Removed rpms
============

- libavif13
- libopenssl1_1-32bit
- librav1e0

Added rpms
==========

- bluez-obexd
- libgsttranscoder-1_0-0
- openssh-server-config-rootlogin

Package Source Changes
======================

MozillaFirefox
+- Firefox Extended Support Release 115.8.0 ESR
+  * Fixed: Various security fixes and other quality improvements.
+- Mozilla Firefox ESR 115.8
+  MFSA 2024-UNKNOWN (bsc#1220048)
+  * NO CVE-NUMBER ASSIGNED YET (bmo#1843752)
+    Out-of-bounds memory read in networking channels
+  * NO CVE-NUMBER ASSIGNED YET (bmo#1877879)
+    Alert dialog could have been spoofed on another site
+  * NO CVE-NUMBER ASSIGNED YET (bmo#1832627)
+    Fullscreen Notification could have been hidden by select
+    element
+  * NO CVE-NUMBER ASSIGNED YET (bmo#1833814)
+    Custom cursor could obscure the permission dialog
+  * NO CVE-NUMBER ASSIGNED YET (bmo#1860065)
+    Mouse cursor re-positioned unexpectedly could have led to
+    unintended permission grants
+  * NO CVE-NUMBER ASSIGNED YET (bmo#1864385)
+    Multipart HTTP Responses would accept the Set-Cookie header
+    in response parts
+  * NO CVE-NUMBER ASSIGNED YET (bmo#1874502)
+    Incorrect code generation on 32-bit ARM devices
+  * NO CVE-NUMBER ASSIGNED YET (bmo#1855686, bmo#1867982, bmo#1871498,
+    bmo#1872296, bmo#1873521, bmo#1873577, bmo#1873597,
+    bmo#1873866, bmo#1874080, bmo#1874740, bmo#1875795,
+    bmo#1875906, bmo#1876425, bmo#1878211, bmo#1878286)
+    Memory safety bugs fixed in Firefox 123, Firefox ESR 115.8,
+    and Thunderbird 115.8
+
+- Recommend libfido2-udev on codestreams that exist, in order to try
+  to get security keys (e.g. Yubikeys) work out of the box. (bsc#1184272)
+
- Placeholder changelog-entry (bsc#1218955)
+  * Fixed: Various security fixes and other quality improvements.
+- Mozilla Firefox ESR 115.7
+  MFSA 2024-02 (bsc#1218955)
+  * CVE-2024-0741 (bmo#1864587)
+    Out of bounds write in ANGLE
+  * CVE-2024-0742 (bmo#1867152)
+    Failure to update user input timestamp
+  * CVE-2024-0746 (bmo#1660223)
+    Crash when listing printers on Linux
+  * CVE-2024-0747 (bmo#1764343)
+    Bypass of Content Security Policy when directive unsafe-inline was set
+  * CVE-2024-0749 (bmo#1813463)
+    Phishing site popup could show local origin in address bar
+  * CVE-2024-0750 (bmo#1863083)
+    Potential permissions request bypass via clickjacking
+  * CVE-2024-0751 (bmo#1865689)
+    Privilege escalation through devtools
+  * CVE-2024-0753 (bmo#1870262)
+    HSTS policy on subdomain could bypass policy of upper domain
+  * CVE-2024-0755 (bmo#1868456, bmo#1871445, bmo#1873701)
+    Memory safety bugs fixed in Firefox 122, Firefox ESR 115.7,
+    and Thunderbird 115.7

autofs
+- Use %patch -P N instead of deprecated %patchN.
+
+- update to 5.1.9 (bsc#1219508)
+  * fix kernel mount status notification.
+  * fix fedfs build flags.
+  * fix set open file limit.
+  * improve descriptor open error reporting.
+  * fix root offset error handling.
+  * fix fix root offset error handling.
+  * fix nonstrict fail handling of last offset mount.
+  * dont fail on duplicate offset entry tree add.
+  * fix loop under run in cache_get_offset_parent().
+  * bailout on rpc systemerror.
+  * fix nfsv4 only mounts should not use rpcbind.
+  * simplify cache_add() a little.
+  * fix use after free in tree_mapent_delete_offset_tree().
+  * fix memory leak in xdr_exports().
+  * avoid calling pthread_getspecific() with NULL key_thread_attempt_id.
+  * fix sysconf(3) return handling.
+  * remove nonstrict parameter from tree_mapent_umount_offsets().
+  * fix handling of incorrect return from umount_ent().
+  * dont use initgroups() at spawn.
+  * fix bashism in configure.
+  * musl: fix missing include in hash.h.
+  * musl: define fallback dummy NSS config path
+  * musl: avoid internal stat.h definitions.
+  * musl: add missing include to hash.h for _WORDSIZE.
+  * musl: add missing include to log.h for pid_t.
+  * musl: define _SWORD_TYPE.
+  * add autofs_strerror_r() helper for musl.
+  * update configure.
+  * handle innetgr() not present in musl.
+  * fix missing unlock in sasl_do_kinit_ext_cc().
+  * fix a couple of null cache locking problems.
+  * restore gcc flags after autoconf Kerberos 5 check.
+  * prepare for OpenLDAP SASL binding.
+  * let OpenLDAP handle SASL binding.
+  * configure: LDAP function checks ignore implicit declarations.
+  * improve debug logging of LDAP binds.
+  * improve debug logging of SASL binds.
+  * internal SASL logging only in debug log mode.
+  * more comprehensive verbose logging for LDAP maps.
+  * fix invalid tsv access.
+  * support SCRAM for SASL binding.
+  * ldap_sasl_interactive_bind() needs credentials for auto-detection.
+  * fix autofs regression due to positive_timeout.
+  * fix parse module instance mutex naming.
+  * serialise lookup module open and reinit.
+  * coverity fix for invalid access.
+  * fix hosts map deadlock on restart.
+  * fix deadlock with hosts map reload.
+  * fix memory leak in update_hosts_mounts().
+  * fix minus only option handling in concat_options().
+  * fix incorrect path for is_mounted() in try_remount().
+  * fix additional tsv invalid access.
+  * fix use_ignore_mount_option description.
+  * include addtional log info for mounts.
+  * fail on empty replicated host name.
+  * improve handling of ENOENT in sss setautomntent().
+  * don't immediately call function when waiting.
+  * define LDAP_DEPRECATED during LDAP configure check.
+  * fix return status of mount_autofs().
+  * don't close lookup at umount.
+  * fix deadlock in lookups.
+  * dont delay expire.
+  * make amd mapent search function name clear.
+  * rename statemachine() to signal_handler().
+  * make signal handling consistent.
+  * eliminate last remaining state_pipe usage.
+  * add function master_find_mapent_by_devid().
+  * use device id to locate autofs_point when setting log priotity.
+  * add command pipe handling functions.
+  * switch to application wide command pipe.
+  * get rid of unused field submnt_count.
+  * fix mount tree startup reconnect.
+  * fix unterminated read in handle_cmd_pipe_fifo_message().
+  * fix memory leak in sasl_do_kinit()
+  * fix fix mount tree startup reconnect.
+  * fix amd selector function matching.
+  * get rid entry thid field.
+  * continue expire immediately after submount check.
+  * eliminate realpath from mount of submount.
+  * eliminate root param from autofs mount and umount.
+  * remove redundant fstat from do_mount_direct().
+  * get rid of strlen call in handle_packet_missing_direct().
+  * remove redundant stat call in lookup_ghost().
+  * set mapent dev and ino before adding to index.
+  * change to use printf functions in amd parser.
+  * dont call umount_subtree_mounts() on parent at umount.
+  * dont take parent source lock at mount shutdown.
+  * fix possible use after free in handle_mounts_exit().
+  * make submount cleanup the same as top level mounts.
+  * add soucre parameter to module functions.
+  * add ioctlfd open helper.
+  * make open files limit configurable.
+  * use correct reference for IN6 macro call.
+  * dont probe interface that cant send packet.
+  * fix some sss error return cases.
+  * fix incorrect matching of cached wildcard key.
+  * fix expire retry looping.
+  * allow -null map in indirect maps.
+  * fix multi-mount check.
+  * fix let OpenLDAP handle SASL binding.
+  * always recreate credential cache.
+  * fix ldap_parse_page_control() check.
+  * fix typo in create_cmd_pipe_fifo().
+  * add null check in master_kill().
+  * be more careful with cmd pipe at exit.
+  * rename configure.in to configure.ac.
+  * update autoconf macros.
+  * update autoconf release.
+  * update autofs release.
+- drop autofs-5-1-3-fix-unset-tsd-group-name-handling.patch, upstream
+  as ab8ca82 ("autofs-5.1.3 - fix unset tsd group name handling")
+- drop autofs-Test-TCP-request-correctly-in-nfs_get_info.patch,
+  superseded by 80845bb ("autofs-5.1.8 - fix nfsv4 only mounts should
+  not use rpcbind")
+- rebase autofs-5.1.1-dbus-udisks-monitor.patch atop 37fda2c
+  ("autofs-5.1.8 - add soucre parameter to module functions")
+
+- autofs-5.1.3-revert-fix-argc-off-by-one-in-mount_aut.patch
+  Fix off-by-one error in recursive map handling. (bsc#1209653)
+
+- autofs-5.1.6-fix-quoted-string-length-calc-in-expand.patch
+  Fix problem with quote handling
+  (bsc#1181715)
+
+- 0005-autofs-5.1.4-fix-incorrect-locking-in-sss-lookup.patch
+  Fix locking problem that causes deadlock when sss used.
+  (bsc#1196485)
+
+- 0004-autofs-5.1.3-add-port-parameter-to-rpc_ping.patch
+  Suppress portmap calls when port explicitly given
+  (bsc#1195697)
+
+- Update pidfile path to /run from /var/run (bsc#1185155)
+
-- autofs-5.1.3-revert-fix-argc-off-by-one-in-mount_aut.patch
-  Fix off-by-one error in recursive map handling. (bsc#1209653)
-
-- autofs-5.1.6-fix-quoted-string-length-calc-in-expand.patch
-  Fix problem with quote handling
-  (bsc#1181715)
-
-- 0005-autofs-5.1.4-fix-incorrect-locking-in-sss-lookup.patch
-  Fix locking problem that causes deadlock when sss used.
-  (bsc#1196485)
-
-- 0004-autofs-5.1.3-add-port-parameter-to-rpc_ping.patch
-  Suppress portmap calls when port explicitly given
-  (bsc#1195697)
-
-- Update pidfile path to /run from /var/run (bsc#1185155)

bluez
+- Add necessary Supplements (gnome-bluetooth, blueman, bluedevil5)
+  to bluez-obexd, so that file transfer features of the applications
+  can be used by default (bsc#1209153).
+- Update the description of bluez-obexd.
+
+- add fix-link-key-address-type.patch - thanks to
+  pallaswept for identifying the right patch for the pairing
+  regression
+
+- update to 5.71:
+  * Fix issue with not registering CSIS service.
+  * Fix issue with registering pairing callbacks.
+  * Fix issue with corruption during discovery filter parsing.
+- drop CVE-2023-45866.patch,
+  Fix-.device_probe-failing-if-SDP-record-is-not.patch: upstream
+- update bluez-disable-broken-tests.diff: disable failing vcp test

duktape
+- Ship libduktape206-32bit: needed by libproxy since version 0.5.

gcc7
+- Add gcc7-pr88345-min-func-alignment.diff to add support for
+  -fmin-function-alignment. [bsc#1214934]
+
+- Use %{_target_cpu} to determine host and build.

gdm
+- Drop gdm-disable-wayland-on-mgag200-chipsets.patch: fixed
+  upstream since version 43.0.

glibc
+- Add libnsl1 to baselibs.conf (bsc#1219640)

glibc:i686
+- Add libnsl1 to baselibs.conf (bsc#1219640)

gnome-shell
+- Add gjs Requires, because ScreenSaver DBus daemon is a gjs
+  script. (bsc#1219359)

grub2
+- Fix grub.xen memdisk script doesn't look for /boot/grub/grub.cfg
+  (bsc#1219248) (bsc#1181762)
+  * grub2-xen-pv-firmware.cfg
+  * 0001-disk-Optimize-disk-iteration-by-moving-memdisk-to-th.patch

ipset
+- Update to release 7.21
+  * Save mode was broken; this was repaired.
+
+- Update to release 7.20
+  * Bash completion utility updated
+
+- Update to release 7.19
+  * Add json output to list command
+
+- Update to release 7.17
+  * No userspace changes (kernel modules are not generated
+    here for openSUSE, see kernel-default instead)
+
+- Update to release 7.16
+  * Add bitmask support to hash:netnet, hash:ipport, hash:ip
+  * Add support for new bitmask parameter

kernel-default
+- Refresh
+  patches.suse/dm_blk_ioctl-implement-path-failover-for-SG_IO.patch.
+  (bsc#1216776, bsc#1220277)
+- commit 92057e0
+
+- supported.conf: Mark adin driver as supported (jsc#PED-4736 bsc#1220218)
+- commit ea21e8c
+
+- mm: move vma locking out of vma_prepare and dup_anon_vma
+  (bsc#1219558).
+- Refresh patches.suse/mm-mmap-fix-vma_merge-case-7.patch.
+- commit ce51ec9
+
+- mmap: fix error paths with dup_anon_vma() (bsc#1219558).
+- Refresh patches.suse/mm-mmap-fix-vma_merge-case-7.patch.
+- commit 04c8742
+
+- selftests/iommu: fix the config fragment (git-fixes).
+- platform/x86: thinkpad_acpi: Only update profile if successfully
+  converted (git-fixes).
+- platform/x86: intel-vbtn: Stop calling "VBDL" from
+  notify_handler (git-fixes).
+- platform/x86: touchscreen_dmi: Allow partial (prefix) matches
+  for ACPI names (git-fixes).
+- net: phy: realtek: Fix rtl8211f_config_init() for
+  RTL8211F(D)(I)-VD-CG PHY (git-fixes).
+- selftests: bonding: set active slave to primary eth1
+  specifically (git-fixes).
+- crypto: virtio/akcipher - Fix stack overflow on memcpy
+  (git-fixes).
+- can: netlink: Fix TDCO calculation using the old data bittiming
+  (git-fixes).
+- can: j1939: Fix UAF in j1939_sk_match_filter during
+  setsockopt(SO_J1939_FILTER) (git-fixes).
+- wifi: iwlwifi: mvm: fix a crash when we run out of stations
+  (git-fixes).
+- wifi: iwlwifi: uninitialized variable in
+  iwl_acpi_get_ppag_table() (git-fixes).
+- wifi: iwlwifi: Fix some error codes (git-fixes).
+- wifi: mac80211: reload info pointer in ieee80211_tx_dequeue()
+  (git-fixes).
+- spi-mxs: Fix chipselect glitch (git-fixes).
+- spi: ppc4xx: Drop write-only variable (git-fixes).
+- HID: wacom: generic: Avoid reporting a serial of '0' to
+  userspace (git-fixes).
+- HID: wacom: Do not register input devices until after
+  hid_hw_start (git-fixes).
+- commit aa892f5
+
+- mm, mmap: fix vma_merge() case 7 with vma_ops->close
+  (bsc#1217313).
+- commit 3278f37
+
+- Refresh
+  patches.suse/dm_blk_ioctl-implement-path-failover-for-SG_IO.patch.
+- commit 5d036a3
+
+- Rename and refresh
+  patches.suse/cpufreq-ondemand-Set-default-up_threshold-to-30-on-multi-core-systems.patch.
+- commit c52e450
+
+- netfilter: nft_set_rbtree: skip end interval element from gc
+  (bsc#1220144 CVE-2024-26581).
+- commit 66ac4ca
+
+- netfilter: nf_tables: nft_set_rbtree: fix spurious insertion
+  failure (git-fixes).
+- commit 1616b86
+
+- netfilter: nft_set_rbtree: skip sync GC for new elements in
+  this transaction (git-fixes).
+- commit fe02f5f
+
+- net: micrel: Fix PTP frame parsing for lan8814 (git-fixes).
+- commit fdde0d3
+
+- tun: add missing rx stats accounting in tun_xdp_act (git-fixes).
+- commit 54ceabf
+
+- tun: fix missing dropped counter in tun_xdp_act (git-fixes).
+- commit 81acbf0
+
+- Update patches.suse/powerpc-pseries-fix-accuracy-of-stolen-time.patch
+  (bsc#1215199 bsc#1220129 ltc#205683).
+- commit 3a6e250
+
+- nvme-fabrics: typo in nvmf_parse_key() (bsc#1219670).
+- commit aaaca39
+
+- scsi: ibmvfc: Open-code reset loop for target reset
+  (bsc#1220106).
+- commit d127e55
+
+- scsi: ibmvfc: Limit max hw queues by num_online_cpus()
+  (bsc#1220106).
+- commit 3ef410b
+
+- sched/membarrier: reduce the ability to hammer on sys_membarrier
+  (git-fixes).
+- commit 55d8e46
+
+- RDMA/srpt: fix function pointer cast warnings (git-fixes)
+- commit ddb0ea4
+
+- RDMA/qedr: Fix qedr_create_user_qp error flow (git-fixes)
+- commit f6e1202
+
+- RDMA/srpt: Support specifying the srpt_service_guid parameter (git-fixes)
+- commit 118994c
+
+- IB/hfi1: Fix sdma.h tx->num_descs off-by-one error (git-fixes)
+- commit 86d2329
+
+- RDMA/irdma: Add AE for too many RNRS (git-fixes)
+- commit 39a8fd9
+
+- RDMA/irdma: Set the CQ read threshold for GEN 1 (git-fixes)
+- commit d6a78b2
+
+- RDMA/irdma: Validate max_send_wr and max_recv_wr (git-fixes)
+- commit 4ad24ee
+
+- RDMA/irdma: Fix KASAN issue with tasklet (git-fixes)
+- commit 3d431c6
+
+- IB/mlx5: Don't expose debugfs entries for RRoCE general parameters if not supported (git-fixes)
+- commit 5cf010f
+
+- RDMA/bnxt_re: Add a missing check in bnxt_qplib_query_srq (git-fixes)
+- commit e1fcbb3
+
+- RDMA/bnxt_re: Return error for SRQ resize (git-fixes)
+- commit 154ab68
+
+- RDMA/bnxt_re: Fix unconditional fence for newer adapters (git-fixes)
+- commit f16dc69
+
+- RDMA/bnxt_re: Remove a redundant check inside bnxt_re_vf_res_config (git-fixes)
+- commit ec51b18
+
+- RDMA/bnxt_re: Avoid creating fence MR for newer adapters (git-fixes)
+- commit 1e41e8f
+
+- IB/hfi1: Fix a memleak in init_credit_return (git-fixes)
+- commit 6060765
+
+- mm,page_owner: Update Documentation regarding page_owner_stacks
+  (jsc-PED#7423).
+- commit 84eb808
+
+- series.conf: temporarily disable upstream patch
+  patches.suse/md-bitmap-don-t-use-index-for-pages-backing-the-bitm-d703.patch
+  (bsc#1219261)
+- commit 57020cb
+
+- btrfs: don't clear qgroup reserved bit in release_folio
+  (bsc#1216196).
+- commit 3546ef4
+
+- btrfs: free qgroup pertrans reserve on transaction abort
+  (bsc#1216196).
+- commit 48e3e79
+
+- btrfs: fix qgroup_free_reserved_data int overflow (bsc#1216196).
+- commit 56f38ab
+
+- btrfs: free qgroup reserve when ORDERED_IOERR is set
+  (bsc#1216196).
+- commit c0918a8
+
+- net: openvswitch: limit the number of recursions from action
+  sets (bsc#1219835 CVE-2024-1151).
+- commit af45645
+
+- lib/stackdepot: add depot_fetch_stack helper (jsc-PED#7423).
+- commit 1be3e14
+
+- powerpc/pseries/iommu: DLPAR add doesn't completely initialize
+  pci_controller (bsc#1215199).
+- commit 5fb603b
+
+- igc: Remove temporary workaround (git-fixes).
+- commit eb132b5
+
+- igb: Fix string truncation warnings in igb_set_fw_version
+  (git-fixes).
+- commit 605f8bb
+
+- net: ravb: Count packets instead of descriptors in GbEth RX path
+  (git-fixes).
+- commit 2d0b099
+
+- pppoe: Fix memory leak in pppoe_sendmsg() (git-fixes).
+- commit 65a997a
+
+- ice: Add check for lport extraction to LAG init (git-fixes).
+- commit 5cd2e68
+
+- bnad: fix work_queue type mismatch (git-fixes).
+- commit 1a2a9a7
+
+- i40e: take into account XDP Tx queues when stopping rings
+  (git-fixes).
+- commit f377fcb
+
+- i40e: avoid double calling i40e_pf_rxq_wait() (git-fixes).
+- commit 925c60c
+
+- i40e: Fix wrong mask used during DCB config (git-fixes).
+- commit 498f506
+
+- i40e: Fix waiting for queues of all VSIs to be disabled
+  (git-fixes).
+- commit 4a4e88c
+
+- octeontx2-af: Remove the PF_FUNC validation for NPC transmit
+  rules (git-fixes).
+- commit 02c2bca
+
+- ionic: minimal work with 0 budget (git-fixes).
+- commit c0e1f7f
+
+- i40e: Do not allow untrusted VF to remove administratively
+  set MAC (git-fixes).
+- commit 530701b
+
+- lan966x: Fix crash when adding interface under a lag
+  (git-fixes).
+- commit 4cc5718
+
+- bonding: do not report NETDEV_XDP_ACT_XSK_ZEROCOPY (git-fixes).
+- commit 905320f
+
+- net/mlx5: DPLL, Fix possible use after free after delayed work
+  timer triggers (git-fixes).
+- commit 8d225a2
+
+- timers: Tag (hr)timer softirq as hotplug safe (git-fixes).
+- commit 37f54ca
+
+- blacklist.conf: false positive, fixed feature not backported
+- commit 6569781
+
+- Documentation: arm64: Correct SME ZA macros name (git-fixes).
+- commit 2f32046
+
+- docs: arm64: Move arm64 documentation under Documentation/arch/
+  (git-fixes).
+- Refresh
+  patches.suse/arm64-errata-Add-Cortex-A520-speculative-unprivilege.patch.
+- Refresh
+  patches.suse/arm64-errata-Mitigate-Ampere1-erratum-AC03_CPU_.patch.
+- Refresh
+  patches.suse/iommu-arm-smmu-v3-Document-MMU-700-erratum-281.patch.
+- Refresh
+  patches.suse/iommu-arm-smmu-v3-Document-nesting-related-err.patch.
+- Refresh
+  patches.suse/iommu-arm-smmu-v3-Work-around-MMU-600-erratum-.patch.
+- commit dbd8870
+
+- Delete
+  patches.suse/workqueue-Override-implicit-ordered-attribute-in-wor.patch.
+- blacklist.conf: the patch caused a regression and has been reverted
+  upstream (bsc#1219509)
+- commit 24b5f0d
+
+- Drop bcm5974 input patch causing a regression (bsc#1220030)
+- commit 63d5a46
+
+- lib/stackdepot: add refcount for records (jsc-PED#7423).
+- commit 150e517
+
+- net: qualcomm: rmnet: fix global oob in rmnet_policy
+  (git-fixes).
+- commit 890ecf9
+
+- Refresh
+  patches.suse/powerpc-pseries-papr-sysparm-use-u8-arrays-for-paylo.patch.
+- commit ee4a898
+
+- powerpc/64: Set task pt_regs->link to the LR value on scv entry
+  (bsc#1194869).
+- powerpc: add crtsavres.o to always-y instead of extra-y
+  (bsc#1194869).
+- powerpc/watchpoints: Annotate atomic context in more places
+  (bsc#1194869).
+- powerpc/watchpoint: Disable pagefaults when getting user
+  instruction (bsc#1194869).
+- powerpc/watchpoints: Disable preemption in thread_change_pc()
+  (bsc#1194869).
+- powerpc/pseries: Rework lppaca_shared_proc() to avoid
+  DEBUG_PREEMPT (bsc#1194869).
+- powerpc: Don't include lppaca.h in paca.h (bsc#1194869).
+- powerpc/powernv: Fix fortify source warnings in opal-prd.c
+  (bsc#1194869).
+- commit 72b942a
+
+- blacklist: Add more files for unsupported powerpc architectures
+- commit 47ca633
+
+- blacklist.conf: fix for config we don't have
+- commit 6278860
+
+- powerpc/kasan: Limit KASAN thread size increase to 32KB
+  (bsc#1215199).
+- commit a664cb1
+
+- leds: Change led_trigger_blink[_oneshot]() delay parameters
+  to pass-by-value (git-fixes).
+- commit a5e7aeb
+
+- usb: ucsi_acpi: Quirk to ack a connector change ack cmd
+  (git-fixes).
+- commit 3843488
+
+- nvme-keyring: restrict match length for version '1' identifiers
+  (bsc#1219670).
+- commit 131550a
+
+- Refresh sorted patches.
+- commit 6f4c0b8
+
+- block: sed-opal: handle empty atoms when parsing response
+  (jsc#PED-3545 git-fixes bsc#1220089 ltc#205305).
+- commit c7fe618
+
+- net: ravb: Wait for operating mode to be applied (git-fixes).
+- commit 40520b1
+
+- powerpc/pseries: fix accuracy of stolen time (bsc#1215199).
+- powerpc/64s: Increase default stack size to 32KB (bsc#1215199).
+- powerpc/mm: Fix null-pointer dereference in pgtable_cache_add
+  (bsc#1215199).
+- powerpc/lib: Validate size for vector operations (bsc#1215199).
+- commit b3e0008
+
+- powerpc/iommu: Fix the missing iommu_group_put() during platform
+  domain attach (jsc#PED-7779 jsc#PED-7780 git-fixes).
+- commit 06cae39
+
+- mm,page_owner: Filter out stacks by a threshold (jsc-PED#7423).
+- commit 4b9a1a9
+
+- net: bcmgenet: Fix FCS generation for fragmented skbuffs (git-fixes).
+- commit 15da81c
+
+- mm,page_owner: Display all stacks and their count
+  (jsc-PED#7423).
+- commit 582b35c
+
+- mm,page_owner: Implement the tracking of the stacks count
+  (jsc-PED#7423).
+- commit 9af4176
+
+- mm,page_owner: Maintain own list of stack_records structs
+  (jsc-PED#7423).
+- commit 332036c
+
+- lib/stackdepot: Move stack_record struct definition into the
+  header (jsc-PED#7423).
+- commit 19fef81
+
+- lib/stackdepot: Fix first entry having a 0-handle
+  (jsc-PED#7423).
+- commit 3666049
+
+- kallsyms: ignore ARMv4 thunks along with others (git-fixes).
+- modpost: trim leading spaces when processing source files list
+  (git-fixes).
+- kbuild: Fix changing ELF file type for output of gen_btf for
+  big endian (git-fixes).
+- irqchip/gic-v3-its: Fix GICv4.1 VPE affinity update (git-fixes).
+- irqchip/irq-brcmstb-l2: Add write memory barrier before exit
+  (git-fixes).
+- i2c: i801: Fix block process call transactions (git-fixes).
+- i2c: qcom-geni: Correct I2C TRE sequence (git-fixes).
+- commit 65eebf2
+
+- nvme-fabrics: fix I/O connect error handling (git-fixes).
+- commit b81dbf7
+
+- xfs: reset XFS_ATTR_INCOMPLETE filter on node removal
+  (git-fixes).
+- commit 387ed3b
+
+- xfs: ensure logflagsp is initialized in xfs_bmap_del_extent_real
+  (git-fixes).
+- commit 73bc52b
+
+- xfs: don't leak recovered attri intent items (git-fixes).
+- commit 3311908
+
+- xfs: dquot recovery does not validate the recovered dquot
+  (git-fixes).
+- commit 11dd393
+
+- xfs: clean up dqblk extraction (git-fixes).
+- commit 2a55daa
+
+- xfs: inode recovery does not validate the recovered inode
+  (git-fixes).
+- commit eb71955
+
+- xfs: handle nimaps=0 from xfs_bmapi_write in
+  xfs_alloc_file_space (git-fixes).
+- commit a21b8a6
+
+- xfs: introduce protection for drop nlink (git-fixes).
+- commit c20e066
+
+- xfs: rt stubs should return negative errnos when rt disabled
+  (git-fixes).
+- commit 3d89caf
+
+- xfs: prevent rt growfs when quota is enabled (git-fixes).
+- commit fff2e4b
+
+- xfs: hoist freeing of rt data fork extent mappings (git-fixes).
+- commit 44ca58e
+
+- xfs: bump max fsgeom struct version (git-fixes).
+- commit 7d7701a
+
+- driver core: fw_devlink: Improve detection of overlapping cycles
+  (git-fixes).
+- driver core: Fix device_link_flag_is_sync_state_only()
+  (git-fixes).
+- iio: adc: ad4130: only set GPIO_CTRL if pin is unused
+  (git-fixes).
+- iio: adc: ad4130: zero-initialize clock init data (git-fixes).
+- iio: accel: bma400: Fix a compilation problem (git-fixes).
+- iio: commom: st_sensors: ensure proper DMA alignment
+  (git-fixes).
+- staging: iio: ad5933: fix type mismatch regression (git-fixes).
+- iio: adc: ad_sigma_delta: ensure proper DMA alignment
+  (git-fixes).
+- iio: imu: adis: ensure proper DMA alignment (git-fixes).
+- iio: imu: bno055: serdev requires REGMAP (git-fixes).
+- iio: magnetometer: rm3100: add boundary check for the value
+  read from RM3100_REG_TMRC (git-fixes).
+- iio: pressure: bmp280: Add missing bmp085 to SPI id table
+  (git-fixes).
+- iio: core: fix memleak in iio_device_register_sysfs (git-fixes).
+- thunderbolt: Fix setting the CNS bit in ROUTER_CS_5 (git-fixes).
+- media: ir_toy: fix a memleak in irtoy_tx (git-fixes).
+- media: Revert "media: rkisp1: Drop IRQF_SHARED" (git-fixes).
+- commit 7fba7be
+
+- ASoC: amd: yc: Fix non-functional mic on Lenovo 82UU
+  (git-fixes).
+- ALSA: hda/realtek: cs35l41: Add internal speaker support for
+  ASUS UM3402 with missing DSD (git-fixes).
+- ALSA: hda: cs35l41: Support ASUS Zenbook UM3402YAR (git-fixes).
+- ALSA: hda: cs35l41: Support additional ASUS Zenbook UX3402VA
+  (git-fixes).
+- ALSA: hda: Increase default bdl_pos_adj for Apollo Lake
+  (git-fixes).
+- ALSA: hda: Replace numeric device IDs with constant values
+  (git-fixes).
+- ALSA: hda: generic: Remove obsolete call to ledtrig_audio_get
+  (git-fixes).
+- ALSA: hda: Properly setup HDMI stream (git-fixes).
+- commit 65b7327
+
+- ALSA: hda: Add Lenovo Legion 7i gen7 sound quirk (git-fixes).
+- commit 2ab077c
+
+- ALSA: hda/realtek: fix mute/micmute LED For HP mt645
+  (git-fixes).
+- ASoC: amd: yc: Add DMI quirk for Lenovo Ideapad Pro 5 16ARP8
+  (git-fixes).
+- ALSA: hda/realtek: add IDs for Dell dual spk platform
+  (git-fixes).
+- ALSA: hda/conexant: Add quirk for SWS JS201D (git-fixes).
+- commit 96b23dc
+
+- ALSA: usb-audio: More relaxed check of MIDI jack names
+  (git-fixes).
+- ASoC: SOF: IPC3: fix message bounds on ipc ops (git-fixes).
+- ASoC: q6dsp: fix event handler prototype (git-fixes).
+- ASoC: rt5645: Fix deadlock in rt5645_jack_detect_work()
+  (git-fixes).
+- ASoC: SOF: ipc3-topology: Fix pipeline tear down logic
+  (git-fixes).
+- ASoC: cs35l56: Fix deadlock in ASP1 mixer register
+  initialization (git-fixes).
+- ASoC: tas2781: add module parameter to tascodec_init()
+  (git-fixes).
+- ASoC: cs35l56: fix reversed if statement in
+  cs35l56_dspwait_asp1tx_put() (git-fixes).
+- ALSA: hda/realtek: cs35l41: Fix order and duplicates in quirks
+  table (git-fixes).
+- ALSA: hda/realtek: cs35l41: Fix device ID / model name
+  (git-fixes).
+- ALSA: hda/cs35l56: select intended config FW_CS_DSP (git-fixes).
+- wifi: brcmfmac: Adjust n_channels usage for __counted_by
+  (git-fixes).
+- USB: serial: option: add Fibocom FM101-GL variant (git-fixes).
+- USB: serial: qcserial: add new usb-id for Dell Wireless DW5826e
+  (git-fixes).
+- USB: serial: cp210x: add ID for IMST iM871A-USB (git-fixes).
+- usb: dwc3: pci: add support for the Intel Arrow Lake-H
+  (git-fixes).
+- xhci: handle isoc Babble and Buffer Overrun events properly
+  (git-fixes).
+- xhci: process isoc TD properly when there was a transaction
+  error mid TD (git-fixes).
+- usb: dwc3: host: Set XHCI_SG_TRB_CACHE_SIZE_QUIRK (git-fixes).
+- Input: i8042 - fix strange behavior of touchpad on Clevo NS70PU
+  (git-fixes).
+- selftests/net: change shebang to bash to support "source"
+  (git-fixes).
+- selftests/net: convert pmtu.sh to run it in unique namespace
+  (git-fixes).
+- selftests/net: convert unicast_extensions.sh to run it in
+  unique namespace (git-fixes).
+- commit 1f8c296
+
+- scsi: smartpqi: Bump driver version to 2.1.26-030 (bsc#1219987).
+- scsi: smartpqi: Fix logical volume rescan race condition
+  (bsc#1219987).
+- scsi: smartpqi: Add new controller PCI IDs (bsc#1219987).
+- commit 343b48a
+
+- scsi: mpt3sas: Reload SBR without rebooting HBA (bsc#1219551).
+- scsi: mpt3sas: Suppress a warning in debug kernel (bsc#1219551).
+- scsi: mpt3sas: Replace dynamic allocations with local variables
+  (bsc#1219551).
+- scsi: mpt3sas: Replace a dynamic allocation with a local
+  variable (bsc#1219551).
+- scsi: mpt3sas: Fix typo of "TRIGGER" (bsc#1219551).
+- scsi: mpt3sas: Fix an outdated comment (bsc#1219551).
+- scsi: mpt3sas: Remove the iounit_pg8 member of the per-adapter
+  struct (bsc#1219551).
+- scsi: mpt3sas: Use struct_size() for struct size calculations
+  (bsc#1219551).
+- scsi: mpt3sas: Make MPI26_CONFIG_PAGE_PIOUNIT_1::PhyData a
+  flexible array (bsc#1219551).
+- scsi: mpt3sas: Make MPI2_CONFIG_PAGE_SASIOUNIT_1::PhyData a
+  flexible array (bsc#1219551).
+- scsi: mpt3sas: Make MPI2_CONFIG_PAGE_SASIOUNIT_0::PhyData a
+  flexible array (bsc#1219551).
+- scsi: mpt3sas: Make MPI2_CONFIG_PAGE_RAID_VOL_0::PhysDisk a
+  flexible array (bsc#1219551).
+- scsi: mpt3sas: Make MPI2_CONFIG_PAGE_IO_UNIT_8::Sensor a
+  flexible array (bsc#1219551).
+- scsi: mpt3sas: Use flexible arrays when obviously possible
+  (bsc#1219551).
+- commit 472a48e
+
+- nvme: enable retries for authentication commands (bsc#1186716).
+- nvme: change __nvme_submit_sync_cmd() calling conventions
+  (bsc#1186716).
+- nvme-auth: open-code single-use macros (bsc#1186716).
+- nvme: use ctrl state accessor (bsc#1186716).
+- commit f8cc1d3
+
+- Delete patches.suse/scsi-lpfc-limit-irq-vectors-to-online-cpus-if-kdump-kernel.patch.
+  Should be addressed by the previously merged upstream solution (bsc#1218180 ltc#204476).
+- commit ebf5676
+
+- powerpc/smp: Remap boot CPU onto core 0 if >= nr_cpu_ids
+  (bsc#1218180 ltc#204476).
+- powerpc/smp: Factor out assign_threads() (bsc#1218180
+  ltc#204476).
+- powerpc/smp: Lookup avail once per device tree node (bsc#1218180
+  ltc#204476).
+- powerpc/smp: Increase nr_cpu_ids to include the boot CPU
+  (bsc#1218180 ltc#204476).
+- powerpc/smp: Adjust nr_cpu_ids to cover all threads of a core
+  (bsc#1218180 ltc#204476).
+- commit 4c4f84a
+
+- KVM: VMX: Move VERW closer to VMentry for MDS mitigation (git-fixes).
+- KVM: VMX: Use BT+JNC, i.e. EFLAGS.CF to select VMRESUME vs. VMLAUNCH (git-fixes).
+- x86/bugs: Use ALTERNATIVE() instead of mds_user_clear static key (git-fixes).
+- x86/entry_32: Add VERW just before userspace transition (git-fixes).
+- x86/entry_64: Add VERW just before userspace transition (git-fixes).
+- x86/bugs: Add asm helpers for executing VERW (git-fixes).
+- commit 6f2943c
+
+- net: ethernet: mtk_wed: fix possible NULL pointer dereference
+  in mtk_wed_wo_queue_tx_clean() (git-fixes).
+- commit f6c1c6f
+
+- net: ks8851: Fix TX stall caused by TX buffer overrun
+  (git-fixes).
+- commit 309032b
+
+- net: mscc: ocelot: fix pMAC TX RMON stats for bucket 256-511
+  and above (git-fixes).
+- commit f51244f
+
+- net: mscc: ocelot: fix eMAC TX RMON stats for bucket 256-511
+  and above (git-fixes).
+- commit 0cdf0a3
+
+- net: atlantic: fix double free in ring reinit logic (git-fixes).
+- commit 7354340
+
+- net: stmmac: Handle disabled MDIO busses from devicetree
+  (git-fixes).
+- commit be25be7
+
+- dpaa2-switch: do not ask for MDB, VLAN and FDB replay
+  (git-fixes).
+- commit c6e8879
+
+- dpaa2-switch: fix size of the dma_unmap (git-fixes).
+- commit 23ea26f
+
+- stmmac: dwmac-loongson: drop useless check for compatible
+  fallback (git-fixes).
+- commit 02807a5
+
+- stmmac: dwmac-loongson: Make sure MDIO is initialized before
+  use (git-fixes).
+- commit c27d9ce
+
+- net: fec: correct queue selection (git-fixes).
+- commit 7f02173
+
+- qca_spi: Fix reset behavior (git-fixes).
+- commit f971346
+
+- qca_debug: Fix ethtool -G iface tx behavior (git-fixes).
+- commit 87b783f
+
+- qca_debug: Prevent crash on TX ring changes (git-fixes).
+- commit a319e0e
+
+- clocksource: Replace all non-returning strlcpy with strscpy
+  (bsc#1219953).
+- commit b844ff1
+
+- x86/smpboot: Avoid pointless delay calibration if TSC is
+  synchronized (bsc#1219953).
+- commit 7dfe12b
+
+- rcutorture: Add fqs_holdoff check before fqs_task is created
+  (bsc#1219953).
+- commit d6f81ac
+
+- locktorture: Increase Hamming distance between call_rcu_chain
+  and rcu_call_chains (bsc#1219953).
+- commit 82380d1
+
+- asm-generic: qspinlock: fix queued_spin_value_unlocked()
+  implementation (bsc#1219953).
+- commit a3ab6e9
+
+- locktorture: Check the correct variable for allocation failure
+  (bsc#1219953).
+- commit 5884e2f
+
+- rcutorture: Traverse possible cpu to set maxcpu in
+  rcu_nocb_toggle() (bsc#1219953).
+- commit ac1c709
+
+- rcutorture: Replace schedule_timeout*() 1-jiffy waits with HZ/20
+  (bsc#1219953).
+- commit de5b047
+
+- locktorture: Rename readers_bind/writers_bind to
+  bind_readers/bind_writers (bsc#1219953).
+- commit 1dc09ec
+
+- doc: Catch-up update for locktorture module parameters
+  (bsc#1219953).
+- commit 19c054c
+
+- locktorture: Add call_rcu_chains module parameter (bsc#1219953).
+- commit 9348bbf
+
+- locktorture: Add new module parameters to
+  lock_torture_print_module_parms() (bsc#1219953).
+- commit 59c9dd5
+
+- torture: Print out torture module parameters (bsc#1219953).
+- commit f0a2f52
+
+- locktorture: Add acq_writer_lim to complain about long
+  acquistion times (bsc#1219953).
+- commit 495f129
+
+- locktorture: Consolidate "if" statements in
+  lock_torture_writer() (bsc#1219953).
+- commit 19cd3cf
+
+- locktorture: Alphabetize torture_param() entries (bsc#1219953).
+- commit 4d45162
+
+- locktorture: Add readers_bind and writers_bind module parameters
+  (bsc#1219953).
+- commit d4bab3f
+
+- rcutorture: Fix stuttering races and other issues (bsc#1219953).
+- commit 14a2209
+
+- torture: Move rcutorture_sched_setaffinity() out of rcutorture
+  (bsc#1219953).
+- commit ec64c16
+
+- torture: Make torture_hrtimeout_ns() take an hrtimer mode
+  parameter (bsc#1219953).
+- commit 7155d42
+
+- torture: Share torture_random_state with torture_shuffle_tasks()
+  (bsc#1219953).
+- commit abf8744
+
+- locking/lockdep: Fix string sizing bug that triggers a
+  format-truncation compiler-warning (bsc#1219953).
+- commit 23d08c5
+
+- locking/debug: Fix debugfs API return value checks to use
+  IS_ERR() (bsc#1219953).
+- commit 048609a
+
+- locking/ww_mutex/test: Make sure we bail out instead of livelock
+  (bsc#1219953).
+- commit 4038509
+
+- locking/ww_mutex/test: Fix potential workqueue corruption
+  (bsc#1219953).
+- commit def0333
+
+- locking/ww_mutex/test: Use prng instead of rng to avoid hangs
+  at bootup (bsc#1219953).
+- commit aacf9cc
+
+- asm-generic: ticket-lock: Optimize arch_spin_value_unlocked()
+  (bsc#1219953).
+- commit b967504
+
+- futex: Use a folio instead of a page (bsc#1219953).
+- commit a11123c
+
+- locking/seqlock: Do the lockdep annotation before locking in
+  do_write_seqcount_begin_nested() (bsc#1219953).
+- commit d372072
+
+- rcutorture: Stop right-shifting torture_random() return values
+  (bsc#1219953).
+- commit a88dc75
+
+- torture: Stop right-shifting torture_random() return values
+  (bsc#1219953).
+- commit 9c51efc
+
+- torture: Move stutter_wait() timeouts to hrtimers (bsc#1219953).
+- commit 8bcefe1
+
+- torture: Move torture_shuffle() timeouts to hrtimers
+  (bsc#1219953).
+- commit 24edc78
+
+- torture: Move torture_onoff() timeouts to hrtimers
+  (bsc#1219953).
+- commit c16d2c1
+
+- torture: Make torture_hrtimeout_*() use TASK_IDLE (bsc#1219953).
+- commit 15e523b
+
+- torture: Add lock_torture writer_fifo module parameter
+  (bsc#1219953).
+- commit 86a51c8
+
+- torture: Add a kthread-creation callback to
+  _torture_create_kthread() (bsc#1219953).
+- commit a568efe
+
+- torture: Support randomized shuffling for proxy exec testing
+  (bsc#1219953).
+- commit dfb6658
+
+- rcutorture: Dump grace-period state upon rtort_pipe_count
+  incidents (bsc#1219953).
+- commit 39c3645
+
+- powerpc/kcsan: Properly instrument arch_spin_unlock()
+  (bsc#1219953).
+- commit 49ef44f
+
+- locktorture: Add long_hold to adjust lock-hold delays
+  (bsc#1219953).
+- commit 21a09d3
+
+- intel_idle: add Sierra Forest SoC support (jsc#PED-5816).
+- commit d8dfa47
+
+- intel_idle: add Grand Ridge SoC support (jsc#PED-5816).
+- commit be47fec
+
+- powerpc/pseries/papr-sysparm: use u8 arrays for payloads
+  (jsc#PED-4486 git-fixes).
+- commit 8b94284
+
+- PCI: Add PCIE_PME_TO_L2_TIMEOUT_US L2 ready timeout value
+  (git-fixes).
+- commit a77e06b
+
+- PCI: dwc: Drop host prefix from struct dw_pcie_host_ops members
+  (git-fixes).
+- commit 4a87954
+
+- PCI: dwc: endpoint: Introduce .pre_init() and .deinit()
+  (git-fixes).
+- commit 75c1ddc
+
+- PCI: dwc: Add host_post_init() callback (git-fixes).
+- commit 5c6ab40
+
+- PCI: dwc: Implement generic suspend/resume functionality
+  (git-fixes).
+- commit 42b5947
+
+- dmaengine: dw-edma: Rename dw_edma_core_ops structure to
+  dw_edma_plat_ops (git-fixes).
+- commit a3742cf
+
+- blacklist.conf: obsoleted
+- commit c534e08
+
+- PCI: dwc: Fix a 64bit bug in dw_pcie_ep_raise_msix_irq()
+  (git-fixes).
+- commit 686e708
+
+- PCI: dwc: Use FIELD_GET/PREP() (git-fixes).
+- commit 34f9411
+
+- PCI/ASPM: Fix deadlock when enabling ASPM (git-fixes).
+- commit aa4d6dc
+
+- PCI: qcom: Clean up ASPM comment (git-fixes).
+- commit a57ad60
+
+- PCI: qcom: Fix potential deadlock when enabling ASPM
+  (git-fixes).
+- commit adc25b6
+
+- PCI: qcom: Enable ASPM for platforms supporting 1.9.0 ops
+  (git-fixes).
+- commit c63fc13
+
+- PCI: qcom: Use PCIE_SPEED2MBS_ENC() macro for encoding link
+  speed (git-fixes).
+- commit a80c081
+
+- PCI: qcom: Do not advertise hotplug capability for IP v2.1.0
+  (git-fixes).
+- commit 756f736
+
+- PCI: qcom: Do not advertise hotplug capability for IP v1.0.0
+  (git-fixes).
+- commit 00fef1b
+
+- PCI: qcom: Use post init sequence of IP v2.3.2 for v2.4.0
+  (git-fixes).
+- commit 2132a8c
+
+- PCI: qcom: Do not advertise hotplug capability for IP v2.3.2
+  (git-fixes).
+- commit 1e670bc
+
+- PCI: qcom: Do not advertise hotplug capability for IPs v2.3.3
+  and v2.9.0 (git-fixes).
+- commit 2b2b866
+
+- PCI: qcom: Do not advertise hotplug capability for IPs v2.7.0
+  and v1.9.0 (git-fixes).
+- commit c7b4716
+
+- blacklist.conf: false positive
+- commit 88b8f1d
+
+- x86/Kconfig: Transmeta Crusoe is CPU family 5, not 6
+  (git-fixes).
+- commit 5367630
+
+- pm: Introduce DEFINE_NOIRQ_DEV_PM_OPS() helper (git-fixes).
+- commit 3f9a915
+
+- platform: mellanox: Cosmetic changes (git-fixes).
+- commit 201fef6
+
+- blacklist.conf: false positive
+- commit 569fb89
+
+- blacklist.conf: stupid cleanup
+- commit 7489b61
+
+- platform/mellanox: mlxbf-bootctl: add NET dependency into
+  Kconfig (git-fixes).
+- commit c7f1631
+
+- platform/chrome: cros_ec_lpc: Remove EC panic shutdown timeout
+  (git-fixes).
+- commit d61129c
+
+- maple_tree: do not preallocate nodes for slot stores
+  (bsc#1219404).
+- commit 2307e38
+
+- mm: always lock new vma before inserting into vma tree
+  (bsc#1219558).
+- commit 4dd5f88
+
+- mm: lock vma explicitly before doing vm_flags_reset and
+  vm_flags_reset_once (bsc#1219558).
+- commit 3ebd604
+
+- mm: replace mmap with vma write lock assertions when operating
+  on a vma (bsc#1219558).
+- commit 50e3b4d
+
+- mm: for !CONFIG_PER_VMA_LOCK equate write lock assertion for
+  vma and mmap (bsc#1219558).
+- commit b999b29
+
+- mmap: fix vma_iterator in error path of vma_merge()
+  (bsc#1219558).
+- commit af3b8c0
+
+- mm: fix vm_brk_flags() to not bail out while holding lock
+  (bsc#1219558).
+- commit 817bef2
+
+- mm/mmap: change vma iteration order in do_vmi_align_munmap()
+  (bsc#1219558).
+- commit 8f876cd
+
+- mm: set up vma iterator for vma_iter_prealloc() calls
+  (bsc#1219558).
+- commit 2d402b6
+
+- mm: use vma_iter_clear_gfp() in nommu (bsc#1219558).
+- commit 666385f
+
+- mm: remove re-walk from mmap_region() (bsc#1219558).
+- commit 85c7321
+
+- mm: remove prev check from do_vmi_align_munmap() (bsc#1219558).
+- commit d77a7e1
+
+- mm: change do_vmi_align_munmap() tracking of VMAs to remove
+  (bsc#1219558).
+- commit 595be09
+
+- mm/mmap: clean up validate_mm() calls (bsc#1219558).
+- Refresh patches.suse/mm-re-introduce-vm_flags-to-do_mmap.patch.
+- commit 5726712
+
+- mm/mmap: move vma operations to mm_struct out of the critical
+  section of file mapping lock (bsc#1219558).
+- commit 4a16ce1
+
+- maple_tree: add MAS_UNDERFLOW and MAS_OVERFLOW states
+  (bsc#1219558).
+- maple_tree: add mas_is_active() to detect in-tree walks
+  (bsc#1219558).
+- maple_tree: shrink struct maple_tree (bsc#1219558).
+- maple_tree: clean up mas_wr_append() (bsc#1219558).
+- maple_tree: reduce resets during store setup (bsc#1219558).
+- maple_tree: refine mas_preallocate() node calculations
+  (bsc#1219558).
+- maple_tree: move mas_wr_end_piv() below mas_wr_extend_null()
+  (bsc#1219558).
+- maple_tree: adjust node allocation on mas_rebalance()
+  (bsc#1219558).
+- maple_tree: re-introduce entry to mas_preallocate() arguments
+  (bsc#1219558).
+- commit 911aa39
+
+- maple_tree: introduce __mas_set_range() (bsc#1219558).
+- maple_tree: add benchmarking for mas_prev() (bsc#1219558).
+- maple_tree: add benchmarking for mas_for_each (bsc#1219558).
+- maple_tree: Be more strict about locking (bsc#1219558).
+- mm/mmap: change detached vma locking scheme (bsc#1219558).
+- maple_tree: relax lockdep checks for on-stack trees
+  (bsc#1219558).
+- maple_tree: mtree_insert: fix typo in kernel-doc description
+  of GFP flags (bsc#1219558).
+- maple_tree: mtree_insert*: fix typo in kernel-doc description
+  (bsc#1219558).
+- maple_tree: drop mas_first_entry() (bsc#1219558).
+- maple_tree: replace mas_logical_pivot() with mas_safe_pivot()
+  (bsc#1219558).
+- commit a3884af
+
+- maple_tree: update mt_validate() (bsc#1219558).
+- maple_tree: make mas_validate_limits() check root node and
+  node limit (bsc#1219558).
+- maple_tree: fix mas_validate_child_slot() to check last missed
+  slot (bsc#1219558).
+- maple_tree: make mas_validate_gaps() to check metadata
+  (bsc#1219558).
+- maple_tree: don't use MAPLE_ARANGE64_META_MAX to indicate no
+  gap (bsc#1219558).
+- maple_tree: add a fast path case in mas_wr_slot_store()
+  (bsc#1219558).
+- maple_tree: optimize mas_wr_append(), also improve duplicating
+  VMAs (bsc#1219558).
+- maple_tree: add test for mas_wr_modify() fast path
+  (bsc#1219558).
+- maple_tree: fix a few documentation issues (bsc#1219558).
+- commit ed58165
+
+- vm: fix move_vma() memory accounting being off (bsc#1219404).
+- commit 8061f6c
+
+- mm: Update do_vmi_align_munmap() return semantics (bsc#1219404).
+- Refresh patches.suse/mm-re-introduce-vm_flags-to-do_mmap.patch.
+- commit 7580cf9
+
+- mm: don't do validate_mm() unnecessarily and without mmap
+  locking (bsc#1219404).
+- mm: validate the mm before dropping the mmap lock (bsc#1219404).
+- mm: Always downgrade mmap_lock if requested (bsc#1219404).
+- userfaultfd: fix regression in userfaultfd_unmap_prep()
+  (bsc#1219404).
+- mm/mmap: separate writenotify and dirty tracking logic
+  (bsc#1219404).
+- commit b6ee33d
+
+- maple_tree: add comments and some minor cleanups to
+  mas_wr_append() (bsc#1219404).
+- Refresh
+  patches.suse/maple_tree-disable-mas_wr_append-when-other-re.patch.
+- commit 8ab650e
+
+- maple_tree: relocate the declaration of mas_empty_area_rev()
+  (bsc#1219404).
+- maple_tree: simplify and clean up mas_wr_node_store()
+  (bsc#1219404).
+- maple_tree: rework mas_wr_slot_store() to be cleaner and more
+  efficient (bsc#1219404).
+- maple_tree: add mas_wr_new_end() to calculate new_end accurately
+  (bsc#1219404).
+- maple_tree: make the code symmetrical in mas_wr_extend_null()
+  (bsc#1219404).
+- maple_tree: simplify mas_is_span_wr() (bsc#1219404).
+- maple_tree: drop mas_{rev_}alloc() and mas_fill_gap()
+  (bsc#1219404).
+- maple_tree: rework mtree_alloc_{range,rrange}() (bsc#1219404).
+- commit d2740e9
+
+- maple_tree: update testing code for mas_{next,prev,walk}
+  (bsc#1219404).
+- Refresh
+  patches.suse/maple_tree-fix-32-bit-mas_next-testing.patch.
+- commit befb467
+
+- mm: avoid rewalk in mmap_region (bsc#1219404).
+- mm: add vma_iter_{next,prev}_range() to vma iterator
+  (bsc#1219404).
+- maple_tree: clear up index and last setting in single entry tree
+  (bsc#1219404).
+- maple_tree: add mas_prev_range() and mas_find_range_rev
+  interface (bsc#1219404).
+- maple_tree: introduce mas_prev_slot() interface (bsc#1219404).
+- maple_tree: relocate mas_rewalk() and mas_rewalk_if_dead()
+  (bsc#1219404).
+- maple_tree: add mas_next_range() and mas_find_range() interfaces
+  (bsc#1219404).
+- maple_tree: introduce mas_next_slot() interface (bsc#1219404).
+- maple_tree: change RCU checks to WARN_ON() instead of BUG_ON()
+  (bsc#1219404).
+- commit ac1cd44
+
+- maple_tree: make test code work without debug enabled
+  (bsc#1219404).
+- Refresh
+  patches.suse/maple_tree-add-GFP_KERNEL-to-allocations-in-mas_expe.patch.
+- commit c5591fa
+
+- maple_tree: fix testing mas_empty_area() (bsc#1219404).
+- maple_tree: revise limit checks in mas_empty_area{_rev}()
+  (bsc#1219404).
+- maple_tree: try harder to keep active node with mas_prev()
+  (bsc#1219404).
+- maple_tree: try harder to keep active node after mas_next()
+  (bsc#1219404).
+- mm/mmap: change do_vmi_align_munmap() for maple tree iterator
+  changes (bsc#1219404).
+- maple_tree: mas_start() reset depth on dead node (bsc#1219404).
+- maple_tree: remove unnecessary check from mas_destroy()
+  (bsc#1219404).
+- mm: update vma_iter_store() to use MAS_WARN_ON() (bsc#1219404).
+- mm: update validate_mm() to use vma iterator (bsc#1219404).
+- commit b5f7997
+
+- maple_tree: return error on mte_pivots() out of range
+  (bsc#1219404).
+- maple_tree: use MAS_BUG_ON() prior to calling mas_meta_gap()
+  (bsc#1219404).
+- maple_tree: use MAS_WR_BUG_ON() in mas_store_prealloc()
+  (bsc#1219404).
+- maple_tree: use MAS_BUG_ON() in mas_set_height() (bsc#1219404).
+- maple_tree: convert debug code to use MT_WARN_ON() and
+  MAS_WARN_ON() (bsc#1219404).
+- maple_tree: convert BUG_ON() to MT_BUG_ON() (bsc#1219404).
+- maple_tree: clean up mas_dfs_postorder() (bsc#1219404).
+- maple_tree: avoid unnecessary ascending (bsc#1219404).
+- maple_tree: fix static analyser cppcheck issue (bsc#1219404).
+- commit e7b5e3b
+
+- maple_tree: update mas_preallocate() testing (bsc#1219404).
+- commit 49b074b
+
+- livepatch: Add sample livepatch module (bsc#1218644).
+- commit 87a7c27
+
+- kbuild/modpost: integrate klp-convert (bsc#1218644).
+- commit 1f6875e
+
+- livepatch: Add klp-convert tool (bsc#1218644).
+- commit dd2884f
+
+- livepatch: Create and include UAPI headers (bsc#1218644).
+- commit d3771a8
+
+- dm: dm_blk_ioctl: implement path failover for SG_IO (bsc#1183045, bsc#1216776).
+- commit 41f0e96
+
libvirt
+- Add SLE virtiofsd path to apparmor profiles
+  bsc#1219772
+
+- Fix return value when libnetcontrol fails to initialize
+  boo#1219986
+
mdadm
+- Update mdadm-4.3 to latest status (jsc#PED-7542)
+  - Remove hardcoded checkpoint interval checking
+    0001-Remove-hardcoded-checkpoint-interval-checking.patch
+  - monitor: refactor checkpoint update
+    0002-monitor-refactor-checkpoint-update.patch
+  - Super-intel: Fix first checkpoint restart
+    0003-Super-intel-Fix-first-checkpoint-restart.patch
+  - Grow: Move update_tail assign to Grow_reshape()
+    0004-Grow-Move-update_tail-assign-to-Grow_reshape.patch
+  - Add understanding output section in man
+    0005-Add-understanding-output-section-in-man.patch
+
+- Upgrade to mdadm-4.3 (jsc#PED-7542). Besides the previously
+  back-ported patches, mdadm-4.3 has the following extra changes since
+  the last update, up to commit 582945c2d3bb:
+  - Fix null pointer for incremental in mdadm.
+  - Super1: fix truncation check for journal device.
+  - Fix some cases eyesore formatting.
+  - Bump minimum kernel version to 2.6.32.
+  - Remove the config files in mdcheck_start|continue service.
+  - Define DEV_MD_DIR, DEV_NUM_PREF, is_devname_ignore(),
+    ident_set_devname().
+  - Enable RAID for SATA under VMD.
+  - Imsm: Fix possible segfault in check_no_platform()
+  - Imsm refactor on imsm_get_free_size(), merge_extents().
+  - Imsm: return free space after volume for expand.
+  - Imsm: fix free space calculations.
+  - Add secure gethostname() wrapper.
+  - mdadm: Stop mdcheck_continue timer when mdcheck_start service can
+    finish check.
+  - Fix memory leak in files Assemble.c, Kill.c, Manage.c, mdadm.c.
+  - Fix unsafe string functions.
+  - platform-intel: limit guid length.
+  - Imsm: Add reading vmd register for finding imsm capability.
+  - Add compiler defenses flags.
+  - Assemble: fix redundant memory free.
+  - More regression test cases added into tests.
+  - Mdadm: set ident.devname if applicable.
+  - Mdadm: refactor ident->name handling.
+  - Mdadm: Follow POSIX Portable Character Set.
+  - Incremental: remove obsoleted calls to udisks.
+  - Fix race of "mdadm --add" and "mdadm --incremental".
+  - mdadm/ddf: Abort when raid disk is smaller in getinfo_super_ddf.
+  - mdadm/super1: Add MD_FEATURE_RAID0_LAYOUT if kernel>=5.4.
+  - Fix assembling RAID volume by using incremental.
+  - Mdmonitor: Improve udev event handling.
+  - Udev: Move udev_block() and udev_unblock() into udev.c.
+  - Manage: adjust checking subarray state in update_subarray.
+  - Super1: remove support for name= in config.
+  - Mdadm: fix update=resync regression.
+- Rebase to keep consistent behavior for current code base.
+  - 1004-call-mdadm_env.sh-from-usr-libexec-mdadm.patch
+- The following patches are removed from the package because they are
+  all included in mdadm-4.3:
+  - 0001-Unify-error-message.patch
+  - 0002-mdadm-Fix-double-free.patch
+  - 0003-Grow_reshape-Add-r0-grow-size-error-message-and-upda.patch
+  - 0004-udev-adapt-rules-to-systemd-v247.patch
+  - 0005-Replace-error-prone-signal-with-sigaction.patch
+  - 0006-mdadm-Respect-config-file-location-in-man.patch
+  - 0007-mdadm-Update-ReadMe.patch
+  - 0008-mdadm-Update-config-man-regarding-default-files-and-.patch
+  - 0009-mdadm-Update-config-manual.patch
+  - 0010-Create-Build-use-default_layout.patch
+  - 0011-mdadm-add-map_num_s.patch
+  - 0012-mdmon-Stop-parsing-duplicate-options.patch
+  - 0013-Grow-block-n-on-external-volumes.patch
+  - 0014-Incremental-Fix-possible-memory-and-resource-leaks.patch
+  - 0015-Mdmonitor-Fix-segfault.patch
+  - 0016-Mdmonitor-Improve-logging-method.patch
+  - 0017-Fix-possible-NULL-ptr-dereferences-and-memory-leaks.patch
+  - 0018-imsm-Remove-possibility-for-get_imsm_dev-to-return-N.patch
+  - 0019-Revert-mdadm-fix-coredump-of-mdadm-monitor-r.patch
+  - 0020-util-replace-ioctl-use-with-function.patch
+  - 0021-mdadm-super1-restore-commit-45a87c2f31335-to-fix-clu.patch
+  - 0022-imsm-introduce-get_disk_slot_in_dev.patch
+  - 0023-imsm-use-same-slot-across-container.patch
+  - 0024-imsm-block-changing-slots-during-creation.patch
+  - 0025-mdadm-block-update-ppl-for-non-raid456-levels.patch
+  - 0026-mdadm-Fix-array-size-mismatch-after-grow.patch
+  - 0027-mdadm-Remove-dead-code-in-imsm_fix_size_mismatch.patch
+  - 0028-Monitor-use-devname-as-char-array-instead-of-pointer.patch
+  - 0029-Monitor-use-snprintf-to-fill-device-name.patch
+  - 0030-Makefile-Don-t-build-static-build-with-everything-an.patch
+  - 0031-DDF-Cleanup-validate_geometry_ddf_container.patch
+  - 0032-DDF-Fix-NULL-pointer-dereference-in-validate_geometr.patch
+  - 0033-mdadm-Grow-Fix-use-after-close-bug-by-closing-after-.patch
+  - 0034-monitor-Avoid-segfault-when-calling-NULL-get_bad_blo.patch
+  - 0035-mdadm-Fix-mdadm-r-remove-option-regression.patch
+  - 0036-mdadm-Fix-optional-write-behind-parameter.patch
+  - 0037-mdadm-Replace-obsolete-usleep-with-nanosleep.patch
+  - 0038-mdadm-remove-symlink-option.patch
+  - 0039-mdadm-move-data_offset-to-struct-shape.patch
+  - 0040-mdadm-Don-t-open-md-device-for-CREATE-and-ASSEMBLE.patch
+  - 0041-Grow-Split-Grow_reshape-into-helper-function.patch
+  - 0042-Assemble-check-if-device-is-container-before-schedul.patch
+  - 0043-super1-report-truncated-device.patch
+  - 0044-mdadm-Correct-typos-punctuation-and-grammar-in-man.patch
+  - 0046-Monitor-Fix-statelist-memory-leaks.patch
+  - 0047-mdadm-added-support-for-Intel-Alderlake-RST-on-VMD-p.patch
+  - 0048-mdadm-Add-Documentation-entries-to-systemd-services.patch
+  - 0049-ReadMe-fix-command-line-help.patch
+  - 0050-mdadm-replace-container-level-checking-with-inline.patch
+  - 0051-Mdmonitor-Omit-non-md-devices.patch
+  - 0052-mdmon-fix-segfault.patch
+  - 0053-util-remove-obsolete-code-from-get_md_name.patch
+  - 0054-mdmon-don-t-test-both-all-and-container_name.patch
+  - 0055-mdmon-change-systemd-unit-file-to-use-foreground.patch
+  - 0056-mdmon-Remove-need-for-KillMode-none.patch
+  - 0057-mdmon-Improve-switchroot-interactions.patch
+  - 0058-mdopen-always-try-create_named_array.patch
+  - 0059-Improvements-for-IMSM_NO_PLATFORM-testing.patch
+  - 0060-Grow-fix-possible-memory-leak.patch
+  - 0061-Grow-fix-can-t-change-bitmap-type-from-none-to-clustered.patch
+  - 0062-Manage-Block-unsafe-member-failing.patch
+  - 0063-Mdmonitor-Split-alert-into-separate-functions.patch
+  - 0064-Monitor-block-if-monitor-modes-are-combined.patch
+  - 0065-Update-mdadm-Monitor-manual.patch
+  - 0066-mdadm-create-ident_init.patch
+  - 0067-mdadm-Add-option-validation-for-update-subarray.patch
+  - 0068-Fix-update-subarray-on-active-volume.patch
+  - 0069-Add-code-specific-update-options-to-enum.patch
+  - 0070-super-ddf-Remove-update_super_ddf.patch
+  - 0071-super0-refactor-the-code-for-enum.patch
+  - 0072-super1-refactor-the-code-for-enum.patch
+  - 0073-super-intel-refactor-the-code-for-enum.patch
+  - 0074-Change-update-to-enum-in-update_super-and-update_sub.patch
+  - 0075-Manage-Incremental-code-refactor-string-to-enum.patch
+  - 0076-Change-char-to-enum-in-context-update-refactor-code.patch
+  - 0077-mdadm-udev-Don-t-handle-change-event-on-raw-devices.patch
+  - 0078-Manage-do-not-check-array-state-when-drive-is-remove.patch
+  - 0079-incremental-manage-do-not-verify-if-remove-is-safe.patch
+  - 0080-super-intel-make-freesize-not-required-for-chunk-siz.patch
+  - 0081-manage-move-comment-with-function-description.patch
+  - 0082-Fix-NULL-dereference-in-super_by_fd.patch
+  - 0083-Mdmonitor-Make-alert_info-global.patch
+  - 0084-Mdmonitor-Pass-events-to-alert-using-enums-instead-o.patch
+  - 0085-Mdmonitor-Add-helper-functions.patch
+  - 0086-Add-helpers-to-determine-whether-directories-or-file.patch
+  - 0087-Mdmonitor-Refactor-write_autorebuild_pid.patch
+  - 0088-Mdmonitor-Refactor-check_one_sharer-for-better-error.patch
+  - 0089-util.c-reorder-code-lines-in-parse_layout_faulty.patch
+  - 0090-util.c-fix-memleak-in-parse_layout_faulty.patch
+  - 0091-Detail.c-fix-memleak-in-Detail.patch
+  - 0092-isuper-intel.c-fix-double-free-in-load_imsm_mpb.patch
+  - 0093-super-intel.c-fix-memleak-in-find_disk_attached_hba.patch
+  - 0094-super-ddf.c-fix-memleak-in-get_vd_num_of_subarray.patch
+  - 0095-Create-goto-abort_locked-instead-of-return-1-in-erro.patch
+  - 0096-Create-remove-safe_mode_delay-local-variable.patch
+  - 0097-Create-Factor-out-add_disks-helpers.patch
+  - 0098-mdadm-Introduce-pr_info.patch
+  - 0099-mdadm-Add-write-zeros-option-for-Create.patch
+  - 0100-manpage-Add-write-zeroes-option-to-manpage.patch
+  - 0101-Define-alignof-using-_Alignof-when-using-C11-or-newe.patch
+  - 0102-Use-existence-of-etc-initrd-release-to-detect-initrd.patch
+  - 0103-Create-Fix-checking-for-container-in-update_metadata.patch
+
mdevctl
+- Add /usr/lib/mdevctl/scripts.d/{callouts,notifiers} directories
+
netcfg
+- Add krb-prop entry, fix for bsc#1211886.
+
nftables
+- port python-single-spec logic from Factory package to allow shipment of
+  python311 modules as well (bsc#1219253).
+
openssh
-- Added openssh-cve-2023-51385.patch (bsc#1218215, CVE-2023-51385).
-  This limits the use of shell metacharacters in host- and
-  user names.
-
-- Added openssh-cve-2023-48795.patch (bsc#1217950, CVE-2023-48795).
-  This mitigates a prefix truncation attack that could be used to
-  undermine channel security.
-
-- Enhanced SELinux functionality. Added
-  * openssh-7.8p1-role-mls.patch
-    Proper handling of MLS systems and basis for other SELinux
-    improvements
-  * openssh-6.6p1-privsep-selinux.patch
-    Properly set contexts during privilege separation
-  * openssh-6.6p1-keycat.patch
-    Add ssh-keycat command to allow retrieval of authorized_keys
-    on MLS setups with polyinstantiation
-  * openssh-6.6.1p1-selinux-contexts.patch
-    Additional changes to set the proper context during privilege
-    separation
-  * openssh-7.6p1-cleanup-selinux.patch
-    Various changes and putting the pieces together
-  For now we don't ship the ssh-keycat command, but we need the patch
-  for the other SELinux infrastructure.
-  This change fixes issues like bsc#1214788, where the ssh daemon
-  needs to act on behalf of a user and needs a proper context for this.
-
-- Add openssh-CVE-2023-38408-PKCS11-execution.patch: Abort if
-  requested to load a PKCS#11 provider that isn't a PKCS#11
-  provider (bsc#1213504, CVE-2023-38408)
+- Merge updates from openSUSE. Existing patches were rebased.
+- Remove openssh-7.6p1-audit_race_condition.patch: Merged with
+  audit patch.
+- Remove openssh-CVE-2021-28041-agent-double-free.patch: Fixed
+  upstream.
+- Remove openssh-bsc1190975-CVE-2021-41617-authorizedkeyscommand.patch:
+  Fixed upstream.
+- Remove openssh-CVE-2023-38408-PKCS11-execution.patch: Fixed
+  upstream.
+- Add cb4ed12f.patch from upstream, allowing newer versions of
+  zlib to be used.
+- Add logind_set_tty.patch by Thorsten Kukuk. This informs
+  systemd-logind of the login TTY and prevents having to parse utmp,
+  which is deprecated by glibc.
+
+- Update to openssh 9.3p2 (bsc#1213504, CVE-2023-38408):
+  = Security
+  * Fix CVE-2023-38408 - a condition where specific libraries loaded via
+    ssh-agent(1)'s PKCS#11 support could be abused to achieve remote
+    code execution via a forwarded agent socket if the following
+    conditions are met:
+    * Exploitation requires the presence of specific libraries on
+      the victim system.
+    * Remote exploitation requires that the agent was forwarded
+      to an attacker-controlled system.
+    Exploitation can also be prevented by starting ssh-agent(1) with an
+    empty PKCS#11/FIDO allowlist (ssh-agent -P '') or by configuring
+    an allowlist that contains only specific provider libraries.
+    This vulnerability was discovered and demonstrated to be exploitable
+    by the Qualys Security Advisory team.
+    In addition to removing the main precondition for exploitation,
+    this release removes the ability for remote ssh-agent(1) clients
+    to load PKCS#11 modules by default (see below).
+  = Potentially-incompatible changes
+  * ssh-agent(8): the agent will now refuse requests to load PKCS#11
+    modules issued by remote clients by default. A flag has been added
+    to restore the previous behaviour "-Oallow-remote-pkcs11".
+    Note that ssh-agent(8) depends on the SSH client to identify
+    requests that are remote. The OpenSSH >=8.9 ssh(1) client does
+    this, but forwarding access to an agent socket using other tools
+    may circumvent this restriction.
+- Update to openssh 9.3p1:
+  = Security
+  * ssh-add(1): when adding smartcard keys to ssh-agent(1) with the
+    per-hop destination constraints (ssh-add -h ...) added in
+    OpenSSH 8.9, a logic error prevented the constraints from being
+    communicated to the agent. This resulted in the keys being added
+    without constraints. The common cases of non-smartcard keys and
+    keys without destination constraints are unaffected. This
+    problem was reported by Luci Stanescu.
+  * ssh(1): Portable OpenSSH provides an implementation of the
+    getrrsetbyname(3) function if the standard library does not
+    provide it, for use by the VerifyHostKeyDNS feature. A
+    specifically crafted DNS response could cause this function to
+    perform an out-of-bounds read of adjacent stack data, but this
+    condition does not appear to be exploitable beyond denial-of-service
+    to the ssh(1) client.
+    The getrrsetbyname(3) replacement is only included if the
+    system's standard library lacks this function and portable
+    OpenSSH was not compiled with the ldns library (--with-ldns).
+    getrrsetbyname(3) is only invoked if using VerifyHostKeyDNS to
+    fetch SSHFP records. This problem was found by the Coverity
+    static analyzer.
+  = New features
+  * ssh-keygen(1), ssh-keyscan(1): accept -Ohashalg=sha1|sha256
+    when outputting SSHFP fingerprints to allow algorithm
+    selection. bz3493
+  * sshd(8): add a `sshd -G` option that parses and prints the
+    effective configuration without attempting to load private keys
+    and perform other checks. This allows usage of the option
+    before keys have been generated and for configuration
+    evaluation and verification by unprivileged users.
+  = Bugfixes
+  * scp(1), sftp(1): fix progressmeter corruption on wide displays;
+    bz3534
+  * ssh-add(1), ssh-keygen(1): use RSA/SHA256 when testing
+    usability of private keys as some systems are starting to
+    disable RSA/SHA1 in libcrypto.
+  * sftp-server(8): fix a memory leak. GHPR363
+  * ssh(1), sshd(8), ssh-keyscan(1): remove vestigial protocol
+    compatibility code and simplify what's left.
+  * Fix a number of low-impact Coverity static analysis findings.
+    These include several reported via bz2687
+  * ssh_config(5), sshd_config(5): mention that some options are
+    not first-match-wins.
+  * Rework logging for the regression tests. Regression tests will
+    now capture separate logs for each ssh and sshd invocation in
+    a test.
+  * ssh(1): make `ssh -Q CASignatureAlgorithms` work as the manpage
+    says it should; bz3532.
+  * ssh(1): ensure that there is a terminating newline when adding
+    a new entry to known_hosts; bz3529
+  = Portability
+  * sshd(8): harden Linux seccomp sandbox. Move to an allowlist of
+    mmap(2), madvise(2) and futex(2) flags, removing some
+    concerning kernel attack surface.
+  * sshd(8): improve Linux seccomp-bpf sandbox for older systems;
+    bz3537
+- Update to openssh 9.2p1:
+  = Security
+  * sshd(8): fix a pre-authentication double-free memory fault
+    introduced in OpenSSH 9.1. This is not believed to be
+    exploitable, and it occurs in the unprivileged pre-auth process
+    that is subject to chroot(2) and is further sandboxed on most
+    major platforms.
+  * ssh(8): in OpenSSH releases after 8.7, the PermitRemoteOpen
+    option would ignore its first argument unless it was one of the
+    special keywords "any" or "none", causing the permission list
+    to fail open if only one permission was specified. bz3515
+  * ssh(1): if the CanonicalizeHostname and
+    CanonicalizePermittedCNAMEs options were enabled, and the
+    system/libc resolver did not check that names in DNS responses
+    were valid, then use of these options could allow an attacker
+    with control of DNS to include invalid characters (possibly
+    including wildcards) in names added to known_hosts files when
+    they were updated. These names would still have to match the
+    CanonicalizePermittedCNAMEs allow-list, so practical
+    exploitation appears unlikely.
+  = Potentially-incompatible changes
+  * ssh(1): add a new EnableEscapeCommandline ssh_config(5) option
+    that controls whether the client-side ~C escape sequence that
+    provides a command-line is available. Among other things, the
+    ~C command-line could be used to add additional port-forwards
+    at runtime.
+ This option defaults to "no", disabling the ~C command-line + that was previously enabled by default. Turning off the + command-line allows platforms that support sandboxing of the + ssh(1) client (currently only OpenBSD) to use a stricter + default sandbox policy. + = New features + * sshd(8): add support for channel inactivity timeouts via a new + sshd_config(5) ChannelTimeout directive. This allows channels + that have not seen traffic in a configurable interval to be + automatically closed. Different timeouts may be applied to + session, X11, agent and TCP forwarding channels. + * sshd(8): add a sshd_config UnusedConnectionTimeout option to + terminate client connections that have no open channels for a + length of time. This complements the ChannelTimeout option + above. + * sshd(8): add a -V (version) option to sshd like the ssh client + has. + * ssh(1): add a "Host" line to the output of ssh -G showing the + original hostname argument. bz3343 + * scp(1), sftp(1): add a -X option to both scp(1) and sftp(1) to + allow control over some SFTP protocol parameters: the copy + buffer length and the number of in-flight requests, both of + which are used during upload/download. Previously these could + be controlled in sftp(1) only. This makes them available in + both SFTP protocol clients using the same option character + sequence. + * ssh-keyscan(1): allow scanning of complete CIDR address ranges, + e.g. "ssh-keyscan 192.168.0.0/24". If a CIDR range is passed, + then it will be expanded to all possible addresses in the range + including the all-0s and all-1s addresses. bz#976 + * ssh(1): support dynamic remote port forwarding in escape + command-line's -R processing. bz#3499 + = Bugfixes + * ssh(1): when restoring non-blocking mode to stdio fds, restore + exactly the flags that ssh started with and don't just clobber + them with zero, as this could also remove the append flag from + the set. 
bz3523 + * ssh(1): avoid printf("%s", NULL) if using + UserKnownHostsFile=none and a hostkey in one of the system + known hosts file changes. + * scp(1): switch scp from using pipes to a socket-pair for + communication with its ssh sub-processes, matching how sftp(1) + operates. + * sshd(8): clear signal mask early in main(); sshd may have been + started with one or more signals masked (sigprocmask(2) is not + cleared on fork/exec) and this could interfere with various + things, e.g. the login grace timer. Execution environments that + fail to clear the signal mask before running sshd are clearly + broken, but apparently they do exist. + * ssh(1): warn if no host keys for hostbased auth can be loaded. + * sshd(8): Add server debugging for hostbased auth that is queued + and sent to the client after successful authentication, but + also logged to assist in diagnosis of HostbasedAuthentication + problems. bz3507 + * ssh(1): document use of the IdentityFile option as being usable + to list public keys as well as private keys. GHPR352 + * sshd(8): check for and disallow MaxStartups values less than or + equal to zero during config parsing, rather than failing later + at runtime. bz3489 + * ssh-keygen(1): fix parsing of hex cert expiry times specified + on the command-line when acting as a CA. + * scp(1): when scp(1) is using the SFTP protocol for transport + (the default), better match scp/rcp's handling of globs that + don't match the globbed characters but do match literally (e.g. + trying to transfer a file named "foo.[1]"). Previously scp(1) + in SFTP mode would not match these pathnames but legacy scp/rcp + mode would. bz3488 + * ssh-agent(1): document the "-O no-restrict-websafe" + command-line option. + * ssh(1): honour user's umask(2) if it is more restrictive then + the ssh default (022). + = Portability + * sshd(8): allow writev(2) in the Linux seccomp sandbox. This + seems to be used by recent glibcs at least in some + configurations during error conditions. 
+    bz3512.
+  * sshd(8): simplify handling of SSH_CONNECTION PAM env var,
+    removing global variable and checking the return value from
+    pam_putenv. bz3508
+  * sshd(8): disable SANDBOX_SECCOMP_FILTER_DEBUG that was
+    mistakenly enabled during the OpenSSH 9.1 release cycle.
+  * misc: update autotools and regenerate the config files using
+    the latest autotools
+  * all: use -fzero-call-used-regs=used on clang 15 instead of
+    -fzero-call-used-reg=all, as some versions of clang 15 have
+    miscompiled code when it was enabled. bz3475
+  * sshd(8): defer PRNG seeding until after the initial
+    closefrom(2) call. PRNG seeding will initialize OpenSSL, and
+    some engine providers (e.g. Intel's QAT) will open descriptors
+    for their own use that closefrom(2) could clobber. bz3483
+  * misc: in the poll(2)/ppoll(2) compatibility code, avoid
+    assuming the layout of fd_set.
+  * sftp-server(8), ssh-agent(1): fix ptrace(2) disabling on older
+    FreeBSD kernels. Some versions do not support using id 0 to
+    refer to the current PID for procctl, so try again with
+    getpid() explicitly before failing.
+  * configure.ac: fix -Wstrict-prototypes in configure test code.
+    Clang 16 now warns on this and legacy prototypes will be
+    removed in C23. GHPR355
+  * configure.ac: fix setres*id checks to work with clang-16. glibc
+    has the prototypes for setresuid behind _GNU_SOURCE, and
+    clang 16 will error out on implicit function definitions.
+    bz3497
+- Update to openssh 9.1p1:
+  = Security
+  * ssh-keyscan(1): fix a one-byte overflow in SSH- banner
+    processing.
+    Reported by Qualys
+  * ssh-keygen(1): double free() in error path of file hashing step
+    in signing/verify code; GHPR333
+  * ssh-keysign(8): double-free in error path introduced in
+    openssh-8.9
+  = Potentially-incompatible changes
+  * The portable OpenSSH project now signs commits and release tags
+    using git's recent SSH signature support.
+    The list of developer
+    signing keys is included in the repository as
+    .git_allowed_signers and is cross-signed using the PGP key that
+    is still used to sign release artifacts:
+    https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/RELEASE_KEY.asc
+  * ssh(1), sshd(8): SetEnv directives in ssh_config and
+    sshd_config are now first-match-wins to match other directives.
+    Previously if an environment variable was multiply specified
+    the last set value would have been used. bz3438
+  * ssh-keygen(1): ssh-keygen -A (generate all default host key
+    types) will no longer generate DSA keys, as these are insecure
+    and have not been used by default for some years.
+  = New features
+  * ssh(1), sshd(8): add a RequiredRSASize directive to set a
+    minimum RSA key length. Keys below this length will be ignored
+    for user authentication and for host authentication in sshd(8).
+    ssh(1) will terminate a connection if the server offers an RSA
+    key that falls below this limit, as the SSH protocol does not
+    include the ability to retry a failed key exchange.
+  * sftp-server(8): add a "users-groups-by-id@openssh.com"
+    extension request that allows the client to obtain user/group
+    names that correspond to a set of uids/gids.
+  * sftp(1): use "users-groups-by-id@openssh.com" sftp-server
+    extension (when available) to fill in user/group names for
+    directory listings.
+  * sftp-server(8): support the "home-directory" extension request
+    defined in draft-ietf-secsh-filexfer-extensions-00. This
+    overlaps a bit with the existing "expand-path@openssh.com", but
+    some other clients support it.
+  * ssh-keygen(1), sshd(8): allow certificate validity intervals,
+    sshsig verification times and authorized_keys expiry-time
+    options to accept dates in the UTC time zone in addition to the
+    default of interpreting them in the system time zone. YYYYMMDD
+    and YYMMDDHHMM[SS] dates/times will be interpreted as UTC if
+    suffixed with a 'Z' character.
+    Also allow certificate validity intervals to be specified in
+    raw seconds-since-epoch as hex value, e.g. -V 0x1234:0x4567890.
+    This is intended for use by regress tests and other tools that
+    call ssh-keygen as part of a CA workflow. bz3468
+  * sftp(1): allow arguments to the sftp -D option, e.g. sftp -D
+    "/usr/libexec/sftp-server -el debug3"
+  * ssh-keygen(1): allow the existing -U (use agent) flag to work
+    with "-Y sign" operations, where it will be interpreted to
+    require that the private key is hosted in an agent; bz3429
+  = Bugfixes
+  * ssh-keygen(1): implement the "verify-required" certificate
+    option.
+    This was already documented when support for user-verified FIDO
+    keys was added, but the ssh-keygen(1) code was missing.
+  * ssh-agent(1): hook up the restrict_websafe command-line flag;
+    previously the flag was accepted but never actually used.
+  * sftp(1): improve filename tab completions: never try to
+    complete names to non-existent commands, and better match the
+    completion type (local or remote filename) against the argument
+    position being completed.
+  * ssh-keygen(1), ssh(1), ssh-agent(1): several fixes to FIDO key
+    handling, especially relating to keys that request
+    user-verification. These should reduce the number of
+    unnecessary PIN prompts for keys that support intrinsic user
+    verification. GHPR302, GHPR329
+  * ssh-keygen(1): when enrolling a FIDO resident key, check if a
+    credential with matching application and user ID strings
+    already exists and, if so, prompt the user for confirmation
+    before overwriting the credential. GHPR329
+  * sshd(8): improve logging of errors when opening authorized_keys
+    files. bz2042
+  * ssh(1): avoid multiplexing operations that could cause SIGPIPE
+    from causing the client to exit early. bz3454
+  * ssh_config(5), sshd_config(5): clarify that the RekeyLimit
+    directive applies to both transmitted and received data.
+    GHPR328
+  * ssh-keygen(1): avoid double fclose() in error path.
+  * sshd(8): log an error if pipe() fails while accepting a
+    connection. bz3447
+  * ssh(1), ssh-keygen(1): fix possible NULL deref when built
+    without FIDO support. bz3443
+  * ssh-keyscan(1): add missing *-sk types to ssh-keyscan manpage.
+    GHPR294.
+  * sshd(8): ensure that authentication passwords are cleared from
+    memory in error paths. GHPR286
+  * ssh(1), ssh-agent(1): avoid possibility of notifier code
+    executing kill(-1). GHPR286
+  * ssh_config(5): note that the ProxyJump directive also accepts
+    the same tokens as ProxyCommand. GHPR305.
+  * scp(1): do not ftruncate(3) files early when in sftp mode.
+    The previous behaviour of unconditionally truncating the
+    destination file would cause "scp ~/foo localhost:foo" and the
+    reverse "scp localhost:foo ~/foo" to delete all the contents of
+    their destination. bz3431
+  * ssh-keygen(1): improve error message when 'ssh-keygen -Y sign'
+    is unable to load a private key; bz3429
+  * sftp(1), scp(1): when performing operations that glob(3) a
+    remote path, ensure that the implicit working directory used to
+    construct that path escapes glob(3) characters. This prevents
+    glob characters from being processed in places they shouldn't,
+    e.g. "cd /tmp/a*/", "get *.txt" should have the get operation
+    treat the path "/tmp/a*" literally and not attempt to expand
+    it.
+  * ssh(1), sshd(8): be stricter in which characters will be
+    accepted in specifying a mask length; allow only 0-9. GHPR278
+  * ssh-keygen(1): avoid printing hash algorithm twice when dumping
+    a KRL
+  * ssh(1), sshd(8): continue running local I/O for open channels
+    during SSH transport rekeying. This should make ~-escapes work
+    in the client (e.g. to exit) if the connection happened to have
+    stalled during a rekey event.
+  * ssh(1), sshd(8): avoid potential poll() spin during rekeying
+  * Further hardening for sshbuf internals: disallow "reparenting"
+    a hierarchical sshbuf and zero the entire buffer if
+    reallocation fails.
+    GHPR287
+  = Portability
+  * ssh(1), ssh-keygen(1), sshd(8): automatically enable the
+    built-in FIDO security key support if libfido2 is found and
+    usable, unless --without-security-key-builtin was requested.
+  * ssh(1), ssh-keygen(1), sshd(8): many fixes to make the WinHello
+    FIDO device usable on Cygwin. The windows://hello FIDO device
+    will be automatically used by default on this platform unless
+    requested otherwise, or when probing resident FIDO credentials
+    (an operation not currently supported by WinHello).
+  * Portable OpenSSH: remove workarounds for obsolete and
+    unsupported versions of OpenSSL libcrypto. In particular, this
+    release removes fallback support for OpenSSL that lacks AES-CTR
+    or AES-GCM. Those AES cipher modes were added to OpenSSL prior
+    to the minimum version currently supported by OpenSSH, so this
+    is not expected to impact any currently supported
+    configurations.
+  * sshd(8): fix SANDBOX_SECCOMP_FILTER_DEBUG on current
+    Linux/glibc
+  * All: resync and clean up internal CSPRNG code.
+  * scp(1), sftp(1), sftp-server(8): avoid linking these programs
+    with unnecessary libraries. They are no longer linked against
+    libz and libcrypto. This may be of benefit to space constrained
+    systems using any of those components in isolation.
+  * sshd(8): add AUDIT_ARCH_PPC to supported seccomp sandbox
+    architectures.
+  * configure: remove special casing of crypt(). configure will no
+    longer search for crypt() in libcrypto, as it was removed from
+    there years ago. configure will now only search libc and
+    libcrypt.
+  * configure: refuse to use OpenSSL 3.0.4 due to potential RCE in
+    its RSA implementation (CVE-2022-2274) on x86_64.
+  * All: request 1.1x API compatibility for OpenSSL >=3.x; GHPR322
+  * ssh(1), ssh-keygen(1), sshd(8): fix a number of missing
+    includes required by the XMSS code on some platforms.
+  * sshd(8): cache timezone data in capsicum sandbox.
+- Update to openssh 9.0p1:
+  = Potentially-incompatible changes
+  * This release switches scp(1) from using the legacy scp/rcp
+    protocol to using the SFTP protocol by default.
+    Legacy scp/rcp performs wildcard expansion of remote filenames
+    (e.g. "scp host:* .") through the remote shell. This has the
+    side effect of requiring double quoting of shell
+    meta-characters in file names included on scp(1) command-lines,
+    otherwise they could be interpreted as shell commands on the
+    remote side.
+    This creates one area of potential incompatibility: scp(1) when
+    using the SFTP protocol no longer requires this finicky and
+    brittle quoting, and attempts to use it may cause transfers to
+    fail. We consider the removal of the need for double-quoting
+    shell characters in file names to be a benefit and do not
+    intend to introduce bug-compatibility for legacy scp/rcp in
+    scp(1) when using the SFTP protocol.
+    Another area of potential incompatibility relates to the use of
+    remote paths relative to other users' home directories, for
+    example - "scp host:~user/file /tmp". The SFTP protocol has no
+    native way to expand a ~user path. However, sftp-server(8) in
+    OpenSSH 8.7 and later supports a protocol extension
+    "expand-path@openssh.com" to support this.
+    In case of incompatibility, the scp(1) client may be instructed
+    to use the legacy scp/rcp protocol using the -O flag.
+  = New features
+  * ssh(1), sshd(8): use the hybrid Streamlined NTRU Prime + x25519
+    key exchange method by default
+    ("sntrup761x25519-sha512@openssh.com"). The NTRU algorithm is
+    believed to resist attacks enabled by future quantum computers
+    and is paired with the X25519 ECDH key exchange (the previous
+    default) as a backstop against any weaknesses in NTRU Prime
+    that may be discovered in the future. The combination ensures
+    that the hybrid exchange offers at least as good security as
+    the status quo.
+    We are making this change now (i.e.
+    ahead of cryptographically-relevant quantum computers) to
+    prevent "capture now, decrypt later" attacks where an adversary
+    who can record and store SSH session ciphertext would be able
+    to decrypt it once a sufficiently advanced quantum computer is
+    available.
+  * sftp-server(8): support the "copy-data" extension to allow
+    server-side copying of files/data, following the design in
+    draft-ietf-secsh-filexfer-extensions-00. bz2948
+  * sftp(1): add a "cp" command to allow the sftp client to perform
+    server-side file copies.
+  = Bugfixes
+  * ssh(1), sshd(8): upstream: fix poll(2) spin when a channel's
+    output fd closes without data in the channel buffer. bz3405 and
+    bz3411
+  * sshd(8): pack pollfd array in server listen/accept loop. Could
+    cause the server to hang/spin when MaxStartups > RLIMIT_NOFILE
+  * ssh-keygen(1): avoid NULL deref via the find-principals and
+    check-novalidate operations. bz3409 and GHPR307 respectively.
+  * scp(1): fix a memory leak in argument processing. bz3404
+  * sshd(8): don't try to resolve ListenAddress directives in the
+    sshd re-exec path. They are unused after re-exec and parsing
+    errors (possible for example if the host's network
+    configuration changed) could prevent connections from being
+    accepted.
+  * sshd(8): when refusing a public key authentication request from
+    a client for using an unapproved or unsupported signature
+    algorithm include the algorithm name in the log message to make
+    debugging easier.
+  = Portability
+  * sshd(8): refactor platform-specific locked account check,
+    fixing an incorrect free() on platforms with both libiaf and
+    shadow passwords (probably only Unixware) GHPR284,
+  * ssh(1), sshd(8): Fix possible integer underflow in
+    scan_scaled(3) parsing of K/M/G/etc quantities. bz#3401.
+  * sshd(8): provide killpg implementation (mostly for Tandem
+    NonStop) GHPR301.
+  * Check for missing ftruncate prototype. GHPR301
+  * sshd(8): default to not using sandbox when cross compiling.
+    On most systems poll(2) does not work when the number of FDs is
+    reduced with setrlimit, so assume it doesn't when cross
+    compiling and we can't run the test. bz#3398.
+  * sshd(8): allow ppoll_time64 in seccomp sandbox. Should fix
+    sandbox violations on some (at least i386 and armhf) 32bit
+    Linux platforms. bz#3396.
+  * Improve detection of -fzero-call-used-regs=all support in
+    configure script.
+- Add patch that explicitly adds -lz in Makefile.in to some
+  binaries which need it:
+  * fix-missing-lz.patch
+- Rebase patches:
+  * openssh-7.7p1-fips.patch
+  * openssh-7.7p1-fips_checks.patch
+  * openssh-7.7p1-ldap.patch
+  * openssh-7.7p1-pam_check_locks.patch
+  * openssh-7.7p1-seccomp_ipc_flock.patch
+  * openssh-7.7p1-sftp_print_diagnostic_messages.patch
+  * openssh-7.7p1-systemd-notify.patch
+  * openssh-8.0p1-gssapi-keyex.patch
+  * openssh-8.1p1-audit.patch
+  * openssh-8.1p1-ed25519-use-openssl-rng.patch
+  * openssh-8.4p1-vendordir.patch
+  * openssh-reenable-dh-group14-sha1-default.patch
+  * openssh-whitelist-syscalls.patch
+  * wtmpdb.patch
+- Fix setting libexec dir in the LDAP patch.
+- Fix build in Leap 15.x which doesn't use %{_distconfdir}
+
+- Add _multibuild to define 2nd spec file as additional flavor.
+  Eliminates the need for source package links in OBS.
+
+- wtmpdb.patch: add support for wtmpdb to sshd [jsc#PED-3144]
+
+- Rename sshd.pamd to sshd-sle.pamd and fix order of pam_keyinit
+- Add new sshd.pamd including postlogin-* config files
+
+- Remove BuildRequires for libtirpc, we don't use it
+
+- Remove pam_lastlog from sshd PAM config. sshd is doing the same,
+  too, which leads to e.g. duplicate entries in wtmp [bsc#1208243]
+
+- Adapt OpenSSH to build with OpenSSL 3, use new KDF API (bsc#1205042)
+  Add openssh-openssl-3.patch
+
+- limit to openssl < 3.0 as this version is not compatible (bsc#1205042)
+  next version update will fix it
+
+- Update openssh-8.1p1-audit.patch: Merge fix for race condition
+  (bsc#1115550, bsc#1174162).
+- Add openssh-do-not-send-empty-message.patch, which prevents
+  superfluous newlines with empty MOTD files (bsc#1192439).
+
+- Use %_pam_vendordir
+
+- openssh-8.4p1-ssh_config_d.patch: admin overrides should take
+  priority (listed first) over package defaults
+
+- read ssh and sshd config file also from /usr/etc
+- add openssh-server-config-rootlogin subpackage that enables PermitRootLogin
+
+- Version update to 8.9p1:
+  = Security
+  * sshd(8): fix an integer overflow in the user authentication path
+    that, in conjunction with other logic errors, could have yielded
+    unauthenticated access under difficult to exploit conditions.
+    This situation is not exploitable because of independent checks in
+    the privilege separation monitor. Privilege separation has been
+    enabled by default since openssh-3.2.2 (released in 2002) and
+    has been mandatory since openssh-7.5 (released in 2017). Moreover,
+    portable OpenSSH has used toolchain features available in most
+    modern compilers to abort on signed integer overflow since
+    openssh-6.5 (released in 2014).
+    Thanks to Malcolm Stagg for finding and reporting this bug.
+  = Potentially-incompatible changes
+  * sshd(8), portable OpenSSH only: this release removes in-built
+    support for MD5-hashed passwords. If you require these on your
+    system then we recommend linking against libxcrypt or similar.
+  * This release modifies the FIDO security key middleware interface
+    and increments SSH_SK_VERSION_MAJOR.
+  = New features
+  * ssh(1), sshd(8), ssh-add(1), ssh-agent(1): add a system for
+    restricting forwarding and use of keys added to ssh-agent(1).
+    A detailed description of the feature is available at
+    https://www.openssh.com/agent-restrict.html and the protocol
+    extensions are documented in the PROTOCOL and PROTOCOL.agent
+    files in the source release.
+  * ssh(1), sshd(8): add the sntrup761x25519-sha512@openssh.com hybrid
+    ECDH/x25519 + Streamlined NTRU Prime post-quantum KEX to the
+    default KEXAlgorithms list (after the ECDH methods but before the
+    prime-group DH ones). The next release of OpenSSH is likely to
+    make this key exchange the default method.
+  * ssh-keygen(1): when downloading resident keys from a FIDO token,
+    pass back the user ID that was used when the key was created and
+    append it to the filename the key is written to (if it is not the
+    default). Avoids keys being clobbered if the user created multiple
+    resident keys with the same application string but different user
+    IDs.
+  * ssh-keygen(1), ssh(1), ssh-agent(1): better handling for FIDO keys
+    on tokens that provide user verification (UV) on the device itself,
+    including biometric keys, avoiding unnecessary PIN prompts.
+  * ssh-keygen(1): add "ssh-keygen -Y match-principals" operation to
+    perform matching of principal names against an allowed signers
+    file. To be used towards a TOFU model for SSH signatures in git.
+  * ssh-add(1), ssh-agent(1): allow pin-required FIDO keys to be added
+    to ssh-agent(1). $SSH_ASKPASS will be used to request the PIN at
+    authentication time.
+  * ssh-keygen(1): allow selection of hash at sshsig signing time
+    (either sha512 (default) or sha256).
+  * ssh(1), sshd(8): read network data directly to the packet input
+    buffer instead of indirectly via a small stack buffer. Provides a
+    modest performance improvement.
+  * ssh(1), sshd(8): read data directly to the channel input buffer,
+    providing a similar modest performance improvement.
+  * ssh(1): extend the PubkeyAuthentication configuration directive to
+    accept yes|no|unbound|host-bound to allow control over one of the
+    protocol extensions used to implement agent-restricted keys.
+  = Bugfixes
+  * sshd(8): document that CASignatureAlgorithms, ExposeAuthInfo and
+    PubkeyAuthOptions can be used in a Match block. PR277.
+  * sshd(8): fix possible string truncation when constructing paths to
+    .rhosts/.shosts files with very long user home directory names.
+  * ssh-keysign(1): unbreak for KEX algorithms that use SHA384/512
+    exchange hashes
+  * ssh(1): don't put the TTY into raw mode when SessionType=none,
+    avoids ^C being unable to kill such a session. bz3360
+  * scp(1): fix some corner-case bugs in SFTP-mode handling of
+    ~-prefixed paths.
+  * ssh(1): unbreak hostbased auth using RSA keys. Allow ssh(1) to
+    select RSA keys when only RSA/SHA2 signature algorithms are
+    configured (this is the default case). Previously RSA keys were
+    not being considered in the default case.
+  * ssh-keysign(1): make ssh-keysign use the requested signature
+    algorithm and not the default for the key type. Part of unbreaking
+    hostbased auth for RSA/SHA2 keys.
+  * ssh(1): stricter UpdateHostkey signature verification logic on
+    the client side. Require RSA/SHA2 signatures for RSA hostkeys
+    except when RSA/SHA1 was explicitly negotiated during initial
+    KEX; bz3375
+  * ssh(1), sshd(8): fix signature algorithm selection logic for
+    UpdateHostkeys on the server side. The previous code tried to
+    prefer RSA/SHA2 for hostkey proofs of RSA keys, but missed some
+    cases. This will use RSA/SHA2 signatures for RSA keys if the
+    client proposed these algorithms in initial KEX. bz3375
+  * All: convert all uses of select(2)/pselect(2) to poll(2)/ppoll(2).
+    This includes the mainloops in ssh(1), ssh-agent(1), ssh-agent(1)
+    and sftp-server(8), as well as the sshd(8) listen loop and all
+    other FD read/writability checks. On platforms with missing or
+    broken poll(2)/ppoll(2) syscalls a select(2)-based compat shim is
+    available.
+  * ssh-keygen(1): the "-Y find-principals" command was verifying key
+    validity when using ca certs but not with simple key lifetimes
+    within the allowed signers file.
+  * ssh-keygen(1): make sshsig verify-time argument parsing optional
+  * sshd(8): fix truncation in rhosts/shosts path construction.
+  * ssh(1), ssh-agent(1): avoid xmalloc(0) for PKCS#11 keyid for ECDSA
+    keys (we already did this for RSA keys). Avoids fatal errors for
+    PKCS#11 libraries that return empty keyid, e.g. Microchip ATECC608B
+    "cryptoauthlib"; bz#3364
+  * ssh(1), ssh-agent(1): improve the testing of credentials against
+    inserted FIDO tokens: ask the token whether a particular key belongs
+    to it in cases where the token supports on-token user-verification
+    (e.g. biometrics) rather than just assuming that it will accept it.
+    Will reduce spurious "Confirm user presence" notifications for key
+    handles that relate to FIDO keys that are not currently inserted in at
+    least some cases. bz3366
+  * ssh(1), sshd(8): correct value for IPTOS_DSCP_LE. It needs to
+    allow for the preceding two ECN bits. bz#3373
+  * ssh-keygen(1): add missing -O option to usage() for the "-Y sign"
+    option.
+  * ssh-keygen(1): fix a NULL deref when using the find-principals
+    function, when matching an allowed_signers line that contains a
+    namespace restriction, but no restriction specified on the
+    command-line
+  * ssh-agent(1): fix memleak in process_extension(); oss-fuzz
+    issue #42719
+  * ssh(1): suppress "Connection to xxx closed" messages when LogLevel
+    is set to "error" or above. bz3378
+  * ssh(1), sshd(8): use correct zlib flags when inflate(3)-ing
+    compressed packet data. bz3372
+  * scp(1): when recursively transferring files in SFTP mode, create the
+    destination directory if it doesn't already exist to match scp(1) in
+    legacy RCP mode behaviour.
+  * scp(1): many improvements in error message consistency between scp(1)
+    in SFTP mode vs legacy RCP mode.
+  * sshd(8): fix potential race in SIGTERM handling PR289
+  * ssh(1), sshd(8): since DSA keys are deprecated, move them to the
+    end of the default list of public keys so that they will be tried
+    last.
+    PR295
+  * ssh-keygen(1): allow 'ssh-keygen -Y find-principals' to match
+    wildcard principals in allowed_signers files
+  = Portability
+  * ssh(1), sshd(8): don't trust closefrom(2) on Linux. glibc's
+    implementation does not work in a chroot when the kernel does not
+    have close_range(2). It tries to read from /proc/self/fd and when
+    that fails dies with an assertion of sorts. Instead, call
+    close_range(2) directly from our compat code and fall back if
+    that fails. bz#3349,
+  * OS X poll(2) is broken; use compat replacement. For
+    character-special devices like /dev/null, Darwin's poll(2) returns
+    POLLNVAL when polled with POLLIN. Apparently this is Apple bug
+    3710161 - not public but a websearch will find other OSS projects
+    rediscovering it periodically since it was first identified in
+    2005.
+  * Correct handling of exceptfds/POLLPRI in our select(2)-based
+    poll(2)/ppoll(2) compat implementation.
+  * Cygwin: correct checking of mbstowcs() return value.
+  * Add a basic SECURITY.md that refers people to the openssh.com
+    website.
+  * Enable additional compiler warnings and toolchain hardening flags,
+    including -Wbitwise-instead-of-logical, -Wmisleading-indentation,
+    -fzero-call-used-regs and -ftrivial-auto-var-init.
+  * HP/UX. Use compat getline(3) on HP-UX 10.x, where the libc version
+    is not reliable.
+- Rebased patches:
+  * openssh-7.7p1-ldap.patch
+  * openssh-8.0p1-gssapi-keyex.patch
+  * openssh-8.1p1-audit.patch
+  * openssh-8.4p1-vendordir.patch
+  * openssh-reenable-dh-group14-sha1-default.patch
+
+- Version update to 8.8p1:
+  = Security
+  * sshd(8) from OpenSSH 6.2 through 8.7 failed to correctly initialise
+    supplemental groups when executing an AuthorizedKeysCommand or
+    AuthorizedPrincipalsCommand, where an AuthorizedKeysCommandUser or
+    AuthorizedPrincipalsCommandUser directive has been set to run the
+    command as a different user. Instead these commands would inherit
+    the groups that sshd(8) was started with.
+    Depending on system configuration, inherited groups may allow
+    AuthorizedKeysCommand/AuthorizedPrincipalsCommand helper programs to
+    gain unintended privilege.
+    Neither AuthorizedKeysCommand nor AuthorizedPrincipalsCommand are
+    enabled by default in sshd_config(5).
+  = Potentially-incompatible changes
+  * This release disables RSA signatures using the SHA-1 hash algorithm
+    by default. This change has been made as the SHA-1 hash algorithm is
+    cryptographically broken, and it is possible to create chosen-prefix
+    hash collisions for argv conversion. Multiple
+    backslashes were not being dequoted correctly and quoted space in
+    the middle of a string was being incorrectly split. GHPR223
+  * ssh(1): return non-zero exit status when killed by signal; bz#3281
+  * sftp-server(8): increase maximum SSH2_FXP_READ to match the maximum
+    packet size. Also handle zero-length reads that are not explicitly
+    banned by the spec.
+- Additional changes from 8.5p1 release:
+  = Security
+  * ssh-agent(1): fixed a double-free memory corruption that was
+    introduced in OpenSSH 8.2. We treat all such memory faults as
+    potentially exploitable. This bug could be reached by an attacker
+    with access to the agent socket.
+  = Potentially-incompatible changes
+  * ssh(1), sshd(8): this release changes the first-preference signature
+    algorithm from ECDSA to ED25519.
+  * ssh(1), sshd(8): set the TOS/DSCP specified in the configuration
+    for interactive use prior to TCP connect. The connection phase of
+    the SSH session is time-sensitive and often explicitly interactive.
+    The ultimate interactive/bulk TOS/DSCP will be set after
+    authentication completes.
+  * ssh(1), sshd(8): remove the pre-standardization cipher
+    rijndael-cbc@lysator.liu.se. It is an alias for aes256-cbc before
+    it was standardized in RFC4253 (2006), has been deprecated and
+    disabled by default since OpenSSH 7.2 (2016) and was only briefly
+    documented in ssh.1 in 2001.
+  * ssh(1), sshd(8): update/replace the experimental post-quantum
+    hybrid key exchange method based on Streamlined NTRU Prime coupled
+    with X25519. The previous sntrup4591761x25519-sha512@tinyssh.org
+    method is replaced with sntrup761x25519-sha512@openssh.com.
+  * ssh(1): disable CheckHostIP by default. It provides insignificant
+    benefits while making key rotation significantly more difficult,
+    especially for hosts behind IP-based load-balancers.
+  = New features
+  * ssh(1): this release enables UpdateHostkeys by default subject to
+    some conservative preconditions:
+    - The key was matched in the UserKnownHostsFile (and not in the
+      GlobalKnownHostsFile).
+    - The same key does not exist under another name.
+    - A certificate host key is not in use.
+    - known_hosts contains no matching wildcard hostname pattern.
+    - VerifyHostKeyDNS is not enabled.
+    - The default UserKnownHostsFile is in use.
+  * ssh(1), sshd(8): add a new LogVerbose configuration directive
+    that allows forcing maximum debug logging by file/function/line
+    pattern-lists.
+  * ssh(1): when prompting the user to accept a new hostkey, display
+    any other host names/addresses already associated with the key.
+  * ssh(1): allow UserKnownHostsFile=none to indicate that no
+    known_hosts file should be used to identify host keys.
+  * ssh(1): add an ssh_config KnownHostsCommand option that allows the
+    client to obtain known_hosts data from a command in addition to
+    the usual files.
+  * ssh(1): add an ssh_config PermitRemoteOpen option that allows the
+    client to restrict the destination when RemoteForward is used
+    with SOCKS.
+  * ssh(1): for FIDO keys, if a signature operation fails with an
+    "incorrect PIN" reason and no PIN was initially requested from the
+    user, then request a PIN and retry the operation. This supports
+    some biometric devices that fall back to requiring PIN when reading
+    of the biometric failed, and devices that require PINs for all
+    hosted credentials.
+  * sshd(8): implement client address-based rate-limiting via new
+    sshd_config(5) PerSourceMaxStartups and PerSourceNetBlockSize
+    directives that provide more fine-grained control on a per-origin
+    address basis than the global MaxStartups limit.
+  = Bugfixes
+  * ssh(1): Prefix keyboard interactive prompts with "(user@host)" to
+    make it easier to determine which connection they are associated
+    with in cases like scp -3, ProxyJump, etc. bz#3224
+  * sshd(8): fix sshd_config SetEnv directives located inside Match
+    blocks. GHPR201
+  * ssh(1): when requesting a FIDO token touch on stderr, inform the
+    user once the touch has been recorded.
+  * ssh(1): prevent integer overflow when ridiculously large
+    ConnectTimeout values are specified, capping the effective value
+    (for most platforms) at 24 days. bz#3229
+  * ssh(1): consider the ECDSA key subtype when ordering host key
+    algorithms in the client.
+  * ssh(1), sshd(8): rename the PubkeyAcceptedKeyTypes keyword to
+    PubkeyAcceptedAlgorithms. The previous name incorrectly suggested
+    that it controls allowed key algorithms, when this option actually
+    specifies the signature algorithms that are accepted. The previous
+    name remains available as an alias. bz#3253
+  * ssh(1), sshd(8): similarly, rename HostbasedKeyTypes (ssh) and
+    HostbasedAcceptedKeyTypes (sshd) to HostbasedAcceptedAlgorithms.
+  * sftp-server(8): add missing lsetstat@openssh.com documentation
+    and advertisement in the server's SSH2_FXP_VERSION hello packet.
+  * ssh(1), sshd(8): more strictly enforce KEX state-machine by
+    banning packet types once they are received. Fixes memleak caused
+    by duplicate SSH2_MSG_KEX_DH_GEX_REQUEST (oss-fuzz #30078).
+  * sftp(1): allow the full range of UIDs/GIDs for chown/chgrp on 32bit
+    platforms instead of being limited by LONG_MAX. bz#3206
+  * Minor man page fixes (capitalization, commas, etc.)
+    bz#3223
+  * sftp(1): when doing an sftp recursive upload or download of a
+    read-only directory, ensure that the directory is created with
+    write and execute permissions in the interim so that the transfer
+    can actually complete, then set the directory permission as the
+    final step. bz#3222
+  * ssh-keygen(1): document the -Z option, check the validity of its
+    argument earlier and provide a better error message if it's not
+    correct. bz#2879
+  * ssh(1): ignore comments at the end of config lines in ssh_config,
+    similar to what we already do for sshd_config. bz#2320
+  * sshd_config(5): mention that DisableForwarding is valid in a
+    sshd_config Match block. bz3239
+  * sftp(1): fix incorrect sorting of "ls -ltr" under some
+    circumstances. bz3248.
+  * ssh(1), sshd(8): fix potential integer truncation of (unlikely)
+    timeout values. bz#3250
+  * ssh(1): make hostbased authentication send the signature algorithm
+    in its SSH2_MSG_USERAUTH_REQUEST packets instead of the key type.
+    This makes HostbasedAcceptedAlgorithms do what it is supposed to:
+    filter on signature algorithm and not key type.
+- Rebased patches: + * openssh-7.7p1-IPv6_X_forwarding.patch + * openssh-7.7p1-X11_trusted_forwarding.patch + * openssh-7.7p1-X_forward_with_disabled_ipv6.patch + * openssh-7.7p1-cavstest-ctr.patch + * openssh-7.7p1-cavstest-kdf.patch + * openssh-7.7p1-disable_openssl_abi_check.patch + * openssh-7.7p1-eal3.patch + * openssh-7.7p1-enable_PAM_by_default.patch + * openssh-7.7p1-fips.patch + * openssh-7.7p1-fips_checks.patch + * openssh-7.7p1-host_ident.patch + * openssh-7.7p1-hostname_changes_when_forwarding_X.patch + * openssh-7.7p1-ldap.patch + * openssh-7.7p1-no_fork-no_pid_file.patch + * openssh-7.7p1-pam_check_locks.patch + * openssh-7.7p1-pts_names_formatting.patch + * openssh-7.7p1-remove_xauth_cookies_on_exit.patch + * openssh-7.7p1-seccomp_ipc_flock.patch + * openssh-7.7p1-seccomp_stat.patch + * openssh-7.7p1-send_locale.patch + * openssh-7.7p1-sftp_force_permissions.patch + * openssh-7.7p1-sftp_print_diagnostic_messages.patch + * openssh-7.7p1-systemd-notify.patch + * openssh-7.9p1-keygen-preserve-perms.patch + * openssh-7.9p1-revert-new-qos-defaults.patch + * openssh-8.0p1-gssapi-keyex.patch + * openssh-8.1p1-audit.patch + * openssh-8.1p1-seccomp-clock_gettime64.patch + * openssh-8.1p1-seccomp-clock_nanosleep.patch + * openssh-8.1p1-seccomp-clock_nanosleep_time64.patch + * openssh-8.1p1-use-openssl-kdf.patch + * openssh-8.4p1-vendordir.patch + * openssh-fips-ensure-approved-moduli.patch + * openssh-link-with-sk.patch + * openssh-reenable-dh-group14-sha1-default.patch + * openssh-whitelist-syscalls.patch +- Removed openssh-fix-ssh-copy-id.patch (fixed upstream). +- openssh.keyring: rotated to new key from https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/RELEASE_KEY.asc + +- sshd-gen-keys-start: + - only source sysconfig file if it exists. + - create /etc/ssh if it does not exists. + Required for image based installation/updates. 
+ +- The linux kernel has close_range(2) syscall which current glibc + uses to implement closefrom(3) which will be then used by openssh. + whitelist the new system call so closefrom does not fail or + fallback to iterating proc/self/fd (openssh-whitelist-syscalls.patch) + +- Don't move user-modified ssh_config and sshd_config files to + .rpmsave on upgrade. + +- Use pam_motd to unify motd message output [bsc#1185897] + (openssh-8.4p1-pam_motd.patch) + +- Change vendor configuration dir from /usr/share/ssh/ to + /usr/etc/ssh/. +- Remove upgrade enablement hack. This has been fixed in + systemd-rpm-macros (bsc#1180083). + +- Add support for vendor provided configuration files in + /usr/share/ssh/ (openssh-8.4p1-vendordir.patch) +- Move configuration files from /etc/ssh/ to /usr/share/ssh/ + +- Drop openssh-7.7p1-allow_root_password_login.patch to prevent login + as root via password by default (is also upstream default). Comment + indicates that this was a temporary meassure that we now had for + five years, time to get rid of it (bsc#1173067) + +- Add openssh-whitelist-syscalls.patch (bsc#1182232), fixing + failure to accept connections on 32-bit platforms with + glibc 2.33+. + +- Add support for /etc/ssh/ssh_config.d and /etc/ssh/sshd_config.d + (openssh-8.4p1-ssh_config_d.patch) + openssh-askpass-gnome +- Update to openssh 9.3p2 + * No changes for askpass, see main package changelog for + details + +- openssh-askpass-gnome: require only openssh-clients, not the full + openssh (including -server), to avoid pulling in excessive + dependencies when installing git on Gnome (boo#1211446) + +- Update to openssh 9.3p1 + * No changes for askpass, see main package changelog for + details + +- Version upgrade to 8.8p1 + * No changes for askpass, see main package changelog for + details + pam-config +- Fix pam_gnome_keyring module for AUTH. 
+ [pam-config-fix-pam_gnome_keyring.patch, bsc#1219767] + patterns-base +- Backport changes from SLE15-SP6 + * Enhanced base system: recommend openssh-server-config-rootlogin (bsc#1220594): + openssh in SLE15 has always allowed password root logins by default. + New openssh packaging split the configuration in a separate package. + Ensure it gets recommended in order to keep a consistent behaviour + with older Service Packs. + patterns-server +- kvm and xen: recommend openssh-server-config-rootlogin (bsc#1220594) + * openssh in SLE15 has always allowed password root logins by default. + New openssh packaging split the configuration in a separate package. + Ensure it gets recommended in order to keep a consistent behaviour + with older Service Packs. + protobuf-c +- update to 1.5.0: + * Use CMAKE_CURRENT_BINARY_DIR instead of CMAKE_BINARY_DIR + * remove deprecated functionality + * Avoid "unused variable" compiler warning + * Update autotools + * Support for new Google protobuf 22.x, 23.x releases + * Remove protobuf 2.x support + pulseaudio +- Do not BuildRequire pkgconfig(webrtc-audio-processing-1) on big + endian architectures (s390, s390x, ppc64) as the dependency is + not available: + * WebRTC echo canceller will be disabled there + +- Add cherry-picks to fix UCM crashes + * pulseaudio-replace-port-device-UCM-context-assertion-with-an-error.patch + * pulseaudio-check-UCM-verb-before-working-with-device-status.patch + qemu +- Backports and bugfixes: + * [openSUSE]: Increase default phys bits to 42, if host supports that + (bsc#1205978, bsc#1219977) + * vfio/pci: Clear MSI-X IRQ index always (bsc#1220275) + +- Just "prettify" the spec files a little: + * [openSUSE][RPM] Cosmetic fixes to spec files (copyright, sorting, etc) + +- Patchqueue shrinking and bugfixing (actually, more of a temporary + workaround, until a proper solution is found upstream): + * [openSUSE] roms/seabios: revert some upstream commits that + break a lot of use-cases + * [openSUSE] 
roms/seabios: Drop an old (and no longer necessary) + downstream patch (bsc#1219977) + +Update to latest stable version (8.2.1) +- Downstream changes: + * [openSUSE][RPM]: Install the VGA module "more often" (bsc#1219164) + * [openSUSE][RPM] Fix handling of qemu-kvm legacy package for RISCV + * [openSUSE][RPM] factor common definitions between qemu and qemu-linux-user spec files +- Upstream backports: + * target/arm: Fix incorrect aa64_tidcp1 feature check + * target/arm: Fix A64 scalar SQSHRN and SQRSHRN + * target/xtensa: fix OOB TLB entry access + * qtest: bump aspeed_smc-test timeout to 6 minutes + * monitor: only run coroutine commands in qemu_aio_context + * iotests: port 141 to Python for reliable QMP testing + * iotests: add filter_qmp_generated_node_ids() + * block/blklogwrites: Fix a bug when logging "write zeroes" operations. + * virtio-net: correctly copy vnet header when flushing TX (bsc#1218484, CVE-2023-6693) + * tcg/arm: Fix SIGILL in tcg_out_qemu_st_direct + * linux-user/riscv: Adjust vdso signal frame cfa offsets + * linux-user: Fixed cpu restore with pc 0 on SIGBUS + * block/io: clear BDRV_BLOCK_RECURSE flag after recursing in bdrv_co_block_status + * coroutine-ucontext: Save fake stack for pooled coroutine + * tcg/s390x: Fix encoding of VRIc, VRSa, VRSc insns + * accel/tcg: Revert mapping of PCREL translation block to multiple virtual addresses + * acpi/tests/avocado/bits: wait for 200 seconds for SHUTDOWN event from bits VM + * s390x/pci: drive ISM reset from subsystem reset + * s390x/pci: refresh fh before disabling aif + * s390x/pci: avoid double enable/disable of aif + * hw/scsi/esp-pci: set DMA_STAT_BCMBLT when BLAST command issued + * hw/scsi/esp-pci: synchronise setting of DMA_STAT_DONE with ESP completion interrupt + * hw/scsi/esp-pci: generate PCI interrupt from separate ESP and PCI sources + * hw/scsi/esp-pci: use correct address register for PCI DMA transfers + * migration/rdma: define htonll/ntohll only if not predefined + * 
hw/pflash: implement update buffer for block writes + * hw/pflash: use ldn_{be,le}_p and stn_{be,le}_p + * hw/pflash: refactor pflash_data_write() + * backends/cryptodev: Do not ignore throttle/backends Errors + * target/i386: pcrel: store low bits of physical address in data[0] + * target/i386: fix incorrect EIP in PC-relative translation blocks + * target/i386: Do not re-compute new pc with CF_PCREL + * load_elf: fix iterator's type for elf file processing + * target/hppa: Update SeaBIOS-hppa to version 15 + * target/hppa: Fix IOR and ISR on error in probe + * target/hppa: Fix IOR and ISR on unaligned access trap + * target/hppa: Export function hppa_set_ior_and_isr() + * target/hppa: Avoid accessing %gr0 when raising exception + * hw/hppa: Move software power button address back into PDC + * target/hppa: Fix PDC address translation on PA2.0 with PSW.W=0 + * hw/pci-host/astro: Add missing astro & elroy registers for NetBSD + * hw/hppa/machine: Disable default devices with --nodefaults option + * hw/hppa/machine: Allow up to 3840 MB total memory + * readthodocs: fully specify a build environment + * .gitlab-ci.d/buildtest.yml: Work around htags bug when environment is large + * target/s390x: Fix LAE setting a wrong access register + * tests/qtest/virtio-ccw: Fix device presence checking + * tests/acpi: disallow tests/data/acpi/virt/SSDT.memhp changes + * tests/acpi: update expected data files + * edk2: update binaries to git snapshot + * edk2: update build config, set PcdUninstallMemAttrProtocol = TRUE. 
+ * edk2: update to git snapshot + * tests/acpi: allow tests/data/acpi/virt/SSDT.memhp changes + * util: fix build with musl libc on ppc64le + * tcg/ppc: Use new registers for LQ destination + * hw/intc/arm_gicv3_cpuif: handle LPIs in in the list registers + * hw/vfio: fix iteration over global VFIODevice list + * vfio/container: Replace basename with g_path_get_basename + * edu: fix DMA range upper bound check + * hw/net: cadence_gem: Fix MDIO_OP_xxx values + * audio/audio.c: remove trailing newline in error_setg + * chardev/char.c: fix "abstract device type" error message + * target/riscv: Fix mcycle/minstret increment behavior + * hw/net/can/sja1000: fix bug for single acceptance filter and standard frame + * target/i386: the sgx_epc_get_section stub is reachable + * configure: use a native non-cross compiler for linux-user + * include/ui/rect.h: fix qemu_rect_init() mis-assignment + * target/riscv/kvm: do not use non-portable strerrorname_np() + * iotests: Basic tests for internal snapshots + * vl: Improve error message for conflicting -incoming and -loadvm + * block: Fix crash when loading snapshot on inactive node +- Fixes: + * bsc#1218484 (CVE-2023-6693) + rdma-core +- Add kernel-boot-do-not-load-module-unsupported-on-s390.patch + to prevent autoload of module not supported on s390. (bsc#1219805) + rpm +- backport lua support for rpm.execute to ease migrating [bnc#1216752] + * new patch: luaexecute.diff + samba +- Update to 4.19.5 + * Windows 2016 fails to restore previous version of a file from + a shadow_copy2 snapshot; (bso#13688). + * Symlinks on AIX are broken in 4.19 (and a few version before + that); (bso#15549). + * Fake directory create times has no effect; (bso#12421). + * ctime mixed up with mtime by smbd; (bso#15550). + * samba-gpupdate --rsop fails if machine is not in a site; + (bso#15548). + * gpupdate: The root cert import when NDES is not available is + broken; (bso#15557). 
+ * samba-gpupdate should print a useful message if cepces-submit + can't be found; (bso#15552). + * samba-gpupdate logging doesn't work; (bso#15558). + * smbpasswd reset permissions only if not 0600; (bso#15555). + systemd-rpm-macros +- Bump version to 15 + +- Order packages that requires systemd after systemd-sysvcompat when this part + of the transaction (bsc#1217964) + systemd-sysvcompat has been introduced recently and contains the compatibility + scripts used to support SysV init scripts. Make sure that the packages ordered + after systemd are also ordered after systemd-sysvcompat so theirs rpm + scriptlets can still rely on the compat scripts. + On distributions where systemd-sysvcompat doesn't exist, the new ordering + constraint should be a nop. + tigervnc +- buildrequire xorg-x11-server-source/-sdk >= 21.1.11 and trigger + rebuild with newer xorg-x11-server-source package (bsc#1219311, + bsc#1219205) + virtiofsd +- Spec: Adjust libvirt/virtiofsd interop config file to handle differences in + the definition of libexecdir macro on SLE and Tumbleweed (bsc#1219772) + -- Update to upstream version v1.7.2 (jsc#4980) +- Update to upstream version v1.7.2 (jsc#PED-4980) xfsprogs +- update to 6.6.0 + - xfs_scrub: add missing license and copyright information + - xfs_db: report the device associated with each io cursor + - libxfs: Fix UAF in a requeued EFI + - xfs_io: Add new option, to exercise log2_data_unit_size in kernel fscrypt_policy_v2 + - xfs_db: Add upport to read from external log device + - metadump: New metadump format + - xfs_quota: fix missing mount point warning + yast2 +- removed "journalctl --dmesg" from save_y2los +- 4.6.7 + +- replaced "journalctl --dmesg" with "journalctl -b" +- 4.6.6 + +- Allow host/domain names starting with an underscore (bsc#1219920) +- 4.6.5 + yast2-packager +- Display a better product summary for the SLE_HPC => SLES upgrade + (jsc#PED-7841) +- 4.6.8 + zchunk +- Add OpenSSL 3.x support: [jsc#PED-6570, bsc#1217722] + * Rework 
hash code to support openSSL 3.x EVP API [8be0795f] + * Update tests to handle zstd 1.5.4 [7b84aabb] + * Add upstream patches: + - zchunk-OpenSSL-3-EVP-API.patch + - zchunk-OpenSSL-3-tests.patch +