AusCERT - Security Bulletins
Latest published security bulletins. See https://www.auscert.org.au/rss/ for feed information.
Frissítve: 2 óra 47 perc
ESB-2022.0297 - [Appliance] IBM Cloud Private: Multiple vulnerabilities
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2022.0297
Security Bulletin: Vulnerability in Apache Log4j affects IBM
Cloud Private (CVE-2021-45046)
21 January 2022
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: IBM Cloud Private
Publisher: IBM
Operating System: Network Appliance
Impact/Access: Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Denial of Service -- Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2021-45105 CVE-2021-45046 CVE-2021-44228
Reference: ASB-2021.0244.6
Original Bulletin:
https://www.ibm.com/support/pages/node/6529452
https://www.ibm.com/support/pages/node/6529458
Comment: This bulletin contains two (2) IBM security advisories.
- --------------------------BEGIN INCLUDED TEXT--------------------
Vulnerability in Apache Log4j affects IBM Cloud Private (CVE-2021-45046)
Document Information
Document number : 6529452
Modified date : 18 January 2022
Product : IBM Cloud Private
Software version : all
Operating system(s): Linux
Summary
There is a vulnerability in the Apache Log4j open source library. The library
is used by Elasticsearch, a dependency of IBM Cloud Private, for logging
messages to files. This bulletin identifies the security fixes to apply to
address the Log4Shell vulnerability (CVE-2021-45046).
Vulnerability Details
CVEID: CVE-2021-45046
DESCRIPTION: Apache Log4j could result in remote code execution, caused by an
incomplete fix of CVE-2021-44228 in certain non-default configurations. When
the logging configuration uses a non-default Pattern Layout with a Context
Lookup, an attacker with control over Thread Context Map (MDC) input data can
craft malicious input data using a JNDI Lookup pattern to leak sensitive
information and remote code execution in some environments and local code
execution in all environments.
CVSS Base score: 9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
215195 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)
Affected Products and Versions
+--------------------+----------+
|Affected Product(s) |Version(s)|
+--------------------+----------+
|IBM Cloud Private |3.1.0 |
+--------------------+----------+
|IBM Cloud Private |3.1.1 |
+--------------------+----------+
|IBM Cloud Private |3.1.2 |
+--------------------+----------+
|IBM Cloud Private |3.2.0 |
+--------------------+----------+
|IBM Cloud Private |3.2.1 CD |
+--------------------+----------+
|IBM Cloud Private |3.2.2 CD |
+--------------------+----------+
Remediation/Fixes
IBM strongly recommends addressing the vulnerability now by upgrading.
The recommended solution involves the IBM Cloud Private ibm-icplogging
component. It is recommended that you follow the instructions for the component
in the links listed below:
For IBM Cloud Private 3.1.0: IBM Cloud Private 3.1.0 Patch
For IBM Cloud Private 3.1.1: IBM Cloud Private 3.1.1 Patch
For IBM Cloud Private 3.1.2: IBM Cloud Private 3.1.2 Patch
For IBM Cloud Private 3.2.0: IBM Cloud Private 3.2.0 Patch
For IBM Cloud Private 3.2.1: IBM Cloud Private 3.2.1 Patch
For IBM Cloud Private 3.2.2: IBM Cloud Private 3.2.2 Patch
For IBM Cloud Private 3.1.0:
o Upgrade to the latest Continuous Delivery (CD) update package, IBM Cloud
Private 3.2.2.
Workarounds and Mitigations
None
Details of the ElasticSearch remediation for IBM Cloud Private Version 3.2.1
and 3.2.2
The ibm-icplogging component has been updated to use Elasticsearch 6.8.22. This
release upgrades the Log4j package to 2.17.0, which remediates the log4j
vulnerabilities and should not trigger false positives in vulnerability
scanners as was the case with Elasticsearch 6.8.21.
Elasticsearch announcement (ESA-2021-31)
https://discuss.elastic.co/t/
apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31
/291476
Details of the ElasticSearch remediation for IBM Cloud Private Version 3.1.1,
3.1.2, and 3.2.0
Elasticsearch and Logstash within ibm-icplogging component have been updated to
remediate the log4j vulnerabilities by removing the vulnerable JndiLookup class
from the log4j-core package. Some vulnerability scanners may continue to flag
Elasticsearch in association with this vulnerability based on the Log4j version
alone. However, the mitigation sufficiently protects both remote code execution
and information leakage.
Elasticsearch 5.0.0-5.6.10 and 6.0.0-6.3.2: Log4j CVE-2021-44228,
CVE-2021-45046 remediation
https://discuss.elastic.co/t/
elasticsearch-5-0-0-5-6-10-and-6-0-0-6-3-2-log4j-cve-2021-44228-cve-2021-45046-remediation
/292054
Logstash 5.0.0-6.8.20 and 7.0.0-7.16.0: Log4j CVE-2021-44228, CVE-2021-45046
remediation
https://discuss.elastic.co/t/
logstash-5-0-0-6-8-20-and-7-0-0-7-16-0-log4j-cve-2021-44228-cve-2021-45046-remediation
/292343
Acknowledgement
Change History
21 Dec 2021: Initial Publication
22 Dec 2021: Add patch links for 3.1.1, 3.1.2, 3.2.0
18 Jan 2022: Add patch link for 3.1.0
- --------------------------------------------------------------------------------
Vulnerability in Apache Log4j affects IBM Cloud Private (CVE-2021-45105)
Document Information
Document number : 6529458
Modified date : 18 January 2022
Product : IBM Cloud Private
Software version : all
Operating system(s): Linux
Summary
There is a vulnerability in the Apache Log4j open source library. The library
is used by Elasticsearch, a dependency of IBM Cloud Private, for logging
messages to files. This bulletin identifies the security fixes to apply to
address the Log4Shell vulnerability (CVE-2021-45105).
Vulnerability Details
CVEID: CVE-2021-45105
DESCRIPTION: Apache Log4j is vulnerable to a denial of service, caused by the
failure to protect from uncontrolled recursion from self-referential lookups. A
remote attacker with control over Thread Context Map (MDC) input data could
craft malicious input data that contains a recursive lookup to cause a
StackOverflowError that will terminate the process. Note: The vulnerability is
also called LOG4J2-3230.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
215647 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Affected Products and Versions
+--------------------+----------+
|Affected Product(s) |Version(s)|
+--------------------+----------+
|IBM Cloud Private |3.1.0 |
+--------------------+----------+
|IBM Cloud Private |3.1.1 |
+--------------------+----------+
|IBM Cloud Private |3.1.2 |
+--------------------+----------+
|IBM Cloud Private |3.2.0 |
+--------------------+----------+
|IBM Cloud Private |3.2.1 CD |
+--------------------+----------+
|IBM Cloud Private |3.2.2 CD |
+--------------------+----------+
Remediation/Fixes
IBM strongly recommends addressing the vulnerability now by upgrading.
The recommended solution involves the IBM Cloud Private ibm-icplogging
component. It is recommended that you follow the instructions for the component
in the links listed below:
For IBM Cloud Private 3.1.0: IBM Cloud Private 3.1.0 Patch
For IBM Cloud Private 3.1.1: IBM Cloud Private 3.1.1 Patch
For IBM Cloud Private 3.1.2: IBM Cloud Private 3.1.2 Patch
For IBM Cloud Private 3.2.0: IBM Cloud Private 3.2.0 Patch
For IBM Cloud Private 3.2.1: IBM Cloud Private 3.2.1 Patch
For IBM Cloud Private 3.2.2: IBM Cloud Private 3.2.2 Patch
For IBM Cloud Private 3.1.0:
o Upgrade to the latest Continuous Delivery (CD) update package, IBM Cloud
Private 3.2.2.
Workarounds and Mitigations
None
Details of the ElasticSearch remediation for IBM Cloud Private Version 3.2.1
and 3.2.2
The ibm-icplogging component has been updated to use Elasticsearch 6.8.22. This
release upgrades the Log4j package to 2.17.0, which remediates the log4j
vulnerabilities and should not trigger false positives in vulnerability
scanners as was the case with Elasticsearch 6.8.21.
Elasticsearch announcement (ESA-2021-31)
https://discuss.elastic.co/t/
apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31
/291476
Details of the ElasticSearch remediation for IBM Cloud Private Version 3.1.1,
3.1.2, and 3.2.0
Elasticsearch and Logstash within ibm-icplogging component have been updated to
remediate the log4j vulnerabilities by removing the vulnerable JndiLookup class
from the log4j-core package. Some vulnerability scanners may continue to flag
Elasticsearch in association with this vulnerability based on the Log4j version
alone. However, the mitigation sufficiently protects both remote code execution
and information leakage.
Elasticsearch 5.0.0-5.6.10 and 6.0.0-6.3.2: Log4j CVE-2021-44228,
CVE-2021-45046 remediation
https://discuss.elastic.co/t/
elasticsearch-5-0-0-5-6-10-and-6-0-0-6-3-2-log4j-cve-2021-44228-cve-2021-45046-remediation
/292054
Logstash 5.0.0-6.8.20 and 7.0.0-7.16.0: Log4j CVE-2021-44228, CVE-2021-45046
remediation
https://discuss.elastic.co/t/
logstash-5-0-0-6-8-20-and-7-0-0-7-16-0-log4j-cve-2021-44228-cve-2021-45046-remediation
/292343
Acknowledgement
Change History
21 Dec 2021: Initial Publication
22 Dec 2021: Add patch links for 3.1.1, 3.1.2, 3.2.0
18 Jan 2022: Add patch link for 3.1.0
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBYeo9/ONLKJtyKPYoAQirrg//bpdfTN8hmYgtK1aLPIdDys8IR59YJdVW
diCp5C1s4QmZ3Non4PysKq7vdF5i5La1BngfzZKzsWA55atHrnVXJWzkujHUw8mQ
qxk5u/MjN5hT5k7PL4wuQIhrNXulRFlTQmsbl2am3bH4H3SGad35MG/tliJJMF6V
2kLDr4GVrWC87AaTGd2aQoHHXSpePtYxnUqJk6VqHi3WVSv3cUU5KVbKl95xZG7k
Z/GIcBqBIXIFE0H5u1GLS/95zcLTrxz2UYv/kZIUKBoDGycSDjEMTKpVYjQCQH5C
Vl7Gpf+/1vF5rne5jq+5CNfMirXbJmrwDCCIDndS4IoqyJOsfORfMEQSTITqpUg3
E9mRSsOJb6xn+F1y29v7J8pKgswbAtz6oWLWlsSSxgjF1IH7S4+p7iDd2XrRuGNY
v2JV9AZacrWGmmyqc0CX1vihhsY4HaeRa0YSF/PjnACXChvbVkS25EfBbhke6RH9
82UwUfu3HEpRZVjbrL6jEin0u0OovGG/S0ZQosXhgk6Jbd2BSrzZOF68TvaqHWwg
SggVA66K0/3MXp0RCWNDVPSvT2YGfRcYw0vJVylvShexJONCs1lcqwMzx+ndvCEt
NOE7mBpQCSD6RP8mtKdQeZHWt2S31dBjnFuI4asITggx4Mh1NCGF5lXlYc4b7Lzg
Lh/UofmW9Yw=
=Ytfy
-----END PGP SIGNATURE-----
ESB-2022.0296 - [Appliance] BIG-IP DNS, GTM and LTM: Reduced security - Unknown/unspecified
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2022.0296
K41415626: Transparent DNS Cache can consume excessive resources
21 January 2022
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: BIG-IP DNS
BIG-IP GTM
BIG-IP LTM
Publisher: F5 Networks
Operating System: Network Appliance
Impact/Access: Reduced Security -- Unknown/Unspecified
Resolution: Patch/Upgrade
Original Bulletin:
https://support.f5.com/csp/article/K41415626
- --------------------------BEGIN INCLUDED TEXT--------------------
K41415626: Transparent DNS Cache can consume excessive resources
Original Publication Date: 19 Jan, 2022
Security Advisory Description
When transparent Domain Name System (DNS) cache is configured on a virtual
server, undisclosed Extension Mechanisms for DNS (EDNS0) queries can cause the
BIG-IP system to send a large volume of User Datagram Protocol (UDP) traffic on
the server side.
This issue occurs when all of the following conditions are met:
o Transparent DNS Cache is enabled.
o EDNS is enabled.
Impact
This can cause the BIG-IP system to send a large volume of UDP traffic to the
server side.
Symptoms
As a result of this issue, you may encounter the following symptom:
o Increase in BIG-IP server-side UDP traffic.
Security Advisory Status
F5 Product Development has assigned ID 1035853 to this issue. This issue has
been classified as CWE-20: Improper Input Validation.
To determine if your product and version have been evaluated for this issue,
refer to the Applies to (see versions) box. To determine if your release is
affected by this issue and for information about releases, point releases, or
hotfixes that address the issue, refer to the following table. For more
information about security advisory versioning, refer to K51812227:
Understanding security advisory versioning.
Note: After a fix is introduced for a given minor branch, that fix applies to
all subsequent maintenance and point releases for that branch, and no
additional fixes for that branch will be listed in the table. For example, when
a fix is introduced in 14.1.2.3, the fix also applies to 14.1.2.4, and all
later 14.1.x releases (14.1.3.x., 14.1.4.x). For more information, refer to
K51812227: Understanding security advisory versioning. Additionally, software
versions preceding those listed in the Applies to (see versions) box of this
article have reached the End of Technical Support (EoTS) phase of their
lifecycle and are no longer evaluated for security issues. For more
information, refer to the Security hotfixes section of K4602: Overview of the
F5 security vulnerability response policy.
+------------------------+------+----------------------------+----------------+
|Product |Branch|Versions affected by this |Fixes introduced|
| | |issue^1 |in |
+------------------------+------+----------------------------+----------------+
| |16.x |16.1.0 - 16.1.1 |16.1.2 |
| +------+----------------------------+----------------+
| |15.x |15.1.0 - 15.1.4 |15.1.5 |
| +------+----------------------------+----------------+
| |14.x |14.1.0 - 14.1.4 |14.1.4.5 |
|BIG-IP (DNS, GTM, LTM) +------+----------------------------+----------------+
| |13.x |13.1.0 - 13.1.4 |None |
| +------+----------------------------+----------------+
| |12.x |12.1.0 - 12.1.6 |Will not fix |
| +------+----------------------------+----------------+
| |11.x |11.6.1 - 11.6.5 |Will not fix |
+------------------------+------+----------------------------+----------------+
| |16.x |None |Not applicable |
| +------+----------------------------+----------------+
| |15.x |None |Not applicable |
| +------+----------------------------+----------------+
|BIG-IP (all other |14.x |None |Not applicable |
|modules) +------+----------------------------+----------------+
| |13.x |None |Not applicable |
| +------+----------------------------+----------------+
| |12.x |None |Not applicable |
| +------+----------------------------+----------------+
| |11.x |None |Not applicable |
+------------------------+------+----------------------------+----------------+
|BIG-IQ Centralized |8.x |None |Not applicable |
|Management +------+----------------------------+----------------+
| |7.x |None |Not applicable |
+------------------------+------+----------------------------+----------------+
|F5OS-A |1.x |None |Not applicable |
+------------------------+------+----------------------------+----------------+
|F5OS-C |1.x |None |Not applicable |
+------------------------+------+----------------------------+----------------+
| |3.x |None |Not applicable |
| +------+----------------------------+----------------+
|NGINX App Protect |2.x |None |Not applicable |
| +------+----------------------------+----------------+
| |1.x |None |Not applicable |
+------------------------+------+----------------------------+----------------+
^1F5 evaluates only software versions that have not yet reached the End of
Technical Support (EoTS) phase of their lifecycle.
Recommended Actions
If you are running a version listed in the Versions affected by this issue
column, you can eliminate this issue by installing a version listed in the
Fixes introduced in column. If the Fixes introduced in column does not list a
version for your branch, then no update candidate currently exists for that
branch and F5 recommends upgrading to a version with the fix (refer to the
table).
If the Fixes introduced in column lists a version prior to the one you are
running, in the same branch, then your version should have the fix.
Mitigation
None
Acknowledgements
This issue was discovered internally by F5.
Supplemental Information
o K51812227: Understanding security advisory versioning
o K41942608: Overview of AskF5 security advisory articles
o K4602: Overview of the F5 security vulnerability response policy
o K4918: Overview of the F5 critical issue hotfix policy
o K8986: F5 software lifecycle policy
o K9502: BIG-IP hotfix and point release matrix
o K13123: Managing BIG-IP product hotfixes (11.x - 16.x)
o K167: Downloading software and firmware from F5
o K9970: Subscribing to email notifications regarding F5 products
o K9957: Creating a custom RSS feed to view new and updated documents
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBYeo9zONLKJtyKPYoAQiYtA/+O0hoozh3wiANGksEHgE7c3+Xf85gOtlq
fIU+YseZmyr8SlwQBtOLuaLsYA1Sn54gG518CB/RYLnwHOfhZmoNGuuw5qJuoDcG
N7+5mUuZllc8xAU1NCga6vf7CP61dsyV5QXtxscP/9Ucvx7kZLN4+h9BGX/NH0bz
730f+coLxvztaJ9/R7lGpONLEXYBS/LYVOm/aS3gGa3AjJkaKnx7Tt33O5620CTE
CiDLMo3c8IK6GXP5533L+HR/hrDMlFi48En+Zze3Hb4FIPoWZcayxr7N/NEMQQ3O
uyNVbT6tqT/WXaXOy2kzklUc+uJW6hUZJ+wgYudGyuIVOo99KcQZURCb/d2yTNoe
Qv5yJKxtwqsh9KsUpxNeJ8zBLwU1ojOf3fRXIqPMSVZl9WYvheSjwkQTEsCLFszL
0ievSnZzXrWsoqxYjh6rNa8w7WGaGvtZVgPYmy6jFT0xwEUBFTDbGSSoYUO0VOeh
DMj3nteyp/q39+JZADyQznrzIxIp+TF9XXoRHG5o/FPEAAxS9WQm8GewfPq4Mz3G
EC60OD8tpNuqRvA6rsINgWqWUFLLImPK8/R7ZEU0PEJfRrb5KD6GhtmJ77WdJTzj
jqbNSzCOfOZoz9Zasn1lDwPIEgIsYLwrvfGwkEFeKrzMgCItpEz7UkOuLTuJS2kK
Q4Iggg2dGh0=
=PDma
-----END PGP SIGNATURE-----
ESB-2022.0295 - [Appliance] BIG-IP: Denial of service - Remote/unauthenticated
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2022.0295
K34360320: BIG-IP FastL4 vulnerability CVE-2022-23010
21 January 2022
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: BIG-IP
Publisher: F5 Networks
Operating System: Network Appliance
Impact/Access: Denial of Service -- Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2022-23010
Original Bulletin:
https://support.f5.com/csp/article/K34360320
- --------------------------BEGIN INCLUDED TEXT--------------------
K34360320: BIG-IP FastL4 vulnerability CVE-2022-23010
Original Publication Date: 19 Jan, 2022
Security Advisory Description
When a FastL4 profile and an HTTP profile are configured on a virtual server,
undisclosed requests can cause an increase in memory resource utilization. (
CVE-2022-23010)
Impact
System performance can degrade until the process is either forced to restart or
is manually restarted. This vulnerability allows a remote attacker to cause a
degradation of service that can lead to a denial-of-service (DoS) on the BIG-IP
system. There is no control plane exposure; this is a data plane issue only.
Security Advisory Status
F5 Product Development has assigned ID 550928 (BIG-IP) to this vulnerability.
This issue has been classified as CWE-404: Improper Resource Shutdown or
Release.
To determine if your product and version have been evaluated for this
vulnerability, refer to the Applies to (see versions) box. To determine if your
release is known to be vulnerable, the components or features that are affected
by the vulnerability, and for information about releases, point releases, or
hotfixes that address the vulnerability, refer to the following table. For more
information about security advisory versioning, refer to K51812227:
Understanding security advisory versioning.
+------------+------+-------------+----------+----------+------+--------------+
| | |Versions |Fixes | |CVSSv3|Vulnerable |
|Product |Branch|known to be |introduced|Severity |score^|component or |
| | |vulnerable |in | |1 |feature |
+------------+------+-------------+----------+----------+------+--------------+
| |16.x |16.0.0 - |16.1.0 | | | |
| | |16.0.1 | | | | |
| +------+-------------+----------+ | | |
| |15.x |15.1.0 - |15.1.4.1 | | | |
| | |15.1.4 | | | | |
| +------+-------------+----------+ | | |
| |14.x |14.1.0 - |14.1.4.4 | | | |
|BIG-IP (all | |14.1.4 | | | |Performance |
|modules) +------+-------------+----------+High |7.5 |type virtual |
| |13.x |13.1.0 - |None | | |servers |
| | |13.1.3 | | | | |
| +------+-------------+----------+ | | |
| |12.x |12.1.0 - |Will not | | | |
| | |12.1.5 |fix | | | |
| +------+-------------+----------+ | | |
| |11.x |11.6.1 - |Will not | | | |
| | |11.6.5 |fix | | | |
+------------+------+-------------+----------+----------+------+--------------+
| |8.x |None |Not | | | |
|BIG-IQ | | |applicable|Not | | |
|Centralized +------+-------------+----------+vulnerable|None |None |
|Management |7.x |None |Not | | | |
| | | |applicable| | | |
+------------+------+-------------+----------+----------+------+--------------+
|F5OS-A |1.x |None |Not |Not |None |None |
| | | |applicable|vulnerable| | |
+------------+------+-------------+----------+----------+------+--------------+
|F5OS-C |1.x |None |Not |Not |None |None |
| | | |applicable|vulnerable| | |
+------------+------+-------------+----------+----------+------+--------------+
| |3.x |None |Not | | | |
| | | |applicable| | | |
| +------+-------------+----------+ | | |
|NGINX App |2.x |None |Not |Not |None |None |
|Protect | | |applicable|vulnerable| | |
| +------+-------------+----------+ | | |
| |1.x |None |Not | | | |
| | | |applicable| | | |
+------------+------+-------------+----------+----------+------+--------------+
|Traffix SDC |5.x |None |Not |Not |None |None |
| | | |applicable|vulnerable| | |
+------------+------+-------------+----------+----------+------+--------------+
^1The CVSSv3 score link takes you to a resource outside of AskF5, and it is
possible that the document may be removed without our knowledge.
Recommended Actions
If you are running a version listed in the Versions known to be vulnerable
column, you can eliminate this vulnerability by upgrading to a version listed
in the Fixes introduced in column. If the table lists only an older version
than what you are currently running, or does not list a non-vulnerable version,
then no upgrade candidate currently exists.
Mitigation
If you must associate an HTTP profile with the virtual server, use a Standard
virtual server instead of the Performance virtual server.
Acknowledgements
This issue was discovered internally by F5.
Supplemental Information
o K41942608: Overview of security advisory articles
o K4602: Overview of the F5 security vulnerability response policy
o K4918: Overview of the F5 critical issue hotfix policy
o K9502: BIG-IP hotfix and point release matrix
o K13123: Managing BIG-IP product hotfixes (11.x - 16.x)
o K167: Downloading software and firmware from F5
o K9970: Subscribing to email notifications regarding F5 products
o K9957: Creating a custom RSS feed to view new and updated documents
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBYeo9xeNLKJtyKPYoAQiKwxAAhNGbNU/eAUQXWQ+ShsxUsXzinQZVU1k+
ZyJoBfn37aTPBoJjsPN/s1KeYKxG1cwGy3m76yRhHq6Jk3IkzG7BvqTS/IvF0X8u
eFvNzF/gaI+uutVuIi21OXXor1OaC/Xau1HljI+kowOu9Ouvf1wLo3K8EP890o6S
7c53oZT9ZHeR9xrUy6qGxTBWdjCW8A1SPc11OqjFhwV9j6mRDt+GpId/tP3fhJfr
qNz9pavtSAOJMUDl0SyBIOMA7JnGr1CGlAV3UKpd89mY8Yv9WjYskQWg3O6JmXXo
nXxgkjDEebaXkaJoJwT93GgvOIjEdsOY37WWO2HgAtDVQV8ur8IQp+oJTmG2qYVN
tz7jqCuOksAYVw7ew5yjJLYmQIYP66yjDX98VD8xgLW/FceYw8t6WLA5AgkyJMRO
uQMakhT9Na/XXyV1ZBswNdh2oUxGzwTmNv6N5TK2kc+ZtjOlc0+YWqt/xPk0Tevn
lhNPw5H102MISc+DaJEk2K/EMseJfmyTUx6OUZyXy2oQytE1aa9TRJ8bNWhVE1RC
IS5rgvWTLg4cGceuhMR2mquD+PvpeGIbn9vZbcNRxuWNdgdj8QvqVOmqtl4uUVK0
Qt2AUltWC2kDmxDGuSVcic3ZfkXY3+mKguXjO6wm6h30XkHDF/fm4tKnNAFHXqxe
Hzsttl5ZUHo=
=Ukj7
-----END PGP SIGNATURE-----
ESB-2022.0294 - [Appliance] BIG-IP Advanced WAF and ASM: Reduced security - Unknown/unspecified
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2022.0294
K30911244: Advanced WAF, BIG-IP ASM, and NGINX App Protect
attack signature check failure
21 January 2022
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: BIG-IP Advanced WAF and ASM
Publisher: F5 Networks
Operating System: Network Appliance
Impact/Access: Reduced Security -- Unknown/Unspecified
Resolution: Patch/Upgrade
Original Bulletin:
https://support.f5.com/csp/article/K30911244
- --------------------------BEGIN INCLUDED TEXT--------------------
K30911244: Advanced WAF, BIG-IP ASM, and NGINX App Protect attack signature
check failure
Original Publication Date: 19 Jan, 2022
Security Advisory Description
The F5 Advanced Web Application Firewall (Advanced WAF), BIG-IP ASM, and NGINX
App Protect attack signature check may fail to detect and block certain HTTP
requests when some signatures are disabled on the security policy and wildcard
header.
Impact
The attack signature check fails to detect and block such requests, as expected
of a security policy.
Symptoms
As a result of this issue, you may encounter the following symptom:
o Requests that should have been blocked by the Advanced WAF, BIG-IP ASM, or
NGINX App Protect systems are received by the back-end server.
Security Advisory Status
F5 Product Development has assigned ID 1019853 (BIG-IP) and WAFMC-4672 (NGINX
App Protect) to this issue. This issue has been classified as CWE-697:
Incorrect Comparison.
To determine if your product and version have been evaluated for this issue,
refer to the Applies to (see versions) box. To determine if your release is
affected by this issue and for information about releases, point releases, or
hotfixes that address the issue, refer to the following table. For more
information about security advisory versioning, refer to K51812227:
Understanding security advisory versioning.
Note: After a fix is introduced for a given minor branch, that fix applies to
all subsequent maintenance and point releases for that branch, and no
additional fixes for that branch will be listed in the table. For example, when
a fix is introduced in 14.1.2.3, the fix also applies to 14.1.2.4, and all
later 14.1.x releases (14.1.3.x., 14.1.4.x). For more information, refer to
K51812227: Understanding security advisory versioning. Additionally, software
versions preceding those listed in the Applies to (see versions) box of this
article have reached the End of Technical Support (EoTS) phase of their
lifecycle and are no longer evaluated for security issues. For more
information, refer to the Security hotfixes section of K4602: Overview of the
F5 security vulnerability response policy.
+------------------------+------+----------------------------+----------------+
|Product |Branch|Versions affected by this |Fixes introduced|
| | |issue^1 |in |
+------------------------+------+----------------------------+----------------+
| |16.x |16.1.0 - 16.1.1 |16.1.2 |
| +------+----------------------------+----------------+
| |15.x |15.1.0 - 15.1.4 |15.1.4.1 |
| +------+----------------------------+----------------+
|BIG-IP (Advanced WAF, |14.x |14.1.0 - 14.1.4 |14.1.4.5 |
|ASM) +------+----------------------------+----------------+
| |13.x |13.1.0 - 13.1.4 |None |
| +------+----------------------------+----------------+
| |12.x |12.1.0 - 12.1.6 |Will not fix |
| +------+----------------------------+----------------+
| |11.x |11.6.1 - 11.6.5 |Will not fix |
+------------------------+------+----------------------------+----------------+
| |16.x |None |Not applicable |
| +------+----------------------------+----------------+
| |15.x |None |Not applicable |
| +------+----------------------------+----------------+
|BIG-IP (all other |14.x |None |Not applicable |
|modules) +------+----------------------------+----------------+
| |13.x |None |Not applicable |
| +------+----------------------------+----------------+
| |12.x |None |Not applicable |
| +------+----------------------------+----------------+
| |11.x |None |Not applicable |
+------------------------+------+----------------------------+----------------+
|BIG-IQ Centralized |8.x |None |Not applicable |
|Management +------+----------------------------+----------------+
| |7.x |None |Not applicable |
+------------------------+------+----------------------------+----------------+
|F5OS-A |1.x |None |Not applicable |
+------------------------+------+----------------------------+----------------+
|F5OS-C |1.x |None |Not applicable |
+------------------------+------+----------------------------+----------------+
| |3.x |3.0.0 - 3.6.0 |3.7.0 |
| +------+----------------------------+----------------+
|NGINX App Protect |2.x |2.0.0 - 2.3.0 |None |
| +------+----------------------------+----------------+
| |1.x |1.0.0 - 1.3.0 |None |
+------------------------+------+----------------------------+----------------+
^1F5 evaluates only software versions that have not yet reached the End of
Technical Support (EoTS) phase of their lifecycle.
Recommended Actions
If you are running a version listed in the Versions affected by this issue
column, you can eliminate this issue by installing a version listed in the
Fixes introduced in column. If the Fixes introduced in column does not list a
version for your branch, then no update candidate currently exists for that
branch and F5 recommends upgrading to a version with the fix (refer to the
table).
If the Fixes introduced in column lists a version prior to the one you are
running, in the same branch, then your version should have the fix.
Mitigation
To mitigate this issue, you can remove the disabled signature from the wildcard
header and disable these signatures on the security policy instead.
Impact of action: Performing the mitigation should not have a negative impact
on your system.
Acknowledgements
This issue was discovered internally by F5.
Supplemental Information
o K51812227: Understanding security advisory versioning
o K41942608: Overview of AskF5 security advisory articles
o K4602: Overview of the F5 security vulnerability response policy
o K4918: Overview of the F5 critical issue hotfix policy
o K8986: F5 software lifecycle policy
o K9502: BIG-IP hotfix and point release matrix
o K13123: Managing BIG-IP product hotfixes (11.x - 16.x)
o K167: Downloading software and firmware from F5
o K9970: Subscribing to email notifications regarding F5 products
o K9957: Creating a custom RSS feed to view new and updated documents
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBYeo9veNLKJtyKPYoAQhypQ//Y7I3vdds+sQlahMhAIjgjEXvcb2nJ/7m
PrLI4h5VUU+f2TXT5KzLJGsAuSoOEGLFyTdyutzrJoZK7/Eo1nkNymgUTZdj86rU
P+f/dFcHXpks1hV653RzvGKWDX7hJ0xIeJfZFSjjhmn2Dou8prDvNCgwFX8vhkNp
uDwFre6g0K93Nyj/lrkRqse10qa5nhFTMveZksZNDBnkum3x2UbVdU7K/m54zWZQ
pY57WWUwPqf1F48hH0A5JECqhJK382+0pDpkmR6l1rhdefC0QJinaqJ3IrMY0ZO7
WSVBPwDFOhkk1B5N59/4eXxQJZdtprNBgP9IzCM0mn72L759KCeyev4sZvD3ROfT
2//BZQvsTfvMXdAOTSfe7Eg4RTRn2pFnO1crC+jmeWSOSI/ri7FRT0xUyeO4jazh
zpU1GEFUjL9Wv4zJ8raJPlNEpT2oh3uqKCmUcVb7aU5BHAuLnzB/ZkCUVEV21bFY
LE2cNhQQTYCp+gG54K6HGQVp4xr+zQh+OCmrpIgbg6Nn3Lmpw32GeDa6wxkA3YOJ
lT44BtDgW6QT1Q6GSZxLt7jjSFKx6BEUrHdELB/i8v2aupDzhlxfzfsehwBRmKXo
u7gMdIFfbEnWi9eMwIiIanHU4uFx+cKJgCYEGeMg2c5Ze9tVdKuMQLzrv4AHt8kp
5SQUSIeyxbc=
=ex5N
-----END PGP SIGNATURE-----
ESB-2022.0293 - [Appliance] BIG-IP Virtual server with FastL4: Denial of service - Remote/unauthenticated
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2022.0293
K30573026: BIG-IP virtual server with FastL4 profile
vulnerability CVE-2022-23027
21 January 2022
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: BIG-IP Virtual server with FastL4
Publisher: F5 Networks
Operating System: Network Appliance
Impact/Access: Denial of Service -- Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2022-23027
Original Bulletin:
https://support.f5.com/csp/article/K30573026
- --------------------------BEGIN INCLUDED TEXT--------------------
K30573026: BIG-IP virtual server with FastL4 profile vulnerability
CVE-2022-23027
Original Publication Date: 19 Jan, 2022
Security Advisory Description
When a FastL4 profile and an HTTP, FIX, and/or hash persistence profile are
configured on the same virtual server, undisclosed requests can cause the
virtual server to stop processing new client connections. (CVE-2022-23027)
Impact
Traffic is disrupted for new client connections. This vulnerability allows an
unauthenticated remote attacker to cause a denial-of-service (DoS) on the
BIG-IP system, specific to the impacted virtual server. There is no control
plane exposure; this is a data plane issue only.
Security Advisory Status
F5 Product Development has assigned ID 887965 (BIG-IP) to this
vulnerability. This issue has been classified as CWE-697: Incorrect Comparison
.
To determine if your product and version have been evaluated for this
vulnerability, refer to the Applies to (see versions) box. To determine if your
release is known to be vulnerable, the components or features that are affected
by the vulnerability, and for information about releases, point releases, or
hotfixes that address the vulnerability, refer to the following table. For more
information about security advisory versioning, refer to K51812227:
Understanding security advisory versioning.
Note: After a fix is introduced for a given minor branch, that fix applies to
all subsequent maintenance and point releases for that branch, and no
additional fixes for that branch will be listed in the table. For example, when
a fix is introduced in 14.1.2.3, the fix also applies to 14.1.2.4, and all
later 14.1.x releases (14.1.3.x., 14.1.4.x). For more information, refer to
K51812227: Understanding security advisory versioning. Additionally, software
versions preceding those listed in the Applies to (see versions) box of this
article have reached the End of Technical Support (EoTS) phase of their
lifecycle and are no longer evaluated for security issues. For more
information, refer to the Security hotfixes section of K4602: Overview of the
F5 security vulnerability response policy.
+-----------+------+-----------+----------+----------+------+-----------------+
| | |Versions |Fixes | |CVSSv3|Vulnerable |
|Product |Branch|known to be|introduced|Severity |score^|component or |
| | |vulnerable |in | |1 |feature |
+-----------+------+-----------+----------+----------+------+-----------------+
| |16.x |None |16.0.0 | | | |
| +------+-----------+----------+ | | |
| |15.x |15.1.0 - |15.1.4 | | | |
| | |15.1.3 | | | | |
| +------+-----------+----------+ | | |
| |14.x |14.1.0 - |14.1.4.4 | | | |
| | |14.1.4 | | | |Virtual server |
|BIG-IP (all+------+-----------+----------+Medium |5.3 |with FastL4 and |
|modules) |13.x |13.1.3.6 - |None | | |certain L7 |
| | |13.1.4 | | | |profiles |
| +------+-----------+----------+ | | |
| |12.x |12.1.5.3 - |Will not | | | |
| | |12.1.6 |fix | | | |
| +------+-----------+----------+ | | |
| |11.x |11.6.5.2 |Will not | | | |
| | | |fix | | | |
+-----------+------+-----------+----------+----------+------+-----------------+
| |8.x |None |Not | | | |
|BIG-IQ | | |applicable|Not | | |
|Centralized+------+-----------+----------+vulnerable|None |None |
|Management |7.x |None |Not | | | |
| | | |applicable| | | |
+-----------+------+-----------+----------+----------+------+-----------------+
|F5OS-A |1.x |None |Not |Not |None |None |
| | | |applicable|vulnerable| | |
+-----------+------+-----------+----------+----------+------+-----------------+
|F5OS-C |1.x |None |Not |Not |None |None |
| | | |applicable|vulnerable| | |
+-----------+------+-----------+----------+----------+------+-----------------+
|Traffix SDC|5.x |None |Not |Not |None |None |
| | | |applicable|vulnerable| | |
+-----------+------+-----------+----------+----------+------+-----------------+
^1F5 evaluates only software versions that have not yet reached the End of
Technical Support (EoTS) phase of their lifecycle.
^2The CVSSv3 score link takes you to a resource outside of AskF5, and it is
possible that the document may be removed without our knowledge.
Recommended Actions
If you are running a version listed in the Versions known to be vulnerable
column, you can eliminate this vulnerability by upgrading to a version listed
in the Fixes introduced in column. If the table lists only an older version
than what you are currently running, or does not list a non-vulnerable version,
then no upgrade candidate currently exists.
Mitigation
None
Acknowledgements
This issue was discovered internally by F5.
Supplemental Information
o K16446: The BIG-IP system now allows a Performance (Layer 4) virtual server
to have an associated HTTP profile
o K41942608: Overview of security advisory articles
o K4602: Overview of the F5 security vulnerability response policy
o K4918: Overview of the F5 critical issue hotfix policy
o K9502: BIG-IP hotfix and point release matrix
o K13123: Managing BIG-IP product hotfixes (11.x - 16.x)
o K167: Downloading software and firmware from F5
o K9970: Subscribing to email notifications regarding F5 products
o K9957: Creating a custom RSS feed to view new and updated documents
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBYeo7C+NLKJtyKPYoAQiK5BAAjOHUS9fMe6Q0Iucv76CxYwFcLY08TsS7
ou0CDJb46JlatRy0QswxJJZ4hdmpakz9jcWgUxh6wq5tB+iKSQpZBDUyDf4qrz5E
Sqk+1FzF/kldPZSX1RiO3nkU1uc3wkssyl6tlOezPniurkOPq1ugGGBUXzYLkYKM
ARS9Tx3vB/7toeeht//ykp8YK84HL6ykwRvXZr5FO/9zwMqf28c231UvOJ452tb4
HmXA2CysjsVUGBvkmHguz9s49MzRX3QsSQN01vl65agAaPm6LuY9xOKzE538OaS6
/o3NrVkNuZKfSsIh42AqP8RT5VhG2oruMUmFsSeVz9mIzgNqgxeGm7HBUljQP/kT
HCXkQgu+2fXHShQdSoHHUh7s4ZRD1s0Wz/5UbEVGdzYfZ5BV2n784GQM2Ia6DOkd
uzmtmGCfyxVzLh3vGNWXIjGRYvXrTf7cQiVWLxZkr+Jff+E1YsyPNeeiYuFX0m45
YRONut0VtuRsxpOHdXRxpFwBb9lGPxZdk1KGLNccdRdn/CBiafdDEC4KktEbvidi
TFxv5+mIBXpzdMYktjDmlakt0tsEEEBmFgtYXYb64+u27MbC3wHPHSID9vdL5IAy
mZ0CLFiL9ZuRJD784pdyaRjhrGONkQdTt4431YRQ9hZzClBqQkR65uh/YfOcL+0q
XC+2sQIrG64=
=tcn1
-----END PGP SIGNATURE-----
ESB-2022.0292 - [SUSE] webkit2gtk3: Multiple vulnerabilities
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2022.0292
Security update for webkit2gtk3
21 January 2022
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: webkit2gtk3
Publisher: SUSE
Operating System: SUSE
Impact/Access: Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Cross-site Scripting -- Remote with User Interaction
Provide Misleading Information -- Existing Account
Access Confidential Data -- Remote with User Interaction
Unauthorised Access -- Remote with User Interaction
Reduced Security -- Remote with User Interaction
Resolution: Patch/Upgrade
CVE Names: CVE-2021-30897 CVE-2021-30890 CVE-2021-30889
CVE-2021-30888 CVE-2021-30887 CVE-2021-30884
CVE-2021-30858 CVE-2021-30851 CVE-2021-30849
CVE-2021-30848 CVE-2021-30846 CVE-2021-30836
CVE-2021-30823 CVE-2021-30818 CVE-2021-30809
CVE-2021-30762 CVE-2021-30761 CVE-2021-30682
CVE-2021-30666 CVE-2021-30661 CVE-2021-1871
CVE-2021-1844 CVE-2021-1826 CVE-2021-1825
CVE-2021-1820 CVE-2021-1817 CVE-2021-1788
CVE-2021-1765 CVE-2020-29623 CVE-2020-27918
CVE-2020-13753 CVE-2020-10018 CVE-2020-9952
CVE-2020-9951 CVE-2020-9948 CVE-2020-9947
CVE-2020-9805 CVE-2020-9803 CVE-2020-9802
CVE-2020-3902 CVE-2020-3901 CVE-2020-3900
CVE-2020-3897 CVE-2020-3895 CVE-2020-3894
CVE-2020-3885 CVE-2019-8822 CVE-2019-8821
CVE-2019-8815 CVE-2019-8808 CVE-2019-8782
CVE-2019-8768 CVE-2019-8766 CVE-2019-8765
CVE-2019-8763 CVE-2019-8733 CVE-2019-8726
CVE-2019-8719 CVE-2019-8707 CVE-2019-8690
CVE-2019-8689 CVE-2019-8688 CVE-2019-8687
CVE-2019-8684 CVE-2019-8681 CVE-2019-8674
CVE-2019-8563 CVE-2019-8559 CVE-2019-8558
CVE-2019-8551 CVE-2018-8523 CVE-2018-8518
CVE-2018-8498 CVE-2018-8488 CVE-2018-8480
CVE-2017-5226
Reference: ESB-2021.3779
ESB-2021.1566
ESB-2021.1486
ESB-2020.4476
ESB-2020.2509
ESB-2019.3818
Original Bulletin:
https://www.suse.com/support/update/announcement/2022/suse-su-20220142-1
- --------------------------BEGIN INCLUDED TEXT--------------------
SUSE Security Update: Security update for webkit2gtk3
______________________________________________________________________________
Announcement ID: SUSE-SU-2022:0142-1
Rating: important
References: #1194019
Cross-References: CVE-2018-8518 CVE-2018-8523 CVE-2019-8551 CVE-2019-8558
CVE-2019-8559 CVE-2019-8563 CVE-2019-8674 CVE-2019-8681
CVE-2019-8684 CVE-2019-8687 CVE-2019-8688 CVE-2019-8689
CVE-2019-8690 CVE-2019-8707 CVE-2019-8719 CVE-2019-8726
CVE-2019-8733 CVE-2019-8763 CVE-2019-8765 CVE-2019-8766
CVE-2019-8768 CVE-2019-8782 CVE-2019-8808 CVE-2019-8815
CVE-2019-8821 CVE-2019-8822 CVE-2020-10018 CVE-2020-13753
CVE-2020-27918 CVE-2020-29623 CVE-2020-3885 CVE-2020-3894
CVE-2020-3895 CVE-2020-3897 CVE-2020-3900 CVE-2020-3901
CVE-2020-3902 CVE-2020-9802 CVE-2020-9803 CVE-2020-9805
CVE-2020-9947 CVE-2020-9948 CVE-2020-9951 CVE-2020-9952
CVE-2021-1765 CVE-2021-1788 CVE-2021-1817 CVE-2021-1820
CVE-2021-1825 CVE-2021-1826 CVE-2021-1844 CVE-2021-1871
CVE-2021-30661 CVE-2021-30666 CVE-2021-30682 CVE-2021-30761
CVE-2021-30762 CVE-2021-30809 CVE-2021-30818 CVE-2021-30823
CVE-2021-30836 CVE-2021-30846 CVE-2021-30848 CVE-2021-30849
CVE-2021-30851 CVE-2021-30858 CVE-2021-30884 CVE-2021-30887
CVE-2021-30888 CVE-2021-30889 CVE-2021-30890 CVE-2021-30897
Affected Products:
SUSE OpenStack Cloud Crowbar 9
SUSE OpenStack Cloud Crowbar 8
SUSE OpenStack Cloud 9
SUSE OpenStack Cloud 8
SUSE Linux Enterprise Software Development Kit 12-SP5
SUSE Linux Enterprise Server for SAP 12-SP4
SUSE Linux Enterprise Server for SAP 12-SP3
SUSE Linux Enterprise Server 12-SP5
SUSE Linux Enterprise Server 12-SP4-LTSS
SUSE Linux Enterprise Server 12-SP3-LTSS
SUSE Linux Enterprise Server 12-SP3-BCL
SUSE Linux Enterprise Server 12-SP2-BCL
HPE Helion Openstack 8
______________________________________________________________________________
An update that fixes 72 vulnerabilities is now available.
Description:
This update for webkit2gtk3 fixes the following issues:
o Update to version 2.34.3 (bsc#1194019).
o CVE-2021-30887: Fixed logic issue allowing unexpectedly unenforced Content
Security Policy when processing maliciously crafted web content.
o CVE-2021-30890: Fixed logic issue allowing universal cross site scripting
when processing maliciously crafted web content.
Patch Instructions:
To install this SUSE Security Update use the SUSE recommended installation
methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
o SUSE OpenStack Cloud Crowbar 9:
zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-9-2022-142=1
o SUSE OpenStack Cloud Crowbar 8:
zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2022-142=1
o SUSE OpenStack Cloud 9:
zypper in -t patch SUSE-OpenStack-Cloud-9-2022-142=1
o SUSE OpenStack Cloud 8:
zypper in -t patch SUSE-OpenStack-Cloud-8-2022-142=1
o SUSE Linux Enterprise Software Development Kit 12-SP5:
zypper in -t patch SUSE-SLE-SDK-12-SP5-2022-142=1
o SUSE Linux Enterprise Server for SAP 12-SP4:
zypper in -t patch SUSE-SLE-SAP-12-SP4-2022-142=1
o SUSE Linux Enterprise Server for SAP 12-SP3:
zypper in -t patch SUSE-SLE-SAP-12-SP3-2022-142=1
o SUSE Linux Enterprise Server 12-SP5:
zypper in -t patch SUSE-SLE-SERVER-12-SP5-2022-142=1
o SUSE Linux Enterprise Server 12-SP4-LTSS:
zypper in -t patch SUSE-SLE-SERVER-12-SP4-LTSS-2022-142=1
o SUSE Linux Enterprise Server 12-SP3-LTSS:
zypper in -t patch SUSE-SLE-SERVER-12-SP3-2022-142=1
o SUSE Linux Enterprise Server 12-SP3-BCL:
zypper in -t patch SUSE-SLE-SERVER-12-SP3-BCL-2022-142=1
o SUSE Linux Enterprise Server 12-SP2-BCL:
zypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2022-142=1
o HPE Helion Openstack 8:
zypper in -t patch HPE-Helion-OpenStack-8-2022-142=1
Package List:
o SUSE OpenStack Cloud Crowbar 9 (x86_64):
libjavascriptcoregtk-4_0-18-2.34.3-2.82.1
libjavascriptcoregtk-4_0-18-debuginfo-2.34.3-2.82.1
libwebkit2gtk-4_0-37-2.34.3-2.82.1
libwebkit2gtk-4_0-37-debuginfo-2.34.3-2.82.1
typelib-1_0-JavaScriptCore-4_0-2.34.3-2.82.1
typelib-1_0-WebKit2-4_0-2.34.3-2.82.1
typelib-1_0-WebKit2WebExtension-4_0-2.34.3-2.82.1
webkit2gtk-4_0-injected-bundles-2.34.3-2.82.1
webkit2gtk-4_0-injected-bundles-debuginfo-2.34.3-2.82.1
webkit2gtk3-debugsource-2.34.3-2.82.1
o SUSE OpenStack Cloud Crowbar 9 (noarch):
libwebkit2gtk3-lang-2.34.3-2.82.1
o SUSE OpenStack Cloud Crowbar 8 (noarch):
libwebkit2gtk3-lang-2.34.3-2.82.1
o SUSE OpenStack Cloud Crowbar 8 (x86_64):
libjavascriptcoregtk-4_0-18-2.34.3-2.82.1
libjavascriptcoregtk-4_0-18-debuginfo-2.34.3-2.82.1
libwebkit2gtk-4_0-37-2.34.3-2.82.1
libwebkit2gtk-4_0-37-debuginfo-2.34.3-2.82.1
typelib-1_0-JavaScriptCore-4_0-2.34.3-2.82.1
typelib-1_0-WebKit2-4_0-2.34.3-2.82.1
typelib-1_0-WebKit2WebExtension-4_0-2.34.3-2.82.1
webkit2gtk-4_0-injected-bundles-2.34.3-2.82.1
webkit2gtk-4_0-injected-bundles-debuginfo-2.34.3-2.82.1
webkit2gtk3-debugsource-2.34.3-2.82.1
o SUSE OpenStack Cloud 9 (x86_64):
libjavascriptcoregtk-4_0-18-2.34.3-2.82.1
libjavascriptcoregtk-4_0-18-debuginfo-2.34.3-2.82.1
libwebkit2gtk-4_0-37-2.34.3-2.82.1
libwebkit2gtk-4_0-37-debuginfo-2.34.3-2.82.1
typelib-1_0-JavaScriptCore-4_0-2.34.3-2.82.1
typelib-1_0-WebKit2-4_0-2.34.3-2.82.1
typelib-1_0-WebKit2WebExtension-4_0-2.34.3-2.82.1
webkit2gtk-4_0-injected-bundles-2.34.3-2.82.1
webkit2gtk-4_0-injected-bundles-debuginfo-2.34.3-2.82.1
webkit2gtk3-debugsource-2.34.3-2.82.1
o SUSE OpenStack Cloud 9 (noarch):
libwebkit2gtk3-lang-2.34.3-2.82.1
o SUSE OpenStack Cloud 8 (noarch):
libwebkit2gtk3-lang-2.34.3-2.82.1
o SUSE OpenStack Cloud 8 (x86_64):
libjavascriptcoregtk-4_0-18-2.34.3-2.82.1
libjavascriptcoregtk-4_0-18-debuginfo-2.34.3-2.82.1
libwebkit2gtk-4_0-37-2.34.3-2.82.1
libwebkit2gtk-4_0-37-debuginfo-2.34.3-2.82.1
typelib-1_0-JavaScriptCore-4_0-2.34.3-2.82.1
typelib-1_0-WebKit2-4_0-2.34.3-2.82.1
typelib-1_0-WebKit2WebExtension-4_0-2.34.3-2.82.1
webkit2gtk-4_0-injected-bundles-2.34.3-2.82.1
webkit2gtk-4_0-injected-bundles-debuginfo-2.34.3-2.82.1
webkit2gtk3-debugsource-2.34.3-2.82.1
o SUSE Linux Enterprise Software Development Kit 12-SP5 (aarch64 ppc64le
s390x x86_64):
typelib-1_0-WebKit2WebExtension-4_0-2.34.3-2.82.1
webkit2gtk3-debugsource-2.34.3-2.82.1
webkit2gtk3-devel-2.34.3-2.82.1
o SUSE Linux Enterprise Server for SAP 12-SP4 (ppc64le x86_64):
libjavascriptcoregtk-4_0-18-2.34.3-2.82.1
libjavascriptcoregtk-4_0-18-debuginfo-2.34.3-2.82.1
libwebkit2gtk-4_0-37-2.34.3-2.82.1
libwebkit2gtk-4_0-37-debuginfo-2.34.3-2.82.1
typelib-1_0-JavaScriptCore-4_0-2.34.3-2.82.1
typelib-1_0-WebKit2-4_0-2.34.3-2.82.1
typelib-1_0-WebKit2WebExtension-4_0-2.34.3-2.82.1
webkit2gtk-4_0-injected-bundles-2.34.3-2.82.1
webkit2gtk-4_0-injected-bundles-debuginfo-2.34.3-2.82.1
webkit2gtk3-debugsource-2.34.3-2.82.1
o SUSE Linux Enterprise Server for SAP 12-SP4 (noarch):
libwebkit2gtk3-lang-2.34.3-2.82.1
o SUSE Linux Enterprise Server for SAP 12-SP3 (ppc64le x86_64):
libjavascriptcoregtk-4_0-18-2.34.3-2.82.1
libjavascriptcoregtk-4_0-18-debuginfo-2.34.3-2.82.1
libwebkit2gtk-4_0-37-2.34.3-2.82.1
libwebkit2gtk-4_0-37-debuginfo-2.34.3-2.82.1
typelib-1_0-JavaScriptCore-4_0-2.34.3-2.82.1
typelib-1_0-WebKit2-4_0-2.34.3-2.82.1
typelib-1_0-WebKit2WebExtension-4_0-2.34.3-2.82.1
webkit2gtk-4_0-injected-bundles-2.34.3-2.82.1
webkit2gtk-4_0-injected-bundles-debuginfo-2.34.3-2.82.1
webkit2gtk3-debugsource-2.34.3-2.82.1
o SUSE Linux Enterprise Server for SAP 12-SP3 (noarch):
libwebkit2gtk3-lang-2.34.3-2.82.1
o SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64):
libjavascriptcoregtk-4_0-18-2.34.3-2.82.1
libjavascriptcoregtk-4_0-18-debuginfo-2.34.3-2.82.1
libwebkit2gtk-4_0-37-2.34.3-2.82.1
libwebkit2gtk-4_0-37-debuginfo-2.34.3-2.82.1
typelib-1_0-JavaScriptCore-4_0-2.34.3-2.82.1
typelib-1_0-WebKit2-4_0-2.34.3-2.82.1
typelib-1_0-WebKit2WebExtension-4_0-2.34.3-2.82.1
webkit2gtk-4_0-injected-bundles-2.34.3-2.82.1
webkit2gtk-4_0-injected-bundles-debuginfo-2.34.3-2.82.1
webkit2gtk3-debugsource-2.34.3-2.82.1
o SUSE Linux Enterprise Server 12-SP5 (noarch):
libwebkit2gtk3-lang-2.34.3-2.82.1
o SUSE Linux Enterprise Server 12-SP4-LTSS (aarch64 ppc64le s390x x86_64):
libjavascriptcoregtk-4_0-18-2.34.3-2.82.1
libjavascriptcoregtk-4_0-18-debuginfo-2.34.3-2.82.1
libwebkit2gtk-4_0-37-2.34.3-2.82.1
libwebkit2gtk-4_0-37-debuginfo-2.34.3-2.82.1
typelib-1_0-JavaScriptCore-4_0-2.34.3-2.82.1
typelib-1_0-WebKit2-4_0-2.34.3-2.82.1
typelib-1_0-WebKit2WebExtension-4_0-2.34.3-2.82.1
webkit2gtk-4_0-injected-bundles-2.34.3-2.82.1
webkit2gtk-4_0-injected-bundles-debuginfo-2.34.3-2.82.1
webkit2gtk3-debugsource-2.34.3-2.82.1
o SUSE Linux Enterprise Server 12-SP4-LTSS (noarch):
libwebkit2gtk3-lang-2.34.3-2.82.1
o SUSE Linux Enterprise Server 12-SP3-LTSS (aarch64 ppc64le s390x x86_64):
libjavascriptcoregtk-4_0-18-2.34.3-2.82.1
libjavascriptcoregtk-4_0-18-debuginfo-2.34.3-2.82.1
libwebkit2gtk-4_0-37-2.34.3-2.82.1
libwebkit2gtk-4_0-37-debuginfo-2.34.3-2.82.1
typelib-1_0-JavaScriptCore-4_0-2.34.3-2.82.1
typelib-1_0-WebKit2-4_0-2.34.3-2.82.1
typelib-1_0-WebKit2WebExtension-4_0-2.34.3-2.82.1
webkit2gtk-4_0-injected-bundles-2.34.3-2.82.1
webkit2gtk-4_0-injected-bundles-debuginfo-2.34.3-2.82.1
webkit2gtk3-debugsource-2.34.3-2.82.1
o SUSE Linux Enterprise Server 12-SP3-LTSS (noarch):
libwebkit2gtk3-lang-2.34.3-2.82.1
o SUSE Linux Enterprise Server 12-SP3-BCL (x86_64):
libjavascriptcoregtk-4_0-18-2.34.3-2.82.1
libjavascriptcoregtk-4_0-18-debuginfo-2.34.3-2.82.1
libwebkit2gtk-4_0-37-2.34.3-2.82.1
libwebkit2gtk-4_0-37-debuginfo-2.34.3-2.82.1
typelib-1_0-JavaScriptCore-4_0-2.34.3-2.82.1
typelib-1_0-WebKit2-4_0-2.34.3-2.82.1
webkit2gtk-4_0-injected-bundles-2.34.3-2.82.1
webkit2gtk-4_0-injected-bundles-debuginfo-2.34.3-2.82.1
webkit2gtk3-debugsource-2.34.3-2.82.1
o SUSE Linux Enterprise Server 12-SP2-BCL (noarch):
libwebkit2gtk3-lang-2.34.3-2.82.1
o SUSE Linux Enterprise Server 12-SP2-BCL (x86_64):
libjavascriptcoregtk-4_0-18-2.34.3-2.82.1
libjavascriptcoregtk-4_0-18-debuginfo-2.34.3-2.82.1
libwebkit2gtk-4_0-37-2.34.3-2.82.1
libwebkit2gtk-4_0-37-debuginfo-2.34.3-2.82.1
typelib-1_0-JavaScriptCore-4_0-2.34.3-2.82.1
typelib-1_0-WebKit2-4_0-2.34.3-2.82.1
typelib-1_0-WebKit2WebExtension-4_0-2.34.3-2.82.1
webkit2gtk-4_0-injected-bundles-2.34.3-2.82.1
webkit2gtk-4_0-injected-bundles-debuginfo-2.34.3-2.82.1
webkit2gtk3-debugsource-2.34.3-2.82.1
webkit2gtk3-devel-2.34.3-2.82.1
o HPE Helion Openstack 8 (x86_64):
libjavascriptcoregtk-4_0-18-2.34.3-2.82.1
libjavascriptcoregtk-4_0-18-debuginfo-2.34.3-2.82.1
libwebkit2gtk-4_0-37-2.34.3-2.82.1
libwebkit2gtk-4_0-37-debuginfo-2.34.3-2.82.1
typelib-1_0-JavaScriptCore-4_0-2.34.3-2.82.1
typelib-1_0-WebKit2-4_0-2.34.3-2.82.1
typelib-1_0-WebKit2WebExtension-4_0-2.34.3-2.82.1
webkit2gtk-4_0-injected-bundles-2.34.3-2.82.1
webkit2gtk-4_0-injected-bundles-debuginfo-2.34.3-2.82.1
webkit2gtk3-debugsource-2.34.3-2.82.1
o HPE Helion Openstack 8 (noarch):
libwebkit2gtk3-lang-2.34.3-2.82.1
References:
o https://www.suse.com/security/cve/CVE-2018-8518.html
o https://www.suse.com/security/cve/CVE-2018-8523.html
o https://www.suse.com/security/cve/CVE-2019-8551.html
o https://www.suse.com/security/cve/CVE-2019-8558.html
o https://www.suse.com/security/cve/CVE-2019-8559.html
o https://www.suse.com/security/cve/CVE-2019-8563.html
o https://www.suse.com/security/cve/CVE-2019-8674.html
o https://www.suse.com/security/cve/CVE-2019-8681.html
o https://www.suse.com/security/cve/CVE-2019-8684.html
o https://www.suse.com/security/cve/CVE-2019-8687.html
o https://www.suse.com/security/cve/CVE-2019-8688.html
o https://www.suse.com/security/cve/CVE-2019-8689.html
o https://www.suse.com/security/cve/CVE-2019-8690.html
o https://www.suse.com/security/cve/CVE-2019-8707.html
o https://www.suse.com/security/cve/CVE-2019-8719.html
o https://www.suse.com/security/cve/CVE-2019-8726.html
o https://www.suse.com/security/cve/CVE-2019-8733.html
o https://www.suse.com/security/cve/CVE-2019-8763.html
o https://www.suse.com/security/cve/CVE-2019-8765.html
o https://www.suse.com/security/cve/CVE-2019-8766.html
o https://www.suse.com/security/cve/CVE-2019-8768.html
o https://www.suse.com/security/cve/CVE-2019-8782.html
o https://www.suse.com/security/cve/CVE-2019-8808.html
o https://www.suse.com/security/cve/CVE-2019-8815.html
o https://www.suse.com/security/cve/CVE-2019-8821.html
o https://www.suse.com/security/cve/CVE-2019-8822.html
o https://www.suse.com/security/cve/CVE-2020-10018.html
o https://www.suse.com/security/cve/CVE-2020-13753.html
o https://www.suse.com/security/cve/CVE-2020-27918.html
o https://www.suse.com/security/cve/CVE-2020-29623.html
o https://www.suse.com/security/cve/CVE-2020-3885.html
o https://www.suse.com/security/cve/CVE-2020-3894.html
o https://www.suse.com/security/cve/CVE-2020-3895.html
o https://www.suse.com/security/cve/CVE-2020-3897.html
o https://www.suse.com/security/cve/CVE-2020-3900.html
o https://www.suse.com/security/cve/CVE-2020-3901.html
o https://www.suse.com/security/cve/CVE-2020-3902.html
o https://www.suse.com/security/cve/CVE-2020-9802.html
o https://www.suse.com/security/cve/CVE-2020-9803.html
o https://www.suse.com/security/cve/CVE-2020-9805.html
o https://www.suse.com/security/cve/CVE-2020-9947.html
o https://www.suse.com/security/cve/CVE-2020-9948.html
o https://www.suse.com/security/cve/CVE-2020-9951.html
o https://www.suse.com/security/cve/CVE-2020-9952.html
o https://www.suse.com/security/cve/CVE-2021-1765.html
o https://www.suse.com/security/cve/CVE-2021-1788.html
o https://www.suse.com/security/cve/CVE-2021-1817.html
o https://www.suse.com/security/cve/CVE-2021-1820.html
o https://www.suse.com/security/cve/CVE-2021-1825.html
o https://www.suse.com/security/cve/CVE-2021-1826.html
o https://www.suse.com/security/cve/CVE-2021-1844.html
o https://www.suse.com/security/cve/CVE-2021-1871.html
o https://www.suse.com/security/cve/CVE-2021-30661.html
o https://www.suse.com/security/cve/CVE-2021-30666.html
o https://www.suse.com/security/cve/CVE-2021-30682.html
o https://www.suse.com/security/cve/CVE-2021-30761.html
o https://www.suse.com/security/cve/CVE-2021-30762.html
o https://www.suse.com/security/cve/CVE-2021-30809.html
o https://www.suse.com/security/cve/CVE-2021-30818.html
o https://www.suse.com/security/cve/CVE-2021-30823.html
o https://www.suse.com/security/cve/CVE-2021-30836.html
o https://www.suse.com/security/cve/CVE-2021-30846.html
o https://www.suse.com/security/cve/CVE-2021-30848.html
o https://www.suse.com/security/cve/CVE-2021-30849.html
o https://www.suse.com/security/cve/CVE-2021-30851.html
o https://www.suse.com/security/cve/CVE-2021-30858.html
o https://www.suse.com/security/cve/CVE-2021-30884.html
o https://www.suse.com/security/cve/CVE-2021-30887.html
o https://www.suse.com/security/cve/CVE-2021-30888.html
o https://www.suse.com/security/cve/CVE-2021-30889.html
o https://www.suse.com/security/cve/CVE-2021-30890.html
o https://www.suse.com/security/cve/CVE-2021-30897.html
o https://bugzilla.suse.com/1194019
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBYeo5feNLKJtyKPYoAQju8RAAsGRVIre8jH+lC3hTTVQV/KcoZ2FFDHoa
uAivE614+m4XGTldgtqmO0paZ7cXrVmE06V8ouBi653ES9HOZtUr2j+iRYpfoy1W
ExQDWJheqK0hdSt/RBaE2AyDl6eWUK79Tr19kgA+b1m/Bn2V21x2zVMA57uCpMUP
mqgyk08uvdm/d5MQ0DQY84MzR3NTpha/BuUwwfeepLmfqb3Rd7rAImb7bUU5bn3x
g2tTodbWLAligUxSBaXwD76ekeeXVfdfghjzxduNoZmRZWh13PdHWb4tTqtnrvU5
6Y5a+HdTTwz8ACer+lTLzulNbo3KXFHvgXwAw5kv5NGE1JiHrkHJGPYnT3jPCPly
w/+hJom9LwX9wBRlSK4RdbFb90imgp4Tyqnc07bvsj/DxqT4b3Afn74zzdnG1x8/
XhgjQAzpMLkeBOxBc19hrP57I44aj6VGjNMtJijdp5JQgHoCxMjgfVev/S8pZbFg
zDCInaUm4eOvv5MtDQ/b45osIyuJ3bK2zoZDq8Kmuh890NBewMkJsowoRTHj19C/
o40fw8we17v2UrRDmi1QQ7KTxz6UwbSox+EtOTQ6/1Zp/P5oLSxw0fiURA8fUtkT
QCAZiqIXcpXA+7+XIIWizxHgehJwjJdP1QmGJWBiBVm+s/qXULz7otDgOZuFBr5g
MOWrk3Jbj0s=
=jlzw
-----END PGP SIGNATURE-----
ESB-2022.0291 - [SUSE] busybox: Multiple vulnerabilities
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2022.0291
Security update for busybox
21 January 2022
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: busybox
Publisher: SUSE
Operating System: SUSE
Impact/Access: Execute Arbitrary Code/Commands -- Existing Account
Create Arbitrary Files -- Existing Account
Denial of Service -- Remote/Unauthenticated
Access Confidential Data -- Existing Account
Reduced Security -- Existing Account
Resolution: Patch/Upgrade
CVE Names: CVE-2021-42386 CVE-2021-42385 CVE-2021-42384
CVE-2021-42383 CVE-2021-42382 CVE-2021-42381
CVE-2021-42380 CVE-2021-42379 CVE-2021-42378
CVE-2021-42377 CVE-2021-42376 CVE-2021-42375
CVE-2021-42374 CVE-2021-42373 CVE-2021-28831
CVE-2019-5747 CVE-2018-1000517 CVE-2018-1000500
CVE-2018-20679 CVE-2017-16544 CVE-2017-15874
CVE-2017-15873 CVE-2016-6301 CVE-2016-2148
CVE-2016-2147 CVE-2015-9261 CVE-2011-5325
Reference: ESB-2021.4159
ESB-2021.3584
Original Bulletin:
https://www.suse.com/support/update/announcement/2022/suse-su-20220135-1
- --------------------------BEGIN INCLUDED TEXT--------------------
SUSE Security Update: Security update for busybox
______________________________________________________________________________
Announcement ID: SUSE-SU-2022:0135-1
Rating: important
References: #1064976 #1064978 #1069412 #1099260 #1099263 #1102912
#1121426 #1121428 #1184522 #1192869 #951562 #970662 #970663
#991940
Cross-References: CVE-2011-5325 CVE-2015-9261 CVE-2016-2147 CVE-2016-2148
CVE-2016-6301 CVE-2017-15873 CVE-2017-15874 CVE-2017-16544
CVE-2018-1000500 CVE-2018-1000517 CVE-2018-20679
CVE-2019-5747 CVE-2021-28831 CVE-2021-42373 CVE-2021-42374
CVE-2021-42375 CVE-2021-42376 CVE-2021-42377 CVE-2021-42378
CVE-2021-42379 CVE-2021-42380 CVE-2021-42381 CVE-2021-42382
CVE-2021-42383 CVE-2021-42384 CVE-2021-42385 CVE-2021-42386
Affected Products:
SUSE Manager Server 4.1
SUSE Manager Retail Branch Server 4.1
SUSE Manager Proxy 4.1
SUSE Linux Enterprise Server for SAP 15-SP2
SUSE Linux Enterprise Server for SAP 15-SP1
SUSE Linux Enterprise Server for SAP 15
SUSE Linux Enterprise Server 15-SP2-LTSS
SUSE Linux Enterprise Server 15-SP2-BCL
SUSE Linux Enterprise Server 15-SP1-LTSS
SUSE Linux Enterprise Server 15-SP1-BCL
SUSE Linux Enterprise Server 15-LTSS
SUSE Linux Enterprise Module for Basesystem 15-SP3
SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS
SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS
SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS
SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS
SUSE Linux Enterprise High Performance Computing 15-LTSS
SUSE Linux Enterprise High Performance Computing 15-ESPOS
SUSE Enterprise Storage 7
SUSE Enterprise Storage 6
SUSE CaaS Platform 4.0
______________________________________________________________________________
An update that fixes 27 vulnerabilities is now available.
Description:
This update for busybox fixes the following issues:
o CVE-2011-5325: Fixed tar directory traversal (bsc#951562).
o CVE-2015-9261: Fixed segfalts and application crashes in huft_build (bsc#
1102912).
o CVE-2016-2147: Fixed out of bounds write (heap) due to integer underflow in
udhcpc (bsc#970663).
o CVE-2016-2148: Fixed heap-based buffer overflow in OPTION_6RD parsing (bsc#
970662).
o CVE-2016-6301: Fixed NTP server denial of service flaw (bsc#991940).
o CVE-2017-15873: Fixed integer overflow in get_next_block function in
archival/libarchive/decompress_bunzip2.c (bsc#1064976).
o CVE-2017-15874: Fixed integer underflow in archival/libarchive/
decompress_unlzma.c (bsc#1064978).
o CVE-2017-16544: Fixed Insufficient sanitization of filenames when
autocompleting (bsc#1069412).
o CVE-2018-1000500 : Fixed missing SSL certificate validation in wget (bsc#
1099263).
o CVE-2018-1000517: Fixed heap-based buffer overflow in the
retrieve_file_data() (bsc#1099260).
o CVE-2018-20679: Fixed out of bounds read in udhcp (bsc#1121426).
o CVE-2019-5747: Fixed out of bounds read in udhcp components (bsc#1121428).
o CVE-2021-28831: Fixed invalid free or segmentation fault via malformed gzip
data (bsc#1184522).
o CVE-2021-42373: Fixed NULL pointer dereference in man leading to DoS when a
section name is supplied but no page argument is given (bsc#1192869).
o CVE-2021-42374: Fixed out-of-bounds heap read in unlzma leading to
information leak and DoS when crafted LZMA-compressed input is decompressed
(bsc#1192869).
o CVE-2021-42375: Fixed incorrect handling of a special element in ash
leading to DoS when processing a crafted shell command, due to the shell
mistaking specific characters for reserved characters (bsc#1192869).
o CVE-2021-42376: Fixed NULL pointer dereference in hush leading to DoS when
processing a crafted shell command (bsc#1192869).
o CVE-2021-42377: Fixed attacker-controlled pointer free in hush leading to
DoS and possible code execution when processing a crafted shell command
(bsc#1192869).
o CVE-2021-42378: Fixed use-after-free in awk leading to DoS and possibly
code execution when processing a crafted awk pattern in the getvar_i
function (bsc#1192869).
o CVE-2021-42379: Fixed use-after-free in awk leading to DoS and possibly
code execution when processing a crafted awk pattern in the next_input_file
function (bsc#1192869).
o CVE-2021-42380: Fixed use-after-free in awk leading to DoS and possibly
code execution when processing a crafted awk pattern in the clrvar function
(bsc#1192869).
o CVE-2021-42381: Fixed use-after-free in awk leading to DoS and possibly
code execution when processing a crafted awk pattern in the hash_init
function (bsc#1192869).
o CVE-2021-42382: Fixed use-after-free in awk leading to DoS and possibly
code execution when processing a crafted awk pattern in the getvar_s
function (bsc#1192869).
o CVE-2021-42383: Fixed use-after-free in awk leading to DoS and possibly
code execution when processing a crafted awk pattern in the evaluate
function (bsc#1192869).
o CVE-2021-42384: Fixed use-after-free in awk leading to DoS and possibly
code execution when processing a crafted awk pattern in the handle_special
function (bsc#1192869).
o CVE-2021-42385: Fixed use-after-free in awk leading to DoS and possibly
code execution when processing a crafted awk pattern in the evaluate
function (bsc#1192869).
o CVE-2021-42386: Fixed use-after-free in awk leading to DoS and possibly
code execution when processing a crafted awk pattern in the nvalloc
function (bsc#1192869).
Patch Instructions:
To install this SUSE Security Update use the SUSE recommended installation
methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
o SUSE Manager Server 4.1:
zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Server-4.1-2022-135=1
o SUSE Manager Retail Branch Server 4.1:
zypper in -t patch
SUSE-SLE-Product-SUSE-Manager-Retail-Branch-Server-4.1-2022-135=1
o SUSE Manager Proxy 4.1:
zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Proxy-4.1-2022-135=1
o SUSE Linux Enterprise Server for SAP 15-SP2:
zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP2-2022-135=1
o SUSE Linux Enterprise Server for SAP 15-SP1:
zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP1-2022-135=1
o SUSE Linux Enterprise Server for SAP 15:
zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-2022-135=1
o SUSE Linux Enterprise Server 15-SP2-LTSS:
zypper in -t patch SUSE-SLE-Product-SLES-15-SP2-LTSS-2022-135=1
o SUSE Linux Enterprise Server 15-SP2-BCL:
zypper in -t patch SUSE-SLE-Product-SLES-15-SP2-BCL-2022-135=1
o SUSE Linux Enterprise Server 15-SP1-LTSS:
zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-LTSS-2022-135=1
o SUSE Linux Enterprise Server 15-SP1-BCL:
zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-BCL-2022-135=1
o SUSE Linux Enterprise Server 15-LTSS:
zypper in -t patch SUSE-SLE-Product-SLES-15-2022-135=1
o SUSE Linux Enterprise Module for Basesystem 15-SP3:
zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP3-2022-135=1
o SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS:
zypper in -t patch SUSE-SLE-Product-HPC-15-SP2-LTSS-2022-135=1
o SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS:
zypper in -t patch SUSE-SLE-Product-HPC-15-SP2-ESPOS-2022-135=1
o SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS:
zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-LTSS-2022-135=1
o SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS:
zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-ESPOS-2022-135=1
o SUSE Linux Enterprise High Performance Computing 15-LTSS:
zypper in -t patch SUSE-SLE-Product-HPC-15-2022-135=1
o SUSE Linux Enterprise High Performance Computing 15-ESPOS:
zypper in -t patch SUSE-SLE-Product-HPC-15-2022-135=1
o SUSE Enterprise Storage 7:
zypper in -t patch SUSE-Storage-7-2022-135=1
o SUSE Enterprise Storage 6:
zypper in -t patch SUSE-Storage-6-2022-135=1
o SUSE CaaS Platform 4.0:
To install this update, use the SUSE CaaS Platform 'skuba' tool. I will
inform you if it detects new updates and let you then trigger updating of
the complete cluster in a controlled way.
Package List:
o SUSE Manager Server 4.1 (ppc64le s390x x86_64):
busybox-1.34.1-4.9.1
busybox-static-1.34.1-4.9.1
o SUSE Manager Retail Branch Server 4.1 (x86_64):
busybox-1.34.1-4.9.1
busybox-static-1.34.1-4.9.1
o SUSE Manager Proxy 4.1 (x86_64):
busybox-1.34.1-4.9.1
busybox-static-1.34.1-4.9.1
o SUSE Linux Enterprise Server for SAP 15-SP2 (ppc64le x86_64):
busybox-1.34.1-4.9.1
busybox-static-1.34.1-4.9.1
o SUSE Linux Enterprise Server for SAP 15-SP1 (ppc64le x86_64):
busybox-1.34.1-4.9.1
busybox-static-1.34.1-4.9.1
o SUSE Linux Enterprise Server for SAP 15 (ppc64le x86_64):
busybox-1.34.1-4.9.1
o SUSE Linux Enterprise Server 15-SP2-LTSS (aarch64 ppc64le s390x x86_64):
busybox-1.34.1-4.9.1
busybox-static-1.34.1-4.9.1
o SUSE Linux Enterprise Server 15-SP2-BCL (x86_64):
busybox-1.34.1-4.9.1
busybox-static-1.34.1-4.9.1
o SUSE Linux Enterprise Server 15-SP1-LTSS (aarch64 ppc64le s390x x86_64):
busybox-1.34.1-4.9.1
busybox-static-1.34.1-4.9.1
o SUSE Linux Enterprise Server 15-SP1-BCL (x86_64):
busybox-1.34.1-4.9.1
busybox-static-1.34.1-4.9.1
o SUSE Linux Enterprise Server 15-LTSS (aarch64 s390x):
busybox-1.34.1-4.9.1
o SUSE Linux Enterprise Module for Basesystem 15-SP3 (aarch64 ppc64le s390x
x86_64):
busybox-1.34.1-4.9.1
busybox-static-1.34.1-4.9.1
o SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS (aarch64
x86_64):
busybox-1.34.1-4.9.1
busybox-static-1.34.1-4.9.1
o SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS (aarch64
x86_64):
busybox-1.34.1-4.9.1
busybox-static-1.34.1-4.9.1
o SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (aarch64
x86_64):
busybox-1.34.1-4.9.1
busybox-static-1.34.1-4.9.1
o SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (aarch64
x86_64):
busybox-1.34.1-4.9.1
busybox-static-1.34.1-4.9.1
o SUSE Linux Enterprise High Performance Computing 15-LTSS (aarch64 x86_64):
busybox-1.34.1-4.9.1
o SUSE Linux Enterprise High Performance Computing 15-ESPOS (aarch64 x86_64):
busybox-1.34.1-4.9.1
o SUSE Enterprise Storage 7 (aarch64 x86_64):
busybox-1.34.1-4.9.1
busybox-static-1.34.1-4.9.1
o SUSE Enterprise Storage 6 (aarch64 x86_64):
busybox-1.34.1-4.9.1
busybox-static-1.34.1-4.9.1
o SUSE CaaS Platform 4.0 (x86_64):
busybox-1.34.1-4.9.1
busybox-static-1.34.1-4.9.1
References:
o https://www.suse.com/security/cve/CVE-2011-5325.html
o https://www.suse.com/security/cve/CVE-2015-9261.html
o https://www.suse.com/security/cve/CVE-2016-2147.html
o https://www.suse.com/security/cve/CVE-2016-2148.html
o https://www.suse.com/security/cve/CVE-2016-6301.html
o https://www.suse.com/security/cve/CVE-2017-15873.html
o https://www.suse.com/security/cve/CVE-2017-15874.html
o https://www.suse.com/security/cve/CVE-2017-16544.html
o https://www.suse.com/security/cve/CVE-2018-1000500.html
o https://www.suse.com/security/cve/CVE-2018-1000517.html
o https://www.suse.com/security/cve/CVE-2018-20679.html
o https://www.suse.com/security/cve/CVE-2019-5747.html
o https://www.suse.com/security/cve/CVE-2021-28831.html
o https://www.suse.com/security/cve/CVE-2021-42373.html
o https://www.suse.com/security/cve/CVE-2021-42374.html
o https://www.suse.com/security/cve/CVE-2021-42375.html
o https://www.suse.com/security/cve/CVE-2021-42376.html
o https://www.suse.com/security/cve/CVE-2021-42377.html
o https://www.suse.com/security/cve/CVE-2021-42378.html
o https://www.suse.com/security/cve/CVE-2021-42379.html
o https://www.suse.com/security/cve/CVE-2021-42380.html
o https://www.suse.com/security/cve/CVE-2021-42381.html
o https://www.suse.com/security/cve/CVE-2021-42382.html
o https://www.suse.com/security/cve/CVE-2021-42383.html
o https://www.suse.com/security/cve/CVE-2021-42384.html
o https://www.suse.com/security/cve/CVE-2021-42385.html
o https://www.suse.com/security/cve/CVE-2021-42386.html
o https://bugzilla.suse.com/1064976
o https://bugzilla.suse.com/1064978
o https://bugzilla.suse.com/1069412
o https://bugzilla.suse.com/1099260
o https://bugzilla.suse.com/1099263
o https://bugzilla.suse.com/1102912
o https://bugzilla.suse.com/1121426
o https://bugzilla.suse.com/1121428
o https://bugzilla.suse.com/1184522
o https://bugzilla.suse.com/1192869
o https://bugzilla.suse.com/951562
o https://bugzilla.suse.com/970662
o https://bugzilla.suse.com/970663
o https://bugzilla.suse.com/991940
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBYeo43ONLKJtyKPYoAQjlYw/8DbjiaujXG50FqdhJRLFEivchwTSMkDjg
K4FG/QX7z01DUATwTofcP6UcHbOGsGdXIObGBWmVZTWMFlxNFjlyRundyFZ3Bawt
iKhawUQFyacHoJAqHHRuwhaxhc9KG97ADsKEUbIrVnKeajval73WRYgbqXR5ClHa
woS0NY4PmkGrrmkvKJIjcj/gVxDc21ZM/IXWczFR/nrHw5a/+ZyrcJ0I2v0jwDgP
J5NstmTqkYIeoqUeyA0litNrFBMt4L1n5plsbkna4hOOtjXQKi4MtDKGPNMClHBb
XN2osd7D1Lfcgo2OhXmb8vPKloDjZ0VVdQ53FBvyfXs5GQH9DvwJskzO2aYI7U+k
sTDeNOwoaFks/m4POnMmBaxnPs4GqiUdRSt3HZa0dnwGhB4b8Ca0Xd5YPbdYyk2b
B0eeFBN6/X6BLuB3HY4d2s53RglonsU8Ycfo5Mmat0oPwkOFBSjLPx5qjcZUyUTm
adRbi48LDgP1P3Atd/kSvj3Hi91PLPCWlaTB+H4W6cB+QPwGmfjeTs+TR1SA61Hd
hcNIRK8UuWROp99AMwyH9GOKqEIr0TnW6ytqqGem/I4CJvhRUi4LfKCCngEeZ+SW
R6tOySDbJFytQHBS7FXYQqVvHi9BuQrdnyIN0K+FJ8OrBX1Gm/RJomkMnQma5mO3
FX56x7YuPSM=
=VOg0
-----END PGP SIGNATURE-----
ESB-2022.0290 - [SUSE] Linux Kernel: Multiple vulnerabilities
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2022.0290
Security update for the Linux Kernel
21 January 2022
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Linux Kernel
Publisher: SUSE
Operating System: SUSE
Impact/Access: Modify Arbitrary Files -- Existing Account
Denial of Service -- Remote/Unauthenticated
Access Confidential Data -- Remote/Unauthenticated
Unauthorised Access -- Existing Account
Resolution: Patch/Upgrade
CVE Names: CVE-2021-45486 CVE-2021-45485 CVE-2021-43976
CVE-2021-43975 CVE-2021-28715 CVE-2021-28714
CVE-2021-28713 CVE-2021-28712 CVE-2021-28711
CVE-2021-4002 CVE-2021-4001 CVE-2020-27820
CVE-2020-24504
Reference: ESB-2022.0121
Original Bulletin:
https://www.suse.com/support/update/announcement/2022/suse-su-20220131-1
- --------------------------BEGIN INCLUDED TEXT--------------------
SUSE Security Update: Security update for the Linux Kernel
______________________________________________________________________________
Announcement ID: SUSE-SU-2022:0131-1
Rating: important
References: #1139944 #1151927 #1152489 #1153275 #1154353 #1154355
#1161907 #1164565 #1166780 #1169514 #1176242 #1176447
#1176536 #1176544 #1176545 #1176546 #1176548 #1176558
#1176559 #1176774 #1176940 #1176956 #1177440 #1178134
#1178270 #1179211 #1179424 #1179426 #1179427 #1179599
#1181148 #1181507 #1181710 #1182404 #1183534 #1183540
#1183897 #1184318 #1185726 #1185902 #1186332 #1187541
#1189126 #1189158 #1191793 #1191876 #1192267 #1192320
#1192507 #1192511 #1192569 #1192606 #1192691 #1192845
#1192847 #1192874 #1192946 #1192969 #1192987 #1192990
#1192998 #1193002 #1193042 #1193139 #1193169 #1193306
#1193318 #1193349 #1193440 #1193442 #1193655 #1193993
#1194087 #1194094
Cross-References: CVE-2020-24504 CVE-2020-27820 CVE-2021-28711 CVE-2021-28712
CVE-2021-28713 CVE-2021-28714 CVE-2021-28715 CVE-2021-4001
CVE-2021-4002 CVE-2021-43975 CVE-2021-43976 CVE-2021-45485
CVE-2021-45486
Affected Products:
SUSE MicroOS 5.1
SUSE Linux Enterprise Workstation Extension 15-SP3
SUSE Linux Enterprise Module for Live Patching 15-SP3
SUSE Linux Enterprise Module for Legacy Software 15-SP3
SUSE Linux Enterprise Module for Development Tools 15-SP3
SUSE Linux Enterprise Module for Basesystem 15-SP3
SUSE Linux Enterprise High Availability 15-SP3
______________________________________________________________________________
An update that solves 13 vulnerabilities, contains one feature and has 61 fixes
is now available.
Description:
The SUSE Linux Enterprise 15 SP3 kernel was updated
o Unprivileged BPF has been disabled by default to reduce attack surface as
too many security issues have happened in the past (jsc#SLE-22573) You can
reenable via systemctl setting /proc/sys/kernel/unprivileged_bpf_disabled
to 0. (kernel.unprivileged_bpf_disabled = 0)
The following security bugs were fixed:
o CVE-2021-45485: Fixed an information leak because of certain use of a hash
table which use IPv6 source addresses. (bsc#1194094)
o CVE-2021-45486: Fixed an information leak because the hash table is very
small in net/ipv4/route.c. (bnc#1194087).
o CVE-2021-4001: Fixed a race condition when the EBPF map is frozen. (bsc#
1192990)
o CVE-2021-28715: Fixed an issue where a guest could force Linux netback
driver to hog large amounts of kernel memory by do not queueing unlimited
number of packages. (bsc#1193442)
o CVE-2021-28714: Fixed an issue where a guest could force Linux netback
driver to hog large amounts of kernel memory by fixing rx queue stall
detection. (bsc#1193442)
o CVE-2021-28713: Fixed a rogue backends that could cause DoS of guests via
high frequency events by hardening hvc_xen against event channel storms.
(bsc#1193440)
o CVE-2021-28712: Fixed a rogue backends that could cause DoS of guests via
high frequency events by hardening netfront against event channel storms.
(bsc#1193440)
o CVE-2021-28711: Fixed a rogue backends that could cause DoS of guests via
high frequency events by hardening blkfront against event channel storms.
(bsc#1193440)
o CVE-2020-24504: Fixed an uncontrolled resource consumption in some Intel(R)
Ethernet E810 Adapter drivers that may have allowed an authenticated user
to potentially enable denial of service via local access. (bnc#1182404)
o CVE-2021-43975: Fixed a flaw in hw_atl_utils_fw_rpc_wait that could allow
an attacker (who can introduce a crafted device) to trigger an
out-of-bounds write via a crafted length value. (bnc#1192845)
o CVE-2021-43976: Fixed a flaw that could allow an attacker (who can connect
a crafted USB device) to cause a denial of service. (bnc#1192847)
o CVE-2021-4002: Added a missing TLB flush that could lead to leak or
corruption of data in hugetlbfs. (bsc#1192946)
o CVE-2020-27820: Fixed a vulnerability where a use-after-frees in nouveau's
postclose() handler could happen if removing device. (bnc#1179599)
The following non-security bugs were fixed:
o ACPI: battery: Accept charges over the design capacity as full (git-fixes).
o ACPI: PMIC: Fix intel_pmic_regs_handler() read accesses (git-fixes).
o ACPICA: Avoid evaluating methods too early during system resume
(git-fixes).
o Add SMB 2 support for getting and setting SACLs (bsc#1192606).
o Add to supported.conf: fs/smbfs_common/cifs_arc4 fs/smbfs_common/cifs_md4
o ALSA: ctxfi: Fix out-of-range access (git-fixes).
o ALSA: gus: fix null pointer dereference on pointer block (git-fixes).
o ALSA: hda: hdac_ext_stream: fix potential locking issues (git-fixes).
o ALSA: hda: hdac_stream: fix potential locking issue in
snd_hdac_stream_assign() (git-fixes).
o ALSA: hda/realtek: Add a quirk for Acer Spin SP513-54N (git-fixes).
o ALSA: hda/realtek: Add quirk for ASUS UX550VE (git-fixes).
o ALSA: hda/realtek: Add quirk for Clevo PC70HS (git-fixes).
o ALSA: hda/realtek: Add quirk for HP EliteBook 840 G7 mute LED (git-fixes).
o ALSA: ISA: not for M68K (git-fixes).
o ALSA: synth: missing check for possible NULL after the call to kstrdup
(git-fixes).
o ALSA: timer: Fix use-after-free problem (git-fixes).
o ALSA: timer: Unconditionally unlink slave instances, too (git-fixes).
o ALSA: usb-audio: Add registration quirk for JBL Quantum 400 (git-fixes).
o ARM: 8970/1: decompressor: increase tag size (git-fixes).
o ARM: 8974/1: use SPARSMEM_STATIC when SPARSEMEM is enabled (git-fixes)
o ARM: 8986/1: hw_breakpoint: Do not invoke overflow handler on uaccess
watchpoints (git-fixes)
o ARM: 9007/1: l2c: fix prefetch bits init in L2X0_AUX_CTRL using DT
(git-fixes)
o ARM: 9019/1: kprobes: Avoid fortify_panic() when copying optprobe
(git-fixes)
o ARM: 9046/1: decompressor: Do not clear SCTLR.nTLSMD for ARMv7+ cores
(git-fixes)
o ARM: 9064/1: hw_breakpoint: Do not directly check the event's (git-fixes)
o ARM: 9071/1: uprobes: Do not hook on thumb instructions (git-fixes)
o ARM: 9081/1: fix gcc-10 thumb2-kernel regression (git-fixes)
o ARM: 9091/1: Revert "mm: qsd8x50: Fix incorrect permission faults"
(git-fixes)
o ARM: 9133/1: mm: proc-macros: ensure *_tlb_fns are 4B aligned (git-fixes)
o ARM: 9134/1: remove duplicate memcpy() definition (git-fixes)
o ARM: 9139/1: kprobes: fix arch_init_kprobes() prototype (git-fixes)
o ARM: 9141/1: only warn about XIP address when not compile testing
(git-fixes)
o ARM: 9155/1: fix early early_iounmap() (git-fixes)
o ARM: at91: pm: add missing put_device() call in at91_pm_sram_init()
(git-fixes)
o ARM: at91: pm: of_node_put() after its usage (git-fixes)
o ARM: at91: pm: use proper master clock register offset (git-fixes)
o ARM: bcm: Select ARM_TIMER_SP804 for ARCH_BCM_NSP (git-fixes)
o ARM: dts sunxi: Relax a bit the CMA pool allocation range (git-fixes)
o ARM: dts: am335x-pocketbeagle: Fix mmc0 Write Protect (git-fixes)
o ARM: dts: am335x: align ti,pindir-d0-out-d1-in property with dt-shema
(git-fixes)
o ARM: dts: am437x-idk-evm: Fix incorrect OPP node names (git-fixes)
o ARM: dts: am437x-l4: fix typo in can@0 node (git-fixes)
o ARM: dts: armada-38x: fix NETA lockup when repeatedly switching speeds
(git-fixes)
o ARM: dts: armada388-helios4: assign pinctrl to each fan (git-fixes)
o ARM: dts: armada388-helios4: assign pinctrl to LEDs (git-fixes)
o ARM: dts: aspeed: s2600wf: Fix VGA memory region location (git-fixes)
o ARM: dts: aspeed: tiogapass: Remove vuart (git-fixes)
o ARM: dts: at91-sama5d27_som1: fix phy address to 7 (git-fixes)
o ARM: dts: at91: add pinctrl-{names, 0} for all gpios (git-fixes)
o ARM: dts: at91: at91sam9rl: fix ADC triggers (git-fixes)
o ARM: dts: at91: sama5d2_ptc_ek: fix sdmmc0 node description (git-fixes)
o ARM: dts: at91: sama5d2_ptc_ek: fix vbus pin (git-fixes)
o ARM: dts: at91: sama5d2_xplained: classd: pull-down the R1 and R3 lines
(git-fixes)
o ARM: dts: at91: sama5d2: fix CAN message ram offset and size (git-fixes)
o ARM: dts: at91: sama5d2: map securam as device (git-fixes)
o ARM: dts: at91: sama5d3_xplained: add pincontrol for USB Host (git-fixes)
o ARM: dts: at91: sama5d4_xplained: add pincontrol for USB Host (git-fixes)
o ARM: dts: at91: sama5d4: fix pinctrl muxing (git-fixes)
o ARM: dts: at91: tse850: the emaclt;->phy interface is rmii (git-fixes)
o ARM: dts: bcm: HR2: Fix PPI interrupt types (git-fixes)
o ARM: dts: bcm: HR2: Fixed QSPI compatible string (git-fixes)
o ARM: dts: bcm2835-rpi-zero-w: Fix led polarity (git-fixes)
o ARM: dts: BCM5301X: Add interrupt properties to GPIO node (git-fixes)
o ARM: dts: BCM5301X: Fix I2C controller interrupt (git-fixes)
o ARM: dts: BCM5301X: Fixed QSPI compatible string (git-fixes)
o ARM: dts: colibri-imx6ull: limit SDIO clock to 25MHz (git-fixes)
o ARM: dts: Configure missing thermal interrupt for 4430 (git-fixes)
o ARM: dts: dra76x: Fix mmc3 max-frequency (git-fixes)
o ARM: dts: dra76x: m_can: fix order of clocks (git-fixes)
o ARM: dts: dra7xx-clocks: Fixup IPU1 mux clock parent source (git-fixes)
o ARM: dts: exynos: correct fuel gauge interrupt trigger level on Midas
(git-fixes)
o ARM: dts: exynos: correct MUIC interrupt trigger level on Midas (git-fixes)
o ARM: dts: exynos: correct PMIC interrupt trigger level on Arndale
(git-fixes)
o ARM: dts: exynos: correct PMIC interrupt trigger level on Artik 5
(git-fixes)
o ARM: dts: exynos: correct PMIC interrupt trigger level on Midas (git-fixes)
o ARM: dts: exynos: correct PMIC interrupt trigger level on Monk (git-fixes)
o ARM: dts: exynos: correct PMIC interrupt trigger level on Odroid X/U3
(git-fixes)
o ARM: dts: exynos: correct PMIC interrupt trigger level on Odroid XU3
(git-fixes)
o ARM: dts: exynos: correct PMIC interrupt trigger level on Rinato
(git-fixes)
o ARM: dts: exynos: correct PMIC interrupt trigger level on SMDK5250
(git-fixes)
o ARM: dts: exynos: correct PMIC interrupt trigger level on Snow (git-fixes)
o ARM: dts: exynos: correct PMIC interrupt trigger level on Spring
(git-fixes)
o ARM: dts: exynos: Fix GPIO polarity for thr GalaxyS3 CM36651 sensor's bus
(git-fixes)
o ARM: dts: exynos: fix PWM LED max brightness on Odroid HC1 (git-fixes)
o ARM: dts: exynos: fix PWM LED max brightness on Odroid XU/XU3 (git-fixes)
o ARM: dts: exynos: fix PWM LED max brightness on Odroid XU4 (git-fixes)
o ARM: dts: exynos: fix roles of USB 3.0 ports on Odroid XU (git-fixes)
o ARM: dts: exynos: fix USB 3.0 pins supply being turned off on Odroid
(git-fixes)
o ARM: dts: exynos: fix USB 3.0 VBUS control and over-current pins on
(git-fixes)
o ARM: dts: Fix dcan driver probe failed on am437x platform (git-fixes)
o ARM: dts: Fix duovero smsc interrupt for suspend (git-fixes)
o ARM: dts: gemini-rut1xx: remove duplicate ethernet node (git-fixes)
o ARM: dts: gose: Fix ports node name for adv7180 (git-fixes)
o ARM: dts: gose: Fix ports node name for adv7612 (git-fixes)
o ARM: dts: imx: emcon-avari: Fix nxp,pca8574 #gpio-cells (git-fixes)
o ARM: dts: imx: Fix USB host power regulator polarity on M53Menlo
(git-fixes)
o ARM: dts: imx: Swap M53Menlo pinctrl_power_button/pinctrl_power_out
(git-fixes)
o ARM: dts: imx27-phytec-phycard-s-rdk: Fix the I2C1 pinctrl entries
(git-fixes)
o ARM: dts: imx50-evk: Fix the chip select 1 IOMUX (git-fixes)
o ARM: dts: imx6: pbab01: Set vmmc supply for both SD interfaces (git-fixes)
o ARM: dts: imx6: phycore-som: fix arm and soc minimum voltage (git-fixes)
o ARM: dts: imx6: phycore-som: fix emmc supply (git-fixes)
o ARM: dts: imx6: Use gpc for FEC interrupt controller to fix wake on LAN
(git-fixes)
o ARM: dts: imx6dl-colibri-eval-v3: fix sram compatible properties
(git-fixes).
o ARM: dts: imx6dl-yapp4: Fix RGMII connection to QCA8334 switch (git-fixes)
o ARM: dts: imx6dl-yapp4: Fix Ursa board Ethernet connection (git-fixes)
o ARM: dts: imx6q-dhcom: Add gpios pinctrl for i2c bus recovery (git-fixes)
o ARM: dts: imx6q-dhcom: Add PU,VDD1P1,VDD2P5 regulators (git-fixes)
o ARM: dts: imx6q-dhcom: Fix ethernet plugin detection problems (git-fixes)
o ARM: dts: imx6q-dhcom: Fix ethernet reset time properties (git-fixes)
o ARM: dts: imx6qdl-gw52xx: fix duplicate regulator naming (git-fixes)
o ARM: dts: imx6qdl-gw551x: Do not use 'simple-audio-card,dai-link'
(git-fixes)
o ARM: dts: imx6qdl-gw551x: fix audio SSI (git-fixes)
o ARM: dts: imx6qdl-icore: Fix OTG_ID pin and sdcard detect (git-fixes)
o ARM: dts: imx6qdl-kontron-samx6i: fix i2c_lcd/cam default status
(git-fixes)
o ARM: dts: imx6qdl-kontron-samx6i: fix I2C_PM scl pin (git-fixes)
o ARM: dts: imx6qdl-sr-som: Increase the PHY reset duration to 10ms
(git-fixes)
o ARM: dts: imx6qdl-udoo: fix rgmii phy-mode for ksz9031 phy (git-fixes)
o ARM: dts: imx6sl: fix rng node (git-fixes)
o ARM: dts: imx6sx-sabreauto: Fix the phy-mode on fec2 (git-fixes)
o ARM: dts: imx6sx-sdb: Fix the phy-mode on fec2 (git-fixes)
o ARM: dts: imx6sx: Add missing UART RTS/CTS pins mux (git-fixes)
o ARM: dts: imx6sx: fix the pad QSPI1B_SCLK mux mode for uart3 (git-fixes)
o ARM: dts: imx6sx: Improve UART pins macro defines (git-fixes)
o ARM: dts: imx7-colibri: Fix frequency for sd/mmc (git-fixes)
o ARM: dts: imx7-colibri: fix muxing of usbc_det pin (git-fixes)
o ARM: dts: imx7-colibri: prepare module device tree for FlexCAN (git-fixes)
o ARM: dts: imx7d-meerkat96: Fix the 'tuning-step' property (git-fixes)
o ARM: dts: imx7d-pico: Fix the 'tuning-step' property (git-fixes)
o ARM: dts: imx7d: Correct speed grading fuse settings (git-fixes)
o ARM: dts: imx7d: fix opp-supported-hw (git-fixes)
o ARM: dts: imx7ulp: Correct gpio ranges (git-fixes)
o ARM: dts: logicpd-som-lv-baseboard: Fix broken audio (git-fixes)
o ARM: dts: logicpd-som-lv-baseboard: Fix missing video (git-fixes)
o ARM: dts: logicpd-torpedo-baseboard: Fix broken audio (git-fixes)
o ARM: dts: lpc32xx: Revert set default clock rate of HCLK PLL (git-fixes)
o ARM: dts: ls1021a: fix QuadSPI-memory reg range (git-fixes)
o ARM: dts: ls1021a: Restore MDIO compatible to gianfar (git-fixes)
o ARM: dts: meson: fix PHY deassert timing requirements (git-fixes)
o ARM: dts: meson8: remove two invalid interrupt lines from the GPU
(git-fixes)
o ARM: dts: meson8: Use a higher default GPU clock frequency (git-fixes)
o ARM: dts: meson8b: ec100: Fix the pwm regulator supply properties
(git-fixes)
o ARM: dts: meson8b: mxq: Fix the pwm regulator supply properties (git-fixes)
o ARM: dts: meson8b: odroidc1: Fix the pwm regulator supply properties
(git-fixes)
o ARM: dts: mt7623: add missing pause for switchport (git-fixes)
o ARM: dts: N900: fix onenand timings (git-fixes).
o ARM: dts: NSP: Correct FA2 mailbox node (git-fixes)
o ARM: dts: NSP: Disable PL330 by default, add dma-coherent property
(git-fixes)
o ARM: dts: NSP: Fixed QSPI compatible string (git-fixes)
o ARM: dts: omap3-gta04a4: accelerometer irq fix (git-fixes)
o ARM: dts: omap3430-sdp: Fix NAND device node (git-fixes)
o ARM: dts: owl-s500: Fix incorrect PPI interrupt specifiers (git-fixes)
o ARM: dts: oxnas: Fix clear-mask property (git-fixes)
o ARM: dts: pandaboard: fix pinmux for gpio user button of Pandaboard
(git-fixes)
o ARM: dts: qcom: apq8064: Use 27MHz PXO clock as DSI PLL reference
(git-fixes)
o ARM: dts: qcom: msm8974: Add xo_board reference clock to DSI0 PHY
(git-fixes)
o ARM: dts: r7s9210: Remove bogus clock-names from OSTM nodes (git-fixes)
o ARM: dts: r8a73a4: Add missing CMT1 interrupts (git-fixes)
o ARM: dts: r8a7740: Add missing extal2 to CPG node (git-fixes)
o ARM: dts: r8a7779, marzen: Fix DU clock names (git-fixes)
o ARM: dts: Remove non-existent i2c1 from 98dx3236 (git-fixes)
o ARM: dts: renesas: Fix IOMMU device node names (git-fixes)
o ARM: dts: s5pv210: Set keep-power-in-suspend for SDHCI1 on Aries
(git-fixes)
o ARM: dts: socfpga: Align L2 cache-controller nodename with dtschema
(git-fixes)
o ARM: dts: socfpga: fix register entry for timer3 on Arria10 (git-fixes)
o ARM: dts: stm32: fix a typo for DAC io-channel-cells on stm32f429
(git-fixes)
o ARM: dts: stm32: fix a typo for DAC io-channel-cells on stm32h743
(git-fixes)
o ARM: dts: sun6i: a31-hummingbird: Enable RGMII RX/TX delay on (git-fixes)
o ARM: dts: sun7i: a20: bananapro: Fix ethernet phy-mode (git-fixes)
o ARM: dts: sun7i: bananapi-m1-plus: Enable RGMII RX/TX delay on (git-fixes)
o ARM: dts: sun7i: bananapi: Enable RGMII RX/TX delay on Ethernet PHY
(git-fixes)
o ARM: dts: sun7i: cubietruck: Enable RGMII RX/TX delay on Ethernet PHY
(git-fixes)
o ARM: dts: sun7i: pcduino3-nano: enable RGMII RX/TX delay on PHY (git-fixes)
o ARM: dts: sun8i-a83t-tbs-a711: Fix USB OTG mode detection (git-fixes)
o ARM: dts: sun8i-h2-plus-bananapi-m2-zero: Fix led polarity (git-fixes)
o ARM: dts: sun8i: a83t: Enable both RGMII RX/TX delay on Ethernet PHY
(git-fixes)
o ARM: dts: sun8i: h3: orangepi-plus2e: Enable RGMII RX/TX delay on
(git-fixes)
o ARM: dts: sun8i: r40: bananapi-m2-berry: Fix dcdc1 regulator (git-fixes)
o ARM: dts: sun8i: r40: bananapi-m2-ultra: Fix dcdc1 regulator (git-fixes)
o ARM: dts: sun8i: r40: bananapi-m2-ultra: Fix ethernet node (git-fixes)
o ARM: dts: sun8i: r40: Move AHCI device node based on address order
(git-fixes)
o ARM: dts: sun8i: v3s: fix GIC node memory range (git-fixes)
o ARM: dts: sun8i: v40: bananapi-m2-berry: Fix ethernet node (git-fixes)
o ARM: dts: sun9i: Enable both RGMII RX/TX delay on Ethernet PHY (git-fixes)
o ARM: dts: sunxi: bananapi-m2-plus-v1.2: Fix CPU supply voltages (git-fixes)
o ARM: dts: sunxi: bananapi-m2-plus: Enable RGMII RX/TX delay on (git-fixes)
o ARM: dts: sunxi: Fix DE2 clocks register range (git-fixes)
o ARM: dts: turris-omnia: add comphy handle to eth2 (git-fixes)
o ARM: dts: turris-omnia: add SFP node (git-fixes)
o ARM: dts: turris-omnia: configure LED[2]/INTn pin as interrupt pin
(git-fixes)
o ARM: dts: turris-omnia: describe switch interrupt (git-fixes)
o ARM: dts: turris-omnia: enable HW buffer management (git-fixes)
o ARM: dts: turris-omnia: fix hardware buffer management (git-fixes)
o ARM: dts: uniphier: Change phy-mode to RGMII-ID to enable delay pins
(git-fixes)
o ARM: dts: uniphier: Set SCSSI clock and reset IDs for each channel
(git-fixes).
o ARM: dts: vf610-zii-dev-rev-b: Remove #address-cells and #size-cells
(git-fixes)
o ARM: dts: vfxxx: Add syscon compatible with OCOTP (git-fixes)
o ARM: exynos: add missing of_node_put for loop iteration (git-fixes)
o ARM: exynos: MCPM: Restore big.LITTLE cpuidle support (git-fixes)
o ARM: footbridge: fix PCI interrupt mapping (git-fixes)
o ARM: imx: add missing clk_disable_unprepare() (git-fixes)
o ARM: imx: add missing iounmap() (git-fixes)
o ARM: imx: build suspend-imx6.S with arm instruction set (git-fixes)
o ARM: imx: fix missing 3rd argument in macro imx_mmdc_perf_init (git-fixes)
o ARM: imx5: add missing put_device() call in imx_suspend_alloc_ocram()
(git-fixes)
o ARM: imx6: disable the GIC CPU interface before calling stby-poweroff
(git-fixes)
o ARM: mvebu: drop pointless check for coherency_base (git-fixes)
o ARM: OMAP2+: Fix legacy mode dss_reset (git-fixes)
o ARM: OMAP2+: omap_device: fix idling of devices during probe (git-fixes)
o ARM: OMAP2+: pm33xx-core: Make am43xx_get_rtc_base_addr static (git-fixes)
o ARM: p2v: fix handling of LPAE translation in BE mode (git-fixes)
o ARM: s3c: irq-s3c24xx: Fix return value check for s3c24xx_init_intc()
(git-fixes)
o ARM: s3c24xx: fix missing system reset (git-fixes)
o ARM: s3c24xx: fix mmc gpio lookup tables (git-fixes)
o ARM: samsung: do not build plat/pm-common for Exynos (git-fixes)
o ARM: samsung: fix PM debug build with DEBUG_LL but !MMU (git-fixes)
o ARM: socfpga: PM: add missing put_device() call in
socfpga_setup_ocram_self_refresh() (git-fixes)
o ASoC: DAPM: Cover regression by kctl change notification fix (git-fixes).
o ASoC: nau8824: Add DMI quirk mechanism for active-high jack-detect
(git-fixes).
o ASoC: qdsp6: q6routing: Conditionally reset FrontEnd Mixer (git-fixes).
o ASoC: SOF: Intel: hda-dai: fix potential locking issue (git-fixes).
o ASoC: topology: Add missing rwsem around snd_ctl_remove() calls
(git-fixes).
o ath: dfs_pattern_detector: Fix possible null-pointer dereference in
channel_detector_create() (git-fixes).
o ath10k: fix invalid dma_addr_t token assignment (git-fixes).
o ath10k: high latency fixes for beacon buffer (git-fixes).
o Bbluetooth: btusb: Add another Bluetooth part for Realtek 8852AE (bsc#
1193655).
o bfq: Limit number of requests consumed by each cgroup (bsc#1184318).
o bfq: Store full bitmap depth in bfq_data (bsc#1184318).
o bfq: Track number of allocated requests in bfq_entity (bsc#1184318).
o block: Fix use-after-free issue accessing struct io_cq (bsc#1193042).
o block: Provide blk_mq_sched_get_icq() (bsc#1184318).
o Bluetooth: Add additional Bluetooth part for Realtek 8852AE (bsc#1193655).
o Bluetooth: btrtl: Refine the ic_id_table for clearer and more regular (bsc#
1193655).
o Bluetooth: btusb: Add the more support IDs for Realtek RTL8822CE (bsc#
1193655).
o Bluetooth: btusb: Add the new support ID for Realtek RTL8852A (bsc#
1193655).
o Bluetooth: btusb: btrtl: Add support for RTL8852A (bsc#1193655).
o Bluetooth: fix use-after-free error in lock_sock_nested() (git-fixes).
o bnxt_en: reject indirect blk offload when hw-tc-offload is off (jsc#
SLE-8372 bsc#1153275).
o bonding: Fix a use-after-free problem when bond_sysfs_slave_add() failed
(git-fixes).
o bpf, arm: Fix register clobbering in div/mod implementation (git-fixes)
o bpf, s390: Fix potential memory leak about jit_data (git-fixes).
o bpf, x86: Fix "no previous prototype" warning (git-fixes).
o brcmfmac: Add DMI nvram filename quirk for Cyberbook T116 tablet
(git-fixes).
o btrfs: do not ignore error from btrfs_next_leaf() when inserting checksums
(bsc#1193002).
o btrfs: fix fsync failure and transaction abort after writes to prealloc
extents (bsc#1193002).
o btrfs: fix lost inode on log replay after mix of fsync, rename and inode
eviction (bsc#1192998).
o btrfs: fix race causing unnecessary inode logging during link and rename
(bsc#1192998).
o btrfs: make checksum item extension more efficient (bsc#1193002).
o cfg80211: call cfg80211_stop_ap when switch from P2P_GO type (git-fixes).
o cifs use true,false for bool variable (bsc#1164565).
o cifs_atomic_open(): fix double-put on late allocation failure (bsc#
1192606).
o cifs_debug: use %pd instead of messing with ->d_name (bsc#1192606).
o cifs: add a debug macro that prints \\server\share for errors (bsc#
1164565).
o cifs: add a function to get a cached dir based on its dentry (bsc#1192606).
o cifs: add a helper to find an existing readable handle to a file (bsc#
1154355).
o cifs: add a timestamp to track when the lease of the cached dir was taken
(bsc#1192606).
o cifs: add an smb3_fs_context to cifs_sb (bsc#1192606).
o cifs: add FALLOC_FL_INSERT_RANGE support (bsc#1192606).
o cifs: add files to host new mount api (bsc#1192606).
o cifs: add fs_context param to parsing helpers (bsc#1192606).
o cifs: Add get_security_type_str function to return sec type (bsc#1192606).
o cifs: add initial reconfigure support (bsc#1192606).
o cifs: add missing mount option to /proc/mounts (bsc#1164565).
o cifs: add missing parsing of backupuid (bsc#1192606).
o cifs: Add missing sentinel to smb3_fs_parameters (bsc#1192606).
o cifs: add mount parameter tcpnodelay (bsc#1192606).
o cifs: add multichannel mount options and data structs (bsc#1192606).
o cifs: add new debugging macro cifs_server_dbg (bsc#1164565).
o cifs: Add new mount parameter "acdirmax" to allow caching directory
metadata (bsc#1192606).
o cifs: Add new parameter "acregmax" for distinct file and directory metadata
timeout (bsc#1192606).
o cifs: add NULL check for ses->tcon_ipc (bsc#1178270).
o cifs: add passthrough for smb2 setinfo (bsc#1164565).
o cifs: add server param (bsc#1192606).
o cifs: add shutdown support (bsc#1192606).
o cifs: add smb2 POSIX info level (bsc#1164565).
o cifs: add SMB2_open() arg to return POSIX data (bsc#1164565).
o cifs: add SMB3 change notification support (bsc#1164565).
o cifs: add support for FALLOC_FL_COLLAPSE_RANGE (bsc#1192606).
o cifs: add support for fallocate mode 0 for non-sparse files (bsc#1164565).
o cifs: add support for flock (bsc#1164565).
o cifs: Add support for setting owner info, dos attributes, and create time
(bsc#1164565).
o cifs: Add tracepoints for errors on flush or fsync (bsc#1164565).
o cifs: Add witness information to debug data dump (bsc#1192606).
o cifs: add witness mount option and data structs (bsc#1192606).
o cifs: added WARN_ON for all the count decrements (bsc#1192606).
o cifs: Adjust indentation in smb2_open_file (bsc#1164565).
o cifs: Adjust key sizes and key generation routines for AES256 encryption
(bsc#1192606).
o cifs: allocate buffer in the caller of build_path_from_dentry() (bsc#
1192606).
o cifs: Allocate crypto structures on the fly for calculating signatures of
incoming packets (bsc#1192606).
o cifs: Allocate encryption header through kmalloc (bsc#1192606).
o cifs: allow chmod to set mode bits using special sid (bsc#1164565).
o cifs: allow syscalls to be restarted in __smb_send_rqst() (bsc#1176956).
o cifs: allow unlock flock and OFD lock across fork (bsc#1192606).
o cifs: Always update signing key of first channel (bsc#1192606).
o cifs: ask for more credit on async read/write code paths (bsc#1192606).
o cifs: Assign boolean values to a bool variable (bsc#1192606).
o cifs: Avoid doing network I/O while holding cache lock (bsc#1164565).
o cifs: Avoid error pointer dereference (bsc#1192606).
o cifs: avoid extra calls in posix_info_parse (bsc#1192606).
o cifs: Avoid field over-reading memcpy() (bsc#1192606).
o cifs: avoid starvation when refreshing dfs cache (bsc#1185902).
o cifs: avoid using MID 0xFFFF (bnc#1151927 5.3.8).
o cifs: call wake_up(server->response_q) inside of cifs_reconnect() (bsc#
1164565).
o cifs: change confusing field serverName (to ip_addr) (bsc#1192606).
o cifs: change format of CIFS_FULL_KEY_DUMP ioctl (bsc#1192606).
o cifs: change noisy error message to FYI (bsc#1181507).
o cifs: Change SIDs in ACEs while transferring file ownership (bsc#1192606).
o cifs: check all path components in resolved dfs target (bsc#1181710).
o cifs: check new file size when extending file by fallocate (bsc#1192606).
o cifs: check pointer before freeing (bsc#1183534).
o cifs: check the timestamp for the cached dirent when deciding on revalidate
(bsc#1192606).
o cifs: cifs_md4 convert to SPDX identifier (bsc#1192606).
o cifs: cifspdu.h: Replace one-element array with flexible-array member (bsc#
1192606).
o cifs: cifspdu.h: Replace zero-length array with flexible-array member (bsc#
1192606).
o cifs: cifsssmb: remove redundant assignment to variable ret (bsc#1164565).
o cifs: clarify comment about timestamp granularity for old servers (bsc#
1192606).
o cifs: clarify hostname vs ip address in /proc/fs/cifs/DebugData (bsc#
1192606).
o cifs: Clarify SMB1 code for delete (bsc#1192606).
o cifs: Clarify SMB1 code for POSIX Create (bsc#1192606).
o cifs: Clarify SMB1 code for POSIX delete file (bsc#1192606).
o cifs: Clarify SMB1 code for POSIX Lock (bsc#1192606).
o cifs: Clarify SMB1 code for rename open file (bsc#1192606).
o cifs: Clarify SMB1 code for SetFileSize (bsc#1192606).
o cifs: clarify SMB1 code for UnixCreateHardLink (bsc#1192606).
o cifs: Clarify SMB1 code for UnixCreateSymLink (bsc#1192606).
o cifs: Clarify SMB1 code for UnixSetPathInfo (bsc#1192606).
o cifs: Clean up DFS referral cache (bsc#1164565).
o cifs: cleanup a few le16 vs. le32 uses in cifsacl.c (bsc#1192606).
o cifs: cleanup misc.c (bsc#1192606).
o cifs: clear PF_MEMALLOC before exiting demultiplex thread (bsc#1192606).
o cifs: Close cached root handle only if it had a lease (bsc#1164565).
o cifs: Close open handle after interrupted close (bsc#1164565).
o cifs: close the shared root handle on tree disconnect (bsc#1164565).
o cifs: compute full_path already in cifs_readdir() (bsc#1192606).
o cifs: connect individual channel servers to primary channel server (bsc#
1192606).
o cifs: connect: style: Simplify bool comparison (bsc#1192606).
o cifs: constify get_normalized_path() properly (bsc#1185902).
o cifs: constify path argument of ->make_node() (bsc#1192606).
o cifs: constify pathname arguments in a bunch of helpers (bsc#1192606).
o cifs: Constify static struct genl_ops (bsc#1192606).
o cifs: convert list_for_each to entry variant (bsc#1192606, jsc#SLE-20042).
o cifs: convert list_for_each to entry variant in cifs_debug.c (bsc#1192606).
o cifs: convert list_for_each to entry variant in smb2misc.c (bsc#1192606).
o cifs: convert revalidate of directories to using directory metadata cache
timeout (bsc#1192606).
o cifs: convert to use be32_add_cpu() (bsc#1192606).
o cifs: Convert to use the fallthrough macro (bsc#1192606).
o cifs: correct comments explaining internal semaphore usage in the module
(bsc#1192606).
o cifs: correct four aliased mount parms to allow use of previous names (bsc#
1192606).
o cifs: create a helper function to parse the query-directory response buffer
(bsc#1164565).
o cifs: create a helper to find a writeable handle by path name (bsc#
1154355).
o cifs: create a MD4 module and switch cifs.ko to use it (bsc#1192606).
o cifs: Create a new shared file holding smb2 pdu definitions (bsc#1192606).
o cifs: create sd context must be a multiple of 8 (bsc#1192606).
o cifs: Deal with some warnings from W=1 (bsc#1192606).
o cifs: Delete a stray unlock in cifs_swn_reconnect() (bsc#1192606).
o cifs: delete duplicated words in header files (bsc#1192606).
o cifs: detect dead connections only when echoes are enabled (bsc#1192606).
o cifs: Display local UID details for SMB sessions in DebugData (bsc#
1192606).
o cifs: do d_move in rename (bsc#1164565).
o cifs: do not allow changing posix_paths during remount (bsc#1192606).
o cifs: do not cargo-cult strndup() (bsc#1185902).
o cifs: do not create a temp nls in cifs_setup_ipc (bsc#1192606).
o cifs: do not disable noperm if multiuser mount option is not provided (bsc#
1192606).
o cifs: Do not display RDMA transport on reconnect (bsc#1164565).
o cifs: do not duplicate fscache cookie for secondary channels (bsc#1192606).
o cifs: do not fail __smb_send_rqst if non-fatal signals are pending
(git-fixes).
o cifs: do not ignore the SYNC flags in getattr (bsc#1164565).
o cifs: do not leak -EAGAIN for stat() during reconnect (bsc#1164565).
o cifs: Do not leak EDEADLK to dgetents64 for STATUS_USER_SESSION_DELETED
(bsc#1192606).
o cifs: Do not miss cancelled OPEN responses (bsc#1164565).
o cifs: do not negotiate session if session already exists (bsc#1192606).
o cifs: do not send close in compound create+close requests (bsc#1181507).
o cifs: do not send tree disconnect to ipc shares (bsc#1185902).
o cifs: do not share tcons with DFS (bsc#1178270).
o cifs: do not share tcp servers with dfs mounts (bsc#1185902).
o cifs: do not share tcp sessions of dfs connections (bsc#1185902).
o cifs: do not use 'pre:' for MODULE_SOFTDEP (bsc#1164565).
o cifs: Do not use iov_iter::type directly (bsc#1192606).
o cifs: Do not use the original cruid when following DFS links for multiuser
mounts (bsc#1192606).
o cifs: document and cleanup dfs mount (bsc#1178270).
o cifs: dump channel info in DebugData (bsc#1192606).
o cifs: dump Security Type info in DebugData (bsc#1192606).
o cifs: dump the session id and keys also for SMB2 sessions (bsc#1192606).
o cifs: enable change notification for SMB2.1 dialect (bsc#1164565).
o cifs: enable extended stats by default (bsc#1192606).
o cifs: Enable sticky bit with cifsacl mount option (bsc#1192606).
o cifs: ensure correct super block for DFS reconnect (bsc#1178270).
o cifs: escape spaces in share names (bsc#1192606).
o cifs: export supported mount options via new mount_params /proc file (bsc#
1192606).
o cifs: fail i/o on soft mounts if sessionsetup errors out (bsc#1164565).
o cifs: fiemap: do not return EINVAL if get nothing (bsc#1192606).
o cifs: fix a comment for the timeouts when sending echos (bsc#1164565).
o cifs: fix a memleak with modefromsid (bsc#1192606).
o cifs: fix a sign extension bug (bsc#1192606).
o cifs: fix a white space issue in cifs_get_inode_info() (bsc#1164565).
o cifs: fix allocation size on newly created files (bsc#1192606).
o cifs: Fix an error pointer dereference in cifs_mount() (bsc#1178270).
o cifs: Fix atime update check vs mtime (bsc#1164565).
o cifs: Fix bug which the return value by asynchronous read is error (bsc#
1192606).
o cifs: Fix cached_fid refcnt leak in open_shroot (bsc#1192606).
o cifs: fix channel signing (bsc#1192606).
o cifs: fix check of dfs interlinks (bsc#1185902).
o cifs: fix check of tcon dfs in smb1 (bsc#1178270).
o cifs: Fix chmod with modefromsid when an older ACE already exists (bsc#
1192606).
o cifs: fix chown and chgrp when idsfromsid mount option enabled (bsc#
1192606).
o cifs: Fix cifsacl ACE mask for group and others (bsc#1192606).
o cifs: Fix cifsInodeInfo lock_sem deadlock when reconnect occurs (bnc#
1151927 5.3.10).
o cifs: fix credit accounting for extra channel (bsc#1192606).
o cifs: fix dereference on ses before it is null checked (bsc#1164565).
o cifs: fix dfs domain referrals (bsc#1192606).
o cifs: fix DFS failover (bsc#1192606).
o cifs: fix DFS mount with cifsacl/modefromsid (bsc#1178270).
o cifs: fix dfs-links (bsc#1192606).
o cifs: fix doc warnings in cifs_dfs_ref.c (bsc#1192606).
o cifs: Fix double add page to memcg when cifs_readpages (bsc#1192606).
o cifs: fix double free error on share and prefix (bsc#1178270).
o cifs: Fix fall-through warnings for Clang (bsc#1192606).
o cifs: fix fallocate when trying to allocate a hole (bsc#1192606).
o cifs: fix gcc warning in sid_to_id (bsc#1192606).
o cifs: fix handling of escaped ',' in the password mount argument (bsc#
1192606).
o cifs: Fix in error types returned for out-of-credit situations (bsc#
1192606).
o cifs: Fix incomplete memory allocation on setxattr path (bsc#1179211).
o cifs: Fix inconsistent indenting (bsc#1192606).
o cifs: Fix inconsistent IS_ERR and PTR_ERR (bsc#1192606).
o cifs: fix incorrect check for null pointer in header_assemble (bsc#
1192606).
o cifs: fix incorrect kernel doc comments (bsc#1192606).
o cifs: fix interrupted close commands (git-fixes).
o cifs: fix ipv6 formating in cifs_ses_add_channel (bsc#1192606).
o cifs: fix leak in cifs_smb3_do_mount() ctx (bsc#1192606).
o cifs: Fix leak when handling lease break for cached root fid (bsc#1176242).
o cifs: fix leaked reference on requeued write (bsc#1178270).
o cifs: Fix lookup of root ses in DFS referral cache (bsc#1164565).
o cifs: Fix lookup of SMB connections on multichannel (bsc#1192606).
o cifs: fix max ea value size (bnc#1151927 5.3.4).
o cifs: Fix memory allocation in __smb2_handle_cancelled_cmd() (bsc#1164565).
o cifs: fix memory leak in smb2_copychunk_range (git-fixes).
o cifs: fix memory leak of smb3_fs_context_dup::server_hostname (bsc#
1192606).
o cifs: fix minor typos in comments and log messages (bsc#1192606).
o cifs: Fix missed free operations (bnc#1151927 5.3.8).
o cifs: fix missing null session check in mount (bsc#1192606).
o cifs: fix missing spinlock around update to ses->status (bsc#1192606).
o cifs: fix misspellings using codespell tool (bsc#1192606).
o cifs: fix mode bits from dir listing when mounted with modefromsid (bsc#
1164565).
o cifs: Fix mode output in debugging statements (bsc#1164565).
o cifs: fix mount option display for sec=krb5i (bsc#1161907).
o cifs: Fix mount options set in automount (bsc#1164565).
o cifs: fix mounts to subdirectories of target (bsc#1192606).
o cifs: fix nodfs mount option (bsc#1181710).
o cifs: fix NULL dereference in match_prepath (bsc#1164565).
o cifs: fix NULL dereference in smb2_check_message() (bsc#1192606).
o cifs: Fix null pointer check in cifs_read (bsc#1192606).
o cifs: Fix NULL pointer dereference in mid callback (bsc#1164565).
o cifs: Fix NULL-pointer dereference in smb2_push_mandatory_locks (bnc#
1151927 5.3.16).
o cifs: Fix oplock handling for SMB 2.1+ protocols (bnc#1151927 5.3.4).
o cifs: fix out-of-bound memory access when calling smb3_notify() at mount
point (bsc#1192606).
o cifs: fix path comparison and hash calc (bsc#1185902).
o cifs: fix possible uninitialized access and race on iface_list (bsc#
1192606).
o cifs: Fix potential deadlock when updating vol in cifs_reconnect() (bsc#
1164565).
o cifs: fix potential mismatch of UNC paths (bsc#1164565).
o cifs: Fix potential softlockups while refreshing DFS cache (bsc#1164565).
o cifs: fix potential use-after-free bugs (bsc#1192606, jsc#SLE-20042).
o cifs: fix potential use-after-free in cifs_echo_request() (bsc#1139944).
o cifs: Fix preauth hash corruption (git-fixes).
o cifs: fix print of hdr_flags in dfscache_proc_show() (bsc#1192606, jsc#
SLE-20042).
o cifs: fix reference leak for tlink (bsc#1192606).
o cifs: fix regression when mounting shares with prefix paths (bsc#1192606).
o cifs: fix rename() by ensuring source handle opened with DELETE bit (bsc#
1164565).
o cifs: Fix resource leak (bsc#1192606).
o cifs: Fix retrieval of DFS referrals in cifs_mount() (bsc#1164565).
o cifs: Fix retry mid list corruption on reconnects (bnc#1151927 5.3.10).
o cifs: Fix return value in __update_cache_entry (bsc#1164565).
o cifs: fix rsize/wsize to be negotiated values (bsc#1192606).
o cifs: fix SMB1 error path in cifs_get_file_info_unix (bsc#1192606).
o cifs: Fix SMB2 oplock break processing (bsc#1154355 bnc#1151927 5.3.16).
o cifs: fix soft mounts hanging in the reconnect code (bsc#1164565).
o cifs: fix soft mounts hanging in the reconnect code (bsc#1164565).
o cifs: Fix some error pointers handling detected by static checker (bsc#
1192606).
o cifs: Fix spelling of 'security' (bsc#1192606).
o cifs: fix string declarations and assignments in tracepoints (bsc#1192606).
o cifs: Fix support for remount when not changing rsize/wsize (bsc#1192606).
o cifs: Fix task struct use-after-free on reconnect (bsc#1164565).
o cifs: fix the out of range assignment to bit fields in
parse_server_interfaces (bsc#1192606).
o cifs: Fix the target file was deleted when rename failed (bsc#1192606).
o cifs: fix trivial typo (bsc#1192606).
o cifs: fix uninitialised lease_key in open_shroot() (bsc#1178270).
o cifs: fix uninitialized variable in smb3_fs_context_parse_param (bsc#
1192606).
o cifs: fix unitialized variable poential problem with network I/O cache lock
patch (bsc#1164565).
o cifs: Fix unix perm bits to cifsacl conversion for "other" bits (bsc#
1192606).
o cifs: fix unneeded null check (bsc#1192606).
o cifs: fix use after free in cifs_smb3_do_mount() (bsc#1192606).
o cifs: Fix use after free of file info structures (bnc#1151927 5.3.8).
o cifs: Fix use-after-free bug in cifs_reconnect() (bsc#1164565).
o cifs: fix wrong release in sess_alloc_buffer() failed path (bsc#1192606).
o cifs: for compound requests, use open handle if possible (bsc#1192606).
o cifs: Force reval dentry if LOOKUP_REVAL flag is set (bnc#1151927 5.3.7).
o cifs: Force revalidate inode when dentry is stale (bnc#1151927 5.3.7).
o cifs: fork arc4 and create a separate module for it for cifs and other
users (bsc#1192606).
o cifs: get mode bits from special sid on stat (bsc#1164565).
o cifs: get rid of @noreq param in __dfs_cache_find() (bsc#1185902).
o cifs: get rid of cifs_sb->mountdata (bsc#1192606).
o cifs: Get rid of kstrdup_const()'d paths (bsc#1164565).
o cifs: get rid of unused parameter in reconn_setup_dfs_targets() (bsc#
1178270).
o cifs: Grab a reference for the dentry of the cached directory during the
lifetime of the cache (bsc#1192606).
o cifs: Gracefully handle QueryInfo errors during open (bnc#1151927 5.3.7).
o cifs: handle -EINTR in cifs_setattr (bsc#1192606).
o cifs: handle "guest" mount parameter (bsc#1192606).
o cifs: handle "nolease" option for vers=1.0 (bsc#1192606).
o cifs: handle different charsets in dfs cache (bsc#1185902).
o cifs: handle empty list of targets in cifs_reconnect() (bsc#1178270).
o cifs: handle hostnames that resolve to same ip in failover (bsc#1178270).
o cifs: handle prefix paths in reconnect (bsc#1164565).
o cifs: handle reconnect of tcon when there is no cached dfs referral (bsc#
1192606).
o cifs: handle RESP_GET_DFS_REFERRAL.PathConsumed in reconnect (bsc#1178270).
o cifs: Handle witness client move notification (bsc#1192606).
o cifs: have ->mkdir() handle race with another client sanely (bsc#1192606).
o cifs: have cifs_fattr_to_inode() refuse to change type on live inode (bsc#
1192606).
o cifs: Identify a connection by a conn_id (bsc#1192606).
o cifs: If a corrupted DACL is returned by the server, bail out (bsc#
1192606).
o cifs: ignore auto and noauto options if given (bsc#1192606).
o cifs: ignore cached share root handle closing errors (bsc#1166780).
o cifs: improve fallocate emulation (bsc#1192606).
o cifs: improve read performance for page size 64KB cache=strict vers=2.1+
(bsc#1192606).
o cifs: In the new mount api we get the full devname as source= (bsc#
1192606).
o cifs: Increment num_remote_opens stats counter even in case of
smb2_query_dir_first (bsc#1192606).
o cifs: Initialize filesystem timestamp ranges (bsc#1164565).
o cifs: introduce cifs_ses_mark_for_reconnect() helper (bsc#1192606).
o cifs: introduce helper for finding referral server (bsc#1181710).
o cifs: Introduce helpers for finding TCP connection (bsc#1164565).
o cifs: introduce new helper for cifs_reconnect() (bsc#1192606, jsc#
SLE-20042).
o cifs: keep referral server sessions alive (bsc#1185902).
o cifs: log mount errors using cifs_errorf() (bsc#1192606).
o cifs: log warning message (once) if out of disk space (bsc#1164565).
o cifs: make build_path_from_dentry() return const char * (bsc#1192606).
o cifs: make const array static, makes object smaller (bsc#1192606).
o cifs: Make extract_hostname function public (bsc#1192606).
o cifs: Make extract_sharename function public (bsc#1192606).
o cifs: make fs_context error logging wrapper (bsc#1192606).
o cifs: make locking consistent around the server session status (bsc#
1192606).
o cifs: make multichannel warning more visible (bsc#1192606).
o cifs: Make SMB2_notify_init static (bsc#1164565).
o cifs: make sure we do not overflow the max EA buffer size (bsc#1164565).
o cifs: make use of cap_unix(ses) in cifs_reconnect_tcon() (bsc#1164565).
o cifs: map STATUS_ACCOUNT_LOCKED_OUT to -EACCES (bsc#1192606).
o cifs: merge __{cifs,smb2}_reconnect[_tcon]() into cifs_tree_connect() (bsc#
1178270).
o cifs: Merge is_path_valid() into get_normalized_path() (bsc#1164565).
o cifs: minor fix to two debug messages (bsc#1192606).
o cifs: minor kernel style fixes for comments (bsc#1192606).
o cifs: minor simplification to smb2_is_network_name_deleted (bsc#1192606).
o cifs: minor update to comments around the cifs_tcp_ses_lock mutex (bsc#
1192606).
o cifs: minor updates to Kconfig (bsc#1192606).
o cifs: misc: Use array_size() in if-statement controlling expression (bsc#
1192606).
o cifs: missed ref-counting smb session in find (bsc#1192606).
o cifs: missing null check for newinode pointer (bsc#1192606).
o cifs: missing null pointer check in cifs_mount (bsc#1185902).
o cifs: modefromsid: make room for 4 ACE (bsc#1164565).
o cifs: modefromsid: write mode ACE first (bsc#1164565).
o cifs: move [brw]size from cifs_sb to cifs_sb->ctx (bsc#1192606).
o cifs: move cache mount options to fs_context.ch (bsc#1192606).
o cifs: move cifs_cleanup_volume_info[_content] to fs_context.c (bsc#
1192606).
o cifs: move cifs_parse_devname to fs_context.c (bsc#1192606).
o cifs: move cifsFileInfo_put logic into a work-queue (bsc#1154355).
o cifs: move debug print out of spinlock (bsc#1192606).
o cifs: Move more definitions into the shared area (bsc#1192606).
o cifs: move NEGOTIATE_PROTOCOL definitions out into the common area (bsc#
1192606).
o cifs: move security mount options into fs_context.ch (bsc#1192606).
o cifs: move SMB FSCTL definitions to common code (bsc#1192606).
o cifs: move smb version mount options into fs_context.c (bsc#1192606).
o cifs: Move SMB2_Create definitions to the shared area (bsc#1192606).
o cifs: move some variables off the stack in smb2_ioctl_query_info (bsc#
1192606).
o cifs: move the check for nohandlecache into open_shroot (bsc#1192606).
o cifs: move the enum for cifs parameters into fs_context.h (bsc#1192606).
o cifs: move update of flags into a separate function (bsc#1192606).
o cifs: multichannel: always zero struct cifs_io_parms (bsc#1192606).
o cifs: multichannel: move channel selection above transport layer (bsc#
1192606).
o cifs: multichannel: move channel selection in function (bsc#1192606).
o cifs: multichannel: try to rebind when reconnecting a channel (bsc#
1192606).
o cifs: multichannel: use pointer for binding channel (bsc#1192606).
o cifs: mute -Wunused-const-variable message (bnc#1151927 5.3.9).
o cifs: New optype for session operations (bsc#1181507).
o cifs: nosharesock should be set on new server (bsc#1192606).
o cifs: nosharesock should not share socket with future sessions (bsc#
1192606).
o cifs: On cifs_reconnect, resolve the hostname again (bsc#1192606).
o cifs: only update prefix path of DFS links in cifs_tree_connect() (bsc#
1178270).
o cifs: only write 64kb at a time when fallocating a small region of a file
(bsc#1192606).
o cifs: Optimize readdir on reparse points (bsc#1164565).
o cifs: pass a path to open_shroot and check if it is the root or not (bsc#
1192606).
o cifs: pass the dentry instead of the inode down to the revalidation check
functions (bsc#1192606).
o cifs: plumb smb2 POSIX dir enumeration (bsc#1164565).
o cifs: populate server_hostname for extra channels (bsc#1192606).
o cifs: potential unintitliazed error code in cifs_getattr() (bsc#1164565).
o cifs: prepare SMB2_Flush to be usable in compounds (bsc#1154355).
o cifs: prepare SMB2_query_directory to be used with compounding (bsc#
1164565).
o cifs: prevent NULL deref in cifs_compose_mount_options() (bsc#1185902).
o cifs: prevent truncation from long to int in wait_for_free_credits (bsc#
1192606).
o cifs: print MIDs in decimal notation (bsc#1181507).
o cifs: Print the address and port we are connecting to in generic_ip_connect
() (bsc#1192606).
o cifs: print warning mounting with vers=1.0 (bsc#1164565).
o cifs: properly invalidate cached root handle when closing it (bsc#1192606).
o cifs: Properly process SMB3 lease breaks (bsc#1164565).
o cifs: protect session channel fields with chan_lock (bsc#1192606).
o cifs: protect srv_count with cifs_tcp_ses_lock (bsc#1192606).
o cifs: protect updating server->dstaddr with a spinlock (bsc#1192606).
o cifs: Re-indent cifs_swn_reconnect() (bsc#1192606).
o cifs: reduce number of referral requests in DFS link lookups (bsc#1178270).
o cifs: reduce stack use in smb2_compound_op (bsc#1192606).
o cifs: refactor cifs_get_inode_info() (bsc#1164565).
o cifs: refactor create_sd_buf() and and avoid corrupting the buffer (bsc#
1192606).
o cifs: Reformat DebugData and index connections by conn_id (bsc#1192606).
o cifs: Register generic netlink family (bsc#1192606). Update configs with
CONFIG_SWN_UPCALL unset.
o cifs: release lock earlier in dequeue_mid error case (bsc#1192606).
o cifs: remove [gu]id/backup[gu]id/file_mode/dir_mode from cifs_sb (bsc#
1192606).
o cifs: remove actimeo from cifs_sb (bsc#1192606).
o cifs: remove bogus debug code (bsc#1179427).
o cifs: remove ctx argument from cifs_setup_cifs_sb (bsc#1192606).
o cifs: remove duplicated prototype (bsc#1192606).
o cifs: remove old dead code (bsc#1192606).
o cifs: remove pathname for file from SPDX header (bsc#1192606).
o cifs: remove redundant assignment to pointer pneg_ctxt (bsc#1164565).
o cifs: remove redundant assignment to variable rc (bsc#1164565).
o cifs: remove redundant initialization of variable rc (bsc#1192606).
o cifs: remove redundant initialization of variable rc (bsc#1192606).
o cifs: Remove repeated struct declaration (bsc#1192606).
o cifs: Remove set but not used variable 'capabilities' (bsc#1164565).
o cifs: remove set but not used variable 'server' (bsc#1164565).
o cifs: remove set but not used variables 'cinode' and 'netfid' (bsc#
1164565).
o cifs: remove set but not used variables (bsc#1164565).
o cifs: remove some minor warnings pointed out by kernel test robot (bsc#
1192606).
o cifs: remove the devname argument to cifs_compose_mount_options (bsc#
1192606).
o cifs: remove the retry in cifs_poxis_lock_set (bsc#1192606).
o cifs: Remove the superfluous break (bsc#1192606).
o cifs: remove two cases where rc is set unnecessarily in sid_to_id (bsc#
1192606).
o cifs: remove unnecessary copies of tcon->crfid.fid (bsc#1192606).
o cifs: Remove unnecessary struct declaration (bsc#1192606).
o cifs: remove unneeded variable in smb3_fs_context_dup (bsc#1192606).
o cifs: Remove unused inline function is_sysvol_or_netlogon() (bsc#1185902).
o cifs: remove unused variable 'server' (bsc#1192606).
o cifs: remove unused variable 'sid_user' (bsc#1164565).
o cifs: remove unused variable (bsc#1164565).
o cifs: Remove useless variable (bsc#1192606).
o cifs: remove various function description warnings (bsc#1192606).
o cifs: rename a variable in SendReceive() (bsc#1164565).
o cifs: rename cifs_common to smbfs_common (bsc#1192606).
o cifs: rename dup_vol to smb3_fs_context_dup and move it into fs_context.c
(bsc#1192606).
o cifs: rename posix create rsp (bsc#1164565).
o cifs: rename reconn_inval_dfs_target() (bsc#1178270).
o cifs: rename smb_vol as smb3_fs_context and move it to fs_context.h (bsc#
1192606).
o cifs: rename the *_shroot* functions to *_cached_dir* (bsc#1192606).
o cifs: report error instead of invalid when revalidating a dentry fails (bsc
#1177440).
o cifs: Respect O_SYNC and O_DIRECT flags during reconnect (bsc#1164565).
o cifs: Retain old ACEs when converting between mode bits and ACL (bsc#
1192606).
o cifs: retry lookup and readdir when EAGAIN is returned (bsc#1192606).
o cifs: return cached_fid from open_shroot (bsc#1192606).
o cifs: Return correct error code from smb2_get_enc_key (git-fixes).
o cifs: Return directly after a failed build_path_from_dentry() in
cifs_do_create() (bsc#1164565).
o cifs: return proper error code in statfs(2) (bsc#1181507).
o cifs: Return the error from crypt_message when enc/dec key not found (bsc#
1179426).
o cifs: returning mount parm processing errors correctly (bsc#1192606).
o cifs: revalidate mapping when we open files for SMB1 POSIX (bsc#1192606).
o cifs: Send witness register and unregister commands to userspace daemon
(bsc#1192606).
o cifs: Send witness register messages to userspace daemon in echo task (bsc#
1192606).
o cifs: send workstation name during ntlmssp session setup (bsc#1192606).
o cifs: set a minimum of 120s for next dns resolution (bsc#1192606).
o cifs: set a minimum of 2 minutes for refreshing dfs cache (bsc#1185902).
o cifs: Set CIFS_MOUNT_USE_PREFIX_PATH flag on setting cifs_sb->prepath (bsc#
1192606).
o cifs: set correct max-buffer-size for smb2_ioctl_init() (bsc#1164565).
o cifs: set server->cipher_type to AES-128-CCM for SMB3.0 (bsc#1192606).
o cifs: set up next DFS target before generic_ip_connect() (bsc#1178270).
o cifs: Set witness notification handler for messages from userspace daemon
(bsc#1192606).
o cifs: Silently ignore unknown oplock break handle (bsc#1192606).
o cifs: Simplify bool comparison (bsc#1192606).
o cifs: simplify handling of cifs_sb/ctx->local_nls (bsc#1192606).
o cifs: Simplify reconnect code when dfs upcall is enabled (bsc#1192606).
o cifs: simplify SWN code with dummy funcs instead of ifdefs (bsc#1192606).
o cifs: smb1: Try failing back to SetFileInfo if SetPathInfo fails (bsc#
1192606).
o cifs: smb2pdu.h: Replace zero-length array with flexible-array member (bsc#
1192606).
o cifs: smbd: Add messages on RDMA session destroy and reconnection (bsc#
1164565).
o cifs: smbd: Calculate the correct maximum packet size for segmented
SMBDirect send/receive (bsc#1192606).
o cifs: smbd: Check and extend sender credits in interrupt context (bsc#
1192606).
o cifs: smbd: Check send queue size before posting a send (bsc#1192606).
o cifs: smbd: Do not schedule work to send immediate packet on every receive
(bsc#1192606).
o cifs: smbd: Invalidate and deregister memory registration on re-send for
direct I/O (bsc#1164565).
o cifs: smbd: Merge code to track pending packets (bsc#1192606).
o cifs: smbd: Only queue work for error recovery on memory registration (bsc#
1164565).
o cifs: smbd: Properly process errors on ib_post_send (bsc#1192606).
o cifs: smbd: Return -EAGAIN when transport is reconnecting (bsc#1164565).
o cifs: smbd: Return -ECONNABORTED when trasnport is not in connected state
(bsc#1164565).
o cifs: smbd: Return -EINVAL when the number of iovs exceeds
SMBDIRECT_MAX_SGE (bsc#1164565).
o cifs: smbd: Update receive credits before sending and deal with credits
roll back on failure before sending (bsc#1192606).
o cifs: sort interface list by speed (bsc#1192606).
o cifs: Spelling s/EACCESS/EACCES/ (bsc#1192606).
o cifs: split out dfs code from cifs_reconnect() (bsc#1192606, jsc#
SLE-20042).
o cifs: Standardize logging output (bsc#1192606).
o cifs: store a pointer to the root dentry in cifs_sb_info once we have
completed mounting the share (bsc#1192606).
o cifs: style: replace one-element array with flexible-array (bsc#1192606).
o cifs: support nested dfs links over reconnect (bsc#1192606, jsc#SLE-20042).
o cifs: support share failover when remounting (bsc#1192606, jsc#SLE-20042).
o cifs: switch build_path_from_dentry() to using dentry_path_raw() (bsc#
1192606).
o cifs: switch servers depending on binding state (bsc#1192606).
o cifs: switch to new mount api (bsc#1192606).
o cifs: To match file servers, make sure the server hostname matches (bsc#
1192606).
o cifs: Tracepoints and logs for tracing credit changes (bsc#1181507).
o cifs: try harder to open new channels (bsc#1192606).
o cifs: try opening channels after mounting (bsc#1192606).
o cifs: uncomplicate printing the iocharset parameter (bsc#1192606).
o cifs: Unlock on errors in cifs_swn_reconnect() (bsc#1192606).
o cifs: update ctime and mtime during truncate (bsc#1192606).
o cifs: update FSCTL definitions (bsc#1192606).
o cifs: update internal module version number (bsc#1192606).
o cifs: update internal module version number (bsc#1192606).
o cifs: update internal module version number (bsc#1192606).
o cifs: update internal module version number (bsc#1192606).
o cifs: update internal module version number (bsc#1192606).
o cifs: update internal module version number (bsc#1192606).
o cifs: update internal module version number (bsc#1192606).
o cifs: update internal module version number (bsc#1192606).
o cifs: update internal version number (bsc#1192606).
o cifs: update internal version number (bsc#1192606).
o cifs: update internal version number (bsc#1192606).
o cifs: update internal version number (bsc#1192606).
o cifs: update mnt_cifs_flags during reconfigure (bsc#1192606).
o cifs: update new ACE pointer after populate_new_aces (bsc#1192606).
o cifs: update super_operations to show_devname (bsc#1192606).
o cifs: Use #define in cifs_dbg (bsc#1164565).
o cifs: use cifsInodeInfo->open_file_lock while iterating to avoid a panic
(bnc#1151927 5.3.7).
o cifs: Use common error handling code in smb2_ioctl_query_info() (bsc#
1164565).
o cifs: use compounding for open and first query-dir for readdir() (bsc#
1164565).
o cifs: use discard iterator to discard unneeded network data more
efficiently (bsc#1192606).
o cifs: use echo_interval even when connection not ready (bsc#1192606).
o cifs: use existing handle for compound_op(OP_SET_INFO) when possible (bsc#
1154355).
o cifs: use helpers when parsing uid/gid mount options and validate them (bsc
#1192606).
o cifs: Use memdup_user() rather than duplicating its implementation (bsc#
1164565).
o cifs: use mod_delayed_work() for server->reconnect if already queued (bsc#
1164565).
o cifs: use PTR_ERR_OR_ZERO() to simplify code (bsc#1164565).
o cifs: use SPDX-Licence-Identifier (bsc#1192606).
o cifs: use the expiry output of dns_query to schedule next resolution (bsc#
1192606).
o cifs: use true,false for bool variable (bsc#1164565).
o cifs: warn and fail if trying to use rootfs without the config option (bsc#
1192606).
o cifs: Warn less noisily on default mount (bsc#1192606).
o cifs: we do not allow changing username/password/unc/... during remount
(bsc#1192606).
o cifs/smb3: Fix data inconsistent when punch hole (bsc#1176544).
o cifs/smb3: Fix data inconsistent when zero file range (bsc#1176536).
o cifs`: handle ERRBaduid for SMB1 (bsc#1192606).
o clk: imx: imx6ul: Move csi_sel mux to correct base register (git-fixes).
o clk: ingenic: Fix bugs with divided dividers (git-fixes).
o config: refresh BPF configs (jsc#SLE-22574) The SUSE-commit 9a413cc7eb56
("config: disable unprivileged BPF by default (jsc#SLE-22573)") inherited
from SLE15-SP2 puts the BPF config into the wrong place due to SLE15-SP3
additionally backported b24abcff918a ("bpf, kconfig: Add consolidated menu
entry for bpf with core options"), and leads to duplicate
CONFIG_BPF_UNPRIV_DEFAULT_OFF entires; this commit remove those BPF config.
Also, disable unprivileged BPF for armv7hl, which did not inherit the
config change from SLE15-SP2.
o constraints: Build aarch64 on recent ARMv8.1 builders. Request asimdrdm
feature which is available only on recent ARMv8.1 CPUs. This should prevent
scheduling the kernel on an older slower builder.
o Convert trailing spaces and periods in path components (bsc#1179424).
o crypto: ecc - fix CRYPTO_DEFAULT_RNG dependency (git-fixes).
o crypto: pcrypt - Delay write to padata->info (git-fixes).
o crypto: s5p-sss - Add error handling in s5p_aes_probe() (git-fixes).
o cxgb4: fix eeprom len when diagnostics not implemented (git-fixes).
o dm raid: remove unnecessary discard limits for raid0 and raid10 (bsc#
1192320).
o dm: fix deadlock when swapping to encrypted device (bsc#1186332).
o dmaengine: at_xdmac: fix AT_XDMAC_CC_PERID() macro (git-fixes).
o dmaengine: dmaengine_desc_callback_valid(): Check for `callback_result`
(git-fixes).
o do_cifs_create(): do not set ->i_mode of something we had not created (bsc#
1192606).
o drm: panel-orientation-quirks: Add quirk for Aya Neo 2021 (git-fixes).
o drm: panel-orientation-quirks: Add quirk for GPD Win3 (git-fixes).
o drm: panel-orientation-quirks: Add quirk for KD Kurio Smart C15200 2-in-1
(git-fixes).
o drm: panel-orientation-quirks: Add quirk for the Samsung Galaxy Book 10.6
(git-fixes).
o drm: panel-orientation-quirks: Update the Lenovo Ideapad D330 quirk (v2)
(git-fixes).
o drm/amd/display: Set plane update flags for all planes in reset
(git-fixes).
o drm/amdgpu: fix set scaling mode Full/Full aspect/Center not works on vga
and dvi connectors (git-fixes).
o drm/msm: Do hw_init() before capturing GPU state (git-fixes).
o drm/msm/a6xx: Allocate enough space for GMU registers (git-fixes).
o drm/nouveau: hdmigv100.c: fix corrupted HDMI Vendor InfoFrame (git-fixes).
o drm/nouveau/acr: fix a couple NULL vs IS_ERR() checks (git-fixes).
o drm/nouveau/svm: Fix refcount leak bug and missing check against null bug
(git-fixes).
o drm/panel-orientation-quirks: add Valve Steam Deck (git-fixes).
o drm/pl111: Actually fix CONFIG_VEXPRESS_CONFIG depends (git-fixes).
o drm/plane-helper: fix uninitialized variable reference (git-fixes).
o drm/vc4: fix error code in vc4_create_object() (git-fixes).
o drop superfluous empty lines
o e1000e: Separate TGP board type from SPT (bsc#1192874).
o EDAC/amd64: Handle three rank interleaving mode (bsc#1152489).
o elfcore: correct reference to CONFIG_UML (git-fixes).
o elfcore: fix building with clang (bsc#1169514).
o ethtool: fix ethtool msg len calculation for pause stats (jsc#SLE-15075).
o firmware: qcom_scm: Mark string array const (git-fixes).
o fuse: release pipe buf after last use (bsc#1193318).
o gve: Add netif_set_xps_queue call (bsc#1176940).
o gve: Add rx buffer pagecnt bias (bsc#1176940).
o gve: Allow pageflips on larger pages (bsc#1176940).
o gve: Do lazy cleanup in TX path (git-fixes).
o gve: DQO: avoid unused variable warnings (bsc#1176940).
o gve: Switch to use napi_complete_done (git-fixes).
o gve: Track RX buffer allocation failures (bsc#1176940).
o hwmon: (k10temp) Add additional missing Zen2 and Zen3 APUs (jsc#SLE-17823
jsc#SLE-23139 jsc#ECO-3666).
o hwmon: (k10temp) Add support for yellow carp (jsc#SLE-17823 jsc#SLE-23139
jsc#ECO-3666).
o hwmon: (k10temp) Add support for Zen3 CPUs (jsc#SLE-17823 jsc#SLE-23139 jsc
#ECO-3666).
o hwmon: (k10temp) Create common functions and macros for Zen CPU families
(jsc#SLE-17823 jsc#SLE-23139 jsc#ECO-3666).
o hwmon: (k10temp) Define SVI telemetry and current factors for Zen2 CPUs
(jsc#SLE-17823 jsc#SLE-23139 jsc#ECO-3666).
o hwmon: (k10temp) Do not show Tdie for all Zen/Zen2/Zen3 CPU/APU (jsc#
SLE-17823 jsc#SLE-23139 jsc#ECO-3666).
o hwmon: (k10temp) make some symbols static (jsc#SLE-17823 jsc#SLE-23139 jsc#
ECO-3666).
o hwmon: (k10temp) Remove residues of current and voltage (jsc#SLE-17823 jsc#
SLE-23139 jsc#ECO-3666).
o hwmon: (k10temp) Remove support for displaying voltage and current on Zen
CPUs (jsc#SLE-17823 jsc#SLE-23139 jsc#ECO-3666).
o hwmon: (k10temp) Reorganize and simplify temperature support detection (jsc
#SLE-17823 jsc#SLE-23139 jsc#ECO-3666).
o hwmon: (k10temp) Rework the temperature offset calculation (jsc#SLE-17823
jsc#SLE-23139 jsc#ECO-3666).
o hwmon: (k10temp) support Zen3 APUs (jsc#SLE-17823 jsc#SLE-23139 jsc#
ECO-3666).
o hwmon: (k10temp) Swap Tdie and Tctl on Family 17h CPUs (jsc#SLE-17823 jsc#
SLE-23139 jsc#ECO-3666).
o hwmon: (k10temp) Update documentation and add temp2_input info (jsc#
SLE-17823 jsc#SLE-23139 jsc#ECO-3666).
o hwmon: (k10temp) Update driver documentation (jsc#SLE-17823 jsc#SLE-23139
jsc#ECO-3666).
o hwmon: (k10temp) Zen3 Ryzen Desktop CPUs support (jsc#SLE-17823 jsc#
SLE-23139 jsc#ECO-3666).
o i2c: cbus-gpio: set atomic transfer callback (git-fixes).
o i2c: stm32f7: flush TX FIFO upon transfer errors (git-fixes).
o i2c: stm32f7: recover the bus on access timeout (git-fixes).
o i2c: stm32f7: stop dma transfer in case of NACK (git-fixes).
o i2c: xlr: Fix a resource leak in the error handling path of 'xlr_i2c_probe
()' (git-fixes).
o i40e: Fix changing previously set num_queue_pairs for PFs (git-fixes).
o i40e: Fix correct max_pkt_size on VF RX queue (git-fixes).
o i40e: Fix creation of first queue by omitting it if is not power of two
(git-fixes).
o i40e: Fix display error code in dmesg (git-fixes).
o i40e: Fix failed opcode appearing if handling messages from VF (git-fixes).
o i40e: Fix NULL ptr dereference on VSI filter sync (git-fixes).
o i40e: Fix ping is lost after configuring ADq on VF (git-fixes).
o i40e: Fix pre-set max number of queues for VF (git-fixes).
o i40e: Fix warning message and call stack during rmmod i40e driver
(git-fixes).
o iavf: check for null in iavf_fix_features (git-fixes).
o iavf: do not clear a lock we do not hold (git-fixes).
o iavf: Fix failure to exit out from last all-multicast mode (git-fixes).
o iavf: Fix for setting queues to 0 (jsc#SLE-12877).
o iavf: Fix for the false positive ASQ/ARQ errors while issuing VF reset
(git-fixes).
o iavf: Fix reporting when setting descriptor count (git-fixes).
o iavf: Fix return of set the new channel count (jsc#SLE-12877).
o iavf: free q_vectors before queues in iavf_disable_vf (git-fixes).
o iavf: prevent accidental free of filter structure (git-fixes).
o iavf: Prevent changing static ITR values if adaptive moderation is on
(git-fixes).
o iavf: Restore VLAN filters after link down (git-fixes).
o iavf: validate pointers (git-fixes).
o ibmvnic: drop bad optimization in reuse_rx_pools() (bsc#1193349 ltc#
195568).
o ibmvnic: drop bad optimization in reuse_tx_pools() (bsc#1193349 ltc#
195568).
o ice: avoid bpf_prog refcount underflow (jsc#SLE-7926).
o ice: avoid bpf_prog refcount underflow (jsc#SLE-7926).
o ice: Delete always true check of PF pointer (git-fixes).
o ice: Fix not stopping Tx queues for VFs (jsc#SLE-7926).
o ice: Fix VF true promiscuous mode (jsc#SLE-12878).
o ice: fix vsi->txq_map sizing (jsc#SLE-7926).
o ice: ignore dropped packets during init (git-fixes).
o ice: Remove toggling of antispoof for VF trusted promiscuous mode (jsc#
SLE-12878).
o igb: fix netpoll exit with traffic (git-fixes).
o igc: Remove _I_PHY_ID checking (bsc#1193169).
o igc: Remove phy->type checking (bsc#1193169).
o iio: imu: st_lsm6dsx: Avoid potential array overflow in st_lsm6dsx_set_odr
() (git-fixes).
o Input: iforce - fix control-message timeout (git-fixes).
o iommu: Check if group is NULL before remove device (git-fixes).
o iommu/amd: Relocate GAMSup check to early_enable_iommus (git-fixes).
o iommu/amd: Remove iommu_init_ga() (git-fixes).
o iommu/mediatek: Fix out-of-range warning with clang (git-fixes).
o iommu/vt-d: Consolidate duplicate cache invaliation code (git-fixes).
o iommu/vt-d: Fix incomplete cache flush in intel_pasid_tear_down_entry()
(git-fixes).
o iommu/vt-d: Update the virtual command related registers (git-fixes).
o ipmi: Disable some operations during a panic (git-fixes).
o kABI: dm: fix deadlock when swapping to encrypted device (bsc#1186332).
o kabi: hide changes to struct uv_info (git-fixes).
o kernel-obs-build: include the preferred kernel parameters Currently the
Open Build Service hardcodes the kernel boot parameters globally. Recently
functionality was added to control the parameters by the kernel-obs-build
package, so make use of that. parameters here will overwrite what is used
by OBS otherwise.
o kernel-obs-build: inform build service about virtio-serial Inform the build
worker code that this kernel supports virtio-serial, which improves
performance and relability of logging.
o kernel-obs-build: remove duplicated/unused parameters lbs=0 - this
parameters is just giving "unused parameter" and it looks like I can not
find any version that implemented this. rd.driver.pre=binfmt_misc is not
needed when setup_obs is used, it alread loads the kernel module. quiet and
panic=1 will now be also always added by OBS, so we do not have to set it
here anymore.
o kernel-source.spec: install-kernel-tools also required on 15.4
o lib/xz: Avoid overlapping memcpy() with invalid input with in-place
decompression (git-fixes).
o lib/xz: Validate the value before assigning it to an enum variable
(git-fixes).
o libata: fix checking of DMA state (git-fixes).
o linux/parser.h: add include guards (bsc#1192606).
o lpfc: Reintroduce old IRQ probe logic (bsc#1183897).
o md: add md_submit_discard_bio() for submitting discard bio (bsc#1192320).
o md: fix a lock order reversal in md_alloc (git-fixes).
o md/raid10: extend r10bio devs to raid disks (bsc#1192320).
o md/raid10: improve discard request for far layout (bsc#1192320).
o md/raid10: improve raid10 discard request (bsc#1192320).
o md/raid10: initialize r10_bio->read_slot before use (bsc#1192320).
o md/raid10: pull the code that wait for blocked dev into one function (bsc#
1192320).
o md/raid10: Remove unnecessary rcu_dereference in raid10_handle_discard (bsc
#1192320).
o mdio: aspeed: Fix "Link is Down" issue (bsc#1176447).
o media: imx: set a media_device bus_info string (git-fixes).
o media: ipu3-imgu: imgu_fmt: Handle properly try (git-fixes).
o media: ipu3-imgu: VIDIOC_QUERYCAP: Fix bus_info (git-fixes).
o media: ir-kbd-i2c: improve responsiveness of hauppauge zilog receivers
(git-fixes).
o media: mceusb: return without resubmitting URB in case of -EPROTO error
(git-fixes).
o media: mt9p031: Fix corrupted frame after restarting stream (git-fixes).
o media: netup_unidvb: handle interrupt properly according to the firmware
(git-fixes).
o media: rcar-csi2: Add checking to rcsi2_start_receiver() (git-fixes).
o media: s5p-mfc: fix possible null-pointer dereference in s5p_mfc_probe()
(git-fixes).
o media: stm32: Potential NULL pointer dereference in dcmi_irq_thread()
(git-fixes).
o media: usb: dvd-usb: fix uninit-value bug in dibusb_read_eeprom_byte()
(git-fixes).
o media: uvcvideo: Return -EIO for control errors (git-fixes).
o media: uvcvideo: Set capability in s_param (git-fixes).
o media: uvcvideo: Set unique vdev name based in type (git-fixes).
o memstick: r592: Fix a UAF bug when removing the driver (git-fixes).
o MM: reclaim mustn't enter FS for swap-over-NFS (bsc#1191876).
o mmc: dw_mmc: Dont wait for DRTO on Write RSP error (git-fixes).
o mmc: winbond: do not build on M68K (git-fixes).
o mtd: core: do not remove debugfs directory if device is in use (git-fixes).
o mwifiex: Properly initialize private structure on interface type changes
(git-fixes).
o mwifiex: Read a PCI register after writing the TX ring write pointer
(git-fixes).
o mwifiex: Run SET_BSS_MODE when changing from P2P to STATION vif-type
(git-fixes).
o mwl8k: Fix use-after-free in mwl8k_fw_state_machine() (git-fixes).
o net: asix: fix uninit value bugs (git-fixes).
o net: bnx2x: fix variable dereferenced before check (git-fixes).
o net: bridge: fix under estimation in br_get_linkxstats_size() (bsc#
1176447).
o net: cdc_ncm: Allow for dwNtbOutMaxSize to be unset or zero (git-fixes).
o net: delete redundant function declaration (git-fixes).
o net: hns3: change affinity_mask to numa node range (bsc#1154353).
o net: hns3: fix misuse vf id and vport id in some logs (bsc#1154353).
o net: hns3: remove check VF uc mac exist when set by PF (bsc#1154353).
o net: hso: fix control-request directions (git-fixes).
o net: hso: fix muxed tty registration (git-fixes).
o net: linkwatch: fix failure to restore device state across suspend/resume
(bsc#1192511).
o net: mana: Allow setting the number of queues while the NIC is down (jsc#
SLE-18779, bsc#1185726).
o net: mana: Fix memory leak in mana_hwc_create_wq (jsc#SLE-18779, bsc#
1185726).
o net: mana: Fix spelling mistake "calledd" -> "called" (jsc#SLE-18779, bsc#
1185726).
o net: mana: Fix the netdev_err()'s vPort argument in mana_init_port() (jsc#
SLE-18779, bsc#1185726).
o net: mana: Improve the HWC error handling (jsc#SLE-18779, bsc#1185726).
o net: mana: Support hibernation and kexec (jsc#SLE-18779, bsc#1185726).
o net: mana: Use kcalloc() instead of kzalloc() (jsc#SLE-18779, bsc#1185726).
o net: pegasus: fix uninit-value in get_interrupt_interval (git-fixes).
o net: qlogic: qlcnic: Fix a NULL pointer dereference in
qlcnic_83xx_add_rings() (git-fixes).
o net: stmmac: add EHL 2.5Gbps PCI info and PCI ID (bsc#1192691).
o net: stmmac: add EHL PSE0 PSE1 1Gbps PCI info and PCI ID (bsc#1192691).
o net: stmmac: add EHL RGMII 1Gbps PCI info and PCI ID (bsc#1192691).
o net: stmmac: add EHL SGMII 1Gbps PCI info and PCI ID (bsc#1192691).
o net: stmmac: add TGL SGMII 1Gbps PCI info and PCI ID (bsc#1192691).
o net: stmmac: create dwmac-intel.c to contain all Intel platform (bsc#
1192691).
o net: stmmac: pci: Add HAPS support using GMAC5 (bsc#1192691).
o net: usb: lan78xx: lan78xx_phy_init(): use PHY_POLL instead of "0" if no
IRQ is available (git-fixes).
o net: usb: lan78xx: lan78xx_phy_init(): use PHY_POLL instead of "0" if no
IRQ is available (git-fixes).
o net: usb: Merge cpu_to_le32s + memcpy to put_unaligned_le32 (git-fixes).
o net/mlx4_en: Fix an use-after-free bug in mlx4_en_try_alloc_resources()
(git-fixes).
o net/mlx5: E-Switch, return error if encap isn't supported (jsc#SLE-15172).
o net/mlx5e: reset XPS on error flow if netdev isn't registered yet
(git-fixes).
o net/sched: sch_ets: do not peek at classes beyond 'nbands' (bsc#1176774).
o netfilter: ctnetlink: do not erase error code with EINVAL (bsc#1176447).
o netfilter: ctnetlink: fix filtering with CTA_TUPLE_REPLY (bsc#1176447).
o netfilter: flowtable: fix IPv6 tunnel addr match (bsc#1176447).
o NFC: add NCI_UNREG flag to eliminate the race (git-fixes).
o NFC: pn533: Fix double free when pn533_fill_fragment_skbs() fails
(git-fixes).
o NFC: reorder the logic in nfc_{un,}register_device (git-fixes).
o NFC: reorganize the functions in nci_request (git-fixes).
o nfp: checking parameter process for rx-usecs/tx-usecs is invalid
(git-fixes).
o nfp: Fix memory leak in nfp_cpp_area_cache_add() (git-fixes).
o NFS: Do not set NFS_INO_DATA_INVAL_DEFER and NFS_INO_INVALID_DATA
(git-fixes).
o NFS: do not take i_rwsem for swap IO (bsc#1191876).
o NFS: Fix deadlocks in nfs_scan_commit_list() (git-fixes).
o NFS: Fix up commit deadlocks (git-fixes).
o NFS: move generic_write_checks() call from nfs_file_direct_write() to
nfs_file_write() (bsc#1191876).
o nfsd: do not alloc under spinlock in rpc_parse_scope_id (git-fixes).
o nfsd: fix error handling of register_pernet_subsys() in init_nfsd()
(git-fixes).
o nfsd4: Handle the NFSv4 READDIR 'dircount' hint being zero (git-fixes).
o NFSv4: Fix a regression in nfs_set_open_stateid_locked() (git-fixes).
o nvme-multipath: Skip not ready namespaces when revalidating paths (bsc#
1191793 bsc#1192507 bsc#1192969).
o nvme-pci: add NO APST quirk for Kioxia device (git-fixes).
o objtool: Support Clang non-section symbols in ORC generation (bsc#1169514).
o PCI: Add PCI_EXP_DEVCTL_PAYLOAD_* macros (git-fixes).
o PCI: Mark Atheros QCA6174 to avoid bus reset (git-fixes).
o PCI/MSI: Deal with devices lying about their MSI mask capability
(git-fixes).
o perf: Correctly handle failed perf_get_aux_event() (git-fixes).
o perf/x86/intel: Fix unchecked MSR access error caused by VLBR_EVENT
(git-fixes).
o perf/x86/intel/uncore: Fix Intel ICX IIO event constraints (git-fixes).
o perf/x86/intel/uncore: Fix M2M event umask for Ice Lake server (git-fixes).
o perf/x86/intel/uncore: Fix the scale of the IMC free-running events
(git-fixes).
o perf/x86/intel/uncore: Support extra IMC channel on Ice Lake server
(git-fixes).
o perf/x86/vlbr: Add c->flags to vlbr event constraints (git-fixes).
o platform/x86: hp_accel: Fix an error handling path in 'lis3lv02d_probe()'
(git-fixes).
o platform/x86: wmi: do not fail if disabling fails (git-fixes).
o PM: hibernate: Get block device exclusively in swsusp_check() (git-fixes).
o PM: hibernate: use correct mode for swsusp_close() (git-fixes).
o pnfs/flexfiles: Fix misplaced barrier in nfs4_ff_layout_prepare_ds
(git-fixes).
o powerpc: fix unbalanced node refcount in check_kvm_guest() (jsc#SLE-15869
jsc#SLE-16321 git-fixes).
o powerpc/iommu: Report the correct most efficient DMA mask for PCI devices
(git-fixes).
o powerpc/paravirt: correct preempt debug splat in vcpu_is_preempted() (bsc#
1181148 ltc#190702 git-fixes).
o powerpc/paravirt: vcpu_is_preempted() commentary (bsc#1181148 ltc#190702
git-fixes).
o powerpc/perf: Fix cycles/instructions as PM_CYC/PM_INST_CMPL in power10
(jsc#SLE-13513 git-fixes).
o powerpc/pseries: Move some PAPR paravirt functions to their own file (bsc#
1181148 ltc#190702 git-fixes).
o powerpc/watchdog: Avoid holding wd_smp_lock over printk and
smp_send_nmi_ipi (bsc#1187541 ltc#192129).
o powerpc/watchdog: Fix missed watchdog reset due to memory ordering race
(bsc#1187541 ltc#192129).
o powerpc/watchdog: Fix wd_smp_last_reset_tb reporting (bsc#1187541 ltc#
192129).
o powerpc/watchdog: read TB close to where it is used (bsc#1187541 ltc#
192129).
o powerpc/watchdog: tighten non-atomic read-modify-write access (bsc#1187541
ltc#192129).
o printk: Remove printk.h inclusion in percpu.h (bsc#1192987).
o qede: validate non LSO skb length (git-fixes).
o r8152: limit the RX buffer size of RTL8153A for USB 2.0 (git-fixes).
o r8169: Add device 10ec:8162 to driver r8169 (git-fixes).
o RDMA/bnxt_re: Update statistics counter name (jsc#SLE-16649).
o recordmcount.pl: fix typo in s390 mcount regex (bsc#1192267).
o recordmcount.pl: look for jgnop instruction as well as bcrl on s390 (bsc#
1192267).
o reset: socfpga: add empty driver allowing consumers to probe (git-fixes).
o ring-buffer: Protect ring_buffer_reset() from reentrancy (bsc#1179960).
o rpm/*.spec.in: use buildroot macro instead of env variable The
RPM_BUILD_ROOT variable is considered deprecated over a buildroot macro.
future proof the spec files.
o rpm/kernel-binary.spec.in: do not strip vmlinux again (bsc#1193306) After
usrmerge, vmlinux file is not named vmlinux-lt;version>, but simply
vmlinux. And this is not reflected in STRIP_KEEP_SYMTAB we set. So fix this
by removing the dash...
o rpm/kernel-obs-build.spec.in: move to zstd for the initrd Newer distros
have capability to decompress zstd, which provides a 2-5% better
compression ratio at very similar cpu overhead. Plus this tests the zstd
codepaths now as well.
o rt2x00: do not mark device gone on EPROTO errors during start (git-fixes).
o rxrpc: Fix rxrpc_local leak in rxrpc_lookup_peer() (bsc#1154353 bnc#1151927
5.3.9).
o s390: mm: Fix secure storage access exception handling (git-fixes).
o s390/bpf: Fix branch shortening during codegen pass (bsc#1193993).
o s390/uv: fully validate the VMA before calling follow_page() (git-fixes).
o scsi: iscsi: Adjust iface sysfs attr detection (git-fixes).
o scsi: lpfc: Fix non-recovery of remote ports following an unsolicited LOGO
(bsc#1189126).
o scsi: mpi3mr: Fix duplicate device entries when scanning through sysfs
(git-fixes).
o scsi: mpt3sas: Fix kernel panic during drive powercycle test (git-fixes).
o scsi: mpt3sas: Fix system going into read-only mode (git-fixes).
o scsi: pm80xx: Do not call scsi_remove_host() in pm8001_alloc() (git-fixes).
o scsi: qla2xxx: Fix gnl list corruption (git-fixes).
o scsi: qla2xxx: Relogin during fabric disturbance (git-fixes).
o scsi: qla2xxx: Turn off target reset during issue_lip (git-fixes).
o serial: 8250_pci: Fix ACCES entries in pci_serial_quirks array (git-fixes).
o serial: 8250_pci: rewrite pericom_do_set_divisor() (git-fixes).
o serial: 8250: Fix RTS modem control while in rs485 mode (git-fixes).
o serial: core: fix transmit-buffer reset and memleak (git-fixes).
o smb2: clarify rc initialization in smb2_reconnect (bsc#1192606).
o smb2: fix use-after-free in smb2_ioctl_query_info() (bsc#1192606).
o smb3: add additional null check in SMB2_ioctl (bsc#1192606).
o smb3: add additional null check in SMB2_open (bsc#1192606).
o smb3: add additional null check in SMB2_tcon (bsc#1192606).
o smb3: add additional null check in SMB311_posix_mkdir (bsc#1192606).
o smb3: Add debug message for new file creation with idsfromsid mount option
(bsc#1192606).
o smb3: add debug messages for closing unmatched open (bsc#1164565).
o smb3: add defines for new crypto algorithms (bsc#1192606).
o smb3: Add defines for new information level, FileIdInformation (bsc#
1164565).
o smb3: add defines for new signing negotiate context (bsc#1192606).
o smb3: add dynamic trace point to trace when credits obtained (bsc#1181507).
o smb3: add dynamic trace points for socket connection (bsc#1192606).
o smb3: add dynamic tracepoints for flush and close (bsc#1164565).
o smb3: add indatalen that can be a non-zero value to calculation of credit
charge in smb2 ioctl (bsc#1192606).
o smb3: add missing flag definitions (bsc#1164565).
o smb3: Add missing reparse tags (bsc#1164565).
o smb3: add missing worker function for SMB3 change notify (bsc#1164565).
o smb3: add mount option to allow forced caching of read only share (bsc#
1164565).
o smb3: add mount option to allow RW caching of share accessed by only 1
client (bsc#1164565).
o smb3: Add new compression flags (bsc#1192606).
o smb3: Add new info level for query directory (bsc#1192606).
o smb3: add new module load parm enable_gcm_256 (bsc#1192606).
o smb3: add new module load parm require_gcm_256 (bsc#1192606).
o smb3: Add new parm "nodelete" (bsc#1192606).
o smb3: add one more dynamic tracepoint missing from strict fsync path (bsc#
1164565).
o smb3: add rasize mount parameter to improve readahead performance (bsc#
1192606).
o smb3: add some missing definitions from MS-FSCC (bsc#1192606).
o smb3: add some more descriptive messages about share when mounting cache=ro
(bsc#1164565).
o smb3: Add support for getting and setting SACLs (bsc#1192606).
o smb3: Add support for lookup with posix extensions query info (bsc#
1192606).
o smb3: Add support for negotiating signing algorithm (bsc#1192606).
o smb3: Add support for query info using posix extensions (level 100) (bsc#
1192606).
o smb3: add support for recognizing WSL reparse tags (bsc#1192606).
o smb3: Add support for SMB311 query info (non-compounded) (bsc#1192606).
o smb3: add support for stat of WSL reparse points for special file types
(bsc#1192606).
o smb3: add support for using info level for posix extensions query (bsc#
1192606).
o smb3: Add tracepoints for new compound posix query info (bsc#1192606).
o smb3: Additional compression structures (bsc#1192606).
o smb3: allow decryption keys to be dumped by admin for debugging (bsc#
1164565).
o smb3: allow disabling requesting leases (bnc#1151927 5.3.4).
o smb3: allow dumping GCM256 keys to improve debugging of encrypted shares
(bsc#1192606).
o smb3: allow dumping keys for multiuser mounts (bsc#1192606).
o smb3: allow parallelizing decryption of reads (bsc#1164565).
o smb3: allow skipping signature verification for perf sensitive
configurations (bsc#1164565).
o smb3: allow uid and gid owners to be set on create with idsfromsid mount
option (bsc#1192606).
o smb3: avoid confusing warning message on mount to Azure (bsc#1192606).
o smb3: Avoid Mid pending list corruption (bsc#1192606).
o smb3: Backup intent flag missing from some more ops (bsc#1164565).
o smb3: Call cifs reconnect from demultiplex thread (bsc#1192606).
o smb3: change noisy error message to FYI (bsc#1192606).
o smb3: cleanup some recent endian errors spotted by updated sparse (bsc#
1164565).
o smb3: correct server pointer dereferencing check to be more consistent (bsc
#1192606).
o smb3: correct smb3 ACL security descriptor (bsc#1192606).
o smb3: default to minimum of two channels when multichannel specified (bsc#
1192606).
o smb3: display max smb3 requests in flight at any one time (bsc#1164565).
o smb3: do not attempt multichannel to server which does not support it (bsc#
1192606).
o smb3: do not error on fsync when readonly (bsc#1192606).
o smb3: do not fail if no encryption required but server does not support it
(bsc#1192606).
o smb3: do not log warning message if server does not populate salt (bsc#
1192606).
o smb3: do not setup the fscache_super_cookie until fsinfo initialized (bsc#
1192606).
o smb3: do not try to cache root directory if dir leases not supported (bsc#
1192606).
o smb3: dump in_send and num_waiters stats counters by default (bsc#1164565).
o smb3: enable negotiating stronger encryption by default (bsc#1192606).
o smb3: enable offload of decryption of large reads via mount option (bsc#
1164565).
o smb3: enable swap on SMB3 mounts (bsc#1192606).
o smb3: extend fscache mount volume coherency check (bsc#1192606).
o smb3: fix access denied on change notify request to some servers (bsc#
1192606).
o smb3: fix cached file size problems in duplicate extents (reflink) (bsc#
1192606).
o smb3: Fix crash in SMB2_open_init due to uninitialized field in compounding
path (bsc#1164565).
o smb3: fix crediting for compounding when only one request in flight (bsc#
1181507).
o smb3: fix default permissions on new files when mounting with modefromsid
(bsc#1164565).
o smb3: Fix ids returned in POSIX query dir (bsc#1192606).
o smb3: fix incorrect number of credits when ioctl MaxOutputResponse > 64K
(bsc#1192606).
o smb3: fix leak in "open on server" perf counter (bnc#1151927 5.3.4).
o smb3: Fix mkdir when idsfromsid configured on mount (bsc#1192606).
o smb3: fix mode passed in on create for modetosid mount option (bsc#
1164565).
o smb3: fix mount failure to some servers when compression enabled (bsc#
1192606).
o smb3: Fix out-of-bounds bug in SMB2_negotiate() (bsc#1183540).
o smb3: fix performance regression with setting mtime (bsc#1164565).
o smb3: Fix persistent handles reconnect (bnc#1151927 5.3.11).
o smb3: fix posix extensions mount option (bsc#1192606).
o smb3: fix possible access to uninitialized pointer to DACL (bsc#1192606).
o smb3: fix potential null dereference in decrypt offload (bsc#1164565).
o smb3: fix problem with null cifs super block with previous patch (bsc#
1164565).
o smb3: fix readpage for large swap cache (bsc#1192606).
o smb3: fix refcount underflow warning on unmount when no directory leases
(bsc#1164565).
o smb3: Fix regression in time handling (bsc#1164565).
o smb3: fix signing verification of large reads (bsc#1154355).
o smb3: fix stat when special device file and mounted with modefromsid (bsc#
1192606).
o smb3: fix typo in compression flag (bsc#1192606).
o smb3: fix typo in header file (bsc#1192606).
o smb3: fix typo in mount options displayed in /proc/mounts (bsc#1192606).
o smb3: fix uninitialized value for port in witness protocol move (bsc#
1192606).
o smb3: fix unmount hang in open_shroot (bnc#1151927 5.3.4).
o smb3: fix unneeded error message on change notify (bsc#1192606).
o smb3: Handle error case during offload read path (bsc#1192606).
o smb3: Honor 'handletimeout' flag for multiuser mounts (bsc#1176558).
o smb3: Honor 'posix' flag for multiuser mounts (bsc#1176559).
o smb3: Honor 'seal' flag for multiuser mounts (bsc#1176545).
o smb3: Honor lease disabling for multiuser mounts (git-fixes).
o smb3: Honor persistent/resilient handle flags for multiuser mounts (bsc#
1176546).
o smb3: if max_channels set to more than one channel request multichannel
(bsc#1192606).
o smb3: improve check for when we send the security descriptor context on
create (bsc#1164565).
o smb3: improve handling of share deleted (and share recreated) (bsc#
1154355).
o smb3: incorrect file id in requests compounded with open (bsc#1192606).
o smb3: Incorrect size for netname negotiate context (bsc#1154355).
o smb3: limit noisy error (bsc#1192606).
o smb3: log warning if CSC policy conflicts with cache mount option (bsc#
1164565).
o smb3: Minor cleanup of protocol definitions (bsc#1192606).
o smb3: minor update to compression header definitions (bsc#1192606).
o smb3: missing ACL related flags (bsc#1164565).
o smb3: negotiate current dialect (SMB3.1.1) when version 3 or greater
requested (bsc#1192606).
o smb3: only offload decryption of read responses if multiple requests (bsc#
1164565).
o smb3: pass mode bits into create calls (bsc#1164565).
o smb3: prevent races updating CurrentMid (bsc#1192606).
o smb3: print warning if server does not support requested encryption type
(bsc#1192606).
o smb3: print warning once if posix context returned on open (bsc#1164565).
o smb3: query attributes on file close (bsc#1164565).
o smb3: rc uninitialized in one fallocate path (bsc#1192606).
o smb3: remind users that witness protocol is experimental (bsc#1192606).
o smb3: remove confusing dmesg when mounting with encryption ("seal") (bsc#
1164565).
o smb3: remove confusing mount warning when no SPNEGO info on negprot rsp
(bsc#1192606).
o smb3: remove dead code for non compounded posix query info (bsc#1192606).
o smb3: remove noisy debug message and minor cleanup (bsc#1164565).
o smb3: remove overly noisy debug line in signing errors (bsc#1192606).
o smb3: remove static checker warning (bsc#1192606).
o smb3: remove trivial dfs compile warning (bsc#1192606, jsc#SLE-20042).
o smb3: remove two unused variables (bsc#1192606).
o smb3: remove unused flag passed into close functions (bsc#1164565).
o smb3: rename nonces used for GCM and CCM encryption (bsc#1192606).
o smb3: Resolve data corruption of TCP server info fields (bsc#1192606).
o smb3: set COMPOUND_FID to FileID field of subsequent compound request (bsc#
1192606).
o smb3: set gcm256 when requested (bsc#1192606).
o smb3: smbdirect support can be configured by default (bsc#1192606).
o smb3: update comments clarifying SPNEGO info in negprot response (bsc#
1192606).
o smb3: update protocol header definitions based to include new flags (bsc#
1192606).
o smb3: update structures for new compression protocol definitions (bsc#
1192606).
o smb3: use SMB2_SIGNATURE_SIZE define (bsc#1192606).
o smb3: warn on confusing error scenario with sec=krb5 (bsc#1176548).
o smb3: when mounting with multichannel include it in requested capabilities
(bsc#1192606).
o smbdirect: missing rc checks while waiting for rdma events (bsc#1192606).
o soc/tegra: Fix an error handling path in tegra_powergate_power_up()
(git-fixes).
o soc/tegra: pmc: Fix imbalanced clock disabling in error code path
(git-fixes).
o spi: bcm-qspi: Fix missing clk_disable_unprepare() on error in
bcm_qspi_probe() (git-fixes).
o spi: spl022: fix Microwire full duplex mode (git-fixes).
o SUNRPC: improve 'swap' handling: scheduling and PF_MEMALLOC (bsc#1191876).
o SUNRPC: remove scheduling boost for "SWAPPER" tasks (bsc#1191876).
o SUNRPC/auth: async tasks mustn't block waiting for memory (bsc#1191876).
o SUNRPC/call_alloc: async tasks mustn't block waiting for memory (bsc#
1191876).
o SUNRPC/xprt: async tasks mustn't block waiting for memory (bsc#1191876).
o supported.conf: add pwm-rockchip References: jsc#SLE-22615
o swiotlb: avoid double free (git-fixes).
o swiotlb: Fix the type of index (git-fixes).
o TCON Reconnect during STATUS_NETWORK_NAME_DELETED (bsc#1192606).
o tlb: mmu_gather: add tlb_flush_*_range APIs
o tracing: Add length protection to histogram string copies (git-fixes).
o tracing: Change STR_VAR_MAX_LEN (git-fixes).
o tracing: Check pid filtering when creating events (git-fixes).
o tracing: Fix pid filtering when triggers are attached (git-fixes).
o tracing: use %ps format string to print symbols (git-fixes).
o tracing/histogram: Do not copy the fixed-size char array field over the
field size (git-fixes).
o tty: hvc: replace BUG_ON() with negative return value (git-fixes).
o tty: serial: msm_serial: Deactivate RX DMA for polling support (git-fixes).
o tty: tty_buffer: Fix the softlockup issue in flush_to_ldisc (git-fixes).
o usb-storage: Add compatibility quirk flags for iODD 2531/2541 (git-fixes).
o usb: chipidea: ci_hdrc_imx: fix potential error pointer dereference in
probe (git-fixes).
o usb: dwc2: gadget: Fix ISOC flow for elapsed frames (git-fixes).
o usb: dwc2: hcd_queue: Fix use of floating point literal (git-fixes).
o usb: host: ohci-tmio: check return value after calling
platform_get_resource() (git-fixes).
o usb: musb: tusb6010: check return value after calling platform_get_resource
() (git-fixes).
o usb: serial: option: add Fibocom FM101-GL variants (git-fixes).
o usb: serial: option: add Telit LE910S1 0x9200 composition (git-fixes).
o usb: typec: fusb302: Fix masking of comparator and bc_lvl interrupts
(git-fixes).
o usb: typec: tcpm: Wait in SNK_DEBOUNCED until disconnect (git-fixes).
o usb: typec: tcpm: Wait in SNK_DEBOUNCED until disconnect (git-fixes).
o usb: xhci: Enable runtime-pm by default on AMD Yellow Carp platform
(git-fixes).
o vfs: do not parse forbidden flags (bsc#1192606).
o x86/amd_nb: Add AMD family 19h model 50h PCI ids (jsc#SLE-17823 jsc#
SLE-23139 jsc#ECO-3666).
o x86/cpu: Fix migration safety with X86_BUG_NULL_SEL (bsc#1152489).
o x86/efi: Restore Firmware IDT before calling ExitBootServices()
(git-fixes).
o x86/entry: Add a fence for kernel entry SWAPGS in paranoid_entry() (bsc#
1178134).
o x86/mpx: Disable MPX for 32-bit userland (bsc#1193139).
o x86/pkey: Fix undefined behaviour with PKRU_WD_BIT (bsc#1152489).
o x86/pvh: add prototype for xen_pvh_init() (git-fixes).
o x86/sev: Allow #VC exceptions on the VC2 stack (git-fixes).
o x86/sev: Fix SEV-ES INS/OUTS instructions for word, dword, and qword (bsc#
1178134).
o x86/sev: Fix stack type check in vc_switch_off_ist() (git-fixes).
o x86/xen: Add xenpv_restore_regs_and_return_to_usermode() (bsc#1152489).
o x86/Xen: swap NX determination and GDT setup on BSP (git-fixes).
o xen: sync include/xen/interface/io/ring.h with Xen's newest version
(git-fixes).
o xen/blkfront: do not take local copy of a request from the ring page
(git-fixes).
o xen/blkfront: do not trust the backend response data blindly (git-fixes).
o xen/blkfront: read response from backend only once (git-fixes).
o xen/netfront: disentangle tx_skb_freelist (git-fixes).
o xen/netfront: do not read data from request on the ring page (git-fixes).
o xen/netfront: do not trust the backend response data blindly (git-fixes).
o xen/netfront: read response from backend only once (git-fixes).
o xen/privcmd: fix error handling in mmap-resource processing (git-fixes).
o xen/pvh: add missing prototype to header (git-fixes).
o xen/x86: fix PV trap handling on secondary processors (git-fixes).
o xhci: Fix commad ring abort, write all 64 bits to CRCR register (bsc#
1192569).
o xhci: Fix commad ring abort, write all 64 bits to CRCR register (bsc#
1192569).
o xhci: Fix commad ring abort, write all 64 bits to CRCR register
(git-fixes).
o xhci: Fix USB 3.1 enumeration issues by increasing roothub power-on-good
delay (git-fixes).
o zram: fix return value on writeback_store (git-fixes).
o zram: off by one in read_block_state() (git-fixes).
Special Instructions and Notes:
Please reboot the system after installing this update.
Patch Instructions:
To install this SUSE Security Update use the SUSE recommended installation
methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
o SUSE MicroOS 5.1:
zypper in -t patch SUSE-SUSE-MicroOS-5.1-2022-131=1
o SUSE Linux Enterprise Workstation Extension 15-SP3:
zypper in -t patch SUSE-SLE-Product-WE-15-SP3-2022-131=1
o SUSE Linux Enterprise Module for Live Patching 15-SP3:
zypper in -t patch SUSE-SLE-Module-Live-Patching-15-SP3-2022-131=1
o SUSE Linux Enterprise Module for Legacy Software 15-SP3:
zypper in -t patch SUSE-SLE-Module-Legacy-15-SP3-2022-131=1
o SUSE Linux Enterprise Module for Development Tools 15-SP3:
zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP3-2022-131=1
o SUSE Linux Enterprise Module for Basesystem 15-SP3:
zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP3-2022-131=1
o SUSE Linux Enterprise High Availability 15-SP3:
zypper in -t patch SUSE-SLE-Product-HA-15-SP3-2022-131=1
Package List:
o SUSE MicroOS 5.1 (aarch64 s390x x86_64):
kernel-default-5.3.18-59.40.1
kernel-default-base-5.3.18-59.40.1.18.25.1
kernel-default-debuginfo-5.3.18-59.40.1
kernel-default-debugsource-5.3.18-59.40.1
o SUSE Linux Enterprise Workstation Extension 15-SP3 (x86_64):
kernel-default-debuginfo-5.3.18-59.40.1
kernel-default-debugsource-5.3.18-59.40.1
kernel-default-extra-5.3.18-59.40.1
kernel-default-extra-debuginfo-5.3.18-59.40.1
kernel-preempt-debuginfo-5.3.18-59.40.1
kernel-preempt-debugsource-5.3.18-59.40.1
kernel-preempt-extra-5.3.18-59.40.1
kernel-preempt-extra-debuginfo-5.3.18-59.40.1
o SUSE Linux Enterprise Module for Live Patching 15-SP3 (ppc64le s390x
x86_64):
kernel-default-debuginfo-5.3.18-59.40.1
kernel-default-debugsource-5.3.18-59.40.1
kernel-default-livepatch-5.3.18-59.40.1
kernel-default-livepatch-devel-5.3.18-59.40.1
kernel-livepatch-5_3_18-59_40-default-1-7.3.1
o SUSE Linux Enterprise Module for Legacy Software 15-SP3 (aarch64 ppc64le
s390x x86_64):
kernel-default-debuginfo-5.3.18-59.40.1
kernel-default-debugsource-5.3.18-59.40.1
reiserfs-kmp-default-5.3.18-59.40.1
reiserfs-kmp-default-debuginfo-5.3.18-59.40.1
o SUSE Linux Enterprise Module for Development Tools 15-SP3 (aarch64 ppc64le
s390x x86_64):
kernel-obs-build-5.3.18-59.40.1
kernel-obs-build-debugsource-5.3.18-59.40.1
kernel-syms-5.3.18-59.40.1
o SUSE Linux Enterprise Module for Development Tools 15-SP3 (aarch64 x86_64):
kernel-preempt-debuginfo-5.3.18-59.40.1
kernel-preempt-debugsource-5.3.18-59.40.1
kernel-preempt-devel-5.3.18-59.40.1
kernel-preempt-devel-debuginfo-5.3.18-59.40.1
o SUSE Linux Enterprise Module for Development Tools 15-SP3 (noarch):
kernel-docs-5.3.18-59.40.1
kernel-source-5.3.18-59.40.1
o SUSE Linux Enterprise Module for Basesystem 15-SP3 (aarch64 ppc64le s390x
x86_64):
kernel-default-5.3.18-59.40.1
kernel-default-base-5.3.18-59.40.1.18.25.1
kernel-default-debuginfo-5.3.18-59.40.1
kernel-default-debugsource-5.3.18-59.40.1
kernel-default-devel-5.3.18-59.40.1
kernel-default-devel-debuginfo-5.3.18-59.40.1
o SUSE Linux Enterprise Module for Basesystem 15-SP3 (aarch64 x86_64):
kernel-preempt-5.3.18-59.40.1
kernel-preempt-debuginfo-5.3.18-59.40.1
kernel-preempt-debugsource-5.3.18-59.40.1
o SUSE Linux Enterprise Module for Basesystem 15-SP3 (aarch64):
kernel-64kb-5.3.18-59.40.1
kernel-64kb-debuginfo-5.3.18-59.40.1
kernel-64kb-debugsource-5.3.18-59.40.1
kernel-64kb-devel-5.3.18-59.40.1
kernel-64kb-devel-debuginfo-5.3.18-59.40.1
o SUSE Linux Enterprise Module for Basesystem 15-SP3 (noarch):
kernel-devel-5.3.18-59.40.1
kernel-macros-5.3.18-59.40.1
o SUSE Linux Enterprise Module for Basesystem 15-SP3 (s390x):
kernel-zfcpdump-5.3.18-59.40.1
kernel-zfcpdump-debuginfo-5.3.18-59.40.1
kernel-zfcpdump-debugsource-5.3.18-59.40.1
o SUSE Linux Enterprise High Availability 15-SP3 (aarch64 ppc64le s390x
x86_64):
cluster-md-kmp-default-5.3.18-59.40.1
cluster-md-kmp-default-debuginfo-5.3.18-59.40.1
dlm-kmp-default-5.3.18-59.40.1
dlm-kmp-default-debuginfo-5.3.18-59.40.1
gfs2-kmp-default-5.3.18-59.40.1
gfs2-kmp-default-debuginfo-5.3.18-59.40.1
kernel-default-debuginfo-5.3.18-59.40.1
kernel-default-debugsource-5.3.18-59.40.1
ocfs2-kmp-default-5.3.18-59.40.1
ocfs2-kmp-default-debuginfo-5.3.18-59.40.1
References:
o https://www.suse.com/security/cve/CVE-2020-24504.html
o https://www.suse.com/security/cve/CVE-2020-27820.html
o https://www.suse.com/security/cve/CVE-2021-28711.html
o https://www.suse.com/security/cve/CVE-2021-28712.html
o https://www.suse.com/security/cve/CVE-2021-28713.html
o https://www.suse.com/security/cve/CVE-2021-28714.html
o https://www.suse.com/security/cve/CVE-2021-28715.html
o https://www.suse.com/security/cve/CVE-2021-4001.html
o https://www.suse.com/security/cve/CVE-2021-4002.html
o https://www.suse.com/security/cve/CVE-2021-43975.html
o https://www.suse.com/security/cve/CVE-2021-43976.html
o https://www.suse.com/security/cve/CVE-2021-45485.html
o https://www.suse.com/security/cve/CVE-2021-45486.html
o https://bugzilla.suse.com/1139944
o https://bugzilla.suse.com/1151927
o https://bugzilla.suse.com/1152489
o https://bugzilla.suse.com/1153275
o https://bugzilla.suse.com/1154353
o https://bugzilla.suse.com/1154355
o https://bugzilla.suse.com/1161907
o https://bugzilla.suse.com/1164565
o https://bugzilla.suse.com/1166780
o https://bugzilla.suse.com/1169514
o https://bugzilla.suse.com/1176242
o https://bugzilla.suse.com/1176447
o https://bugzilla.suse.com/1176536
o https://bugzilla.suse.com/1176544
o https://bugzilla.suse.com/1176545
o https://bugzilla.suse.com/1176546
o https://bugzilla.suse.com/1176548
o https://bugzilla.suse.com/1176558
o https://bugzilla.suse.com/1176559
o https://bugzilla.suse.com/1176774
o https://bugzilla.suse.com/1176940
o https://bugzilla.suse.com/1176956
o https://bugzilla.suse.com/1177440
o https://bugzilla.suse.com/1178134
o https://bugzilla.suse.com/1178270
o https://bugzilla.suse.com/1179211
o https://bugzilla.suse.com/1179424
o https://bugzilla.suse.com/1179426
o https://bugzilla.suse.com/1179427
o https://bugzilla.suse.com/1179599
o https://bugzilla.suse.com/1181148
o https://bugzilla.suse.com/1181507
o https://bugzilla.suse.com/1181710
o https://bugzilla.suse.com/1182404
o https://bugzilla.suse.com/1183534
o https://bugzilla.suse.com/1183540
o https://bugzilla.suse.com/1183897
o https://bugzilla.suse.com/1184318
o https://bugzilla.suse.com/1185726
o https://bugzilla.suse.com/1185902
o https://bugzilla.suse.com/1186332
o https://bugzilla.suse.com/1187541
o https://bugzilla.suse.com/1189126
o https://bugzilla.suse.com/1189158
o https://bugzilla.suse.com/1191793
o https://bugzilla.suse.com/1191876
o https://bugzilla.suse.com/1192267
o https://bugzilla.suse.com/1192320
o https://bugzilla.suse.com/1192507
o https://bugzilla.suse.com/1192511
o https://bugzilla.suse.com/1192569
o https://bugzilla.suse.com/1192606
o https://bugzilla.suse.com/1192691
o https://bugzilla.suse.com/1192845
o https://bugzilla.suse.com/1192847
o https://bugzilla.suse.com/1192874
o https://bugzilla.suse.com/1192946
o https://bugzilla.suse.com/1192969
o https://bugzilla.suse.com/1192987
o https://bugzilla.suse.com/1192990
o https://bugzilla.suse.com/1192998
o https://bugzilla.suse.com/1193002
o https://bugzilla.suse.com/1193042
o https://bugzilla.suse.com/1193139
o https://bugzilla.suse.com/1193169
o https://bugzilla.suse.com/1193306
o https://bugzilla.suse.com/1193318
o https://bugzilla.suse.com/1193349
o https://bugzilla.suse.com/1193440
o https://bugzilla.suse.com/1193442
o https://bugzilla.suse.com/1193655
o https://bugzilla.suse.com/1193993
o https://bugzilla.suse.com/1194087
o https://bugzilla.suse.com/1194094
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBYeo4vONLKJtyKPYoAQhKDg//SXdFkVQM1pKwNzl0xM7Q3R+rSDsvx+ZP
PPm57OcwVG+tx3hqqJH1AnZVXLbX6wQiKtszAJex+JUOuQUcQRrRnCJYP2yMHXZa
zRYs15ndS8a7fK4oFp8Osx418yvu6Jyv9yqjdFQf+2MhK1TaHYRjsdqyiP2CUQjl
poBGaruyRW2jZ09eDHnLnv/NTGp1bVfEQYGGGs3x+RXdVxAnkJQhqxWRZHaakEnl
mpsl+jkZGE7+ncjoxRp2Atukl3pFFP93PaWcTLXAGhGpnbSL7klhnd28fRvi3i24
ZaFQdHMSpyoacNnPc3EBPM6iBCFHJ5hzyJH39u+RaQD6RtNGKaFqEXMyoOuHs+Td
KsbOaFaT0AM1jd5av/wGyabTwF/lizuOeo1/de4ye4OZdrT5YtQxGYdS4Jy6B7Nj
GY5is7Zt5bhdF1KNL/UU0sY61Hwd6cxaFWQ9a46dzJjAibThv3HSIWcUO0hjQ2uw
qO8V700MYZWOZhbYdvnv/EtyHZwc2/nmsPuqXutfOailO7uBjhLOWygSew894bGs
OFsZgBtzWVp9bRwxxV3xF2xN/AHKbxLzKhHu9z3CrxUI0OATFF4UvV879gDWY2qx
7yYhCnv0mzEmmXO5TsCgqsHEdP7/QOBBTO6niLlHrQAFnUMWLdbvycZy1GSFvaD/
jsVQgQ2J4EM=
=ZvFJ
-----END PGP SIGNATURE-----
ESB-2022.0289 - [SUSE] libvirt: Denial of service - Existing account
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2022.0289
Security update for libvirt
21 January 2022
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: libvirt
Publisher: SUSE
Operating System: SUSE
Impact/Access: Denial of Service -- Existing Account
Resolution: Patch/Upgrade
CVE Names: CVE-2021-4147 CVE-2021-3975
Reference: ESB-2022.0117
ESB-2022.0055
Original Bulletin:
https://www.suse.com/support/update/announcement/2022/suse-su-20220128-1
- --------------------------BEGIN INCLUDED TEXT--------------------
SUSE Security Update: Security update for libvirt
______________________________________________________________________________
Announcement ID: SUSE-SU-2022:0128-1
Rating: important
References: #1191668 #1192017 #1192876 #1193981 #1194041
Cross-References: CVE-2021-3975 CVE-2021-4147
Affected Products:
SUSE Linux Enterprise Server for SAP 15-SP1
SUSE Linux Enterprise Server 15-SP1-LTSS
SUSE Linux Enterprise Server 15-SP1-BCL
SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS
SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS
SUSE Enterprise Storage 6
SUSE CaaS Platform 4.0
______________________________________________________________________________
An update that solves two vulnerabilities and has three fixes is now available.
Description:
This update for libvirt fixes the following issues:
o CVE-2021-4147: libxl: Fix libvirtd deadlocks and segfaults. (bsc#1194041)
o CVE-2021-3975: Add missing lock in qemuProcessHandleMonitorEOF. (bsc#
1192876)
Patch Instructions:
To install this SUSE Security Update use the SUSE recommended installation
methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
o SUSE Linux Enterprise Server for SAP 15-SP1:
zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP1-2022-128=1
o SUSE Linux Enterprise Server 15-SP1-LTSS:
zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-LTSS-2022-128=1
o SUSE Linux Enterprise Server 15-SP1-BCL:
zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-BCL-2022-128=1
o SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS:
zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-LTSS-2022-128=1
o SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS:
zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-ESPOS-2022-128=1
o SUSE Enterprise Storage 6:
zypper in -t patch SUSE-Storage-6-2022-128=1
o SUSE CaaS Platform 4.0:
To install this update, use the SUSE CaaS Platform 'skuba' tool. I will
inform you if it detects new updates and let you then trigger updating of
the complete cluster in a controlled way.
Package List:
o SUSE Linux Enterprise Server for SAP 15-SP1 (ppc64le x86_64):
libvirt-5.1.0-17.1
libvirt-admin-5.1.0-17.1
libvirt-admin-debuginfo-5.1.0-17.1
libvirt-client-5.1.0-17.1
libvirt-client-debuginfo-5.1.0-17.1
libvirt-daemon-5.1.0-17.1
libvirt-daemon-config-network-5.1.0-17.1
libvirt-daemon-config-nwfilter-5.1.0-17.1
libvirt-daemon-debuginfo-5.1.0-17.1
libvirt-daemon-driver-interface-5.1.0-17.1
libvirt-daemon-driver-interface-debuginfo-5.1.0-17.1
libvirt-daemon-driver-lxc-5.1.0-17.1
libvirt-daemon-driver-lxc-debuginfo-5.1.0-17.1
libvirt-daemon-driver-network-5.1.0-17.1
libvirt-daemon-driver-network-debuginfo-5.1.0-17.1
libvirt-daemon-driver-nodedev-5.1.0-17.1
libvirt-daemon-driver-nodedev-debuginfo-5.1.0-17.1
libvirt-daemon-driver-nwfilter-5.1.0-17.1
libvirt-daemon-driver-nwfilter-debuginfo-5.1.0-17.1
libvirt-daemon-driver-qemu-5.1.0-17.1
libvirt-daemon-driver-qemu-debuginfo-5.1.0-17.1
libvirt-daemon-driver-secret-5.1.0-17.1
libvirt-daemon-driver-secret-debuginfo-5.1.0-17.1
libvirt-daemon-driver-storage-5.1.0-17.1
libvirt-daemon-driver-storage-core-5.1.0-17.1
libvirt-daemon-driver-storage-core-debuginfo-5.1.0-17.1
libvirt-daemon-driver-storage-disk-5.1.0-17.1
libvirt-daemon-driver-storage-disk-debuginfo-5.1.0-17.1
libvirt-daemon-driver-storage-iscsi-5.1.0-17.1
libvirt-daemon-driver-storage-iscsi-debuginfo-5.1.0-17.1
libvirt-daemon-driver-storage-logical-5.1.0-17.1
libvirt-daemon-driver-storage-logical-debuginfo-5.1.0-17.1
libvirt-daemon-driver-storage-mpath-5.1.0-17.1
libvirt-daemon-driver-storage-mpath-debuginfo-5.1.0-17.1
libvirt-daemon-driver-storage-scsi-5.1.0-17.1
libvirt-daemon-driver-storage-scsi-debuginfo-5.1.0-17.1
libvirt-daemon-hooks-5.1.0-17.1
libvirt-daemon-lxc-5.1.0-17.1
libvirt-daemon-qemu-5.1.0-17.1
libvirt-debugsource-5.1.0-17.1
libvirt-devel-5.1.0-17.1
libvirt-libs-5.1.0-17.1
libvirt-libs-debuginfo-5.1.0-17.1
libvirt-lock-sanlock-5.1.0-17.1
libvirt-lock-sanlock-debuginfo-5.1.0-17.1
libvirt-nss-5.1.0-17.1
libvirt-nss-debuginfo-5.1.0-17.1
o SUSE Linux Enterprise Server for SAP 15-SP1 (noarch):
libvirt-bash-completion-5.1.0-17.1
libvirt-doc-5.1.0-17.1
o SUSE Linux Enterprise Server for SAP 15-SP1 (x86_64):
libvirt-daemon-driver-libxl-5.1.0-17.1
libvirt-daemon-driver-libxl-debuginfo-5.1.0-17.1
libvirt-daemon-driver-storage-rbd-5.1.0-17.1
libvirt-daemon-driver-storage-rbd-debuginfo-5.1.0-17.1
libvirt-daemon-xen-5.1.0-17.1
o SUSE Linux Enterprise Server 15-SP1-LTSS (aarch64 ppc64le s390x x86_64):
libvirt-5.1.0-17.1
libvirt-admin-5.1.0-17.1
libvirt-admin-debuginfo-5.1.0-17.1
libvirt-client-5.1.0-17.1
libvirt-client-debuginfo-5.1.0-17.1
libvirt-daemon-5.1.0-17.1
libvirt-daemon-config-network-5.1.0-17.1
libvirt-daemon-config-nwfilter-5.1.0-17.1
libvirt-daemon-debuginfo-5.1.0-17.1
libvirt-daemon-driver-interface-5.1.0-17.1
libvirt-daemon-driver-interface-debuginfo-5.1.0-17.1
libvirt-daemon-driver-lxc-5.1.0-17.1
libvirt-daemon-driver-lxc-debuginfo-5.1.0-17.1
libvirt-daemon-driver-network-5.1.0-17.1
libvirt-daemon-driver-network-debuginfo-5.1.0-17.1
libvirt-daemon-driver-nodedev-5.1.0-17.1
libvirt-daemon-driver-nodedev-debuginfo-5.1.0-17.1
libvirt-daemon-driver-nwfilter-5.1.0-17.1
libvirt-daemon-driver-nwfilter-debuginfo-5.1.0-17.1
libvirt-daemon-driver-qemu-5.1.0-17.1
libvirt-daemon-driver-qemu-debuginfo-5.1.0-17.1
libvirt-daemon-driver-secret-5.1.0-17.1
libvirt-daemon-driver-secret-debuginfo-5.1.0-17.1
libvirt-daemon-driver-storage-5.1.0-17.1
libvirt-daemon-driver-storage-core-5.1.0-17.1
libvirt-daemon-driver-storage-core-debuginfo-5.1.0-17.1
libvirt-daemon-driver-storage-disk-5.1.0-17.1
libvirt-daemon-driver-storage-disk-debuginfo-5.1.0-17.1
libvirt-daemon-driver-storage-iscsi-5.1.0-17.1
libvirt-daemon-driver-storage-iscsi-debuginfo-5.1.0-17.1
libvirt-daemon-driver-storage-logical-5.1.0-17.1
libvirt-daemon-driver-storage-logical-debuginfo-5.1.0-17.1
libvirt-daemon-driver-storage-mpath-5.1.0-17.1
libvirt-daemon-driver-storage-mpath-debuginfo-5.1.0-17.1
libvirt-daemon-driver-storage-scsi-5.1.0-17.1
libvirt-daemon-driver-storage-scsi-debuginfo-5.1.0-17.1
libvirt-daemon-hooks-5.1.0-17.1
libvirt-daemon-lxc-5.1.0-17.1
libvirt-daemon-qemu-5.1.0-17.1
libvirt-debugsource-5.1.0-17.1
libvirt-devel-5.1.0-17.1
libvirt-libs-5.1.0-17.1
libvirt-libs-debuginfo-5.1.0-17.1
libvirt-lock-sanlock-5.1.0-17.1
libvirt-lock-sanlock-debuginfo-5.1.0-17.1
libvirt-nss-5.1.0-17.1
libvirt-nss-debuginfo-5.1.0-17.1
o SUSE Linux Enterprise Server 15-SP1-LTSS (aarch64 x86_64):
libvirt-daemon-driver-storage-rbd-5.1.0-17.1
libvirt-daemon-driver-storage-rbd-debuginfo-5.1.0-17.1
o SUSE Linux Enterprise Server 15-SP1-LTSS (noarch):
libvirt-bash-completion-5.1.0-17.1
libvirt-doc-5.1.0-17.1
o SUSE Linux Enterprise Server 15-SP1-LTSS (x86_64):
libvirt-daemon-driver-libxl-5.1.0-17.1
libvirt-daemon-driver-libxl-debuginfo-5.1.0-17.1
libvirt-daemon-xen-5.1.0-17.1
o SUSE Linux Enterprise Server 15-SP1-BCL (noarch):
libvirt-bash-completion-5.1.0-17.1
libvirt-doc-5.1.0-17.1
o SUSE Linux Enterprise Server 15-SP1-BCL (x86_64):
libvirt-5.1.0-17.1
libvirt-admin-5.1.0-17.1
libvirt-admin-debuginfo-5.1.0-17.1
libvirt-client-5.1.0-17.1
libvirt-client-debuginfo-5.1.0-17.1
libvirt-daemon-5.1.0-17.1
libvirt-daemon-config-network-5.1.0-17.1
libvirt-daemon-config-nwfilter-5.1.0-17.1
libvirt-daemon-debuginfo-5.1.0-17.1
libvirt-daemon-driver-interface-5.1.0-17.1
libvirt-daemon-driver-interface-debuginfo-5.1.0-17.1
libvirt-daemon-driver-libxl-5.1.0-17.1
libvirt-daemon-driver-libxl-debuginfo-5.1.0-17.1
libvirt-daemon-driver-lxc-5.1.0-17.1
libvirt-daemon-driver-lxc-debuginfo-5.1.0-17.1
libvirt-daemon-driver-network-5.1.0-17.1
libvirt-daemon-driver-network-debuginfo-5.1.0-17.1
libvirt-daemon-driver-nodedev-5.1.0-17.1
libvirt-daemon-driver-nodedev-debuginfo-5.1.0-17.1
libvirt-daemon-driver-nwfilter-5.1.0-17.1
libvirt-daemon-driver-nwfilter-debuginfo-5.1.0-17.1
libvirt-daemon-driver-qemu-5.1.0-17.1
libvirt-daemon-driver-qemu-debuginfo-5.1.0-17.1
libvirt-daemon-driver-secret-5.1.0-17.1
libvirt-daemon-driver-secret-debuginfo-5.1.0-17.1
libvirt-daemon-driver-storage-5.1.0-17.1
libvirt-daemon-driver-storage-core-5.1.0-17.1
libvirt-daemon-driver-storage-core-debuginfo-5.1.0-17.1
libvirt-daemon-driver-storage-disk-5.1.0-17.1
libvirt-daemon-driver-storage-disk-debuginfo-5.1.0-17.1
libvirt-daemon-driver-storage-iscsi-5.1.0-17.1
libvirt-daemon-driver-storage-iscsi-debuginfo-5.1.0-17.1
libvirt-daemon-driver-storage-logical-5.1.0-17.1
libvirt-daemon-driver-storage-logical-debuginfo-5.1.0-17.1
libvirt-daemon-driver-storage-mpath-5.1.0-17.1
libvirt-daemon-driver-storage-mpath-debuginfo-5.1.0-17.1
libvirt-daemon-driver-storage-rbd-5.1.0-17.1
libvirt-daemon-driver-storage-rbd-debuginfo-5.1.0-17.1
libvirt-daemon-driver-storage-scsi-5.1.0-17.1
libvirt-daemon-driver-storage-scsi-debuginfo-5.1.0-17.1
libvirt-daemon-hooks-5.1.0-17.1
libvirt-daemon-lxc-5.1.0-17.1
libvirt-daemon-qemu-5.1.0-17.1
libvirt-daemon-xen-5.1.0-17.1
libvirt-debugsource-5.1.0-17.1
libvirt-devel-5.1.0-17.1
libvirt-libs-5.1.0-17.1
libvirt-libs-debuginfo-5.1.0-17.1
libvirt-lock-sanlock-5.1.0-17.1
libvirt-lock-sanlock-debuginfo-5.1.0-17.1
libvirt-nss-5.1.0-17.1
libvirt-nss-debuginfo-5.1.0-17.1
o SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (aarch64
x86_64):
libvirt-5.1.0-17.1
libvirt-admin-5.1.0-17.1
libvirt-admin-debuginfo-5.1.0-17.1
libvirt-client-5.1.0-17.1
libvirt-client-debuginfo-5.1.0-17.1
libvirt-daemon-5.1.0-17.1
libvirt-daemon-config-network-5.1.0-17.1
libvirt-daemon-config-nwfilter-5.1.0-17.1
libvirt-daemon-debuginfo-5.1.0-17.1
libvirt-daemon-driver-interface-5.1.0-17.1
libvirt-daemon-driver-interface-debuginfo-5.1.0-17.1
libvirt-daemon-driver-lxc-5.1.0-17.1
libvirt-daemon-driver-lxc-debuginfo-5.1.0-17.1
libvirt-daemon-driver-network-5.1.0-17.1
libvirt-daemon-driver-network-debuginfo-5.1.0-17.1
libvirt-daemon-driver-nodedev-5.1.0-17.1
libvirt-daemon-driver-nodedev-debuginfo-5.1.0-17.1
libvirt-daemon-driver-nwfilter-5.1.0-17.1
libvirt-daemon-driver-nwfilter-debuginfo-5.1.0-17.1
libvirt-daemon-driver-qemu-5.1.0-17.1
libvirt-daemon-driver-qemu-debuginfo-5.1.0-17.1
libvirt-daemon-driver-secret-5.1.0-17.1
libvirt-daemon-driver-secret-debuginfo-5.1.0-17.1
libvirt-daemon-driver-storage-5.1.0-17.1
libvirt-daemon-driver-storage-core-5.1.0-17.1
libvirt-daemon-driver-storage-core-debuginfo-5.1.0-17.1
libvirt-daemon-driver-storage-disk-5.1.0-17.1
libvirt-daemon-driver-storage-disk-debuginfo-5.1.0-17.1
libvirt-daemon-driver-storage-iscsi-5.1.0-17.1
libvirt-daemon-driver-storage-iscsi-debuginfo-5.1.0-17.1
libvirt-daemon-driver-storage-logical-5.1.0-17.1
libvirt-daemon-driver-storage-logical-debuginfo-5.1.0-17.1
libvirt-daemon-driver-storage-mpath-5.1.0-17.1
libvirt-daemon-driver-storage-mpath-debuginfo-5.1.0-17.1
libvirt-daemon-driver-storage-rbd-5.1.0-17.1
libvirt-daemon-driver-storage-rbd-debuginfo-5.1.0-17.1
libvirt-daemon-driver-storage-scsi-5.1.0-17.1
libvirt-daemon-driver-storage-scsi-debuginfo-5.1.0-17.1
libvirt-daemon-hooks-5.1.0-17.1
libvirt-daemon-lxc-5.1.0-17.1
libvirt-daemon-qemu-5.1.0-17.1
libvirt-debugsource-5.1.0-17.1
libvirt-devel-5.1.0-17.1
libvirt-libs-5.1.0-17.1
libvirt-libs-debuginfo-5.1.0-17.1
libvirt-lock-sanlock-5.1.0-17.1
libvirt-lock-sanlock-debuginfo-5.1.0-17.1
libvirt-nss-5.1.0-17.1
libvirt-nss-debuginfo-5.1.0-17.1
o SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (x86_64):
libvirt-daemon-driver-libxl-5.1.0-17.1
libvirt-daemon-driver-libxl-debuginfo-5.1.0-17.1
libvirt-daemon-xen-5.1.0-17.1
o SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (noarch):
libvirt-bash-completion-5.1.0-17.1
libvirt-doc-5.1.0-17.1
o SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (aarch64
x86_64):
libvirt-5.1.0-17.1
libvirt-admin-5.1.0-17.1
libvirt-admin-debuginfo-5.1.0-17.1
libvirt-client-5.1.0-17.1
libvirt-client-debuginfo-5.1.0-17.1
libvirt-daemon-5.1.0-17.1
libvirt-daemon-config-network-5.1.0-17.1
libvirt-daemon-config-nwfilter-5.1.0-17.1
libvirt-daemon-debuginfo-5.1.0-17.1
libvirt-daemon-driver-interface-5.1.0-17.1
libvirt-daemon-driver-interface-debuginfo-5.1.0-17.1
libvirt-daemon-driver-lxc-5.1.0-17.1
libvirt-daemon-driver-lxc-debuginfo-5.1.0-17.1
libvirt-daemon-driver-network-5.1.0-17.1
libvirt-daemon-driver-network-debuginfo-5.1.0-17.1
libvirt-daemon-driver-nodedev-5.1.0-17.1
libvirt-daemon-driver-nodedev-debuginfo-5.1.0-17.1
libvirt-daemon-driver-nwfilter-5.1.0-17.1
libvirt-daemon-driver-nwfilter-debuginfo-5.1.0-17.1
libvirt-daemon-driver-qemu-5.1.0-17.1
libvirt-daemon-driver-qemu-debuginfo-5.1.0-17.1
libvirt-daemon-driver-secret-5.1.0-17.1
libvirt-daemon-driver-secret-debuginfo-5.1.0-17.1
libvirt-daemon-driver-storage-5.1.0-17.1
libvirt-daemon-driver-storage-core-5.1.0-17.1
libvirt-daemon-driver-storage-core-debuginfo-5.1.0-17.1
libvirt-daemon-driver-storage-disk-5.1.0-17.1
libvirt-daemon-driver-storage-disk-debuginfo-5.1.0-17.1
libvirt-daemon-driver-storage-iscsi-5.1.0-17.1
libvirt-daemon-driver-storage-iscsi-debuginfo-5.1.0-17.1
libvirt-daemon-driver-storage-logical-5.1.0-17.1
libvirt-daemon-driver-storage-logical-debuginfo-5.1.0-17.1
libvirt-daemon-driver-storage-mpath-5.1.0-17.1
libvirt-daemon-driver-storage-mpath-debuginfo-5.1.0-17.1
libvirt-daemon-driver-storage-rbd-5.1.0-17.1
libvirt-daemon-driver-storage-rbd-debuginfo-5.1.0-17.1
libvirt-daemon-driver-storage-scsi-5.1.0-17.1
libvirt-daemon-driver-storage-scsi-debuginfo-5.1.0-17.1
libvirt-daemon-hooks-5.1.0-17.1
libvirt-daemon-lxc-5.1.0-17.1
libvirt-daemon-qemu-5.1.0-17.1
libvirt-debugsource-5.1.0-17.1
libvirt-devel-5.1.0-17.1
libvirt-libs-5.1.0-17.1
libvirt-libs-debuginfo-5.1.0-17.1
libvirt-lock-sanlock-5.1.0-17.1
libvirt-lock-sanlock-debuginfo-5.1.0-17.1
libvirt-nss-5.1.0-17.1
libvirt-nss-debuginfo-5.1.0-17.1
o SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (noarch):
libvirt-bash-completion-5.1.0-17.1
libvirt-doc-5.1.0-17.1
o SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (x86_64):
libvirt-daemon-driver-libxl-5.1.0-17.1
libvirt-daemon-driver-libxl-debuginfo-5.1.0-17.1
libvirt-daemon-xen-5.1.0-17.1
o SUSE Enterprise Storage 6 (aarch64 x86_64):
libvirt-5.1.0-17.1
libvirt-admin-5.1.0-17.1
libvirt-admin-debuginfo-5.1.0-17.1
libvirt-client-5.1.0-17.1
libvirt-client-debuginfo-5.1.0-17.1
libvirt-daemon-5.1.0-17.1
libvirt-daemon-config-network-5.1.0-17.1
libvirt-daemon-config-nwfilter-5.1.0-17.1
libvirt-daemon-debuginfo-5.1.0-17.1
libvirt-daemon-driver-interface-5.1.0-17.1
libvirt-daemon-driver-interface-debuginfo-5.1.0-17.1
libvirt-daemon-driver-lxc-5.1.0-17.1
libvirt-daemon-driver-lxc-debuginfo-5.1.0-17.1
libvirt-daemon-driver-network-5.1.0-17.1
libvirt-daemon-driver-network-debuginfo-5.1.0-17.1
libvirt-daemon-driver-nodedev-5.1.0-17.1
libvirt-daemon-driver-nodedev-debuginfo-5.1.0-17.1
libvirt-daemon-driver-nwfilter-5.1.0-17.1
libvirt-daemon-driver-nwfilter-debuginfo-5.1.0-17.1
libvirt-daemon-driver-qemu-5.1.0-17.1
libvirt-daemon-driver-qemu-debuginfo-5.1.0-17.1
libvirt-daemon-driver-secret-5.1.0-17.1
libvirt-daemon-driver-secret-debuginfo-5.1.0-17.1
libvirt-daemon-driver-storage-5.1.0-17.1
libvirt-daemon-driver-storage-core-5.1.0-17.1
libvirt-daemon-driver-storage-core-debuginfo-5.1.0-17.1
libvirt-daemon-driver-storage-disk-5.1.0-17.1
libvirt-daemon-driver-storage-disk-debuginfo-5.1.0-17.1
libvirt-daemon-driver-storage-iscsi-5.1.0-17.1
libvirt-daemon-driver-storage-iscsi-debuginfo-5.1.0-17.1
libvirt-daemon-driver-storage-logical-5.1.0-17.1
libvirt-daemon-driver-storage-logical-debuginfo-5.1.0-17.1
libvirt-daemon-driver-storage-mpath-5.1.0-17.1
libvirt-daemon-driver-storage-mpath-debuginfo-5.1.0-17.1
libvirt-daemon-driver-storage-rbd-5.1.0-17.1
libvirt-daemon-driver-storage-rbd-debuginfo-5.1.0-17.1
libvirt-daemon-driver-storage-scsi-5.1.0-17.1
libvirt-daemon-driver-storage-scsi-debuginfo-5.1.0-17.1
libvirt-daemon-hooks-5.1.0-17.1
libvirt-daemon-lxc-5.1.0-17.1
libvirt-daemon-qemu-5.1.0-17.1
libvirt-debugsource-5.1.0-17.1
libvirt-devel-5.1.0-17.1
libvirt-libs-5.1.0-17.1
libvirt-libs-debuginfo-5.1.0-17.1
libvirt-lock-sanlock-5.1.0-17.1
libvirt-lock-sanlock-debuginfo-5.1.0-17.1
libvirt-nss-5.1.0-17.1
libvirt-nss-debuginfo-5.1.0-17.1
o SUSE Enterprise Storage 6 (x86_64):
libvirt-daemon-driver-libxl-5.1.0-17.1
libvirt-daemon-driver-libxl-debuginfo-5.1.0-17.1
libvirt-daemon-xen-5.1.0-17.1
o SUSE Enterprise Storage 6 (noarch):
libvirt-bash-completion-5.1.0-17.1
libvirt-doc-5.1.0-17.1
o SUSE CaaS Platform 4.0 (x86_64):
libvirt-5.1.0-17.1
libvirt-admin-5.1.0-17.1
libvirt-admin-debuginfo-5.1.0-17.1
libvirt-client-5.1.0-17.1
libvirt-client-debuginfo-5.1.0-17.1
libvirt-daemon-5.1.0-17.1
libvirt-daemon-config-network-5.1.0-17.1
libvirt-daemon-config-nwfilter-5.1.0-17.1
libvirt-daemon-debuginfo-5.1.0-17.1
libvirt-daemon-driver-interface-5.1.0-17.1
libvirt-daemon-driver-interface-debuginfo-5.1.0-17.1
libvirt-daemon-driver-libxl-5.1.0-17.1
libvirt-daemon-driver-libxl-debuginfo-5.1.0-17.1
libvirt-daemon-driver-lxc-5.1.0-17.1
libvirt-daemon-driver-lxc-debuginfo-5.1.0-17.1
libvirt-daemon-driver-network-5.1.0-17.1
libvirt-daemon-driver-network-debuginfo-5.1.0-17.1
libvirt-daemon-driver-nodedev-5.1.0-17.1
libvirt-daemon-driver-nodedev-debuginfo-5.1.0-17.1
libvirt-daemon-driver-nwfilter-5.1.0-17.1
libvirt-daemon-driver-nwfilter-debuginfo-5.1.0-17.1
libvirt-daemon-driver-qemu-5.1.0-17.1
libvirt-daemon-driver-qemu-debuginfo-5.1.0-17.1
libvirt-daemon-driver-secret-5.1.0-17.1
libvirt-daemon-driver-secret-debuginfo-5.1.0-17.1
libvirt-daemon-driver-storage-5.1.0-17.1
libvirt-daemon-driver-storage-core-5.1.0-17.1
libvirt-daemon-driver-storage-core-debuginfo-5.1.0-17.1
libvirt-daemon-driver-storage-disk-5.1.0-17.1
libvirt-daemon-driver-storage-disk-debuginfo-5.1.0-17.1
libvirt-daemon-driver-storage-iscsi-5.1.0-17.1
libvirt-daemon-driver-storage-iscsi-debuginfo-5.1.0-17.1
libvirt-daemon-driver-storage-logical-5.1.0-17.1
libvirt-daemon-driver-storage-logical-debuginfo-5.1.0-17.1
libvirt-daemon-driver-storage-mpath-5.1.0-17.1
libvirt-daemon-driver-storage-mpath-debuginfo-5.1.0-17.1
libvirt-daemon-driver-storage-rbd-5.1.0-17.1
libvirt-daemon-driver-storage-rbd-debuginfo-5.1.0-17.1
libvirt-daemon-driver-storage-scsi-5.1.0-17.1
libvirt-daemon-driver-storage-scsi-debuginfo-5.1.0-17.1
libvirt-daemon-hooks-5.1.0-17.1
libvirt-daemon-lxc-5.1.0-17.1
libvirt-daemon-qemu-5.1.0-17.1
libvirt-daemon-xen-5.1.0-17.1
libvirt-debugsource-5.1.0-17.1
libvirt-devel-5.1.0-17.1
libvirt-libs-5.1.0-17.1
libvirt-libs-debuginfo-5.1.0-17.1
libvirt-lock-sanlock-5.1.0-17.1
libvirt-lock-sanlock-debuginfo-5.1.0-17.1
libvirt-nss-5.1.0-17.1
libvirt-nss-debuginfo-5.1.0-17.1
o SUSE CaaS Platform 4.0 (noarch):
libvirt-bash-completion-5.1.0-17.1
libvirt-doc-5.1.0-17.1
References:
o https://www.suse.com/security/cve/CVE-2021-3975.html
o https://www.suse.com/security/cve/CVE-2021-4147.html
o https://bugzilla.suse.com/1191668
o https://bugzilla.suse.com/1192017
o https://bugzilla.suse.com/1192876
o https://bugzilla.suse.com/1193981
o https://bugzilla.suse.com/1194041
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBYeo4oONLKJtyKPYoAQiTLA//dTYm9p/pA/bjPXbLN5FGgof0nQdmZQ4h
MsG7rbS8Rfj26VOst61tTvcKWTIy/WovFxJqyzfVfUJ3zJ5Z7ftHF7SbxKcGuB0a
BWt2Ju22a0x2UKd35+NjTD5wt2b6S2eyEXIGt9vluzfhpqi+g97YxN7O3f/2oijE
55Xb+lLSHpN7BLDGrTPvbH5Wzu+wRhqiM3tJX+4JLGw5waMVgk6R+7XFhAtVbXFF
PpI/XbQEqJYdm4i98KRXF0uRsg/BnpH1qdoVkHT251QeRiopefUtavsh3pdp1sOf
yt2McYTDVZ030DKf9OG8p2HBBEBaYqKiePljihkSQDkNK6f37yjLgyUMCh1Ipk5p
LVDzTzb3XZviI8Q9E7aI9UsGHQKNE833C94e9mPQOm2/yLoGVzdUqik/0ievNXuC
zoV1q7wC4JVfi6CoGLCBkTpfo5eiVSF5D9Cxv5A3Wi0jAmU54JmVuwqpbx7VTz2D
jQpHE/vVneUZX8chvFbprQtOzjJEqt43MKutl+UGmFjCHAuiwR/qdlmPb71vxVA/
06L2r3XqI78DhBtxAizt81D6NLveXsiJ2CWGJn0gij0sVJO9QF1wllG0iwPOuQcu
VAh8uf93KmawpxX0lHs6ZzYw05WBmX7LqguN/m+SUSmvWWXKF9dB7fS6fKxgtjlT
XcVtoqGK8t8=
=vx2H
-----END PGP SIGNATURE-----
ESB-2022.0288 - [SUSE] kubevirt,: Denial of service - Remote/unauthenticated
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2022.0288
Security update for kubevirt, virt-api-container,
virt-controller-container, virt-handler-container,
virt-launcher-container, virt-operator-container
21 January 2022
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: kubevirt,
Publisher: SUSE
Operating System: SUSE
Impact/Access: Denial of Service -- Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2021-43565
Reference: ESB-2022.0122
Original Bulletin:
https://www.suse.com/support/update/announcement/2022/suse-su-20220130-1
- --------------------------BEGIN INCLUDED TEXT--------------------
SUSE Security Update: Security update for kubevirt, virt-api-container,
virt-controller-container, virt-handler-container, virt-launcher-container,
______________________________________________________________________________
Announcement ID: SUSE-SU-2022:0130-1
Rating: important
References: #1193930
Cross-References: CVE-2021-43565
Affected Products:
SUSE Manager Server 4.1
SUSE Manager Retail Branch Server 4.1
SUSE Manager Proxy 4.1
SUSE Linux Enterprise Server for SAP 15-SP2
SUSE Linux Enterprise Server 15-SP2-LTSS
SUSE Linux Enterprise Server 15-SP2-BCL
SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS
SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS
SUSE Enterprise Storage 7
SUSE CaaS Platform 4.5
______________________________________________________________________________
virt-operator-container
An update that fixes one vulnerability is now available.
Description:
This update for kubevirt, virt-api-container, virt-controller-container,
virt-handler-container, virt-launcher-container, virt-operator-container fixes
the following issues:
o CVE-2021-43565: Fixes a vulnerability in the golang.org/x/crypto/ssh
package which allowed unauthenticated clients to cause a panic in SSH
servers. (bsc#1193930)
Patch Instructions:
To install this SUSE Security Update use the SUSE recommended installation
methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
o SUSE Manager Server 4.1:
zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Server-4.1-2022-130=1
o SUSE Manager Retail Branch Server 4.1:
zypper in -t patch
SUSE-SLE-Product-SUSE-Manager-Retail-Branch-Server-4.1-2022-130=1
o SUSE Manager Proxy 4.1:
zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Proxy-4.1-2022-130=1
o SUSE Linux Enterprise Server for SAP 15-SP2:
zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP2-2022-130=1
o SUSE Linux Enterprise Server 15-SP2-LTSS:
zypper in -t patch SUSE-SLE-Product-SLES-15-SP2-LTSS-2022-130=1
o SUSE Linux Enterprise Server 15-SP2-BCL:
zypper in -t patch SUSE-SLE-Product-SLES-15-SP2-BCL-2022-130=1
o SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS:
zypper in -t patch SUSE-SLE-Product-HPC-15-SP2-LTSS-2022-130=1
o SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS:
zypper in -t patch SUSE-SLE-Product-HPC-15-SP2-ESPOS-2022-130=1
o SUSE Enterprise Storage 7:
zypper in -t patch SUSE-Storage-7-2022-130=1
o SUSE CaaS Platform 4.5:
To install this update, use the SUSE CaaS Platform 'skuba' tool. I will
inform you if it detects new updates and let you then trigger updating of
the complete cluster in a controlled way.
Package List:
o SUSE Manager Server 4.1 (x86_64):
kubevirt-manifests-0.40.0-5.17.2
kubevirt-virtctl-0.40.0-5.17.2
kubevirt-virtctl-debuginfo-0.40.0-5.17.2
o SUSE Manager Retail Branch Server 4.1 (x86_64):
kubevirt-manifests-0.40.0-5.17.2
kubevirt-virtctl-0.40.0-5.17.2
kubevirt-virtctl-debuginfo-0.40.0-5.17.2
o SUSE Manager Proxy 4.1 (x86_64):
kubevirt-manifests-0.40.0-5.17.2
kubevirt-virtctl-0.40.0-5.17.2
kubevirt-virtctl-debuginfo-0.40.0-5.17.2
o SUSE Linux Enterprise Server for SAP 15-SP2 (x86_64):
kubevirt-manifests-0.40.0-5.17.2
kubevirt-virtctl-0.40.0-5.17.2
kubevirt-virtctl-debuginfo-0.40.0-5.17.2
o SUSE Linux Enterprise Server 15-SP2-LTSS (x86_64):
kubevirt-manifests-0.40.0-5.17.2
kubevirt-virtctl-0.40.0-5.17.2
kubevirt-virtctl-debuginfo-0.40.0-5.17.2
o SUSE Linux Enterprise Server 15-SP2-BCL (x86_64):
kubevirt-manifests-0.40.0-5.17.2
kubevirt-virtctl-0.40.0-5.17.2
kubevirt-virtctl-debuginfo-0.40.0-5.17.2
o SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS (x86_64):
kubevirt-manifests-0.40.0-5.17.2
kubevirt-virtctl-0.40.0-5.17.2
kubevirt-virtctl-debuginfo-0.40.0-5.17.2
o SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS (x86_64):
kubevirt-manifests-0.40.0-5.17.2
kubevirt-virtctl-0.40.0-5.17.2
kubevirt-virtctl-debuginfo-0.40.0-5.17.2
o SUSE Enterprise Storage 7 (x86_64):
kubevirt-manifests-0.40.0-5.17.2
kubevirt-virtctl-0.40.0-5.17.2
kubevirt-virtctl-debuginfo-0.40.0-5.17.2
o SUSE CaaS Platform 4.5 (x86_64):
kubevirt-manifests-0.40.0-5.17.2
kubevirt-virtctl-0.40.0-5.17.2
kubevirt-virtctl-debuginfo-0.40.0-5.17.2
References:
o https://www.suse.com/security/cve/CVE-2021-43565.html
o https://bugzilla.suse.com/1193930
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBYeo4keNLKJtyKPYoAQhtAw//UazJMG9cgcUKm0O2D690Ul1Wt5teEJlK
LLqziQEFSYVZ1D229Dn4bot7dsl3bnwNQMSzXMANv1brbHYGJD82mQ+JhQp4BA67
MNARRGsuXRc6auJCOkum+qeAkS3Mfph9H9HbENiAsKxnhMGMgkdUvvzEirUPXDF+
OqJbeP8Oe1hWlVvHxQKR8Ov9QqyC48SCost+P7N2U4/WgTbc43sXWAXIO2YKB6r3
Co1rgdb57radUyizdbcoT/qkzc391J0BhnbzJjSZ0APMrsXsW+FFsGpeAU0XWCRS
HIQJzePhV0/7x2nuaIty2zBFo+00G9agxVmcjodbVtBHfU9juSCfrh+9ESYTxZcp
Gmt/xwkLB43goh0DAL4o7TASVrf/Lfxjf1pG3qnWKS9Wwseyib8Gikls7V4luyDx
zQ7qoqJmnixothLiVqx/Q1QfpOWLv4URXGSNzUOwy2EGJ1pS9tygHGYgsu4dPaW5
43FYuM77PU2IEWUMzSfnt9sKdceDDWxUiAtYYVBTkhyqCh36BzZWjjGEyciuC1yC
Zc4t269+1Li3eXDRg61han/5/5+eKfPqAYgmp9UQZCJHSDNUwMJlhyP5Pc3YGcoq
9Xof3Cqfx8cMj6YUfDyT8hyAuIL/KzcPW1XyJV9lv4fu+yE/EWOz1m+8dsW0slYf
nlMuex7LGb4=
=V4xI
-----END PGP SIGNATURE-----
ESB-2022.0287 - [Win][Appliance][Mac] BIG-IP Edge Client: Multiple vulnerabilities
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2022.0287
K30525503: BIG-IP APM Edge Client proxy vulnerability CVE-2022-23032
21 January 2022
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: BIG-IP Edge Client
Publisher: F5 Networks
Operating System: Network Appliance
Windows
macOS
Impact/Access: Access Confidential Data -- Remote/Unauthenticated
Reduced Security -- Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2022-23032
Original Bulletin:
https://support.f5.com/csp/article/K30525503
- --------------------------BEGIN INCLUDED TEXT--------------------
K30525503: BIG-IP APM Edge Client proxy vulnerability CVE-2022-23032
Original Publication Date: 19 Jan, 2022
Security Advisory Description
When proxy settings are configured in the network access resource of a BIG-IP
APM system, connecting BIG-IP Edge Client on Mac and Windows is vulnerable to a
DNS rebinding attack. (CVE-2022-23032)
Impact
DNS rebinding allows external attackers to bypass the same-origin policy. A
remote unauthenticated attacker can exploit this vulnerability to exfiltrate
proxy configuration details, including subdomain information and internal IP
addresses.
Security Advisory Status
F5 Product Development has assigned ID 1020609 (BIG-IP) to this
vulnerability. This issue has been classified as CWE-346: Origin Validation
Error.
To determine if your product and version have been evaluated for this
vulnerability, refer to the Applies to (see versions) box. To determine if your
release is known to be vulnerable, the components or features that are affected
by the vulnerability, and for information about releases, point releases, or
hotfixes that address the vulnerability, refer to the following table. For more
information about security advisory versioning, refer to K51812227:
Understanding security advisory versioning.
Note: After a fix is introduced for a given minor branch, that fix applies to
all subsequent maintenance and point releases for that branch, and no
additional fixes for that branch will be listed in the table. For example, when
a fix is introduced in 14.1.2.3, the fix also applies to 14.1.2.4, and all
later 14.1.x releases (14.1.3.x., 14.1.4.x). For more information, refer to
K51812227: Understanding security advisory versioning. Additionally, software
versions preceding those listed in the following table have reached the End of
Technical Support (EoTS) phase of their lifecycle and are no longer evaluated
for security issues. For more information, refer to the Security hotfixes
section of K4602: Overview of the F5 security vulnerability response policy.
+-----------+------+-------------+----------+----------+------+---------------+
| | |Versions |Fixes | |CVSSv3|Vulnerable |
|Product |Branch|known to be |introduced|Severity |score^|component or |
| | |vulnerable^1 |in | |2 |feature |
+-----------+------+-------------+----------+----------+------+---------------+
| |16.x |16.0.0 - |None^3 | | | |
| | |16.1.2 | | | | |
| +------+-------------+----------+ | | |
| |15.x |15.1.0 - |None^3 | | | |
| | |15.1.5 | | | | |
| +------+-------------+----------+ | | |
|BIG-IP |14.x |14.1.0 - |14.1.4.5 | | | |
|(APM) | |14.1.4 | | | |BIG-IP Edge |
| +------+-------------+----------+Low |3.1 |Client for Mac |
| |13.x |13.1.0 - |None^3 | | |and Windows |
| | |13.1.4 | | | | |
| +------+-------------+----------+ | | |
| |12.x |12.1.0 - |Will not | | | |
| | |12.1.6 |fix | | | |
| +------+-------------+----------+ | | |
| |11.x |11.6.1 - |Will not | | | |
| | |11.6.5 |fix | | | |
+-----------+------+-------------+----------+----------+------+---------------+
|BIG-IP APM | |7.2.1 - |7.2.1.4 | | |BIG-IP Edge |
|Clients |7.x |7.2.1.3 |None |Low |3.1 |Client for Mac |
| | |7.1.6 - 7.1.9| | | |and Windows |
+-----------+------+-------------+----------+----------+------+---------------+
| |16.x |None |Not | | | |
| | | |applicable| | | |
| +------+-------------+----------+ | | |
| |15.x |None |Not | | | |
| | | |applicable| | | |
| +------+-------------+----------+ | | |
| |14.x |None |Not | | | |
|BIG-IP (all| | |applicable|Not |None /| |
|other +------+-------------+----------+vulnerable|0.0 |None |
|modules) |13.x |None |Not | | | |
| | | |applicable| | | |
| +------+-------------+----------+ | | |
| |12.x |None |Not | | | |
| | | |applicable| | | |
| +------+-------------+----------+ | | |
| |11.x |None |Not | | | |
| | | |applicable| | | |
+-----------+------+-------------+----------+----------+------+---------------+
| |8.x |None |Not | | | |
|BIG-IQ | | |applicable|Not | | |
|Centralized+------+-------------+----------+vulnerable|None |None |
|Management |7.x |None |Not | | | |
| | | |applicable| | | |
+-----------+------+-------------+----------+----------+------+---------------+
|F5OS-A |1.x |None |Not |Not |None |None |
| | | |applicable|vulnerable| | |
+-----------+------+-------------+----------+----------+------+---------------+
|F5OS-C |1.x |None |Not |Not |None |None |
| | | |applicable|vulnerable| | |
+-----------+------+-------------+----------+----------+------+---------------+
|Traffix SDC|5.x |None |Not |Not |None |None |
| | | |applicable|vulnerable| | |
+-----------+------+-------------+----------+----------+------+---------------+
^1F5 evaluates only software versions that have not yet reached the End of
Technical Support (EoTS) phase of their lifecycle.
^2The CVSSv3 score link takes you to a resource outside of AskF5, and it is
possible that the document may be removed without our knowledge.
^3In BIG-IP APM 13.1.0 and later, the APM Clients components can be updated
independently from the BIG-IP software. To resolve this vulnerability in BIG-IP
APM 13.1.0 and later, you can update the installed version of APM Clients to a
version listed in the Fixes introduced in column and set Component Update to
Yes in the affected connectivity profile. For more information about Component
Update, refer to K15302: Understanding BIG-IP Edge Client Component Update
behavior for Windows, macOS, and Linux CLI. For more information about Edge
Client versions, refer to K52547540: Updating BIG-IP Edge Client for the BIG-IP
APM system and K13757: BIG-IP Edge Client version matrix.
Recommended Actions
If you are running a version listed in the Versions known to be vulnerable
column, you can eliminate this vulnerability by installing a version listed in
the Fixes introduced in column. If the Fixes introduced in column does not list
a version for your branch, then no update candidate currently exists for that
branch and F5 recommends upgrading to a version with the fix (refer to the
table).
If the Fixes introduced in column lists a version prior to the one you are
running, in the same branch, then your version should have the fix.
Mitigation
None
Acknowledgements
This issue was discovered internally by F5.
Supplemental Information
o K41942608: Overview of security advisory articles
o K4602: Overview of the F5 security vulnerability response policy
o K4918: Overview of the F5 critical issue hotfix policy
o K8986: F5 software lifecycle policy
o K9502: BIG-IP hotfix and point release matrix
o K13123: Managing BIG-IP product hotfixes (11.x - 16.x)
o K167: Downloading software and firmware from F5
o K9970: Subscribing to email notifications regarding F5 products
o K9957: Creating a custom RSS feed to view new and updated documents
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBYeo4ZuNLKJtyKPYoAQjTUhAAngkqD+8PNh505z8f688ARfFRHrNs8Jph
wL2lyU4/DuwhXsCiNFaakaiGguZ3cJTkVHLRWJrCTZ/0m+eGPssFLn2m5WSreeEA
XeEyJntth2GJ/IjIMq2C2lGBA3MQ7EguI3MdKpsCE0d4anxjdQ5zVvR21dD5Y4Zf
92m/u1IaYDJcMqhIIfrq5126Dc28jSl2TVYaPfFXQMG6g19I/4VrZnfQMzY6ojk9
sNIwQllrmh1BUA2TC5yPewv2nneSnz7c8ivrUZo+owTgTTl2nABihgT1ryI6Y9hY
+DoFcRh8yvGUNBVmSlYj4mzYO0VOFwvN27LHLtUAidNrDk5n/B8dzMFwO5TIpf9q
1NDaS6mwZgyQEwN0dsRjxcSSogaGNBi8r45ZZ6PPQ+1sd5/qhkyocGdFm/qilAml
z3Dfm+sJ8GjiXY2mCeIfOFsWSpMSdAP79nk8fSBsNB4uimuhKhhg+XzNIfzrS0F7
2nKkyWH5crBHboS3+BLTT7uN0PU9+zGFSOTqH7ZuOQXNAbt0JKFoE9ll4cmkpFlI
r4E87SqhPYK5Q1z83bGrYu0oWAttxFBCT13OSW//yrTQvQzo58wat33SC+1pzVwX
4+axdiw38iFtyIKIxAL7shl+Wx4+l3LMJji+PWXbdl5zLTnL9U0EM3qHJhXFz0qK
dTdpTS/F4MU=
=CB0W
-----END PGP SIGNATURE-----
ESB-2022.0286 - [Appliance] BIG-IP Configuration utility: Cross-site scripting - Existing account
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2022.0286
K29500533: TMUI XSS vulnerability CVE-2022-23013
21 January 2022
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: BIG-IP Configuration utility
Publisher: F5 Networks
Operating System: Network Appliance
Impact/Access: Cross-site Scripting -- Existing Account
Resolution: Patch/Upgrade
CVE Names: CVE-2022-23013
Original Bulletin:
https://support.f5.com/csp/article/K29500533
- --------------------------BEGIN INCLUDED TEXT--------------------
K29500533: TMUI XSS vulnerability CVE-2022-23013
Original Publication Date: 19 Jan, 2022
Security Advisory Description
A DOM-based cross-site scripting (XSS) vulnerability exists in an undisclosed
page of the BIG-IP Configuration utility that allows an attacker to execute
JavaScript in the context of the currently logged-in user. (CVE-2022-23013)
Impact
An attacker may exploit this vulnerability by causing an authenticated user to
submit malicious HTML or JavaScript code in the BIG-IP Configuration utility.
If successful, an attacker can run JavaScript in the context of the currently
logged-in user. In the case of an administrative user with access to the
Advanced Shell (bash), an attacker can leverage successful exploitation of this
vulnerability to compromise the BIG-IP system.
Security Advisory Status
F5 Product Development has assigned ID 937333 (BIG-IP) to this vulnerability.
This issue has been classified as CWE-79: Improper Neutralization of Input
During Web Page Generation ('Cross-site Scripting').
To determine if your product and version have been evaluated for this
vulnerability, refer to the Applies to (see versions) box. To determine if your
release is known to be vulnerable, the components or features that are affected
by the vulnerability, and for information about releases, point releases, or
hotfixes that address the vulnerability, refer to the following table. For more
information about security advisory versioning, refer to K51812227:
Understanding security advisory versioning.
Note: After a fix is introduced for a given minor branch, that fix applies to
all subsequent maintenance and point releases for that branch, and no
additional fixes for that branch will be listed in the table. For example, when
a fix is introduced in 14.1.2.3, the fix also applies to 14.1.2.4, and all
later 14.1.x releases (14.1.3.x., 14.1.4.x). For more information, refer to
K51812227: Understanding security advisory versioning. Additionally, software
versions preceding those listed in the Applies to (see versions) box of this
article have reached the End of Technical Support (EoTS) phase of their
lifecycle and are no longer evaluated for security issues. For more
information, refer to the Security hotfixes section of K4602: Overview of the
F5 security vulnerability response policy.
+------------+------+--------------+----------+----------+------+-------------+
| | |Versions known|Fixes | |CVSSv3|Vulnerable |
|Product |Branch|to be |introduced|Severity |score^|component or |
| | |vulnerable^1 |in | |2 |feature |
+------------+------+--------------+----------+----------+------+-------------+
| |16.x |None |16.1.0 | | | |
| +------+--------------+----------+ | | |
| |15.x |15.1.0 - |15.1.4 | | | |
| | |15.1.3 | | | | |
| +------+--------------+----------+ | | |
| |14.x |14.1.0 - |14.1.4.4 | | | |
| | |14.1.4 | | | | |
|BIG-IP (DNS,+------+--------------+----------+High |7.5 |Configuration|
|GTM) |13.x |13.1.0 - |None | | |utility |
| | |13.1.4 | | | | |
| +------+--------------+----------+ | | |
| |12.x |12.1.0 - |Will not | | | |
| | |12.1.6 |fix | | | |
| +------+--------------+----------+ | | |
| |11.x |11.6.1 - |Will not | | | |
| | |11.6.5 |fix | | | |
+------------+------+--------------+----------+----------+------+-------------+
| |16.x |None |Not | | | |
| | | |applicable| | | |
| +------+--------------+----------+ | | |
| |15.x |None |Not | | | |
| | | |applicable| | | |
| +------+--------------+----------+ | | |
| |14.x |None |Not | | | |
|BIG-IP (all | | |applicable|Not | | |
|other +------+--------------+----------+vulnerable|None |None |
|modules) |13.x |None |Not | | | |
| | | |applicable| | | |
| +------+--------------+----------+ | | |
| |12.x |None |Not | | | |
| | | |applicable| | | |
| +------+--------------+----------+ | | |
| |11.x |None |Not | | | |
| | | |applicable| | | |
+------------+------+--------------+----------+----------+------+-------------+
| |8.x |None |Not | | | |
|BIG-IQ | | |applicable|Not | | |
|Centralized +------+--------------+----------+vulnerable|None |None |
|Management |7.x |None |Not | | | |
| | | |applicable| | | |
+------------+------+--------------+----------+----------+------+-------------+
|F5OS-A |1.x |None |Not |Not |None |None |
| | | |applicable|vulnerable| | |
+------------+------+--------------+----------+----------+------+-------------+
|F5OS-C |1.x |None |Not |Not |None |None |
| | | |applicable|vulnerable| | |
+------------+------+--------------+----------+----------+------+-------------+
|Traffix SDC |5.x |None |Not |Not |None |None |
| | | |applicable|vulnerable| | |
+------------+------+--------------+----------+----------+------+-------------+
^1F5 only evaluates software versions that have not yet reached the End of
Technical Support (EoTS) phase of their lifecycle.
^2The CVSSv3 score link takes you to a resource outside of AskF5, and it is
possible that the document may be removed without our knowledge.
Recommended Actions
If you are running a version listed in the Versions known to be vulnerable
column, you can eliminate this vulnerability by installing a version listed in
the Fixes introduced in column. If the Fixes introduced in column does not list
a version for your branch, then no update candidate currently exists for that
branch and F5 recommends upgrading to a version with the fix (refer to the
table).
If the Fixes introduced in column lists a version prior to the one you are
running, in the same branch, then your version should have the fix.
Mitigation
Isolated web browser
To mitigate this vulnerability, you can use a unique and isolated web browser
when managing the BIG-IP system and restrict access of the system to allow only
trusted users.
Block Configuration utility access to only trusted networks or devices
Until it is possible to install a fixed version, you can use the following
sections as temporary mitigations. These mitigations restrict access to the
Configuration utility to only trusted networks or devices, thereby limiting the
attack surface.
o Block Configuration utility access through self IP addresses
o Block Configuration utility access through the management interface
Block Configuration utility access through self IP addresses
You can block all access to the Configuration utility of your BIG-IP system
using self IP addresses. To do so, you can change the Port Lockdown setting to
Allow None for each self IP address on the system. If you must open any ports,
you should use the Allow Custom option, taking care to disallow access to the
Configuration utility. By default, the Configuration utility listens on TCP
port 443. If you modified the default port, ensure that you disallow access to
the alternate port you configured.
Note: Performing this action prevents all access to the Configuration utility
and iControl REST using the self IP address. These changes may also impact
other services, including breaking high availability (HA) configurations.
Before you make changes to the configuration of your self IP addresses, F5
strongly recommends that you refer to the following articles:
o K17333: Overview of port lockdown behavior (12.x - 16.x)
o K13092: Overview of securing access to the BIG-IP system
o K31003634: The Configuration utility of the Single-NIC BIG-IP Virtual
Edition now defaults to TCP port 8443
o K51358480: The single-NIC BIG-IP VE may erroneously revert to the default
management httpd port after a configuration reload
If you must expose port 443 on your self IP addresses and want to restrict
access to specific IP ranges, you may consider using the packet filtering
functionality built into the BIG-IP system. For more information, refer to the
following article:
o K13383: Configuring CIDR Network Addresses for the BIG-IP packet filter
Block Configuration utility access through the management interface
To mitigate this vulnerability for affected F5 products, you should restrict
management access to only trusted users and devices to F5 products over a
secure network. For more information about securing access to BIG-IP and BIG-IQ
systems, refer to the following articles:
o K13309: Restricting access to the Configuration utility by source IP
address (11.x - 16.x)
o K13092: Overview of securing access to the BIG-IP system
o K46122561: Restricting access to the management interface using network
firewall rules
Acknowledgements
This issue was discovered internally by F5.
Supplemental Information
o K41942608: Overview of security advisory articles
o K4602: Overview of the F5 security vulnerability response policy
o K4918: Overview of the F5 critical issue hotfix policy
o K8986: F5 software lifecycle policy
o K9502: BIG-IP hotfix and point release matrix
o K13123: Managing BIG-IP product hotfixes (11.x - 16.x)
o K167: Downloading software and firmware from F5
o K9970: Subscribing to email notifications regarding F5 products
o K9957: Creating a custom RSS feed to view new and updated documents
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBYeo4F+NLKJtyKPYoAQjVAQ/+LGHleauuSEIiYL2BsLzOkk8UNVa31aTj
ampsfdQACMdBfwqiI5+/5ccKvFUkUUIO8XoL6cVGf7INprx7cJCNDQMd2Z43j6su
DhgTPFdK/cy/5UY0y+T8K8k7q2ykCawscL/v7VbrPHBIkETJxP1xPDtGU4n+r2v/
Gj19XMYJZxDJInJslzfbKc/+kgGoW5EXrLp94gW33augqPHQ1Vc32sWr4OYWNbuQ
3NTmtJCqPlpz0hPXcri85ZUPuzoc27Bi0eTRI1DdNCMJn5UUvpwky7PJGgSZ8nj7
n8d25MtHTmxwDEbERTWsH1fAWYXuJ4qLMmX9Jt5zTgDiJcX5sW/6T3p5GU+iE6dQ
MVYpfybEtBoRO5juoSY00RhH94bEQ9DU/krjRyKOMv5hIFgE8FcZrz+nOY5+cWre
7SDCqsAD2Ah/LrLfVTbmkJsZBlXKd17cjsIkrzIhl61+9yt11XlnO3zpODi/Qj+d
J/y6cpjlkGoUxNHHQBe3f4jo5azJj8Ci1wPqxjgtTkjMnsqkMfpaAmY3EBvbCZI/
GwH6scsrD6t8JLvUp8bt2OcfKk0JggCLoF2m02qTS9js9wry9oJr5AVPH9BsgJx8
mXlnAsZwSwncb2iitXDwPi3gS51hliep1H3apnCC3/1UjX2NSs+UeLrf4tsPrnYh
LVZwvaXTOIM=
=9zKu
-----END PGP SIGNATURE-----
ESB-2022.0285 - [Appliance] BIG-IP TMM and DNS profile: Denial of service - Remote/unauthenticated
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2022.0285
K28042514: BIG-IP TMM and DNS profile vulnerability CVE-2022-23017
21 January 2022
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: BIG-IP TMM
BIG-IP DNS profile
Publisher: F5 Networks
Operating System: Network Appliance
Impact/Access: Denial of Service -- Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2022-23017
Original Bulletin:
https://support.f5.com/csp/article/K28042514
- --------------------------BEGIN INCLUDED TEXT--------------------
K28042514: BIG-IP TMM and DNS profile vulnerability CVE-2022-23017
Original Publication Date: 19 Jan, 2022
Security Advisory Description
When a virtual server is configured with a DNS profile with the Rapid Response
Mode setting enabled and is configured on a BIG-IP system, undisclosed requests
can cause the Traffic Management Microkernel (TMM) to terminate. (
CVE-2022-23017)
Impact
System performance can degrade until the process is either forced to restart or
is manually restarted. This vulnerability allows a remote unauthenticated
attacker to cause a degradation of service that can lead to a denial-of-service
(DoS) on the BIG-IP system.
Security Advisory Status
F5 Product Development has assigned ID 999933 (BIG-IP) to this vulnerability.
This issue has been classified as CWE-476: NULL Pointer Dereference.
To determine if your product and version have been evaluated for this
vulnerability, refer to the Applies to (see versions) box. To determine if your
release is known to be vulnerable, the components or features that are affected
by the vulnerability, and for information about releases, point releases, or
hotfixes that address the vulnerability, refer to the following table. For more
information about security advisory versioning, refer to K51812227:
Understanding security advisory versioning.
Note: After a fix is introduced for a given minor branch, that fix applies to
all subsequent maintenance and point releases for that branch, and no
additional fixes for that branch will be listed in the table. For example, when
a fix is introduced in 14.1.2.3, the fix also applies to 14.1.2.4, and all
later 14.1.x releases (14.1.3.x., 14.1.4.x). For more information, refer to
K51812227: Understanding security advisory versioning. Additionally, software
versions preceding those listed in the Applies to (see versions) box of this
article have reached the End of Technical Support (EoTS) phase of their
lifecycle and are no longer evaluated for security issues. For more
information, refer to the Security hotfixes section of K4602: Overview of the
F5 security vulnerability response policy.
+-----------+------+-----------+----------+----------+------+-----------------+
| | |Versions |Fixes | |CVSSv3|Vulnerable |
|Product |Branch|known to be|introduced|Severity |score^|component or |
| | |vulnerable^|in | |2 |feature |
| | |1 | | | | |
+-----------+------+-----------+----------+----------+------+-----------------+
| |16.x |16.0.0 - |16.1.0 | | | |
| | |16.0.1 | | | | |
| +------+-----------+----------+ | | |
| |15.x |15.1.0 - |15.1.4.1 | | | |
| | |15.1.4 | | | | |
| +------+-----------+----------+ | | |
| |14.x |14.1.0 - |14.1.4.5 | | |TMM/DNS profile |
|BIG-IP (all| |14.1.4 | | | |with Rapid |
|modules) +------+-----------+----------+High |7.5 |Response mode |
| |13.x |13.1.0 - |None | | |enabled |
| | |13.1.4 | | | | |
| +------+-----------+----------+ | | |
| |12.x |None |Not | | | |
| | | |applicable| | | |
| +------+-----------+----------+ | | |
| |11.x |None |Not | | | |
| | | |applicable| | | |
+-----------+------+-----------+----------+----------+------+-----------------+
| |8.x |None |Not | | | |
|BIG-IQ | | |applicable|Not | | |
|Centralized+------+-----------+----------+vulnerable|None |None |
|Management |7.x |None |Not | | | |
| | | |applicable| | | |
+-----------+------+-----------+----------+----------+------+-----------------+
|F5OS-A |1.x |None |Not |Not |None |None |
| | | |applicable|vulnerable| | |
+-----------+------+-----------+----------+----------+------+-----------------+
|F5OS-C |1.x |None |Not |Not |None |None |
| | | |applicable|vulnerable| | |
+-----------+------+-----------+----------+----------+------+-----------------+
|Traffix SDC|5.x |None |Not |Not |None |None |
| | | |applicable|vulnerable| | |
+-----------+------+-----------+----------+----------+------+-----------------+
^1F5 only evaluates software versions that have not yet reached the End of
Technical Support (EoTS) phase of their lifecycle.
^2The CVSSv3 score link takes you to a resource outside of AskF5, and it is
possible that the document may be removed without our knowledge.
Recommended Actions
If you are running a version listed in the Versions known to be vulnerable
column, you can eliminate this vulnerability by installing a version listed in
the Fixes introduced in column. If the Fixes introduced in column does not list
a version for your branch, then no update candidate currently exists for that
branch and F5 recommends upgrading to a version with the fix (refer to the
table).
If the Fixes introduced in column lists a version prior to the one you are
running, in the same branch, then your version should have the fix.
Mitigation
To mitigate this vulnerability, you can disable the Rapid Response Mode setting
in the DNS profile associated with the affected virtual server. To do so,
perform the following procedure:
Impact of action: Performing the following procedure should not have a negative
impact on your system.
1. Log in to the Configuration utility of the affected BIG-IP system.
2. Go to either of the following locations:
Local Traffic > Profiles > Services > DNS
DNS > Delivery > Profiles > DNS
3. Select the DNS profile associated with the affected virtual server.
4. Under Denial of Service Protection, for the Rapid Response Mode setting,
select Disabled.
5. Select Update.
Acknowledgements
This issue was discovered internally by F5.
Supplemental Information
o K41942608: Overview of security advisory articles
o K4602: Overview of the F5 security vulnerability response policy
o K4918: Overview of the F5 critical issue hotfix policy
o K8986: F5 software lifecycle policy
o K9502: BIG-IP hotfix and point release matrix
o K13123: Managing BIG-IP product hotfixes (11.x - 16.x)
o K167: Downloading software and firmware from F5
o K9970: Subscribing to email notifications regarding F5 products
o K9957: Creating a custom RSS feed to view new and updated documents
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBYeo3++NLKJtyKPYoAQieyA/8D8hRcNC1PhrHae8Uly5ADo5b7UeResZh
wvHxLBMohocqmKUP73PT1b7Bm+KdqQPURiy5FTzFeslPbdbU4g/wP49mOHXqHIEv
5/4QFYe6waSkxQ111RvFE8MTd+2RksY8w/jzkyDR4HS0M6npQqInmgChegU6kh/5
D96OTVhty3zKGps5F1C5uObCKra3iy7Qs2Sj00rW7eiiztubKx6BVW0mWb3t0LwO
ZmZdXXfmpu1XazhgrVnMZ93CzgK14kFuhKMVqWFLJ1TXy6F1Zfp6EKfnfdbxAR6z
2QdWMdKtj6xURYpV6sPvPy5pwVoNMpXnCp5S5+oN6pf4Ih35fl2b0d70l1zA5zfs
8szaCpIjq7xv1+LrsbdWG3E7NxTlgmNIaeHXsUSHW9NY/BF0ftufiWsq/J421un6
MKbiVYDvaDKcMS/LRBwC42o0rfiG0dFe882CiGP7CuZbiGxmJIflS+h01rRKEpkG
jX/IX8tIjrxd56TfHgGAchhgmQrScCc3F85vUGOLS8TFppUOHEm2sxSR1Rrdt9Nm
9Gi0jv7QRTDE2dXQ/cwFao43NfhIgao5iCpLPl1NtF4IeJlhcLtLql97vWMzSGOQ
kItGIz1n8A05nDUfo889GgCsCBccnXHKQ6ORcHtVNNJN6/HRf/1hTjA8bazogfjR
xKux/gEvScE=
=1nfa
-----END PGP SIGNATURE-----
ESB-2022.0284 - [Appliance] BIG-IP: Denial of service - Remote/unauthenticated
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2022.0284
K26310765: HTTP/2 profile vulnerability CVE-2022-23012
21 January 2022
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: BIG-IP
Publisher: F5 Networks
Operating System: Network Appliance
Impact/Access: Denial of Service -- Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2022-23012
Original Bulletin:
https://support.f5.com/csp/article/K26310765
- --------------------------BEGIN INCLUDED TEXT--------------------
K26310765: HTTP/2 profile vulnerability CVE-2022-23012
Original Publication Date: 19 Jan, 2022
Security Advisory Description
When the HTTP/2 profile is configured on a virtual server, undisclosed requests
can cause the Traffic Management Microkernel (TMM) to terminate. (
CVE-2022-23012)
Impact
Traffic is disrupted while the TMM process restarts. This vulnerability allows
a remote unauthenticated attacker to cause a denial-of-service (DoS) on the
BIG-IP system. There is no control plane exposure; this is a data plane issue
only.
Security Advisory Status
F5 Product Development has assigned ID 910517 (BIG-IP) to this vulnerability.
This issue has been classified as CWE-415: Double Free (4.6).
To determine if your product and version have been evaluated for this
vulnerability, refer to the Applies to (see versions) box. To determine if your
release is known to be vulnerable, the components or features that are affected
by the vulnerability, and for information about releases, point releases, or
hotfixes that address the vulnerability, refer to the following table. For more
information about security advisory versioning, refer to K51812227:
Understanding security advisory versioning.
Note: After a fix is introduced for a given minor branch, that fix applies to
all subsequent maintenance and point releases for that branch, and no
additional fixes for that branch will be listed in the table. For example, when
a fix is introduced in 14.1.2.3, the fix also applies to 14.1.2.4, and all
later 14.1.x releases (14.1.3.x., 14.1.4.x). For more information, refer to
K51812227: Understanding security advisory versioning. Additionally, software
versions preceding those listed in the following table have reached the End of
Technical Support (EoTS) phase of their lifecycle and are no longer evaluated
for security issues. For more information, refer to the Security hotfixes
section of K4602: Overview of the F5 security vulnerability response policy.
+------------+------+--------------+----------+----------+------+-------------+
| | |Versions known|Fixes | |CVSSv3|Vulnerable |
|Product |Branch|to be |introduced|Severity |score^|component or |
| | |vulnerable^1 |in | |2 |feature |
+------------+------+--------------+----------+----------+------+-------------+
| |16.x |None |16.0.0 | | | |
| +------+--------------+----------+ | | |
| |15.x |15.1.0 - |15.1.4.1 | | | |
| | |15.1.4 | | | | |
| +------+--------------+----------+ | | |
| |14.x |14.1.0 - |14.1.4.5 | | | |
| | |14.1.4 | | | | |
|BIG-IP (all +------+--------------+----------+High |7.5 |HTTP/2 |
|modules) |13.x |None |Not | | |profile |
| | | |applicable| | | |
| +------+--------------+----------+ | | |
| |12.x |None |Not | | | |
| | | |applicable| | | |
| +------+--------------+----------+ | | |
| |11.x |None |Not | | | |
| | | |applicable| | | |
+------------+------+--------------+----------+----------+------+-------------+
| |8.x |None |Not | | | |
|BIG-IQ | | |applicable|Not | | |
|Centralized +------+--------------+----------+vulnerable|None |None |
|Management |7.x |None |Not | | | |
| | | |applicable| | | |
+------------+------+--------------+----------+----------+------+-------------+
|F5OS-A |1.x |None |Not |Not |None |None |
| | | |applicable|vulnerable| | |
+------------+------+--------------+----------+----------+------+-------------+
|F5OS-C |1.x |None |Not |Not |None |None |
| | | |applicable|vulnerable| | |
+------------+------+--------------+----------+----------+------+-------------+
|Traffix SDC |5.x |None |Not |Not |None |None |
| | | |applicable|vulnerable| | |
+------------+------+--------------+----------+----------+------+-------------+
^1F5 only evaluates software versions that have not yet reached the End of
Technical Support (EoTS) phase of their lifecycle.
^2The CVSSv3 score link takes you to a resource outside of AskF5, and it is
possible that the document may be removed without our knowledge.
Recommended Actions
If you are running a version listed in the Versions known to be vulnerable
column, you can eliminate this vulnerability by installing a version listed in
the Fixes introduced in column. If the Fixes introduced in column does not list
a version for your branch, then no update candidate currently exists for that
branch and F5 recommends upgrading to a version with the fix (refer to the
table).
If the Fixes introduced in column lists a version prior to the one you are
running, in the same branch, then your version should have the fix.
Mitigation
F5 recommends you configure the BIG-IP systems with high availability (HA) to
lessen the impact of the vulnerability.
o Configure systems with HA clustering. For more information, refer to
K02234544: Manually setting up device service clustering.
o Configure the HA table to take specific actions. For more information,
refer to K9231: Overview of BIG-IP daemon heartbeat failsafe.
Acknowledgements
This issue was discovered internally by F5.
Supplemental Information
o K41942608: Overview of security advisory articles
o K4602: Overview of the F5 security vulnerability response policy
o K4918: Overview of the F5 critical issue hotfix policy
o K8986: F5 software lifecycle policy
o K9502: BIG-IP hotfix and point release matrix
o K13123: Managing BIG-IP product hotfixes (11.x - 16.x)
o K48955220: Installing an OPSWAT Endpoint Security update on BIG-IP APM
systems (11.4.x and later)
o K167: Downloading software and firmware from F5
o K9970: Subscribing to email notifications regarding F5 products
o K9957: Creating a custom RSS feed to view new and updated documents
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBYeo38+NLKJtyKPYoAQi/jQ/+LKtUCsqaGxVNjNGq3Tc+wuJDdva2y0dB
/jWlHLJoL8d8rQYOxgOijsp6B3Dz41DNXbiias40Aj9yjKoeDnlQG3MjQlZSGnWY
GccwfsdpS2q40AtjNEFXItCx1mq77PTMI7Iir+YpZkwjiD4NFBQ2mnP8QyDSFc49
j3oE0qu3wZtY6hhc4sZws+EGi01eY5AXWVUwvDM3THVl+AI94qcHKpVsauewXAAE
WN05/7l5E3Y0Wf5GvFROL8Ndq+CtWT7cKD47a2syV/qKRggQ83Lh/6i9Tur+9YMr
Gvu8jwO6TlxjCGY3QFP5fGA2OCgfsU+tkVKemUv9ppvQavEpyRiqXpB2i3g4cMu5
9TEZfYMKpPw0lHi83FVJOLOnOP1AE4qYftC9/OcnXcsJR+4Jk/C44SYZviaitXGs
v1594Zj3Wzcl8OMJ6zC2q+p2JYX6kozeZo5jdjEBCLmAC23nZLJEZ0OAcLVaptcd
ZNeRKs6zyGGCR8rK/ewN/Iu9VNpcYxSIlRQCGQ6RoARlXCeEs7fTXTsPC25P4Adk
alrmdULMmEDUBFnA5h4se3QTFZEeagTvCl3bJQe9pV6dUQdVWrla1ZoDniezyVee
n8I2EyzavxfZMkLENhlwULAa6SAZNWYuqm5Gmbl3gVB00C5Sqz0+Mh4RDmvYYMr7
p3KNYfaR8Yk=
=YwEV
-----END PGP SIGNATURE-----
ESB-2022.0283 - [Appliance] BIG-IP AFM: Denial of service - Remote/unauthenticated
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2022.0283
K24358905: BIG-IP AFM virtual server vulnerability CVE-2022-23018
21 January 2022
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: BIG-IP AFM
Publisher: F5 Networks
Operating System: Network Appliance
Impact/Access: Denial of Service -- Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2022-23018
Original Bulletin:
https://support.f5.com/csp/article/K24358905
- --------------------------BEGIN INCLUDED TEXT--------------------
K24358905: BIG-IP AFM virtual server vulnerability CVE-2022-23018
Original Publication Date: 19 Jan, 2022
Latest Publication Date: 20 Jan, 2022
Security Advisory Description
When a virtual server is configured with both HTTP protocol security and HTTP
Proxy Connect profiles, undisclosed requests can cause the Traffic Management
Microkernel (TMM) to terminate. (CVE-2022-23018)
Impact
Traffic is disrupted while the TMM process restarts. This vulnerability allows
an unauthenticated remote attacker to cause a denial-of-service (DoS) on the
BIG-IP system. There is no control plane exposure; this is a data plane issue
only.
Security Advisory Status
F5 Product Development has assigned ID 1007489 (BIG-IP) to this
vulnerability. This issue has been classified as CWE-755: Improper Handling of
Exceptional Conditions.
To determine if your product and version have been evaluated for this
vulnerability, refer to the Applies to (see versions) box. To determine if your
release is known to be vulnerable, the components or features that are affected
by the vulnerability, and for information about releases, point releases, or
hotfixes that address the vulnerability, refer to the following table. For more
information about security advisory versioning, refer to K51812227:
Understanding security advisory versioning.
Note: After a fix is introduced for a given minor branch, that fix applies to
all subsequent maintenance and point releases for that branch, and no
additional fixes for that branch will be listed in the table. For example, when
a fix is introduced in 14.1.2.3, the fix also applies to 14.1.2.4, and all
later 14.1.x releases (14.1.3.x., 14.1.4.x). For more information, refer to
K51812227: Understanding security advisory versioning. Additionally, software
versions preceding those listed in the Applies to (see versions) box of this
article have reached the End of Technical Support (EoTS) phase of their
lifecycle and are no longer evaluated for security issues. For more
information, refer to the Security hotfixes section of K4602: Overview of the
F5 security vulnerability response policy.
+-----------+------+-----------+----------+----------+------+-----------------+
| | |Versions |Fixes | |CVSSv3|Vulnerable |
|Product |Branch|known to be|introduced|Severity |score^|component or |
| | |vulnerable^|in | |2 |feature |
| | |1 | | | | |
+-----------+------+-----------+----------+----------+------+-----------------+
| |16.x |16.1.0 - |16.1.2 | | | |
| | |16.1.1 | | | | |
| +------+-----------+----------+ | | |
| |15.x |15.1.2.1 - |15.1.4.1 | | | |
| | |15.1.4 | | | | |
| +------+-----------+----------+ | |Virtual server |
| |14.x |14.1.4 |14.1.4.5 | | |configured with |
|BIG-IP +------+-----------+----------+High |7.5 |both HTTP |
|(AFM) |13.x |13.1.3.4 - |None | | |protocol security|
| | |13.1.4 | | | |and HTTP Proxy |
| +------+-----------+----------+ | |Connect profiles |
| |12.x |None |Not | | | |
| | | |applicable| | | |
| +------+-----------+----------+ | | |
| |11.x |None |Not | | | |
| | | |applicable| | | |
+-----------+------+-----------+----------+----------+------+-----------------+
| |16.x |None |Not | | | |
| | | |applicable| | | |
| +------+-----------+----------+ | | |
| |15.x |None |Not | | | |
| | | |applicable| | | |
| +------+-----------+----------+ | | |
| |14.x |None |Not | | | |
|BIG-IP (all| | |applicable|Not | | |
|other +------+-----------+----------+vulnerable|None |None |
|modules) |13.x |None |Not | | | |
| | | |applicable| | | |
| +------+-----------+----------+ | | |
| |12.x |None |Not | | | |
| | | |applicable| | | |
| +------+-----------+----------+ | | |
| |11.x |None |Not | | | |
| | | |applicable| | | |
+-----------+------+-----------+----------+----------+------+-----------------+
| |8.x |None |Not | | | |
|BIG-IQ | | |applicable|Not | | |
|Centralized+------+-----------+----------+vulnerable|None |None |
|Management |7.x |None |Not | | | |
| | | |applicable| | | |
+-----------+------+-----------+----------+----------+------+-----------------+
|F5OS-A |1.x |None |Not |Not |None |None |
| | | |applicable|vulnerable| | |
+-----------+------+-----------+----------+----------+------+-----------------+
|F5OS-A |1.x |None |Not |Not |None |None |
| | | |applicable|vulnerable| | |
+-----------+------+-----------+----------+----------+------+-----------------+
|Traffix SDC|5.x |None |Not |Not |None |None |
| | | |applicable|vulnerable| | |
+-----------+------+-----------+----------+----------+------+-----------------+
^1F5 evaluates only software versions that have not yet reached the End of
Technical Support (EoTS) phase of their lifecycle.
^2The CVSSv3 score link takes you to a resource outside of AskF5, and it is
possible that the document may be removed without our knowledge.
Recommended Actions
If you are running a version listed in the Versions known to be vulnerable
column, you can eliminate this vulnerability by installing a version listed in
the Fixes introduced in column. If the Fixes introduced in column does not list
a version for your branch, then no update candidate currently exists for that
branch and F5 recommends upgrading to a version with the fix (refer to the
table).
If the Fixes introduced in column lists a version prior to the one you are
running, in the same branch, then your version should have the fix.
Mitigation
F5 recommends you configure the BIG-IP systems with high availability (HA) to
lessen the impact of the vulnerability.
o Configure systems with HA clustering. For more information, refer to
K02234544: Manually setting up device service clustering.
o Configure the HA table to take specific actions. For more information,
refer to K9231: Overview of BIG-IP daemon heartbeat failsafe.
Acknowledgements
This issue was discovered internally by F5.
Supplemental Information
o K41942608: Overview of security advisory articles
o K4602: Overview of the F5 security vulnerability response policy
o K4918: Overview of the F5 critical issue hotfix policy
o K8986: F5 software lifecycle policy
o K9502: BIG-IP hotfix and point release matrix
o K13123: Managing BIG-IP product hotfixes (11.x - 16.x)
o K167: Downloading software and firmware from F5
o K9970: Subscribing to email notifications regarding F5 products
o K9957: Creating a custom RSS feed to view new and updated documents
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBYeo36uNLKJtyKPYoAQhTwRAAj2/UkrnAj9+pPWS41thHKrYUOawxEcdK
yCJr9zae+4TsjkZbQXJ6Hn0dzko5RAN0UgGMUUei9okeNH8gIuQtSoAwqLHHJXJx
DKMVJOtVaqrfHXa/Lo4HOTfDh4eUm+ySWh6QcUFzGYklp4BaQcxWhT4g1VRfciEv
/4KiMHSRTtaK/EANZKE+u8eJRpi5Vh8xJSRdLkhpS5dZup6YYwTlvKqZ2O7xi8CK
sh7Ev1swB1g7QkVlfzGRbjack04T2DZlwfYHpQzQDflMeMnzts94d3vcs/hTHsiJ
2MU6mASFuEqJp9c2Zse5NILtqnsdCM+UtLEdqWRA32s/19tNOpPnqvUjcJKAPy7r
TgeuPIY4IkPgTYe49GDC9pJhwPfQFwxSKsh4bn+IJeS/BMtjhNUO2rxzlJtYVDLp
K71PTlhZhmKOaEgSAgEoUbft7FdYKJez4Txb0OGNrI6jbKH84gpKJggBGt+jVWlk
AO4JGdBFWsuz3V/D3ozfLLnVm/4aq4NOm3eOOOxXiyzZOekFeHvsomxY62r0byAw
1Tn0vQEkhhQUtyapguk8jOJFwuDKHI/fIpIh/7nh9jmmgW3LeNSA9vdAIcB5+SlN
83c10zzzTcrKmcKkeXvAe10m8axyXvBwgyBqCR199c4mNDANJqGxRnruRx7huFtr
Ai4CD8Ta6xc=
=t97P
-----END PGP SIGNATURE-----
ESB-2022.0282 - [Appliance] BIG-IP TMM: Denial of service - Remote/unauthenticated
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2022.0282
K17514331: BIG-IP TMM vulnerability CVE-2022-23020
21 January 2022
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: BIG-IP TMM
Publisher: F5 Networks
Operating System: Network Appliance
Impact/Access: Denial of Service -- Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2022-23020
Original Bulletin:
https://support.f5.com/csp/article/K17514331
- --------------------------BEGIN INCLUDED TEXT--------------------
K17514331: BIG-IP TMM vulnerability CVE-2022-23020
Original Publication Date: 19 Jan, 2022
Latest Publication Date: 20 Jan, 2022
Security Advisory Description
When the 'Respond on Error' setting is enabled on the Request Logging profile
and configured on a virtual server, undisclosed requests can cause the Traffic
Management Microkernel (TMM) to terminate. (CVE-2022-23020)
Impact
Traffic is disrupted while the TMM process restarts. This vulnerability allows
a remote unauthenticated attacker to cause a denial-of-service (DoS) on the
BIG-IP system. There is no control plane exposure; this is a data plane issue
only. The Respond On Error setting is disabled by default on the Request
Logging profile.
Security Advisory Status
F5 Product Development has assigned ID 1031269 (BIG-IP) to this vulnerability.
This issue has been classified as CWE-476: NULL Pointer Dereference.
To determine if your product and version have been evaluated for this
vulnerability, refer to the Applies to (see versions) box. To determine if your
release is known to be vulnerable, the components or features that are affected
by the vulnerability, and for information about releases, point releases, or
hotfixes that address the vulnerability, refer to the following table. For more
information about security advisory versioning, refer to K51812227:
Understanding security advisory versioning.
Note: After a fix is introduced for a given minor branch, that fix applies to
all subsequent maintenance and point releases for that branch, and no
additional fixes for that branch will be listed in the table. For example, when
a fix is introduced in 14.1.2.3, the fix also applies to 14.1.2.4, and all
later 14.1.x releases (14.1.3.x., 14.1.4.x). For more information, refer to
K51812227: Understanding security advisory versioning. Additionally, software
versions preceding those listed in the Applies to (see versions) box of this
article have reached the End of Technical Support (EoTS) phase of their
lifecycle and are no longer evaluated for security issues. For more
information, refer to the Security hotfixes section of K4602: Overview of the
F5 security vulnerability response policy.
+------------+------+--------------+----------+----------+------+-------------+
| | |Versions known|Fixes | |CVSSv3|Vulnerable |
|Product |Branch|to be |introduced|Severity |score^|component or |
| | |vulnerable^1 |in | |2 |feature |
+------------+------+--------------+----------+----------+------+-------------+
| |16.x |16.1.0 - |16.1.2 | | | |
| | |16.1.1 | | | | |
| +------+--------------+----------+ | | |
| |15.x |None |Not | | | |
| | | |applicable| | | |
| +------+--------------+----------+ | | |
| |14.x |None |Not | | | |
|BIG-IP (all | | |applicable| | |LTM Request |
|modules) +------+--------------+----------+High |7.5 |Logging |
| |13.x |None |Not | | |Profile |
| | | |applicable| | | |
| +------+--------------+----------+ | | |
| |12.x |None |Not | | | |
| | | |applicable| | | |
| +------+--------------+----------+ | | |
| |11.x |None |Not | | | |
| | | |applicable| | | |
+------------+------+--------------+----------+----------+------+-------------+
| |8.x |None |Not | | | |
|BIG-IQ | | |applicable|Not | | |
|Centralized +------+--------------+----------+vulnerable|None |None |
|Management |7.x |None |Not | | | |
| | | |applicable| | | |
+------------+------+--------------+----------+----------+------+-------------+
|F5OS-A |1.x |None |Not |Not |None |None |
| | | |applicable|vulnerable| | |
+------------+------+--------------+----------+----------+------+-------------+
|F5OS-C |1.x |None |Not |Not |None |None |
| | | |applicable|vulnerable| | |
+------------+------+--------------+----------+----------+------+-------------+
|Traffix SDC |5.x |None |Not |Not |None |None |
| | | |applicable|vulnerable| | |
+------------+------+--------------+----------+----------+------+-------------+
^1F5 evaluates only software versions that have not yet reached the End of
Technical Support (EoTS) phase of their lifecycle.
^2The CVSSv3 score link takes you to a resource outside of AskF5, and it is
possible that the document may be removed without our knowledge.
Recommended Actions
If you are running a version listed in the Versions known to be vulnerable
column, you can eliminate this vulnerability by installing a version listed in
the Fixes introduced in column. If the Fixes introduced in column does not list
a version for your branch, then no update candidate currently exists for that
branch and F5 recommends upgrading to a version with the fix (refer to the
table).
If the Fixes introduced in column lists a version prior to the one you are
running, in the same branch, then your version should have the fix.
Mitigation
To mitigate this vulnerability, you can disable the the Respond On Error
setting on the Request Logging profile. To do so, perform the following
procedure:
Impact of mitigation: Performing the following procedure should not have a
negative impact on your system.
1. From the BIG-IP Configuration utility, go to Local Traffic > Profiles >
Other > Request Logging.
2. Select the Request Logging profile configured on your virtual server.
3. Under Request Settings > Respond On Error, select Disabled.
4. Select Update.
Acknowledgements
This issue was discovered internally by F5.
Supplemental Information
o K41942608: Overview of security advisory articles
o K4602: Overview of the F5 security vulnerability response policy
o K4918: Overview of the F5 critical issue hotfix policy
o K8986: F5 software lifecycle policy
o K9502: BIG-IP hotfix and point release matrix
o K13123: Managing BIG-IP product hotfixes (11.x - 16.x)
o K15106: Managing BIG-IQ product hotfixes
o K15113: BIG-IQ hotfix and point release matrix
o K48955220: Installing an OPSWAT Endpoint Security update on BIG-IP APM
systems (11.4.x and later)
o K167: Downloading software and firmware from F5
o K9970: Subscribing to email notifications regarding F5 products
o K9957: Creating a custom RSS feed to view new and updated documents
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBYeo35ONLKJtyKPYoAQjISg//eBkHlRD2cH1R2kmA/+r2MdRjF3F0jkSS
x5hDWOsfc6V+98cutGORwSiFgJtUDP2PV5klgDY6f0c6MvEscXOgjB0z7MIl4Dl9
q3v4aoJhYbcihBfvSCQ/H3n3S4Uk445y+3xAkzqawiCQCF/YEUJo9Ha4VIusSCnm
oLUaiFGnTCUeo08FLoRAWuM2sZrLnFDcBDUgdyyqI7IH10F5TmvJj1V57sJO8xWL
HlAyNTeCUvobb3ZGzzuhJTmUu4GDAXGjyfkhcCnGgQAwxX9Q0tWewfcVlifuZWBv
4TpxkRx7KAWwfeSqq8buVqa/A88JQy2XF/W0U9eiFrYh7Pnkus+FboLX/TLGnbjK
NlGmGZYKfir1qEMuX8k86vK4ed3RzCYSnkY/sSV0ISUxA+i0fiDA119F2arglLbT
CrMRw+yQs/FwNbUh0gXLGTEjOJFr+0dhXMzWZdYdWhhL1uw6vIXC+dZu/3HH5f2g
VVOjk5oh1eQJoCqxvh8eDIa3jpnvj6pnKCs0ByuFrkWDgxC3Z+yFKJJDBYCtDGMR
2DzpMG9zWf4BdFFCTw0W0lNMHf8De4v1Z7Yu/YZyWPlpG33qJJnOklxopLNjcjbF
yGNE3Ae3t5SrulOtfmgOkhfk5YjUvo6h+NLU95ZEl95C9P/zqAL0xKehuh73reA6
8e2JsR04z/o=
=uNxk
-----END PGP SIGNATURE-----
ESB-2022.0281 - [Appliance] BIG-IP AFM: Denial of service - Remote/unauthenticated
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2022.0281
K16101409: BIG-IP AFM vulnerability CVE-2022-23028
21 January 2022
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: BIG-IP AFM
Publisher: F5 Networks
Operating System: Network Appliance
Impact/Access: Denial of Service -- Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2022-23028
Original Bulletin:
https://support.f5.com/csp/article/K16101409
- --------------------------BEGIN INCLUDED TEXT--------------------
K16101409: BIG-IP AFM vulnerability CVE-2022-23028
Original Publication Date: 19 Jan, 2022
Security Advisory Description
When global AFM SYN cookie protection (TCP Half Open flood vector) is activated
in the AFM Device Dos or DOS profile, certain types of TCP connections will
fail. (CVE-2022-23028)
Impact
This vulnerability allows a remote attacker to cause a denial-of-service (DoS)
on the BIG-IP system, specific to the following three distinct scenarios. There
is no control plane exposure; this is a data plane issue only.
Traffic is disrupted for TCP connections, which falls into any of the following
three scenarios:
o Traffic arrives over the BIG-IP APM VPN tunnel and is handled by one of the
internal default APM listeners (not a more specific listener).
o Device is Active for multiple floating traffic-groups, the said
traffic-groups are not using MAC masquerading, and the BIG-IP DB key
connection.syncookies.algorithm is set to software.
o Traffic belongs to traffic-group-local-only, and the BIG-IP DB key
connection.syncookies.algorithm is set to software.
Security Advisory Status
F5 Product Development has assigned ID 997193 (BIG-IP) to this
vulnerability. This issue has been classified as CWE-682: Incorrect Calculation
.
To determine if your product and version have been evaluated for this
vulnerability, refer to the Applies to (see versions) box. To determine if your
release is known to be vulnerable, the components or features that are affected
by the vulnerability, and for information about releases, point releases, or
hotfixes that address the vulnerability, refer to the following table. For more
information about security advisory versioning, refer to K51812227:
Understanding security advisory versioning.
Note: After a fix is introduced for a given minor branch, that fix applies to
all subsequent maintenance and point releases for that branch, and no
additional fixes for that branch will be listed in the table. For example, when
a fix is introduced in 14.1.2.3, the fix also applies to 14.1.2.4, and all
later 14.1.x releases (14.1.3.x., 14.1.4.x). For more information, refer to
K51812227: Understanding security advisory versioning. Additionally, software
versions preceding those listed in the Applies to (see versions) box of this
article have reached the End of Technical Support (EoTS) phase of their
lifecycle and are no longer evaluated for security issues. For more
information, refer to the Security hotfixes section of K4602: Overview of the
F5 security vulnerability response policy.
+------------+------+--------------+----------+----------+------+-------------+
| | |Versions known|Fixes | |CVSSv3|Vulnerable |
|Product |Branch|to be |introduced|Severity |score^|component or |
| | |vulnerable^1 |in | |2 |feature |
+------------+------+--------------+----------+----------+------+-------------+
| |16.x |None |16.1.0 | | | |
| +------+--------------+----------+ | | |
| |15.x |15.1.0 - |15.1.5 | | | |
| | |15.1.4 | | | | |
| +------+--------------+----------+ | | |
| |14.x |14.1.0 - |14.1.4.5 | | | |
| | |14.1.4 | | | |AFM SYN |
|BIG-IP AFM +------+--------------+----------+Medium |5.3 |cookie |
| |13.x |13.1.0 - |None | | |protection |
| | |13.1.4 | | | | |
| +------+--------------+----------+ | | |
| |12.x |None |Not | | | |
| | | |applicable| | | |
| +------+--------------+----------+ | | |
| |11.x |None |Not | | | |
| | | |applicable| | | |
+------------+------+--------------+----------+----------+------+-------------+
| |16.x |None |Not | | | |
| | | |applicable| | | |
| +------+--------------+----------+ | | |
| |15.x |None |Not | | | |
| | | |applicable| | | |
| +------+--------------+----------+ | | |
| |14.x |None |Not | | | |
|BIG-IP (all | | |applicable|Not | | |
|modules) +------+--------------+----------+vulnerable|None |None |
| |13.x |None |Not | | | |
| | | |applicable| | | |
| +------+--------------+----------+ | | |
| |12.x |None |Not | | | |
| | | |applicable| | | |
| +------+--------------+----------+ | | |
| |11.x |None |Not | | | |
| | | |applicable| | | |
+------------+------+--------------+----------+----------+------+-------------+
| |8.x |None |Not | | | |
|BIG-IQ | | |applicable|Not | | |
|Centralized +------+--------------+----------+vulnerable|None |None |
|Management |7.x |None |Not | | | |
| | | |applicable| | | |
+------------+------+--------------+----------+----------+------+-------------+
|F5OS-A |1.x |None |Not |Not |None |None |
| | | |applicable|vulnerable| | |
+------------+------+--------------+----------+----------+------+-------------+
|F5OS-C |1.x |None |Not |Not |None |None |
| | | |applicable|vulnerable| | |
+------------+------+--------------+----------+----------+------+-------------+
|Traffix SDC |5.x |None |Not |Not |None |None |
| | | |applicable|vulnerable| | |
+------------+------+--------------+----------+----------+------+-------------+
^1F5 evaluates only software versions that have not yet reached the End of
Technical Support (EoTS) phase of their lifecycle.
^2The CVSSv3 score link takes you to a resource outside of AskF5, and it is
possible that the document may be removed without our knowledge.
Recommended Actions
If you are running a version listed in the Versions known to be vulnerable
column, you can eliminate this vulnerability by installing a version listed in
the Fixes introduced in column. If the Fixes introduced in column does not list
a version for your branch, then no update candidate currently exists for that
branch and F5 recommends upgrading to a version with the fix (refer to the
table).
If the Fixes introduced in column lists a version prior to the one you are
running, in the same branch, then your version should have the fix.
Mitigation
Following are the mitigation options for three different scenarios:
o For the APM VPN case: Define a listener (for example, virtual server) over
the tunnel to process the traffic (instead of relying on one of the default
internal APM listeners). There is no workaround if the device is Active for
multiple floating traffic-groups at the same time.
o For the device Active for multiple floating traffic-groups case: Configure
MAC masquerading for all floating traffic-groups, or set the BIG-IP DB key
connection.syncookies.algorithm to its default value of hardware.
o For the traffic-group-local-only case: Set the BIG-IP DB key
connection.syncookies.algorithm back to its default value of hardware, or
disable AFM global SYN cookies by turning off the TCP Half-Open attack
vector at the Device Dos and DOS profile. Disabling AFM global SYN cookies
has no impact on LTM SYN cookies; LTM SYN cookies are still available to
protect the system.
Acknowledgements
This issue was discovered internally by F5.
Supplemental Information
o K41942608: Overview of security advisory articles
o K4602: Overview of the F5 security vulnerability response policy
o K4918: Overview of the F5 critical issue hotfix policy
o K8986: F5 software lifecycle policy
o K9502: BIG-IP hotfix and point release matrix
o K13123: Managing BIG-IP product hotfixes (11.x - 16.x)
o K167: Downloading software and firmware from F5
o K9970: Subscribing to email notifications regarding F5 products
o K9957: Creating a custom RSS feed to view new and updated documents
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBYeo32+NLKJtyKPYoAQhzFg/9GXOFa6d0z47FEQb6SWpeuTTTw1zI+Eui
6YEd0DO8IckdbuG2Ae2S9irRL/uqkUxknF7qJaS76scR0nVDKQxH1uO+3l4Yl6ZE
30Nzh0NolyhDM7K+voHMz+xiIR+PMjI/soWywV0l88tfDcLNCBhikDh6g4bgMlGr
zIvjdNJBExESKmUuv8BfCCsjl7H7lhztcnSR3Y0g8GGOnXuQ+6u98cawnizNb8F0
y3diZVvakxhqVrmMThhjpdo2wZjp3TOaRHFwzTUvUy1n3esi/IGqycmud8Qt5Hys
BZcswSW/MVw6RzZADsOEjXvIk+t2c+bQjvJbuTyhuO6Ui01/YfMNtlFDkg5OkQHw
tiuEy4Ep11Aj5Ie4BWwxFzhz5yzqrCdzwTyW9cMDcF6cwC9tKCZ4Mdov+8Wx/CKD
3ATvLqEV0CxXUB0wPwUbWKEMUObERtfTr3+rXd3YQ7pGyZGYpBblm6tic+3Moi3a
KqbkxSKePxj1oQAGY5KXhSnnsdKcRgUIwLo61sfQad3Qa7/1XAUbkZXnztKuBJjk
U5NIZvQ25riEtICKh1O1JoiII2gzO1cUPOZV7Zz7sX18X3KhN6cyn5XXXQxMC5UO
Sr5u7qwDzmEh5Igr7Ut5w78oGDs4MUt8/c6tprxb4lyiD4peizXtttJybeNqd4mY
czcin8+tufs=
=G2+x
-----END PGP SIGNATURE-----
ESB-2022.0280 - permissions: Reduced security - Unknown/unspecified
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2022.0280
Security update for permissions
21 January 2022
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: permissions
Publisher: SUSE
Impact/Access: Reduced Security -- Unknown/Unspecified
Resolution: Patch/Upgrade
Original Bulletin:
https://www.suse.com/support/update/announcement/2022/suse-su-20220141-1
- --------------------------BEGIN INCLUDED TEXT--------------------
SUSE Security Update: Security update for permissions
______________________________________________________________________________
Announcement ID: SUSE-SU-2022:0141-1
Rating: moderate
References: #1169614
Affected Products:
SUSE MicroOS 5.1
SUSE MicroOS 5.0
SUSE Linux Enterprise Module for Basesystem 15-SP3
______________________________________________________________________________
An update that contains security fixes can now be installed.
Description:
This update for permissions fixes the following issues:
o Update to version 20181225: setuid bit for cockpit session binary (bsc#
1169614).
Patch Instructions:
To install this SUSE Security Update use the SUSE recommended installation
methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
o SUSE MicroOS 5.1:
zypper in -t patch SUSE-SUSE-MicroOS-5.1-2022-141=1
o SUSE MicroOS 5.0:
zypper in -t patch SUSE-SUSE-MicroOS-5.0-2022-141=1
o SUSE Linux Enterprise Module for Basesystem 15-SP3:
zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP3-2022-141=1
Package List:
o SUSE MicroOS 5.1 (aarch64 s390x x86_64):
permissions-20181225-23.12.1
permissions-debuginfo-20181225-23.12.1
permissions-debugsource-20181225-23.12.1
o SUSE MicroOS 5.0 (aarch64 x86_64):
permissions-20181225-23.12.1
permissions-debuginfo-20181225-23.12.1
permissions-debugsource-20181225-23.12.1
o SUSE Linux Enterprise Module for Basesystem 15-SP3 (aarch64 ppc64le s390x
x86_64):
permissions-20181225-23.12.1
permissions-debuginfo-20181225-23.12.1
permissions-debugsource-20181225-23.12.1
o SUSE Linux Enterprise Module for Basesystem 15-SP3 (noarch):
permissions-zypp-plugin-20181225-23.12.1
References:
o https://bugzilla.suse.com/1169614
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBYeo2R+NLKJtyKPYoAQjI7BAAifLhbiKDnVTeKoAfkV4Q3/fJocN9rM0E
PfFItylYzbP15vsEKKQfgSbFnZoqbIAcBKstqfLXbODhLvbXXflMH6I9WAyFti0R
jy5tJ0dMQy8gShYYhR8ptuZqVEaiX3ZrycdYKvYaPT3p5C9wVs1S7Msamc8TTY6g
MwBrZphrExRfgLFOUA+te+HUoVtG0+e89eY4Ifp0Juooi+AbtI9+ehZaAufO9RDh
/sKLXhFMl9jGe0YX+wV0x2xczrETq/phhgH4GI65rcLxQ7K6RyJovQtPuJAmMFup
zHdrV+JCaVjYDLgh5s+wcLmHhUc+p6UwXY+uOaYSu+yTRQxAwoIC7s37Xac2meA8
kifbcWW9458NseaFQFLsvfIS3y9yeYNLPjt7zLm5pNevpPTZVB3JKdZU9xvG2HrV
Eg7c5rORHfKZhL1CeDg41RK9m4k6Tn3H2ByMoP5mg8cN4Uol21HKnZgIlzb6L87h
GW9HTsQUCx+vsgKGT1RYzaBcEPqDbmmJ9k5DpwGZ/AAbqOrjHMSlXenzFtPgameg
zecAhBmunGrySXAMHSQy3OYP1YWRVX5VbHfxMYWLpDvaYIdS+6Plt5fTWm39AWKi
2BJgpCoro4mQeX7wIML0wpTXmWBbvSKnpNEkmG516DD/a9mvemuXc2BEjxxdcbsU
ROrVoPifu+0=
=8REZ
-----END PGP SIGNATURE-----
ESB-2022.0279 - [UNIX/Linux][SUSE] virglrenderer: Reduced security - Existing account
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2022.0279
Security update for virglrenderer
21 January 2022
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: virglrenderer
Publisher: SUSE
Operating System: SUSE
UNIX variants (UNIX, Linux, OSX)
Impact/Access: Reduced Security -- Existing Account
Resolution: Patch/Upgrade
CVE Names: CVE-2022-0175
Original Bulletin:
https://www.suse.com/support/update/announcement/2022/suse-su-20220111-1
https://www.suse.com/support/update/announcement/2022/suse-su-20220110-1
Comment: This advisory references vulnerabilities in products which run on
platforms other than SUSE. It is recommended that administrators
running virglrenderer check for an updated version of the software
for their operating system.
This bulletin contains two (2) SUSE security advisories.
- --------------------------BEGIN INCLUDED TEXT--------------------
SUSE Security Update: Security update for virglrenderer
______________________________________________________________________________
Announcement ID: SUSE-SU-2022:0111-1
Rating: important
References: #1194601
Cross-References: CVE-2022-0175
Affected Products:
SUSE MicroOS 5.0
SUSE Linux Enterprise Module for Server Applications 15-SP3
______________________________________________________________________________
An update that fixes one vulnerability is now available.
Description:
This update for virglrenderer fixes the following issues:
o CVE-2022-0175: Fixed missing initialization of res->ptr (bsc#1194601).
Patch Instructions:
To install this SUSE Security Update use the SUSE recommended installation
methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
o SUSE MicroOS 5.0:
zypper in -t patch SUSE-SUSE-MicroOS-5.0-2022-111=1
o SUSE Linux Enterprise Module for Server Applications 15-SP3:
zypper in -t patch SUSE-SLE-Module-Server-Applications-15-SP3-2022-111=1
Package List:
o SUSE MicroOS 5.0 (aarch64 x86_64):
libvirglrenderer0-0.6.0-4.6.1
libvirglrenderer0-debuginfo-0.6.0-4.6.1
virglrenderer-debuginfo-0.6.0-4.6.1
virglrenderer-debugsource-0.6.0-4.6.1
o SUSE Linux Enterprise Module for Server Applications 15-SP3 (aarch64
ppc64le s390x x86_64):
libvirglrenderer0-0.6.0-4.6.1
libvirglrenderer0-debuginfo-0.6.0-4.6.1
virglrenderer-debuginfo-0.6.0-4.6.1
virglrenderer-debugsource-0.6.0-4.6.1
virglrenderer-devel-0.6.0-4.6.1
References:
o https://www.suse.com/security/cve/CVE-2022-0175.html
o https://bugzilla.suse.com/1194601
- --------------------------------------------------------------------------------
SUSE Security Update: Security update for virglrenderer
______________________________________________________________________________
Announcement ID: SUSE-SU-2022:0110-1
Rating: important
References: #1194601
Cross-References: CVE-2022-0175
Affected Products:
SUSE Linux Enterprise Software Development Kit 12-SP5
SUSE Linux Enterprise Server 12-SP5
______________________________________________________________________________
An update that fixes one vulnerability is now available.
Description:
This update for virglrenderer fixes the following issues:
o CVE-2022-0175: Fixed missing initialization of res->ptr (bsc#1194601).
Patch Instructions:
To install this SUSE Security Update use the SUSE recommended installation
methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
o SUSE Linux Enterprise Software Development Kit 12-SP5:
zypper in -t patch SUSE-SLE-SDK-12-SP5-2022-110=1
o SUSE Linux Enterprise Server 12-SP5:
zypper in -t patch SUSE-SLE-SERVER-12-SP5-2022-110=1
Package List:
o SUSE Linux Enterprise Software Development Kit 12-SP5 (aarch64 ppc64le
s390x x86_64):
virglrenderer-debugsource-0.5.0-12.6.1
virglrenderer-devel-0.5.0-12.6.1
o SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64):
libvirglrenderer0-0.5.0-12.6.1
libvirglrenderer0-debuginfo-0.5.0-12.6.1
virglrenderer-debugsource-0.5.0-12.6.1
References:
o https://www.suse.com/security/cve/CVE-2022-0175.html
o https://bugzilla.suse.com/1194601
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBYeo2BuNLKJtyKPYoAQh9Gw/8CxezL4QOrTyaXBx50QkdFHBtqcqMjg7/
RIw4CaTD8tIaSV33ffa1mOJLYKeJDwvWDYWqTyxhEGtOi6E7Dj6GDzvlI8bvP8rl
32PfGKK0nWK9YuHHqmyBNGc0T+vdaFaPdditT4gq74gq6vAnZN6UjtHBgPkwjZOR
j7jdPuAknalAVZXWSjbdfUXHwJElOJFI+JV85CiTM6WWiZosEJiAJv88xiR8W5qY
Tu41MpG4djSNA2s6ITJ2lRiJO7EGR+8LagEQRmqYQHKLINar5eE4YN3XqbKNsmLj
xglG1qfmZwo5ZqyFBUy0Zt+AhF7mGqQsekbxjTOIln9iLjWZLKphLKoLarQpEbJt
vB8/tSrot3zPSBMPufFdtcMyoMAxThb0q2lY7MYqJPU76vG0tJbOgxud1h9noz0J
Exwe/hh6bzTeUphcCql3nBXBwNN64GhOEhmh1cjcwpdcBPax0FFUYHz7CT7zc7ox
YWsLs9WoUytGQBSHmryVVGSUcDyMtiKfZXKU8SCgTMdrr9yt9M6v90HqOheDw/kO
sPUrTpO9P6X4ZULaujHdsCbP9K15XRDkukROZnAUsdBWKx6h5jkAsSUvsrIBAJkZ
naTD8A9zvrQSxUDcNX5UdGNaMJNP/EDBTIkOTeObgNtGtlnPOl3XVqLlynvFa8a4
ddkT6n/BvHQ=
=Ajyv
-----END PGP SIGNATURE-----
ESB-2022.0278 - [UNIX/Linux][SUSE] python-numpy: Denial of service - Existing account
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2022.0278
Security update for python-numpy
21 January 2022
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: python-numpy
Publisher: SUSE
Operating System: SUSE
UNIX variants (UNIX, Linux, OSX)
Impact/Access: Denial of Service -- Existing Account
Resolution: Patch/Upgrade
CVE Names: CVE-2021-41496 CVE-2021-33430
Original Bulletin:
https://www.suse.com/support/update/announcement/2022/suse-su-20220118-1
https://www.suse.com/support/update/announcement/2022/suse-su-20220134-1
Comment: This advisory references vulnerabilities in products which run on
platforms other than SUSE. It is recommended that administrators
running python-numpy check for an updated version of the software
for their operating system.
This bulletin contains two (2) SUSE security advisories.
- --------------------------BEGIN INCLUDED TEXT--------------------
SUSE Security Update: Security update for python-numpy
______________________________________________________________________________
Announcement ID: SUSE-SU-2022:0118-1
Rating: moderate
References: #1193907 #1193913
Cross-References: CVE-2021-33430 CVE-2021-41496
Affected Products:
SUSE Linux Enterprise Software Development Kit 12-SP5
SUSE Linux Enterprise Server 12-SP5
______________________________________________________________________________
An update that fixes two vulnerabilities is now available.
Description:
This update for python-numpy fixes the following issues:
o CVE-2021-33430: Fixed buffer overflow that could lead to DoS in
PyArray_NewFromDescr_int function of ctors.c (bsc#1193913).
o CVE-2021-41496: Fixed buffer overflow that could lead to DoS in
array_from_pyobj function of fortranobject.c (bsc#1193907).
Patch Instructions:
To install this SUSE Security Update use the SUSE recommended installation
methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
o SUSE Linux Enterprise Software Development Kit 12-SP5:
zypper in -t patch SUSE-SLE-SDK-12-SP5-2022-118=1
o SUSE Linux Enterprise Server 12-SP5:
zypper in -t patch SUSE-SLE-SERVER-12-SP5-2022-118=1
Package List:
o SUSE Linux Enterprise Software Development Kit 12-SP5 (aarch64 ppc64le
s390x x86_64):
python-numpy-debuginfo-1.8.0-5.11.1
python-numpy-debugsource-1.8.0-5.11.1
python-numpy-devel-1.8.0-5.11.1
o SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64):
python-numpy-1.8.0-5.11.1
python-numpy-debuginfo-1.8.0-5.11.1
python-numpy-debugsource-1.8.0-5.11.1
References:
o https://www.suse.com/security/cve/CVE-2021-33430.html
o https://www.suse.com/security/cve/CVE-2021-41496.html
o https://bugzilla.suse.com/1193907
o https://bugzilla.suse.com/1193913
- -------------------------------------------------------------------------------
SUSE Security Update: Security update for python-numpy
______________________________________________________________________________
Announcement ID: SUSE-SU-2022:0134-1
Rating: moderate
References: #1193907 #1193913
Cross-References: CVE-2021-33430 CVE-2021-41496
Affected Products:
SUSE Linux Enterprise Module for HPC 15-SP3
SUSE Linux Enterprise Module for Basesystem 15-SP3
______________________________________________________________________________
An update that fixes two vulnerabilities is now available.
Description:
This update for python-numpy fixes the following issues:
o CVE-2021-33430: Fixed buffer overflow that could lead to DoS in
PyArray_NewFromDescr_int function of ctors.c (bsc#1193913).
o CVE-2021-41496: Fixed buffer overflow that could lead to DoS in
array_from_pyobj function of fortranobject.c (bsc#1193907).
Patch Instructions:
To install this SUSE Security Update use the SUSE recommended installation
methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
o SUSE Linux Enterprise Module for HPC 15-SP3:
zypper in -t patch SUSE-SLE-Module-HPC-15-SP3-2022-134=1
o SUSE Linux Enterprise Module for Basesystem 15-SP3:
zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP3-2022-134=1
Package List:
o SUSE Linux Enterprise Module for HPC 15-SP3 (aarch64 x86_64):
python-numpy_1_17_3-gnu-hpc-debugsource-1.17.3-10.1
python3-numpy-gnu-hpc-1.17.3-10.1
python3-numpy-gnu-hpc-devel-1.17.3-10.1
python3-numpy_1_17_3-gnu-hpc-1.17.3-10.1
python3-numpy_1_17_3-gnu-hpc-debuginfo-1.17.3-10.1
python3-numpy_1_17_3-gnu-hpc-devel-1.17.3-10.1
o SUSE Linux Enterprise Module for Basesystem 15-SP3 (aarch64 ppc64le s390x
x86_64):
python-numpy-debugsource-1.17.3-10.1
python3-numpy-1.17.3-10.1
python3-numpy-debuginfo-1.17.3-10.1
python3-numpy-devel-1.17.3-10.1
References:
o https://www.suse.com/security/cve/CVE-2021-33430.html
o https://www.suse.com/security/cve/CVE-2021-41496.html
o https://bugzilla.suse.com/1193907
o https://bugzilla.suse.com/1193913
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBYeo16uNLKJtyKPYoAQhQtg//RWBWoh260GazStZsB1+XxQfV6dW/y4Z1
rmqIwsawVmgvCGc7GXd77SGMj9MBXIijNWV61hbHAxzCuT/Ln5iNkd7bVymhnKti
AqpvpBTkL9Yrd5wqZ1Og+LcCiRRx+VOHlVOP/Wnnt2CL8qtIHyGrqSNmjPIUFiTG
r3M/pOQDNQk8D8miYOmNQOIg0XMqFJCsjSqER5iIRcIBSp8gcYrW5vROW8YVYdJv
xKkIN7b/kz2A3asvRV/jRbCJEA2qvfQwkxDcOT0AyWnBCybNayODRO0e2UVfevob
+zM8DHQ7e21lY20uJaDdSJAJSovc7p1AQNIq4V5SZ3spyuqwDp1F+OwwFwM4qoDx
1jt78PmihIWA3OaU0PH6t6iQ+M8j1v8FTqalFWaiavBC1lKjsgo0dMpB7e5SEha2
uB0WJog4vChRsV+OgdxM9nLO+ZBQfD8ITZFV967J1zyLQsWYGujPOh1RSaUKJHD8
m/NjUWCigeQ6obVJ7/KFduheW5Q+ydh3ClAVgf6vRtS7Q9dxZqN+VGHWrt3h8Hzm
ReNN3qcYoOoKbmNo0y4fTAU8F1WXe/joxKkKlX20OqbK4AKs3GqK1Zx5tEzSUQ/N
9PZ+VLmnWaCRK1AP8wGZHbmYU3mnjjaSzxQeTk6T1hULJ6Kkrt0j7Kx9avp+58Ox
/qCv7YmN+g0=
=IDHq
-----END PGP SIGNATURE-----