SUSE-IU-2023:604-1: Security update of sles-15-sp4-chost-byos-v20230901-arm64

sle-security-updates at lists.suse.com
Tue Sep 5 07:02:43 UTC 2023


SUSE Image Update Advisory: sles-15-sp4-chost-byos-v20230901-arm64
-----------------------------------------------------------------
Image Advisory ID : SUSE-IU-2023:604-1
Image Tags        : sles-15-sp4-chost-byos-v20230901-arm64:20230901
Image Release     : 
Severity          : critical
Type              : security
References        : 1002895 1027519 1102408 1107105 1118088 1138666 1138715 1138746
                        1158763 1167732 1176389 1177120 1179534 1179805 1182142 1182421
                        1182422 1184177 1184505 1186606 1187045 1193412 1193752 1194038
                        1194609 1194900 1195916 1196696 1198331 1200771 1201253 1201519
                        1202498 1202498 1204145 1204364 1204844 1206212 1206418 1206627
                        1207129 1207805 1208036 1208194 1208574 1209741 1210323 1210419
                        1210627 1210702 1210740 1210780 1211079 1211131 1211461 1211576
                        1211674 1211738 1211757 1212434 1212502 1212604 1212901 1212928
                        1213049 1213167 1213185 1213189 1213212 1213231 1213272 1213287
                        1213304 1213443 1213472 1213514 1213517 1213557 1213575 1213582
                        1213585 1213586 1213588 1213616 1213620 1213653 1213673 1213713
                        1213715 1213747 1213756 1213759 1213777 1213810 1213812 1213842
                        1213853 1213856 1213857 1213863 1213867 1213870 1213871 1213873
                        1213951 1214025 1214054 1214071 1214082 1214083 1214248 1214290
                        CVE-2018-19787 CVE-2020-25659 CVE-2020-26137 CVE-2020-27783 CVE-2020-29651
                        CVE-2020-29651 CVE-2021-28957 CVE-2021-30560 CVE-2021-33503 CVE-2021-43818
                        CVE-2022-2309 CVE-2022-23491 CVE-2022-40982 CVE-2022-40982 CVE-2022-41409
                        CVE-2022-42969 CVE-2022-48468 CVE-2023-0459 CVE-2023-2004 CVE-2023-20569
                        CVE-2023-20569 CVE-2023-20593 CVE-2023-21400 CVE-2023-2156 CVE-2023-2166
                        CVE-2023-23931 CVE-2023-31083 CVE-2023-3268 CVE-2023-32681 CVE-2023-33460
                        CVE-2023-3567 CVE-2023-36054 CVE-2023-3609 CVE-2023-3611 CVE-2023-3776
                        CVE-2023-3817 CVE-2023-4004 CVE-2023-4016 CVE-2023-4156 
-----------------------------------------------------------------

The container sles-15-sp4-chost-byos-v20230901-arm64 was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1037-1
Released:    Mon Apr 20 10:49:39 2020
Summary:     Recommended update for python-pytest
Type:        recommended
Severity:    low
References:  1002895,1107105,1138666,1167732

This update fixes the following issues:

New python-pytest versions are provided.

In Basesystem:

- python3-pexpect: updated to 4.8.0
- python3-py: updated to 1.8.1
- python3-zipp: shipped as dependency in version 0.6.0

In Python2:

- python2-pexpect: updated to 4.8.0
- python2-py: updated to 1.8.1

  
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:1859-1
Released:    Fri Jun  4 09:02:38 2021
Summary:     Security update for python-py
Type:        security
Severity:    moderate
References:  1179805,1184505,CVE-2020-29651
This update for python-py fixes the following issues:

- CVE-2020-29651: Fixed regular expression denial of service in svnwc.py (bsc#1179805, bsc#1184505).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:2012-1
Released:    Fri Jun 18 09:15:13 2021
Summary:     Security update for python-urllib3
Type:        security
Severity:    important
References:  1187045,CVE-2021-33503
This update for python-urllib3 fixes the following issues:

- CVE-2021-33503: Fixed a denial of service when the URL contained many @ characters in the authority component (bsc#1187045)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:2817-1
Released:    Mon Aug 23 15:03:36 2021
Summary:     Security update for aws-cli, python-boto3, python-botocore, python-service_identity, python-trustme, python-urllib3
Type:        security
Severity:    moderate
References:  1102408,1138715,1138746,1176389,1177120,1182421,1182422,CVE-2020-26137
This patch updates the Python AWS SDK stack in SLE 15:

General:

# aws-cli

- Version updated to upstream release v1.19.9
  For a detailed list of all changes, please refer to the changelog file of this package.

# python-boto3

- Version updated to upstream release 1.17.9
  For a detailed list of all changes, please refer to the changelog file of this package.

# python-botocore

- Version updated to upstream release 1.20.9
  For a detailed list of all changes, please refer to the changelog file of this package.

# python-urllib3

- Version updated to upstream release 1.25.10
  For a detailed list of all changes, please refer to the changelog file of this package.

# python-service_identity

- Added this new package to resolve runtime dependencies for other packages.
  Version: 18.1.0

# python-trustme

- Added this new package to resolve runtime dependencies for other packages.
  Version: 0.6.0

Security fixes:

# python-urllib3:
  
- CVE-2020-26137: urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated
  by inserting CR and LF control characters in the first argument of putrequest() (bsc#1177120)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:803-1
Released:    Thu Mar 10 17:35:53 2022
Summary:     Security update for python-lxml
Type:        security
Severity:    important
References:  1118088,1179534,1184177,1193752,CVE-2018-19787,CVE-2020-27783,CVE-2021-28957,CVE-2021-43818
This update for python-lxml fixes the following issues:

- CVE-2018-19787: Fixed XSS vulnerability via unescaped URL (bsc#1118088).
- CVE-2021-28957: Fixed XSS vulnerability via unescaped HTML5 attributes (bsc#1184177).
- CVE-2021-43818: Fixed XSS vulnerability via script content in SVG images using data URIs (bnc#1193752).
- CVE-2020-27783: Fixed mutation XSS with improper parser use (bnc#1179534).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:2355-1
Released:    Mon Jul 11 12:44:33 2022
Summary:     Recommended update for python-cryptography
Type:        recommended
Severity:    moderate
References:  1198331,CVE-2020-25659

This update for python-cryptography fixes the following issues:

python-cryptography was updated to 3.3.2.

update to 3.3.0:

* BACKWARDS INCOMPATIBLE: The GCM and AESGCM now require 64-bit
  to 1024-bit (8 byte to 128 byte) initialization vectors. This
  change is to conform with an upcoming OpenSSL release that will
  no longer support sizes outside this window.
* BACKWARDS INCOMPATIBLE: When deserializing asymmetric keys we
  now raise ValueError rather than UnsupportedAlgorithm when an
  unsupported cipher is used. This change is to conform with an
  upcoming OpenSSL release that will no longer distinguish
  between error types.
* BACKWARDS INCOMPATIBLE: We no longer allow loading of finite
  field Diffie-Hellman parameters of less than 512 bits in
  length. This change is to conform with an upcoming OpenSSL
  release that no longer supports smaller sizes. These keys were
  already wildly insecure and should not have been used in any
  application outside of testing.
* Added the recover_data_from_signature() function to
  RSAPublicKey for recovering the signed data from an RSA
  signature. 

Update to 3.2.1:

Disable blinding on RSA public keys to address an error with
some versions of OpenSSL.

update to 3.2 (bsc#1178168, CVE-2020-25659):

* CVE-2020-25659: Attempted to make RSA PKCS#1v1.5 decryption more constant time,
  to protect against Bleichenbacher vulnerabilities. Due to limitations imposed
  by our API, we cannot completely mitigate this vulnerability.
* Added basic support for PKCS7 signing (including SMIME) via PKCS7SignatureBuilder.

update to 3.1:

* BACKWARDS INCOMPATIBLE: Removed support for idna based U-label
  parsing in various X.509 classes. This support was originally
  deprecated in version 2.1 and moved to an extra in 2.5.
* backend arguments to functions are no longer required and the
  default backend will automatically be selected if no backend is provided.
* Added initial support for parsing certificates from PKCS7 files with
  load_pem_pkcs7_certificates() and load_der_pkcs7_certificates()
  (in cryptography.hazmat.primitives.serialization.pkcs7).
* Calling update() or update_into() on CipherContext with data
  longer than 2^31 bytes no longer raises an OverflowError. This
  also resolves the same issue in Fernet.

update to 3.0:

* RSA generate_private_key() no longer accepts public_exponent values except
  65537 and 3 (the latter for legacy purposes).
* X.509 certificate parsing now enforces that the version field contains
  a valid value, rather than deferring this check until version is accessed.
* Deprecated support for Python 2.
* Added support for OpenSSH serialization format for ec, ed25519, rsa and dsa
  private keys: load_ssh_private_key() for loading and OpenSSH for writing.
* Added support for OpenSSH certificates to load_ssh_public_key().
* Added encrypt_at_time() and decrypt_at_time() to Fernet.
* Added support for the SubjectInformationAccess X.509 extension.
* Added support for parsing SignedCertificateTimestamps in OCSP responses.
* Added support for parsing attributes in certificate signing requests via get_attribute_for_oid().
* Added support for encoding attributes in certificate signing requests via add_attribute().
* On OpenSSL 1.1.1d and higher cryptography now uses OpenSSL's built-in CSPRNG
  instead of its own OS random engine because these versions of OpenSSL properly reseed on fork.
* Added initial support for creating PKCS12 files with serialize_key_and_certificates().

Update to 2.9:

* BACKWARDS INCOMPATIBLE: Support for Python 3.4 has been removed due to
  low usage and maintenance burden.
* BACKWARDS INCOMPATIBLE: Support for OpenSSL 1.0.1 has been removed.
  Users on older version of OpenSSL will need to upgrade.
* BACKWARDS INCOMPATIBLE: Support for LibreSSL 2.6.x has been removed.
* Removed support for calling public_bytes() with no arguments, as per 
  our deprecation policy. You must now pass encoding and format.
* BACKWARDS INCOMPATIBLE: Reversed the order in which rfc4514_string()
  returns the RDNs as required by RFC 4514.
* Added support for parsing single_extensions in an OCSP response.
* NameAttribute values can now be empty strings.


-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:2548-1
Released:    Tue Jul 26 13:48:28 2022
Summary:     Critical update for python-cssselect
Type:        recommended
Severity:    critical
References:  
This update ships the python-cssselect packages to the unrestricted repository.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:2831-1
Released:    Wed Aug 17 14:41:04 2022
Summary:     Recommended update for aws-efs-utils, python-ansi2html, python-py, python-pytest-html, python-pytest-metadata, python-pytest-rerunfailures, python-coverage, python-oniconfig, python-unittest-mixins
Type:        security
Severity:    moderate
References:  1195916,1196696,CVE-2020-29651
This update for aws-efs-utils, python-ansi2html, python-py, python-pytest-html, python-pytest-metadata, python-pytest-rerunfailures fixes the following issues:

- Update in SLE-15 (bsc#1196696, bsc#1195916, jsc#SLE-23972)

- Remove redundant python3 dependency from Requires
- Update regular expression to fix python shebang
- Style is enforced upstream and triggers unnecessary build version requirements
- Allow specifying fs_id in cloudwatch log group name
- Includes fix for stunnel path
- Added hardening to systemd service(s). 
- Raise minimal pytest version
- Fix typo in the ansi2html Requires
- Cleanup with spec-cleaner
- Make sure the tests are really executed
- Remove useless devel dependency
- Multiprocessing support in Python 3.8 was broken, but is now fixed
- Bump the URL to point to GitHub rather than to the docs


-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:2853-1
Released:    Fri Aug 19 15:59:42 2022
Summary:     Recommended update for sle-module-legacy-release
Type:        recommended
Severity:    low
References:  1202498
This update for python-iniconfig provides the following fix:

- Ship python3-iniconfig also to openSUSE 15.3 and 15.4 (bsc#1202498)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:2908-1
Released:    Fri Aug 26 11:36:03 2022
Summary:     Security update for python-lxml
Type:        security
Severity:    important
References:  1201253,CVE-2022-2309
This update for python-lxml fixes the following issues:

- CVE-2022-2309: Fixed NULL pointer dereference due to state leak between parser runs (bsc#1201253).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:2943-1
Released:    Tue Aug 30 15:42:16 2022
Summary:     Recommended update for python-iniconfig
Type:        recommended
Severity:    low
References:  1202498
This update for python-iniconfig provides the following fix:

- Ship missing python2-iniconfig to openSUSE 15.3 (bsc#1202498)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:3022-1
Released:    Mon Sep  5 15:16:02 2022
Summary:     Recommended update for python-pyOpenSSL
Type:        recommended
Severity:    moderate
References:  1200771
This update for python-pyOpenSSL fixes the following issues:

- Fixed checks for invalid ALPN lists before calling OpenSSL (gh#pyca/pyopenssl#1056).

python-pyOpenSSL was updated to 21.0.0 (bsc#1200771, jsc#SLE-24519):

- The minimum ``cryptography`` version is now 3.3.
- Raise an error when an invalid ALPN value is set.
- Added ``OpenSSL.SSL.Context.set_min_proto_version`` and ``OpenSSL.SSL.Context.set_max_proto_version``
- Updated ``to_cryptography`` and ``from_cryptography`` methods to support an upcoming release of ``cryptography`` without raising deprecation warnings.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:3985-1
Released:    Tue Nov 15 12:54:11 2022
Summary:     Recommended update for python-apipkg
Type:        recommended
Severity:    moderate
References:  1204145

This update for python3-apipkg fixes the following issues:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:139-1
Released:    Wed Jan 25 14:41:55 2023
Summary:     Security update for python-certifi
Type:        security
Severity:    important
References:  1206212,CVE-2022-23491
This update for python-certifi fixes the following issues:

- Remove all TrustCor CAs, as TrustCor issued multiple man-in-the-middle
  certs (bsc#1206212, CVE-2022-23491):
  - TrustCor RootCert CA-1
  - TrustCor RootCert CA-2
  - TrustCor ECA-1
- Add removeTrustCor.patch

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:161-1
Released:    Thu Jan 26 18:23:16 2023
Summary:     Security update for python-py
Type:        security
Severity:    moderate
References:  1204364,CVE-2022-42969
This update for python-py fixes the following issues:

- CVE-2022-42969: Fixed excessive resource consumption that could
  be triggered when interacting with a Subversion repository
  containing crafted data (bsc#1204364).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:557-1
Released:    Tue Feb 28 09:29:15 2023
Summary:     Security update for libxslt
Type:        security
Severity:    important
References:  1208574,CVE-2021-30560
This update for libxslt fixes the following issues:

- CVE-2021-30560: Fixed a use-after-free vulnerability in Blink XSLT (bsc#1208574).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:722-1
Released:    Tue Mar 14 14:57:15 2023
Summary:     Security update for python-cryptography
Type:        security
Severity:    moderate
References:  1208036,CVE-2023-23931
This update for python-cryptography fixes the following issues:

- CVE-2023-23931: Fixed memory corruption due to invalidly changed immutable object (bsc#1208036).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:2143-1
Released:    Tue May  9 14:49:45 2023
Summary:     Security update for protobuf-c
Type:        security
Severity:    important
References:  1210323,CVE-2022-48468
This update for protobuf-c fixes the following issues:

- CVE-2022-48468: Fixed an unsigned integer overflow (bsc#1210323).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:2866-1
Released:    Tue Jul 18 11:09:03 2023
Summary:     Security update for python-requests
Type:        security
Severity:    moderate
References:  1211674,CVE-2023-32681
This update for python-requests fixes the following issues:

- CVE-2023-32681: Fixed unintended leak of Proxy-Authorization header (bsc#1211674).

-----------------------------------------------------------------
Advisory ID: SUSE-feature-2023:2898-1
Released:    Thu Jul 20 09:15:33 2023
Summary:     Recommended update for python-instance-billing-flavor-check
Type:        feature
Severity:    critical
References:  
This update for python-instance-billing-flavor-check fixes the following issues:

- Include PAYG checker package in SLE (jsc#PED-4791)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:2905-1
Released:    Thu Jul 20 10:17:54 2023
Summary:     Recommended update for fstrm
Type:        recommended
Severity:    moderate
References:  
This update for fstrm fixes the following issues:

- Update to 0.6.1:

  - fstrm_capture: ignore SIGPIPE, which will cause the
    interrupted connections to generate an EPIPE instead.
  - Fix truncation in snprintf calls in argument processing.
  - fstrm_capture: Fix output printf format. 

- Update to 0.6.0:

  It adds a new feature for fstrm_capture. It can perform output
  file rotation when a SIGUSR1 signal is received by fstrm_capture.
  (See the --gmtime or --localtime options.) This allows
  fstrm_capture's output file to be rotated by logrotate or a
  similar external utility. (Output rotation is suppressed if
  fstrm_capture is writing to stdout.)

- Update to 0.5.0:

  - Change license to modern MIT license for compatibility with
    GPLv2 software. Contact software at farsightsecurity.com for
    alternate licensing.
  - src/fstrm_replay.c: For OpenBSD and Posix portability include
    netinet/in.h and sys/socket.h to get struct sockaddr_in and the
    AF_* defines respectively.
  - Fix various compiler warnings.

- Update to 0.4.0:

  The C implementation of the Frame Streams data transport
  protocol, fstrm version 0.4.0, was released. It adds TCP support,
  a new tool, new documentation, and several improvements.

  - Added manual pages for fstrm_capture and fstrm_dump.
  - Added new tool, fstrm_replay, for replaying saved Frame Streams
    data to a socket connection.
  - Adds TCP support. Add tcp_writer to the core library which
    implements a bi-directional Frame Streams writer as a TCP
    socket client. Introduces new developer API:
    fstrm_tcp_writer_init, fstrm_tcp_writer_options_init,
    fstrm_tcp_writer_options_destroy,
    fstrm_tcp_writer_options_set_socket_address, and
    fstrm_tcp_writer_options_set_socket_port.
  - fstrm_capture: new options for reading from TCP socket.
  - fstrm_capture: add '-c' / '--connections' option to limit the
    number of concurrent connections it will accept.
  - fstrm_capture: add '-b' / '--buffer-size' option to set the read
    buffer size (effectively the maximum frame size) to a value
    other than the default 256 KiB.
  - fstrm_capture: skip oversize messages to fix stalled
    connections caused by messages larger than the read highwater
    mark of the input buffer. Discarded messages are logged for the
    purposes of tuning the input buffer size.
  - fstrm_capture: complete sending of FINISH frame before closing
    connection.
  - Various test additions and improvements.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:3196-1
Released:    Fri Aug  4 10:02:04 2023
Summary:     Recommended update for protobuf-c
Type:        recommended
Severity:    moderate
References:  1213443
This update for protobuf-c fixes the following issues:

- Include executables required to generate Protocol Buffers glue code in the devel subpackage (bsc#1213443)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:3217-1
Released:    Mon Aug  7 16:51:10 2023
Summary:     Recommended update for cryptsetup
Type:        recommended
Severity:    moderate
References:  1211079
This update for cryptsetup fixes the following issues:

- Handle system with low memory and no swap space (bsc#1211079)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:3270-1
Released:    Thu Aug 10 19:34:35 2023
Summary:     Recommended update for vim
Type:        recommended
Severity:    moderate
References:  1211461
This update for vim fixes the following issues:

- Calling vim on xterm leads to missing first character of the command prompt (bsc#1211461)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:3275-1
Released:    Fri Aug 11 10:19:36 2023
Summary:     Recommended update for apparmor
Type:        recommended
Severity:    moderate
References:  1213472
This update for apparmor fixes the following issues:

- Add pam_apparmor README (bsc#1213472)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:3282-1
Released:    Fri Aug 11 10:26:23 2023
Summary:     Recommended update for blog
Type:        recommended
Severity:    moderate
References:  
This update for blog fixes the following issues:

- Fix big endian cast problems to be able to read commands and answers as well as passphrases

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:3285-1
Released:    Fri Aug 11 10:30:38 2023
Summary:     Recommended update for shadow
Type:        recommended
Severity:    moderate
References:  1206627,1213189
This update for shadow fixes the following issues:

- Prevent lock files from remaining after power interruptions (bsc#1213189)
- Add --prefix support to passwd, chpasswd and chage (bsc#1206627)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:3286-1
Released:    Fri Aug 11 10:32:03 2023
Summary:     Recommended update for util-linux
Type:        recommended
Severity:    moderate
References:  1194038,1194900
This update for util-linux fixes the following issues:

- Fix blkid for floppy drives (bsc#1194900)
- Fix rpmbuild %check failures when @ is in the directory path (bsc#1194038)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:3288-1
Released:    Fri Aug 11 12:30:14 2023
Summary:     Recommended update for python-apipkg
Type:        recommended
Severity:    moderate
References:  1213582

This update for python-apipkg provides python3-apipkg to SUSE Linux Enterprise Micro 5.2. 

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:3301-1
Released:    Mon Aug 14 07:24:59 2023
Summary:     Security update for libyajl
Type:        security
Severity:    moderate
References:  1212928,CVE-2023-33460
This update for libyajl fixes the following issues:

- CVE-2023-33460: Fixed memory leak which could cause out-of-memory in server (bsc#1212928).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:3313-1
Released:    Mon Aug 14 17:34:46 2023
Summary:     Security update for the Linux Kernel
Type:        security
Severity:    important
References:  1206418,1207129,1210627,1210780,1211131,1211738,1212502,1212604,1212901,1213167,1213272,1213287,1213304,1213585,1213586,1213588,1213620,1213653,1213713,1213715,1213747,1213756,1213759,1213777,1213810,1213812,1213842,1213856,1213857,1213863,1213867,1213870,1213871,CVE-2022-40982,CVE-2023-0459,CVE-2023-20569,CVE-2023-21400,CVE-2023-2156,CVE-2023-2166,CVE-2023-31083,CVE-2023-3268,CVE-2023-3567,CVE-2023-3609,CVE-2023-3611,CVE-2023-3776,CVE-2023-4004

The SUSE Linux Enterprise 15 SP4 kernel was updated to receive various security fixes and bug fixes.

The following security bugs were fixed:

- CVE-2022-40982: Fixed transient execution attack called 'Gather Data Sampling' (bsc#1206418).
- CVE-2023-0459: Fixed information leak in __uaccess_begin_nospec (bsc#1211738).
- CVE-2023-20569: Fixed side channel attack ‘Inception’ or ‘RAS Poisoning’ (bsc#1213287).
- CVE-2023-21400: Fixed several memory corruptions due to improper locking in io_uring (bsc#1213272).
- CVE-2023-2156: Fixed a flaw in the networking subsystem within the handling of the RPL protocol (bsc#1211131).
- CVE-2023-2166: Fixed NULL pointer dereference in can_rcv_filter (bsc#1210627).
- CVE-2023-31083: Fixed race condition in hci_uart_tty_ioctl (bsc#1210780).
- CVE-2023-3268: Fixed an out of bounds memory access flaw in relay_file_read_start_pos in the relayfs (bsc#1212502).
- CVE-2023-3567: Fixed a use-after-free in vcs_read in drivers/tty/vt/vc_screen.c (bsc#1213167).
- CVE-2023-3609: Fixed a reference counter leak leading to overflow in net/sched (bsc#1213586).
- CVE-2023-3611: Fixed an out-of-bounds write in net/sched sch_qfq (bsc#1213585).
- CVE-2023-3776: Fixed an improper refcount update in cls_fw leading to a use-after-free (bsc#1213588).
- CVE-2023-4004: Fixed improper element removal in netfilter nft_set_pipapo (bsc#1213812).

The following non-security bugs were fixed:

- afs: Fix access after dec in put functions (git-fixes).
- afs: Fix afs_getattr() to refetch file status if callback break occurred (git-fixes).
- afs: Fix dynamic root getattr (git-fixes).
- afs: Fix fileserver probe RTT handling (git-fixes).
- afs: Fix infinite loop found by xfstest generic/676 (git-fixes).
- afs: Fix lost servers_outstanding count (git-fixes).
- afs: Fix server->active leak in afs_put_server (git-fixes).
- afs: Fix setting of mtime when creating a file/dir/symlink (git-fixes).
- afs: Fix updating of i_size with dv jump from server (git-fixes).
- afs: Fix vlserver probe RTT handling (git-fixes).
- afs: Return -EAGAIN, not -EREMOTEIO, when a file already locked (git-fixes).
- afs: Use refcount_t rather than atomic_t (git-fixes).
- afs: Use the operation issue time instead of the reply time for callbacks (git-fixes).
- afs: adjust ack interpretation to try and cope with nat (git-fixes).
- alsa: emu10k1: roll up loops in dsp setup code for audigy (git-fixes).
- alsa: hda/realtek: support asus g713pv laptop (git-fixes).
- alsa: hda/relatek: enable mute led on hp 250 g8 (git-fixes).
- alsa: usb-audio: add quirk for microsoft modern wireless headset (bsc#1207129).
- alsa: usb-audio: update for native dsd support quirks (git-fixes).
- asoc: atmel: fix the 8k sample parameter in i2sc master (git-fixes).
- asoc: codecs: es8316: fix dmic config (git-fixes).
- asoc: da7219: check for failure reading aad irq events (git-fixes).
- asoc: da7219: flush pending aad irq when suspending (git-fixes).
- asoc: fsl_sai: disable bit clock with transmitter (git-fixes).
- asoc: fsl_spdif: silence output on stop (git-fixes).
- asoc: rt5682-sdw: fix for jd event handling in clockstop mode0 (git-fixes).
- asoc: rt711-sdca: fix for jd event handling in clockstop mode0 (git-fixes).
- asoc: rt711: fix for jd event handling in clockstop mode0 (git-fixes).
- asoc: wm8904: fill the cache for wm8904_adc_test_0 register (git-fixes).
- ata: pata_ns87415: mark ns87560_tf_read static (git-fixes).
- block, bfq: Fix division by zero error on zero wsum (bsc#1213653).
- block: Fix a source code comment in include/uapi/linux/blkzoned.h (git-fixes).
- can: gs_usb: gs_can_close(): add missing set of CAN state to CAN_STATE_STOPPED (git-fixes).
- ceph: do not let check_caps skip sending responses for revoke msgs (bsc#1213856).
- coda: Avoid partial allocation of sig_inputArgs (git-fixes).
- dlm: fix missing lkb refcount handling (git-fixes).
- dlm: fix plock invalid read (git-fixes).
- documentation: devices.txt: reconcile serial/ucc_uart minor numbers (git-fixes).
- drm/amd/display: Disable MPC split by default on special asic (git-fixes).
- drm/amd/display: Keep PHY active for DP displays on DCN31 (git-fixes).
- drm/client: Fix memory leak in drm_client_modeset_probe (git-fixes).
- drm/msm/adreno: Fix snapshot BINDLESS_DATA size (git-fixes).
- drm/msm/dpu: drop enum dpu_core_perf_data_bus_id (git-fixes).
- drm/msm: Fix IS_ERR_OR_NULL() vs NULL check in a5xx_submit_in_rb() (git-fixes).
- drm/radeon: Fix integer overflow in radeon_cs_parser_init (git-fixes).
- file: always lock position for FMODE_ATOMIC_POS (bsc#1213759).
- fs: dlm: add midcomms init/start functions (git-fixes).
- fs: dlm: do not set stop rx flag after node reset (git-fixes).
- fs: dlm: filter user dlm messages for kernel locks (git-fixes).
- fs: dlm: fix log of lowcomms vs midcomms (git-fixes).
- fs: dlm: fix race between test_bit() and queue_work() (git-fixes).
- fs: dlm: fix race in lowcomms (git-fixes).
- fs: dlm: handle -EBUSY first in lock arg validation (git-fixes).
- fs: dlm: move sending fin message into state change handling (git-fixes).
- fs: dlm: retry accept() until -EAGAIN or error returns (git-fixes).
- fs: dlm: return positive pid value for F_GETLK (git-fixes).
- fs: dlm: start midcomms before scand (git-fixes).
- fs: hfsplus: remove WARN_ON() from hfsplus_cat_{read,write}_inode() (git-fixes).
- fs: jfs: Fix UBSAN: array-index-out-of-bounds in dbAllocDmapLev (git-fixes).
- fs: jfs: check for read-only mounted filesystem in txbegin (git-fixes).
- fs: jfs: fix null-ptr-deref read in txbegin (git-fixes).
- gve: Set default duplex configuration to full (git-fixes).
- gve: unify driver name usage (git-fixes).
- hwmon: (k10temp) Enable AMD3255 Proc to show negative temperature (git-fixes).
- hwmon: (nct7802) Fix for temp6 (PECI1) processed even if PECI1 disabled (git-fixes).
- iavf: Fix out-of-bounds when setting channels on remove (git-fixes).
- iavf: Fix use-after-free in free_netdev (git-fixes).
- iavf: use internal state to free traffic IRQs (git-fixes).
- igc: Check if hardware TX timestamping is enabled earlier (git-fixes).
- igc: Enable and fix RX hash usage by netstack (git-fixes).
- igc: Fix Kernel Panic during ndo_tx_timeout callback (git-fixes).
- igc: Fix inserting of empty frame for launchtime (git-fixes).
- igc: Fix launchtime before start of cycle (git-fixes).
- igc: Fix race condition in PTP tx code (git-fixes).
- igc: Handle PPS start time programming for past time values (git-fixes).
- igc: Prevent garbled TX queue with XDP ZEROCOPY (git-fixes).
- igc: Remove delay during TX ring configuration (git-fixes).
- igc: Work around HW bug causing missing timestamps (git-fixes).
- igc: set TP bit in 'supported' and 'advertising' fields of ethtool_link_ksettings (git-fixes).
- input: i8042 - add clevo pcx0dx to i8042 quirk table (git-fixes).
- input: iqs269a - do not poll during ati (git-fixes).
- input: iqs269a - do not poll during suspend or resume (git-fixes).
- jffs2: GC deadlock reading a page that is used in jffs2_write_begin() (git-fixes).
- jffs2: fix memory leak in jffs2_do_fill_super (git-fixes).
- jffs2: fix memory leak in jffs2_do_mount_fs (git-fixes).
- jffs2: fix memory leak in jffs2_scan_medium (git-fixes).
- jffs2: fix use-after-free in jffs2_clear_xattr_subsystem (git-fixes).
- jffs2: reduce stack usage in jffs2_build_xattr_subsystem() (git-fixes).
- jfs: jfs_dmap: Validate db_l2nbperpage while mounting (git-fixes).
- kvm: arm64: do not read a hw interrupt pending state in user context (git-fixes)
- kvm: arm64: warn if accessing timer pending state outside of vcpu (bsc#1213620)
- kvm: do not null dereference ops->destroy (git-fixes)
- kvm: downgrade two bug_ons to warn_on_once (git-fixes)
- kvm: initialize debugfs_dentry when a vm is created to avoid null (git-fixes)
- kvm: s390: pv: fix index value of replaced asce (git-fixes bsc#1213867).
- kvm: vmx: inject #gp on encls if vcpu has paging disabled (cr0.pg==0) (git-fixes).
- kvm: vmx: inject #gp, not #ud, if sgx2 encls leafs are unsupported (git-fixes).
- kvm: vmx: restore vmx_vmexit alignment (git-fixes).
- kvm: x86: account fastpath-only vm-exits in vcpu stats (git-fixes).
- libceph: harden msgr2.1 frame segment length checks (bsc#1213857).
- media: staging: atomisp: select V4L2_FWNODE (git-fixes).
- net/sched: sch_qfq: refactor parsing of netlink parameters (bsc#1213585).
- net/sched: sch_qfq: reintroduce lmax bound check for MTU (bsc#1213585).
- net: ena: fix shift-out-of-bounds in exponential backoff (git-fixes).
- net: mana: Batch ringing RX queue doorbell on receiving packets (bsc#1212901).
- net: mana: Use the correct WQE count for ringing RQ doorbell (bsc#1212901).
- net: phy: marvell10g: fix 88x3310 power up (git-fixes).
- nfsd: add encoding of op_recall flag for write delegation (git-fixes).
- nfsd: fix double fget() bug in __write_ports_addfd() (git-fixes).
- nfsd: fix sparse warning (git-fixes).
- nfsd: remove open coding of string copy (git-fixes).
- nfsv4.1: always send a reclaim_complete after establishing lease (git-fixes).
- nfsv4.1: freeze the session table upon receiving nfs4err_badsession (git-fixes).
- nvme-pci: fix DMA direction of unmapping integrity data (git-fixes).
- nvme-pci: remove nvme_queue from nvme_iod (git-fixes).
- octeontx-af: fix hardware timestamp configuration (git-fixes).
- octeontx2-af: Move validation of ptp pointer before its usage (git-fixes).
- octeontx2-pf: Add additional check for MCAM rules (git-fixes).
- phy: hisilicon: Fix an out of bounds check in hisi_inno_phy_probe() (git-fixes).
- pinctrl: amd: Do not show `Invalid config param` errors (git-fixes).
- pinctrl: amd: Use amd_pinconf_set() for all config options (git-fixes).
- platform/x86: msi-laptop: Fix rfkill out-of-sync on MSI Wind U100 (git-fixes).
- rdma/bnxt_re: fix hang during driver unload (git-fixes)
- rdma/bnxt_re: prevent handling any completions after qp destroy (git-fixes)
- rdma/core: update cma destination address on rdma_resolve_addr (git-fixes)
- rdma/irdma: add missing read barriers (git-fixes)
- rdma/irdma: fix data race on cqp completion stats (git-fixes)
- rdma/irdma: fix data race on cqp request done (git-fixes)
- rdma/irdma: fix op_type reporting in cqes (git-fixes)
- rdma/irdma: report correct wc error (git-fixes)
- rdma/mlx4: make check for invalid flags stricter (git-fixes)
- rdma/mthca: fix crash when polling cq for shared qps (git-fixes)
- regmap: Account for register length in SMBus I/O limits (git-fixes).
- regmap: Drop initial version of maximum transfer length fixes (git-fixes).
- revert 'debugfs, coccinelle: check for obsolete define_simple_attribute() usage' (git-fixes).
- revert 'nfsv4: retry lock on old_stateid during delegation return' (git-fixes).
- revert 'usb: dwc3: core: enable autoretry feature in the controller' (git-fixes).
- revert 'usb: gadget: tegra-xudc: fix error check in tegra_xudc_powerdomain_init()' (git-fixes).
- revert 'usb: xhci: tegra: fix error check' (git-fixes).
- revert 'xhci: add quirk for host controllers that do not update endpoint dcs' (git-fixes).
- rxrpc, afs: Fix selection of abort codes (git-fixes).
- s390/bpf: Add expoline to tail calls (git-fixes bsc#1213870).
- s390/dasd: fix hanging device after quiesce/resume (git-fixes bsc#1213810).
- s390/decompressor: specify __decompress() buf len to avoid overflow (git-fixes bsc#1213863).
- s390/ipl: add missing intersection check to ipl_report handling (git-fixes bsc#1213871).
- s390/qeth: Fix vipa deletion (git-fixes bsc#1213713).
- s390/vmem: fix empty page tables cleanup under KASAN (git-fixes bsc#1213715).
- s390: introduce nospec_uses_trampoline() (git-fixes bsc#1213870).
- scftorture: Count reschedule IPIs (git-fixes).
- scsi: lpfc: Abort outstanding ELS cmds when mailbox timeout error is detected (bsc#1213756).
- scsi: lpfc: Avoid -Wstringop-overflow warning (bsc#1213756).
- scsi: lpfc: Clean up SLI-4 sysfs resource reporting (bsc#1213756).
- scsi: lpfc: Copyright updates for 14.2.0.14 patches (bsc#1213756).
- scsi: lpfc: Fix a possible data race in lpfc_unregister_fcf_rescan() (bsc#1213756).
- scsi: lpfc: Fix incorrect big endian type assignment in bsg loopback path (bsc#1213756).
- scsi: lpfc: Fix incorrect big endian type assignments in FDMI and VMID paths (bsc#1213756).
- scsi: lpfc: Fix lpfc_name struct packing (bsc#1213756).
- scsi: lpfc: Make fabric zone discovery more robust when handling unsolicited LOGO (bsc#1213756).
- scsi: lpfc: Pull out fw diagnostic dump log message from driver's trace buffer (bsc#1213756).
- scsi: lpfc: Qualify ndlp discovery state when processing RSCN (bsc#1213756).
- scsi: lpfc: Refactor cpu affinity assignment paths (bsc#1213756).
- scsi: lpfc: Remove extra ndlp kref decrement in FLOGI cmpl for loop topology (bsc#1213756).
- scsi: lpfc: Replace all non-returning strlcpy() with strscpy() (bsc#1213756).
- scsi: lpfc: Replace one-element array with flexible-array member (bsc#1213756).
- scsi: lpfc: Revise ndlp kref handling for dev_loss_tmo_callbk and lpfc_drop_node (bsc#1213756).
- scsi: lpfc: Set Establish Image Pair service parameter only for Target Functions (bsc#1213756).
- scsi: lpfc: Simplify fcp_abort transport callback log message (bsc#1213756).
- scsi: lpfc: Update lpfc version to 14.2.0.14 (bsc#1213756).
- scsi: lpfc: Use struct_size() helper (bsc#1213756).
- scsi: qla2xxx: Adjust IOCB resource on qpair create (bsc#1213747).
- scsi: qla2xxx: Array index may go out of bound (bsc#1213747).
- scsi: qla2xxx: Avoid fcport pointer dereference (bsc#1213747).
- scsi: qla2xxx: Check valid rport returned by fc_bsg_to_rport() (bsc#1213747).
- scsi: qla2xxx: Correct the index of array (bsc#1213747).
- scsi: qla2xxx: Drop useless LIST_HEAD (bsc#1213747).
- scsi: qla2xxx: Fix NULL pointer dereference in target mode (bsc#1213747).
- scsi: qla2xxx: Fix TMF leak through (bsc#1213747).
- scsi: qla2xxx: Fix buffer overrun (bsc#1213747).
- scsi: qla2xxx: Fix command flush during TMF (bsc#1213747).
- scsi: qla2xxx: Fix deletion race condition (bsc#1213747).
- scsi: qla2xxx: Fix end of loop test (bsc#1213747).
- scsi: qla2xxx: Fix erroneous link up failure (bsc#1213747).
- scsi: qla2xxx: Fix error code in qla2x00_start_sp() (bsc#1213747).
- scsi: qla2xxx: Fix potential NULL pointer dereference (bsc#1213747).
- scsi: qla2xxx: Fix session hang in gnl (bsc#1213747).
- scsi: qla2xxx: Limit TMF to 8 per function (bsc#1213747).
- scsi: qla2xxx: Pointer may be dereferenced (bsc#1213747).
- scsi: qla2xxx: Remove unused nvme_ls_waitq wait queue (bsc#1213747).
- scsi: qla2xxx: Replace one-element array with DECLARE_FLEX_ARRAY() helper (bsc#1213747).
- scsi: qla2xxx: Silence a static checker warning (bsc#1213747).
- scsi: qla2xxx: Turn off noisy message log (bsc#1213747).
- scsi: qla2xxx: Update version to 10.02.08.400-k (bsc#1213747).
- scsi: qla2xxx: Update version to 10.02.08.500-k (bsc#1213747).
- scsi: qla2xxx: Use vmalloc_array() and vcalloc() (bsc#1213747).
- scsi: qla2xxx: fix inconsistent TMF timeout (bsc#1213747).
- serial: qcom-geni: drop bogus runtime pm state update (git-fixes).
- serial: sifive: Fix sifive_serial_console_setup() section (git-fixes).
- soundwire: qcom: update status correctly with mask (git-fixes).
- staging: ks7010: potential buffer overflow in ks_wlan_set_encode_ext() (git-fixes).
- staging: r8712: Fix memory leak in _r8712_init_xmit_priv() (git-fixes).
- sunrpc: always free ctxt when freeing deferred request (git-fixes).
- sunrpc: double free xprt_ctxt while still in use (git-fixes).
- sunrpc: fix trace_svc_register() call site (git-fixes).
- sunrpc: fix uaf in svc_tcp_listen_data_ready() (git-fixes).
- sunrpc: remove dead code in svc_tcp_release_rqst() (git-fixes).
- sunrpc: remove the maximum number of retries in call_bind_status (git-fixes).
- svcrdma: Prevent page release when nothing was received (git-fixes).
- tpm_tis: Explicitly check for error code (git-fixes).
- tty: n_gsm: fix UAF in gsm_cleanup_mux (git-fixes).
- ubifs: Add missing iput if do_tmpfile() failed in rename whiteout (git-fixes).
- ubifs: Error path in ubifs_remount_rw() seems to wrongly free write buffers (git-fixes).
- ubifs: Fix 'ui->dirty' race between do_tmpfile() and writeback work (git-fixes).
- ubifs: Fix AA deadlock when setting xattr for encrypted file (git-fixes).
- ubifs: Fix build errors as symbol undefined (git-fixes).
- ubifs: Fix deadlock in concurrent rename whiteout and inode writeback (git-fixes).
- ubifs: Fix memory leak in alloc_wbufs() (git-fixes).
- ubifs: Fix memory leak in do_rename (git-fixes).
- ubifs: Fix read out-of-bounds in ubifs_wbuf_write_nolock() (git-fixes).
- ubifs: Fix to add refcount once page is set private (git-fixes).
- ubifs: Fix wrong dirty space budget for dirty inode (git-fixes).
- ubifs: Free memory for tmpfile name (git-fixes).
- ubifs: Rectify space amount budget for mkdir/tmpfile operations (git-fixes).
- ubifs: Rectify space budget for ubifs_symlink() if symlink is encrypted (git-fixes).
- ubifs: Rectify space budget for ubifs_xrename() (git-fixes).
- ubifs: Rename whiteout atomically (git-fixes).
- ubifs: Reserve one leb for each journal head while doing budget (git-fixes).
- ubifs: do_rename: Fix wrong space budget when target inode's nlink > 1 (git-fixes).
- ubifs: rename_whiteout: Fix double free for whiteout_ui->data (git-fixes).
- ubifs: rename_whiteout: correct old_dir size computing (git-fixes).
- ubifs: setflags: Make dirtied_ino_d 8 bytes aligned (git-fixes).
- ubifs: ubifs_writepage: Mark page dirty after writing inode failed (git-fixes).
- usb: dwc3: do not reset device side if dwc3 was configured as host-only (git-fixes).
- usb: dwc3: pci: skip BYT GPIO lookup table for hardwired phy (git-fixes).
- usb: gadget: core: remove unbalanced mutex_unlock in usb_gadget_activate (git-fixes).
- usb: xhci-mtk: set the dma max_seg_size (git-fixes).
- vhost: support PACKED when setting-getting vring_base (git-fixes).
- vhost_net: revert upend_idx only on retriable error (git-fixes).
- virtio-net: Maintain reverse cleanup order (git-fixes).
- virtio_net: Fix error unwinding of XDP initialization (git-fixes).
- x86/PVH: obtain VGA console info in Dom0 (git-fixes).
- xen/blkfront: Only check REQ_FUA for writes (git-fixes).
- xen/pvcalls-back: fix double frees with pvcalls_new_active_socket() (git-fixes).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:3327-1
Released:    Wed Aug 16 08:45:25 2023
Summary:     Security update for pcre2
Type:        security
Severity:    moderate
References:  1213514,CVE-2022-41409
This update for pcre2 fixes the following issues:

  - CVE-2022-41409: Fixed integer overflow vulnerability in pcre2test that allows attackers to cause a denial of service via negative input (bsc#1213514).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:3330-1
Released:    Wed Aug 16 08:59:33 2023
Summary:     Recommended update for python-pyasn1
Type:        recommended
Severity:    important
References:  1207805
This update for python-pyasn1 fixes the following issues:

- To avoid users of this package having to recompile bytecode
  files, change the mtime of any __init__.py. (bsc#1207805)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:3363-1
Released:    Fri Aug 18 14:54:16 2023
Summary:     Security update for krb5
Type:        security
Severity:    important
References:  1214054,CVE-2023-36054
This update for krb5 fixes the following issues:

- CVE-2023-36054: Fixed a DoS that could be triggered by an authenticated remote user. (bsc#1214054)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:3371-1
Released:    Tue Aug 22 13:30:18 2023
Summary:     Recommended update for liblognorm
Type:        recommended
Severity:    moderate
References:  
This update for liblognorm fixes the following issues:

- Update to liblognorm v2.0.6 (jsc#PED-4883)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:3372-1
Released:    Tue Aug 22 13:44:38 2023
Summary:     Recommended update for rsyslog
Type:        recommended
Severity:    moderate
References:  1211757,1213212
This update for rsyslog fixes the following issues:

- Fix removal of imfile state files (bsc#1213212)
- Fix segfaults in modExit() of imklog.c (bsc#1211757)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:3395-1
Released:    Wed Aug 23 18:09:24 2023
Summary:     Security update for xen
Type:        security
Severity:    moderate
References:  1027519,1213616,1214082,1214083,CVE-2022-40982,CVE-2023-20569,CVE-2023-20593
This update for xen fixes the following issues:

- CVE-2023-20569: Fixed the 'Inception' speculative side-channel attack (Return Address Stack poisoning). (bsc#1214082, XSA-434)
- CVE-2022-40982: Fixed transient execution attack called 'Gather Data Sampling'. (bsc#1214083, XSA-435)
- CVE-2023-20593: Fixed a ZenBleed issue in 'Zen 2' CPUs that could allow an attacker to potentially access sensitive information. (bsc#1213616, XSA-433)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:3397-1
Released:    Wed Aug 23 18:35:56 2023
Summary:     Security update for openssl-1_1
Type:        security
Severity:    moderate
References:  1213517,1213853,CVE-2023-3817
This update for openssl-1_1 fixes the following issues:

- CVE-2023-3817: Fixed a potential DoS due to excessive time spent checking DH q parameter value. (bsc#1213853)
- Don't pass zero length input to EVP_Cipher because s390x assembler optimized AES cannot handle zero size. (bsc#1213517)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:3410-1
Released:    Thu Aug 24 06:56:32 2023
Summary:     Recommended update for audit
Type:        recommended
Severity:    moderate
References:  1201519,1204844
This update for audit fixes the following issues:

- Create symbolic link from /sbin/audisp-syslog to /usr/sbin/audisp-syslog (bsc#1201519)
- Fix rules not loaded when restarting auditd.service (bsc#1204844)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:3440-1
Released:    Mon Aug 28 08:57:10 2023
Summary:     Security update for gawk
Type:        security
Severity:    low
References:  1214025,CVE-2023-4156
This update for gawk fixes the following issues:

- CVE-2023-4156: Fixed a heap out-of-bounds read by validating the index into the argument list. (bsc#1214025)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:3451-1
Released:    Mon Aug 28 12:15:22 2023
Summary:     Recommended update for systemd
Type:        recommended
Severity:    moderate
References:  1186606,1194609,1208194,1209741,1210702,1211576,1212434,1213185,1213575,1213873
This update for systemd fixes the following issues:

- Fix reboot and shutdown issues by getting only active MD arrays (bsc#1211576, bsc#1212434, bsc#1213575)
- Decrease devlink priority for iso disks (bsc#1213185)
- Do not ignore mount point paths longer than 255 characters (bsc#1208194)
- Refuse hibernation if there's no possible way to resume (bsc#1186606)
- Update 'korean' and 'arabic' keyboard layouts (bsc#1210702)
- Drop some entries no longer needed by YaST (bsc#1194609)
- The 'systemd --user' instances get their own session keyring instead of the user default one (bsc#1209741)
- Dynamically allocate receive buffer to handle large amount of mounts (bsc#1213873)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:3452-1
Released:    Mon Aug 28 12:41:11 2023
Summary:     Recommended update for supportutils-plugin-suse-public-cloud
Type:        recommended
Severity:    moderate
References:  1213951
This update for supportutils-plugin-suse-public-cloud fixes the following issues:

- Update from version 1.0.7 to 1.0.8 (bsc#1213951)
  - Capture CSP billing adapter config and log
  - Accept upper case Amazon string in DMI table

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:3454-1
Released:    Mon Aug 28 13:43:18 2023
Summary:     Security update for ca-certificates-mozilla
Type:        security
Severity:    important
References:  1214248
This update for ca-certificates-mozilla fixes the following issues:

- Updated to 2.62 state of Mozilla SSL root CAs (bsc#1214248)
  Added:
  - Atos TrustedRoot Root CA ECC G2 2020
  - Atos TrustedRoot Root CA ECC TLS 2021
  - Atos TrustedRoot Root CA RSA G2 2020
  - Atos TrustedRoot Root CA RSA TLS 2021
  - BJCA Global Root CA1
  - BJCA Global Root CA2
  - LAWtrust Root CA2 (4096)
  - Sectigo Public Email Protection Root E46
  - Sectigo Public Email Protection Root R46
  - Sectigo Public Server Authentication Root E46
  - Sectigo Public Server Authentication Root R46
  - SSL.com Client ECC Root CA 2022
  - SSL.com Client RSA Root CA 2022
  - SSL.com TLS ECC Root CA 2022
  - SSL.com TLS RSA Root CA 2022
  Removed CAs:
  - Chambers of Commerce Root
  - E-Tugra Certification Authority
  - E-Tugra Global Root CA ECC v3
  - E-Tugra Global Root CA RSA v3
  - Hongkong Post Root CA 1

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:3461-1
Released:    Mon Aug 28 17:25:09 2023
Summary:     Security update for freetype2
Type:        security
Severity:    moderate
References:  1210419,CVE-2023-2004
This update for freetype2 fixes the following issues:

- CVE-2023-2004: Fixed integer overflow in tt_hvadvance_adjust (bsc#1210419).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:3468-1
Released:    Tue Aug 29 09:22:18 2023
Summary:     Recommended update for python3
Type:        recommended
Severity:    low
References:  
This update for python3 fixes the following issue:

- Rename sources in preparation of python3.11 (jsc#PED-68)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:3470-1
Released:    Tue Aug 29 10:49:33 2023
Summary:     Recommended update for parted
Type:        recommended
Severity:    low
References:  1182142,1193412
This update for parted fixes the following issues:

- fix null pointer dereference (bsc#1193412)
- update mkpart options in manpage (bsc#1182142)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:3472-1
Released:    Tue Aug 29 10:55:16 2023
Summary:     Security update for procps
Type:        security
Severity:    low
References:  1214290,CVE-2023-4016
This update for procps fixes the following issues:

  - CVE-2023-4016: Fixed ps buffer overflow (bsc#1214290).

-----------------------------------------------------------------
Advisory ID: SUSE-feature-2023:3484-1
Released:    Tue Aug 29 13:49:29 2023
Summary:     Feature update for bind
Type:        feature
Severity:    moderate
References:  1213049
This update for bind fixes the following issues:

- Add dnstap support (jsc#PED-4852, jsc#PED-4853)
- Log named-checkconf output (bsc#1213049)
- Update to release 9.16.43

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:3486-1
Released:    Tue Aug 29 14:25:23 2023
Summary:     Recommended update for lvm2
Type:        recommended
Severity:    moderate
References:  1214071
This update for lvm2 fixes the following issues:

- blkdeactivate calls wrong mountpoint cmd (bsc#1214071)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:3514-1
Released:    Fri Sep  1 15:48:52 2023
Summary:     Recommended update for libzypp, zypper
Type:        recommended
Severity:    moderate
References:  1158763,1210740,1213231,1213557,1213673
This update for libzypp, zypper fixes the following issues:

- Fix occasional issue with downloading very small files (bsc#1213673)
- Fix negative ZYPP_LOCK_TIMEOUT not waiting forever (bsc#1213231)
- Fix OES synchronization issues when cookie file has mode 0600 (bsc#1158763)
- Don't cleanup orphaned dirs if read-only mode was promised (bsc#1210740)
- Revised explanation of --force-resolution in man page (bsc#1213557)
- Print summary hint if policies were violated due to --force-resolution (bsc#1213557)


The following package changes have been done:

- apparmor-abstractions-3.0.4-150400.5.6.1 updated
- apparmor-parser-3.0.4-150400.5.6.1 updated
- audit-3.0.6-150400.4.13.1 updated
- bind-utils-9.16.43-150400.5.34.1 updated
- blog-2.26-150300.4.6.1 updated
- ca-certificates-mozilla-2.62-150200.30.1 updated
- gawk-4.2.1-150000.3.3.1 updated
- hostname-3.16-2.22 added
- kernel-default-5.14.21-150400.24.81.1 updated
- krb5-1.19.2-150400.3.6.1 updated
- libapparmor1-3.0.4-150400.5.6.1 updated
- libaudit1-3.0.6-150400.4.13.1 updated
- libauparse0-3.0.6-150400.4.13.1 updated
- libblkid1-2.37.2-150400.8.20.1 updated
- libblogger2-2.26-150300.4.6.1 updated
- libcryptsetup12-2.4.3-150400.3.3.1 updated
- libdevmapper1_03-2.03.05_1.02.163-150400.188.1 updated
- libfdisk1-2.37.2-150400.8.20.1 updated
- libfreetype6-2.10.4-150000.4.15.1 updated
- libfstrm0-0.6.1-150300.9.3.1 added
- liblognorm5-2.0.6-150000.3.3.1 updated
- libmount1-2.37.2-150400.8.20.1 updated
- libopenssl1_1-1.1.1l-150400.7.53.1 updated
- libparted0-3.2-150300.21.3.1 updated
- libpcre2-8-0-10.39-150400.4.9.1 updated
- libprocps7-3.3.15-150000.7.34.1 updated
- libprotobuf-c1-1.3.2-150200.3.6.1 added
- libsmartcols1-2.37.2-150400.8.20.1 updated
- libsystemd0-249.16-150400.8.33.1 updated
- libudev1-249.16-150400.8.33.1 updated
- libuuid1-2.37.2-150400.8.20.1 updated
- libxslt1-1.1.34-150400.3.3.1 added
- libyajl2-2.1.0-150000.4.6.1 updated
- libzypp-17.31.20-150400.3.40.1 updated
- login_defs-4.8.1-150400.10.9.1 updated
- openssl-1_1-1.1.1l-150400.7.53.1 updated
- parted-3.2-150300.21.3.1 updated
- procps-3.3.15-150000.7.34.1 updated
- python-instance-billing-flavor-check-0.0.2-150000.1.3.1 added
- python3-apipkg-1.4-150000.3.6.1 added
- python3-asn1crypto-0.24.0-3.2.1 added
- python3-bind-9.16.43-150400.5.34.1 updated
- python3-certifi-2018.1.18-150000.3.3.1 added
- python3-cffi-1.13.2-3.2.5 added
- python3-chardet-3.0.4-3.23 added
- python3-cryptography-3.3.2-150400.16.6.1 added
- python3-cssselect-1.0.3-150000.3.3.1 added
- python3-idna-2.6-1.20 added
- python3-iniconfig-1.1.1-150000.1.9.1 added
- python3-lxml-4.7.1-150200.3.10.1 added
- python3-ordered-set-4.0.2-150400.8.34 updated
- python3-pyOpenSSL-21.0.0-150400.7.62 added
- python3-pyasn1-0.4.2-150000.3.5.1 added
- python3-pycparser-2.17-3.2.1 added
- python3-py-1.10.0-150100.5.12.1 added
- python3-requests-2.24.0-150300.3.3.1 added
- python3-urllib3-1.25.10-4.3.1 added
- rsyslog-module-relp-8.2306.0-150400.5.18.1 updated
- rsyslog-8.2306.0-150400.5.18.1 updated
- shadow-4.8.1-150400.10.9.1 updated
- supportutils-plugin-suse-public-cloud-1.0.8-150000.3.17.1 updated
- system-group-audit-3.0.6-150400.4.13.1 updated
- systemd-sysvinit-249.16-150400.8.33.1 updated
- systemd-249.16-150400.8.33.1 updated
- udev-249.16-150400.8.33.1 updated
- util-linux-systemd-2.37.2-150400.8.20.1 updated
- util-linux-2.37.2-150400.8.20.1 updated
- vim-data-common-9.0.1572-150000.5.49.1 updated
- vim-9.0.1572-150000.5.49.1 updated
- xen-libs-4.16.5_02-150400.4.31.1 updated
- zypper-1.14.63-150400.3.29.1 updated
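A practitioner reading a package list like the one above usually wants to know whether a given host has caught up with it. The following is an added example, not SUSE tooling and not part of the advisory: it parses a subset of the package lines copied from this page, compares them against an installed inventory in the shape that `rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}\n'` prints (the inventory here is constructed for the demonstration), and reports which installed packages still lag behind the versions the image ships. Version ordering follows rpm's segment rules except for the `~`/`^` special cases, which none of the versions on this page use.

```python
"""Check an installed RPM inventory against the package list of a SUSE image
advisory.  Added example, not SUSE tooling.  The advisory lines are copied from
the page; the 'installed' inventory below is constructed for the demonstration."""
import re

# Subset of the page's "The following package changes have been done" list.
ADVISORY_LINES = """\
- hostname-3.16-2.22 added
- kernel-default-5.14.21-150400.24.81.1 updated
- krb5-1.19.2-150400.3.6.1 updated
- libopenssl1_1-1.1.1l-150400.7.53.1 updated
- libpcre2-8-0-10.39-150400.4.9.1 updated
- procps-3.3.15-150000.7.34.1 updated
- xen-libs-4.16.5_02-150400.4.31.1 updated
"""

# Constructed inventory in the shape `rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}\n'`
# prints; two packages are already current, three lag behind the advisory.
INSTALLED_LINES = """\
kernel-default-5.14.21-150400.24.81.1
krb5-1.19.2-150400.3.3.1
libopenssl1_1-1.1.1l-150400.7.50.1
libpcre2-8-0-10.39-150400.4.9.1
procps-3.3.15-150000.7.31.1
"""

_SEGMENT = re.compile(r"[0-9]+|[A-Za-z]+")


def split_nvr(nvr: str) -> tuple:
    """Split 'name-version-release'.  Names may contain '-' (kernel-default,
    libpcre2-8-0), so split from the right on the last two hyphens."""
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release


def rpmvercmp(a: str, b: str) -> int:
    """Compare two version or release strings the way rpm does, minus '~'/'^':
    walk alternating numeric/alpha segments; numeric beats alpha; numeric
    segments compare as integers, alpha segments lexically; the string with
    segments left over is newer.  Returns -1, 0 or 1."""
    seg_a, seg_b = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(seg_a, seg_b):
        x_num, y_num = x.isdigit(), y.isdigit()
        if x_num != y_num:
            return 1 if x_num else -1
        if x_num:
            xi, yi = int(x), int(y)
            if xi != yi:
                return 1 if xi > yi else -1
        elif x != y:
            return 1 if x > y else -1
    if len(seg_a) == len(seg_b):
        return 0
    return 1 if len(seg_a) > len(seg_b) else -1


def compare_vr(installed: tuple, advisory: tuple) -> int:
    """Version first, release only on a tie, as rpm's EVR comparison does."""
    result = rpmvercmp(installed[0], advisory[0])
    return result if result else rpmvercmp(installed[1], advisory[1])


def parse_advisory(text: str) -> dict:
    """'- name-ver-rel action' lines -> {name: (version, release, action)}."""
    out = {}
    for line in text.splitlines():
        m = re.match(r"^-\s+(\S+)\s+(added|updated|removed)\s*$", line)
        if m:
            name, version, release = split_nvr(m.group(1))
            out[name] = (version, release, m.group(2))
    return out


def parse_inventory(text: str) -> dict:
    """One 'name-ver-rel' per line -> {name: (version, release)}."""
    out = {}
    for line in text.splitlines():
        if line.strip():
            name, version, release = split_nvr(line.strip())
            out[name] = (version, release)
    return out


def find_outdated(advisory_text: str, inventory_text: str) -> list:
    """(name, installed_vr, advisory_vr) for every installed package older than
    what the advisory ships.  Packages the host does not have are skipped: an
    absent package carries none of the fixed bugs."""
    advisory = parse_advisory(advisory_text)
    installed = parse_inventory(inventory_text)
    outdated = []
    for name in sorted(advisory):
        version, release, action = advisory[name]
        if action == "removed" or name not in installed:
            continue
        if compare_vr(installed[name], (version, release)) < 0:
            outdated.append((name, "-".join(installed[name]), f"{version}-{release}"))
    return outdated


if __name__ == "__main__":
    for name, have, want in find_outdated(ADVISORY_LINES, INSTALLED_LINES):
        print(f"{name}: installed {have}, advisory ships {want}")
```

On a real host, replace `INSTALLED_LINES` with the output of the `rpm -qa` query shown in the comment and paste the full package list from the advisory into `ADVISORY_LINES`. Packages marked `added` that the host does not carry are deliberately not reported, since a package that is not installed exposes none of the fixed issues; a stricter image-conformance check would flag them as missing instead.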

