] EC = 0x21: IABT (current EL), IL = 32 bits [ 303.282016] SET = 0, FnV = 0 [ 303.282414] EA = 0, S1PTW = 0 [ 303.282821] FSC = 0x04: level 0 translation fault [ 303.283771] user pgtable: 4k pages, 48-bit VAs, pgdp=000000004258c000 [ 303.284913] [0000000000000000] pgd=0000000000000000, p4d=0000000000000000 [ 303.286076] Internal error: Oops: 0000000086000004 [#1] PREEMPT SMP [ 303.286936] Modules linked in: qrtr tpm_tis tpm_tis_core crct10dif_ce arm_smccc_trng rng_core drm fuse ip_tables x_tables ipv6 [ 303.288586] CPU: 1 PID: 755 Comm: efi-updatevar Not tainted 6.3.0-rc1-00108-gc7d0c4695c68 #1 [ 303.289748] Hardware name: Unknown Unknown Product/Unknown Product, BIOS 2023.04-00627-g88336918701d 04/01/2023 [ 303.291150] pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 303.292123] pc : 0x0 [ 303.292443] lr : efivar_set_variable_locked+0x74/0xec [ 303.293156] sp : ffff800008673c10 [ 303.293619] x29: ffff800008673c10 x28: ffff0000037e8000 x27: 0000000000000000 [ 303.294592] x26: 0000000000000800 x25: ffff000002467400 x24: 0000000000000027 [ 303.295572] x23: ffffd49ea9832000 x22: ffff0000020c9800 x21: ffff000002467000 [ 303.296566] x20: 0000000000000001 x19: 00000000000007fc x18: 0000000000000000 [ 303.297531] x17: 0000000000000000 x16: 0000000000000000 x15: 0000aaaac807ab54 [ 303.298495] x14: ed37489f673633c0 x13: 71c45c606de13f80 x12: 47464259e219acf4 [ 303.299453] x11: ffff000002af7b01 x10: 0000000000000003 x9 : 0000000000000002 [ 303.300431] x8 : 0000000000000010 x7 : ffffd49ea8973230 x6 : 0000000000a85201 [ 303.301412] x5 : 0000000000000000 x4 : ffff0000020c9800 x3 : 00000000000007fc [ 303.302370] x2 : 0000000000000027 x1 : ffff000002467400 x0 : ffff000002467000 [ 303.303341] Call trace: [ 303.303679] 0x0 [ 303.303938] efivar_entry_set_get_size+0x98/0x16c [ 303.304585] efivarfs_file_write+0xd0/0x1a4 [ 303.305148] vfs_write+0xc4/0x2e4 [ 303.305601] ksys_write+0x70/0x104 [ 303.306073] __arm64_sys_write+0x1c/0x28 [ 303.306622] invoke_syscall+0x48/0x114 [ 303.307156] el0_svc_common.constprop.0+0x44/0xec [ 303.307803] do_el0_svc+0x38/0x98 [ 303.308268] el0_svc+0x2c/0x84 [ 303.308702] el0t_64_sync_handler+0xf4/0x120 [ 303.309293] el0t_64_sync+0x190/0x194 [ 303.309794] Code: ???????? ???????? ???????? ???????? (????????) [ 303.310612] ---[ end trace 0000000000000000 ]--- Fix this by adding a .reconfigure() function to the fs operations which we can use to check the requested flags and deny anything that's not RO if the firmware doesn't implement SetVariable at runtime. CVE-2023-52463 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: drivers/amd/pm: fix a use-after-free in kv_parse_power_table When ps allocated by kzalloc equals to NULL, kv_parse_power_table frees adev->pm.dpm.ps that allocated before. However, after the control flow goes through the following call chains: kv_parse_power_table |-> kv_dpm_init |-> kv_dpm_sw_init |-> kv_dpm_fini The adev->pm.dpm.ps is used in the for loop of kv_dpm_fini after its first free in kv_parse_power_table and causes a use-after-free bug. CVE-2023-52469 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/radeon: check the alloc_workqueue return value in radeon_crtc_init() check the alloc_workqueue return value in radeon_crtc_init() to avoid null-ptr-deref. CVE-2023-52470 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: IB/hfi1: Fix bugs with non-PAGE_SIZE-end multi-iovec user SDMA requests hfi1 user SDMA request processing has two bugs that can cause data corruption for user SDMA requests that have multiple payload iovecs where an iovec other than the tail iovec does not run up to the page boundary for the buffer pointed to by that iovec.a Here are the specific bugs: 1. user_sdma_txadd() does not use struct user_sdma_iovec->iov.iov_len. Rather, user_sdma_txadd() will add up to PAGE_SIZE bytes from iovec to the packet, even if some of those bytes are past iovec->iov.iov_len and are thus not intended to be in the packet. 2. user_sdma_txadd() and user_sdma_send_pkts() fail to advance to the next iovec in user_sdma_request->iovs when the current iovec is not PAGE_SIZE and does not contain enough data to complete the packet. The transmitted packet will contain the wrong data from the iovec pages. This has not been an issue with SDMA packets from hfi1 Verbs or PSM2 because they only produce iovecs that end short of PAGE_SIZE as the tail iovec of an SDMA request. Fixing these bugs exposes other bugs with the SDMA pin cache (struct mmu_rb_handler) that get in way of supporting user SDMA requests with multiple payload iovecs whose buffers do not end at PAGE_SIZE. So this commit fixes those issues as well. Here are the mmu_rb_handler bugs that non-PAGE_SIZE-end multi-iovec payload user SDMA requests can hit: 1. Overlapping memory ranges in mmu_rb_handler will result in duplicate pinnings. 2. When extending an existing mmu_rb_handler entry (struct mmu_rb_node), the mmu_rb code (1) removes the existing entry under a lock, (2) releases that lock, pins the new pages, (3) then reacquires the lock to insert the extended mmu_rb_node. If someone else comes in and inserts an overlapping entry between (2) and (3), insert in (3) will fail. The failure path code in this case unpins _all_ pages in either the original mmu_rb_node or the new mmu_rb_node that was inserted between (2) and (3). 3. In hfi1_mmu_rb_remove_unless_exact(), mmu_rb_node->refcount is incremented outside of mmu_rb_handler->lock. As a result, mmu_rb_node could be evicted by another thread that gets mmu_rb_handler->lock and checks mmu_rb_node->refcount before mmu_rb_node->refcount is incremented. 4. Related to #2 above, SDMA request submission failure path does not check mmu_rb_node->refcount before freeing mmu_rb_node object. If there are other SDMA requests in progress whose iovecs have pointers to the now-freed mmu_rb_node(s), those pointers to the now-freed mmu_rb nodes will be dereferenced when those SDMA requests complete. CVE-2023-52474 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 low In the Linux kernel, the following vulnerability has been resolved: Input: powermate - fix use-after-free in powermate_config_complete syzbot has found a use-after-free bug [1] in the powermate driver. This happens when the device is disconnected, which leads to a memory free from the powermate_device struct. When an asynchronous control message completes after the kfree and its callback is invoked, the lock does not exist anymore and hence the bug. Use usb_kill_urb() on pm->config to cancel any in-progress requests upon device disconnection. [1] https://syzkaller.appspot.com/bug?extid=0434ac83f907a1dbdd1e CVE-2023-52475 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: perf/x86/lbr: Filter vsyscall addresses We found that a panic can occur when a vsyscall is made while LBR sampling is active. If the vsyscall is interrupted (NMI) for perf sampling, this call sequence can occur (most recent at top): __insn_get_emulate_prefix() insn_get_emulate_prefix() insn_get_prefixes() insn_get_opcode() decode_branch_type() get_branch_type() intel_pmu_lbr_filter() intel_pmu_handle_irq() perf_event_nmi_handler() Within __insn_get_emulate_prefix() at frame 0, a macro is called: peek_nbyte_next(insn_byte_t, insn, i) Within this macro, this dereference occurs: (insn)->next_byte Inspecting registers at this point, the value of the next_byte field is the address of the vsyscall made, for example the location of the vsyscall version of gettimeofday() at 0xffffffffff600000. The access to an address in the vsyscall region will trigger an oops due to an unhandled page fault. To fix the bug, filtering for vsyscalls can be done when determining the branch type. This patch will return a "none" branch if a kernel address if found to lie in the vsyscall region. CVE-2023-52476 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: usb: hub: Guard against accesses to uninitialized BOS descriptors Many functions in drivers/usb/core/hub.c and drivers/usb/core/hub.h access fields inside udev->bos without checking if it was allocated and initialized. If usb_get_bos_descriptor() fails for whatever reason, udev->bos will be NULL and those accesses will result in a crash: BUG: kernel NULL pointer dereference, address: 0000000000000018 PGD 0 P4D 0 Oops: 0000 [#1] PREEMPT SMP NOPTI CPU: 5 PID: 17818 Comm: kworker/5:1 Tainted: G W 5.15.108-18910-gab0e1cb584e1 #1 <HASH:1f9e 1> Hardware name: Google Kindred/Kindred, BIOS Google_Kindred.12672.413.0 02/03/2021 Workqueue: usb_hub_wq hub_event RIP: 0010:hub_port_reset+0x193/0x788 Code: 89 f7 e8 20 f7 15 00 48 8b 43 08 80 b8 96 03 00 00 03 75 36 0f b7 88 92 03 00 00 81 f9 10 03 00 00 72 27 48 8b 80 a8 03 00 00 <48> 83 78 18 00 74 19 48 89 df 48 8b 75 b0 ba 02 00 00 00 4c 89 e9 RSP: 0018:ffffab740c53fcf8 EFLAGS: 00010246 RAX: 0000000000000000 RBX: ffffa1bc5f678000 RCX: 0000000000000310 RDX: fffffffffffffdff RSI: 0000000000000286 RDI: ffffa1be9655b840 RBP: ffffab740c53fd70 R08: 00001b7d5edaa20c R09: ffffffffb005e060 R10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000000 R13: ffffab740c53fd3e R14: 0000000000000032 R15: 0000000000000000 FS: 0000000000000000(0000) GS:ffffa1be96540000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000018 CR3: 000000022e80c005 CR4: 00000000003706e0 Call Trace: hub_event+0x73f/0x156e ? hub_activate+0x5b7/0x68f process_one_work+0x1a2/0x487 worker_thread+0x11a/0x288 kthread+0x13a/0x152 ? process_one_work+0x487/0x487 ? kthread_associate_blkcg+0x70/0x70 ret_from_fork+0x1f/0x30 Fall back to a default behavior if the BOS descriptor isn't accessible and skip all the functionalities that depend on it: LPM support checks, Super Speed capabilitiy checks, U1/U2 states setup. CVE-2023-52477 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: HID: logitech-hidpp: Fix kernel crash on receiver USB disconnect hidpp_connect_event() has *four* time-of-check vs time-of-use (TOCTOU) races when it races with itself. hidpp_connect_event() primarily runs from a workqueue but it also runs on probe() and if a "device-connected" packet is received by the hw when the thread running hidpp_connect_event() from probe() is waiting on the hw, then a second thread running hidpp_connect_event() will be started from the workqueue. This opens the following races (note the below code is simplified): 1. Retrieving + printing the protocol (harmless race): if (!hidpp->protocol_major) { hidpp_root_get_protocol_version() hidpp->protocol_major = response.rap.params[0]; } We can actually see this race hit in the dmesg in the abrt output attached to rhbz#2227968: [ 3064.624215] logitech-hidpp-device 0003:046D:4071.0049: HID++ 4.5 device connected. [ 3064.658184] logitech-hidpp-device 0003:046D:4071.0049: HID++ 4.5 device connected. Testing with extra logging added has shown that after this the 2 threads take turn grabbing the hw access mutex (send_mutex) so they ping-pong through all the other TOCTOU cases managing to hit all of them: 2. Updating the name to the HIDPP name (harmless race): if (hidpp->name == hdev->name) { ... hidpp->name = new_name; } 3. Initializing the power_supply class for the battery (problematic!): hidpp_initialize_battery() { if (hidpp->battery.ps) return 0; probe_battery(); /* Blocks, threads take turns executing this */ hidpp->battery.desc.properties = devm_kmemdup(dev, hidpp_battery_props, cnt, GFP_KERNEL); hidpp->battery.ps = devm_power_supply_register(&hidpp->hid_dev->dev, &hidpp->battery.desc, cfg); } 4. Creating delayed input_device (potentially problematic): if (hidpp->delayed_input) return; hidpp->delayed_input = hidpp_allocate_input(hdev); The really big problem here is 3. Hitting the race leads to the following sequence: hidpp->battery.desc.properties = devm_kmemdup(dev, hidpp_battery_props, cnt, GFP_KERNEL); hidpp->battery.ps = devm_power_supply_register(&hidpp->hid_dev->dev, &hidpp->battery.desc, cfg); ... hidpp->battery.desc.properties = devm_kmemdup(dev, hidpp_battery_props, cnt, GFP_KERNEL); hidpp->battery.ps = devm_power_supply_register(&hidpp->hid_dev->dev, &hidpp->battery.desc, cfg); So now we have registered 2 power supplies for the same battery, which looks a bit weird from userspace's pov but this is not even the really big problem. Notice how: 1. This is all devm-maganaged 2. The hidpp->battery.desc struct is shared between the 2 power supplies 3. hidpp->battery.desc.properties points to the result from the second devm_kmemdup() This causes a use after free scenario on USB disconnect of the receiver: 1. The last registered power supply class device gets unregistered 2. The memory from the last devm_kmemdup() call gets freed, hidpp->battery.desc.properties now points to freed memory 3. The first registered power supply class device gets unregistered, this involves sending a remove uevent to userspace which invokes power_supply_uevent() to fill the uevent data 4. power_supply_uevent() uses hidpp->battery.desc.properties which now points to freed memory leading to backtraces like this one: Sep 22 20:01:35 eric kernel: BUG: unable to handle page fault for address: ffffb2140e017f08 ... Sep 22 20:01:35 eric kernel: Workqueue: usb_hub_wq hub_event Sep 22 20:01:35 eric kernel: RIP: 0010:power_supply_uevent+0xee/0x1d0 ... Sep 22 20:01:35 eric kernel: ? asm_exc_page_fault+0x26/0x30 Sep 22 20:01:35 eric kernel: ? power_supply_uevent+0xee/0x1d0 Sep 22 20:01:35 eric kernel: ? power_supply_uevent+0x10d/0x1d0 Sep 22 20:01:35 eric kernel: dev_uevent+0x10f/0x2d0 Sep 22 20:01:35 eric kernel: kobject_uevent_env+0x291/0x680 Sep 22 20:01:35 eric kernel: ---truncated--- CVE-2023-52478 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: x86/srso: Add SRSO mitigation for Hygon processors Add mitigation for the speculative return stack overflow vulnerability which exists on Hygon processors too. CVE-2023-52482 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: dmaengine: fix NULL pointer in channel unregistration function __dma_async_device_channel_register() can fail. In case of failure, chan->local is freed (with free_percpu()), and chan->local is nullified. When dma_async_device_unregister() is called (because of managed API or intentionally by DMA controller driver), channels are unconditionally unregistered, leading to this NULL pointer: [ 1.318693] Unable to handle kernel NULL pointer dereference at virtual address 00000000000000d0 [...] [ 1.484499] Call trace: [ 1.486930] device_del+0x40/0x394 [ 1.490314] device_unregister+0x20/0x7c [ 1.494220] __dma_async_device_channel_unregister+0x68/0xc0 Look at dma_async_device_register() function error path, channel device unregistration is done only if chan->local is not NULL. Then add the same condition at the beginning of __dma_async_device_channel_unregister() function, to avoid NULL pointer issue whatever the API used to reach this function. CVE-2023-52492 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: scsi: pm80xx: Avoid leaking tags when processing OPC_INB_SET_CONTROLLER_CONFIG command Tags allocated for OPC_INB_SET_CONTROLLER_CONFIG command need to be freed when we receive the response. CVE-2023-52500 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 low In the Linux kernel, the following vulnerability has been resolved: net: nfc: fix races in nfc_llcp_sock_get() and nfc_llcp_sock_get_sn() Sili Luo reported a race in nfc_llcp_sock_get(), leading to UAF. Getting a reference on the socket found in a lookup while holding a lock should happen before releasing the lock. nfc_llcp_sock_get_sn() has a similar problem. Finally nfc_llcp_recv_snl() needs to make sure the socket found by nfc_llcp_sock_from_sn() does not disappear. CVE-2023-52502 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: nvme-fc: Prevent null pointer dereference in nvme_fc_io_getuuid() The nvme_fc_fcp_op structure describing an AEN operation is initialized with a null request structure pointer. An FC LLDD may make a call to nvme_fc_io_getuuid passing a pointer to an nvmefc_fcp_req for an AEN operation. Add validation of the request structure pointer before dereference. CVE-2023-52508 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: fix potential key use-after-free When ieee80211_key_link() is called by ieee80211_gtk_rekey_add() but returns 0 due to KRACK protection (identical key reinstall), ieee80211_gtk_rekey_add() will still return a pointer into the key, in a potential use-after-free. This normally doesn't happen since it's only called by iwlwifi in case of WoWLAN rekey offload which has its own KRACK protection, but still better to fix, do that by returning an error code and converting that to success on the cfg80211 boundary only, leaving the error for bad callers of ieee80211_gtk_rekey_add(). CVE-2023-52530 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: wifi: iwlwifi: mvm: Fix a memory corruption issue A few lines above, space is kzalloc()'ed for: sizeof(struct iwl_nvm_data) + sizeof(struct ieee80211_channel) + sizeof(struct ieee80211_rate) 'mvm->nvm_data' is a 'struct iwl_nvm_data', so it is fine. At the end of this structure, there is the 'channels' flex array. Each element is of type 'struct ieee80211_channel'. So only 1 element is allocated in this array. When doing: mvm->nvm_data->bands[0].channels = mvm->nvm_data->channels; We point at the first element of the 'channels' flex array. So this is fine. However, when doing: mvm->nvm_data->bands[0].bitrates = (void *)((u8 *)mvm->nvm_data->channels + 1); because of the "(u8 *)" cast, we add only 1 to the address of the beginning of the flex array. It is likely that we want point at the 'struct ieee80211_rate' allocated just after. Remove the spurious casting so that the pointer arithmetic works as expected. CVE-2023-52531 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: net: mana: Fix TX CQE error handling For an unknown TX CQE error type (probably from a newer hardware), still free the SKB, update the queue tail, etc., otherwise the accounting will be wrong. Also, TX errors can be triggered by injecting corrupted packets, so replace the WARN_ONCE to ratelimited error logging. CVE-2023-52532 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: btrfs: remove BUG() after failure to insert delayed dir index item Instead of calling BUG() when we fail to insert a delayed dir index item into the delayed node's tree, we can just release all the resources we have allocated/acquired before and return the error to the caller. This is fine because all existing call chains undo anything they have done before calling btrfs_insert_delayed_dir_index() or BUG_ON (when creating pending snapshots in the transaction commit path). So remove the BUG() call and do proper error handling. This relates to a syzbot report linked below, but does not fix it because it only prevents hitting a BUG(), it does not fix the issue where somehow we attempt to use twice the same index number for different index items. CVE-2023-52569 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: team: fix null-ptr-deref when team device type is changed Get a null-ptr-deref bug as follows with reproducer [1]. BUG: kernel NULL pointer dereference, address: 0000000000000228 ... RIP: 0010:vlan_dev_hard_header+0x35/0x140 [8021q] ... Call Trace: <TASK> ? __die+0x24/0x70 ? page_fault_oops+0x82/0x150 ? exc_page_fault+0x69/0x150 ? asm_exc_page_fault+0x26/0x30 ? vlan_dev_hard_header+0x35/0x140 [8021q] ? vlan_dev_hard_header+0x8e/0x140 [8021q] neigh_connected_output+0xb2/0x100 ip6_finish_output2+0x1cb/0x520 ? nf_hook_slow+0x43/0xc0 ? ip6_mtu+0x46/0x80 ip6_finish_output+0x2a/0xb0 mld_sendpack+0x18f/0x250 mld_ifc_work+0x39/0x160 process_one_work+0x1e6/0x3f0 worker_thread+0x4d/0x2f0 ? __pfx_worker_thread+0x10/0x10 kthread+0xe5/0x120 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x34/0x50 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1b/0x30 [1] $ teamd -t team0 -d -c '{"runner": {"name": "loadbalance"}}' $ ip link add name t-dummy type dummy $ ip link add link t-dummy name t-dummy.100 type vlan id 100 $ ip link add name t-nlmon type nlmon $ ip link set t-nlmon master team0 $ ip link set t-nlmon nomaster $ ip link set t-dummy up $ ip link set team0 up $ ip link set t-dummy.100 down $ ip link set t-dummy.100 master team0 When enslave a vlan device to team device and team device type is changed from non-ether to ether, header_ops of team device is changed to vlan_header_ops. That is incorrect and will trigger null-ptr-deref for vlan->real_dev in vlan_dev_hard_header() because team device is not a vlan device. Cache eth_header_ops in team_setup(), then assign cached header_ops to header_ops of team net device when its type is changed from non-ether to ether to fix the bug. CVE-2023-52574 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. CVE-2023-52575 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: fix memleak when more than 255 elements expired When more than 255 elements expired we're supposed to switch to a new gc container structure. This never happens: u8 type will wrap before reaching the boundary and nft_trans_gc_space() always returns true. This means we recycle the initial gc container structure and lose track of the elements that came before. While at it, don't deref 'gc' after we've passed it to call_rcu. CVE-2023-52581 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: ceph: fix deadlock or deadcode of misusing dget() The lock order is incorrect between denty and its parent, we should always make sure that the parent get the lock first. But since this deadcode is never used and the parent dir will always be set from the callers, let's just remove it. CVE-2023-52583 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: reiserfs: Avoid touching renamed directory if parent does not change The VFS will not be locking moved directory if its parent does not change. Change reiserfs rename code to avoid touching renamed directory if its parent does not change as without locking that can corrupt the filesystem. CVE-2023-52591 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 important In the Linux kernel, the following vulnerability has been resolved: KVM: s390: fix setting of fpc register kvm_arch_vcpu_ioctl_set_fpu() allows to set the floating point control (fpc) register of a guest cpu. The new value is tested for validity by temporarily loading it into the fpc register. This may lead to corruption of the fpc register of the host process: if an interrupt happens while the value is temporarily loaded into the fpc register, and within interrupt context floating point or vector registers are used, the current fp/vx registers are saved with save_fpu_regs() assuming they belong to user space and will be loaded into fp/vx registers when returning to user space. test_fp_ctl() restores the original user space / host process fpc register value, however it will be discarded, when returning to user space. In result the host process will incorrectly continue to run with the value that was supposed to be used for a guest cpu. Fix this by simply removing the test. There is another test right before the SIE context is entered which will handles invalid values. This results in a change of behaviour: invalid values will now be accepted instead of that the ioctl fails with -EINVAL. This seems to be acceptable, given that this interface is most likely not used anymore, and this is in addition the same behaviour implemented with the memory mapped interface (replace invalid values with zero) - see sync_regs() in kvm-s390.c. CVE-2023-52597 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. CVE-2023-52605 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: powerpc/mm: Fix null-pointer dereference in pgtable_cache_add kasprintf() returns a pointer to dynamically allocated memory which can be NULL upon failure. Ensure the allocation was successful by checking the pointer validity. CVE-2023-52607 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: usb: aqc111: check packet for fixup for true limit If a device sends a packet that is inbetween 0 and sizeof(u64) the value passed to skb_trim() as length will wrap around ending up as some very large value. The driver will then proceed to parse the header located at that position, which will either oops or process some random value. The fix is to check against sizeof(u64) rather than 0, which the driver currently does. The issue exists since the introduction of the driver. CVE-2023-52655 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: powerpc/powernv: Add a null pointer check in opal_event_init() kasprintf() returns a pointer to dynamically allocated memory which can be NULL upon failure. CVE-2023-52686 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: sched/psi: Fix use-after-free in ep_remove_wait_queue() If a non-root cgroup gets removed when there is a thread that registered trigger and is polling on a pressure file within the cgroup, the polling waitqueue gets freed in the following path: do_rmdir cgroup_rmdir kernfs_drain_open_files cgroup_file_release cgroup_pressure_release psi_trigger_destroy However, the polling thread still has a reference to the pressure file and will access the freed waitqueue when the file is closed or upon exit: fput ep_eventpoll_release ep_free ep_remove_wait_queue remove_wait_queue This results in use-after-free as pasted below. The fundamental problem here is that cgroup_file_release() (and consequently waitqueue's lifetime) is not tied to the file's real lifetime. Using wake_up_pollfree() here might be less than ideal, but it is in line with the comment at commit 42288cb44c4b ("wait: add wake_up_pollfree()") since the waitqueue's lifetime is not tied to file's one and can be considered as another special case. While this would be fixable by somehow making cgroup_file_release() be tied to the fput(), it would require sizable refactoring at cgroups or higher layer which might be more justifiable if we identify more cases like this. BUG: KASAN: use-after-free in _raw_spin_lock_irqsave+0x60/0xc0 Write of size 4 at addr ffff88810e625328 by task a.out/4404 CPU: 19 PID: 4404 Comm: a.out Not tainted 6.2.0-rc6 #38 Hardware name: Amazon EC2 c5a.8xlarge/, BIOS 1.0 10/16/2017 Call Trace: <TASK> dump_stack_lvl+0x73/0xa0 print_report+0x16c/0x4e0 kasan_report+0xc3/0xf0 kasan_check_range+0x2d2/0x310 _raw_spin_lock_irqsave+0x60/0xc0 remove_wait_queue+0x1a/0xa0 ep_free+0x12c/0x170 ep_eventpoll_release+0x26/0x30 __fput+0x202/0x400 task_work_run+0x11d/0x170 do_exit+0x495/0x1130 do_group_exit+0x100/0x100 get_signal+0xd67/0xde0 arch_do_signal_or_restart+0x2a/0x2b0 exit_to_user_mode_prepare+0x94/0x100 syscall_exit_to_user_mode+0x20/0x40 do_syscall_64+0x52/0x90 entry_SYSCALL_64_after_hwframe+0x63/0xcd </TASK> Allocated by task 4404: kasan_set_track+0x3d/0x60 __kasan_kmalloc+0x85/0x90 psi_trigger_create+0x113/0x3e0 pressure_write+0x146/0x2e0 cgroup_file_write+0x11c/0x250 kernfs_fop_write_iter+0x186/0x220 vfs_write+0x3d8/0x5c0 ksys_write+0x90/0x110 do_syscall_64+0x43/0x90 entry_SYSCALL_64_after_hwframe+0x63/0xcd Freed by task 4407: kasan_set_track+0x3d/0x60 kasan_save_free_info+0x27/0x40 ____kasan_slab_free+0x11d/0x170 slab_free_freelist_hook+0x87/0x150 __kmem_cache_free+0xcb/0x180 psi_trigger_destroy+0x2e8/0x310 cgroup_file_release+0x4f/0xb0 kernfs_drain_open_files+0x165/0x1f0 kernfs_drain+0x162/0x1a0 __kernfs_remove+0x1fb/0x310 kernfs_remove_by_name_ns+0x95/0xe0 cgroup_addrm_files+0x67f/0x700 cgroup_destroy_locked+0x283/0x3c0 cgroup_rmdir+0x29/0x100 kernfs_iop_rmdir+0xd1/0x140 vfs_rmdir+0xfe/0x240 do_rmdir+0x13d/0x280 __x64_sys_rmdir+0x2c/0x30 do_syscall_64+0x43/0x90 entry_SYSCALL_64_after_hwframe+0x63/0xcd CVE-2023-52707 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: smb: client: fix use-after-free bug in cifs_debug_data_proc_show() Skip SMB sessions that are being teared down (e.g. @ses->ses_status == SES_EXITING) in cifs_debug_data_proc_show() to avoid use-after-free in @ses. This fixes the following GPF when reading from /proc/fs/cifs/DebugData while mounting and umounting [ 816.251274] general protection fault, probably for non-canonical address 0x6b6b6b6b6b6b6d81: 0000 [#1] PREEMPT SMP NOPTI ... [ 816.260138] Call Trace: [ 816.260329] <TASK> [ 816.260499] ? die_addr+0x36/0x90 [ 816.260762] ? exc_general_protection+0x1b3/0x410 [ 816.261126] ? asm_exc_general_protection+0x26/0x30 [ 816.261502] ? cifs_debug_tcon+0xbd/0x240 [cifs] [ 816.261878] ? cifs_debug_tcon+0xab/0x240 [cifs] [ 816.262249] cifs_debug_data_proc_show+0x516/0xdb0 [cifs] [ 816.262689] ? seq_read_iter+0x379/0x470 [ 816.262995] seq_read_iter+0x118/0x470 [ 816.263291] proc_reg_read_iter+0x53/0x90 [ 816.263596] ? srso_alias_return_thunk+0x5/0x7f [ 816.263945] vfs_read+0x201/0x350 [ 816.264211] ksys_read+0x75/0x100 [ 816.264472] do_syscall_64+0x3f/0x90 [ 816.264750] entry_SYSCALL_64_after_hwframe+0x6e/0xd8 [ 816.265135] RIP: 0033:0x7fd5e669d381 CVE-2023-52752 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 important In the Linux kernel, the following vulnerability has been resolved: Input: synaptics-rmi4 - fix use after free in rmi_unregister_function() The put_device() calls rmi_release_function() which frees "fn" so the dereference on the next line "fn->num_of_irqs" is a use after free. Move the put_device() to the end to fix this. CVE-2023-52840 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: soc: qcom: llcc: Handle a second device without data corruption Usually there is only one llcc device. But if there were a second, even a failed probe call would modify the global drv_data pointer. So check if drv_data is valid before overwriting it. CVE-2023-52871 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 important In the Linux kernel, the following vulnerability has been resolved: tty: n_gsm: require CAP_NET_ADMIN to attach N_GSM0710 ldisc Any unprivileged user can attach N_GSM0710 ldisc, but it requires CAP_NET_ADMIN to create a GSM network anyway. Require initial namespace CAP_NET_ADMIN to do that. CVE-2023-52880 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 important In the Linux kernel, the following vulnerability has been resolved: tcp: do not accept ACK of bytes we never sent This patch is based on a detailed report and ideas from Yepeng Pan and Christian Rossow. ACK seq validation is currently following RFC 5961 5.2 guidelines: The ACK value is considered acceptable only if it is in the range of ((SND.UNA - MAX.SND.WND) <= SEG.ACK <= SND.NXT). All incoming segments whose ACK value doesn't satisfy the above condition MUST be discarded and an ACK sent back. It needs to be noted that RFC 793 on page 72 (fifth check) says: "If the ACK is a duplicate (SEG.ACK < SND.UNA), it can be ignored. If the ACK acknowledges something not yet sent (SEG.ACK > SND.NXT) then send an ACK, drop the segment, and return". The "ignored" above implies that the processing of the incoming data segment continues, which means the ACK value is treated as acceptable. This mitigation makes the ACK check more stringent since any ACK < SND.UNA wouldn't be accepted, instead only ACKs that are in the range ((SND.UNA - MAX.SND.WND) <= SEG.ACK <= SND.NXT) get through. This can be refined for new (and possibly spoofed) flows, by not accepting ACK for bytes that were never sent. This greatly improves TCP security at a little cost. I added a Fixes: tag to make sure this patch will reach stable trees, even if the 'blamed' patch was adhering to the RFC. tp->bytes_acked was added in linux-4.2 Following packetdrill test (courtesy of Yepeng Pan) shows the issue at hand: 0 socket(..., SOCK_STREAM, IPPROTO_TCP) = 3 +0 setsockopt(3, SOL_SOCKET, SO_REUSEADDR, [1], 4) = 0 +0 bind(3, ..., ...) = 0 +0 listen(3, 1024) = 0 // ---------------- Handshake ------------------- // // when window scale is set to 14 the window size can be extended to // 65535 * (2^14) = 1073725440. Linux would accept an ACK packet // with ack number in (Server_ISN+1-1073725440. Server_ISN+1) // ,though this ack number acknowledges some data never // sent by the server. +0 < S 0:0(0) win 65535 <mss 1400,nop,wscale 14> +0 > S. 0:0(0) ack 1 <...> +0 < . 1:1(0) ack 1 win 65535 +0 accept(3, ..., ...) = 4 // For the established connection, we send an ACK packet, // the ack packet uses ack number 1 - 1073725300 + 2^32, // where 2^32 is used to wrap around. // Note: we used 1073725300 instead of 1073725440 to avoid possible // edge cases. // 1 - 1073725300 + 2^32 = 3221241997 // Oops, old kernels happily accept this packet. +0 < . 1:1001(1000) ack 3221241997 win 65535 // After the kernel fix the following will be replaced by a challenge ACK, // and prior malicious frame would be dropped. +0 > . 1:1(0) ack 1001 CVE-2023-52881 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.1969. CVE-2023-5344 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:vim-9.1.0330-150000.5.63.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:vim-data-common-9.1.0330-150000.5.63.1 low NSS was susceptible to a timing side-channel attack when performing RSA decryption. This attack could potentially allow an attacker to recover the private data. This vulnerability affects Firefox < 124, Firefox ESR < 115.9, and Thunderbird < 115.9. CVE-2023-5388 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:mozilla-nss-certs-3.101.2-150000.3.120.1 moderate NULL Pointer Dereference in GitHub repository vim/vim prior to 20d161ace307e28690229b68584f2d84556f8960. CVE-2023-5441 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:vim-9.1.0330-150000.5.63.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:vim-data-common-9.1.0330-150000.5.63.1 moderate A flaw in query-handling code can cause `named` to exit prematurely with an assertion failure when: - `nxdomain-redirect <domain>;` is configured, and - the resolver receives a PTR query for an RFC 1918 address that would normally result in an authoritative NXDOMAIN response. This issue affects BIND 9 versions 9.12.0 through 9.16.45, 9.18.0 through 9.18.21, 9.19.0 through 9.19.19, 9.16.8-S1 through 9.16.45-S1, and 9.18.11-S1 through 9.18.21-S1. CVE-2023-5517 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:bind-utils-9.16.6-150300.22.47.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libbind9-1600-9.16.6-150300.22.47.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libdns1605-9.16.6-150300.22.47.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libirs1601-9.16.6-150300.22.47.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libisc1606-9.16.6-150300.22.47.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libisccc1600-9.16.6-150300.22.47.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libisccfg1600-9.16.6-150300.22.47.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libns1604-9.16.6-150300.22.47.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:python3-bind-9.16.6-150300.22.47.1 important Use After Free in GitHub repository vim/vim prior to v9.0.2010. CVE-2023-5535 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:vim-9.1.0330-150000.5.63.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:vim-data-common-9.1.0330-150000.5.63.1 important Issue summary: Generating excessively long X9.42 DH keys or checking excessively long X9.42 DH keys or parameters may be very slow. Impact summary: Applications that use the functions DH_generate_key() to generate an X9.42 DH key may experience long delays. Likewise, applications that use DH_check_pub_key(), DH_check_pub_key_ex() or EVP_PKEY_public_check() to check an X9.42 DH key or X9.42 DH parameters may experience long delays. Where the key or parameters that are being checked have been obtained from an untrusted source this may lead to a Denial of Service. While DH_check() performs all the necessary checks (as of CVE-2023-3817), DH_check_pub_key() doesn't make any of these checks, and is therefore vulnerable for excessively large P and Q parameters. Likewise, while DH_generate_key() performs a check for an excessively large P, it doesn't check for an excessively large Q. An application that calls DH_generate_key() or DH_check_pub_key() and supplies a key or parameters obtained from an untrusted source could be vulnerable to a Denial of Service attack. DH_generate_key() and DH_check_pub_key() are also called by a number of other OpenSSL functions. An application calling any of those other functions may similarly be affected. The other functions affected by this are DH_check_pub_key_ex(), EVP_PKEY_public_check(), and EVP_PKEY_generate(). Also vulnerable are the OpenSSL pkey command line application when using the "-pubcheck" option, as well as the OpenSSL genpkey command line application. The OpenSSL SSL/TLS implementation is not affected by this issue. The OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue. CVE-2023-5678 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libopenssl1_1-1.1.1d-150200.11.91.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:openssl-1_1-1.1.1d-150200.11.91.1 moderate A heap out-of-bounds write vulnerability in the Linux kernel's Linux Kernel Performance Events (perf) component can be exploited to achieve local privilege escalation. If perf_read_group() is called while an event's sibling_list is smaller than its child's sibling_list, it can increment or write to memory locations outside of the allocated buffer. We recommend upgrading past commit 32671e3799ca2e4590773fd0e63aaa4229e50c06. CVE-2023-5717 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 important A vulnerability was found that the response times to malformed ciphertexts in RSA-PSK ClientKeyExchange differ from response times of ciphertexts with correct PKCS#1 v1.5 padding. CVE-2023-5981 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libgnutls30-3.6.7-150200.14.31.1 moderate A flaw was found in libssh. By utilizing the ProxyCommand or ProxyJump feature, users can exploit unchecked hostname syntax on the client. This issue may allow an attacker to inject malicious code into the command of the features mentioned through the hostname parameter. CVE-2023-6004 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libssh4-0.9.8-150200.13.6.2 moderate An out-of-bounds access vulnerability involving netfilter was reported and fixed as: f1082dd31fe4 (netfilter: nf_tables: Reject tables of unsupported family); While creating a new netfilter table, lack of a safeguard against invalid nf_tables family (pf) values within `nf_tables_newtable` function enables an attacker to achieve out-of-bounds access. CVE-2023-6040 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate An out-of-bounds read vulnerability was found in the NVMe-oF/TCP subsystem in the Linux kernel. This issue may allow a remote attacker to send a crafted TCP packet, triggering a heap-based buffer overflow that results in kmalloc data being printed and potentially leaked to the kernel ring buffer (dmesg). CVE-2023-6121 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate A null pointer dereference flaw was found in the Linux kernel API for the cryptographic algorithm scatterwalk functionality. This issue occurs when a user constructs a malicious packet with specific socket configuration, which could allow a local user to crash the system or escalate their privileges on the system. CVE-2023-6176 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 important A flaw was found in the ATA over Ethernet (AoE) driver in the Linux kernel. The aoecmd_cfg_pkts() function improperly updates the refcnt on `struct net_device`, and a use-after-free can be triggered by racing between the free on the struct and the access through the `skbtxq` global queue. This could lead to a denial of service condition or potential code execution. CVE-2023-6270 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate A flaw was found in the Linux kernel's NVMe driver. This issue may allow an unauthenticated malicious actor to send a set of crafted TCP packages when using NVMe over TCP, leading the NVMe driver to a NULL pointer dereference in the NVMe driver and causing kernel panic and a denial of service. CVE-2023-6356 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate To keep its cache database efficient, `named` running as a recursive resolver occasionally attempts to clean up the database. It uses several methods, including some that are asynchronous: a small chunk of memory pointing to the cache element that can be cleaned up is first allocated and then queued for later processing. It was discovered that if the resolver is continuously processing query patterns triggering this type of cache-database maintenance, `named` may not be able to handle the cleanup events in a timely manner. This in turn enables the list of queued cleanup events to grow infinitely large over time, allowing the configured `max-cache-size` limit to be significantly exceeded. This issue affects BIND 9 versions 9.16.0 through 9.16.45 and 9.16.8-S1 through 9.16.45-S1. CVE-2023-6516 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:bind-utils-9.16.6-150300.22.47.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libbind9-1600-9.16.6-150300.22.47.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libdns1605-9.16.6-150300.22.47.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libirs1601-9.16.6-150300.22.47.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libisc1606-9.16.6-150300.22.47.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libisccc1600-9.16.6-150300.22.47.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libisccfg1600-9.16.6-150300.22.47.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libns1604-9.16.6-150300.22.47.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:python3-bind-9.16.6-150300.22.47.1 important A use-after-free flaw was found in the Linux Kernel due to a race problem in the unix garbage collector's deletion of SKB races with unix_stream_read_generic() on the socket that the SKB is queued on. CVE-2023-6531 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate A flaw was found in the Linux kernel's NVMe driver. This issue may allow an unauthenticated malicious actor to send a set of crafted TCP packages when using NVMe over TCP, leading the NVMe driver to a NULL pointer dereference in the NVMe driver, causing kernel panic and a denial of service. CVE-2023-6535 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate A flaw was found in the Linux kernel's NVMe driver. This issue may allow an unauthenticated malicious actor to send a set of crafted TCP packages when using NVMe over TCP, leading the NVMe driver to a NULL pointer dereference in the NVMe driver, causing kernel panic and a denial of service. CVE-2023-6536 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate An issue was found in the CPython `tempfile.TemporaryDirectory` class affecting versions 3.12.1, 3.11.7, 3.10.13, 3.9.18, and 3.8.18 and prior. The tempfile.TemporaryDirectory class would dereference symlinks during cleanup of permissions-related errors. This means users which can run privileged programs are potentially able to modify permissions of files referenced by symlinks in some circumstances. CVE-2023-6597 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:python3-3.6.15-150300.10.65.2 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:python3-curses-3.6.15-150300.10.65.2 important An out-of-bounds read vulnerability was found in smbCalcSize in fs/smb/client/netmisc.c in the Linux Kernel. This issue could allow a local attacker to crash the system or leak internal kernel information. CVE-2023-6606 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate An out-of-bounds read vulnerability was found in smb2_dump_detail in fs/smb/client/smb2ops.c in the Linux Kernel. This issue could allow a local attacker to crash the system or leak internal kernel information. CVE-2023-6610 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate A use-after-free vulnerability in the Linux kernel's netfilter: nf_tables component can be exploited to achieve local privilege escalation. The function nft_pipapo_walk did not skip inactive elements during set walk which could lead double deactivations of PIPAPO (Pile Packet Policies) elements, leading to use-after-free. We recommend upgrading past commit 317eb9685095678f2c9f5a8189de698c5354316a. CVE-2023-6817 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate A Null pointer dereference problem was found in ida_free in lib/idr.c in the Linux Kernel. This issue may allow an attacker using this library to cause a denial of service problem due to a missing check at a function return. CVE-2023-6915 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate A flaw was found in the libssh implements abstract layer for message digest (MD) operations implemented by different supported crypto backends. The return values from these were not properly checked, which could cause low-memory situations failures, NULL dereferences, crashes, or usage of the uninitialized memory as an input for the KDF. In this case, non-matching keys will result in decryption/integrity failures, terminating the connection. CVE-2023-6918 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libssh4-0.9.8-150200.13.6.2 important A heap out-of-bounds write vulnerability in the Linux kernel's Performance Events system component can be exploited to achieve local privilege escalation. A perf_event's read_size can overflow, leading to an heap out-of-bounds increment or write in perf_read_group(). We recommend upgrading past commit 382c27f4ed28f803b1f1473ac2d8db0afc795a1b. CVE-2023-6931 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate A use-after-free vulnerability in the Linux kernel's ipv4: igmp component can be exploited to achieve local privilege escalation. A race condition can be exploited to cause a timer be mistakenly registered on a RCU read locked object which is freed by another thread. We recommend upgrading past commit e2b706c691905fe78468c361aaabc719d0a496f1. CVE-2023-6932 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate A null pointer dereference vulnerability was found in ath10k_wmi_tlv_op_pull_mgmt_tx_compl_ev() in drivers/net/wireless/ath/ath10k/wmi-tlv.c in the Linux kernel. This issue could be exploited to trigger a denial of service. CVE-2023-7042 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate A memory leak problem was found in ctnetlink_create_conntrack in net/netfilter/nf_conntrack_netlink.c in the Linux Kernel. This issue may allow a local attacker with CAP_NET_ADMIN privileges to cause a denial of service (DoS) attack due to a refcount overflow. CVE-2023-7192 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate Debian's cpio contains a path traversal vulnerability. This issue was introduced by reverting CVE-2015-1197 patches which had caused a regression in --no-absolute-filenames. Upstream has since provided a proper fix to --no-absolute-filenames. CVE-2023-7207 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:cpio-2.12-150000.3.12.1 low A vulnerability was found in vhost_new_msg in drivers/vhost/vhost.c in the Linux kernel, which does not properly initialize memory in messages passed between virtual guests and the host operating system in the vhost/vhost.c:vhost_new_msg() function. This issue can allow local privileged users to read some kernel memory contents when reading from the /dev/vhost-net device file. CVE-2024-0340 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 low A defect was discovered in the Python "ssl" module where there is a memory race condition with the ssl.SSLContext methods "cert_store_stats()" and "get_ca_certs()". The race condition can be triggered if the methods are called at the same time as certificates are loaded into the SSLContext, such as during the TLS handshake with a certificate directory configured. This issue is fixed in CPython 3.10.14, 3.11.9, 3.12.3, and 3.13.0a5. CVE-2024-0397 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:python3-3.6.15-150300.10.65.2 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:python3-curses-3.6.15-150300.10.65.2 moderate An issue was found in the CPython `zipfile` module affecting versions 3.12.1, 3.11.7, 3.10.13, 3.9.18, and 3.8.18 and prior. The zipfile module is vulnerable to "quoted-overlap" zip-bombs which exploit the zip format to create a zip-bomb with a high compression ratio. The fixed versions of CPython makes the zipfile module reject zip archives which overlap entries in the archive. CVE-2024-0450 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:python3-3.6.15-150300.10.65.2 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:python3-curses-3.6.15-150300.10.65.2 moderate A vulnerability was found in GnuTLS. The response times to malformed ciphertexts in RSA-PSK ClientKeyExchange differ from the response times of ciphertexts with correct PKCS#1 v1.5 padding. This issue may allow a remote attacker to perform a timing side-channel attack in the RSA-PSK key exchange, potentially leading to the leakage of sensitive data. CVE-2024-0553 is designated as an incomplete resolution for CVE-2023-5981. CVE-2024-0553 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libgnutls30-3.6.7-150200.14.31.1 moderate An out-of-bounds memory read flaw was found in receive_encrypted_standard in fs/smb/client/smb2ops.c in the SMB Client sub-component in the Linux Kernel. This issue occurs due to integer underflow on the memcpy length, leading to a denial of service. CVE-2024-0565 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 important A flaw was found in the Netfilter subsystem in the Linux kernel. The issue is in the nft_byteorder_eval() function, where the code iterates through a loop and writes to the `dst` array. On each iteration, 8 bytes are written, but `dst` is an array of u32, so each element only has space for 4 bytes. That means every iteration overwrites part of the previous element corrupting this array of u32. This flaw allows a local user to cause a denial of service or potentially break NetFilter functionality. CVE-2024-0607 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate A denial of service vulnerability due to a deadlock was found in sctp_auto_asconf_init in net/sctp/socket.c in the Linux kernel's SCTP subsystem. This flaw allows guests with local user privileges to trigger a deadlock and potentially crash the system. CVE-2024-0639 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate Issue summary: Processing a maliciously formatted PKCS12 file may lead OpenSSL to crash leading to a potential Denial of Service attack Impact summary: Applications loading files in the PKCS12 format from untrusted sources might terminate abruptly. A file in PKCS12 format can contain certificates and keys and may come from an untrusted source. The PKCS12 specification allows certain fields to be NULL, but OpenSSL does not correctly check for this case. This can lead to a NULL pointer dereference that results in OpenSSL crashing. If an application processes PKCS12 files from an untrusted source using the OpenSSL APIs then that application will be vulnerable to this issue. OpenSSL APIs that are vulnerable to this are: PKCS12_parse(), PKCS12_unpack_p7data(), PKCS12_unpack_p7encdata(), PKCS12_unpack_authsafes() and PKCS12_newpass(). We have also fixed a similar issue in SMIME_write_PKCS7(). However since this function is related to writing data we do not consider it security significant. The FIPS modules in 3.2, 3.1 and 3.0 are not affected by this issue. CVE-2024-0727 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libopenssl1_1-1.1.1d-150200.11.91.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:openssl-1_1-1.1.1d-150200.11.91.1 low A use-after-free flaw was found in the __ext4_remount in fs/ext4/super.c in ext4 in the Linux kernel. This flaw allows a local user to cause an information leak problem while freeing the old quota file names before a potential failure, leading to a use-after-free. CVE-2024-0775 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 important A null pointer dereference flaw was found in the hugetlbfs_fill_super function in the Linux kernel hugetlbfs (HugeTLB pages) functionality. This issue may allow a local user to crash the system or potentially escalate their privileges on the system. CVE-2024-0841 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate A use-after-free vulnerability in the Linux kernel's netfilter: nf_tables component can be exploited to achieve local privilege escalation. The nft_verdict_init() function allows positive values as drop error within the hook verdict, and hence the nf_hook_slow() function can cause a double free vulnerability when NF_DROP is issued with a drop error which resembles NF_ACCEPT. We recommend upgrading past commit f342de4e2f33e0e39165d8639387aa6c19dff660. CVE-2024-1086 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 important A vulnerability was reported in the Open vSwitch sub-component in the Linux Kernel. The flaw occurs when a recursive operation of code push recursively calls into the code block. The OVS module does not validate the stack depth, pushing too many frames and causing a stack overflow. As a result, this can lead to a crash or other related issues. CVE-2024-1151 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate Resolver caches and authoritative zone databases that hold significant numbers of RRs for the same hostname (of any RTYPE) can suffer from degraded performance as content is being added or updated, and also when handling client queries for this name. This issue affects BIND 9 versions 9.11.0 through 9.11.37, 9.16.0 through 9.16.50, 9.18.0 through 9.18.27, 9.19.0 through 9.19.24, 9.11.4-S1 through 9.11.37-S1, 9.16.8-S1 through 9.16.50-S1, and 9.18.11-S1 through 9.18.27-S1. CVE-2024-1737 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:bind-utils-9.16.6-150300.22.47.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libbind9-1600-9.16.6-150300.22.47.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libdns1605-9.16.6-150300.22.47.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libirs1601-9.16.6-150300.22.47.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libisc1606-9.16.6-150300.22.47.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libisccc1600-9.16.6-150300.22.47.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libisccfg1600-9.16.6-150300.22.47.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libns1604-9.16.6-150300.22.47.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:python3-bind-9.16.6-150300.22.47.1 important If a server hosts a zone containing a "KEY" Resource Record, or a resolver DNSSEC-validates a "KEY" Resource Record from a DNSSEC-signed domain in cache, a client can exhaust resolver CPU resources by sending a stream of SIG(0) signed requests. This issue affects BIND 9 versions 9.0.0 through 9.11.37, 9.16.0 through 9.16.50, 9.18.0 through 9.18.27, 9.19.0 through 9.19.24, 9.9.3-S1 through 9.11.37-S1, 9.16.8-S1 through 9.16.49-S1, and 9.18.11-S1 through 9.18.27-S1. CVE-2024-1975 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:bind-utils-9.16.6-150300.22.47.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libbind9-1600-9.16.6-150300.22.47.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libdns1605-9.16.6-150300.22.47.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libirs1601-9.16.6-150300.22.47.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libisc1606-9.16.6-150300.22.47.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libisccc1600-9.16.6-150300.22.47.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libisccfg1600-9.16.6-150300.22.47.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libns1604-9.16.6-150300.22.47.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:python3-bind-9.16.6-150300.22.47.1 important runc is a CLI tool for spawning and running containers on Linux according to the OCI specification. In runc 1.1.11 and earlier, due to an internal file descriptor leak, an attacker could cause a newly-spawned container process (from runc exec) to have a working directory in the host filesystem namespace, allowing for a container escape by giving access to the host filesystem ("attack 2"). The same attack could be used by a malicious image to allow a container process to gain access to the host filesystem through runc run ("attack 1"). Variants of attacks 1 and 2 could be also be used to overwrite semi-arbitrary host binaries, allowing for complete container escapes ("attack 3a" and "attack 3b"). runc 1.1.12 includes patches for this issue. CVE-2024-21626 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:runc-1.1.13-150000.67.1 important A Speculative Race Condition (SRC) vulnerability that impacts modern CPU architectures supporting speculative execution (related to Spectre V1) has been disclosed. An unauthenticated attacker can exploit this vulnerability to disclose arbitrary data from the CPU using race conditions to access the speculative executable code paths. CVE-2024-2193 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:xen-libs-4.14.6_16-150300.3.75.1 moderate A cross-privilege Spectre v2 vulnerability allows attackers to bypass all deployed mitigations, including the recent Fine(IBT), and to leak arbitrary Linux kernel memory on Intel systems. CVE-2024-2201 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:xen-libs-4.14.6_16-150300.3.75.1 moderate NULL Pointer Dereference vulnerability in Linux Linux kernel kernel on Linux, x86, ARM (net, bluetooth modules) allows Overflow Buffers. This vulnerability is associated with program files /net/bluetooth/rfcomm/core.C. This issue affects Linux kernel: v2.6.12-rc2. CVE-2024-22099 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate Jinja is an extensible templating engine. Special placeholders in the template allow writing code similar to Python syntax. It is possible to inject arbitrary HTML attributes into the rendered HTML template, potentially leading to Cross-Site Scripting (XSS). The Jinja `xmlattr` filter can be abused to inject arbitrary HTML attribute keys and values, bypassing the auto escaping mechanism and potentially leading to XSS. It may also be possible to bypass attribute validation checks if they are blacklist-based. CVE-2024-22195 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:python3-Jinja2-2.10.1-150000.3.13.1 moderate Syndic cache directory creation is vulnerable to a directory traversal attack in salt project which can lead a malicious attacker to create an arbitrary directory on a Salt master. CVE-2024-22231 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:python3-salt-3006.0-150300.53.79.2 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:salt-3006.0-150300.53.79.2 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:salt-minion-3006.0-150300.53.79.2 moderate A specially crafted url can be created which leads to a directory traversal in the salt file server. A malicious user can read an arbitrary file from a Salt master's filesystem. CVE-2024-22232 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:python3-salt-3006.0-150300.53.79.2 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:salt-3006.0-150300.53.79.2 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:salt-minion-3006.0-150300.53.79.2 important Vim before 9.0.2142 has a stack-based buffer overflow because did_set_langmap in map.c calls sprintf to write to the error buffer that is passed down to the option callback functions. CVE-2024-22667 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:vim-9.1.0330-150000.5.63.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:vim-data-common-9.1.0330-150000.5.63.1 important Integer Overflow or Wraparound vulnerability in Linux Linux kernel kernel on Linux, x86, ARM (md, raid, raid5 modules) allows Forced Integer Overflow. CVE-2024-23307 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 important BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner. Two malicious build steps running in parallel sharing the same cache mounts with subpaths could cause a race condition that can lead to files from the host system being accessible to the build container. The issue has been fixed in v0.12.5. Workarounds include, avoiding using BuildKit frontend from an untrusted source or building an untrusted Dockerfile containing cache mounts with --mount=type=cache,source=... options. CVE-2024-23651 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:docker-25.0.6_ce-150000.203.1 important BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner. A malicious BuildKit frontend or Dockerfile using RUN --mount could trick the feature that removes empty files created for the mountpoints into removing a file outside the container, from the host system. The issue has been fixed in v0.12.5. Workarounds include avoiding using BuildKit frontends from an untrusted source or building an untrusted Dockerfile containing RUN --mount feature. CVE-2024-23652 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:docker-25.0.6_ce-150000.203.1 moderate BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner. In addition to running containers as build steps, BuildKit also provides APIs for running interactive containers based on built images. It was possible to use these APIs to ask BuildKit to run a container with elevated privileges. Normally, running such containers is only allowed if special `security.insecure` entitlement is enabled both by buildkitd configuration and allowed by the user initializing the build request. The issue has been fixed in v0.12.5 . Avoid using BuildKit frontends from untrusted sources. CVE-2024-23653 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:docker-25.0.6_ce-150000.203.1 moderate In rds_recv_track_latency in net/rds/af_rds.c in the Linux kernel through 6.7.1, there is an off-by-one error for an RDS_MSG_RX_DGRAM_TRACE_MAX comparison, resulting in out-of-bounds access. CVE-2024-23849 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate copy_params in drivers/md/dm-ioctl.c in the Linux kernel through 6.7.1 can attempt to allocate more than INT_MAX bytes, and crash, because of a missing param_kernel->data_size check. This is related to ctl_ioctl. CVE-2024-23851 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate When an application tells libcurl it wants to allow HTTP/2 server push, and the amount of received headers for the push surpasses the maximum allowed limit (1000), libcurl aborts the server push. When aborting, libcurl inadvertently does not free all the previously allocated headers and instead leaks the memory. Further, this error condition fails silently and is therefore not easily detected by an application. CVE-2024-2398 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:curl-7.66.0-150200.4.72.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libcurl4-7.66.0-150200.4.72.1 moderate An issue was discovered in libxml2 before 2.11.7 and 2.12.x before 2.12.5. When using the XML Reader interface with DTD validation and XInclude expansion enabled, processing crafted XML documents can lead to an xmlValidatePopElement use-after-free. CVE-2024-25062 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libxml2-2-2.9.7-150000.3.70.1 important Issue summary: Some non-default TLS server configurations can cause unbounded memory growth when processing TLSv1.3 sessions Impact summary: An attacker may exploit certain server configurations to trigger unbounded memory growth that would lead to a Denial of Service This problem can occur in TLSv1.3 if the non-default SSL_OP_NO_TICKET option is being used (but not if early_data support is also configured and the default anti-replay protection is in use). In this case, under certain conditions, the session cache can get into an incorrect state and it will fail to flush properly as it fills. The session cache will continue to grow in an unbounded manner. A malicious client could deliberately create the scenario for this failure to force a Denial of Service. It may also happen by accident in normal operation. This issue only affects TLS servers supporting TLSv1.3. It does not affect TLS clients. The FIPS modules in 3.2, 3.1 and 3.0 are not affected by this issue. OpenSSL 1.0.2 is also not affected by this issue. CVE-2024-2511 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libopenssl1_1-1.1.1d-150200.11.91.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:openssl-1_1-1.1.1d-150200.11.91.1 moderate c-ares is a C library for asynchronous DNS requests. `ares__read_line()` is used to parse local configuration files such as `/etc/resolv.conf`, `/etc/nsswitch.conf`, the `HOSTALIASES` file, and if using a c-ares version prior to 1.27.0, the `/etc/hosts` file. If any of these configuration files has an embedded `NULL` character as the first character in a new line, it can lead to attempting to read memory prior to the start of the given buffer which may result in a crash. This issue is fixed in c-ares 1.27.0. No known workarounds exist. CVE-2024-25629 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libcares2-1.19.1-150000.3.26.1 moderate Kerberos 5 (aka krb5) 1.21.2 contains a memory leak in /krb5/src/lib/rpc/pmap_rmt.c. CVE-2024-26458 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:krb5-1.19.2-150300.19.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:krb5-client-1.19.2-150300.19.1 important Kerberos 5 (aka krb5) 1.21.2 contains a memory leak vulnerability in /krb5/src/lib/gssapi/krb5/k5sealv3.c. CVE-2024-26461 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:krb5-1.19.2-150300.19.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:krb5-client-1.19.2-150300.19.1 moderate In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_set_rbtree: skip end interval element from gc rbtree lazy gc on insert might collect an end interval element that has been just added in this transactions, skip end interval elements that are not yet active. CVE-2024-26581 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: tls: fix race between tx work scheduling and socket close Similarly to previous commit, the submitting thread (recvmsg/sendmsg) may exit as soon as the async crypto handler calls complete(). Reorder scheduling the work before calling complete(). This seems more logical in the first place, as it's the inverse order of what the submitting thread will do. CVE-2024-26585 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: mlxsw: spectrum_acl_tcam: Fix stack corruption When tc filters are first added to a net device, the corresponding local port gets bound to an ACL group in the device. The group contains a list of ACLs. In turn, each ACL points to a different TCAM region where the filters are stored. During forwarding, the ACLs are sequentially evaluated until a match is found. One reason to place filters in different regions is when they are added with decreasing priorities and in an alternating order so that two consecutive filters can never fit in the same region because of their key usage. In Spectrum-2 and newer ASICs the firmware started to report that the maximum number of ACLs in a group is more than 16, but the layout of the register that configures ACL groups (PAGT) was not updated to account for that. It is therefore possible to hit stack corruption [1] in the rare case where more than 16 ACLs in a group are required. Fix by limiting the maximum ACL group size to the minimum between what the firmware reports and the maximum ACLs that fit in the PAGT register. Add a test case to make sure the machine does not crash when this condition is hit. [1] Kernel panic - not syncing: stack-protector: Kernel stack is corrupted in: mlxsw_sp_acl_tcam_group_update+0x116/0x120 [...] dump_stack_lvl+0x36/0x50 panic+0x305/0x330 __stack_chk_fail+0x15/0x20 mlxsw_sp_acl_tcam_group_update+0x116/0x120 mlxsw_sp_acl_tcam_group_region_attach+0x69/0x110 mlxsw_sp_acl_tcam_vchunk_get+0x492/0xa20 mlxsw_sp_acl_tcam_ventry_add+0x25/0xe0 mlxsw_sp_acl_rule_add+0x47/0x240 mlxsw_sp_flower_replace+0x1a9/0x1d0 tc_setup_cb_add+0xdc/0x1c0 fl_hw_replace_filter+0x146/0x1f0 fl_change+0xc17/0x1360 tc_new_tfilter+0x472/0xb90 rtnetlink_rcv_msg+0x313/0x3b0 netlink_rcv_skb+0x58/0x100 netlink_unicast+0x244/0x390 netlink_sendmsg+0x1e4/0x440 ____sys_sendmsg+0x164/0x260 ___sys_sendmsg+0x9a/0xe0 __sys_sendmsg+0x7a/0xc0 do_syscall_64+0x40/0xe0 entry_SYSCALL_64_after_hwframe+0x63/0x6b CVE-2024-26586 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: bpf: Reject variable offset alu on PTR_TO_FLOW_KEYS For PTR_TO_FLOW_KEYS, check_flow_keys_access() only uses fixed off for validation. However, variable offset ptr alu is not prohibited for this ptr kind. So the variable offset is not checked. The following prog is accepted: func#0 @0 0: R1=ctx() R10=fp0 0: (bf) r6 = r1 ; R1=ctx() R6_w=ctx() 1: (79) r7 = *(u64 *)(r6 +144) ; R6_w=ctx() R7_w=flow_keys() 2: (b7) r8 = 1024 ; R8_w=1024 3: (37) r8 /= 1 ; R8_w=scalar() 4: (57) r8 &= 1024 ; R8_w=scalar(smin=smin32=0, smax=umax=smax32=umax32=1024,var_off=(0x0; 0x400)) 5: (0f) r7 += r8 mark_precise: frame0: last_idx 5 first_idx 0 subseq_idx -1 mark_precise: frame0: regs=r8 stack= before 4: (57) r8 &= 1024 mark_precise: frame0: regs=r8 stack= before 3: (37) r8 /= 1 mark_precise: frame0: regs=r8 stack= before 2: (b7) r8 = 1024 6: R7_w=flow_keys(smin=smin32=0,smax=umax=smax32=umax32=1024,var_off =(0x0; 0x400)) R8_w=scalar(smin=smin32=0,smax=umax=smax32=umax32=1024, var_off=(0x0; 0x400)) 6: (79) r0 = *(u64 *)(r7 +0) ; R0_w=scalar() 7: (95) exit This prog loads flow_keys to r7, and adds the variable offset r8 to r7, and finally causes out-of-bounds access: BUG: unable to handle page fault for address: ffffc90014c80038 [...] Call Trace: <TASK> bpf_dispatcher_nop_func include/linux/bpf.h:1231 [inline] __bpf_prog_run include/linux/filter.h:651 [inline] bpf_prog_run include/linux/filter.h:658 [inline] bpf_prog_run_pin_on_cpu include/linux/filter.h:675 [inline] bpf_flow_dissect+0x15f/0x350 net/core/flow_dissector.c:991 bpf_prog_test_run_flow_dissector+0x39d/0x620 net/bpf/test_run.c:1359 bpf_prog_test_run kernel/bpf/syscall.c:4107 [inline] __sys_bpf+0xf8f/0x4560 kernel/bpf/syscall.c:5475 __do_sys_bpf kernel/bpf/syscall.c:5561 [inline] __se_sys_bpf kernel/bpf/syscall.c:5559 [inline] __x64_sys_bpf+0x73/0xb0 kernel/bpf/syscall.c:5559 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0x3f/0x110 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x63/0x6b Fix this by rejecting ptr alu with variable offset on flow_keys. Applying the patch rejects the program with "R7 pointer arithmetic on flow_keys prohibited". CVE-2024-26589 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: i2c: i801: Fix block process call transactions According to the Intel datasheets, software must reset the block buffer index twice for block process call transactions: once before writing the outgoing data to the buffer, and once again before reading the incoming data from the buffer. The driver is currently missing the second reset, causing the wrong portion of the block buffer to be read. CVE-2024-26593 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: mlxsw: spectrum_acl_tcam: Fix NULL pointer dereference in error path When calling mlxsw_sp_acl_tcam_region_destroy() from an error path after failing to attach the region to an ACL group, we hit a NULL pointer dereference upon 'region->group->tcam' [1]. Fix by retrieving the 'tcam' pointer using mlxsw_sp_acl_to_tcam(). [1] BUG: kernel NULL pointer dereference, address: 0000000000000000 [...] RIP: 0010:mlxsw_sp_acl_tcam_region_destroy+0xa0/0xd0 [...] Call Trace: mlxsw_sp_acl_tcam_vchunk_get+0x88b/0xa20 mlxsw_sp_acl_tcam_ventry_add+0x25/0xe0 mlxsw_sp_acl_rule_add+0x47/0x240 mlxsw_sp_flower_replace+0x1a9/0x1d0 tc_setup_cb_add+0xdc/0x1c0 fl_hw_replace_filter+0x146/0x1f0 fl_change+0xc17/0x1360 tc_new_tfilter+0x472/0xb90 rtnetlink_rcv_msg+0x313/0x3b0 netlink_rcv_skb+0x58/0x100 netlink_unicast+0x244/0x390 netlink_sendmsg+0x1e4/0x440 ____sys_sendmsg+0x164/0x260 ___sys_sendmsg+0x9a/0xe0 __sys_sendmsg+0x7a/0xc0 do_syscall_64+0x40/0xe0 entry_SYSCALL_64_after_hwframe+0x63/0x6b CVE-2024-26595 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: phy: ti: phy-omap-usb2: Fix NULL pointer dereference for SRP If the external phy working together with phy-omap-usb2 does not implement send_srp(), we may still attempt to call it. This can happen on an idle Ethernet gadget triggering a wakeup for example: configfs-gadget.g1 gadget.0: ECM Suspend configfs-gadget.g1 gadget.0: Port suspended. Triggering wakeup ... Unable to handle kernel NULL pointer dereference at virtual address 00000000 when execute ... PC is at 0x0 LR is at musb_gadget_wakeup+0x1d4/0x254 [musb_hdrc] ... musb_gadget_wakeup [musb_hdrc] from usb_gadget_wakeup+0x1c/0x3c [udc_core] usb_gadget_wakeup [udc_core] from eth_start_xmit+0x3b0/0x3d4 [u_ether] eth_start_xmit [u_ether] from dev_hard_start_xmit+0x94/0x24c dev_hard_start_xmit from sch_direct_xmit+0x104/0x2e4 sch_direct_xmit from __dev_queue_xmit+0x334/0xd88 __dev_queue_xmit from arp_solicit+0xf0/0x268 arp_solicit from neigh_probe+0x54/0x7c neigh_probe from __neigh_event_send+0x22c/0x47c __neigh_event_send from neigh_resolve_output+0x14c/0x1c0 neigh_resolve_output from ip_finish_output2+0x1c8/0x628 ip_finish_output2 from ip_send_skb+0x40/0xd8 ip_send_skb from udp_send_skb+0x124/0x340 udp_send_skb from udp_sendmsg+0x780/0x984 udp_sendmsg from __sys_sendto+0xd8/0x158 __sys_sendto from ret_fast_syscall+0x0/0x58 Let's fix the issue by checking for send_srp() and set_vbus() before calling them. For USB peripheral only cases these both could be NULL. CVE-2024-26600 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: sched/membarrier: reduce the ability to hammer on sys_membarrier On some systems, sys_membarrier can be very expensive, causing overall slowdowns for everything. So put a lock on the path in order to serialize the accesses to prevent the ability for this to be called at too high of a frequency and saturate the machine. CVE-2024-26602 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/bridge: sii902x: Fix probing race issue A null pointer dereference crash has been observed rarely on TI platforms using sii9022 bridge: [ 53.271356] sii902x_get_edid+0x34/0x70 [sii902x] [ 53.276066] sii902x_bridge_get_edid+0x14/0x20 [sii902x] [ 53.281381] drm_bridge_get_edid+0x20/0x34 [drm] [ 53.286305] drm_bridge_connector_get_modes+0x8c/0xcc [drm_kms_helper] [ 53.292955] drm_helper_probe_single_connector_modes+0x190/0x538 [drm_kms_helper] [ 53.300510] drm_client_modeset_probe+0x1f0/0xbd4 [drm] [ 53.305958] __drm_fb_helper_initial_config_and_unlock+0x50/0x510 [drm_kms_helper] [ 53.313611] drm_fb_helper_initial_config+0x48/0x58 [drm_kms_helper] [ 53.320039] drm_fbdev_dma_client_hotplug+0x84/0xd4 [drm_dma_helper] [ 53.326401] drm_client_register+0x5c/0xa0 [drm] [ 53.331216] drm_fbdev_dma_setup+0xc8/0x13c [drm_dma_helper] [ 53.336881] tidss_probe+0x128/0x264 [tidss] [ 53.341174] platform_probe+0x68/0xc4 [ 53.344841] really_probe+0x188/0x3c4 [ 53.348501] __driver_probe_device+0x7c/0x16c [ 53.352854] driver_probe_device+0x3c/0x10c [ 53.357033] __device_attach_driver+0xbc/0x158 [ 53.361472] bus_for_each_drv+0x88/0xe8 [ 53.365303] __device_attach+0xa0/0x1b4 [ 53.369135] device_initial_probe+0x14/0x20 [ 53.373314] bus_probe_device+0xb0/0xb4 [ 53.377145] deferred_probe_work_func+0xcc/0x124 [ 53.381757] process_one_work+0x1f0/0x518 [ 53.385770] worker_thread+0x1e8/0x3dc [ 53.389519] kthread+0x11c/0x120 [ 53.392750] ret_from_fork+0x10/0x20 The issue here is as follows: - tidss probes, but is deferred as sii902x is still missing. - sii902x starts probing and enters sii902x_init(). - sii902x calls drm_bridge_add(). Now the sii902x bridge is ready from DRM's perspective. - sii902x calls sii902x_audio_codec_init() and platform_device_register_data() - The registration of the audio platform device causes probing of the deferred devices. - tidss probes, which eventually causes sii902x_bridge_get_edid() to be called. - sii902x_bridge_get_edid() tries to use the i2c to read the edid. However, the sii902x driver has not set up the i2c part yet, leading to the crash. Fix this by moving the drm_bridge_add() to the end of the sii902x_init(), which is also at the very end of sii902x_probe(). CVE-2024-26607 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: wifi: iwlwifi: fix a memory corruption iwl_fw_ini_trigger_tlv::data is a pointer to a __le32, which means that if we copy to iwl_fw_ini_trigger_tlv::data + offset while offset is in bytes, we'll write past the buffer. CVE-2024-26610 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 important In the Linux kernel, the following vulnerability has been resolved: tcp: make sure init the accept_queue's spinlocks once When I run syz's reproduction C program locally, it causes the following issue: pvqspinlock: lock 0xffff9d181cd5c660 has corrupted value 0x0! WARNING: CPU: 19 PID: 21160 at __pv_queued_spin_unlock_slowpath (kernel/locking/qspinlock_paravirt.h:508) Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011 RIP: 0010:__pv_queued_spin_unlock_slowpath (kernel/locking/qspinlock_paravirt.h:508) Code: 73 56 3a ff 90 c3 cc cc cc cc 8b 05 bb 1f 48 01 85 c0 74 05 c3 cc cc cc cc 8b 17 48 89 fe 48 c7 c7 30 20 ce 8f e8 ad 56 42 ff <0f> 0b c3 cc cc cc cc 0f 0b 0f 1f 40 00 90 90 90 90 90 90 90 90 90 RSP: 0018:ffffa8d200604cb8 EFLAGS: 00010282 RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffff9d1ef60e0908 RDX: 00000000ffffffd8 RSI: 0000000000000027 RDI: ffff9d1ef60e0900 RBP: ffff9d181cd5c280 R08: 0000000000000000 R09: 00000000ffff7fff R10: ffffa8d200604b68 R11: ffffffff907dcdc8 R12: 0000000000000000 R13: ffff9d181cd5c660 R14: ffff9d1813a3f330 R15: 0000000000001000 FS: 00007fa110184640(0000) GS:ffff9d1ef60c0000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000020000000 CR3: 000000011f65e000 CR4: 00000000000006f0 Call Trace: <IRQ> _raw_spin_unlock (kernel/locking/spinlock.c:186) inet_csk_reqsk_queue_add (net/ipv4/inet_connection_sock.c:1321) inet_csk_complete_hashdance (net/ipv4/inet_connection_sock.c:1358) tcp_check_req (net/ipv4/tcp_minisocks.c:868) tcp_v4_rcv (net/ipv4/tcp_ipv4.c:2260) ip_protocol_deliver_rcu (net/ipv4/ip_input.c:205) ip_local_deliver_finish (net/ipv4/ip_input.c:234) __netif_receive_skb_one_core (net/core/dev.c:5529) process_backlog (./include/linux/rcupdate.h:779) __napi_poll (net/core/dev.c:6533) net_rx_action (net/core/dev.c:6604) __do_softirq (./arch/x86/include/asm/jump_label.h:27) do_softirq (kernel/softirq.c:454 kernel/softirq.c:441) </IRQ> <TASK> __local_bh_enable_ip (kernel/softirq.c:381) __dev_queue_xmit (net/core/dev.c:4374) ip_finish_output2 (./include/net/neighbour.h:540 net/ipv4/ip_output.c:235) __ip_queue_xmit (net/ipv4/ip_output.c:535) __tcp_transmit_skb (net/ipv4/tcp_output.c:1462) tcp_rcv_synsent_state_process (net/ipv4/tcp_input.c:6469) tcp_rcv_state_process (net/ipv4/tcp_input.c:6657) tcp_v4_do_rcv (net/ipv4/tcp_ipv4.c:1929) __release_sock (./include/net/sock.h:1121 net/core/sock.c:2968) release_sock (net/core/sock.c:3536) inet_wait_for_connect (net/ipv4/af_inet.c:609) __inet_stream_connect (net/ipv4/af_inet.c:702) inet_stream_connect (net/ipv4/af_inet.c:748) __sys_connect (./include/linux/file.h:45 net/socket.c:2064) __x64_sys_connect (net/socket.c:2073 net/socket.c:2070 net/socket.c:2070) do_syscall_64 (arch/x86/entry/common.c:51 arch/x86/entry/common.c:82) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:129) RIP: 0033:0x7fa10ff05a3d Code: 5b 41 5c c3 66 0f 1f 84 00 00 00 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d ab a3 0e 00 f7 d8 64 89 01 48 RSP: 002b:00007fa110183de8 EFLAGS: 00000202 ORIG_RAX: 000000000000002a RAX: ffffffffffffffda RBX: 0000000020000054 RCX: 00007fa10ff05a3d RDX: 000000000000001c RSI: 0000000020000040 RDI: 0000000000000003 RBP: 00007fa110183e20 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000202 R12: 00007fa110184640 R13: 0000000000000000 R14: 00007fa10fe8b060 R15: 00007fff73e23b20 </TASK> The issue triggering process is analyzed as follows: Thread A Thread B tcp_v4_rcv //receive ack TCP packet inet_shutdown tcp_check_req tcp_disconnect //disconnect sock ... tcp_set_state(sk, TCP_CLOSE) inet_csk_complete_hashdance ... inet_csk_reqsk_queue_add ---truncated--- CVE-2024-26614 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: tomoyo: fix UAF write bug in tomoyo_write_control() Since tomoyo_write_control() updates head->write_buf when write() of long lines is requested, we need to fetch head->write_buf after head->io_sem is held. Otherwise, concurrent write() requests can cause use-after-free-write and double-free problems. CVE-2024-26622 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 important In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: disallow anonymous set with timeout flag Anonymous sets are never used with timeout from userspace, reject this. Exception to this rule is NFT_SET_EVAL to ensure legacy meters still work. CVE-2024-26642 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: mark set as dead when unbinding anonymous set with timeout While the rhashtable set gc runs asynchronously, a race allows it to collect elements from anonymous sets with timeouts while it is being released from the commit path. Mingi Cho originally reported this issue in a different path in 6.1.x with a pipapo set with low timeouts which is not possible upstream since 7395dfacfff6 ("netfilter: nf_tables: use timestamp to check for set element timeout"). Fix this by setting on the dead flag for anonymous sets to skip async gc in this case. According to 08e4c8c5919f ("netfilter: nf_tables: mark newset as dead on transaction abort"), Florian plans to accelerate abort path by releasing objects via workqueue, therefore, this sets on the dead flag for abort path too. CVE-2024-26643 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: ceph: prevent use-after-free in encode_cap_msg() In fs/ceph/caps.c, in encode_cap_msg(), "use after free" error was caught by KASAN at this line - 'ceph_buffer_get(arg->xattr_buf);'. This implies before the refcount could be increment here, it was freed. In same file, in "handle_cap_grant()" refcount is decremented by this line - 'ceph_buffer_put(ci->i_xattrs.blob);'. It appears that a race occurred and resource was freed by the latter line before the former line could increment it. encode_cap_msg() is called by __send_cap() and __send_cap() is called by ceph_check_caps() after calling __prep_cap(). __prep_cap() is where arg->xattr_buf is assigned to ci->i_xattrs.blob. This is the spot where the refcount must be increased to prevent "use after free" error. CVE-2024-26689 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: ext4: fix double-free of blocks due to wrong extents moved_len In ext4_move_extents(), moved_len is only updated when all moves are successfully executed, and only discards orig_inode and donor_inode preallocations when moved_len is not zero. When the loop fails to exit after successfully moving some extents, moved_len is not updated and remains at 0, so it does not discard the preallocations. If the moved extents overlap with the preallocated extents, the overlapped extents are freed twice in ext4_mb_release_inode_pa() and ext4_process_freed_data() (as described in commit 94d7c16cbbbd ("ext4: Fix double-free of blocks with EXT4_IOC_MOVE_EXT")), and bb_free is incremented twice. Hence when trim is executed, a zero-division bug is triggered in mb_update_avg_fragment_size() because bb_free is not zero and bb_fragments is zero. Therefore, update move_len after each extent move to avoid the issue. CVE-2024-26704 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: arp: Prevent overflow in arp_req_get(). syzkaller reported an overflown write in arp_req_get(). [0] When ioctl(SIOCGARP) is issued, arp_req_get() looks up an neighbour entry and copies neigh->ha to struct arpreq.arp_ha.sa_data. The arp_ha here is struct sockaddr, not struct sockaddr_storage, so the sa_data buffer is just 14 bytes. In the splat below, 2 bytes are overflown to the next int field, arp_flags. We initialise the field just after the memcpy(), so it's not a problem. However, when dev->addr_len is greater than 22 (e.g. MAX_ADDR_LEN), arp_netmask is overwritten, which could be set as htonl(0xFFFFFFFFUL) in arp_ioctl() before calling arp_req_get(). To avoid the overflow, let's limit the max length of memcpy(). Note that commit b5f0de6df6dc ("net: dev: Convert sa_data to flexible array in struct sockaddr") just silenced syzkaller. [0]: memcpy: detected field-spanning write (size 16) of single field "r->arp_ha.sa_data" at net/ipv4/arp.c:1128 (size 14) WARNING: CPU: 0 PID: 144638 at net/ipv4/arp.c:1128 arp_req_get+0x411/0x4a0 net/ipv4/arp.c:1128 Modules linked in: CPU: 0 PID: 144638 Comm: syz-executor.4 Not tainted 6.1.74 #31 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.0-debian-1.16.0-5 04/01/2014 RIP: 0010:arp_req_get+0x411/0x4a0 net/ipv4/arp.c:1128 Code: fd ff ff e8 41 42 de fb b9 0e 00 00 00 4c 89 fe 48 c7 c2 20 6d ab 87 48 c7 c7 80 6d ab 87 c6 05 25 af 72 04 01 e8 5f 8d ad fb <0f> 0b e9 6c fd ff ff e8 13 42 de fb be 03 00 00 00 4c 89 e7 e8 a6 RSP: 0018:ffffc900050b7998 EFLAGS: 00010286 RAX: 0000000000000000 RBX: ffff88803a815000 RCX: 0000000000000000 RDX: 0000000000000000 RSI: ffffffff8641a44a RDI: 0000000000000001 RBP: ffffc900050b7a98 R08: 0000000000000001 R09: 0000000000000000 R10: 0000000000000000 R11: 203a7970636d656d R12: ffff888039c54000 R13: 1ffff92000a16f37 R14: ffff88803a815084 R15: 0000000000000010 FS: 00007f172bf306c0(0000) GS:ffff88805aa00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f172b3569f0 CR3: 0000000057f12005 CR4: 0000000000770ef0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 PKRU: 55555554 Call Trace: <TASK> arp_ioctl+0x33f/0x4b0 net/ipv4/arp.c:1261 inet_ioctl+0x314/0x3a0 net/ipv4/af_inet.c:981 sock_do_ioctl+0xdf/0x260 net/socket.c:1204 sock_ioctl+0x3ef/0x650 net/socket.c:1321 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:870 [inline] __se_sys_ioctl fs/ioctl.c:856 [inline] __x64_sys_ioctl+0x18e/0x220 fs/ioctl.c:856 do_syscall_x64 arch/x86/entry/common.c:51 [inline] do_syscall_64+0x37/0x90 arch/x86/entry/common.c:81 entry_SYSCALL_64_after_hwframe+0x64/0xce RIP: 0033:0x7f172b262b8d Code: 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f172bf300b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 00007f172b3abf80 RCX: 00007f172b262b8d RDX: 0000000020000000 RSI: 0000000000008954 RDI: 0000000000000003 RBP: 00007f172b2d3493 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 000000000000000b R14: 00007f172b3abf80 R15: 00007f172bf10000 </TASK> CVE-2024-26733 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: net/sched: act_mirred: don't override retval if we already lost the skb If we're redirecting the skb, and haven't called tcf_mirred_forward(), yet, we need to tell the core to drop the skb by setting the retcode to SHOT. If we have called tcf_mirred_forward(), however, the skb is out of our hands and returning SHOT will lead to UaF. Move the retval override to the error path which actually need it. CVE-2024-26739 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: RDMA/srpt: Support specifying the srpt_service_guid parameter Make loading ib_srpt with this parameter set work. The current behavior is that setting that parameter while loading the ib_srpt kernel module triggers the following kernel crash: BUG: kernel NULL pointer dereference, address: 0000000000000000 Call Trace: <TASK> parse_one+0x18c/0x1d0 parse_args+0xe1/0x230 load_module+0x8de/0xa60 init_module_from_file+0x8b/0xd0 idempotent_init_module+0x181/0x240 __x64_sys_finit_module+0x5a/0xb0 do_syscall_64+0x5f/0xe0 entry_SYSCALL_64_after_hwframe+0x6e/0x76 CVE-2024-26744 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: x86, relocs: Ignore relocations in .notes section When building with CONFIG_XEN_PV=y, .text symbols are emitted into the .notes section so that Xen can find the "startup_xen" entry point. This information is used prior to booting the kernel, so relocations are not useful. In fact, performing relocations against the .notes section means that the KASLR base is exposed since /sys/kernel/notes is world-readable. To avoid leaking the KASLR base without breaking unprivileged tools that are expecting to read /sys/kernel/notes, skip performing relocations in the .notes section. The values readable in .notes are then identical to those found in System.map. CVE-2024-26816 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: smb: client: set correct id, uid and cruid for multiuser automounts When uid, gid and cruid are not specified, we need to dynamically set them into the filesystem context used for automounting otherwise they'll end up reusing the values from the parent mount. CVE-2024-26822 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: cifs: fix underflow in parse_server_interfaces() In this loop, we step through the buffer and after each item we check if the size_left is greater than the minimum size we need. However, the problem is that "bytes_left" is type ssize_t while sizeof() is type size_t. That means that because of type promotion, the comparison is done as an unsigned and if we have negative bytes left the loop continues instead of ending. CVE-2024-26828 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 important In the Linux kernel, the following vulnerability has been resolved: cachefiles: fix memory leak in cachefiles_add_cache() The following memory leak was reported after unbinding /dev/cachefiles: ================================================================== unreferenced object 0xffff9b674176e3c0 (size 192): comm "cachefilesd2", pid 680, jiffies 4294881224 hex dump (first 32 bytes): 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ backtrace (crc ea38a44b): [<ffffffff8eb8a1a5>] kmem_cache_alloc+0x2d5/0x370 [<ffffffff8e917f86>] prepare_creds+0x26/0x2e0 [<ffffffffc002eeef>] cachefiles_determine_cache_security+0x1f/0x120 [<ffffffffc00243ec>] cachefiles_add_cache+0x13c/0x3a0 [<ffffffffc0025216>] cachefiles_daemon_write+0x146/0x1c0 [<ffffffff8ebc4a3b>] vfs_write+0xcb/0x520 [<ffffffff8ebc5069>] ksys_write+0x69/0xf0 [<ffffffff8f6d4662>] do_syscall_64+0x72/0x140 [<ffffffff8f8000aa>] entry_SYSCALL_64_after_hwframe+0x6e/0x76 ================================================================== Put the reference count of cache_cred in cachefiles_daemon_unbind() to fix the problem. And also put cache_cred in cachefiles_add_cache() error branch to avoid memory leaks. CVE-2024-26840 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 low In the Linux kernel, the following vulnerability has been resolved: net/ipv6: avoid possible UAF in ip6_route_mpath_notify() syzbot found another use-after-free in ip6_route_mpath_notify() [1] Commit f7225172f25a ("net/ipv6: prevent use after free in ip6_route_mpath_notify") was not able to fix the root cause. We need to defer the fib6_info_release() calls after ip6_route_mpath_notify(), in the cleanup phase. [1] BUG: KASAN: slab-use-after-free in rt6_fill_node+0x1460/0x1ac0 Read of size 4 at addr ffff88809a07fc64 by task syz-executor.2/23037 CPU: 0 PID: 23037 Comm: syz-executor.2 Not tainted 6.8.0-rc4-syzkaller-01035-gea7f3cfaa588 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024 Call Trace: <TASK> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x1e7/0x2e0 lib/dump_stack.c:106 print_address_description mm/kasan/report.c:377 [inline] print_report+0x167/0x540 mm/kasan/report.c:488 kasan_report+0x142/0x180 mm/kasan/report.c:601 rt6_fill_node+0x1460/0x1ac0 inet6_rt_notify+0x13b/0x290 net/ipv6/route.c:6184 ip6_route_mpath_notify net/ipv6/route.c:5198 [inline] ip6_route_multipath_add net/ipv6/route.c:5404 [inline] inet6_rtm_newroute+0x1d0f/0x2300 net/ipv6/route.c:5517 rtnetlink_rcv_msg+0x885/0x1040 net/core/rtnetlink.c:6597 netlink_rcv_skb+0x1e3/0x430 net/netlink/af_netlink.c:2543 netlink_unicast_kernel net/netlink/af_netlink.c:1341 [inline] netlink_unicast+0x7ea/0x980 net/netlink/af_netlink.c:1367 netlink_sendmsg+0xa3b/0xd70 net/netlink/af_netlink.c:1908 sock_sendmsg_nosec net/socket.c:730 [inline] __sock_sendmsg+0x221/0x270 net/socket.c:745 ____sys_sendmsg+0x525/0x7d0 net/socket.c:2584 ___sys_sendmsg net/socket.c:2638 [inline] __sys_sendmsg+0x2b0/0x3a0 net/socket.c:2667 do_syscall_64+0xf9/0x240 entry_SYSCALL_64_after_hwframe+0x6f/0x77 RIP: 0033:0x7f73dd87dda9 Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f73de6550c8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 00007f73dd9ac050 RCX: 00007f73dd87dda9 RDX: 0000000000000000 RSI: 0000000020000140 RDI: 0000000000000005 RBP: 00007f73dd8ca47a R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 000000000000006e R14: 00007f73dd9ac050 R15: 00007ffdbdeb7858 </TASK> Allocated by task 23037: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x3f/0x80 mm/kasan/common.c:68 poison_kmalloc_redzone mm/kasan/common.c:372 [inline] __kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:389 kasan_kmalloc include/linux/kasan.h:211 [inline] __do_kmalloc_node mm/slub.c:3981 [inline] __kmalloc+0x22e/0x490 mm/slub.c:3994 kmalloc include/linux/slab.h:594 [inline] kzalloc include/linux/slab.h:711 [inline] fib6_info_alloc+0x2e/0xf0 net/ipv6/ip6_fib.c:155 ip6_route_info_create+0x445/0x12b0 net/ipv6/route.c:3758 ip6_route_multipath_add net/ipv6/route.c:5298 [inline] inet6_rtm_newroute+0x744/0x2300 net/ipv6/route.c:5517 rtnetlink_rcv_msg+0x885/0x1040 net/core/rtnetlink.c:6597 netlink_rcv_skb+0x1e3/0x430 net/netlink/af_netlink.c:2543 netlink_unicast_kernel net/netlink/af_netlink.c:1341 [inline] netlink_unicast+0x7ea/0x980 net/netlink/af_netlink.c:1367 netlink_sendmsg+0xa3b/0xd70 net/netlink/af_netlink.c:1908 sock_sendmsg_nosec net/socket.c:730 [inline] __sock_sendmsg+0x221/0x270 net/socket.c:745 ____sys_sendmsg+0x525/0x7d0 net/socket.c:2584 ___sys_sendmsg net/socket.c:2638 [inline] __sys_sendmsg+0x2b0/0x3a0 net/socket.c:2667 do_syscall_64+0xf9/0x240 entry_SYSCALL_64_after_hwframe+0x6f/0x77 Freed by task 16: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x3f/0x80 mm/kasan/common.c:68 kasan_save_free_info+0x4e/0x60 mm/kasan/generic.c:640 poison_slab_object+0xa6/0xe0 m ---truncated--- CVE-2024-26852 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 important In the Linux kernel, the following vulnerability has been resolved: packet: annotate data-races around ignore_outgoing ignore_outgoing is read locklessly from dev_queue_xmit_nit() and packet_getsockopt() Add appropriate READ_ONCE()/WRITE_ONCE() annotations. syzbot reported: BUG: KCSAN: data-race in dev_queue_xmit_nit / packet_setsockopt write to 0xffff888107804542 of 1 bytes by task 22618 on cpu 0: packet_setsockopt+0xd83/0xfd0 net/packet/af_packet.c:4003 do_sock_setsockopt net/socket.c:2311 [inline] __sys_setsockopt+0x1d8/0x250 net/socket.c:2334 __do_sys_setsockopt net/socket.c:2343 [inline] __se_sys_setsockopt net/socket.c:2340 [inline] __x64_sys_setsockopt+0x66/0x80 net/socket.c:2340 do_syscall_64+0xd3/0x1d0 entry_SYSCALL_64_after_hwframe+0x6d/0x75 read to 0xffff888107804542 of 1 bytes by task 27 on cpu 1: dev_queue_xmit_nit+0x82/0x620 net/core/dev.c:2248 xmit_one net/core/dev.c:3527 [inline] dev_hard_start_xmit+0xcc/0x3f0 net/core/dev.c:3547 __dev_queue_xmit+0xf24/0x1dd0 net/core/dev.c:4335 dev_queue_xmit include/linux/netdevice.h:3091 [inline] batadv_send_skb_packet+0x264/0x300 net/batman-adv/send.c:108 batadv_send_broadcast_skb+0x24/0x30 net/batman-adv/send.c:127 batadv_iv_ogm_send_to_if net/batman-adv/bat_iv_ogm.c:392 [inline] batadv_iv_ogm_emit net/batman-adv/bat_iv_ogm.c:420 [inline] batadv_iv_send_outstanding_bat_ogm_packet+0x3f0/0x4b0 net/batman-adv/bat_iv_ogm.c:1700 process_one_work kernel/workqueue.c:3254 [inline] process_scheduled_works+0x465/0x990 kernel/workqueue.c:3335 worker_thread+0x526/0x730 kernel/workqueue.c:3416 kthread+0x1d1/0x210 kernel/kthread.c:388 ret_from_fork+0x4b/0x60 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:243 value changed: 0x00 -> 0x01 Reported by Kernel Concurrency Sanitizer on: CPU: 1 PID: 27 Comm: kworker/u8:1 Tainted: G W 6.8.0-syzkaller-08073-g480e035fc4c7 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/29/2024 Workqueue: bat_events batadv_iv_send_outstanding_bat_ogm_packet CVE-2024-26862 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: x86/mm: Disallow vsyscall page read for copy_from_kernel_nofault() When trying to use copy_from_kernel_nofault() to read vsyscall page through a bpf program, the following oops was reported: BUG: unable to handle page fault for address: ffffffffff600000 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 3231067 P4D 3231067 PUD 3233067 PMD 3235067 PTE 0 Oops: 0000 [#1] PREEMPT SMP PTI CPU: 1 PID: 20390 Comm: test_progs ...... 6.7.0+ #58 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996) ...... RIP: 0010:copy_from_kernel_nofault+0x6f/0x110 ...... Call Trace: <TASK> ? copy_from_kernel_nofault+0x6f/0x110 bpf_probe_read_kernel+0x1d/0x50 bpf_prog_2061065e56845f08_do_probe_read+0x51/0x8d trace_call_bpf+0xc5/0x1c0 perf_call_bpf_enter.isra.0+0x69/0xb0 perf_syscall_enter+0x13e/0x200 syscall_trace_enter+0x188/0x1c0 do_syscall_64+0xb5/0xe0 entry_SYSCALL_64_after_hwframe+0x6e/0x76 </TASK> ...... ---[ end trace 0000000000000000 ]--- The oops is triggered when: 1) A bpf program uses bpf_probe_read_kernel() to read from the vsyscall page and invokes copy_from_kernel_nofault() which in turn calls __get_user_asm(). 2) Because the vsyscall page address is not readable from kernel space, a page fault exception is triggered accordingly. 3) handle_page_fault() considers the vsyscall page address as a user space address instead of a kernel space address. This results in the fix-up setup by bpf not being applied and a page_fault_oops() is invoked due to SMAP. Considering handle_page_fault() has already considered the vsyscall page address as a userspace address, fix the problem by disallowing vsyscall page read for copy_from_kernel_nofault(). CVE-2024-26906 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: inet: inet_defrag: prevent sk release while still in use ip_local_out() and other functions can pass skb->sk as function argument. If the skb is a fragment and reassembly happens before such function call returns, the sk must not be released. This affects skb fragments reassembled via netfilter or similar modules, e.g. openvswitch or ct_act.c, when run as part of tx pipeline. Eric Dumazet made an initial analysis of this bug. Quoting Eric: Calling ip_defrag() in output path is also implying skb_orphan(), which is buggy because output path relies on sk not disappearing. A relevant old patch about the issue was : 8282f27449bf ("inet: frag: Always orphan skbs inside ip_defrag()") [..] net/ipv4/ip_output.c depends on skb->sk being set, and probably to an inet socket, not an arbitrary one. If we orphan the packet in ipvlan, then downstream things like FQ packet scheduler will not work properly. We need to change ip_defrag() to only use skb_orphan() when really needed, ie whenever frag_list is going to be used. Eric suggested to stash sk in fragment queue and made an initial patch. However there is a problem with this: If skb is refragmented again right after, ip_do_fragment() will copy head->sk to the new fragments, and sets up destructor to sock_wfree. IOW, we have no choice but to fix up sk_wmem accouting to reflect the fully reassembled skb, else wmem will underflow. This change moves the orphan down into the core, to last possible moment. As ip_defrag_offset is aliased with sk_buff->sk member, we must move the offset into the FRAG_CB, else skb->sk gets clobbered. This allows to delay the orphaning long enough to learn if the skb has to be queued or if the skb is completing the reasm queue. In the former case, things work as before, skb is orphaned. This is safe because skb gets queued/stolen and won't continue past reasm engine. In the latter case, we will steal the skb->sk reference, reattach it to the head skb, and fix up wmem accouting when inet_frag inflates truesize. CVE-2024-26921 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: af_unix: Fix garbage collector racing against connect() Garbage collector does not take into account the risk of embryo getting enqueued during the garbage collection. If such embryo has a peer that carries SCM_RIGHTS, two consecutive passes of scan_children() may see a different set of children. Leading to an incorrectly elevated inflight count, and then a dangling pointer within the gc_inflight_list. sockets are AF_UNIX/SOCK_STREAM S is an unconnected socket L is a listening in-flight socket bound to addr, not in fdtable V's fd will be passed via sendmsg(), gets inflight count bumped connect(S, addr) sendmsg(S, [V]); close(V) __unix_gc() ---------------- ------------------------- ----------- NS = unix_create1() skb1 = sock_wmalloc(NS) L = unix_find_other(addr) unix_state_lock(L) unix_peer(S) = NS // V count=1 inflight=0 NS = unix_peer(S) skb2 = sock_alloc() skb_queue_tail(NS, skb2[V]) // V became in-flight // V count=2 inflight=1 close(V) // V count=1 inflight=1 // GC candidate condition met for u in gc_inflight_list: if (total_refs == inflight_refs) add u to gc_candidates // gc_candidates={L, V} for u in gc_candidates: scan_children(u, dec_inflight) // embryo (skb1) was not // reachable from L yet, so V's // inflight remains unchanged __skb_queue_tail(L, skb1) unix_state_unlock(L) for u in gc_candidates: if (u.inflight) scan_children(u, inc_inflight_move_tail) // V count=1 inflight=2 (!) If there is a GC-candidate listening socket, lock/unlock its state. This makes GC wait until the end of any ongoing connect() to that socket. After flipping the lock, a possibly SCM-laden embryo is already enqueued. And if there is another embryo coming, it can not possibly carry SCM_RIGHTS. At this point, unix_inflight() can not happen because unix_gc_lock is already taken. Inflight graph remains unaffected. CVE-2024-26923 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: release mutex after nft_gc_seq_end from abort path The commit mutex should not be released during the critical section between nft_gc_seq_begin() and nft_gc_seq_end(), otherwise, async GC worker could collect expired objects and get the released commit lock within the same GC sequence. nf_tables_module_autoload() temporarily releases the mutex to load module dependencies, then it goes back to replay the transaction again. Move it at the end of the abort phase after nft_gc_seq_end() is called. CVE-2024-26925 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. CVE-2024-26929 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 important In the Linux kernel, the following vulnerability has been resolved: scsi: qla2xxx: Fix double free of the ha->vp_map pointer Coverity scan reported potential risk of double free of the pointer ha->vp_map. ha->vp_map was freed in qla2x00_mem_alloc(), and again freed in function qla2x00_mem_free(ha). Assign NULL to vp_map and kfree take care of NULL. CVE-2024-26930 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 important In the Linux kernel, the following vulnerability has been resolved: media: edia: dvbdev: fix a use-after-free In dvb_register_device, *pdvbdev is set equal to dvbdev, which is freed in several error-handling paths. However, *pdvbdev is not set to NULL after dvbdev's deallocation, causing use-after-frees in many places, for example, in the following call chain: budget_register |-> dvb_dmxdev_init |-> dvb_register_device |-> dvb_dmxdev_release |-> dvb_unregister_device |-> dvb_remove_device |-> dvb_device_put |-> kref_put When calling dvb_unregister_device, dmxdev->dvbdev (i.e. *pdvbdev in dvb_register_device) could point to memory that had been freed in dvb_register_device. Thereafter, this pointer is transferred to kref_put and triggering a use-after-free. CVE-2024-27043 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 important In the Linux kernel, the following vulnerability has been resolved: Bluetooth: Fix use-after-free bugs caused by sco_sock_timeout When the sco connection is established and then, the sco socket is releasing, timeout_work will be scheduled to judge whether the sco disconnection is timeout. The sock will be deallocated later, but it is dereferenced again in sco_sock_timeout. As a result, the use-after-free bugs will happen. The root cause is shown below: Cleanup Thread | Worker Thread sco_sock_release | sco_sock_close | __sco_sock_close | sco_sock_set_timer | schedule_delayed_work | sco_sock_kill | (wait a time) sock_put(sk) //FREE | sco_sock_timeout | sock_hold(sk) //USE The KASAN report triggered by POC is shown below: [ 95.890016] ================================================================== [ 95.890496] BUG: KASAN: slab-use-after-free in sco_sock_timeout+0x5e/0x1c0 [ 95.890755] Write of size 4 at addr ffff88800c388080 by task kworker/0:0/7 ... [ 95.890755] Workqueue: events sco_sock_timeout [ 95.890755] Call Trace: [ 95.890755] <TASK> [ 95.890755] dump_stack_lvl+0x45/0x110 [ 95.890755] print_address_description+0x78/0x390 [ 95.890755] print_report+0x11b/0x250 [ 95.890755] ? __virt_addr_valid+0xbe/0xf0 [ 95.890755] ? sco_sock_timeout+0x5e/0x1c0 [ 95.890755] kasan_report+0x139/0x170 [ 95.890755] ? update_load_avg+0xe5/0x9f0 [ 95.890755] ? sco_sock_timeout+0x5e/0x1c0 [ 95.890755] kasan_check_range+0x2c3/0x2e0 [ 95.890755] sco_sock_timeout+0x5e/0x1c0 [ 95.890755] process_one_work+0x561/0xc50 [ 95.890755] worker_thread+0xab2/0x13c0 [ 95.890755] ? pr_cont_work+0x490/0x490 [ 95.890755] kthread+0x279/0x300 [ 95.890755] ? pr_cont_work+0x490/0x490 [ 95.890755] ? kthread_blkcg+0xa0/0xa0 [ 95.890755] ret_from_fork+0x34/0x60 [ 95.890755] ? kthread_blkcg+0xa0/0xa0 [ 95.890755] ret_from_fork_asm+0x11/0x20 [ 95.890755] </TASK> [ 95.890755] [ 95.890755] Allocated by task 506: [ 95.890755] kasan_save_track+0x3f/0x70 [ 95.890755] __kasan_kmalloc+0x86/0x90 [ 95.890755] __kmalloc+0x17f/0x360 [ 95.890755] sk_prot_alloc+0xe1/0x1a0 [ 95.890755] sk_alloc+0x31/0x4e0 [ 95.890755] bt_sock_alloc+0x2b/0x2a0 [ 95.890755] sco_sock_create+0xad/0x320 [ 95.890755] bt_sock_create+0x145/0x320 [ 95.890755] __sock_create+0x2e1/0x650 [ 95.890755] __sys_socket+0xd0/0x280 [ 95.890755] __x64_sys_socket+0x75/0x80 [ 95.890755] do_syscall_64+0xc4/0x1b0 [ 95.890755] entry_SYSCALL_64_after_hwframe+0x67/0x6f [ 95.890755] [ 95.890755] Freed by task 506: [ 95.890755] kasan_save_track+0x3f/0x70 [ 95.890755] kasan_save_free_info+0x40/0x50 [ 95.890755] poison_slab_object+0x118/0x180 [ 95.890755] __kasan_slab_free+0x12/0x30 [ 95.890755] kfree+0xb2/0x240 [ 95.890755] __sk_destruct+0x317/0x410 [ 95.890755] sco_sock_release+0x232/0x280 [ 95.890755] sock_close+0xb2/0x210 [ 95.890755] __fput+0x37f/0x770 [ 95.890755] task_work_run+0x1ae/0x210 [ 95.890755] get_signal+0xe17/0xf70 [ 95.890755] arch_do_signal_or_restart+0x3f/0x520 [ 95.890755] syscall_exit_to_user_mode+0x55/0x120 [ 95.890755] do_syscall_64+0xd1/0x1b0 [ 95.890755] entry_SYSCALL_64_after_hwframe+0x67/0x6f [ 95.890755] [ 95.890755] The buggy address belongs to the object at ffff88800c388000 [ 95.890755] which belongs to the cache kmalloc-1k of size 1024 [ 95.890755] The buggy address is located 128 bytes inside of [ 95.890755] freed 1024-byte region [ffff88800c388000, ffff88800c388400) [ 95.890755] [ 95.890755] The buggy address belongs to the physical page: [ 95.890755] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88800c38a800 pfn:0xc388 [ 95.890755] head: order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 95.890755] ano ---truncated--- CVE-2024-27398 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 important In the Linux kernel, the following vulnerability has been resolved: efi/capsule-loader: fix incorrect allocation size gcc-14 notices that the allocation with sizeof(void) on 32-bit architectures is not enough for a 64-bit phys_addr_t: drivers/firmware/efi/capsule-loader.c: In function 'efi_capsule_open': drivers/firmware/efi/capsule-loader.c:295:24: error: allocation of insufficient size '4' for type 'phys_addr_t' {aka 'long long unsigned int'} with size '8' [-Werror=alloc-size] 295 | cap_info->phys = kzalloc(sizeof(void *), GFP_KERNEL); | ^ Use the correct type instead here. CVE-2024-27413 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate wall in util-linux through 2.40, often installed with setgid tty permissions, allows escape sequences to be sent to other users' terminals through argv. (Specifically, escape sequences received from stdin are blocked, but escape sequences received from argv are not blocked.) There may be plausible scenarios where this leads to account takeover. CVE-2024-28085 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libblkid1-2.36.2-150300.4.44.12 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libfdisk1-2.36.2-150300.4.44.12 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libmount1-2.36.2-150300.4.44.12 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libsmartcols1-2.36.2-150300.4.44.12 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libuuid1-2.36.2-150300.4.44.12 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:util-linux-2.36.2-150300.4.44.12 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:util-linux-systemd-2.36.2-150300.4.44.11 important nghttp2 is an implementation of the Hypertext Transfer Protocol version 2 in C. The nghttp2 library prior to version 1.61.0 keeps reading the unbounded number of HTTP/2 CONTINUATION frames even after a stream is reset to keep HPACK context in sync. This causes excessive CPU usage to decode HPACK stream. nghttp2 v1.61.0 mitigates this vulnerability by limiting the number of CONTINUATION frames it accepts per stream. There is no workaround for this vulnerability. CVE-2024-28182 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libnghttp2-14-1.40.0-150200.17.1 important The iconv() function in the GNU C Library versions 2.39 and older may overflow the output buffer passed to it by up to 4 bytes when converting strings to the ISO-2022-CN-EXT character set, which may be used to crash an application or overwrite a neighbouring variable. CVE-2024-2961 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:glibc-2.31-150300.83.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:glibc-i18ndata-2.31-150300.83.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:glibc-locale-2.31-150300.83.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:glibc-locale-base-2.31-150300.83.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:nscd-2.31-150300.83.1 important Because of a logical error in XSA-407 (Branch Type Confusion), the mitigation is not applied properly when it is intended to be used. XSA-434 (Speculative Return Stack Overflow) uses the same infrastructure, so is equally impacted. For more details, see: https://xenbits.xen.org/xsa/advisory-407.html https://xenbits.xen.org/xsa/advisory-434.html CVE-2024-31142 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:xen-libs-4.14.6_16-150300.3.75.1 moderate An optional feature of PCI MSI called "Multiple Message" allows a device to use multiple consecutive interrupt vectors. Unlike for MSI-X, the setting up of these consecutive vectors needs to happen all in one go. In this handling an error path could be taken in different situations, with or without a particular lock held. This error path wrongly releases the lock even when it is not currently held. CVE-2024-31143 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:xen-libs-4.14.6_16-150300.3.75.1 important less through 653 allows OS command execution via a newline character in the name of a file, because quoting is mishandled in filename.c. Exploitation typically requires use with attacker-controlled file names, such as the files extracted from an untrusted archive. Exploitation also requires the LESSOPEN environment variable, but this is set by default in many common cases. CVE-2024-32487 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:less-530-150000.3.9.1 important nscd: Stack-based buffer overflow in netgroup cache If the Name Service Cache Daemon's (nscd) fixed size cache is exhausted by client requests then a subsequent client request for netgroup data may result in a stack-based buffer overflow. This flaw was introduced in glibc 2.15 when the cache was added to nscd. This vulnerability is only present in the nscd binary. CVE-2024-33599 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:glibc-2.31-150300.83.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:glibc-i18ndata-2.31-150300.83.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:glibc-locale-2.31-150300.83.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:glibc-locale-base-2.31-150300.83.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:nscd-2.31-150300.83.1 important nscd: Null pointer crashes after notfound response If the Name Service Cache Daemon's (nscd) cache fails to add a not-found netgroup response to the cache, the client request can result in a null pointer dereference. This flaw was introduced in glibc 2.15 when the cache was added to nscd. This vulnerability is only present in the nscd binary. CVE-2024-33600 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:glibc-2.31-150300.83.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:glibc-i18ndata-2.31-150300.83.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:glibc-locale-2.31-150300.83.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:glibc-locale-base-2.31-150300.83.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:nscd-2.31-150300.83.1 important nscd: netgroup cache may terminate daemon on memory allocation failure The Name Service Cache Daemon's (nscd) netgroup cache uses xmalloc or xrealloc and these functions may terminate the process due to a memory allocation failure resulting in a denial of service to the clients. The flaw was introduced in glibc 2.15 when the cache was added to nscd. This vulnerability is only present in the nscd binary. CVE-2024-33601 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:glibc-2.31-150300.83.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:glibc-i18ndata-2.31-150300.83.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:glibc-locale-2.31-150300.83.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:glibc-locale-base-2.31-150300.83.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:nscd-2.31-150300.83.1 moderate nscd: netgroup cache assumes NSS callback uses in-buffer strings The Name Service Cache Daemon's (nscd) netgroup cache can corrupt memory when the NSS callback does not store all strings in the provided buffer. The flaw was introduced in glibc 2.15 when the cache was added to nscd. This vulnerability is only present in the nscd binary. CVE-2024-33602 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:glibc-2.31-150300.83.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:glibc-i18ndata-2.31-150300.83.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:glibc-locale-2.31-150300.83.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:glibc-locale-base-2.31-150300.83.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:nscd-2.31-150300.83.1 low Jinja is an extensible templating engine. The `xmlattr` filter in affected versions of Jinja accepts keys containing non-attribute characters. XML/HTML attributes cannot contain spaces, `/`, `>`, or `=`, as each would then be interpreted as starting a separate attribute. If an application accepts keys (as opposed to only values) as user input, and renders these in pages that other users see as well, an attacker could use this to inject other attributes and perform XSS. The fix for CVE-2024-22195 only addressed spaces but not other characters. Accepting keys as user input is now explicitly considered an unintended use case of the `xmlattr` filter, and code that does so without otherwise validating the input should be flagged as insecure, regardless of Jinja version. Accepting _values_ as user input continues to be safe. This vulnerability is fixed in 3.1.4. CVE-2024-34064 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:python3-Jinja2-2.10.1-150000.3.13.1 moderate An issue was discovered in GNOME GLib before 2.78.5, and 2.79.x and 2.80.x before 2.80.1. When a GDBus-based client subscribes to signals from a trusted system service such as NetworkManager on a shared computer, other users of the same computer can send spoofed D-Bus signals that the GDBus-based client will wrongly interpret as having been sent by the trusted system service. This could lead to the GDBus-based client behaving incorrectly, with an application-dependent impact. CVE-2024-34397 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:glib2-tools-2.62.6-150200.3.18.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libgio-2_0-0-2.62.6-150200.3.18.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libglib-2_0-0-2.62.6-150200.3.18.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libgmodule-2_0-0-2.62.6-150200.3.18.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libgobject-2_0-0-2.62.6-150200.3.18.1 low An issue was discovered in xmllint (from libxml2) before 2.11.8 and 2.12.x before 2.12.7. Formatting error messages with xmllint --htmlout can result in a buffer over-read in xmlHTMLPrintFileContext in xmllint.c. CVE-2024-34459 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libxml2-2-2.9.7-150000.3.70.1 low Requests is a HTTP library. Prior to 2.32.0, when making requests through a Requests `Session`, if the first request is made with `verify=False` to disable cert verification, all subsequent requests to the same host will continue to ignore cert verification regardless of changes to the value of `verify`. This behavior will continue for the lifecycle of the connection in the connection pool. This vulnerability is fixed in 2.32.0. CVE-2024-35195 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:python3-requests-2.25.1-150300.3.12.2 moderate OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. In versions 2.4.8 and earlier, when starting the cupsd server with a Listen configuration item pointing to a symbolic link, the cupsd process can be caused to perform an arbitrary chmod of the provided argument, providing world-writable access to the target. Given that cupsd is often running as root, this can result in the change of permission of any user or system files to be world writable. Given the aforementioned Ubuntu AppArmor context, on such systems this vulnerability is limited to those files modifiable by the cupsd process. In that specific case it was found to be possible to turn the configuration of the Listen argument into full control over the cupsd.conf and cups-files.conf configuration files. By later setting the User and Group arguments in cups-files.conf, and printing with a printer configured by PPD with a `FoomaticRIPCommandLine` argument, arbitrary user and group (not root) command execution could be achieved, which can further be used on Ubuntu systems to achieve full root command execution. Commit ff1f8a623e090dee8a8aadf12a6a4b25efac143d contains a patch for the issue. CVE-2024-35235 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:cups-config-2.2.7-150000.3.62.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libcups2-2.2.7-150000.3.62.1 important In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: check/clear fast rx for non-4addr sta VLAN changes When moving a station out of a VLAN and deleting the VLAN afterwards, the fast_rx entry still holds a pointer to the VLAN's netdev, which can cause use-after-free bugs. Fix this by immediately calling ieee80211_check_fast_rx after the VLAN change. CVE-2024-35789 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 important In the Linux kernel, the following vulnerability has been resolved: smb: client: fix potential UAF in cifs_signal_cifsd_for_reconnect() Skip sessions that are being teared down (status == SES_EXITING) to avoid UAF. CVE-2024-35861 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 important In the Linux kernel, the following vulnerability has been resolved: smb: client: fix potential UAF in smb2_is_network_name_deleted() Skip sessions that are being teared down (status == SES_EXITING) to avoid UAF. CVE-2024-35862 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 important In the Linux kernel, the following vulnerability has been resolved: smb: client: fix potential UAF in smb2_is_valid_lease_break() Skip sessions that are being teared down (status == SES_EXITING) to avoid UAF. CVE-2024-35864 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 important In the Linux kernel, the following vulnerability has been resolved: drm/client: Fully protect modes[] with dev->mode_config.mutex The modes[] array contains pointers to modes on the connectors' mode lists, which are protected by dev->mode_config.mutex. Thus we need to extend modes[] the same protection or by the time we use it the elements may already be pointing to freed/reused memory. CVE-2024-35950 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate A vulnerability was identified in the kjd/idna library, specifically within the `idna.encode()` function, affecting version 3.6. The issue arises from the function's handling of crafted input strings, which can lead to quadratic complexity and consequently, a denial of service condition. This vulnerability is triggered by a crafted input that causes the `idna.encode()` function to process the input with considerable computational load, significantly increasing the processing time in a quadratic manner relative to the input size. CVE-2024-3651 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:python3-idna-2.6-150000.3.3.1 moderate In the Linux kernel, the following vulnerability has been resolved: usb: gadget: f_fs: Fix race between aio_cancel() and AIO request complete FFS based applications can utilize the aio_cancel() callback to dequeue pending USB requests submitted to the UDC. There is a scenario where the FFS application issues an AIO cancel call, while the UDC is handling a soft disconnect. For a DWC3 based implementation, the callstack looks like the following: DWC3 Gadget FFS Application dwc3_gadget_soft_disconnect() ... --> dwc3_stop_active_transfers() --> dwc3_gadget_giveback(-ESHUTDOWN) --> ffs_epfile_async_io_complete() ffs_aio_cancel() --> usb_ep_free_request() --> usb_ep_dequeue() There is currently no locking implemented between the AIO completion handler and AIO cancel, so the issue occurs if the completion routine is running in parallel to an AIO cancel call coming from the FFS application. As the completion call frees the USB request (io_data->req) the FFS application is also referencing it for the usb_ep_dequeue() call. This can lead to accessing a stale/hanging pointer. commit b566d38857fc ("usb: gadget: f_fs: use io_data->status consistently") relocated the usb_ep_free_request() into ffs_epfile_async_io_complete(). However, in order to properly implement locking to mitigate this issue, the spinlock can't be added to ffs_epfile_async_io_complete(), as usb_ep_dequeue() (if successfully dequeuing a USB request) will call the function driver's completion handler in the same context. Hence, leading into a deadlock. Fix this issue by moving the usb_ep_free_request() back to ffs_user_copy_worker(), and ensuring that it explicitly sets io_data->req to NULL after freeing it within the ffs->eps_lock. This resolves the race condition above, as the ffs_aio_cancel() routine will not continue attempting to dequeue a request that has already been freed, or the ffs_user_copy_work() not freeing the USB request until the AIO cancel is done referencing it. This fix depends on commit b566d38857fc ("usb: gadget: f_fs: use io_data->status consistently") CVE-2024-36894 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: tcp: Use refcount_inc_not_zero() in tcp_twsk_unique(). Anderson Nascimento reported a use-after-free splat in tcp_twsk_unique() with nice analysis. Since commit ec94c2696f0b ("tcp/dccp: avoid one atomic operation for timewait hashdance"), inet_twsk_hashdance() sets TIME-WAIT socket's sk_refcnt after putting it into ehash and releasing the bucket lock. Thus, there is a small race window where other threads could try to reuse the port during connect() and call sock_hold() in tcp_twsk_unique() for the TIME-WAIT socket with zero refcnt. If that happens, the refcnt taken by tcp_twsk_unique() is overwritten and sock_put() will cause underflow, triggering a real use-after-free somewhere else. To avoid the use-after-free, we need to use refcount_inc_not_zero() in tcp_twsk_unique() and give up on reusing the port if it returns false. [0]: refcount_t: addition on 0; use-after-free. WARNING: CPU: 0 PID: 1039313 at lib/refcount.c:25 refcount_warn_saturate+0xe5/0x110 CPU: 0 PID: 1039313 Comm: trigger Not tainted 6.8.6-200.fc39.x86_64 #1 Hardware name: VMware, Inc. VMware20,1/440BX Desktop Reference Platform, BIOS VMW201.00V.21805430.B64.2305221830 05/22/2023 RIP: 0010:refcount_warn_saturate+0xe5/0x110 Code: 42 8e ff 0f 0b c3 cc cc cc cc 80 3d aa 13 ea 01 00 0f 85 5e ff ff ff 48 c7 c7 f8 8e b7 82 c6 05 96 13 ea 01 01 e8 7b 42 8e ff <0f> 0b c3 cc cc cc cc 48 c7 c7 50 8f b7 82 c6 05 7a 13 ea 01 01 e8 RSP: 0018:ffffc90006b43b60 EFLAGS: 00010282 RAX: 0000000000000000 RBX: ffff888009bb3ef0 RCX: 0000000000000027 RDX: ffff88807be218c8 RSI: 0000000000000001 RDI: ffff88807be218c0 RBP: 0000000000069d70 R08: 0000000000000000 R09: ffffc90006b439f0 R10: ffffc90006b439e8 R11: 0000000000000003 R12: ffff8880029ede84 R13: 0000000000004e20 R14: ffffffff84356dc0 R15: ffff888009bb3ef0 FS: 00007f62c10926c0(0000) GS:ffff88807be00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000020ccb000 CR3: 000000004628c005 CR4: 0000000000f70ef0 PKRU: 55555554 Call Trace: <TASK> ? refcount_warn_saturate+0xe5/0x110 ? __warn+0x81/0x130 ? refcount_warn_saturate+0xe5/0x110 ? report_bug+0x171/0x1a0 ? refcount_warn_saturate+0xe5/0x110 ? handle_bug+0x3c/0x80 ? exc_invalid_op+0x17/0x70 ? asm_exc_invalid_op+0x1a/0x20 ? refcount_warn_saturate+0xe5/0x110 tcp_twsk_unique+0x186/0x190 __inet_check_established+0x176/0x2d0 __inet_hash_connect+0x74/0x7d0 ? __pfx___inet_check_established+0x10/0x10 tcp_v4_connect+0x278/0x530 __inet_stream_connect+0x10f/0x3d0 inet_stream_connect+0x3a/0x60 __sys_connect+0xa8/0xd0 __x64_sys_connect+0x18/0x20 do_syscall_64+0x83/0x170 entry_SYSCALL_64_after_hwframe+0x78/0x80 RIP: 0033:0x7f62c11a885d Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d a3 45 0c 00 f7 d8 64 89 01 48 RSP: 002b:00007f62c1091e58 EFLAGS: 00000296 ORIG_RAX: 000000000000002a RAX: ffffffffffffffda RBX: 0000000020ccb004 RCX: 00007f62c11a885d RDX: 0000000000000010 RSI: 0000000020ccb000 RDI: 0000000000000003 RBP: 00007f62c1091e90 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000296 R12: 00007f62c10926c0 R13: ffffffffffffff88 R14: 0000000000000000 R15: 00007ffe237885b0 </TASK> CVE-2024-36904 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: pinctrl: core: delete incorrect free in pinctrl_enable() The "pctldev" struct is allocated in devm_pinctrl_register_and_init(). It's a devm_ managed pointer that is freed by devm_pinctrl_dev_release(), so freeing it in pinctrl_enable() will lead to a double free. The devm_pinctrl_dev_release() function frees the pindescs and destroys the mutex as well. CVE-2024-36940 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 important In the Linux kernel, the following vulnerability has been resolved: fs/9p: only translate RWX permissions for plain 9P2000 Garbage in plain 9P2000's perm bits is allowed through, which causes it to be able to set (among others) the suid bit. This was presumably not the intent since the unix extended bits are handled explicitly and conditionally on .u. CVE-2024-36964 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 important In MIT Kerberos 5 (aka krb5) before 1.21.3, an attacker can modify the plaintext Extra Count field of a confidential GSS krb5 wrap token, causing the unwrapped token to appear truncated to the application. CVE-2024-37370 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:krb5-1.19.2-150300.19.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:krb5-client-1.19.2-150300.19.1 important In MIT Kerberos 5 (aka krb5) before 1.21.3, an attacker can cause invalid memory reads during GSS message token handling by sending message tokens with invalid length fields. CVE-2024-37371 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:krb5-1.19.2-150300.19.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:krb5-client-1.19.2-150300.19.1 moderate urllib3 is a user-friendly HTTP client library for Python. When using urllib3's proxy support with `ProxyManager`, the `Proxy-Authorization` header is only sent to the configured proxy, as expected. However, when sending HTTP requests *without* using urllib3's proxy support, it's possible to accidentally configure the `Proxy-Authorization` header even though it won't have any effect as the request is not using a forwarding proxy or a tunneling proxy. In those cases, urllib3 doesn't treat the `Proxy-Authorization` HTTP header as one carrying authentication material and thus doesn't strip the header on cross-origin redirects. Because this is a highly unlikely scenario, we believe the severity of this vulnerability is low for almost all users. Out of an abundance of caution urllib3 will automatically strip the `Proxy-Authorization` header during cross-origin redirects to avoid the small chance that users are doing this on accident. Users should use urllib3's proxy support or disable automatic redirects to achieve safe processing of the `Proxy-Authorization` header, but we still decided to strip the header by default in order to further protect users who aren't using the correct approach. We believe the number of usages affected by this advisory is low. It requires all of the following to be true to be exploited: 1. Setting the `Proxy-Authorization` header without using urllib3's built-in proxy support. 2. Not disabling HTTP redirects. 3. Either not using an HTTPS origin server or for the proxy or target origin to redirect to a malicious origin. Users are advised to update to either version 1.26.19 or version 2.2.2. Users unable to upgrade may use the `Proxy-Authorization` header with urllib3's `ProxyManager`, disable HTTP redirects using `redirects=False` when sending requests, or not user the `Proxy-Authorization` header as mitigations. CVE-2024-37891 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:python3-urllib3-1.25.10-150300.4.12.1 moderate url.c in GNU Wget through 1.24.5 mishandles semicolons in the userinfo subcomponent of a URI, and thus there may be insecure behavior in which data that was supposed to be in the userinfo subcomponent is misinterpreted to be part of the host subcomponent. CVE-2024-38428 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:wget-1.20.3-150000.3.20.1 moderate In the Linux kernel, the following vulnerability has been resolved: of: module: add buffer overflow check in of_modalias() In of_modalias(), if the buffer happens to be too small even for the 1st snprintf() call, the len parameter will become negative and str parameter (if not NULL initially) will point beyond the buffer's end. Add the buffer overflow check after the 1st snprintf() call and fix such check after the strlen() call (accounting for the terminating NUL char). CVE-2024-38541 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: RDMA/hns: Fix UAF for cq async event The refcount of CQ is not protected by locks. When CQ asynchronous events and CQ destruction are concurrent, CQ may have been released, which will cause UAF. Use the xa_lock() to protect the CQ refcount. CVE-2024-38545 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: scsi: qedf: Ensure the copied buf is NUL terminated Currently, we allocate a count-sized kernel buffer and copy count from userspace to that buffer. Later, we use kstrtouint on this buffer but we don't ensure that the string is terminated inside the buffer, this can lead to OOB read when using kstrtouint. Fix this issue by using memdup_user_nul instead of memdup_user. CVE-2024-38559 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate In the Linux kernel, the following vulnerability has been resolved: scsi: bfa: Ensure the copied buf is NUL terminated Currently, we allocate a nbytes-sized kernel buffer and copy nbytes from userspace to that buffer. Later, we use sscanf on this buffer but we don't ensure that the string is terminated inside the buffer, this can lead to OOB read when using sscanf. Fix this issue by using memdup_user_nul instead of memdup_user. CVE-2024-38560 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:kernel-default-5.3.18-150300.59.167.1 moderate The "ipaddress" module contained incorrect information about whether certain IPv4 and IPv6 addresses were designated as "globally reachable" or "private". This affected the is_private and is_global properties of the ipaddress.IPv4Address, ipaddress.IPv4Network, ipaddress.IPv6Address, and ipaddress.IPv6Network classes, where values wouldn't be returned in accordance with the latest information from the IANA Special-Purpose Address Registries. CPython 3.12.4 and 3.13.0a6 contain updated information from these registries and thus have the intended behavior. CVE-2024-4032 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:python3-3.6.15-150300.10.65.2 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:python3-curses-3.6.15-150300.10.65.2 low Moby is an open-source project created by Docker for software containerization. A security vulnerability has been detected in certain versions of Docker Engine, which could allow an attacker to bypass authorization plugins (AuthZ) under specific circumstances. The base likelihood of this being exploited is low. Using a specially-crafted API request, an Engine API client could make the daemon forward the request or response to an authorization plugin without the body. In certain circumstances, the authorization plugin may allow a request which it would have otherwise denied if the body had been forwarded to it. A security issue was discovered In 2018, where an attacker could bypass AuthZ plugins using a specially crafted API request. This could lead to unauthorized actions, including privilege escalation. Although this issue was fixed in Docker Engine v18.09.1 in January 2019, the fix was not carried forward to later major versions, resulting in a regression. Anyone who depends on authorization plugins that introspect the request and/or response body to make access control decisions is potentially impacted. Docker EE v19.03.x and all versions of Mirantis Container Runtime are not vulnerable. docker-ce v27.1.1 containes patches to fix the vulnerability. Patches have also been merged into the master, 19.03, 20.0, 23.0, 24.0, 25.0, 26.0, and 26.1 release branches. If one is unable to upgrade immediately, avoid using AuthZ plugins and/or restrict access to the Docker API to trusted parties, following the principle of least privilege. CVE-2024-41110 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:docker-25.0.6_ce-150000.203.1 critical Issue summary: Calling the OpenSSL API function SSL_free_buffers may cause memory to be accessed that was previously freed in some situations Impact summary: A use after free can have a range of potential consequences such as the corruption of valid data, crashes or execution of arbitrary code. However, only applications that directly call the SSL_free_buffers function are affected by this issue. Applications that do not call this function are not vulnerable. Our investigations indicate that this function is rarely used by applications. The SSL_free_buffers function is used to free the internal OpenSSL buffer used when processing an incoming record from the network. The call is only expected to succeed if the buffer is not currently in use. However, two scenarios have been identified where the buffer is freed even when still in use. The first scenario occurs where a record header has been received from the network and processed by OpenSSL, but the full record body has not yet arrived. In this case calling SSL_free_buffers will succeed even though a record has only been partially processed and the buffer is still in use. The second scenario occurs where a full record containing application data has been received and processed by OpenSSL but the application has only read part of this data. Again a call to SSL_free_buffers will succeed even though the buffer is still in use. While these scenarios could occur accidentally during normal operation a malicious attacker could attempt to engineer a stituation where this occurs. We are not aware of this issue being actively exploited. The FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue. CVE-2024-4741 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:libopenssl1_1-1.1.1d-150200.11.91.1 Public Cloud Image google/sles-15-sp3-byos-v20240809-x86-64:openssl-1_1-1.1.1d-150200.11.91.1 important