SUSE-IU-2024:258-1 SUSE Image security@suse.de SUSE Security Team SUSE Image SUSE-IU-2024:258-1 Interim 1 1 2024-12-08T22:19:42Z current 2024-03-08T01:00:00Z 2024-03-08T01:00:00Z cve-database/bin/generate-cvrf-publiccloud.pl 2021-02-18T01:00:00Z Image update for SUSE-IU-2024:258-1 / google/sles-12-sp5-v20240308-x86-64 This image update for google/sles-12-sp5-v20240308-x86-64 contains the following changes: Package libxml2 was updated: - Security fix (CVE-2024-25062, bsc#1219576) use-after-free in XMLReader * Added libxml2-CVE-2024-25062.patch Package suseconnect-ng was updated: - Update to version 1.7.0~git0.5338270 * Allow SUSEConnect on read write transactional systems (bsc#1219425) Package python3-base was updated: - Add CVE-2023-40217-avoid-ssl-pre-close.patch fixing gh#python/cpython#108310, backport from upstream patch gh#python/cpython#108315 (bsc#1214692, CVE-2023-40217) - (bsc#1219666, CVE-2023-6597) Add CVE-2023-6597-TempDir-cleaning-symlink.patch (patch from gh#python/cpython!99930) fixing symlink bug in cleanup of tempfile.TemporaryDirectory. - Repurpose skip-failing-tests.patch to increase timeout for test.test_asyncio.test_tasks.TimeoutTests.test_timeout_time, which fails on slow machines in IBS (s390x). - Refresh CVE-2023-27043-email-parsing-errors.patch from gh#python/cpython!111116, fixing bsc#1210638 (CVE-2023-27043). Package _product:sle-sdk-release was updated: Package vim was updated: - Updated to version 9.1 with patch level 0111, fixes the following security problems * Fixing bsc#1217316 (CVE-2023-48231) - VUL-0: CVE-2023-48231: vim: Use-After-Free in win_close() * Fixing bsc#1217320 (CVE-2023-48232) - VUL-0: CVE-2023-48232: vim: Floating point Exception in adjust_plines_for_skipcol() * Fixing bsc#1217321 (CVE-2023-48233) - VUL-0: CVE-2023-48233: vim: overflow with count for :s command * Fixing bsc#1217324 (CVE-2023-48234) - VUL-0: CVE-2023-48234: vim: overflow in nv_z_get_count * Fixing bsc#1217326 (CVE-2023-48235) - VUL-0: CVE-2023-48235: vim: overflow in ex address parsing * Fixing bsc#1217329 (CVE-2023-48236) - VUL-0: CVE-2023-48236: vim: overflow in get_number * Fixing bsc#1217330 (CVE-2023-48237) - VUL-0: CVE-2023-48237: vim: overflow in shift_line * Fixing bsc#1217432 (CVE-2023-48706) - VUL-0: CVE-2023-48706: vim: heap-use-after-free in ex_substitute * Fixing bsc#1219581 (CVE-2024-22667) - VUL-0: CVE-2024-22667: vim: stack-based buffer overflow in did_set_langmap function in map.c * Fixing bsc#1215005 (CVE-2023-4750) - VUL-0: CVE-2023-4750: vim: Heap use-after-free in function bt_quickfix - Revert the patch which caused GTK incompatibility problem * Add: vim-9.1-revert-v9.1.86.patch * This reverts commit 725c7c31a4c7603e688511d769b0addaab442d07 - for the complete list of changes see https://github.com/vim/vim/compare/v9.0.2103...v9.1.0111 Package supportutils-plugin-suse-public-cloud was updated: - Update to version 1.0.9 (bsc#1218762, bsc#1218763) + Remove duplicate data collection for the plugin itself + Collect archive metering data when available + Query billing flavor status Package mozilla-nss was updated: - update to NSS 3.90.2 * bmo#1780432 - (CVE-2023-5388) Timing attack against RSA decryption in TLS. (bsc#1216198) * bmo#1867408 - add a defensive check for large ssl_DefSend return values. Package kernel-default was updated: - Update patches.suse/nvmet-tcp-fix-a-crash-in-nvmet_req_complete.patch (bsc#1217987 bsc#1217988 bsc#1217989 CVE-2023-6535 CVE-2023-6536 CVE-2023-6356). - commit 1a6bd68 - nvmet-tcp: Fix the H2C expected PDU len calculation (bsc#1217987 bsc#1217988 bsc#1217989 CVE-2023-6535 CVE-2023-6536 CVE-2023-6356). - nvmet-tcp: remove boilerplate code (bsc#1217987 bsc#1217988 bsc#1217989 CVE-2023-6535 CVE-2023-6536 CVE-2023-6356). - nvmet-tcp: Fix a kernel panic when host sends an invalid H2C PDU length (bsc#1217987 bsc#1217988 bsc#1217989 CVE-2023-6535 CVE-2023-6536 CVE-2023-6356). - commit 3e8a84f - Refresh patches.kabi/cpufeatures-kabi-fix.patch. Simple arithmetic fix. - commit df1ea97 - vhost: use kzalloc() instead of kmalloc() followed by memset() (CVE-2024-0340, bsc#1218689). - commit 265772f - blacklist.conf: add Korina ethernet controleer - commit 754d7b6 - blacklist.conf: update blacklist - commit 65ec0f0 - mlx4: handle non-napi callers to napi_poll (git-fixes). - commit 13aca9d - bnxt_en: Log unknown link speed appropriately (git-fixes). - commit cab91f3 - net/mlx5: Don't call timecounter cyc2time directly from 1PPS flow (git-fixes). - commit 30b8d5c - net: mvneta: fix double free of txq-&gt;buf (git-fixes). - commit abfb85a - r8169: fix data corruption issue on RTL8402 (git-fixes). - commit a389731 - net: stmmac: dwmac1000: fix out-of-bounds mac address reg setting (git-fixes). - commit 51f13e8 - net: fec: Do not use netdev messages too early (git-fixes). - commit 24b07f8 - net: stmmac: dwmac4/5: Clear unused address entries (git-fixes). - commit 156e8fc - net: stmmac: dwmac1000: Clear unused address entries (git-fixed). - commit b89c3f6 - blacklist.conf: add mediatek ethernet - commit ed969c9 - net: dsa: mv88e6xxx: avoid error message on remove from VLAN 0 (git-fixed). - commit 63f7ed7 - blacklist.conf: update blacklist - commit ba8fcb7 - net: xilinx: fix possible object reference leak (git-fixed). - commit 0884dff - net: macb: Add null check for PCLK and HCLK (git-fixed). - Refresh patches.suse/0006-net-macb-fix-error-format-in-dev_err.patch. - commit 1fdfc75 - netfilter: nf_tables: reject QUEUE/DROP verdict parameters (CVE-2024-1086 bsc#1219434). - commit 1f42903 - configfs: fix a use-after-free in __configfs_open_file (git-fixes). - commit 839bbef - chardev: fix error handling in cdev_device_add() (git-fixes). - commit 76071ad - fs: don't audit the capability check in simple_xattr_list() (git-fixes). - commit 32c621d - pstore: Avoid kcore oops by vmap()ing with VM_IOREMAP (git-fixes). - commit 165619a - pstore/ram: Fix error return code in ramoops_probe() (git-fixes). - commit 6c26e9c - kernfs: fix use-after-free in __kernfs_remove (git-fixes). - commit 1e4394d - kernfs: Separate kernfs_pr_cont_buf and rename_lock (git-fixes). - commit 302cbf3 - configfs: fix a race in configfs_{,un}register_subsystem() (git-fixes). - commit ff1ac8a - vfs: make freeze_super abort when sync_filesystem returns error (git-fixes). - commit a0e15ea - fs: orangefs: fix error return code of orangefs_revalidate_lookup() (git-fixes). - commit 05692b2 - fs: warn about impending deprecation of mandatory locks (git-fixes). - commit d313c61 - configfs: fix memleak in configfs_release_bin_file (git-fixes). - commit e182771 - 9p: missing chunk of &quot;fs/9p: Don't update file type when updating file attributes&quot; (git-fixes). - commit d7f7957 - kernfs: bring names in comments in line with code (git-fixes). - commit b2412a4 - configfs: fix config_item refcnt leak in configfs_rmdir() (git-fixes). - commit a4e6173 - help_next should increase position index (git-fixes). - commit a734d52 - configfs: fix a deadlock in configfs_symlink() (git-fixes). - commit 31f30f9 - locks: print a warning when mount fails due to lack of &quot;mand&quot; support (git-fixes). - commit 4a54942 - configfs: provide exclusion between IO and removals (git-fixes). - commit be9e3af - configfs: new object reprsenting tree fragments (git-fixes). - commit 727fecd - configfs: stash the data we need into configfs_buffer at open time (git-fixes). - commit 57d5998 - pstore/ram: Run without kernel crash dump region (git-fixes). - Refresh patches.suse/pstore-backend-autoaction. - commit 27a20a7 - fs/file.c: initialize init_files.resize_wait (git-fixes). - commit 4e99111 - fs: ratelimit __find_get_block_slow() failure message (git-fixes). - commit 066abb3 - iomap: sub-block dio needs to zeroout beyond EOF (git-fixes). - commit c176969 - fs/fat/fatent.c: add cond_resched() to fat_count_free_clusters() (git-fixes). - commit 97bf06c - proc: fix /proc/*/map_files lookup (git-fixes). - commit 66524a9 - pstore: ram_core: fix possible overflow in persistent_ram_init_ecc() (git-fixes). - commit 3b8a874 - pstore/ram: Check start of empty przs during init (git-fixes). - commit 86b8610 - statfs: enforce statfs[64] structure initialization (git-fixes). - commit e9ab62b - aio: fix mremap after fork null-deref (git-fixes). - commit f633071 - drm/amdgpu: Fix potential fence use-after-free v2 (bsc#1219128 CVE-2023-51042). - commit 78c123f - nvmet-tcp: fix a crash in nvmet_req_complete() (git-fixes). - commit 45b3590 - scsi: qla0xxx: Fix system crash due to bad pointer access (git-fixes). - commit 9c33792 - atm: Fix Use-After-Free in do_vcc_ioctl (CVE-2023-51780 bsc#1218730). - commit 42f1cd3 - mm,mremap: bail out earlier in mremap_to under map pressure (bsc#1123986). - commit d63623c - xen-netback: don't produce zero-size SKB frags (CVE-2023-46838, XSA-448, bsc#1218836). - commit 6d25bad - USB: serial: option: fix FM101R-GL defines (git-fixes). - commit c34221c - blacklist.conf: Add baa9be4ffb55 sched/fair: Fix throttle_list starvation with low CFS quota - commit f2444c0 - libceph: use kernel_connect() (bsc#1219446). - ceph: fix incorrect revoked caps assert in ceph_fill_file_size() (bsc#1219445). - commit 92ba85d - USB: serial: option: add Fibocom to DELL custom modem FM101R-GL (git-fixes). - commit 9c63fba - USB: serial: option: add entry for Sierra EM9191 with new firmware (git-fixes). - commit e18b083 - USB: serial: option: add Telit LE910C4-WWX 0x1035 composition (git-fixes). - commit 3c25206 - ext4: fix kernel BUG in 'ext4_write_inline_data_end()' (CVE-2021-33631 bsc#1219412). - commit 019d3a9 - blacklist.conf: remove a merge relic Remove a merge relic introduced in 44aaf966aab (&quot;Merge remote-tracking branch 'origin/SLE12-SP4' into SLE12-SP5-UPDATE&quot;). - commit 78c957f - blacklist.conf: add a not-relevant jump_label commit - commit 7bff5db - tracing/trigger: Fix to return error if failed to alloc snapshot (git-fixes). - commit 57e8982 - blacklist.conf: Blacklist 447ae316670230d7d29430e2cbf1f5db4f49d14c It reworks header inclusion to no real benefit for out kernel and results in massive kABI breakage. Just blacklist it. - commit 879fd91 - wifi: brcmfmac: Fix use-after-free bug in brcmf_cfg80211_detach (CVE-2023-47233 bsc#1216702). - commit d2e0155 - net: stmmac: don't overwrite discard_frame status (git-fixes). - commit af86f48 - net: ethernet: ti: fix possible object reference leak (git-fixes). - commit 8292c78 - blacklist.conf: update blacklist - commit 3ec6d28 - blacklist.conf: update blacklist - commit b305f8c - net: ks8851: Set initial carrier state to down (git-fixes). - commit 667be0a - net: ks8851: Delay requesting IRQ until opened (git-fixes). - commit 605f94a - net: ks8851: Reassert reset pin if chip ID check fails (git-fixes). - commit 93e9e83 - net: dsa: qca8k: Enable delay for RGMII_ID mode (git-fixes). - commit 94c1dc4 - net: dsa: mv88e6xxx: Work around mv886e6161 SERDES missing MII_PHYSID2 (git-fixes). - commit d97991c - blacklist.conf: update blacklist - commit 23ba946 - blacklist.conf: Black unapplicable patch This one requires 45b575c00d8e72d69d75dd8c112f044b7b01b069 which is blacklisted. So black list this one as well. - commit 8ad7e95 - x86/unwind/orc: Fix unreliable stack dump with gcov (git-fixes). - commit db29225 - x86/pm: Add enumeration check before spec MSRs save/restore setup (git-fixes). - commit 0b71917 - x86/kvm/lapic: always disable MMIO interface in x2APIC mode (git-fixes). - commit 42aa4b1 - x86/purgatory: Don't generate debug info for purgatory.ro (git-fixes). - commit ad7d236 - x86/cpu: Add another Alder Lake CPU to the Intel family (git-fixes). - commit 5e43536 - x86/build: Turn off -fcf-protection for realmode targets (git-fixes). - commit 06f5589 - x86/build: Treat R_386_PLT32 relocation as R_386_PC32 (git-fixes). - commit c5cf689 - x86/lib: Fix overflow when counting digits (git-fixes). - commit 0070bad - x86/asm: Ensure asm/proto.h can be included stand-alone (git-fixes). - commit b6c5df9 - x86: __always_inline __{rd,wr}msr() (git-fixes). - commit 8507f62 - x86: Mark stop_this_cpu() __noreturn (git-fixes). - commit 47a8413 - x86: Clear .brk area at early boot (git-fixes). - commit 63c0fc3 - rpm/constraints.in: add static multibuild packages Commit 841012b049a5 (rpm/mkspec: use kernel-source: prefix for constraints on multibuild) added &quot;kernel-source:&quot; prefix to the dynamically generated kernels. But there are also static ones like kernel-docs. Those fail to build as the constraints are still not applied. So add the prefix also to the static ones. Note kernel-docs-rt is given kernel-source-rt prefix. I am not sure it will ever be multibuilt... - commit c2e0681 - drm/atomic: Fix potential use-after-free in nonblocking commits (bsc#1219120 CVE-2023-51043). - commit a69e3d8 - Refresh patches.kabi/cpufeatures-kabi-fix.patch. Adjust the cpuid check when applying alternatives. Fixes false BUG_ON in the presence of extra bugints/capints. - commit 48af78f - Revert &quot;Limit kernel-source build to architectures for which the kernel binary&quot; This reverts commit 08a9e44c00758b5f3f3b641830ab6affff041132. The fix for bsc#1108281 directly causes bsc#1218768, revert. - commit 2943b8a - mkspec: Include constraints for both multibuild and plain package always There is no need to check for multibuild flag, the constraints can be always generated for both cases. - commit 308ea09 - rpm/mkspec: use kernel-source: prefix for constraints on multibuild Otherwise the constraints are not applied with multibuild enabled. - commit 841012b - wd-functions.sh: Use pixz for xz compresion when available. This makes xz compression highly non-deterministic but deterministic results were not provided by xz in the first place. - commit 1524b56 - rpm/kernel-source.rpmlintrc: add action-ebpf Upstream commit a79d8ba734bd (selftests: tc-testing: remove buildebpf plugin) added this precompiled binary blob. Adapt rpmlintrc for kernel-source. - commit b5ccb33 - Refresh patches.suse/mce-fix-set_mce_nospec-to-always-unmap-the-whole-page.patch. - commit 97df026 - usb: xhci: xhci-ring: Use sysdev for mapping bounce buffer (git-fixes). - commit f9ab50f - blacklist.conf: not a bug fix - commit 89a46f3 - blacklist.conf: driver not compiled - commit e4d38bb - blacklist.conf: false positive - commit be0a82f - blacklist.conf: not a bug fix - commit 3adfd09 - blacklist.conf: false positive - commit 9076062 - scsi: qedf: fc_rport_priv reference counting fixes (bsc#1212152). Refresh: - patches.suse/scsi-qedf-correctly-handle-refcounting-of-rdata - patches.suse/scsi-qedf-print-message-during-bailout-conditions - patches.suse/scsi-qedf-print-scsi_cmd-backpointer-in-good-completion-path-if-the-command-is-still-being-used - commit e171158 - ext4: silence the warning when evicting inode with dioread_nolock (bsc#1206889). - commit 3433e7a - writeback: Export inode_io_list_del() (bsc#1216989). patches/patches.suse/writeback-Protect-inode-i_io_list-with-inode-i_lock.patch: Refresh - commit c969261 - ext4: improve error recovery code paths in __ext4_remount() (bsc#1213017 bsc#1219053 CVE-2024-0775). - commit 3bb0d48 - Update patches.suse/ext4-improve-error-recovery-code-paths-in-__ext4_rem.patch (bsc#1213017 bsc#1219053 CVE-2024-0775). - commit a5b396b - scripts/tar-up.sh: don't add spurious entry from kernel-sources.changes.old The previous change added the manual entry from kernel-sources.change.old to old_changelog.txt unnecessarily. Let's fix it. - commit fb033e8 - Refresh patches.suse/ipmi-Cleanup-oops-on-initialization-failure.patch. Alt-commit added - commit 5093b56 - x86: Pin task-stack in __get_wchan() (git-fixes). - commit 96f1d7b - rpm/kernel-docs.spec.in: fix build with 6.8 Since upstream commit f061c9f7d058 (Documentation: Document each netlink family), the build needs python yaml. - commit 6a7ece3 - x86: Fix __get_wchan() for !STACKTRACE (git-fixes). - commit 23a1a0e - asix: Add check for usbnet_get_endpoints (git-fixes). - commit d1fcea8 - x86/mce: relocate set{clear}_mce_nospec() functions (git-fixes). - commit d9f49bd - x86/CPU/AMD: Check vendor in the AMD microcode callback (git-fixes). - commit 79b1f36 - mce: fix set_mce_nospec to always unmap the whole page (git-fixes). - commit 2dcf8c9 - x86/alternatives: Sync core before enabling interrupts (git-fixes). - commit d500914 - x86/cpu/hygon: Fix the CPU topology evaluation for real (git-fixes). - commit 01e7093 - x86/kvm: Do not try to disable kvmclock if it was not enabled (git-fixes). - commit 293b127 - x86: Fix get_wchan() to support the ORC unwinder (git-fixes). - commit 1693c4c - x86/pat: Pass valid address to sanitize_phys() (git-fixes). - commit 9776480 - x86/pat: Fix x86_has_pat_wp() (git-fixes). - blacklist.conf: - commit 0a8ce61 - x86/mm: Add a x86_has_pat_wp() helper (git-fixes). - commit 794f377 - veth: Fixing transmit return status for dropped packets (git-fixes). - commit c39655b - preserve KABI for struct sfp_socket_ops (git-fixes). - commit 58a9bc4 - blacklist.conf: - Delete patches.suse/NFSD-Fix-possible-sleep-during-nfsd4_release_lockown.patch. This patch is harmful on all kernels, and irrelevant on kernels before v5.4 bsc#1218968 - commit 5365a0a - KVM: s390: vsie: Fix STFLE interpretive execution identification (git-fixes bsc#1219022). - commit 16098a4 - net: phylink: avoid resolving link state too early (git-fixes). - commit 67b00b5 - gtp: change NET_UDP_TUNNEL dependency to select (git-fixes). - commit dd6be0d - mlxsw: spectrum: Avoid -Wformat-truncation warnings (git-fixes). - commit bd062d1 - mlxsw: spectrum: Set LAG port collector only when active (git-fixes). - commit 42cb04e - net: mv643xx_eth: disable clk on error path in mv643xx_eth_shared_probe() (git-fixes). - commit 5db0cbe - net: systemport: Fix reception of BPDUs (git-fixes). - commit 54f0189 - sfc: initialise found bitmap in efx_ef10_mtd_probe (git-fixes). - commit 36c912f - net: sfp: do not probe SFP module before we're attached (git-fixes). - commit b335b5c - net: phy: sfp: warn the user when no tx_disable pin is available (git-fixes). - commit 921c51c - blacklist.conf: update blacklist - commit 0fefc1a - net: stmmac: Disable EEE mode earlier in XMIT callback (git-fixes). - commit 42ea2f4 - blacklist.conf: update blacklist - commit 16074da - preserve KABI for struct plat_stmmacenet_data (git-fixes). - commit be0b5cc - net: stmmac: Fallback to Platform Data clock in Watchdog conversion (git-fixes). - commit c0e8ae4 - net: stmmac: dwmac-rk: fix error handling in rk_gmac_powerup() (git-fixes). - commit 1f97aba - blacklist.conf: update blacklist - commit 160c442 - net: dsa: bcm_sf2: Propagate error value from mdio_write (git-fixes). - commit 042ff8c - net: (cpts) fix a missing check of clk_prepare (git-fixes). - commit a0511a4 - blacklist.conf: update blacklist - commit 778d638 - mlxsw: spectrum: Properly cleanup LAG uppers when removing port from LAG (git-fixes). - commit 65b3a7e - blacklist.conf: update blacklist - commit 72f91b3 - nfsd: drop st_mutex and rp_mutex before calling move_to_close_lru() (bsc#1217525). - commit d08e536 - blacklist.conf: add wont-backport commit - commit 65861c5 - libnvdimm/of_pmem: Use devm_kstrdup instead of kstrdup and check its return value (git-fixes). - nvdimm: Fix badblocks clear off-by-one error (git-fixes). - nvdimm: Allow overwrite in the presence of disabled dimms (git-fixes). - nvdimm/btt: do not call del_gendisk() if not needed (git-fixes). - libnvdimm/region: Fix label activation vs errors (git-fixes). - commit dc5bee2 - libnvdimm: cover up changes in struct nvdimm_bus_descriptor (git-fixes). - libnvdimm: Validate command family indices (git-fixes). - commit 27f581b - libnvdimm: Out of bounds read in __nd_ioctl() (git-fixes). - acpi/nfit: improve bounds checking for 'func' (git-fixes). - libnvdimm/btt: fix variable 'rc' set but not used (git-fixes). - libnvdimm/pmem: Delete include of nd-core.h (git-fixes). - =?UTF-8?q?libnvdimm:=20Fix=20endian=20conversion=20issues?= =?UTF-8?q?=C2=A0?= (git-fixes). - libnvdimm: Fix compilation warnings with W=1 (git-fixes). - libnvdimm/pmem: fix a possible OOB access when read and write pmem (git-fixes). - libnvdimm/btt: Fix a kmemdup failure check (git-fixes). - libnvdimm/namespace: Fix a potential NULL pointer dereference (git-fixes). - libnvdimm/btt: Fix LBA masking during 'free list' population (git-fixes). - libnvdimm/btt: Remove unnecessary code in btt_freelist_init (git-fixes). - acpi/nfit: Require opt-in for read-only label configurations (git-fixes). - UAPI: ndctl: Fix g++-unsupported initialisation in headers (git-fixes). - commit e6b26fa - blacklist.conf: false positive - commit de6f57b - blacklist.conf: blacklist Huawei HiNIC - commit d68e629 - s390/dasd: fix double module refcount decrement (bsc#1141539). - commit 1d573b9 - scripts/git_sort/git_sort.py: Add 'perf-tools' branch - commit 7ef21eb - netfilter: nf_tables: Reject tables of unsupported family (CVE-2023-6040 bsc#1218752). - commit 9e6d9d4 - net/rose: Fix Use-After-Free in rose_ioctl (CVE-2023-51782 bsc#1218757). - commit 5e6770d - powerpc/pseries/memhotplug: Quieten some DLPAR operations (bsc#1065729). - commit 4d451a9 - powerpc/powernv: Add a null pointer check in opal_powercap_init() (bsc#1181674 ltc#189159 git-fixes). - powerpc/powernv: Add a null pointer check in opal_event_init() (bsc#1065729). - powerpc/pseries/memhp: Fix access beyond end of drmem array (bsc#1065729). - powerpc: Don't clobber f0/vs0 during fp|altivec register save (bsc#1065729). - commit d5de04b - Store the old kernel changelog entries in kernel-docs package (bsc#1218713) The old entries are found in kernel-docs/old_changelog.txt in docdir. rpm/old_changelog.txt can be an optional file that stores the similar info like rpm/kernel-sources.changes.old. It can specify the commit range that have been truncated. scripts/tar-up.sh expands from the git log accordingly. - commit c9a2566 - fs: ocfs2: namei: check return value of ocfs2_add_entry() (git-fixes). - commit 37053b5 - orangefs: Fix kmemleak in orangefs_prepare_debugfs_help_string() (git-fixes). - commit 22c7474 - orangefs: Fix sysfs not cleanup when dev init failed (git-fixes). - commit 3dc6f72 - fat: add ratelimit to fat*_ent_bread() (git-fixes). - commit 2e4dd8d - orangefs: fix orangefs df output (git-fixes). - commit 14af1e9 - fs/fat/file.c: issue flush after the writeback of FAT (git-fixes). - commit 4b5cf8c - fs/exofs: fix potential memory leak in mount option parsing (git-fixes). - commit c3e2f19 - orangefs: rate limit the client not running info message (git-fixes). - commit 9ffd7ce - gfs2: ignore negated quota changes (git-fixes). - commit 65c2047 - gfs2: Fix possible data races in gfs2_show_options() (git-fixes). - commit 57d66df - gfs2: Fix inode height consistency check (git-fixes). - commit d7ee5ae - gfs2: Check sb_bsize_shift after reading superblock (git-fixes). - commit 381ce29 - gfs2: Make sure FITRIM minlen is rounded up to fs block size (git-fixes). - commit 59f59dc - gfs2: assign rgrp glock before compute_bitstructs (git-fixes). - commit 8e79a5c - gfs2: Don't call dlm after protocol is unmounted (git-fixes). - commit 0e0a651 - gfs2: Fix use-after-free in gfs2_glock_shrink_scan (git-fixes). - commit 4dff329 - gfs2: report &quot;already frozen/thawed&quot; errors (git-fixes). - commit e5108bb - gfs2: Don't skip dlm unlock if glock has an lvb (git-fixes). - commit 38230f9 - gfs2: check for empty rgrp tree in gfs2_ri_update (git-fixes). - commit 3484422 - gfs2: Wake up when sd_glock_disposal becomes zero (git-fixes). - commit 6e96bc8 - gfs2: check for live vs. read-only file system in gfs2_fitrim (git-fixes). - commit dece8b9 - gfs2: Free rd_bits later in gfs2_clear_rgrpd to fix use-after-free (git-fixes). - commit 5f11647 - gfs2: add validation checks for size of superblock (git-fixes). - commit 4bfdec0 - gfs2: fix use-after-free on transaction ail lists (git-fixes). - commit 3c0934a - gfs2: initialize transaction tr_ailX_lists earlier (git-fixes). - commit a3dcb8b - gfs2: Allow lock_nolock mount to specify jid=X (git-fixes). - commit c3d10eb - gfs2_atomic_open(): fix O_EXCL|O_CREAT handling on cold dcache (git-fixes). - commit 50b2782 - gfs2: clear buf_in_tr when ending a transaction in sweep_bh_for_rgrps (git-fixes). - commit 0638ce6 - gfs2: Fix sign extension bug in gfs2_update_stats (git-fixes). - commit 6905d0e - gfs2: Fix lru_count going negative (git-fixes). - commit 22c6d6f - gfs2: take jdata unstuff into account in do_grow (git-fixes). - commit f6cafad - gfs2: Fix marking bitmaps non-full (git-fixes). - commit 27f21b4 - GFS2: Flush the GFS2 delete workqueue before stopping the kernel threads (git-fixes). - commit c0d61c2 - gfs2: Don't set GFS2_RDF_UPTODATE when the lvb is updated (git-fixes). - commit ca05c1f - gfs2: Special-case rindex for gfs2_grow (git-fixes). - commit 77ffe3d - reiserfs: Replace 1-element array with C99 style flex-array (git-fixes). - commit ed361ae - reiserfs: Check the return value from __getblk() (git-fixes). - commit c984c17 - affs: fix basic permission bits to actually work (git-fixes). - commit 6abe668 Package python3 was updated: - Add CVE-2023-40217-avoid-ssl-pre-close.patch fixing gh#python/cpython#108310, backport from upstream patch gh#python/cpython#108315 (bsc#1214692, CVE-2023-40217) - (bsc#1219666, CVE-2023-6597) Add CVE-2023-6597-TempDir-cleaning-symlink.patch (patch from gh#python/cpython!99930) fixing symlink bug in cleanup of tempfile.TemporaryDirectory. - Repurpose skip-failing-tests.patch to increase timeout for test.test_asyncio.test_tasks.TimeoutTests.test_timeout_time, which fails on slow machines in IBS (s390x). - Refresh CVE-2023-27043-email-parsing-errors.patch from gh#python/cpython!111116, fixing bsc#1210638 (CVE-2023-27043). Package libssh was updated: - Update to 0.9.8: [jsc#PED-7719, bsc#1218126, CVE-2023-48795] * Rebase 0001-disable-timeout-test-on-slow-buildsystems.patch * Remove patches fixed in the update: - CVE-2019-14889.patch - 0001-CVE-2020-1730-Fix-a-possible-segfault-when-zeroing-A.patch - Update to version 0.9.8 * Fix CVE-2023-6004: Command injection using proxycommand (bsc#1218209) * Fix CVE-2023-48795: Potential downgrade attack using strict kex (bsc#1218126) * Fix CVE-2023-6918: Missing checks for return values of MD functions (bsc#1218186) * Allow @ in usernames when parsing from URI composes - Update to version 0.9.7 * Fix CVE-2023-1667: a NULL dereference during rekeying with algorithm guessing (bsc#1211188) * Fix CVE-2023-2283: a possible authorization bypass in pki_verify_data_signature under low-memory conditions (bsc#1211190) * Fix several memory leaks in GSSAPI handling code - Update to version 0.9.6 (bsc#1189608, CVE-2021-3634) * https://git.libssh.org/projects/libssh.git/tag/?h=libssh-0.9.6 - Add missing BR for openssh needed for tests - update to 0.9.5 (bsc#1174713, CVE-2020-16135): * CVE-2020-16135: Avoid null pointer dereference in sftpserver (T232) * Improve handling of library initialization (T222) * Fix parsing of subsecond times in SFTP (T219) * Make the documentation reproducible * Remove deprecated API usage in OpenSSL * Fix regression of ssh_channel_poll_timeout() returning SSH_AGAIN * Define version in one place (T226) * Prevent invalid free when using different C runtimes than OpenSSL (T229) * Compatibility improvements to testsuite - Update to version 0.9.4 * https://www.libssh.org/2020/04/09/libssh-0-9-4-and-libssh-0-8-9-security-release/ * Fix possible Denial of Service attack when using AES-CTR-ciphers CVE-2020-1730 (bsc#1168699) Package timezone was updated: - update to 2024a: * Kazakhstan unifies on UTC+5. This affects Asia/Almaty and Asia/Qostanay which together represent the eastern portion of the country that will transition from UTC+6 on 2024-03-01 at 00:00 to join the western portion. (Thanks to Zhanbolat Raimbekov.) * Palestine springs forward a week later than previously predicted in 2024 and 2025. (Thanks to Heba Hamad.) Change spring-forward predictions to the second Saturday after Ramadan, not the first; this also affects other predictions starting in 2039. * Asia/Ho_Chi_Minh's 1955-07-01 transition occurred at 01:00 not 00:00. (Thanks to Đoàn Trần Công Danh.) * From 1947 through 1949, Toronto's transitions occurred at 02:00 not 00:00. (Thanks to Chris Walton.) * In 1911 Miquelon adopted standard time on June 15, not May 15. * The FROM and TO columns of Rule lines can no longer be &quot;minimum&quot; or an abbreviation of &quot;minimum&quot;, because TZif files do not support DST rules that extend into the indefinite past - although these rules were supported when TZif files had only 32-bit data, this stopped working when 64-bit TZif files were introduced in 1995. This should not be a problem for realistic data, since DST was first used in the 20th century. As a transition aid, FROM columns like &quot;minimum&quot; are now diagnosed and then treated as if they were the year 1900; this should suffice for TZif files on old systems with only 32-bit time_t, and it is more compatible with bugs in 2023c-and-earlier localtime.c. (Problem reported by Yoshito Umaoka.) * localtime and related functions no longer mishandle some timestamps that occur about 400 years after a switch to a time zone with a DST schedule. In 2023d data this problem was visible for some timestamps in November 2422, November 2822, etc. in America/Ciudad_Juarez. (Problem reported by Gilmore Davidson.) * strftime %s now uses tm_gmtoff if available. (Problem and draft patch reported by Dag-Erling Smørgrav.) * The strftime man page documents which struct tm members affect which conversion specs, and that tzset is called. (Problems reported by Robert Elz and Steve Summit.) - update to 2023d: * Ittoqqortoormiit, Greenland changes time zones on 2024-03-31. * Vostok, Antarctica changed time zones on 2023-12-18. * Casey, Antarctica changed time zones five times since 2020. * Code and data fixes for Palestine timestamps starting in 2072. * A new data file zonenow.tab for timestamps starting now. * Fix predictions for DST transitions in Palestine in 2072-2075, correcting a typo introduced in 2023a. * Vostok, Antarctica changed to +05 on 2023-12-18. It had been at +07 (not +06) for years. * Change data for Casey, Antarctica to agree with timeanddate.com, by adding five time zone changes since 2020. Casey is now at +08 instead of +11. * Much of Greenland, represented by America/Nuuk, changed its standard time from -03 to -02 on 2023-03-25, not on 2023-10-28. * localtime.c no longer mishandles TZif files that contain a single transition into a DST regime. Previously, it incorrectly assumed DST was in effect before the transition too. * tzselect no longer creates temporary files. * tzselect no longer mishandles the following: * Spaces and most other special characters in BUGEMAIL, PACKAGE, TZDIR, and VERSION. * TZ strings when using mawk 1.4.3, which mishandles regular expressions of the form /X{2,}/. * ISO 6709 coordinates when using an awk that lacks the GNU extension of newlines in -v option-arguments. * Non UTF-8 locales when using an iconv command that lacks the GNU //TRANSLIT extension. * zic no longer mishandles data for Palestine after the year 2075. - Refresh tzdata-china.diff Package sudo was updated: - Security fix: [bsc#1219026, bsc#1220389, CVE-2023-42465] * Try to make sudo less vulnerable to ROWHAMMER attacks. * Add sudo-CVE-2023-42465-1of2.patch sudo-CVE-2023-42465-2of2.patch Package cloud-regionsrv-client was updated: - Update to version 10.1.7 (bsc#1220164, bsc#1220165) + Fix the failover path to a new target update server. At present a new server is not found since credential validation fails. We targeted the server detected in down condition to verify the credentials instead of the replacement server. Package docker was updated: - Vendor latest buildkit v0.11: Add patch 0006-Vendor-in-latest-buildkit-v0.11-branch-including-CVE.patch that vendors in the latest v0.11 buildkit branch including bugfixes for the following: * bsc#1219438: CVE-2024-23653 * bsc#1219268: CVE-2024-23652 * bsc#1219267: CVE-2024-23651 - rebase patches: * 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch * 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch * 0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch * 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch * 0005-SLE12-revert-apparmor-remove-version-conditionals-fr.patch - switch from %patchN to %patch -PN syntax - remove unused rpmlint filters and add filters to silence pointless bash &amp; zsh completion warnings Package _product:SLES-release was updated: Package openssh was updated: - remember the enabled state of sshd state, so openssh8,4 can pick it up. bsc#1220110 - Added openssh-cve-2023-51385.patch (bsc#1218215, CVE-2023-51385). This limits the use of shell metacharacters in host- and user names. Package grub2 was updated: - Make consistent check to enable relative path on btrfs (bsc#1174567) (bsc#1216912) * 0001-Unify-the-check-to-enable-btrfs-relative-path.patch The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). https://publiccloudimagechangeinfo.suse.com/google/sles-12-sp5-v20240308-x86-64/ Public Cloud Image Info https://www.suse.com/support/security/rating/ SUSE Security Ratings Public Cloud Image google/sles-12-sp5-v20240308-x86-64 cloud-regionsrv-client-10.1.7-52.108.1 cloud-regionsrv-client-plugin-gce-1.0.0-52.108.1 containerd-1.7.8-16.91.7 docker-24.0.7_ce-98.106.1 grub2-2.02-172.1 grub2-i386-pc-2.02-172.1 grub2-x86_64-efi-2.02-172.1 kernel-default-4.12.14-122.194.1 libpython3_4m1_0-3.4.10-25.124.1 libssh4-0.9.8-3.12.2 libsuseconnect-1.7.0~git0.5338270-3.9.1 libxml2-2-2.9.4-46.71.1 mozilla-nss-certs-3.90.2-58.111.1 openssh-7.2p2-81.12.1 python3-3.4.10-25.124.1 python3-base-3.4.10-25.124.1 sudo-1.8.27-4.45.1 supportutils-plugin-suse-public-cloud-1.0.9-6.22.1 suseconnect-ng-1.7.0~git0.5338270-3.9.1 suseconnect-ruby-bindings-1.7.0~git0.5338270-3.9.1 timezone-2024a-74.79.1 vim-9.1.0111-17.29.1 vim-data-common-9.1.0111-17.29.1 cloud-regionsrv-client-10.1.7-52.108.1 as a component of Public Cloud Image google/sles-12-sp5-v20240308-x86-64 cloud-regionsrv-client-plugin-gce-1.0.0-52.108.1 as a component of Public Cloud Image google/sles-12-sp5-v20240308-x86-64 containerd-1.7.8-16.91.7 as a component of Public Cloud Image google/sles-12-sp5-v20240308-x86-64 docker-24.0.7_ce-98.106.1 as a component of Public Cloud Image google/sles-12-sp5-v20240308-x86-64 grub2-2.02-172.1 as a component of Public Cloud Image google/sles-12-sp5-v20240308-x86-64 grub2-i386-pc-2.02-172.1 as a component of Public Cloud Image google/sles-12-sp5-v20240308-x86-64 grub2-x86_64-efi-2.02-172.1 as a component of Public Cloud Image google/sles-12-sp5-v20240308-x86-64 kernel-default-4.12.14-122.194.1 as a component of Public Cloud Image google/sles-12-sp5-v20240308-x86-64 libpython3_4m1_0-3.4.10-25.124.1 as a component of Public Cloud Image google/sles-12-sp5-v20240308-x86-64 libssh4-0.9.8-3.12.2 as a component of Public Cloud Image google/sles-12-sp5-v20240308-x86-64 libsuseconnect-1.7.0~git0.5338270-3.9.1 as a component of Public Cloud Image google/sles-12-sp5-v20240308-x86-64 libxml2-2-2.9.4-46.71.1 as a component of Public Cloud Image google/sles-12-sp5-v20240308-x86-64 mozilla-nss-certs-3.90.2-58.111.1 as a component of Public Cloud Image google/sles-12-sp5-v20240308-x86-64 openssh-7.2p2-81.12.1 as a component of Public Cloud Image google/sles-12-sp5-v20240308-x86-64 python3-3.4.10-25.124.1 as a component of Public Cloud Image google/sles-12-sp5-v20240308-x86-64 python3-base-3.4.10-25.124.1 as a component of Public Cloud Image google/sles-12-sp5-v20240308-x86-64 sudo-1.8.27-4.45.1 as a component of Public Cloud Image google/sles-12-sp5-v20240308-x86-64 supportutils-plugin-suse-public-cloud-1.0.9-6.22.1 as a component of Public Cloud Image google/sles-12-sp5-v20240308-x86-64 suseconnect-ng-1.7.0~git0.5338270-3.9.1 as a component of Public Cloud Image google/sles-12-sp5-v20240308-x86-64 suseconnect-ruby-bindings-1.7.0~git0.5338270-3.9.1 as a component of Public Cloud Image google/sles-12-sp5-v20240308-x86-64 timezone-2024a-74.79.1 as a component of Public Cloud Image google/sles-12-sp5-v20240308-x86-64 vim-9.1.0111-17.29.1 as a component of Public Cloud Image google/sles-12-sp5-v20240308-x86-64 vim-data-common-9.1.0111-17.29.1 as a component of Public Cloud Image google/sles-12-sp5-v20240308-x86-64 A flaw was found with the libssh API function ssh_scp_new() in versions before 0.9.3 and before 0.8.8. When the libssh SCP client connects to a server, the scp command, which includes a user-provided path, is executed on the server-side. In case the library is used in a way where users can influence the third parameter of the function, it would become possible for an attacker to inject arbitrary commands, leading to a compromise of the remote target. CVE-2019-14889 Public Cloud Image google/sles-12-sp5-v20240308-x86-64:libssh4-0.9.8-3.12.2 important 9.3 AV:N/AC:M/Au:N/C:C/I:C/A:C libssh 0.9.4 has a NULL pointer dereference in tftpserver.c if ssh_buffer_new returns NULL. CVE-2020-16135 Public Cloud Image google/sles-12-sp5-v20240308-x86-64:libssh4-0.9.8-3.12.2 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P A flaw was found in libssh versions before 0.8.9 and before 0.9.4 in the way it handled AES-CTR (or DES ciphers if enabled) ciphers. The server or client could crash when the connection hasn't been fully initialized and the system tries to cleanup the ciphers when closing the connection. The biggest threat from this vulnerability is system availability. CVE-2020-1730 Public Cloud Image google/sles-12-sp5-v20240308-x86-64:libssh4-0.9.8-3.12.2 moderate 5 AV:N/AC:L/Au:N/C:N/I:N/A:P Integer Overflow or Wraparound vulnerability in openEuler kernel on Linux (filesystem modules) allows Forced Integer Overflow.This issue affects openEuler kernel: from 4.19.90 before 4.19.90-2401.3, from 5.10.0-60.18.0 before 5.10.0-183.0.0. CVE-2021-33631 Public Cloud Image google/sles-12-sp5-v20240308-x86-64:kernel-default-4.12.14-122.194.1 moderate A flaw has been found in libssh in versions prior to 0.9.6. The SSH protocol keeps track of two shared secrets during the lifetime of the session. One of them is called secret_hash and the other session_id. Initially, both of them are the same, but after key re-exchange, previous session_id is kept and used as an input to new secret_hash. Historically, both of these buffers had shared length variable, which worked as long as these buffers were same. But the key re-exchange operation can also change the key exchange method, which can be based on hash of different size, eventually creating "secret_hash" of different size than the session_id has. This becomes an issue when the session_id memory is zeroed or when it is used again during second key re-exchange. CVE-2021-3634 Public Cloud Image google/sles-12-sp5-v20240308-x86-64:libssh4-0.9.8-3.12.2 moderate 4 AV:N/AC:L/Au:S/C:N/I:N/A:P A NULL pointer dereference was found In libssh during re-keying with algorithm guessing. This issue may allow an authenticated client to cause a denial of service. CVE-2023-1667 Public Cloud Image google/sles-12-sp5-v20240308-x86-64:libssh4-0.9.8-3.12.2 moderate A vulnerability was found in libssh, where the authentication check of the connecting client can be bypassed in the`pki_verify_data_signature` function in memory allocation problems. This issue may happen if there is insufficient memory or the memory usage is limited. The problem is caused by the return value `rc,` which is initialized to SSH_ERROR and later rewritten to save the return value of the function call `pki_key_check_hash_compatible.` The value of the variable is not changed between this point and the cryptographic verification. Therefore any error between them calls `goto error` returning SSH_OK. CVE-2023-2283 Public Cloud Image google/sles-12-sp5-v20240308-x86-64:libssh4-0.9.8-3.12.2 moderate The email module of Python through 3.11.3 incorrectly parses e-mail addresses that contain a special character. The wrong portion of an RFC2822 header is identified as the value of the addr-spec. In some applications, an attacker can bypass a protection mechanism in which application access is granted only after verifying receipt of e-mail to a specific domain (e.g., only @company.example.com addresses may be used for signup). This occurs in email/_parseaddr.py in recent versions of Python. CVE-2023-27043 Public Cloud Image google/sles-12-sp5-v20240308-x86-64:libpython3_4m1_0-3.4.10-25.124.1 Public Cloud Image google/sles-12-sp5-v20240308-x86-64:python3-3.4.10-25.124.1 Public Cloud Image google/sles-12-sp5-v20240308-x86-64:python3-base-3.4.10-25.124.1 moderate An issue was discovered in Python before 3.8.18, 3.9.x before 3.9.18, 3.10.x before 3.10.13, and 3.11.x before 3.11.5. It primarily affects servers (such as HTTP servers) that use TLS client authentication. If a TLS server-side socket is created, receives data into the socket buffer, and then is closed quickly, there is a brief window where the SSLSocket instance will detect the socket as "not connected" and won't initiate a handshake, but buffered data will still be readable from the socket buffer. This data will not be authenticated if the server-side TLS peer is expecting client certificate authentication, and is indistinguishable from valid TLS stream data. Data is limited in size to the amount that will fit in the buffer. (The TLS connection cannot directly be used for data exfiltration because the vulnerable code path requires that the connection be closed on initialization of the SSLSocket.) CVE-2023-40217 Public Cloud Image google/sles-12-sp5-v20240308-x86-64:libpython3_4m1_0-3.4.10-25.124.1 Public Cloud Image google/sles-12-sp5-v20240308-x86-64:python3-3.4.10-25.124.1 Public Cloud Image google/sles-12-sp5-v20240308-x86-64:python3-base-3.4.10-25.124.1 important Sudo before 1.9.15 might allow row hammer attacks (for authentication bypass or privilege escalation) because application logic sometimes is based on not equaling an error value (instead of equaling a success value), and because the values do not resist flips of a single bit. CVE-2023-42465 Public Cloud Image google/sles-12-sp5-v20240308-x86-64:sudo-1.8.27-4.45.1 moderate Transmit requests in Xen's virtual network protocol can consist of multiple parts. While not really useful, except for the initial part any of them may be of zero length, i.e. carry no data at all. Besides a certain initial portion of the to be transferred data, these parts are directly translated into what Linux calls SKB fragments. Such converted request parts can, when for a particular SKB they are all of length zero, lead to a de-reference of NULL in core networking code. CVE-2023-46838 Public Cloud Image google/sles-12-sp5-v20240308-x86-64:kernel-default-4.12.14-122.194.1 moderate The brcm80211 component in the Linux kernel through 6.5.10 has a brcmf_cfg80211_detach use-after-free in the device unplugging (disconnect the USB by hotplug) code. For physically proximate attackers with local access, this "could be exploited in a real world scenario." This is related to brcmf_cfg80211_escan_timeout_worker in drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c. CVE-2023-47233 Public Cloud Image google/sles-12-sp5-v20240308-x86-64:kernel-default-4.12.14-122.194.1 moderate Use After Free in GitHub repository vim/vim prior to 9.0.1857. CVE-2023-4750 Public Cloud Image google/sles-12-sp5-v20240308-x86-64:vim-9.1.0111-17.29.1 Public Cloud Image google/sles-12-sp5-v20240308-x86-64:vim-data-common-9.1.0111-17.29.1 moderate Vim is an open source command line text editor. When closing a window, vim may try to access already freed window structure. Exploitation beyond crashing the application has not been shown to be viable. This issue has been addressed in commit `25aabc2b` which has been included in release version 9.0.2106. Users are advised to upgrade. There are no known workarounds for this vulnerability. CVE-2023-48231 Public Cloud Image google/sles-12-sp5-v20240308-x86-64:vim-9.1.0111-17.29.1 Public Cloud Image google/sles-12-sp5-v20240308-x86-64:vim-data-common-9.1.0111-17.29.1 moderate Vim is an open source command line text editor. A floating point exception may occur when calculating the line offset for overlong lines and smooth scrolling is enabled and the cpo-settings include the 'n' flag. This may happen when a window border is present and when the wrapped line continues on the next physical line directly in the window border because the 'cpo' setting includes the 'n' flag. Only users with non-default settings are affected and the exception should only result in a crash. This issue has been addressed in commit `cb0b99f0` which has been included in release version 9.0.2107. Users are advised to upgrade. There are no known workarounds for this vulnerability. CVE-2023-48232 Public Cloud Image google/sles-12-sp5-v20240308-x86-64:vim-9.1.0111-17.29.1 Public Cloud Image google/sles-12-sp5-v20240308-x86-64:vim-data-common-9.1.0111-17.29.1 moderate Vim is an open source command line text editor. If the count after the :s command is larger than what fits into a (signed) long variable, abort with e_value_too_large. Impact is low, user interaction is required and a crash may not even happen in all situations. This issue has been addressed in commit `ac6378773` which has been included in release version 9.0.2108. Users are advised to upgrade. There are no known workarounds for this vulnerability. CVE-2023-48233 Public Cloud Image google/sles-12-sp5-v20240308-x86-64:vim-9.1.0111-17.29.1 Public Cloud Image google/sles-12-sp5-v20240308-x86-64:vim-data-common-9.1.0111-17.29.1 moderate Vim is an open source command line text editor. When getting the count for a normal mode z command, it may overflow for large counts given. Impact is low, user interaction is required and a crash may not even happen in all situations. This issue has been addressed in commit `58f9befca1` which has been included in release version 9.0.2109. Users are advised to upgrade. There are no known workarounds for this vulnerability. CVE-2023-48234 Public Cloud Image google/sles-12-sp5-v20240308-x86-64:vim-9.1.0111-17.29.1 Public Cloud Image google/sles-12-sp5-v20240308-x86-64:vim-data-common-9.1.0111-17.29.1 moderate Vim is an open source command line text editor. When parsing relative ex addresses one may unintentionally cause an overflow. Ironically this happens in the existing overflow check, because the line number becomes negative and LONG_MAX - lnum will cause the overflow. Impact is low, user interaction is required and a crash may not even happen in all situations. This issue has been addressed in commit `060623e` which has been included in release version 9.0.2110. Users are advised to upgrade. There are no known workarounds for this vulnerability. CVE-2023-48235 Public Cloud Image google/sles-12-sp5-v20240308-x86-64:vim-9.1.0111-17.29.1 Public Cloud Image google/sles-12-sp5-v20240308-x86-64:vim-data-common-9.1.0111-17.29.1 moderate Vim is an open source command line text editor. When using the z= command, the user may overflow the count with values larger than MAX_INT. Impact is low, user interaction is required and a crash may not even happen in all situations. This vulnerability has been addressed in commit `73b2d379` which has been included in release version 9.0.2111. Users are advised to upgrade. There are no known workarounds for this vulnerability. CVE-2023-48236 Public Cloud Image google/sles-12-sp5-v20240308-x86-64:vim-9.1.0111-17.29.1 Public Cloud Image google/sles-12-sp5-v20240308-x86-64:vim-data-common-9.1.0111-17.29.1 moderate Vim is an open source command line text editor. In affected versions when shifting lines in operator pending mode and using a very large value, it may be possible to overflow the size of integer. Impact is low, user interaction is required and a crash may not even happen in all situations. This issue has been addressed in commit `6bf131888` which has been included in version 9.0.2112. Users are advised to upgrade. There are no known workarounds for this vulnerability. CVE-2023-48237 Public Cloud Image google/sles-12-sp5-v20240308-x86-64:vim-9.1.0111-17.29.1 Public Cloud Image google/sles-12-sp5-v20240308-x86-64:vim-data-common-9.1.0111-17.29.1 moderate Vim is a UNIX editor that, prior to version 9.0.2121, has a heap-use-after-free vulnerability. When executing a `:s` command for the very first time and using a sub-replace-special atom inside the substitution part, it is possible that the recursive `:s` call causes free-ing of memory which may later then be accessed by the initial `:s` command. The user must intentionally execute the payload and the whole process is a bit tricky to do since it seems to work only reliably for the very first :s command. It may also cause a crash of Vim. Version 9.0.2121 contains a fix for this issue. CVE-2023-48706 Public Cloud Image google/sles-12-sp5-v20240308-x86-64:vim-9.1.0111-17.29.1 Public Cloud Image google/sles-12-sp5-v20240308-x86-64:vim-data-common-9.1.0111-17.29.1 moderate The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), and a client and server may consequently end up with a connection for which some security features have been downgraded or disabled, aka a Terrapin attack. This occurs because the SSH Binary Packet Protocol (BPP), implemented by these extensions, mishandles the handshake phase and mishandles use of sequence numbers. For example, there is an effective attack against SSH's use of ChaCha20-Poly1305 (and CBC with Encrypt-then-MAC). The bypass occurs in chacha20-poly1305@openssh.com and (if CBC is used) the -etm@openssh.com MAC algorithms. This also affects Maverick Synergy Java SSH API before 3.1.0-SNAPSHOT, Dropbear through 2022.83, Ssh before 5.1.1 in Erlang/OTP, PuTTY before 0.80, AsyncSSH before 2.14.2, golang.org/x/crypto before 0.17.0, libssh before 0.10.6, libssh2 through 1.11.0, Thorn Tech SFTP Gateway before 3.4.6, Tera Term before 5.1, Paramiko before 3.4.0, jsch before 0.2.15, SFTPGo before 2.5.6, Netgate pfSense Plus through 23.09.1, Netgate pfSense CE through 2.7.2, HPN-SSH through 18.2.0, ProFTPD before 1.3.8b (and before 1.3.9rc2), ORYX CycloneSSH before 2.3.4, NetSarang XShell 7 before Build 0144, CrushFTP before 10.6.0, ConnectBot SSH library before 2.2.22, Apache MINA sshd through 2.11.0, sshj through 0.37.0, TinySSH through 20230101, trilead-ssh2 6401, LANCOM LCOS and LANconfig, FileZilla before 3.66.4, Nova before 11.8, PKIX-SSH before 14.4, SecureCRT before 9.4.3, Transmit5 before 5.10.4, Win32-OpenSSH before 9.5.0.0p1-Beta, WinSCP before 6.2.2, Bitvise SSH Server before 9.32, Bitvise SSH Client before 9.33, KiTTY through 0.76.1.13, the net-ssh gem 7.2.0 for Ruby, the mscdex ssh2 module before 1.15.0 for Node.js, the thrussh library before 0.35.1 for Rust, and the Russh crate before 0.40.2 for Rust. CVE-2023-48795 Public Cloud Image google/sles-12-sp5-v20240308-x86-64:libssh4-0.9.8-3.12.2 important In the Linux kernel before 6.4.12, amdgpu_cs_wait_all_fences in drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c has a fence use-after-free. CVE-2023-51042 Public Cloud Image google/sles-12-sp5-v20240308-x86-64:kernel-default-4.12.14-122.194.1 moderate In the Linux kernel before 6.4.5, drivers/gpu/drm/drm_atomic.c has a use-after-free during a race condition between a nonblocking atomic commit and a driver unload. CVE-2023-51043 Public Cloud Image google/sles-12-sp5-v20240308-x86-64:kernel-default-4.12.14-122.194.1 moderate In ssh in OpenSSH before 9.6, OS command injection might occur if a user name or host name has shell metacharacters, and this name is referenced by an expansion token in certain situations. For example, an untrusted Git repository can have a submodule with shell metacharacters in a user name or host name. CVE-2023-51385 Public Cloud Image google/sles-12-sp5-v20240308-x86-64:openssh-7.2p2-81.12.1 moderate An issue was discovered in the Linux kernel before 6.6.8. do_vcc_ioctl in net/atm/ioctl.c has a use-after-free because of a vcc_recvmsg race condition. CVE-2023-51780 Public Cloud Image google/sles-12-sp5-v20240308-x86-64:kernel-default-4.12.14-122.194.1 important An issue was discovered in the Linux kernel before 6.6.8. rose_ioctl in net/rose/af_rose.c has a use-after-free because of a rose_accept race condition. CVE-2023-51782 Public Cloud Image google/sles-12-sp5-v20240308-x86-64:kernel-default-4.12.14-122.194.1 moderate NSS was susceptible to a timing side-channel attack when performing RSA decryption. This attack could potentially allow an attacker to recover the private data. This vulnerability affects Firefox < 124, Firefox ESR < 115.9, and Thunderbird < 115.9. CVE-2023-5388 Public Cloud Image google/sles-12-sp5-v20240308-x86-64:mozilla-nss-certs-3.90.2-58.111.1 moderate A flaw was found in libssh. By utilizing the ProxyCommand or ProxyJump feature, users can exploit unchecked hostname syntax on the client. This issue may allow an attacker to inject malicious code into the command of the features mentioned through the hostname parameter. CVE-2023-6004 Public Cloud Image google/sles-12-sp5-v20240308-x86-64:libssh4-0.9.8-3.12.2 moderate An out-of-bounds access vulnerability involving netfilter was reported and fixed as: f1082dd31fe4 (netfilter: nf_tables: Reject tables of unsupported family); While creating a new netfilter table, lack of a safeguard against invalid nf_tables family (pf) values within `nf_tables_newtable` function enables an attacker to achieve out-of-bounds access. CVE-2023-6040 Public Cloud Image google/sles-12-sp5-v20240308-x86-64:kernel-default-4.12.14-122.194.1 moderate A flaw was found in the Linux kernel's NVMe driver. This issue may allow an unauthenticated malicious actor to send a set of crafted TCP packages when using NVMe over TCP, leading the NVMe driver to a NULL pointer dereference in the NVMe driver and causing kernel panic and a denial of service. CVE-2023-6356 Public Cloud Image google/sles-12-sp5-v20240308-x86-64:kernel-default-4.12.14-122.194.1 moderate A flaw was found in the Linux kernel's NVMe driver. This issue may allow an unauthenticated malicious actor to send a set of crafted TCP packages when using NVMe over TCP, leading the NVMe driver to a NULL pointer dereference in the NVMe driver, causing kernel panic and a denial of service. CVE-2023-6535 Public Cloud Image google/sles-12-sp5-v20240308-x86-64:kernel-default-4.12.14-122.194.1 moderate A flaw was found in the Linux kernel's NVMe driver. This issue may allow an unauthenticated malicious actor to send a set of crafted TCP packages when using NVMe over TCP, leading the NVMe driver to a NULL pointer dereference in the NVMe driver, causing kernel panic and a denial of service. CVE-2023-6536 Public Cloud Image google/sles-12-sp5-v20240308-x86-64:kernel-default-4.12.14-122.194.1 moderate An issue was found in the CPython `tempfile.TemporaryDirectory` class affecting versions 3.12.1, 3.11.7, 3.10.13, 3.9.18, and 3.8.18 and prior. The tempfile.TemporaryDirectory class would dereference symlinks during cleanup of permissions-related errors. This means users which can run privileged programs are potentially able to modify permissions of files referenced by symlinks in some circumstances. CVE-2023-6597 Public Cloud Image google/sles-12-sp5-v20240308-x86-64:libpython3_4m1_0-3.4.10-25.124.1 Public Cloud Image google/sles-12-sp5-v20240308-x86-64:python3-3.4.10-25.124.1 Public Cloud Image google/sles-12-sp5-v20240308-x86-64:python3-base-3.4.10-25.124.1 moderate A flaw was found in the libssh implements abstract layer for message digest (MD) operations implemented by different supported crypto backends. The return values from these were not properly checked, which could cause low-memory situations failures, NULL dereferences, crashes, or usage of the uninitialized memory as an input for the KDF. In this case, non-matching keys will result in decryption/integrity failures, terminating the connection. CVE-2023-6918 Public Cloud Image google/sles-12-sp5-v20240308-x86-64:libssh4-0.9.8-3.12.2 important A vulnerability was found in vhost_new_msg in drivers/vhost/vhost.c in the Linux kernel, which does not properly initialize memory in messages passed between virtual guests and the host operating system in the vhost/vhost.c:vhost_new_msg() function. This issue can allow local privileged users to read some kernel memory contents when reading from the /dev/vhost-net device file. CVE-2024-0340 Public Cloud Image google/sles-12-sp5-v20240308-x86-64:kernel-default-4.12.14-122.194.1 low A use-after-free flaw was found in the __ext4_remount in fs/ext4/super.c in ext4 in the Linux kernel. This flaw allows a local user to cause an information leak problem while freeing the old quota file names before a potential failure, leading to a use-after-free. CVE-2024-0775 Public Cloud Image google/sles-12-sp5-v20240308-x86-64:kernel-default-4.12.14-122.194.1 important A use-after-free vulnerability in the Linux kernel's netfilter: nf_tables component can be exploited to achieve local privilege escalation. The nft_verdict_init() function allows positive values as drop error within the hook verdict, and hence the nf_hook_slow() function can cause a double free vulnerability when NF_DROP is issued with a drop error which resembles NF_ACCEPT. We recommend upgrading past commit f342de4e2f33e0e39165d8639387aa6c19dff660. CVE-2024-1086 Public Cloud Image google/sles-12-sp5-v20240308-x86-64:kernel-default-4.12.14-122.194.1 important Vim before 9.0.2142 has a stack-based buffer overflow because did_set_langmap in map.c calls sprintf to write to the error buffer that is passed down to the option callback functions. CVE-2024-22667 Public Cloud Image google/sles-12-sp5-v20240308-x86-64:vim-9.1.0111-17.29.1 Public Cloud Image google/sles-12-sp5-v20240308-x86-64:vim-data-common-9.1.0111-17.29.1 moderate BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner. Two malicious build steps running in parallel sharing the same cache mounts with subpaths could cause a race condition that can lead to files from the host system being accessible to the build container. The issue has been fixed in v0.12.5. Workarounds include, avoiding using BuildKit frontend from an untrusted source or building an untrusted Dockerfile containing cache mounts with --mount=type=cache,source=... options. CVE-2024-23651 Public Cloud Image google/sles-12-sp5-v20240308-x86-64:docker-24.0.7_ce-98.106.1 important BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner. A malicious BuildKit frontend or Dockerfile using RUN --mount could trick the feature that removes empty files created for the mountpoints into removing a file outside the container, from the host system. The issue has been fixed in v0.12.5. Workarounds include avoiding using BuildKit frontends from an untrusted source or building an untrusted Dockerfile containing RUN --mount feature. CVE-2024-23652 Public Cloud Image google/sles-12-sp5-v20240308-x86-64:docker-24.0.7_ce-98.106.1 moderate BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner. In addition to running containers as build steps, BuildKit also provides APIs for running interactive containers based on built images. It was possible to use these APIs to ask BuildKit to run a container with elevated privileges. Normally, running such containers is only allowed if special `security.insecure` entitlement is enabled both by buildkitd configuration and allowed by the user initializing the build request. The issue has been fixed in v0.12.5 . Avoid using BuildKit frontends from untrusted sources. CVE-2024-23653 Public Cloud Image google/sles-12-sp5-v20240308-x86-64:docker-24.0.7_ce-98.106.1 moderate An issue was discovered in libxml2 before 2.11.7 and 2.12.x before 2.12.5. When using the XML Reader interface with DTD validation and XInclude expansion enabled, processing crafted XML documents can lead to an xmlValidatePopElement use-after-free. CVE-2024-25062 Public Cloud Image google/sles-12-sp5-v20240308-x86-64:libxml2-2-2.9.4-46.71.1 important