Bug 1106751 - iptables does not work with kernel-default-base
iptables does not work with kernel-default-base
Status: CONFIRMED
: 1131393 (view as bug list)
Classification: openSUSE
Product: openSUSE Tumbleweed
Classification: openSUSE
Component: Kernel
Current
Other Other
: P5 - None : Critical (vote)
: ---
Assigned To: Michal Kubeček
E-mail List
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2018-08-31 12:12 UTC by Fabian Vogt
Modified: 2022-07-21 17:24 UTC (History)
7 users (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Fabian Vogt 2018-08-31 12:12:56 UTC
Initially reported as https://github.com/kubic-project/automation/pull/474#issuecomment-417329301

Docker (and cri-o) do not work in Kubic VM images as iptables does not work:

g47:~ # iptables -L
iptables: No chain/target/match by that name.
Comment 1 Fabian Vogt 2018-09-06 12:27:32 UTC
The missing module is: bpfilter!

in ip_sockglue.c:

int ip_setsockopt(struct sock *sk, int level, int optname, char __user *optval, unsigned int optlen) {
        int err;
...
        err = do_ip_setsockopt(sk, level, optname, optval, optlen);
#ifdef CONFIG_BPFILTER
        if (optname >= BPFILTER_IPT_SO_SET_REPLACE && optname < BPFILTER_IPT_SET_MAX)
                err = bpfilter_ip_set_sockopt(sk, optname, optval, optlen);
#endif
#ifdef CONFIG_NETFILTER
        /* we need to exclude all possible ENOPROTOOPTs except default case */
        if (err == -ENOPROTOOPT && optname != IP_HDRINCL && ...)
                err = nf_setsockopt(sk, PF_INET, optname, optval, optlen);
#endif
}

we see that nf_setsockopt is only called if bpfilter_ip_set_sockopt returns -ENOPROTOOPT.

However, it does the following:

int (*bpfilter_process_sockopt)(struct sock *sk, int optname,
                                char __user *optval,
                                unsigned int optlen, bool is_set);
EXPORT_SYMBOL_GPL(bpfilter_process_sockopt);

...
        if (!bpfilter_process_sockopt) {
                int err = request_module("bpfilter");

                if (err)
                        return err;
                if (!bpfilter_process_sockopt)
                        return -ECHILD;
        }
        return bpfilter_process_sockopt(sk, optname, optval, optlen, is_set);

It implements lazy-loading of the module on the first call and if that fails, returns
a value != -ENOPROTOOPT, which thus breaks netfilter. Here the value is 256, which is
not even an error code and actually ends up in the userspace program.

Confirmed by systemtap (forcing err to -92) and loading bpfilter also makes it succeed.

@kstreitova: This was actually handled wrongly in iptables itself, a missing
memset(&info, 0, sizeof(info)); in libiptc.c caused it to read garbage. It would be nice
to have that fixed as well, even if it's ultimately a kernel bug.
Comment 2 Takashi Iwai 2018-09-07 09:20:08 UTC
Thanks for identifying this!  I pushed the fix to my branch master and stable user branches.

Another fix would be to change CONFIG_BPFILTER_UMH to y, but we'd like to keep modular as much as possible in general.
Comment 3 Fabian Vogt 2019-04-03 13:38:10 UTC
Looks like the bug is back - kernel-default-base in TW is missing bpfilter again.

Additionally, the split of kernel-source and kernel-default-base means that TW does currently not rebuild kernel-default-base at all. This means that kernel-default is at 5.0.5 while kernel-default-base remains at 5.0.3 indefinitely.
Comment 4 Fabian Vogt 2019-04-03 13:40:01 UTC
*** Bug 1131393 has been marked as a duplicate of this bug. ***
Comment 5 Kristyna Streitova 2019-04-03 20:13:54 UTC
(In reply to Fabian Vogt from comment #1)
> @kstreitova: This was actually handled wrongly in iptables itself, a missing
> memset(&info, 0, sizeof(info)); in libiptc.c caused it to read garbage. It
> would be nice
> to have that fixed as well, even if it's ultimately a kernel bug.

Could you be a little bit more specific, please? Or even better, can you provide a patch if you've already identified where the problem lies? Thanks!
Comment 6 Fabian Vogt 2019-04-04 07:24:14 UTC
(In reply to Kristyna Streitova from comment #5)
> (In reply to Fabian Vogt from comment #1)
> > @kstreitova: This was actually handled wrongly in iptables itself, a missing
> > memset(&info, 0, sizeof(info)); in libiptc.c caused it to read garbage. It
> > would be nice
> > to have that fixed as well, even if it's ultimately a kernel bug.
> 
> Could you be a little bit more specific, please? Or even better, can you
> provide a patch if you've already identified where the problem lies? Thanks!

Sure:

diff --git a/libiptc/libiptc.c b/libiptc/libiptc.c
index a6e70571..8c03ab42 100644
--- a/libiptc/libiptc.c
+++ b/libiptc/libiptc.c
@@ -1303,6 +1303,7 @@ TC_INIT(const char *tablename)
 {
        struct xtc_handle *h;
        STRUCT_GETINFO info;
+       memset(&info, 0, sizeof(info));
        unsigned int tmp;
        socklen_t s;
        int sockfd;


Without this, iptables -L reads garbage from the struct as the kernel never filled it in the bugged case, leading to weird issues like mmapping a few TiB of memory.
Comment 7 Fabian Vogt 2019-04-04 07:25:54 UTC
(In reply to Fabian Vogt from comment #3)
> Looks like the bug is back - kernel-default-base in TW is missing bpfilter
> again.
> 
> Additionally, the split of kernel-source and kernel-default-base means that
> TW does currently not rebuild kernel-default-base at all. This means that
> kernel-default is at 5.0.5 while kernel-default-base remains at 5.0.3
> indefinitely.

@msuchanek: Do you plan to revert the split in master/stable as well soon?
Comment 8 Takashi Iwai 2019-04-04 07:41:43 UTC
Don't we have some OBS setup instead?  Putting back to kernel-source is a step back, make the whole effort useless.

FWIW, the same problem is applied to a package like perf.  We need a general solution in OBS.
Comment 9 Fabian Vogt 2019-04-04 07:48:35 UTC
(In reply to Takashi Iwai from comment #8)
> Don't we have some OBS setup instead?  Putting back to kernel-source is a
> step back, make the whole effort useless.
>
> FWIW, the same problem is applied to a package like perf.  We need a general
> solution in OBS.

I can only think of a hacky way to (ab)use the rebuild bot: Add a fake "-rebuildme" subpackage to kernel-default-base.spec which has
%(rpm -q --qf 'Requires: %{name} = %{version}-%{release}\n' kernel-default).

As the subpackage turns uninstallable once kernel-default changed, it would be rebuilt.

@dimstar, @lnussel: Any better idea?
Comment 10 Dominique Leuenberger 2019-04-04 07:59:15 UTC
(In reply to Fabian Vogt from comment #9)
> I can only think of a hacky way to (ab)use the rebuild bot: Add a fake
> "-rebuildme" subpackage to kernel-default-base.spec which has
> %(rpm -q --qf 'Requires: %{name} = %{version}-%{release}\n' kernel-default).
> 
> As the subpackage turns uninstallable once kernel-default changed, it would
> be rebuilt.
> 
> @dimstar, @lnussel: Any better idea?

Yucks - let alone this can't work (ignoring the non-escaped %{version} for now):

The release counter is not under control on kernel-default-base: it is - and will remain for a while, at 1.x, until it gets direct source changes, when it turns into 2.x - and actually, weirdly, now it is 1.2.1.6... WTH)

So having a requires on a kernel version-release would only make it rebuild forever in an attempt to reach the checking/rebuild counter of kernel-default

If anything, we'd need to add it to the parent/child rebuild trigger, as in: https://github.com/openSUSE/openSUSE-release-tools/blob/master/rebuildpacs.pl#L77

But that is also 'just' a workaround - OBS itself has no support for this (except switching to rebuild=direct|transitive, which is too expensive for TW)
Comment 11 Petr Tesařík 2019-04-04 08:01:29 UTC
I must be missing something.

kernel-default-base now BuildRequires kernel-default-devel. Since this binary package is built from kernel-default, it must change whenever kernel-default is rebuilt, triggering a rebuild of kernel-default-base (because of meta change).

Why does it not happen for kernel-default-base?
Comment 12 Ludwig Nussel 2019-04-04 08:01:40 UTC
well, if we wanted to rely on rebuildpacs.pl that can be done in a more easy way, it has a list of special packages built in. so just add yet another one :)

As long as kernel-default-base has bcntsynctag on kernel-source it should be rebuilt automatically with rebuild counter sync by OBS though.
Comment 13 Fabian Vogt 2019-04-04 08:09:18 UTC
(In reply to Dominique Leuenberger from comment #10)
> (In reply to Fabian Vogt from comment #9)
> > I can only think of a hacky way to (ab)use the rebuild bot: Add a fake
> > "-rebuildme" subpackage to kernel-default-base.spec which has
> > %(rpm -q --qf 'Requires: %{name} = %{version}-%{release}\n' kernel-default).
> > 
> > As the subpackage turns uninstallable once kernel-default changed, it would
> > be rebuilt.
> > 
> > @dimstar, @lnussel: Any better idea?
> 
> Yucks - let alone this can't work (ignoring the non-escaped %{version} for
> now):
> 
> The release counter is not under control on kernel-default-base: it is - and
> will remain for a while, at 1.x, until it gets direct source changes, when
> it turns into 2.x - and actually, weirdly, now it is 1.2.1.6... WTH)

The kernel version from git is part of the Release: field in the .spec.

> So having a requires on a kernel version-release would only make it rebuild
> forever in an attempt to reach the checking/rebuild counter of kernel-default

It wouldn't - kernel-default-base.spec is separate from kernel-default.spec

> If anything, we'd need to add it to the parent/child rebuild trigger, as in:
> https://github.com/openSUSE/openSUSE-release-tools/blob/master/rebuildpacs.
> pl#L77

Yes, that's cleaner.

> But that is also 'just' a workaround - OBS itself has no support for this
> (except switching to rebuild=direct|transitive, which is too expensive for
> TW)

(In reply to Petr Tesařík from comment #11)
> I must be missing something.
> 
> kernel-default-base now BuildRequires kernel-default-devel. Since this
> binary package is built from kernel-default, it must change whenever
> kernel-default is rebuilt, triggering a rebuild of kernel-default-base
> (because of meta change).
> 
> Why does it not happen for kernel-default-base?

TW does not have rebuild=transient/direct enabled, this is intentional.

> (In reply to Ludwig Nussel from comment #12)
> well, if we wanted to rely on rebuildpacs.pl that can be done in a more easy
> way, it has a list of special packages built in. so just add yet another one
> :)
> 
> As long as kernel-default-base has bcntsynctag on kernel-source it should be
> rebuilt automatically with rebuild counter sync by OBS though.

That might work as well, but would require special configuration everywhere...

The current design of a split kernel-default-base.spec has multiple issues:
- Needs to be handled separately for maintenance submissions
- Is missing debuginfo and debugsources
- This rebuild issue
Comment 14 Michal Suchanek 2019-04-04 10:06:41 UTC
No, I do not plan to revert kernel-default-base

If you need a module add it to the module list in kernel-default-base.spec
Comment 15 Fabian Vogt 2019-04-04 10:34:35 UTC
(In reply to Michal Suchanek from comment #14)
> No, I do not plan to revert kernel-default-base
> 
> If you need a module add it to the module list in kernel-default-base.spec

I wonder how it got missing - it was working fine before the split.
Can you check whether other modules got lost as well?

If not, I'll file a sr.
Comment 16 Michal Suchanek 2019-04-04 10:56:39 UTC
I took the base module list from SLE15.

The stable list is missing dw_mmc-bluefield (bsc#1118752)

The SLE15 list is missing bpfilter

With the separate kernel-default-base you can build it against any kernel that supports it (15 SP1, master, stable) so you can keep just one copy of this module list.
Comment 17 Kristyna Streitova 2019-04-04 12:09:06 UTC
(In reply to Fabian Vogt from comment #6)
> diff --git a/libiptc/libiptc.c b/libiptc/libiptc.c
> index a6e70571..8c03ab42 100644
> --- a/libiptc/libiptc.c
> +++ b/libiptc/libiptc.c
> @@ -1303,6 +1303,7 @@ TC_INIT(const char *tablename)
>  {
>         struct xtc_handle *h;
>         STRUCT_GETINFO info;
> +       memset(&info, 0, sizeof(info));
>         unsigned int tmp;
>         socklen_t s;
>         int sockfd;
> 
> 
> Without this, iptables -L reads garbage from the struct as the kernel never
> filled it in the bugged case, leading to weird issues like mmapping a few
> TiB of memory.

Thanks! I've submitted this patch to openSUSE:Factory via sr#691502.

It was also reported upstream: https://bugzilla.netfilter.org/show_bug.cgi?id=1331
Comment 18 Fabian Vogt 2019-04-04 12:49:16 UTC
(In reply to Michal Suchanek from comment #16)
> I took the base module list from SLE15.
> 
> The stable list is missing dw_mmc-bluefield (bsc#1118752)
> 
> The SLE15 list is missing bpfilter
> 
> With the separate kernel-default-base you can build it against any kernel
> that supports it (15 SP1, master, stable) so you can keep just one copy of
> this module list.

Ok, I added bpfilter back to the list of networking modules, and created sr 691520. Confirmed to work - iptables -L works and docker starts.
Comment 19 Swamp Workflow Management 2019-04-04 15:20:06 UTC
This is an autogenerated message for OBS integration:
This bug (1106751) was mentioned in
https://build.opensuse.org/request/show/691558 Factory / kernel-default-base
Comment 20 Michal Suchanek 2019-04-10 12:08:01 UTC
(In reply to Dominique Leuenberger from comment #10)
 
> So having a requires on a kernel version-release would only make it rebuild
> forever in an attempt to reach the checking/rebuild counter of kernel-default

Why forever?

Only until it's built against the current kernel.

> 
> If anything, we'd need to add it to the parent/child rebuild trigger, as in:
> https://github.com/openSUSE/openSUSE-release-tools/blob/master/rebuildpacs.
> pl#L77

This will not work. You are supposed to be able to build arbitrary subpackages, not just -base.

(In reply to Fabian Vogt from comment #9)
> 
> I can only think of a hacky way to (ab)use the rebuild bot: Add a fake
> "-rebuildme" subpackage to kernel-default-base.spec which has
> %(rpm -q --qf 'Requires: %{name} = %{version}-%{release}\n' kernel-default).
> 
> As the subpackage turns uninstallable once kernel-default changed, it would
> be rebuilt.

I will add an empty subpackage and try rebuilding the kernel with it.
Comment 21 Fabian Vogt 2019-04-10 12:19:02 UTC
(In reply to Michal Suchanek from comment #20)
> (In reply to Fabian Vogt from comment #9)
> > 
> > I can only think of a hacky way to (ab)use the rebuild bot: Add a fake
> > "-rebuildme" subpackage to kernel-default-base.spec which has
> > %(rpm -q --qf 'Requires: %{name} = %{version}-%{release}\n' kernel-default).
> > 
> > As the subpackage turns uninstallable once kernel-default changed, it would
> > be rebuilt.
> 
> I will add an empty subpackage and try rebuilding the kernel with it.

Note that this will only have an effect inside openSUSE:Factory as that's what the bot is running against. So it can't really be tested, other than verifying that OBS says it's not installable.
Comment 22 Michal Suchanek 2019-04-10 18:37:19 UTC
Can I run this bot against other repository?
Comment 23 Fabian Vogt 2019-04-11 09:24:15 UTC
(In reply to Michal Suchanek from comment #22)
> Can I run this bot against other repository?

The source is at https://github.com/openSUSE/openSUSE-release-tools/blob/master/rebuildpacs.pl

I'm not sure whether it works against projects which don't contain an entire distro as it only looks for dependencies inside the project itself.
Comment 29 Swamp Workflow Management 2019-07-09 13:31:04 UTC
This is an autogenerated message for OBS integration:
This bug (1106751) was mentioned in
https://build.opensuse.org/request/show/714223 15.0 / kernel-source
Comment 32 Swamp Workflow Management 2019-07-12 16:13:47 UTC
SUSE-SU-2019:1829-1: An update that solves 11 vulnerabilities and has 71 fixes is now available.

Category: security (important)
Bug References: 1051510,1071995,1088047,1094555,1098633,1106383,1106751,1109137,1114279,1119532,1120423,1124167,1127155,1128432,1128902,1128910,1131645,1132154,1132390,1133401,1133738,1134303,1134395,1135296,1135556,1135642,1136157,1136598,1136922,1136935,1137103,1137194,1137429,1137625,1137728,1137884,1137995,1137996,1137998,1137999,1138000,1138002,1138003,1138005,1138006,1138007,1138008,1138009,1138010,1138011,1138012,1138013,1138014,1138015,1138016,1138017,1138018,1138019,1138291,1138293,1138374,1138375,1138589,1138719,1139771,1139782,1139865,1140133,1140328,1140405,1140424,1140428,1140575,1140577,1140637,1140658,1140715,1140719,1140726,1140727,1140728,1140814
CVE References: CVE-2018-16871,CVE-2018-20836,CVE-2019-10126,CVE-2019-10638,CVE-2019-10639,CVE-2019-11599,CVE-2019-12380,CVE-2019-12456,CVE-2019-12614,CVE-2019-12818,CVE-2019-12819
Sources used:
SUSE Linux Enterprise Module for Public Cloud 15 (src):    kernel-azure-4.12.14-5.33.1, kernel-source-azure-4.12.14-5.33.1, kernel-syms-azure-4.12.14-5.33.1
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src):    kernel-azure-4.12.14-5.33.1, kernel-source-azure-4.12.14-5.33.1, kernel-syms-azure-4.12.14-5.33.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 34 Swamp Workflow Management 2019-07-15 19:22:49 UTC
SUSE-SU-2019:1855-1: An update that solves 12 vulnerabilities and has 73 fixes is now available.

Category: security (important)
Bug References: 1051510,1061840,1065600,1071995,1088047,1094555,1098633,1106383,1106751,1109137,1114279,1119532,1120423,1124167,1127155,1128432,1128902,1128910,1131645,1132154,1132390,1133401,1133738,1134303,1134395,1135296,1135556,1135642,1136157,1136598,1136922,1136935,1137103,1137194,1137429,1137625,1137728,1137884,1137995,1137996,1137998,1137999,1138000,1138002,1138003,1138005,1138006,1138007,1138008,1138009,1138010,1138011,1138012,1138013,1138014,1138015,1138016,1138017,1138018,1138019,1138291,1138293,1138374,1138375,1138589,1138719,1139751,1139771,1139782,1139865,1140133,1140328,1140405,1140424,1140428,1140575,1140577,1140637,1140658,1140715,1140719,1140726,1140727,1140728,1140814
CVE References: CVE-2018-16871,CVE-2018-20836,CVE-2019-10126,CVE-2019-10638,CVE-2019-10639,CVE-2019-11478,CVE-2019-11599,CVE-2019-12380,CVE-2019-12456,CVE-2019-12614,CVE-2019-12818,CVE-2019-12819
Sources used:
SUSE Linux Enterprise Workstation Extension 15 (src):    kernel-default-4.12.14-150.27.1
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src):    kernel-default-4.12.14-150.27.1, kernel-docs-4.12.14-150.27.1, kernel-obs-qa-4.12.14-150.27.1
SUSE Linux Enterprise Module for Legacy Software 15 (src):    kernel-default-4.12.14-150.27.1
SUSE Linux Enterprise Module for Development Tools 15 (src):    kernel-docs-4.12.14-150.27.1, kernel-obs-build-4.12.14-150.27.1, kernel-source-4.12.14-150.27.1, kernel-syms-4.12.14-150.27.1, kernel-vanilla-4.12.14-150.27.1
SUSE Linux Enterprise Module for Basesystem 15 (src):    kernel-default-4.12.14-150.27.1, kernel-source-4.12.14-150.27.1, kernel-zfcpdump-4.12.14-150.27.1
SUSE Linux Enterprise High Availability 15 (src):    kernel-default-4.12.14-150.27.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 35 Swamp Workflow Management 2019-07-15 19:43:19 UTC
SUSE-SU-2019:1851-1: An update that solves 11 vulnerabilities and has 77 fixes is now available.

Category: security (important)
Bug References: 1051510,1061840,1065600,1071995,1088047,1094555,1098633,1106383,1106751,1109137,1114279,1119532,1120423,1124167,1127155,1128432,1128902,1128910,1132154,1132390,1133401,1133738,1134303,1134395,1135296,1135556,1135642,1136157,1136811,1136922,1137103,1137194,1137221,1137366,1137429,1137625,1137728,1137884,1137995,1137996,1137998,1137999,1138000,1138002,1138003,1138005,1138006,1138007,1138008,1138009,1138010,1138011,1138012,1138013,1138014,1138015,1138016,1138017,1138018,1138019,1138291,1138293,1138374,1138375,1138589,1138719,1139751,1139771,1139782,1139865,1140133,1140328,1140405,1140424,1140428,1140575,1140577,1140637,1140658,1140715,1140719,1140726,1140727,1140728,1140814,1140948,821419,945811
CVE References: CVE-2018-16871,CVE-2018-20836,CVE-2019-10126,CVE-2019-10638,CVE-2019-10639,CVE-2019-11478,CVE-2019-11599,CVE-2019-12456,CVE-2019-12614,CVE-2019-12818,CVE-2019-12819
Sources used:
SUSE Linux Enterprise Live Patching 12-SP4 (src):    kgraft-patch-SLE12-SP4_Update_6-1-6.5.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 36 Swamp Workflow Management 2019-07-15 19:55:37 UTC
SUSE-SU-2019:1855-1: An update that solves 12 vulnerabilities and has 73 fixes is now available.

Category: security (important)
Bug References: 1051510,1061840,1065600,1071995,1088047,1094555,1098633,1106383,1106751,1109137,1114279,1119532,1120423,1124167,1127155,1128432,1128902,1128910,1131645,1132154,1132390,1133401,1133738,1134303,1134395,1135296,1135556,1135642,1136157,1136598,1136922,1136935,1137103,1137194,1137429,1137625,1137728,1137884,1137995,1137996,1137998,1137999,1138000,1138002,1138003,1138005,1138006,1138007,1138008,1138009,1138010,1138011,1138012,1138013,1138014,1138015,1138016,1138017,1138018,1138019,1138291,1138293,1138374,1138375,1138589,1138719,1139751,1139771,1139782,1139865,1140133,1140328,1140405,1140424,1140428,1140575,1140577,1140637,1140658,1140715,1140719,1140726,1140727,1140728,1140814
CVE References: CVE-2018-16871,CVE-2018-20836,CVE-2019-10126,CVE-2019-10638,CVE-2019-10639,CVE-2019-11478,CVE-2019-11599,CVE-2019-12380,CVE-2019-12456,CVE-2019-12614,CVE-2019-12818,CVE-2019-12819
Sources used:
SUSE Linux Enterprise Workstation Extension 15 (src):    kernel-default-4.12.14-150.27.1
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src):    kernel-default-4.12.14-150.27.1, kernel-docs-4.12.14-150.27.1, kernel-obs-qa-4.12.14-150.27.1
SUSE Linux Enterprise Module for Live Patching 15 (src):    kernel-default-4.12.14-150.27.1, kernel-livepatch-SLE15_Update_12-1-1.5.1
SUSE Linux Enterprise Module for Legacy Software 15 (src):    kernel-default-4.12.14-150.27.1
SUSE Linux Enterprise Module for Development Tools 15 (src):    kernel-docs-4.12.14-150.27.1, kernel-obs-build-4.12.14-150.27.1, kernel-source-4.12.14-150.27.1, kernel-syms-4.12.14-150.27.1, kernel-vanilla-4.12.14-150.27.1
SUSE Linux Enterprise Module for Basesystem 15 (src):    kernel-default-4.12.14-150.27.1, kernel-source-4.12.14-150.27.1, kernel-zfcpdump-4.12.14-150.27.1
SUSE Linux Enterprise High Availability 15 (src):    kernel-default-4.12.14-150.27.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 37 Swamp Workflow Management 2019-07-15 20:15:40 UTC
SUSE-SU-2019:1851-1: An update that solves 11 vulnerabilities and has 77 fixes is now available.

Category: security (important)
Bug References: 1051510,1061840,1065600,1071995,1088047,1094555,1098633,1106383,1106751,1109137,1114279,1119532,1120423,1124167,1127155,1128432,1128902,1128910,1132154,1132390,1133401,1133738,1134303,1134395,1135296,1135556,1135642,1136157,1136811,1136922,1137103,1137194,1137221,1137366,1137429,1137625,1137728,1137884,1137995,1137996,1137998,1137999,1138000,1138002,1138003,1138005,1138006,1138007,1138008,1138009,1138010,1138011,1138012,1138013,1138014,1138015,1138016,1138017,1138018,1138019,1138291,1138293,1138374,1138375,1138589,1138719,1139751,1139771,1139782,1139865,1140133,1140328,1140405,1140424,1140428,1140575,1140577,1140637,1140658,1140715,1140719,1140726,1140727,1140728,1140814,1140948,821419,945811
CVE References: CVE-2018-16871,CVE-2018-20836,CVE-2019-10126,CVE-2019-10638,CVE-2019-10639,CVE-2019-11478,CVE-2019-11599,CVE-2019-12456,CVE-2019-12614,CVE-2019-12818,CVE-2019-12819
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP4 (src):    kernel-default-4.12.14-95.24.1
SUSE Linux Enterprise Software Development Kit 12-SP4 (src):    kernel-docs-4.12.14-95.24.1, kernel-obs-build-4.12.14-95.24.1
SUSE Linux Enterprise Server 12-SP4 (src):    kernel-default-4.12.14-95.24.1, kernel-source-4.12.14-95.24.1, kernel-syms-4.12.14-95.24.1
SUSE Linux Enterprise Live Patching 12-SP4 (src):    kgraft-patch-SLE12-SP4_Update_6-1-6.5.1
SUSE Linux Enterprise High Availability 12-SP4 (src):    kernel-default-4.12.14-95.24.1
SUSE Linux Enterprise Desktop 12-SP4 (src):    kernel-default-4.12.14-95.24.1, kernel-source-4.12.14-95.24.1, kernel-syms-4.12.14-95.24.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 38 Swamp Workflow Management 2019-07-19 10:16:00 UTC
openSUSE-SU-2019:1716-1: An update that solves 7 vulnerabilities and has 45 fixes is now available.

Category: security (important)
Bug References: 1051510,1071995,1088047,1094555,1098633,1106383,1106751,1109137,1114279,1119532,1120423,1124167,1127155,1128902,1128910,1131645,1132154,1132390,1133401,1133738,1134303,1134395,1135296,1135556,1135642,1136157,1136935,1137103,1137194,1137625,1137728,1137884,1138589,1138719,1139771,1139782,1139865,1140133,1140328,1140405,1140424,1140428,1140575,1140577,1140637,1140658,1140715,1140719,1140726,1140727,1140728,1140814
CVE References: CVE-2018-16871,CVE-2018-20836,CVE-2019-10126,CVE-2019-10638,CVE-2019-10639,CVE-2019-11599,CVE-2019-12614
Sources used:
openSUSE Leap 15.0 (src):    kernel-debug-4.12.14-lp150.12.67.1, kernel-default-4.12.14-lp150.12.67.1, kernel-docs-4.12.14-lp150.12.67.1, kernel-kvmsmall-4.12.14-lp150.12.67.1, kernel-obs-build-4.12.14-lp150.12.67.1, kernel-obs-qa-4.12.14-lp150.12.67.1, kernel-source-4.12.14-lp150.12.67.1, kernel-syms-4.12.14-lp150.12.67.1, kernel-vanilla-4.12.14-lp150.12.67.1
Comment 43 Swamp Workflow Management 2019-09-23 13:24:05 UTC
SUSE-SU-2019:2430-1: An update that solves 45 vulnerabilities and has 474 fixes is now available.

Category: security (important)
Bug References: 1050242,1050549,1051510,1052904,1053043,1055117,1055121,1055186,1056787,1058115,1061840,1064802,1065600,1065729,1066129,1070872,1071995,1075020,1082387,1082555,1083647,1083710,1085535,1085536,1088047,1088804,1093389,1094555,1096003,1098633,1099658,1102247,1103186,1103259,1103990,1103991,1103992,1104745,1106011,1106284,1106383,1106751,1108193,1108838,1108937,1109837,1110946,1111331,1111666,1111696,1112063,1112128,1112178,1112374,1113722,1113956,1114279,1114427,1114542,1114638,1114685,1115688,1117114,1117158,1117561,1118139,1119113,1119222,1119532,1119680,1120091,1120318,1120423,1120566,1120843,1120902,1122767,1122776,1123080,1123454,1123663,1124503,1124839,1125703,1126206,1126356,1126704,1127034,1127175,1127315,1127371,1127374,1127611,1127616,1128052,1128415,1128432,1128544,1128902,1128904,1128971,1128979,1129138,1129273,1129693,1129770,1129845,1130195,1130425,1130527,1130567,1130579,1130699,1130836,1130937,1130972,1131326,1131427,1131438,1131451,1131467,1131488,1131530,1131565,1131574,1131587,1131645,1131659,1131673,1131847,1131848,1131851,1131900,1131934,1131935,1132044,1132219,1132226,1132227,1132365,1132368,1132369,1132370,1132372,1132373,1132384,1132390,1132397,1132402,1132403,1132404,1132405,1132407,1132411,1132412,1132413,1132414,1132426,1132527,1132531,1132555,1132558,1132561,1132562,1132563,1132564,1132570,1132571,1132572,1132589,1132618,1132673,1132681,1132726,1132828,1132894,1132943,1132982,1133005,1133016,1133021,1133094,1133095,1133115,1133149,1133176,1133188,1133190,1133311,1133320,1133401,1133486,1133529,1133547,1133584,1133593,1133612,1133616,1133667,1133668,1133672,1133674,1133675,1133698,1133702,1133731,1133738,1133769,1133772,1133774,1133778,1133779,1133780,1133825,1133850,1133851,1133852,1133897,1134090,1134097,1134160,1134162,1134199,1134200,1134201,1134202,1134203,1134204,1134205,1134223,1134303,1134354,1134390,1134393,1134395,1134397,1134399,1134459,1134460,1134461,1134597,1134600,1134607,1134618,1134651,1134671,1134730,1134738,1134743,1134760,1134806,1134810,1134813,1134848,1134936,1134945,1134946,1134947,1134948,1134949,1134950,1134951,1134952,1134953,1134972,1134974,1134975,1134980,1134981,1134983,1134987,1134989,1134990,1134994,1134995,1134998,1134999,1135006,1135007,1135008,1135018,1135021,1135024,1135026,1135027,1135028,1135029,1135031,1135033,1135034,1135035,1135036,1135037,1135038,1135039,1135041,1135042,1135044,1135045,1135046,1135047,1135049,1135051,1135052,1135053,1135055,1135056,1135058,1135100,1135120,1135153,1135278,1135281,1135296,1135309,1135312,1135314,1135315,1135316,1135320,1135323,1135330,1135335,1135492,1135542,1135556,1135603,1135642,1135661,1135758,1135897,1136156,1136157,1136161,1136188,1136206,1136215,1136217,1136264,1136271,1136333,1136342,1136343,1136345,1136347,1136348,1136353,1136424,1136428,1136430,1136432,1136434,1136435,1136438,1136439,1136456,1136460,1136461,1136462,1136467,1136469,1136477,1136478,1136498,1136573,1136586,1136598,1136881,1136922,1136935,1136978,1136990,1137103,1137151,1137152,1137153,1137162,1137194,1137201,1137224,1137232,1137233,1137236,1137366,1137372,1137429,1137444,1137458,1137534,1137535,1137584,1137586,1137609,1137625,1137728,1137739,1137752,1137811,1137827,1137884,1137985,1137995,1137996,1137998,1137999,1138000,1138002,1138003,1138005,1138006,1138007,1138008,1138009,1138010,1138011,1138012,1138013,1138014,1138015,1138016,1138017,1138018,1138019,1138263,1138291,1138293,1138336,1138374,1138375,1138589,1138681,1138719,1138732,1138874,1138879,1139358,1139619,1139712,1139751,1139771,1139865,1140133,1140139,1140228,1140322,1140328,1140405,1140424,1140428,1140454,1140463,1140559,1140575,1140577,1140637,1140652,1140658,1140676,1140715,1140719,1140726,1140727,1140728,1140814,1140887,1140888,1140889,1140891,1140893,1140903,1140945,1140948,1140954,1140955,1140956,1140957,1140958,1140959,1140960,1140961,1140962,1140964,1140971,1140972,1140992,1141312,1141401,1141402,1141452,1141453,1141454,1141478,1141558,1142023,1142052,1142083,1142112,1142115,1142119,1142220,1142221,1142254,1142350,1142351,1142354,1142359,1142450,1142623,1142673,1142701,1142868,1143003,1143045,1143105,1143185,1143189,1143191,1143209,1143507
CVE References: CVE-2017-5753,CVE-2018-12126,CVE-2018-12127,CVE-2018-12130,CVE-2018-16871,CVE-2018-16880,CVE-2018-20836,CVE-2018-20855,CVE-2018-7191,CVE-2019-10124,CVE-2019-10638,CVE-2019-10639,CVE-2019-11085,CVE-2019-11091,CVE-2019-1125,CVE-2019-11477,CVE-2019-11478,CVE-2019-11479,CVE-2019-11486,CVE-2019-11487,CVE-2019-11599,CVE-2019-11810,CVE-2019-11811,CVE-2019-11815,CVE-2019-11833,CVE-2019-11884,CVE-2019-12380,CVE-2019-12382,CVE-2019-12456,CVE-2019-12614,CVE-2019-12817,CVE-2019-12818,CVE-2019-12819,CVE-2019-13233,CVE-2019-13631,CVE-2019-13648,CVE-2019-14283,CVE-2019-14284,CVE-2019-3846,CVE-2019-3882,CVE-2019-5489,CVE-2019-8564,CVE-2019-9003,CVE-2019-9500,CVE-2019-9503
Sources used:
SUSE Linux Enterprise Module for Realtime 15-SP1 (src):    kernel-rt-4.12.14-14.8.1, kernel-rt_debug-4.12.14-14.8.1, kernel-source-rt-4.12.14-14.8.1, kernel-syms-rt-4.12.14-14.8.1
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src):    kernel-rt-4.12.14-14.8.1, kernel-rt_debug-4.12.14-14.8.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 44 Swamp Workflow Management 2019-09-24 16:13:31 UTC
SUSE-SU-2019:2450-1: An update that solves 21 vulnerabilities and has 160 fixes is now available.

Category: security (important)
Bug References: 1012382,1051510,1053043,1055117,1061840,1065600,1065729,1068032,1071995,1083647,1083710,1088047,1094555,1098633,1102247,1106383,1106751,1109137,1111666,11123080,1112824,1113722,1114279,1115688,1117158,1118139,1119222,1120423,1120566,1124167,1124503,1127034,1127155,1127315,1128432,1128902,1128910,1129770,1130972,1132154,1132390,1133021,1133401,1133738,1134097,1134303,1134390,1134393,1134395,1134399,1134671,1135296,1135335,1135556,1135642,1135661,1136157,1136424,1136598,1136811,1136896,1136922,1136935,1136990,1137103,1137162,1137194,1137366,1137372,1137429,1137444,1137458,1137534,1137535,1137584,1137586,1137609,1137625,1137728,1137739,1137752,1137811,1137827,1137884,1137995,1137996,1137998,1137999,1138000,1138002,1138003,1138005,1138006,1138007,1138008,1138009,1138010,1138011,1138012,1138013,1138014,1138015,1138016,1138017,1138018,1138019,1138291,1138293,1138374,1138375,1138589,1138719,1139358,1139751,1139771,1139782,1139865,1140133,1140139,1140322,1140328,1140405,1140424,1140428,1140575,1140577,1140637,1140652,1140658,1140715,1140719,1140726,1140727,1140728,1140814,1140887,1140888,1140889,1140891,1140893,1140903,1140945,1140954,1140955,1140956,1140957,1140958,1140959,1140960,1140961,1140962,1140964,1140971,1140972,1140992,1141401,1141402,1141452,1141453,1141454,1141478,1141488,1142023,1142112,1142220,1142221,1142265,1142350,1142351,1142354,1142359,1142450,1142701,1142868,1143003,1143045,1143105,1143185,1143189,1143191,1143507
CVE References: CVE-2018-16871,CVE-2018-20836,CVE-2018-20855,CVE-2019-10126,CVE-2019-10638,CVE-2019-10639,CVE-2019-1125,CVE-2019-11477,CVE-2019-11478,CVE-2019-11599,CVE-2019-11810,CVE-2019-12380,CVE-2019-12456,CVE-2019-12614,CVE-2019-12818,CVE-2019-12819,CVE-2019-13631,CVE-2019-13648,CVE-2019-14283,CVE-2019-14284,CVE-2019-3846
Sources used:
SUSE Linux Enterprise Real Time Extension 12-SP4 (src):    kernel-rt-4.12.14-8.3.1, kernel-rt_debug-4.12.14-8.3.1, kernel-source-rt-4.12.14-8.3.1, kernel-syms-rt-4.12.14-8.3.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 47 Swamp Workflow Management 2019-10-23 19:19:59 UTC
SUSE-SU-2019:2756-1: An update that solves 44 vulnerabilities and has 368 fixes is now available.

Category: security (important)
Bug References: 1012382,1047238,1050911,1051510,1053043,1054914,1055117,1056686,1060662,1061840,1061843,1064597,1064701,1065600,1065729,1066369,1071009,1071306,1071995,1078248,1082555,1083647,1083710,1085030,1085536,1085539,1086103,1087092,1088047,1090734,1091171,1093205,1094555,1098633,1102097,1102247,1104902,1104967,1106061,1106284,1106383,1106434,1106751,1108382,1109137,1109158,1111666,1112178,1112894,1112899,1112902,1112903,1112905,1112906,1112907,1113722,1114279,1114542,1115688,1117158,1118139,1118689,1119086,1119222,1119532,1120423,1120566,1120876,1120902,1120937,1123034,1123080,1123105,1123959,1124167,1124370,1124503,1127034,1127155,1127315,1127988,1128432,1128902,1128910,1129424,1129519,1129664,1129770,1130972,1131107,1131281,1131304,1131565,1132154,1132390,1132686,1133021,1133401,1134097,1134291,1134303,1134390,1134671,1134881,1134882,1135219,1135296,1135335,1135556,1135642,1135661,1135897,1136157,1136261,1136811,1136896,1136935,1136990,1137069,1137162,1137221,1137366,1137372,1137429,1137444,1137458,1137534,1137535,1137584,1137586,1137609,1137625,1137728,1137739,1137752,1137811,1137827,1137865,1137884,1137959,1137995,1137996,1137998,1137999,1138000,1138002,1138003,1138005,1138006,1138007,1138008,1138009,1138010,1138011,1138012,1138013,1138014,1138015,1138016,1138017,1138018,1138019,1138374,1138375,1138539,1138589,1138719,1139020,1139021,1139101,1139500,1139771,1139782,1139865,1140012,1140133,1140139,1140155,1140322,1140328,1140405,1140424,1140426,1140428,1140487,1140637,1140652,1140658,1140715,1140719,1140726,1140727,1140728,1140814,1140887,1140888,1140889,1140891,1140893,1140903,1140945,1140948,1140954,1140955,1140956,1140957,1140958,1140959,1140960,1140961,1140962,1140964,1140971,1140972,1140992,1141013,1141401,1141402,1141450,1141452,1141453,1141454,1141478,1141543,1141554,1142019,1142076,1142109,1142112,1142117,1142118,1142119,1142129,1142220,1142221,1142350,1142351,1142354,1142359,1142450,1142496,1142541,1142635,1142685,1142701,1142857,1142868,1143003,1143105,1143185,1143300,1143466,1143507,1143765,1143841,1143843,1144123,1144333,1144474,1144518,1144718,1144813,1144880,1144886,1144912,1144920,1144979,1145010,1145024,1145051,1145059,1145189,1145235,1145300,1145302,1145388,1145389,1145390,1145391,1145392,1145393,1145394,1145395,1145396,1145397,1145408,1145409,1145661,1145678,1145687,1145920,1145922,1145934,1145937,1145940,1145941,1145942,1146042,1146074,1146084,1146163,1146285,1146346,1146351,1146352,1146361,1146376,1146378,1146381,1146391,1146399,1146413,1146425,1146512,1146514,1146516,1146519,1146524,1146526,1146529,1146531,1146540,1146543,1146547,1146550,1146575,1146589,1146664,1146678,1146938,1148031,1148032,1148033,1148034,1148035,1148093,1148133,1148192,1148196,1148198,1148202,1148303,1148363,1148379,1148394,1148527,1148574,1148616,1148617,1148619,1148698,1148712,1148859,1148868,1149053,1149083,1149104,1149105,1149106,1149197,1149214,1149224,1149313,1149325,1149376,1149413,1149418,1149424,1149446,1149522,1149527,1149539,1149552,1149555,1149591,1149602,1149612,1149626,1149651,1149652,1149713,1149940,1149959,1149963,1149976,1150025,1150033,1150112,1150381,1150423,1150562,1150727,1150860,1150861,1150933,1151350,1151610,1151667,1151671,1151891,1151955,1152024,1152025,1152026,1152161,1152325,1152457,1152460,1152466,1152972,1152974,1152975
CVE References: CVE-2017-18551,CVE-2017-18595,CVE-2018-20976,CVE-2018-21008,CVE-2019-10207,CVE-2019-11479,CVE-2019-14814,CVE-2019-14815,CVE-2019-14816,CVE-2019-14821,CVE-2019-14835,CVE-2019-15030,CVE-2019-15031,CVE-2019-15090,CVE-2019-15098,CVE-2019-15117,CVE-2019-15118,CVE-2019-15211,CVE-2019-15212,CVE-2019-15214,CVE-2019-15215,CVE-2019-15216,CVE-2019-15217,CVE-2019-15218,CVE-2019-15219,CVE-2019-15220,CVE-2019-15221,CVE-2019-15222,CVE-2019-15239,CVE-2019-15290,CVE-2019-15291,CVE-2019-15292,CVE-2019-15538,CVE-2019-15666,CVE-2019-15902,CVE-2019-15917,CVE-2019-15919,CVE-2019-15920,CVE-2019-15921,CVE-2019-15924,CVE-2019-15926,CVE-2019-15927,CVE-2019-9456,CVE-2019-9506
Sources used:
SUSE Linux Enterprise Real Time Extension 12-SP4 (src):    kernel-rt-4.12.14-8.6.1, kernel-rt_debug-4.12.14-8.6.1, kernel-source-rt-4.12.14-8.6.1, kernel-syms-rt-4.12.14-8.6.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.