Bug 1184804 - move kernel out of /boot
Status: REOPENED
Classification: openSUSE
Product: openSUSE Tumbleweed
Component: Kernel
Version: Current
Hardware: Other Other
Importance: P3 - Medium : Normal
Target Milestone: ---
Assigned To: Ludwig Nussel
QA Contact: E-mail List
URL: https://lists.opensuse.org/archives/l...
Depends on: 1188142 1199873
Blocks: 1029961
Reported: 2021-04-15 12:42 UTC by Ludwig Nussel
Modified: 2022-07-21 19:47 UTC (History)
Attachments
patch (5.77 KB, patch), 2021-04-19 13:56 UTC, Ludwig Nussel
additional fixup (1.50 KB, patch), 2021-06-28 12:02 UTC, Michal Suchanek
patch with fixed kernel-default-base (17.21 KB, patch), 2021-06-29 08:58 UTC, Ludwig Nussel
kernel-default-base owning modules dir (17.45 KB, patch), 2021-07-01 11:47 UTC, Ludwig Nussel
installation-images patch (2.33 KB, patch), 2021-07-09 11:14 UTC, Jiri Slaby

Description Ludwig Nussel 2021-04-15 12:42:31 UTC
One of the motivations for UsrMerge is to have all read-only parts of
the operating system in /usr. The kernel packages install files in /boot
though which isn't in line with that idea.
Having the kernel installed via rpm in /boot also causes issues with e.g. snapshots if /boot is on a separate partition.
So it makes sense to store the rpm-provided parts of the kernel packages where the rest of the OS is and manage /boot separately.

Looking at Fedora they install files like vmlinuz that used to be named
/boot/$name-$kver as (/usr)/lib/modules/$kver/$name instead. They
include /boot/$name-$kver as %ghost.
Comment 1 Ludwig Nussel 2021-04-15 12:45:18 UTC
As a first step I'll move the files to /lib/modules/$kver/$name. The %post script will install the symlinks in /boot for now, just like it always did for e.g. /boot/vmlinuz.

Before we can manage /boot outside of the kernel's %post, suse-module-tools needs to be adjusted to search in /lib instead.
Also, pesign-obs-integration needs adaptations.
Comment 2 Ludwig Nussel 2021-04-19 13:56:17 UTC
Created attachment 848502 [details]
patch

Move kernel related read-only files from /boot to /lib/modules/%kernelrelease-%build_flavor

The file names in /boot are included as %ghost links. The %post script creates symlinks for the kernel sysctl.conf System.map in %boot for now. Some tools require adjustments before we can drop those links.
Comment 3 Ludwig Nussel 2021-04-19 13:56:53 UTC
What's the process to submit/discuss the patch?
Comment 4 Takashi Iwai 2021-04-19 14:50:35 UTC
Let's get the consensus at first on opensuse-kernel ML.  As far as I read the thread, it wasn't convincing enough.
Comment 5 Ludwig Nussel 2021-04-19 15:59:49 UTC
Who needs to be convinced? The discussion seems to have been derailed by the usual subjects. Any relevant concerns I should pay attention to?
Comment 6 Takashi Iwai 2021-04-19 16:20:53 UTC
Are you sure that the majority of people agreed with this movement?  Just ask there.
There are lots of technical details and they must have been clarified before moving on.

Basically Bugzilla is the place for reporting a bug.  We may report some enhancements, but the basic design issue should have been discussed somewhere else beforehand.
Comment 7 Ludwig Nussel 2021-06-17 15:07:00 UTC
For reference:

Fedora change:
https://src.fedoraproject.org/rpms/kernel/c/958df3c

openSUSE kernel Mailinglist discussion:
https://lists.opensuse.org/archives/list/kernel@lists.opensuse.org/thread/QWAZJHKGFI3Y6KQQCJ23IWQHL5YZRQ5P/
Comment 8 Michal Suchanek 2021-06-17 17:14:54 UTC
FTR the kernel packaging is shared between TW, Leap, SLE 15, and SLE 12 so that packaging fixes can be propagated across kernel versions.

Consequently this move should be optional - either by rpm/config.conf as are many other options or by distribution version.

Switching between the two is not difficult so long as a single rpm macro is defined at the start that controls the option throughout the spec file.
Comment 9 Ludwig Nussel 2021-06-25 13:43:24 UTC
https://build.opensuse.org/request/show/901652 is in so the last revision of my patch should be ready to be merged:
http://kerncvs.suse.de/gitweb/?p=kernel-source.git;a=commit;h=4f91341ea36f29d07c5493a7d88a89c1888ff28f

It leaves the files where they are in older releases.
Comment 10 Michal Suchanek 2021-06-25 15:40:34 UTC
I think the changes to kernel-subpackage-spec are superfluous because the changes to kernel-subpackage-build already detect usrmerge. I did not get to building a TW kernel with this change reverted, though.
Comment 11 Ludwig Nussel 2021-06-25 17:47:39 UTC
Depmod is called and it looks into /lib/modules. That's fine but requires the /lib -> usr/lib link as installed in the kernel-subpackage-spec.
Comment 12 Ludwig Nussel 2021-06-28 11:16:04 UTC
--- a/rpm/kernel-subpackage-build
Alternative to the snippet in kernel-subpackage-spec would be something like

+++ b/rpm/kernel-subpackage-build
@@ -36,7 +36,7 @@ echo $USR/lib/modules/$KREL/modules.* | tr ' ' '\n' >> modules.flist
 
 tar -C / -cf- -T modules.flist | tar -C $RPM_BUILD_ROOT -xvf-
 
-moderr="$(/usr/sbin/depmod -b $RPM_BUILD_ROOT -e -F /boot/System.map-$KREL $KREL 2>&1 > /dev/null)"
+moderr="$(/usr/sbin/depmod -b $RPM_BUILD_ROOT/usr -e -F /boot/System.map-$KREL $KREL 2>&1 > /dev/null)"
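Review bot: the new depmod line hard-codes `-b $RPM_BUILD_ROOT/usr`, although the context line in the hunk header already builds its paths from `$USR/lib/modules/$KREL`. If `$USR` can be empty on some targets, depmod would then be pointed at a `/usr` prefix that the preceding `tar` step did not populate; `-b ${RPM_BUILD_ROOT}${USR}` keeps both layouts under one variable. The unchanged `-F /boot/System.map-$KREL` still reads the map from `/boot`, which should be rechecked against the file move this bug proposes.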


Do you prefer that?
Comment 13 Michal Suchanek 2021-06-28 12:02:00 UTC
Created attachment 850594 [details]
additional fixup

I tried with this additional patch.

Simply 

moderr="$(/usr/sbin/depmod -b ${RPM_BUILD_ROOT}${USR} -e -F /boot/System.map-$KREL $KREL 2>&1 > /dev/null)"

instead of creating the symlink should also work
Comment 14 Ludwig Nussel 2021-06-28 12:31:41 UTC

    
Comment 15 Ludwig Nussel 2021-06-28 12:36:13 UTC
Looks like Bugzilla doesn't like emoji :-)
Do you want me to update my patch or do you want to apply your fix on top?
Comment 16 Michal Suchanek 2021-06-28 12:54:52 UTC
it's better if you update it
Comment 17 Michal Suchanek 2021-06-28 13:15:10 UTC
I get an error on i586 TW now:

[   95s] + /usr/lib/rpm/kernel/modflist kernel.flist modules modules.flist /lib/modules/5.13.0-rc7-3.g7895a48-default/modules.builtin
[   95s] Module usb-common built-in
[   95s] Module sd_mod built-in
[   95s] Module scsi_mod built-in
[   95s] Module virtio built-in
[   95s] Module xenblk missing
[   95s] Module xennet missing
[   95s] Module xen-.* missing
[   95s] Module autofs4 built-in
[   95s] Module ext4 built-in
[   95s] Module jbd2 built-in
[   95s] Module mbcache built-in
[   95s] Module asymmetric_keys built-in
[   95s] Module blake2b-256 missing
[   95s] Module sha256 missing
[   95s] Module xxhash64 missing
[   95s] Module crc32c missing
[   95s] + grep -v '^/usr/lib/modules'
[   95s] error: Bad exit status from /var/tmp/rpm-tmp.VDFIPe (%install)
Comment 18 Ludwig Nussel 2021-06-28 16:08:14 UTC
wasn't the only issue :-( working on update
Comment 19 Ludwig Nussel 2021-06-29 08:58:13 UTC
Created attachment 850632 [details]
patch with fixed kernel-default-base
Comment 20 Michal Suchanek 2021-06-30 17:09:26 UTC
Thanks for the updated patch. With the new subpackaging script the module directory becomes disowned:

--- kernel-old/kernel-default-base.x86_64/list  2021-06-30 18:25:46.281263400 +0200
+++ kernel-new/kernel-default-base.x86_64/list  2021-06-30 18:29:59.880841095 +0200
@@ -13,7 +13,6 @@
 /etc/uefi
 /etc/uefi/certs
 /etc/uefi/certs/3559CCE2.crt
-/lib/modules/@UNAME_R@-default
 /lib/modules/@UNAME_R@-default/kernel
 /lib/modules/@UNAME_R@-default/kernel/arch
 /lib/modules/@UNAME_R@-default/kernel/arch/x86
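Review bot: the removed entry `/lib/modules/@UNAME_R@-default` leaves the per-version module directory without an owner while its `kernel/` children are still listed, so the directory would stay behind on uninstall and would not be covered by package verification. The subpackaging script should emit the directory itself (a `%dir` entry) in addition to its contents.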

I think this is frowned upon.

However, previously /lib/modules was not owned by the kernel either. Is there something else that owns the directory, should the kernel own it, or is this already handled in a better way?
Comment 21 Michal Suchanek 2021-06-30 17:20:57 UTC
Never mind, filesystem owns /lib/modules, and the kernel needs to own /lib/modules/$(uname -r)
Comment 22 Ludwig Nussel 2021-07-01 11:47:46 UTC
Created attachment 850705 [details]
kernel-default-base owning modules dir
Comment 23 Jiri Slaby 2021-07-02 06:22:04 UTC
There are failures in kernel-obs-build now:
>  + dracut --host-only --no-hostonly-cmdline '--drivers=loop dm-crypt essiv dm-mod dm-snapshot binfmt-misc fuse kqemu squashfs ext2 ext3 ext4 reiserfs btrfs xfs nf_conntrack_ipv6 binfmt_misc virtio_pci virtio_mmio virtio_blk virtio_rng fat vfat nls_cp437 nls_iso8859-1 ibmvscsi sd_mod e1000 ibmveth overlay' --force /tmp/initrd.kvm 5.12.13-1-default /boot/vmlinuz-5.13.0-4.gf094788-default
>
>  Unknown arguments: /boot/vmlinuz-5.13.0-4.gf094788-default
>
>  Usage: /usr/bin/dracut [OPTION]... [<initramfs> [<kernel-version>]]
>
>  Version: 055+suse.106.g760b0c69-1.3
>
>  Creates initial ramdisk images for preloading modules
>
>    -h, --help  Display all options
>
>  If a [LIST] has multiple arguments, then you have to put these in quotes.
>
>  For example:
>
>      # dracut --add-drivers "module1 module2"  ...
>
>  error: Bad exit status from /var/tmp/rpm-tmp.pGW3g8 (%build)

See e.g.:
https://build.suse.de/package/live_build_log/Devel:Kernel:master/kernel-obs-build/QA/x86_64
Comment 24 Jiri Slaby 2021-07-09 09:05:17 UTC
This appears to break installation-images:
https://build.opensuse.org/package/live_build_log/openSUSE:Factory:Staging:E/installation-images:openSUSE/standard/x86_64

> [  267s] theme=openSUSE libdeps=initrd image=initrd-base.xz tmpdir=initrd src=initrd filelist=initrd fs=cpio.xz bin/mk_image
> [  267s] creating solv file...
> [  267s] find: '/usr/src/packages/BUILD/installation-images-17.8/tmp/cache//kernel-default/rpm/boot': No such file or directory
> [  267s] Error: No kernel image identified! (Looking for "vmlinuz-".)
> [  267s] 
> [  267s] Compilation failed in require at bin/mk_image line 7.
Comment 25 Jiri Slaby 2021-07-09 11:14:13 UTC
Created attachment 850893 [details]
installation-images patch

This fixes some of the issues in installation-images. But there are many occurrences of /lib/modules and /boot in there. (And they are only %ghosts now.)
Comment 26 Jiri Slaby 2021-07-09 11:17:03 UTC
(In reply to Jiri Slaby from comment #25)
> Created attachment 850893 [details]
> installation-images patch
> 
> This fixes some of the issues in installation-images. But there are many
> occurrences of /lib/modules and /boot in there. (And they are only %ghosts
> now.)

For example the build errors out with:
> [  205s] cp: cannot stat '/usr/src/packages/BUILD/installation-images-17.8/tmp/cache//kernel-default/rpm//boot/vmlinuz': No such file or directory
> [  205s] mk_image: failed to move /boot/vmlinuz to /loader/linux
> [  205s]  in data/boot/boot.file_list line 11.
Comment 27 Jiri Slaby 2021-07-12 04:48:56 UTC
Another fallout: installing the master/stable kernel on Leap is broken with modules in /usr/lib now. I am going to revert the change in stable until the two issues get resolved.
Comment 28 Jiri Slaby 2021-07-12 06:26:51 UTC
(In reply to Jiri Slaby from comment #27)
> Another fallout: installing the master/stable kernel on Leap is broken with
> modules in /usr/lib now. I am going to revert the change in stable until the
> two issues get resolved.

And the culprit is:
# ll /boot/initrd*
lrwxrwxrwx 1 root root       32 Jul 12 08:22 initrd -> initrd-5.13.1-1.gbebf622-default
-rw------- 1 root root 12074304 Jun 23 08:08 initrd-5.3.18-255.g819abd3-default

That is: no initrd generated...
Comment 29 Takashi Iwai 2021-07-12 07:36:12 UTC
(In reply to Jiri Slaby from comment #27)
> Another fallout: installing the master/stable kernel on Leap is broken with
> modules in /usr/lib now. I am going to revert the change in stable until the
> two issues get resolved.

Just to be sure: are you testing the kernel in OBS Kernel:stable, or in Kernel:stable:Backport?  The repo for installable stable kernels on Leap systems is the latter one, and the former is only for TW systems.
Comment 30 Jiri Slaby 2021-07-12 08:18:37 UTC
(In reply to Takashi Iwai from comment #29)
> Just to be sure: are you testing the kernel in OBS Kernel:stable, or in
> Kernel:stable:Backport?  The repo for installable stable kernels on Leap
> systems is the latter one, and the former is only for TW systems.

I installed the one from Kernel:stable as usual (following a report in Kernel:stable project comment). So, we should add some sort of dependence to Kernel:stable kernels. For example (untested):
%if UsrMerge
Requires: suse-release > 15
%endif

Kernel:stable:Backport indeed works.
Comment 31 Takashi Iwai 2021-07-12 08:44:19 UTC
(In reply to Jiri Slaby from comment #30)
> So, we should add some sort of dependence to
> Kernel:stable kernels. For example (untested):
> %if UsrMerge
> Requires: suse-release > 15
> %endif

A good idea, let's take something like this for avoiding the pitfalls.
Comment 32 Michal Suchanek 2021-07-12 12:14:37 UTC
(In reply to Takashi Iwai from comment #31)
> (In reply to Jiri Slaby from comment #30)
> > So, we should add some sort of dependence to
> > Kernel:stable kernels. For example (untested):
> > %if UsrMerge
> > Requires: suse-release > 15
> > %endif
> 
> A good idea, let's take something like this for avoiding the pitfalls.

Sorry, there is no way to detect usrmerge. It has been asked for in the usrmerge thread and it was rejected.

On Leap I see

suse-release = 15.3-lp153.146.1

which is arguably > 15

On TW there is 

suse-release = 20210606-1005.1

so if you wanted a hack 

%if %usrmerged
Requires: suse-release > 16
%endif

might work
Comment 33 Jiri Slaby 2021-07-12 15:32:04 UTC
(In reply to Michal Suchanek from comment #32)
> Sorry, there is no way to detect usrmerge. It has been asked for in the
> usrmerge thread and it was rejected.

Maybe it's time to reconsider? (I don't know the details, nor do I know what msg/thread this was.)

> On Leap I see
> 
> suse-release = 15.3-lp153.146.1
> 
> which is arguably > 15
> 
> On TW there is 
> 
> suse-release = 20210606-1005.1
> 
> so if you wanted a hack 
> 
> %if %usrmerged
> Requires: suse-release > 16
> %endif
> 
> might work

Yeah, that's weird. I'd assumed to do it the same thing we are doing for cross-distribution ifs where TW check is:
%if 0%{?suse_version} > 1500


All this is a mess :/. *-product could provide /usr/merged for usrmerged releases. And Kernel would just do the %if above and "Requires: /usr/merged" in it.


BTW, it looks like (maybe) pesign-obs-integration is broken by this change too (bug 1188142). All this has to be resolved before I revert the revert I did in the morning...
Comment 34 Takashi Iwai 2021-07-12 16:10:23 UTC
(In reply to Jiri Slaby from comment #33)
> (In reply to Michal Suchanek from comment #32)
> > Sorry, there is no way to detect usrmerge. It has been asked for in the
> > usrmerge thread and it was rejected.
> 
> Maybe it's time to reconsider? (I don't know the details, nor do I know what
> msg/thread this was.)

I also support having some usable and reasonable rpm condition to check UsrMerge.  e.g. we'd want to have a check in kernel-firmware package.  Already it has bitten lots of people and been reported as bugs.
Comment 39 Michal Suchanek 2021-07-16 13:03:35 UTC
TW snapshot 20210602 (suse-release 20210602.something) brought GCC11 and supposedly usrmerge was brought together
TW snapshot 20210609 filesystem (15.5 -> 84.87)

-> filesystem 84.87 is usrmerged
Comment 41 Swamp Workflow Management 2021-07-20 16:20:02 UTC
SUSE-SU-2021:2408-1: An update that solves 5 vulnerabilities and has 18 fixes is now available.

Category: security (important)
Bug References: 1065729,1085224,1094840,1152472,1152489,1170511,1179243,1183871,1184114,1184804,1185308,1185791,1187215,1187585,1188036,1188062,1188080,1188116,1188121,1188176,1188267,1188268,1188269
CVE References: CVE-2021-22555,CVE-2021-33909,CVE-2021-35039,CVE-2021-3609,CVE-2021-3612
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Public Cloud 15-SP2 (src):    kernel-azure-5.3.18-18.58.1, kernel-source-azure-5.3.18-18.58.1, kernel-syms-azure-5.3.18-18.58.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 44 OBSbugzilla Bot 2021-07-21 11:11:10 UTC
This is an autogenerated message for OBS integration:
This bug (1184804) was mentioned in
https://build.opensuse.org/request/show/907471 15.2 / kernel-source
Comment 45 Swamp Workflow Management 2021-07-21 16:25:40 UTC
SUSE-SU-2021:2438-1: An update that solves 5 vulnerabilities and has 18 fixes is now available.

Category: security (important)
Bug References: 1065729,1085224,1094840,1152472,1152489,1170511,1179243,1183871,1184114,1184804,1185308,1185791,1187215,1187585,1188036,1188062,1188080,1188116,1188121,1188176,1188267,1188268,1188269
CVE References: CVE-2021-22555,CVE-2021-33909,CVE-2021-35039,CVE-2021-3609,CVE-2021-3612
JIRA References: 
Sources used:
SUSE MicroOS 5.0 (src):    kernel-default-5.3.18-24.75.3, kernel-default-base-5.3.18-24.75.3.9.34.3
SUSE Linux Enterprise Workstation Extension 15-SP2 (src):    kernel-default-5.3.18-24.75.3, kernel-preempt-5.3.18-24.75.3
SUSE Linux Enterprise Module for Live Patching 15-SP2 (src):    kernel-default-5.3.18-24.75.3, kernel-livepatch-SLE15-SP2_Update_17-1-5.3.3
SUSE Linux Enterprise Module for Legacy Software 15-SP2 (src):    kernel-default-5.3.18-24.75.3
SUSE Linux Enterprise Module for Development Tools 15-SP2 (src):    kernel-docs-5.3.18-24.75.2, kernel-obs-build-5.3.18-24.75.3, kernel-preempt-5.3.18-24.75.3, kernel-source-5.3.18-24.75.2, kernel-syms-5.3.18-24.75.1
SUSE Linux Enterprise Module for Basesystem 15-SP2 (src):    kernel-default-5.3.18-24.75.3, kernel-default-base-5.3.18-24.75.3.9.34.3, kernel-preempt-5.3.18-24.75.3, kernel-source-5.3.18-24.75.2
SUSE Linux Enterprise High Availability 15-SP2 (src):    kernel-default-5.3.18-24.75.3

Comment 46 Swamp Workflow Management 2021-07-22 10:22:03 UTC
openSUSE-SU-2021:1076-1: An update that solves 5 vulnerabilities and has 24 fixes is now available.

Category: security (important)
Bug References: 1065729,1085224,1094840,1152472,1152489,1155518,1170511,1176940,1179243,1180092,1183871,1184114,1184804,1185308,1185791,1186206,1187215,1187585,1188036,1188062,1188080,1188116,1188121,1188176,1188267,1188268,1188269,1188405,1188445
CVE References: CVE-2021-22555,CVE-2021-33909,CVE-2021-35039,CVE-2021-3609,CVE-2021-3612
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    kernel-debug-5.3.18-lp152.84.1, kernel-default-5.3.18-lp152.84.1, kernel-default-base-5.3.18-lp152.84.1.lp152.8.38.1, kernel-docs-5.3.18-lp152.84.1, kernel-kvmsmall-5.3.18-lp152.84.1, kernel-obs-build-5.3.18-lp152.84.1, kernel-obs-qa-5.3.18-lp152.84.1, kernel-preempt-5.3.18-lp152.84.1, kernel-source-5.3.18-lp152.84.1, kernel-syms-5.3.18-lp152.84.1
Comment 48 Ludwig Nussel 2021-07-26 08:00:05 UTC
(In reply to Takashi Iwai from comment #34)
> (In reply to Jiri Slaby from comment #33)
> > (In reply to Michal Suchanek from comment #32)
> > > Sorry, there is no way to detect usrmerge. It has been asked for in the
> > > usrmerge thread and it was rejected.
> > 
> > Maybe it's time to reconsider? (I don't know the details, nor do I know what
> > msg/thread this was.)
> 
> I also support having some usable and reasonable rpm condition to check
> UsrMerge.  e.g. we'd want to have a check in kernel-firmware package. 
> Already it has bitten lots of people and been reported as bugs.

Factory is UsrMerged. So if you are using %suse_version in the spec file to check if a package is building for Factory you also know when it's usrmerged. Anyway, different discussion. Feel free to include me in kernel-firmware bugs related to usrmerge.
Comment 49 Takashi Iwai 2021-07-26 08:07:57 UTC
(In reply to Ludwig Nussel from comment #48)
> (In reply to Takashi Iwai from comment #34)
> > (In reply to Jiri Slaby from comment #33)
> > > (In reply to Michal Suchanek from comment #32)
> > > > Sorry, there is no way to detect usrmerge. It has been asked for in the
> > > > usrmerge thread and it was rejected.
> > > 
> > > Maybe it's time to reconsider? (I don't know the details, nor do I know what
> > > msg/thread this was.)
> > 
> > I also support having some usable and reasonable rpm condition to check
> > UsrMerge.  e.g. we'd want to have a check in kernel-firmware package. 
> > Already it has bitten lots of people and been reported as bugs.
> 
> Factory is UsrMerged. So if you are using %suse_version in the spec file to
> check if a package is building for Factory you also know when it's
> usrmerged. Anyway, different discussion. Feel free to include me in
> kernel-firmware bugs related to usrmerge.

Well, the point is how to detect and conflict if a package is for UsrMerge but the installed system isn't.  People try to update a firmware package built for TW onto a Leap system like before, and it breaks suddenly now.

Anyway, the kernel has already a check for such a case, and I copied a part of them to firmware packages, too.
Comment 51 Ludwig Nussel 2021-07-28 13:16:14 UTC
(In reply to Takashi Iwai from comment #49)
> (In reply to Ludwig Nussel from comment #48)
> > (In reply to Takashi Iwai from comment #34)
> > > (In reply to Jiri Slaby from comment #33)
> > > > (In reply to Michal Suchanek from comment #32)
> > > > > Sorry, there is no way to detect usrmerge. It has been asked for in the
> > > > > usrmerge thread and it was rejected.
> > > > 
> > > > Maybe it's time to reconsider? (I don't know the details, nor do I know what
> > > > msg/thread this was.)
> > > 
> > > I also support having some usable and reasonable rpm condition to check
> > > UsrMerge.  e.g. we'd want to have a check in kernel-firmware package. 
> > > Already it has bitten lots of people and been reported as bugs.
> > 
> > Factory is UsrMerged. So if you are using %suse_version in the spec file to
> > check if a package is building for Factory you also know when it's
> > usrmerged. Anyway, different discussion. Feel free to include me in
> > kernel-firmware bugs related to usrmerge.
> 
> Well, the point is how to detect and conflict if a package is for UsrMerge
> but the installed system isn't.  People try to update a firmware package
> built for TW onto a Leap system like before, and it breaks suddenly now.

Can happen with anything you take from TW. Packages are hardly strictly tied to a specific distro.

> Anyway, the kernel has already a check for such a case, and I copied a part
> of them to firmware packages, too.

%if 0%{?suse_version} >= 1550
# make sure we have post-usrmerge filesystem package on TW
Conflicts:      filesystem < 84
%endif

That might cause issues in the future. Assuming SLE16 would use version 16 for the filesystem package the above condition would cause a conflict. You may want to use
Conflicts:      filesystem <= 15
Comment 52 Steffen Winterfeldt 2021-07-28 13:25:33 UTC
Cannot filesystem provide, say, 'usrmerge' and you Require or Conflict that
instead of some number?
Comment 53 Jiri Slaby 2021-07-29 04:27:36 UTC
(In reply to Ludwig Nussel from comment #51)
> (In reply to Takashi Iwai from comment #49)
> > Well, the point is how to detect and conflict if a package is for UsrMerge
> > but the installed system isn't.  People try to update a firmware package
> > built for TW onto a Leap system like before, and it breaks suddenly now.
> 
> Can happen with anything you take from TW. Packages are hardly strictly tied
> to a specific distro.

But the kernel is different. We always advertised Kernel:* can be installed on any distro...
Comment 54 Michal Suchanek 2021-07-29 08:46:47 UTC
(In reply to Ludwig Nussel from comment #51)
> (In reply to Takashi Iwai from comment #49)

> > Anyway, the kernel has already a check for such a case, and I copied a part
> > of them to firmware packages, too.
> 
> %if 0%{?suse_version} >= 1550
> # make sure we have post-usrmerge filesystem package on TW
> Conflicts:      filesystem < 84
> %endif
> 
> That might cause issues in the future. Assuming SLE16 would use version 16
> for the filesystem package the above condition would cause a conflict. You
> may want to use
> Conflicts:      filesystem <= 15

It sounds like filesystem-15.0-11.3.2.x86_64 from 15.3 would fulfill this condition which is wrong.

If anything it should be 

Conflicts:      filesystem < 16

and in any case it assumes the future v16 which is not yet released is usrmerged. Although it's likely we just don't know at this point.
Comment 55 Michal Suchanek 2021-07-29 08:48:10 UTC
(In reply to Steffen Winterfeldt from comment #52)
> Cannot filesystem provide, say, 'usrmerge' and you Require or Conflict that
> instead of some number?

Yes, that would be really helpful.
Comment 56 Ludwig Nussel 2021-07-30 12:15:26 UTC
(In reply to Steffen Winterfeldt from comment #52)
> Cannot filesystem provide, say, 'usrmerge' and you Require or Conflict that
> instead of some number?

Usually you do not require the filesystem package at all. So you would have to use boolean deps, i.e. something like Conflicts: (filesystem without usrmerge). No idea if that actually works, never tried.
Comment 57 Ludwig Nussel 2021-07-30 12:17:39 UTC
(In reply to Jiri Slaby from comment #53)
> (In reply to Ludwig Nussel from comment #51)
> > (In reply to Takashi Iwai from comment #49)
> > > Well, the point is how to detect and conflict if a package is for UsrMerge
> > > but the installed system isn't.  People try to update a firmware package
> > > built for TW onto a Leap system like before, and it breaks suddenly now.
> > 
> > Can happen with anything you take from TW. Packages are hardly strictly tied
> > to a specific distro.
> 
> But the kernel is different. We always advertised Kernel:* can be installed
> on any distro...

Well, in the case here you can. It's just not guaranteed that it works without adding some compat symlinks or install other adjusted userspace tooling. The safeguards discussed here ie conflicting with the filesystem package actually do prevent installation on older distros though (or cause severe havoc if someone tries to "fix" that by installing filesystem).
Comment 58 Ludwig Nussel 2021-07-30 12:20:02 UTC
(In reply to Michal Suchanek from comment #54)
>  [..]
> If anything it should be 
> 
> Conflicts:      filesystem < 16
> 
> and in any case it assumes the future v16 which is not yet released is
> usrmerged. Although it's likely we just don't know at this point.

Ah, yes of course. Whatever the next version might be we have to assume it increases the major version by at least one :-)
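
Added example (not part of the original thread and not RPM's own code): a Python re-implementation of RPM's segment-wise version comparison, used to evaluate the guards proposed in comments 30 to 58 against the version strings quoted in the thread. The function names are made up for this sketch, caret (`^`) handling is omitted, and `16.0` stands in for the hypothetical future filesystem release assumed in comment 51.

```python
import re

# One token per run of digits, run of letters, or a tilde. Everything else
# (".", "_", "+", ...) only separates segments, as in RPM's rpmvercmp().
# Assumption of this sketch: "^" is not handled and acts as a separator.
_TOKEN = re.compile(r"[0-9]+|[A-Za-z]+|~")


def rpmvercmp(a, b):
    """Return -1, 0 or 1 as a is older than, equal to or newer than b."""
    ta, tb = _TOKEN.findall(a), _TOKEN.findall(b)
    for i in range(max(len(ta), len(tb))):
        x = ta[i] if i < len(ta) else None
        y = tb[i] if i < len(tb) else None
        if x == "~" or y == "~":        # a tilde sorts before anything, even end of string
            if x == y:
                continue
            return -1 if x == "~" else 1
        if x is None or y is None:      # the side with segments left over is newer
            return -1 if x is None else 1
        if x.isdigit() != y.isdigit():  # a numeric segment beats an alphabetic one
            return 1 if x.isdigit() else -1
        if x.isdigit():
            x, y = x.lstrip("0"), y.lstrip("0")
            if len(x) != len(y):        # more digits means a larger number
                return 1 if len(x) > len(y) else -1
        if x != y:
            return 1 if x > y else -1
    return 0


def parse_evr(evr):
    """Split '[epoch:]version[-release]'; a missing release is None."""
    epoch, rest = "0", evr
    head, sep, tail = evr.partition(":")
    if sep and head.isdigit():
        epoch, rest = head, tail
    version, sep, release = rest.rpartition("-")
    if not sep:
        version, release = rest, None
    return epoch, version, release


def compare_evr(installed, wanted):
    e1, v1, r1 = parse_evr(installed)
    e2, v2, r2 = parse_evr(wanted)
    for x, y in ((e1, e2), (v1, v2)):
        c = rpmvercmp(x, y)
        if c:
            return c
    # A dependency written without a release ("filesystem < 16") matches on
    # epoch and version only.
    if r1 is None or r2 is None:
        return 0
    return rpmvercmp(r1, r2)


_OPS = {
    "<": lambda c: c < 0, "<=": lambda c: c <= 0, "=": lambda c: c == 0,
    ">=": lambda c: c >= 0, ">": lambda c: c > 0,
}


def matches(installed, op, wanted):
    """True if a package providing `installed` satisfies '<name> op wanted'."""
    return _OPS[op](compare_evr(installed, wanted))


# (name, provided EVR, operator, EVR in the spec guard). All EVRs are quoted
# from the thread except "16.0", the hypothetical future filesystem release.
CASES = [
    ("suse-release", "15.3-lp153.146.1", ">", "15"),   # Leap passes the first guard
    ("suse-release", "15.3-lp153.146.1", ">", "16"),
    ("suse-release", "20210606-1005.1", ">", "16"),    # Tumbleweed snapshot
    ("suse-release", "1-33.4", ">", "20210602"),       # staging provider, comment 67
    ("filesystem", "15.0-11.3.2", "<=", "15"),         # "15.0" sorts above "15"
    ("filesystem", "15.0-11.3.2", "<", "16"),
    ("filesystem", "15.5", "<=", "15"),                # pre-usrmerge Tumbleweed
    ("filesystem", "15.5", "<", "16"),
    ("filesystem", "84.87", "<", "84"),
    ("filesystem", "84.87", "<", "16"),
    ("filesystem", "16.0", "<", "84"),                 # hypothetical release
    ("filesystem", "16.0", "<", "16"),
]


def evaluate():
    return [(n, evr, op, want, matches(evr, op, want)) for n, evr, op, want in CASES]


if __name__ == "__main__":
    for name, evr, op, want, hit in evaluate():
        print(f"{name} = {evr:18} {op:2} {want:9} -> {hit}")
```

For a `Conflicts:` line a result of `True` means installation is blocked; for a `Requires:` line it means the requirement is met.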
Comment 59 OBSbugzilla Bot 2021-08-02 14:40:40 UTC
This is an autogenerated message for OBS integration:
This bug (1184804) was mentioned in
https://build.opensuse.org/request/show/909804 Factory / pesign-obs-integration
Comment 61 Swamp Workflow Management 2021-08-03 16:17:29 UTC
SUSE-SU-2021:2599-1: An update that solves four vulnerabilities, contains three features and has 23 fixes is now available.

Category: security (important)
Bug References: 1065729,1085224,1094840,1152472,1152489,1155518,1170511,1179243,1180092,1183871,1184114,1184804,1185308,1185791,1186206,1187215,1187585,1188036,1188080,1188116,1188121,1188176,1188267,1188268,1188269,1188405,1188525
CVE References: CVE-2021-22555,CVE-2021-35039,CVE-2021-3609,CVE-2021-3612
JIRA References: SLE-17042,SLE-17043,SLE-17268
Sources used:
SUSE Linux Enterprise Module for Realtime 15-SP2 (src):    kernel-rt-5.3.18-45.3, kernel-rt_debug-5.3.18-45.3, kernel-source-rt-5.3.18-45.3, kernel-syms-rt-5.3.18-45.2

Comment 67 Jiri Slaby 2021-08-05 08:46:32 UTC
The current solution breaks stagings as dimstars notes:
<dimstar_suse> https://build.opensuse.org/project/monitor/openSUSE:Factory:Staging:K?arch_x86_64=1&defaults=0&repo_standard=1&unresolvable=1
<dimstar_suse> nothing provides suse-release > 20210602 needed by kernel-default, (got version 1-33.4 provided by MicroOS-release), (got version 1-33.4 provided by openSUSE-release)

(In reply to Steffen Winterfeldt from comment #52)
> Cannot filesystem provide, say, 'usrmerge' and you Require or Conflict that
> instead of some number?

So what about this?
Comment 68 Dominique Leuenberger 2021-08-05 08:50:11 UTC
(In reply to Jiri Slaby from comment #67)
> (In reply to Steffen Winterfeldt from comment #52)
> > Cannot filesystem provide, say, 'usrmerge' and you Require or Conflict that
> > instead of some number?
> 
> So what about this?

It should not 'just require filesystem', I'd rather do something like:
> Conflicts: (filesystem without usrmerge) # hoping zypp understands that
or
> Requires: (filesystem with usrmerge if usrmerge)

(both requiring filesystem to add the capability to the provides)

Alternatively, the Conflicts: filesystem < 16 would be sufficient for most cases (if a user takes a really old TW snapshot and tries to install the kernel; those would not be protected)
Comment 69 Michael Chang 2021-08-05 10:04:40 UTC
Hi,

Sorry to disturb you. I came to this place from:

https://build.opensuse.org/request/show/910116

To verify the fix I have to set up a UsrMerge kernel, but was not successful with installing kernel-default from Kernel:stable. FYI using these commands from tumbleweed.

> zypper addrepo https://download.opensuse.org/repositories/Kernel:stable/standard/Kernel:stable.repo
> zypper refresh
> zypper install kernel-default-5.13.8-1.1.g14162fe.x86_64

Please kindly advise me what I could have missed. Thanks in advance.
Comment 70 Swamp Workflow Management 2021-08-05 15:31:46 UTC
SUSE-SU-2021:2599-2: An update that solves four vulnerabilities, contains three features and has 23 fixes is now available.

Category: security (important)
Bug References: 1065729,1085224,1094840,1152472,1152489,1155518,1170511,1179243,1180092,1183871,1184114,1184804,1185308,1185791,1186206,1187215,1187585,1188036,1188080,1188116,1188121,1188176,1188267,1188268,1188269,1188405,1188525
CVE References: CVE-2021-22555,CVE-2021-35039,CVE-2021-3609,CVE-2021-3612
JIRA References: SLE-17042,SLE-17043,SLE-17268
Sources used:
SUSE MicroOS 5.0 (src):    kernel-rt-5.3.18-45.3

Comment 71 Ludwig Nussel 2021-08-06 13:49:34 UTC
(In reply to Michael Chang from comment #69)
> Hi,
> 
> Sorry to disturb you. I came to this place from:
> 
> https://build.opensuse.org/request/show/910116
> 
> To verify the fix I have to set up a UsrMerge kernel, but was not successful
> with installing kernel-default from Kernel:stable. FYI using these commands
> from tumbleweed.
> 
> > zypper addrepo https://download.opensuse.org/repositories/Kernel:stable/standard/Kernel:stable.repo
> > zypper refresh
> > zypper install kernel-default-5.13.8-1.1.g14162fe.x86_64
> 
> Please kindly advise me what I could have missed. Thanks in advance.

What's the error? If it's related to secure boot it probably needs https://build.opensuse.org/request/show/910151. Should get checked in any minute so I guess available Monday.
Comment 72 Michael Chang 2021-08-09 06:11:22 UTC
(In reply to Ludwig Nussel from comment #71)
> (In reply to Michael Chang from comment #69)

> What's the error? If it's related to secure boot it probably needs
> https://build.opensuse.org/request/show/910151. Should get checked in any
> minute so I guess available Monday.

Thanks. Although I did run into the secure boot error on my test, the problem I wanted to check here was different.

I installed kernel-default from Kernel:stable but didn't see the symlink
  /boot/$name-$kver to (/usr)/lib/modules/$kver/$name
created as outlined by the discussion on opensuse-kernel mailing list, subject "Getting the kernel out of /boot".

Is it intended? Should I use another repo to test that?

Thanks for the time and patience.
Comment 73 Michael Chang 2021-08-09 06:33:24 UTC
(In reply to Michael Chang from comment #72)
> (In reply to Ludwig Nussel from comment #71)
> > (In reply to Michael Chang from comment #69)

> Is it intended? Should I use another repo to test that?

Scratch that. I have installed the kernel-default from Kernel:Head and that works for me to have a UsrMerge (/boot to /usr/..) to test.
Comment 74 Ludwig Nussel 2021-08-09 06:46:02 UTC
AFAIK Kernel:stable doesn't have the usrmerge change anymore so should actually work
Comment 75 Swamp Workflow Management 2021-08-10 13:19:46 UTC
openSUSE-SU-2021:2645-1: An update that solves 7 vulnerabilities and has 58 fixes is now available.

Category: security (important)
Bug References: 1065729,1085224,1094840,1113295,1152472,1152489,1153274,1154353,1155518,1156395,1170511,1176447,1176940,1179243,1180092,1180814,1183871,1184114,1184350,1184631,1184804,1185308,1185377,1185791,1186194,1186206,1186482,1186483,1187215,1187476,1187495,1187585,1188036,1188080,1188101,1188121,1188126,1188176,1188267,1188268,1188269,1188323,1188366,1188405,1188445,1188504,1188620,1188683,1188703,1188720,1188746,1188747,1188748,1188752,1188770,1188771,1188772,1188773,1188774,1188777,1188838,1188876,1188885,1188893,1188973
CVE References: CVE-2021-21781,CVE-2021-22543,CVE-2021-35039,CVE-2021-3609,CVE-2021-3612,CVE-2021-3659,CVE-2021-37576
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    kernel-azure-5.3.18-38.17.1, kernel-source-azure-5.3.18-38.17.1, kernel-syms-azure-5.3.18-38.17.1
Comment 76 Swamp Workflow Management 2021-08-10 13:28:37 UTC
SUSE-SU-2021:2645-1: An update that solves 7 vulnerabilities and has 58 fixes is now available.

Category: security (important)
Bug References: 1065729,1085224,1094840,1113295,1152472,1152489,1153274,1154353,1155518,1156395,1170511,1176447,1176940,1179243,1180092,1180814,1183871,1184114,1184350,1184631,1184804,1185308,1185377,1185791,1186194,1186206,1186482,1186483,1187215,1187476,1187495,1187585,1188036,1188080,1188101,1188121,1188126,1188176,1188267,1188268,1188269,1188323,1188366,1188405,1188445,1188504,1188620,1188683,1188703,1188720,1188746,1188747,1188748,1188752,1188770,1188771,1188772,1188773,1188774,1188777,1188838,1188876,1188885,1188893,1188973
CVE References: CVE-2021-21781,CVE-2021-22543,CVE-2021-35039,CVE-2021-3609,CVE-2021-3612,CVE-2021-3659,CVE-2021-37576
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Public Cloud 15-SP3 (src):    kernel-azure-5.3.18-38.17.1, kernel-source-azure-5.3.18-38.17.1, kernel-syms-azure-5.3.18-38.17.1

Comment 77 Swamp Workflow Management 2021-08-10 13:36:54 UTC
SUSE-SU-2021:2646-1: An update that solves four vulnerabilities and has 38 fixes is now available.

Category: security (important)
Bug References: 1065729,1085224,1094840,1113295,1153274,1154353,1155518,1156395,1176940,1179243,1180092,1183871,1184114,1184350,1184631,1184804,1185377,1185902,1186194,1186206,1186482,1186483,1187476,1188101,1188405,1188445,1188504,1188620,1188683,1188746,1188747,1188748,1188770,1188771,1188772,1188773,1188774,1188777,1188838,1188876,1188885,1188973
CVE References: CVE-2021-21781,CVE-2021-22543,CVE-2021-3659,CVE-2021-37576
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Public Cloud 15-SP2 (src):    kernel-azure-5.3.18-18.61.1, kernel-source-azure-5.3.18-18.61.1, kernel-syms-azure-5.3.18-18.61.1

Comment 78 Swamp Workflow Management 2021-08-10 13:44:04 UTC
SUSE-SU-2021:2643-1: An update that solves 10 vulnerabilities, contains one feature and has 33 fixes is now available.

Category: security (important)
Bug References: 1065729,1085224,1094840,1113295,1153720,1170511,1176724,1176931,1176940,1179195,1181161,1183871,1184114,1184350,1184804,1185032,1185308,1185377,1185791,1185995,1186206,1186482,1186672,1187038,1187050,1187215,1187476,1187585,1187846,1188026,1188062,1188101,1188116,1188273,1188274,1188405,1188620,1188750,1188838,1188842,1188876,1188885,1188973
CVE References: CVE-2020-0429,CVE-2020-36385,CVE-2020-36386,CVE-2021-22543,CVE-2021-22555,CVE-2021-33909,CVE-2021-3609,CVE-2021-3612,CVE-2021-3659,CVE-2021-37576
JIRA References: SLE-10538
Sources used:
SUSE Linux Enterprise Real Time Extension 12-SP5 (src):    kernel-rt-4.12.14-10.54.1, kernel-rt_debug-4.12.14-10.54.1, kernel-source-rt-4.12.14-10.54.1, kernel-syms-rt-4.12.14-10.54.1

Comment 79 Swamp Workflow Management 2021-08-10 13:53:35 UTC
SUSE-SU-2021:2647-1: An update that solves 5 vulnerabilities and has 25 fixes is now available.

Category: security (important)
Bug References: 1065729,1085224,1094840,1113295,1176724,1176931,1176940,1179195,1181161,1183871,1184114,1184350,1184804,1185377,1186206,1186482,1186483,1186672,1187038,1187476,1187846,1188026,1188101,1188405,1188620,1188750,1188838,1188876,1188885,1188973
CVE References: CVE-2020-0429,CVE-2020-36386,CVE-2021-22543,CVE-2021-3659,CVE-2021-37576
JIRA References: 
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP5 (src):    kernel-default-4.12.14-122.83.1
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    kernel-docs-4.12.14-122.83.1, kernel-obs-build-4.12.14-122.83.1
SUSE Linux Enterprise Server 12-SP5 (src):    kernel-default-4.12.14-122.83.1, kernel-source-4.12.14-122.83.1, kernel-syms-4.12.14-122.83.1
SUSE Linux Enterprise Live Patching 12-SP5 (src):    kernel-default-4.12.14-122.83.1, kgraft-patch-SLE12-SP5_Update_22-1-8.3.1
SUSE Linux Enterprise High Availability 12-SP5 (src):    kernel-default-4.12.14-122.83.1

Comment 80 Swamp Workflow Management 2021-08-10 13:58:33 UTC
SUSE-SU-2021:2644-1: An update that solves 5 vulnerabilities and has 25 fixes is now available.

Category: security (important)
Bug References: 1065729,1085224,1094840,1113295,1176724,1176931,1176940,1179195,1181161,1183871,1184114,1184350,1184804,1185377,1186206,1186482,1186483,1186672,1187038,1187476,1187846,1188026,1188101,1188405,1188620,1188750,1188838,1188876,1188885,1188973
CVE References: CVE-2020-0429,CVE-2020-36386,CVE-2021-22543,CVE-2021-3659,CVE-2021-37576
JIRA References: 
Sources used:
SUSE Linux Enterprise Server 12-SP5 (src):    kernel-azure-4.12.14-16.68.1, kernel-source-azure-4.12.14-16.68.1, kernel-syms-azure-4.12.14-16.68.1

Comment 81 Ludwig Nussel 2021-08-10 14:28:01 UTC
Jiri, the fixes for pesign-obs-integration and installation-images are in. Worth giving revert of b6ab3ded319fca797d007c541a190a308f940cf7 a try.
Comment 82 Jiri Slaby 2021-08-11 07:11:35 UTC
(In reply to Ludwig Nussel from comment #81)
> Jiri, the fixes for pesign-obs-integration and installation-images are in.
> Worth giving revert of b6ab3ded319fca797d007c541a190a308f940cf7 a try.

OK, great:
https://build.opensuse.org/request/show/911374
Comment 83 Swamp Workflow Management 2021-08-14 13:24:31 UTC
openSUSE-SU-2021:2687-1: An update that solves 7 vulnerabilities and has 58 fixes is now available.

Category: security (important)
Bug References: 1065729,1085224,1094840,1113295,1152472,1152489,1153274,1154353,1155518,1156395,1170511,1176447,1176940,1179243,1180092,1180814,1183871,1184114,1184350,1184631,1184804,1185308,1185377,1185791,1186194,1186206,1186482,1186483,1187215,1187476,1187495,1187585,1188036,1188080,1188101,1188121,1188126,1188176,1188267,1188268,1188269,1188323,1188366,1188405,1188445,1188504,1188620,1188683,1188703,1188720,1188746,1188747,1188748,1188752,1188770,1188771,1188772,1188773,1188774,1188777,1188838,1188876,1188885,1188893,1188973
CVE References: CVE-2021-21781,CVE-2021-22543,CVE-2021-35039,CVE-2021-3609,CVE-2021-3612,CVE-2021-3659,CVE-2021-37576
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    dtb-aarch64-5.3.18-59.19.1, kernel-64kb-5.3.18-59.19.1, kernel-debug-5.3.18-59.19.1, kernel-default-5.3.18-59.19.1, kernel-default-base-5.3.18-59.19.1.18.10.1, kernel-docs-5.3.18-59.19.1, kernel-kvmsmall-5.3.18-59.19.1, kernel-obs-build-5.3.18-59.19.1, kernel-obs-qa-5.3.18-59.19.1, kernel-preempt-5.3.18-59.19.1, kernel-source-5.3.18-59.19.1, kernel-syms-5.3.18-59.19.1, kernel-zfcpdump-5.3.18-59.19.1
Comment 84 Swamp Workflow Management 2021-08-14 13:33:38 UTC
SUSE-SU-2021:2687-1: An update that solves 7 vulnerabilities and has 58 fixes is now available.

Category: security (important)
Bug References: 1065729,1085224,1094840,1113295,1152472,1152489,1153274,1154353,1155518,1156395,1170511,1176447,1176940,1179243,1180092,1180814,1183871,1184114,1184350,1184631,1184804,1185308,1185377,1185791,1186194,1186206,1186482,1186483,1187215,1187476,1187495,1187585,1188036,1188080,1188101,1188121,1188126,1188176,1188267,1188268,1188269,1188323,1188366,1188405,1188445,1188504,1188620,1188683,1188703,1188720,1188746,1188747,1188748,1188752,1188770,1188771,1188772,1188773,1188774,1188777,1188838,1188876,1188885,1188893,1188973
CVE References: CVE-2021-21781,CVE-2021-22543,CVE-2021-35039,CVE-2021-3609,CVE-2021-3612,CVE-2021-3659,CVE-2021-37576
JIRA References: 
Sources used:
SUSE Linux Enterprise Workstation Extension 15-SP3 (src):    kernel-default-5.3.18-59.19.1, kernel-preempt-5.3.18-59.19.1
SUSE Linux Enterprise Module for Live Patching 15-SP3 (src):    kernel-default-5.3.18-59.19.1, kernel-livepatch-SLE15-SP3_Update_5-1-7.3.1
SUSE Linux Enterprise Module for Legacy Software 15-SP3 (src):    kernel-default-5.3.18-59.19.1
SUSE Linux Enterprise Module for Development Tools 15-SP3 (src):    kernel-docs-5.3.18-59.19.1, kernel-obs-build-5.3.18-59.19.1, kernel-preempt-5.3.18-59.19.1, kernel-source-5.3.18-59.19.1, kernel-syms-5.3.18-59.19.1
SUSE Linux Enterprise Module for Basesystem 15-SP3 (src):    kernel-64kb-5.3.18-59.19.1, kernel-default-5.3.18-59.19.1, kernel-default-base-5.3.18-59.19.1.18.10.1, kernel-preempt-5.3.18-59.19.1, kernel-source-5.3.18-59.19.1, kernel-zfcpdump-5.3.18-59.19.1
SUSE Linux Enterprise High Availability 15-SP3 (src):    kernel-default-5.3.18-59.19.1

Comment 85 Jiri Slaby 2021-08-16 06:36:03 UTC
sr#911374 declined with this comment "Needs changes in mkinitrd first" by Fabian.
Comment 86 Ludwig Nussel 2021-08-16 07:16:47 UTC
dracut is in the works, please restage
Comment 87 Fabian Vogt 2021-08-16 07:23:23 UTC
(In reply to Jiri Slaby from comment #85)
> sr#911374 declined with this comment "Needs changes in mkinitrd first" by
> Fabian.

Not actually declined, just moved out of the staging to let the other packages into TW.

[Thursday, 12 August 2021] [10:14:11 CEST] <lnussel> yast seems to call mkinitrd always so wonder why the other dvds don't fail
[Thursday, 12 August 2021] [10:14:15 CEST] <lnussel> ah
[Thursday, 12 August 2021] [10:14:30 CEST] <lnussel> in that case all will fail
[Thursday, 12 August 2021] [10:14:56 CEST] <lnussel> mkinitrd was meant to be dropped though, does anyone know a bug number
[Thursday, 12 August 2021] [10:15:10 CEST] <fvogt> IIRC there was a jira ticket...
[Thursday, 12 August 2021] [10:41:25 CEST] <lnussel> found it but looks like the work is stalled
[Thursday, 12 August 2021] [10:41:29 CEST] <lnussel> so will have to fix mkinitrd
Comment 88 Jiri Slaby 2021-08-17 09:53:11 UTC
So now in microos openqa test:
> Failed to open file '/boot/sysctl.conf-5.13.9-1-default', ignoring: Permission denied

See:
https://openqa.opensuse.org/tests/1876405#step/journal_check/23

Maybe "usrmerged kernel needs selinux policy adjustments?"
Comment 89 Jiri Slaby 2021-08-17 10:57:02 UTC
(In reply to Jiri Slaby from comment #88)
> So now in microos openqa test:
> > Failed to open file '/boot/sysctl.conf-5.13.9-1-default', ignoring: Permission denied
> 
> See:
> https://openqa.opensuse.org/tests/1876405#step/journal_check/23
> 
> Maybe "usrmerged kernel needs selinux policy adjustments?"


> Aug 17 02:16:53.091395 localhost kernel: audit: type=1400 audit(1629166613.084:3): avc:  denied  { search } for  pid=457 comm="systemd-sysctl" name="modules" dev="vda2" ino=833 scontext=system_u:system_r:systemd_sysctl_t:s0 tcontext=system_u:object_r:modules_object_t:s0 tclass=dir permissive=0
> Aug 17 02:16:53.090940 localhost systemd[1]: Mounting FUSE Control File System...
> Aug 17 02:16:53.095085 localhost systemd-sysctl[457]: Failed to open file '/boot/sysctl.conf-5.13.9-1-default', ignoring: Permission denied
Comment 90 Ludwig Nussel 2021-08-17 11:08:30 UTC
Would have been too easy if that worked :-)

Doesn't happen in my test system even though labels of sysctl files vary widely:
l -Z /usr/lib/systemd/systemd-sysctl /lib/modules/*/sysctl.conf /usr/lib/sysctl.d/* /etc/sysctl.conf*
-rw-r--r--. 1 root root system_u:object_r:system_conf_t:s0           196 Jul 27 10:23 /etc/sysctl.conf
-rw-r--r--. 1 root root system_u:object_r:modules_object_t:s0        377 Aug 14 10:23 /lib/modules/5.13.10-2.g1f711ff-kvmsmall/sysctl.conf
-rw-r--r--. 1 root root system_u:object_r:lib_t:s0                  2171 Jul 27 10:23 /usr/lib/sysctl.d/50-default.conf
-rw-r--r--. 1 root root system_u:object_r:lib_t:s0                   252 Jul 27 10:23 /usr/lib/sysctl.d/51-network.conf
-rw-r--r--. 1 root root system_u:object_r:lib_t:s0                    22 May 18 12:14 /usr/lib/sysctl.d/90-kubeadm.conf
lrwxrwxrwx. 1 root root system_u:object_r:lib_t:s0                    24 Aug  4 22:52 /usr/lib/sysctl.d/99-sysctl.conf -> ../../../etc/sysctl.conf
-rw-r--r--. 1 root root system_u:object_r:lib_t:s0                   387 Jul 26 12:52 /usr/lib/sysctl.d/README
-rwxr-xr-x. 1 root root system_u:object_r:systemd_sysctl_exec_t:s0 22832 Aug  4 22:52 /usr/lib/systemd/systemd-sysctl*


Will investigate. Maybe microos loads the policy already in initrd.
Comment 91 Ludwig Nussel 2021-08-17 15:15:49 UTC
It is unclear to me why the issue is not reported in audit.log on regular TW, only in a microos install. The failure happens always. Anyway, the policy could be fixed indeed:
  allow systemd_sysctl_t modules_object_t:dir search;

*shrug*

However I wonder why we have that file at all though. If it ships with the kernel ie is tied to it wouldn't it make more sense to just compile those defaults into the kernel in the first place?

Also, maybe the reasons for those settings are worth revisiting. For example the shm limits were increased upstream some years ago, maybe it's no longer required to override?

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=060028bac94bf60a65415d1d55a359c3a17d5c31

vm.dirty_ratio also seems to default to 20 anyway.
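
Added example (not part of the original thread and not SUSE or SELinux project code): a small Python parser that turns the AVC denial quoted in comment 89 into the allow rule proposed in comment 91, in the spirit of audit2allow. The function names are hypothetical; the sample log lines are copied from comment 89.

```python
import re
from collections import defaultdict

# Journal lines copied from comment 89 of this bug. Only the first one is an
# AVC denial; the other two are unrelated or a consequence of the denial.
SAMPLE_LOG = """\
Aug 17 02:16:53.091395 localhost kernel: audit: type=1400 audit(1629166613.084:3): avc:  denied  { search } for  pid=457 comm="systemd-sysctl" name="modules" dev="vda2" ino=833 scontext=system_u:system_r:systemd_sysctl_t:s0 tcontext=system_u:object_r:modules_object_t:s0 tclass=dir permissive=0
Aug 17 02:16:53.090940 localhost systemd[1]: Mounting FUSE Control File System...
Aug 17 02:16:53.095085 localhost systemd-sysctl[457]: Failed to open file '/boot/sysctl.conf-5.13.9-1-default', ignoring: Permission denied
"""

# "avc:  denied  { perm ... } for  key=value key="value" ..."
AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(context):
    """Return the type field of an SELinux context (user:role:type:level)."""
    parts = context.split(":")
    if len(parts) < 3:
        raise ValueError(f"not an SELinux context: {context!r}")
    return parts[2]


def parse_avc_denials(text):
    """Extract AVC denials from journal or audit.log text.

    Returns one dict per denial with the source type, target type, object
    class, denied permissions, the command name and whether the denial was
    actually enforced (permissive=0).
    """
    denials = []
    for line in text.splitlines():
        match = AVC_RE.search(line)
        if not match:
            continue
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(match.group("fields"))}
        if not {"scontext", "tcontext", "tclass"} <= fields.keys():
            continue  # truncated record, nothing reliable to derive
        denials.append({
            "source": context_type(fields["scontext"]),
            "target": context_type(fields["tcontext"]),
            "tclass": fields["tclass"],
            "perms": set(match.group("perms").split()),
            "comm": fields.get("comm", ""),
            "name": fields.get("name", ""),
            "enforced": fields.get("permissive", "0") == "0",
        })
    return denials


def allow_rules(denials):
    """Merge denials per (source, target, class) and render allow rules."""
    merged = defaultdict(set)
    for d in denials:
        merged[(d["source"], d["target"], d["tclass"])].update(d["perms"])
    rules = []
    for (source, target, tclass), perms in sorted(merged.items()):
        ordered = sorted(perms)
        # A single permission is written bare, several go inside braces.
        perm_text = ordered[0] if len(ordered) == 1 else "{ " + " ".join(ordered) + " }"
        rules.append(f"allow {source} {target}:{tclass} {perm_text};")
    return rules


if __name__ == "__main__":
    found = parse_avc_denials(SAMPLE_LOG)
    for d in found:
        state = "enforced" if d["enforced"] else "permissive (logged only)"
        print(f'{d["comm"]}: {sorted(d["perms"])} on {d["tclass"]} "{d["name"]}" [{state}]')
    for rule in allow_rules(found):
        print(rule)
```

For the sample from comment 89 the only rule produced is the one given in comment 91; any generated rule should be checked against the policy's intent before it is loaded.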
Comment 92 Michal Suchanek 2021-08-17 15:28:39 UTC
If there is a sysctl knob for something we don't patch the kernel but rather ship a configuration file that sets the value - regardless of changing upstream, and sometimes differently in different products, too.

The only case when patching the default makes sense is when the default causes a bug/security problem and it needs to be changed from the time the kernel boots to avoid the issue.
Comment 93 Ludwig Nussel 2021-08-17 16:02:11 UTC
(In reply to Michal Suchanek from comment #92)
> If there is a sysctl knob for something we don't patch the kernel but rather
> ship a configuration file that sets the value - regardless of changing
> upstream, and sometimes differently in different products, too.

I'd agree if the sysctl file was separate from the kernel ie you could reuse the same binary kernel with different settings (like a branding). That's not the case here though. The sysctl.conf ships with the kernel package and it's not a config file either. So it's just like a built in default except that it needs extra hacks in userspace. The config also has the disadvantage that you do not notice when the upstream default changes while a patch would fail to apply, forcing to rethink the setting :-)
Comment 94 Swamp Workflow Management 2021-08-17 16:21:56 UTC
SUSE-SU-2021:2756-1: An update that solves four vulnerabilities and has 37 fixes is now available.

Category: security (important)
Bug References: 1065729,1085224,1094840,1113295,1153274,1154353,1155518,1156395,1176940,1179243,1180092,1183871,1184114,1184350,1184631,1184804,1185377,1186194,1186206,1186482,1186483,1187476,1188101,1188405,1188445,1188504,1188620,1188683,1188746,1188747,1188748,1188770,1188771,1188772,1188773,1188774,1188777,1188838,1188876,1188885,1188973
CVE References: CVE-2021-21781,CVE-2021-22543,CVE-2021-3659,CVE-2021-37576
JIRA References: 
Sources used:
SUSE MicroOS 5.0 (src):    kernel-default-5.3.18-24.78.1, kernel-default-base-5.3.18-24.78.1.9.36.1
SUSE Linux Enterprise Workstation Extension 15-SP2 (src):    kernel-default-5.3.18-24.78.1, kernel-preempt-5.3.18-24.78.1
SUSE Linux Enterprise Module for Live Patching 15-SP2 (src):    kernel-default-5.3.18-24.78.1, kernel-livepatch-SLE15-SP2_Update_18-1-5.3.1
SUSE Linux Enterprise Module for Legacy Software 15-SP2 (src):    kernel-default-5.3.18-24.78.1
SUSE Linux Enterprise Module for Development Tools 15-SP2 (src):    kernel-docs-5.3.18-24.78.1, kernel-obs-build-5.3.18-24.78.1, kernel-preempt-5.3.18-24.78.1, kernel-source-5.3.18-24.78.1, kernel-syms-5.3.18-24.78.1
SUSE Linux Enterprise Module for Basesystem 15-SP2 (src):    kernel-default-5.3.18-24.78.1, kernel-default-base-5.3.18-24.78.1.9.36.1, kernel-preempt-5.3.18-24.78.1, kernel-source-5.3.18-24.78.1
SUSE Linux Enterprise High Availability 15-SP2 (src):    kernel-default-5.3.18-24.78.1

Comment 95 Michal Suchanek 2021-08-17 17:00:54 UTC
(In reply to Ludwig Nussel from comment #93)
> (In reply to Michal Suchanek from comment #92)
> > If there is a sysctl knob for something we don't patch the kernel but rather
> > ship a configuration file that sets the value - regardless of changing
> > upstream, and sometimes differently in different products, too.
> 
> I'd agree if the sysctl file was separate from the kernel ie you could reuse
> the same binary kernel with different settings (like a branding).

Why couldn't you?
The sysctl service can collect settings from multiple files. It makes sense to ship different defaults for -default and -rt kernel, and it makes sense to ship different defaults with product branding or other presets packages as well.

> That's not
> the case here though. The sysctl.conf ships with the kernel package and it's
> not a config file either. So it's just like a built in default except that
> it needs extra hacks in userspace. 

What extra hacks does it need?

> The config also has the disadvantage that
> you do not notice when the upstream default changes while a patch would fail
> to apply, forcing to rethink the setting :-)

The upstream default changing and rethinking the settings are two completely separate things. There not being a patch (one in -default and different one in -rt at that) that fails to apply when the default changes as well as when unrelated code changes is a feature.

Also every time some setting changes we get a bug report inquiring about the change.
Comment 96 Jiri Slaby 2021-08-18 07:57:36 UTC
(In reply to Jiri Slaby from comment #67)
> The current solution breaks stagings as dimstars notes:
> <dimstar_suse> nothing provides suse-release > 20210602 needed by
> kernel-default, (got version 1-33.4 provided by MicroOS-release), (got
> version 1-33.4 provided by openSUSE-release)

We are looping. This commit:
commit 913f755c87eeb930ad7b37aeb06742188009fea5 (origin/users/lnussel/packaging/for-next)
Author: Ludwig Nussel <ludwig.nussel@suse.de>
Date:   Mon Aug 9 13:13:03 2021 +0200

    Fix filesystem requirement and suse-release requires


added
Conflicts:      suse-release < 16

But MicroOS-release provides suse-release == 1... So Staging:G currently:
kernel-default conflicts with MicroOS-release

Commenting this out once again :(.
Comment 97 Ludwig Nussel 2021-08-18 08:00:11 UTC
(In reply to Michal Suchanek from comment #95)
> The sysctl service can collect settings from multiple files. It makes sense
> to ship different defaults for -default and -rt kernel, and it makes sense
> to ship different defaults with product branding or other presets packages
> as well.

What you say is correct but unrelated to the sysctl file in each of those kernel packages IMO :-)
rt and default are compiled with different configs already so with that mechanism you can also adjust the defaults for those sysctls. No external run time parsed file would be needed to achieve different defaults for different flavors. Looking at "kernel.hung_task_timeout_secs = 0" that our kernels ship as sysctl file for example. That one actually is a kconfig option "CONFIG_DEFAULT_HUNG_TASK_TIMEOUT".  Is there a benefit from setting that via sysctl rather than just setting the kconfig option to our default?

Product branding on the other hand is not kernel specific. It would place drop-ins into /usr/lib/sysctl.d/. No kernel version or flavor involved. In fact the current mechanism specifically loads exactly one file that is /boot/sysctl.conf-%v and that one is owned by each individual kernel package. So there is no way to add any kernel version or flavor specific sysctl setting via extra package.
 
> > That's not
> > the case here though. The sysctl.conf ships with the kernel package and it's
> > not a config file either. So it's just like a built in default except that
> > it needs extra hacks in userspace. 
> 
> What extra hacks does it need?

    # cat /usr/lib/systemd/system/systemd-sysctl.service.d/50-kernel-uname_r.conf 
    [Unit]
    RequiresMountsFor=/boot
    
    [Service]
    ExecStartPre=-/usr/lib/systemd/systemd-sysctl /boot/sysctl.conf-%v


Added by suse-module-tools. So has to make an extra call of systemd-sysctl before the normal one. Reminds me that if that is crucial for the operation of the SUSE kernel, make sure it gets ported to Shanzhai products... :-/

Anyway, selinux policy change on the way, pending package maintainer review.
Comment 98 Ludwig Nussel 2021-08-18 08:02:40 UTC
(In reply to Jiri Slaby from comment #96)
> (In reply to Jiri Slaby from comment #67)
> > The current solution breaks stagings as dimstars notes:
> > <dimstar_suse> nothing provides suse-release > 20210602 needed by
> > kernel-default, (got version 1-33.4 provided by MicroOS-release), (got
> > version 1-33.4 provided by openSUSE-release)
> 
> We are looping. This commit:
> commit 913f755c87eeb930ad7b37aeb06742188009fea5
> (origin/users/lnussel/packaging/for-next)
> Author: Ludwig Nussel <ludwig.nussel@suse.de>
> Date:   Mon Aug 9 13:13:03 2021 +0200
> 
>     Fix filesystem requirement and suse-release requires
> 
> 
> added
> Conflicts:      suse-release < 16
> 
> But MicroOS-release provides suse-release == 1... So Staging:G currently:
> kernel-default conflicts with MicroOS-release
> 
> Commenting this out once again :(.

But then the previous code would not have worked either. So can't have any relation to suse-release then. Hold on. Have to clarify intentions of microos-release.
Comment 99 Jiri Slaby 2021-08-18 08:04:51 UTC
And I reverted UsrMerge for now too. When such a kernel submission is accepted (contains 4 stable releases and 1 CVE fix), I will revert the revert and we will try again. Hopefully, the selinux issue will be fixed in the meantime.
Comment 100 Ludwig Nussel 2021-08-18 08:06:30 UTC
It's a staging specific problem
Comment 101 Jiri Slaby 2021-08-18 08:07:06 UTC
(In reply to Ludwig Nussel from comment #98)
> But then the previous code would not have worked either. So can't have any
> relation to suse-release then. Hold on. Have to clarify intentions of
> microos-release.

It indeed did not, I commented that in stable:
https://github.com/SUSE/kernel-source/commit/967c6a8bfc85bc78dbcbb220e21cd9f1bb06f573#diff-93ffe7363053e66f7a48c65692989ab870fc78cfefeff633295f6830f3ce1f35
Comment 102 Michal Suchanek 2021-08-18 08:47:08 UTC
(In reply to Ludwig Nussel from comment #97)
> (In reply to Michal Suchanek from comment #95)
> > The sysctl service can collect settings from multiple files. It makes sense
> > to ship different defaults for -default and -rt kernel, and it makes sense
> > to ship different defaults with product branding or other presets packages
> > as well.
> 
> What you say is correct but unrelated to the sysctl file in each of those
> kernel packages IMO :-)
> rt and default are compiled with different configs already so with that
> mechanism you can also adjust the defaults for those sysctls. No external

The upstream mechanism provided for that purpose are the sysctl settings which we are using. Patching the kernel to change the defaults is a maintenance nightmare, and completely avoidable one because the sysctl settings exist.

> run time parsed file would be needed to achieve different defaults for
> different flavors. Looking at "kernel.hung_task_timeout_secs = 0" that our
> kernels ship as sysctl file for example. That one actually is a kconfig
> option "CONFIG_DEFAULT_HUNG_TASK_TIMEOUT".  Is there a benefit from setting

And many others aren't.

> that via sysctl rather than just setting the kconfig option to our default?
> 
> Product branding on the other hand is not kernel specific. It would place
> drop-ins into /usr/lib/sysctl.d/. No kernel version or flavor involved. In
> fact the current mechanism specifically loads exactly one file that is
> /boot/sysctl.conf-%v and that one is owned by each individual kernel
> package. So there is no way to add any kernel version or flavor specific
> sysctl setting via extra package.

The file provided by kernel is tracked in git per kernel version and flavor.

You could surely write a service that applies sysctl settings per kernel flavor but nobody cared to write one.

Sure, if the file was in some specific location for decades and then you say "shoo, nothing should be here anymore" then that requires some adjustment to the consumers of that file. However, the reason for those changes is the filesystem restructuring, not this sysctl file.
Comment 103 Ludwig Nussel 2021-08-18 08:59:31 UTC
(In reply to Michal Suchanek from comment #102)
> (In reply to Ludwig Nussel from comment #97)
> > run time parsed file would be needed to achieve different defaults for
> > different flavors. Looking at "kernel.hung_task_timeout_secs = 0" that our
> > kernels ship as sysctl file for example. That one actually is a kconfig
> > option "CONFIG_DEFAULT_HUNG_TASK_TIMEOUT".  Is there a benefit from setting
> 
> And many others aren't.
> 
> > that via sysctl rather than just setting the kconfig option to our default?

Didn't answer my question though :-) I'm asking for the advantages of the sysctl method because if kconfig is actually equivalent or even better (because it avoids an external mechanism) then maybe it's worth introducing kconfig settings [upstream] for the other options too.
 
> > Product branding on the other hand is not kernel specific. It would place
> > drop-ins into /usr/lib/sysctl.d/. No kernel version or flavor involved. In
> > fact the current mechanism specifically loads exactly one file that is
> > /boot/sysctl.conf-%v and that one is owned by each individual kernel
> > package. So there is no way to add any kernel version or flavor specific
> > sysctl setting via extra package.
> 
> The file provided by kernel is tracked in git per kernel version and flavor.
> 
> You could surely write a service that applies sysctl settings per kernel
> flavor but nobody cared to write one.
> 
> Sure, if the file was in some specific location for decades and then you say
> "shoo, nothing should be here anymore" then that requires some adjustment to
> the consumers of that file. However, the reason for those changes is the
> filesystem restructuring, not this sysctl file.

You lost me here. From my PoV in the process of moving files around we discovered some old concept (per kernel sysctl file) and settings that are potentially outdated. I guess I shall file a separate bug for evaluating the settings to see what's actually left.
Comment 104 OBSbugzilla Bot 2021-08-19 12:20:07 UTC
This is an autogenerated message for OBS integration:
This bug (1184804) was mentioned in
https://build.opensuse.org/request/show/913055 Factory / suse-module-tools
Comment 105 Jiri Slaby 2021-08-20 07:20:19 UTC
Now resubmitted UsrMerged kernel in sr#913265.
Comment 106 Jiri Slaby 2021-08-24 15:01:16 UTC
(In reply to Jiri Slaby from comment #105)
> Now resubmitted UsrMerged kernel in sr#913265.

Accepted. Can we close this now?
Comment 108 Ludwig Nussel 2021-08-26 05:57:44 UTC
closing. Thanks everyone for your patience!
Comment 109 Ludwig Nussel 2021-08-26 14:57:15 UTC
We need a small follow-up fix for split /usr. Overlooked that use case :/
http://kerncvs.suse.de/gitweb/?p=kernel-source.git;a=patch;h=c7b3d74f219f3b3c8113f76a20766752a1e15767
Comment 110 Jiri Slaby 2021-08-30 07:01:14 UTC
Ah, and we still need to sort out the "Conflicts:". stable differs from master:
-Conflicts:      suse-release < 16
+# FIXME: microos in stagings provides only release 1
+#Conflicts:      suse-release < 16
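Review bot: the FIXME added above the commented-out "Conflicts: suse-release < 16" line says why the line is disabled (microos in stagings provides only release 1) but not under what condition it should come back, and it carries no tracking reference. Either add the bug number and the re-enable condition to the FIXME, or drop the dead line entirely so that stable and master stop diverging on it.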
Comment 111 Ludwig Nussel 2021-08-30 07:20:02 UTC
IMO that code should be just removed from master too. The conflicts with filesystem is good enough already. As long as the master branch isn't intended to be submitted through staging it doesn't matter though.
Comment 113 OBSbugzilla Bot 2021-10-06 00:41:01 UTC
This is an autogenerated message for OBS integration:
This bug (1184804) was mentioned in
https://build.opensuse.org/request/show/923361 15.2 / kernel-source
Comment 119 Swamp Workflow Management 2021-10-12 13:19:40 UTC
SUSE-SU-2021:3338-1: An update that solves 6 vulnerabilities and has 54 fixes is now available.

Category: security (important)
Bug References: 1065729,1148868,1152489,1154353,1159886,1167773,1170774,1171688,1173746,1174003,1176447,1176940,1177028,1178134,1184439,1184804,1185302,1185550,1185677,1185726,1185762,1187211,1188067,1188418,1188651,1188986,1189257,1189297,1189841,1189884,1190023,1190062,1190115,1190138,1190159,1190358,1190406,1190432,1190467,1190523,1190534,1190543,1190544,1190561,1190576,1190595,1190596,1190598,1190620,1190626,1190679,1190705,1190717,1190746,1190758,1190784,1190785,1191172,1191193,1191292
CVE References: CVE-2020-3702,CVE-2021-3669,CVE-2021-3744,CVE-2021-3752,CVE-2021-3764,CVE-2021-40490
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Public Cloud 15-SP3 (src):    kernel-azure-5.3.18-38.25.2, kernel-source-azure-5.3.18-38.25.2, kernel-syms-azure-5.3.18-38.25.1

Comment 120 Swamp Workflow Management 2021-10-12 13:32:59 UTC
openSUSE-SU-2021:3338-1: An update that solves 6 vulnerabilities and has 54 fixes is now available.

Category: security (important)
Bug References: 1065729,1148868,1152489,1154353,1159886,1167773,1170774,1171688,1173746,1174003,1176447,1176940,1177028,1178134,1184439,1184804,1185302,1185550,1185677,1185726,1185762,1187211,1188067,1188418,1188651,1188986,1189257,1189297,1189841,1189884,1190023,1190062,1190115,1190138,1190159,1190358,1190406,1190432,1190467,1190523,1190534,1190543,1190544,1190561,1190576,1190595,1190596,1190598,1190620,1190626,1190679,1190705,1190717,1190746,1190758,1190784,1190785,1191172,1191193,1191292
CVE References: CVE-2020-3702,CVE-2021-3669,CVE-2021-3744,CVE-2021-3752,CVE-2021-3764,CVE-2021-40490
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    kernel-azure-5.3.18-38.25.2, kernel-source-azure-5.3.18-38.25.2, kernel-syms-azure-5.3.18-38.25.1
Comment 121 Swamp Workflow Management 2021-10-12 13:41:28 UTC
SUSE-SU-2021:3339-1: An update that solves 6 vulnerabilities and has 44 fixes is now available.

Category: security (important)
Bug References: 1065729,1148868,1152489,1154353,1159886,1167773,1170774,1173746,1176940,1184439,1184804,1185302,1185677,1185726,1185762,1187167,1188067,1188651,1188986,1189297,1189841,1189884,1190023,1190062,1190115,1190159,1190358,1190406,1190432,1190467,1190523,1190534,1190543,1190576,1190595,1190596,1190598,1190620,1190626,1190679,1190705,1190717,1190746,1190758,1190784,1190785,1191172,1191193,1191240,1191292
CVE References: CVE-2020-3702,CVE-2021-3669,CVE-2021-3744,CVE-2021-3752,CVE-2021-3764,CVE-2021-40490
JIRA References: 
Sources used:
SUSE MicroOS 5.0 (src):    kernel-rt-5.3.18-54.1
SUSE Linux Enterprise Module for Realtime 15-SP2 (src):    kernel-rt-5.3.18-54.1, kernel-rt_debug-5.3.18-54.1, kernel-source-rt-5.3.18-54.1, kernel-syms-rt-5.3.18-54.1

Comment 122 Swamp Workflow Management 2021-10-12 13:51:13 UTC
SUSE-SU-2021:3337-1: An update that solves 6 vulnerabilities and has 44 fixes is now available.

Category: security (important)
Bug References: 1065729,1148868,1152489,1154353,1159886,1167773,1170774,1173746,1176940,1184439,1184804,1185302,1185677,1185726,1185762,1187167,1188067,1188651,1188986,1189297,1189841,1189884,1190023,1190062,1190115,1190159,1190358,1190406,1190432,1190467,1190523,1190534,1190543,1190576,1190595,1190596,1190598,1190620,1190626,1190679,1190705,1190717,1190746,1190758,1190784,1190785,1191172,1191193,1191240,1191292
CVE References: CVE-2020-3702,CVE-2021-3669,CVE-2021-3744,CVE-2021-3752,CVE-2021-3764,CVE-2021-40490
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Public Cloud 15-SP2 (src):    kernel-azure-5.3.18-18.69.1, kernel-source-azure-5.3.18-18.69.1, kernel-syms-azure-5.3.18-18.69.1

Comment 124 Swamp Workflow Management 2021-10-12 19:25:48 UTC
openSUSE-SU-2021:3387-1: An update that solves 7 vulnerabilities and has 53 fixes is now available.

Category: security (important)
Bug References: 1065729,1148868,1152489,1154353,1159886,1167773,1170774,1171688,1173746,1174003,1176447,1176940,1177028,1178134,1184439,1184804,1185302,1185550,1185677,1185726,1185762,1187211,1188067,1188418,1188651,1188986,1189257,1189297,1189841,1189884,1190023,1190062,1190115,1190138,1190159,1190358,1190406,1190432,1190467,1190523,1190534,1190543,1190544,1190561,1190576,1190595,1190596,1190598,1190620,1190626,1190679,1190705,1190717,1190746,1190758,1190784,1190785,1191172,1191193,1191292
CVE References: CVE-2020-3702,CVE-2021-3669,CVE-2021-3744,CVE-2021-3752,CVE-2021-3759,CVE-2021-3764,CVE-2021-40490
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    dtb-aarch64-5.3.18-59.27.1, kernel-64kb-5.3.18-59.27.1, kernel-debug-5.3.18-59.27.1, kernel-default-5.3.18-59.27.1, kernel-default-base-5.3.18-59.27.1.18.15.1, kernel-docs-5.3.18-59.27.1, kernel-kvmsmall-5.3.18-59.27.1, kernel-obs-build-5.3.18-59.27.1, kernel-obs-qa-5.3.18-59.27.1, kernel-preempt-5.3.18-59.27.1, kernel-source-5.3.18-59.27.1, kernel-syms-5.3.18-59.27.1, kernel-zfcpdump-5.3.18-59.27.1
Comment 125 Swamp Workflow Management 2021-10-12 19:49:39 UTC
SUSE-SU-2021:3387-1: An update that solves 7 vulnerabilities and has 53 fixes is now available.

Category: security (important)
Bug References: 1065729,1148868,1152489,1154353,1159886,1167773,1170774,1171688,1173746,1174003,1176447,1176940,1177028,1178134,1184439,1184804,1185302,1185550,1185677,1185726,1185762,1187211,1188067,1188418,1188651,1188986,1189257,1189297,1189841,1189884,1190023,1190062,1190115,1190138,1190159,1190358,1190406,1190432,1190467,1190523,1190534,1190543,1190544,1190561,1190576,1190595,1190596,1190598,1190620,1190626,1190679,1190705,1190717,1190746,1190758,1190784,1190785,1191172,1191193,1191292
CVE References: CVE-2020-3702,CVE-2021-3669,CVE-2021-3744,CVE-2021-3752,CVE-2021-3759,CVE-2021-3764,CVE-2021-40490
JIRA References: 
Sources used:
SUSE MicroOS 5.1 (src):    kernel-default-5.3.18-59.27.1, kernel-default-base-5.3.18-59.27.1.18.15.1
SUSE Linux Enterprise Workstation Extension 15-SP3 (src):    kernel-default-5.3.18-59.27.1, kernel-preempt-5.3.18-59.27.1
SUSE Linux Enterprise Module for Live Patching 15-SP3 (src):    kernel-default-5.3.18-59.27.1, kernel-livepatch-SLE15-SP3_Update_7-1-7.3.1
SUSE Linux Enterprise Module for Legacy Software 15-SP3 (src):    kernel-default-5.3.18-59.27.1
SUSE Linux Enterprise Module for Development Tools 15-SP3 (src):    kernel-docs-5.3.18-59.27.1, kernel-obs-build-5.3.18-59.27.1, kernel-preempt-5.3.18-59.27.1, kernel-source-5.3.18-59.27.1, kernel-syms-5.3.18-59.27.1
SUSE Linux Enterprise Module for Basesystem 15-SP3 (src):    kernel-64kb-5.3.18-59.27.1, kernel-default-5.3.18-59.27.1, kernel-default-base-5.3.18-59.27.1.18.15.1, kernel-preempt-5.3.18-59.27.1, kernel-source-5.3.18-59.27.1, kernel-zfcpdump-5.3.18-59.27.1
SUSE Linux Enterprise High Availability 15-SP3 (src):    kernel-default-5.3.18-59.27.1

Comment 126 Swamp Workflow Management 2021-10-13 16:21:17 UTC
SUSE-SU-2021:3415-1: An update that solves 18 vulnerabilities and has 119 fixes is now available.

Category: security (important)
Bug References: 1065729,1124431,1127650,1135481,1148868,1152489,1154353,1159886,1167032,1167773,1168202,1170774,1171420,1171688,1173746,1174003,1175543,1176447,1176940,1177028,1177399,1178134,1180141,1180347,1181006,1181972,1184114,1184439,1184611,1184804,1185302,1185550,1185675,1185677,1185726,1185762,1185898,1187211,1187455,1187591,1187619,1188067,1188172,1188270,1188412,1188418,1188439,1188616,1188651,1188694,1188700,1188878,1188924,1188983,1188985,1188986,1189153,1189225,1189257,1189262,1189297,1189301,1189399,1189400,1189503,1189504,1189505,1189506,1189507,1189562,1189563,1189564,1189565,1189566,1189567,1189568,1189569,1189573,1189574,1189575,1189576,1189577,1189579,1189581,1189582,1189583,1189585,1189586,1189587,1189696,1189706,1189760,1189762,1189832,1189841,1189870,1189872,1189883,1189884,1190022,1190023,1190025,1190062,1190115,1190117,1190131,1190138,1190159,1190181,1190358,1190406,1190412,1190413,1190428,1190467,1190523,1190534,1190543,1190544,1190561,1190576,1190595,1190596,1190598,1190620,1190626,1190679,1190705,1190717,1190746,1190758,1190784,1190785,1191172,1191193,1191292,859220
CVE References: CVE-2020-12770,CVE-2020-3702,CVE-2021-34556,CVE-2021-35477,CVE-2021-3653,CVE-2021-3656,CVE-2021-3669,CVE-2021-3732,CVE-2021-3739,CVE-2021-3743,CVE-2021-3744,CVE-2021-3752,CVE-2021-3753,CVE-2021-3759,CVE-2021-3764,CVE-2021-38160,CVE-2021-38198,CVE-2021-40490
JIRA References: 
Sources used:
SUSE MicroOS 5.1 (src):    kernel-rt-5.3.18-57.1
SUSE Linux Enterprise Module for Realtime 15-SP3 (src):    kernel-rt-5.3.18-57.1, kernel-rt_debug-5.3.18-57.1, kernel-source-rt-5.3.18-57.1, kernel-syms-rt-5.3.18-57.1

Comment 127 Swamp Workflow Management 2021-10-15 10:24:29 UTC
SUSE-SU-2021:3447-1: An update that solves 6 vulnerabilities and has 44 fixes is now available.

Category: security (important)
Bug References: 1065729,1148868,1152489,1154353,1159886,1167773,1170774,1173746,1176940,1184439,1184804,1185302,1185677,1185726,1185762,1187167,1188067,1188651,1188986,1189297,1189841,1189884,1190023,1190062,1190115,1190159,1190358,1190406,1190432,1190467,1190523,1190534,1190543,1190576,1190595,1190596,1190598,1190620,1190626,1190679,1190705,1190717,1190746,1190758,1190784,1190785,1191172,1191193,1191240,1191292
CVE References: CVE-2020-3702,CVE-2021-3669,CVE-2021-3744,CVE-2021-3752,CVE-2021-3764,CVE-2021-40490
JIRA References: 
Sources used:
SUSE MicroOS 5.0 (src):    kernel-default-5.3.18-24.86.2, kernel-default-base-5.3.18-24.86.2.9.40.2, kmod-25-6.10.1, perl-Bootloader-0.931-3.5.1
SUSE Linux Enterprise Workstation Extension 15-SP2 (src):    kernel-default-5.3.18-24.86.2, kernel-preempt-5.3.18-24.86.2
SUSE Linux Enterprise Module for Live Patching 15-SP2 (src):    kernel-default-5.3.18-24.86.2, kernel-livepatch-SLE15-SP2_Update_20-1-5.3.2
SUSE Linux Enterprise Module for Legacy Software 15-SP2 (src):    kernel-default-5.3.18-24.86.2
SUSE Linux Enterprise Module for Development Tools 15-SP2 (src):    kernel-docs-5.3.18-24.86.2, kernel-obs-build-5.3.18-24.86.2, kernel-preempt-5.3.18-24.86.2, kernel-source-5.3.18-24.86.2, kernel-syms-5.3.18-24.86.1, perl-Bootloader-0.931-3.5.1
SUSE Linux Enterprise Module for Basesystem 15-SP2 (src):    kernel-default-5.3.18-24.86.2, kernel-default-base-5.3.18-24.86.2.9.40.2, kernel-preempt-5.3.18-24.86.2, kernel-source-5.3.18-24.86.2, kmod-25-6.10.1, perl-Bootloader-0.931-3.5.1
SUSE Linux Enterprise High Availability 15-SP2 (src):    kernel-default-5.3.18-24.86.2

Comment 128 Swamp Workflow Management 2021-10-15 10:32:08 UTC
openSUSE-SU-2021:3447-1: An update that solves 6 vulnerabilities and has 44 fixes is now available.

Category: security (important)
Bug References: 1065729,1148868,1152489,1154353,1159886,1167773,1170774,1173746,1176940,1184439,1184804,1185302,1185677,1185726,1185762,1187167,1188067,1188651,1188986,1189297,1189841,1189884,1190023,1190062,1190115,1190159,1190358,1190406,1190432,1190467,1190523,1190534,1190543,1190576,1190595,1190596,1190598,1190620,1190626,1190679,1190705,1190717,1190746,1190758,1190784,1190785,1191172,1191193,1191240,1191292
CVE References: CVE-2020-3702,CVE-2021-3669,CVE-2021-3744,CVE-2021-3752,CVE-2021-3764,CVE-2021-40490
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    kmod-25-6.10.1
Comment 129 Swamp Workflow Management 2021-10-15 16:19:06 UTC
openSUSE-SU-2021:1357-1: An update that solves 6 vulnerabilities and has 43 fixes is now available.

Category: security (important)
Bug References: 1065729,1148868,1152489,1154353,1159886,1167773,1170774,1173746,1176940,1184439,1184804,1185302,1185677,1185726,1185762,1187167,1188067,1188651,1188986,1189297,1189841,1189884,1190023,1190062,1190115,1190159,1190358,1190406,1190467,1190523,1190534,1190543,1190576,1190595,1190596,1190598,1190620,1190626,1190679,1190705,1190717,1190746,1190758,1190784,1190785,1191172,1191193,1191240,1191292
CVE References: CVE-2020-3702,CVE-2021-3669,CVE-2021-3744,CVE-2021-3752,CVE-2021-3764,CVE-2021-40490
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    kernel-debug-5.3.18-lp152.95.1, kernel-default-5.3.18-lp152.95.1, kernel-default-base-5.3.18-lp152.95.1.lp152.8.44.1, kernel-docs-5.3.18-lp152.95.1, kernel-kvmsmall-5.3.18-lp152.95.1, kernel-obs-build-5.3.18-lp152.95.1, kernel-obs-qa-5.3.18-lp152.95.1, kernel-preempt-5.3.18-lp152.95.1, kernel-source-5.3.18-lp152.95.1, kernel-syms-5.3.18-lp152.95.1
Comment 130 Swamp Workflow Management 2021-10-18 16:24:46 UTC
openSUSE-SU-2021:1365-1: An update that solves 6 vulnerabilities and has 44 fixes is now available.

Category: security (important)
Bug References: 1065729,1148868,1152489,1154353,1159886,1167773,1170774,1173746,1176940,1184439,1184804,1185302,1185677,1185726,1185762,1187167,1188067,1188651,1188986,1189297,1189841,1189884,1190023,1190062,1190115,1190159,1190358,1190406,1190432,1190467,1190523,1190534,1190543,1190576,1190595,1190596,1190598,1190620,1190626,1190679,1190705,1190717,1190746,1190758,1190784,1190785,1191172,1191193,1191240,1191292
CVE References: CVE-2020-3702,CVE-2021-3669,CVE-2021-3744,CVE-2021-3752,CVE-2021-3764,CVE-2021-40490
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    kmod-25-lp152.8.3.1, kmod-testsuite-25-lp152.8.3.2
Comment 142 Swamp Workflow Management 2021-12-02 11:21:21 UTC
openSUSE-SU-2021:3876-1: An update that solves 43 vulnerabilities, contains one feature and has 26 fixes is now available.

Category: security (important)
Bug References: 1100416,1108488,1129735,1129898,1133374,1136513,1171420,1176724,1177666,1181158,1184673,1184804,1185377,1185726,1185758,1185973,1186078,1186109,1186390,1186482,1186672,1188062,1188063,1188172,1188563,1188601,1188616,1188838,1188876,1188983,1188985,1189057,1189262,1189291,1189399,1189400,1189706,1189846,1189884,1190023,1190025,1190067,1190115,1190117,1190159,1190276,1190349,1190351,1190479,1190534,1190601,1190717,1191193,1191315,1191317,1191349,1191457,1191628,1191790,1191800,1191888,1191961,1192045,1192267,1192379,1192400,1192775,1192781,1192802
CVE References: CVE-2018-13405,CVE-2018-9517,CVE-2019-3874,CVE-2019-3900,CVE-2020-0429,CVE-2020-12770,CVE-2020-3702,CVE-2020-4788,CVE-2021-0941,CVE-2021-20322,CVE-2021-22543,CVE-2021-31916,CVE-2021-33033,CVE-2021-33909,CVE-2021-34556,CVE-2021-34981,CVE-2021-3542,CVE-2021-35477,CVE-2021-3640,CVE-2021-3653,CVE-2021-3655,CVE-2021-3656,CVE-2021-3659,CVE-2021-3679,CVE-2021-3715,CVE-2021-37159,CVE-2021-3732,CVE-2021-3744,CVE-2021-3752,CVE-2021-3753,CVE-2021-37576,CVE-2021-3759,CVE-2021-3760,CVE-2021-3764,CVE-2021-3772,CVE-2021-38160,CVE-2021-38198,CVE-2021-38204,CVE-2021-40490,CVE-2021-41864,CVE-2021-42008,CVE-2021-42252,CVE-2021-42739
JIRA References: SLE-22573
Sources used:
openSUSE Leap 15.3 (src):    kernel-debug-4.12.14-197.102.2, kernel-default-4.12.14-197.102.2, kernel-kvmsmall-4.12.14-197.102.2, kernel-vanilla-4.12.14-197.102.2, kernel-zfcpdump-4.12.14-197.102.2
Comment 143 Swamp Workflow Management 2021-12-02 11:33:36 UTC
SUSE-SU-2021:3876-1: An update that solves 43 vulnerabilities, contains one feature and has 26 fixes is now available.

Category: security (important)
Bug References: 1100416,1108488,1129735,1129898,1133374,1136513,1171420,1176724,1177666,1181158,1184673,1184804,1185377,1185726,1185758,1185973,1186078,1186109,1186390,1186482,1186672,1188062,1188063,1188172,1188563,1188601,1188616,1188838,1188876,1188983,1188985,1189057,1189262,1189291,1189399,1189400,1189706,1189846,1189884,1190023,1190025,1190067,1190115,1190117,1190159,1190276,1190349,1190351,1190479,1190534,1190601,1190717,1191193,1191315,1191317,1191349,1191457,1191628,1191790,1191800,1191888,1191961,1192045,1192267,1192379,1192400,1192775,1192781,1192802
CVE References: CVE-2018-13405,CVE-2018-9517,CVE-2019-3874,CVE-2019-3900,CVE-2020-0429,CVE-2020-12770,CVE-2020-3702,CVE-2020-4788,CVE-2021-0941,CVE-2021-20322,CVE-2021-22543,CVE-2021-31916,CVE-2021-33033,CVE-2021-33909,CVE-2021-34556,CVE-2021-34981,CVE-2021-3542,CVE-2021-35477,CVE-2021-3640,CVE-2021-3653,CVE-2021-3655,CVE-2021-3656,CVE-2021-3659,CVE-2021-3679,CVE-2021-3715,CVE-2021-37159,CVE-2021-3732,CVE-2021-3744,CVE-2021-3752,CVE-2021-3753,CVE-2021-37576,CVE-2021-3759,CVE-2021-3760,CVE-2021-3764,CVE-2021-3772,CVE-2021-38160,CVE-2021-38198,CVE-2021-38204,CVE-2021-40490,CVE-2021-41864,CVE-2021-42008,CVE-2021-42252,CVE-2021-42739
JIRA References: SLE-22573
Sources used:
SUSE Linux Enterprise Server for SAP 15-SP1 (src):    kernel-default-4.12.14-197.102.2, kernel-docs-4.12.14-197.102.2, kernel-obs-build-4.12.14-197.102.1, kernel-source-4.12.14-197.102.2, kernel-syms-4.12.14-197.102.2
SUSE Linux Enterprise Server 15-SP1-LTSS (src):    kernel-default-4.12.14-197.102.2, kernel-docs-4.12.14-197.102.2, kernel-obs-build-4.12.14-197.102.1, kernel-source-4.12.14-197.102.2, kernel-syms-4.12.14-197.102.2, kernel-zfcpdump-4.12.14-197.102.2
SUSE Linux Enterprise Server 15-SP1-BCL (src):    kernel-default-4.12.14-197.102.2, kernel-docs-4.12.14-197.102.2, kernel-obs-build-4.12.14-197.102.1, kernel-source-4.12.14-197.102.2, kernel-syms-4.12.14-197.102.2
SUSE Linux Enterprise Module for Live Patching 15-SP1 (src):    kernel-default-4.12.14-197.102.2, kernel-livepatch-SLE15-SP1_Update_27-1-3.3.1
SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src):    kernel-default-4.12.14-197.102.2, kernel-docs-4.12.14-197.102.2, kernel-obs-build-4.12.14-197.102.1, kernel-source-4.12.14-197.102.2, kernel-syms-4.12.14-197.102.2
SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src):    kernel-default-4.12.14-197.102.2, kernel-docs-4.12.14-197.102.2, kernel-obs-build-4.12.14-197.102.1, kernel-source-4.12.14-197.102.2, kernel-syms-4.12.14-197.102.2
SUSE Linux Enterprise High Availability 15-SP1 (src):    kernel-default-4.12.14-197.102.2
SUSE Enterprise Storage 6 (src):    kernel-default-4.12.14-197.102.2, kernel-docs-4.12.14-197.102.2, kernel-obs-build-4.12.14-197.102.1, kernel-source-4.12.14-197.102.2, kernel-syms-4.12.14-197.102.2
SUSE CaaS Platform 4.0 (src):    kernel-default-4.12.14-197.102.2, kernel-docs-4.12.14-197.102.2, kernel-obs-build-4.12.14-197.102.1, kernel-source-4.12.14-197.102.2, kernel-syms-4.12.14-197.102.2

Comment 144 Swamp Workflow Management 2021-12-07 20:22:25 UTC
SUSE-SU-2021:3969-1: An update that solves 37 vulnerabilities and has 21 fixes is now available.

Category: security (important)
Bug References: 1085235,1085308,1087078,1087082,1100394,1102640,1105412,1108488,1129898,1133374,1171420,1173489,1174161,1181854,1184804,1185377,1185726,1185758,1186109,1186482,1188172,1188563,1188601,1188838,1188876,1188983,1188985,1189057,1189262,1189291,1189399,1189400,1189706,1189846,1189884,1190023,1190025,1190067,1190117,1190159,1190351,1190479,1190534,1190601,1190717,1191193,1191315,1191317,1191790,1191800,1191961,1192045,1192267,1192379,1192400,1192775,1192781,1192802
CVE References: CVE-2018-3639,CVE-2018-9517,CVE-2019-3874,CVE-2019-3900,CVE-2020-12770,CVE-2020-3702,CVE-2021-0941,CVE-2021-20320,CVE-2021-20322,CVE-2021-22543,CVE-2021-31916,CVE-2021-33033,CVE-2021-34556,CVE-2021-34981,CVE-2021-35477,CVE-2021-3640,CVE-2021-3653,CVE-2021-3655,CVE-2021-3656,CVE-2021-3659,CVE-2021-3679,CVE-2021-37159,CVE-2021-3732,CVE-2021-3744,CVE-2021-3752,CVE-2021-3753,CVE-2021-37576,CVE-2021-3760,CVE-2021-3764,CVE-2021-3772,CVE-2021-38160,CVE-2021-38198,CVE-2021-38204,CVE-2021-40490,CVE-2021-41864,CVE-2021-42008,CVE-2021-42252
JIRA References: 
Sources used:
SUSE Linux Enterprise Server for SAP 15 (src):    kernel-default-4.12.14-150.78.1, kernel-docs-4.12.14-150.78.2, kernel-obs-build-4.12.14-150.78.2, kernel-source-4.12.14-150.78.1, kernel-syms-4.12.14-150.78.1, kernel-vanilla-4.12.14-150.78.1
SUSE Linux Enterprise Server 15-LTSS (src):    kernel-default-4.12.14-150.78.1, kernel-docs-4.12.14-150.78.2, kernel-obs-build-4.12.14-150.78.2, kernel-source-4.12.14-150.78.1, kernel-syms-4.12.14-150.78.1, kernel-vanilla-4.12.14-150.78.1, kernel-zfcpdump-4.12.14-150.78.1
SUSE Linux Enterprise Module for Live Patching 15 (src):    kernel-default-4.12.14-150.78.1, kernel-livepatch-SLE15_Update_26-1-1.3.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src):    kernel-default-4.12.14-150.78.1, kernel-docs-4.12.14-150.78.2, kernel-obs-build-4.12.14-150.78.2, kernel-source-4.12.14-150.78.1, kernel-syms-4.12.14-150.78.1, kernel-vanilla-4.12.14-150.78.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src):    kernel-default-4.12.14-150.78.1, kernel-docs-4.12.14-150.78.2, kernel-obs-build-4.12.14-150.78.2, kernel-source-4.12.14-150.78.1, kernel-syms-4.12.14-150.78.1, kernel-vanilla-4.12.14-150.78.1
SUSE Linux Enterprise High Availability 15 (src):    kernel-default-4.12.14-150.78.1

Comment 145 Swamp Workflow Management 2021-12-08 14:19:31 UTC
SUSE-SU-2021:3972-1: An update that solves 40 vulnerabilities and has 47 fixes is now available.

Category: security (important)
Bug References: 1087082,1100416,1108488,1129735,1129898,1133374,1153720,1171420,1176724,1176931,1180624,1181854,1181855,1183050,1183861,1184673,1184804,1185377,1185677,1185726,1185727,1185758,1185973,1186063,1186482,1186483,1186672,1188026,1188172,1188563,1188601,1188613,1188838,1188842,1188876,1188983,1188985,1189057,1189262,1189278,1189291,1189399,1189400,1189418,1189420,1189706,1189846,1189884,1190023,1190025,1190067,1190115,1190117,1190118,1190159,1190276,1190349,1190350,1190351,1190432,1190479,1190534,1190601,1190717,1191193,1191315,1191317,1191318,1191529,1191530,1191628,1191660,1191790,1191801,1191813,1191961,1192036,1192045,1192048,1192267,1192379,1192400,1192444,1192549,1192775,1192781,1192802
CVE References: CVE-2018-13405,CVE-2018-9517,CVE-2019-3874,CVE-2019-3900,CVE-2020-0429,CVE-2020-12770,CVE-2020-3702,CVE-2021-0941,CVE-2021-20322,CVE-2021-22543,CVE-2021-31916,CVE-2021-34556,CVE-2021-34981,CVE-2021-3542,CVE-2021-35477,CVE-2021-3640,CVE-2021-3653,CVE-2021-3655,CVE-2021-3656,CVE-2021-3659,CVE-2021-3679,CVE-2021-3715,CVE-2021-37159,CVE-2021-3732,CVE-2021-3744,CVE-2021-3752,CVE-2021-3753,CVE-2021-37576,CVE-2021-3759,CVE-2021-3760,CVE-2021-3764,CVE-2021-3772,CVE-2021-38160,CVE-2021-38198,CVE-2021-38204,CVE-2021-40490,CVE-2021-41864,CVE-2021-42008,CVE-2021-42252,CVE-2021-42739
JIRA References: 
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src):    kernel-default-4.12.14-95.83.2, kernel-source-4.12.14-95.83.2, kernel-syms-4.12.14-95.83.2
SUSE OpenStack Cloud 9 (src):    kernel-default-4.12.14-95.83.2, kernel-source-4.12.14-95.83.2, kernel-syms-4.12.14-95.83.2
SUSE Linux Enterprise Server for SAP 12-SP4 (src):    kernel-default-4.12.14-95.83.2, kernel-source-4.12.14-95.83.2, kernel-syms-4.12.14-95.83.2
SUSE Linux Enterprise Server 12-SP4-LTSS (src):    kernel-default-4.12.14-95.83.2, kernel-source-4.12.14-95.83.2, kernel-syms-4.12.14-95.83.2
SUSE Linux Enterprise Live Patching 12-SP4 (src):    kernel-default-4.12.14-95.83.2, kgraft-patch-SLE12-SP4_Update_23-1-6.3.1
SUSE Linux Enterprise High Availability 12-SP4 (src):    kernel-default-4.12.14-95.83.2

Comment 149 Swamp Workflow Management 2022-01-13 17:19:29 UTC
SUSE-SU-2022:0068-1: An update that solves 16 vulnerabilities and has 26 fixes is now available.

Category: security (important)
Bug References: 1114648,1124431,1167162,1169514,1172073,1179599,1183678,1183897,1184804,1185727,1185762,1187167,1189126,1189158,1189305,1189841,1190317,1190358,1190428,1191229,1191384,1191731,1191876,1192032,1192145,1192267,1192740,1192845,1192847,1192866,1192877,1192946,1192974,1193231,1193306,1193318,1193440,1193442,1193575,1193731,1194087,1194094
CVE References: CVE-2018-25020,CVE-2019-15126,CVE-2020-27820,CVE-2021-0920,CVE-2021-0935,CVE-2021-28711,CVE-2021-28712,CVE-2021-28713,CVE-2021-28714,CVE-2021-28715,CVE-2021-33098,CVE-2021-4002,CVE-2021-43975,CVE-2021-43976,CVE-2021-45485,CVE-2021-45486
JIRA References: 
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP5 (src):    kernel-default-4.12.14-122.106.1
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    kernel-docs-4.12.14-122.106.1, kernel-obs-build-4.12.14-122.106.1
SUSE Linux Enterprise Server 12-SP5 (src):    kernel-default-4.12.14-122.106.1, kernel-source-4.12.14-122.106.1, kernel-syms-4.12.14-122.106.1
SUSE Linux Enterprise Live Patching 12-SP5 (src):    kernel-default-4.12.14-122.106.1, kgraft-patch-SLE12-SP5_Update_27-1-8.3.1
SUSE Linux Enterprise High Availability 12-SP5 (src):    kernel-default-4.12.14-122.106.1

Comment 150 Swamp Workflow Management 2022-01-14 14:27:08 UTC
SUSE-SU-2022:0080-1: An update that solves 18 vulnerabilities and has 28 fixes is now available.

Category: security (important)
Bug References: 1114648,1124431,1167162,1169514,1172073,1179599,1183678,1183897,1184804,1185727,1185762,1187167,1189126,1189158,1189305,1189841,1190317,1190358,1190428,1191229,1191384,1191731,1191876,1192032,1192145,1192267,1192740,1192845,1192847,1192866,1192877,1192946,1192974,1192987,1193231,1193306,1193318,1193440,1193442,1193575,1193669,1193727,1193731,1194001,1194087,1194094
CVE References: CVE-2018-25020,CVE-2019-15126,CVE-2020-27820,CVE-2021-0920,CVE-2021-0935,CVE-2021-28711,CVE-2021-28712,CVE-2021-28713,CVE-2021-28714,CVE-2021-28715,CVE-2021-33098,CVE-2021-4002,CVE-2021-4083,CVE-2021-4149,CVE-2021-43975,CVE-2021-43976,CVE-2021-45485,CVE-2021-45486
JIRA References: 
Sources used:
SUSE Linux Enterprise Server 12-SP5 (src):    kernel-azure-4.12.14-16.85.1, kernel-source-azure-4.12.14-16.85.1, kernel-syms-azure-4.12.14-16.85.1

Comment 151 Swamp Workflow Management 2022-01-17 20:19:04 UTC
SUSE-SU-2022:0090-1: An update that solves 15 vulnerabilities, contains one feature and has 18 fixes is now available.

Category: security (important)
Bug References: 1114648,1124431,1167162,1179599,1183678,1183897,1184804,1185727,1185762,1187167,1189126,1189305,1189841,1190358,1191229,1191384,1192032,1192145,1192267,1192740,1192845,1192847,1192877,1192946,1192974,1193231,1193306,1193318,1193440,1193442,1193731,1194087,1194094
CVE References: CVE-2019-15126,CVE-2020-27820,CVE-2021-0920,CVE-2021-0935,CVE-2021-28711,CVE-2021-28712,CVE-2021-28713,CVE-2021-28714,CVE-2021-28715,CVE-2021-33098,CVE-2021-4002,CVE-2021-43975,CVE-2021-43976,CVE-2021-45485,CVE-2021-45486
JIRA References: SLE-17288
Sources used:
SUSE Linux Enterprise Real Time Extension 12-SP5 (src):    kernel-rt-4.12.14-10.73.1, kernel-rt_debug-4.12.14-10.73.1, kernel-source-rt-4.12.14-10.73.1, kernel-syms-rt-4.12.14-10.73.1

Comment 160 Swamp Workflow Management 2022-02-10 20:18:59 UTC
openSUSE-SU-2022:0366-1: An update that solves 27 vulnerabilities and has 23 fixes is now available.

Category: security (critical)
Bug References: 1071995,1124431,1167162,1169514,1172073,1179599,1184804,1185377,1186207,1186222,1187167,1189305,1189841,1190358,1190428,1191229,1191241,1191384,1191731,1192032,1192267,1192740,1192845,1192847,1192877,1192946,1193306,1193440,1193442,1193575,1193669,1193727,1193731,1193767,1193861,1193864,1193867,1193927,1194001,1194048,1194087,1194227,1194302,1194516,1194529,1194880,1194888,1194985,1195166,1195254
CVE References: CVE-2018-25020,CVE-2019-15126,CVE-2020-27820,CVE-2021-0920,CVE-2021-0935,CVE-2021-28711,CVE-2021-28712,CVE-2021-28713,CVE-2021-28714,CVE-2021-28715,CVE-2021-33098,CVE-2021-3564,CVE-2021-39648,CVE-2021-39657,CVE-2021-4002,CVE-2021-4083,CVE-2021-4135,CVE-2021-4149,CVE-2021-4197,CVE-2021-4202,CVE-2021-43975,CVE-2021-43976,CVE-2021-44733,CVE-2021-45095,CVE-2021-45486,CVE-2022-0322,CVE-2022-0330
JIRA References: 
Sources used:
openSUSE Leap 15.4 (src):    kernel-debug-4.12.14-197.105.1, kernel-default-4.12.14-197.105.1, kernel-kvmsmall-4.12.14-197.105.1, kernel-vanilla-4.12.14-197.105.1, kernel-zfcpdump-4.12.14-197.105.1
openSUSE Leap 15.3 (src):    kernel-debug-4.12.14-197.105.1, kernel-default-4.12.14-197.105.1, kernel-kvmsmall-4.12.14-197.105.1, kernel-vanilla-4.12.14-197.105.1, kernel-zfcpdump-4.12.14-197.105.1
Comment 161 Swamp Workflow Management 2022-02-10 20:37:27 UTC
SUSE-SU-2022:0367-1: An update that solves 27 vulnerabilities and has 23 fixes is now available.

Category: security (critical)
Bug References: 1071995,1124431,1167162,1169514,1172073,1179599,1184804,1185377,1186207,1186222,1187167,1189305,1189841,1190358,1190428,1191229,1191241,1191384,1191731,1192032,1192267,1192740,1192845,1192847,1192877,1192946,1193306,1193440,1193442,1193506,1193575,1193669,1193727,1193731,1193767,1193861,1193864,1193867,1194001,1194048,1194087,1194227,1194302,1194516,1194529,1194880,1194888,1194985,1195166,1195254
CVE References: CVE-2018-25020,CVE-2019-15126,CVE-2020-27820,CVE-2021-0920,CVE-2021-0935,CVE-2021-28711,CVE-2021-28712,CVE-2021-28713,CVE-2021-28714,CVE-2021-28715,CVE-2021-33098,CVE-2021-3564,CVE-2021-39648,CVE-2021-39657,CVE-2021-4002,CVE-2021-4083,CVE-2021-4149,CVE-2021-4197,CVE-2021-4202,CVE-2021-43975,CVE-2021-43976,CVE-2021-44733,CVE-2021-45095,CVE-2021-45486,CVE-2022-0322,CVE-2022-0330,CVE-2022-0435
JIRA References: 
Sources used:
SUSE Linux Enterprise Server for SAP 15 (src):    kernel-default-4.12.14-150.83.1, kernel-docs-4.12.14-150.83.1, kernel-obs-build-4.12.14-150.83.1, kernel-source-4.12.14-150.83.1, kernel-syms-4.12.14-150.83.1, kernel-vanilla-4.12.14-150.83.1
SUSE Linux Enterprise Server 15-LTSS (src):    kernel-default-4.12.14-150.83.1, kernel-docs-4.12.14-150.83.1, kernel-obs-build-4.12.14-150.83.1, kernel-source-4.12.14-150.83.1, kernel-syms-4.12.14-150.83.1, kernel-vanilla-4.12.14-150.83.1, kernel-zfcpdump-4.12.14-150.83.1
SUSE Linux Enterprise Module for Live Patching 15 (src):    kernel-default-4.12.14-150.83.1, kernel-livepatch-SLE15_Update_27-1-1.5.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src):    kernel-default-4.12.14-150.83.1, kernel-docs-4.12.14-150.83.1, kernel-obs-build-4.12.14-150.83.1, kernel-source-4.12.14-150.83.1, kernel-syms-4.12.14-150.83.1, kernel-vanilla-4.12.14-150.83.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src):    kernel-default-4.12.14-150.83.1, kernel-docs-4.12.14-150.83.1, kernel-obs-build-4.12.14-150.83.1, kernel-source-4.12.14-150.83.1, kernel-syms-4.12.14-150.83.1, kernel-vanilla-4.12.14-150.83.1
SUSE Linux Enterprise High Availability 15 (src):    kernel-default-4.12.14-150.83.1

Comment 162 Swamp Workflow Management 2022-02-10 20:43:05 UTC
SUSE-SU-2022:0366-1: An update that solves 27 vulnerabilities and has 23 fixes is now available.

Category: security (critical)
Bug References: 1071995,1124431,1167162,1169514,1172073,1179599,1184804,1185377,1186207,1186222,1187167,1189305,1189841,1190358,1190428,1191229,1191241,1191384,1191731,1192032,1192267,1192740,1192845,1192847,1192877,1192946,1193306,1193440,1193442,1193575,1193669,1193727,1193731,1193767,1193861,1193864,1193867,1193927,1194001,1194048,1194087,1194227,1194302,1194516,1194529,1194880,1194888,1194985,1195166,1195254
CVE References: CVE-2018-25020,CVE-2019-15126,CVE-2020-27820,CVE-2021-0920,CVE-2021-0935,CVE-2021-28711,CVE-2021-28712,CVE-2021-28713,CVE-2021-28714,CVE-2021-28715,CVE-2021-33098,CVE-2021-3564,CVE-2021-39648,CVE-2021-39657,CVE-2021-4002,CVE-2021-4083,CVE-2021-4135,CVE-2021-4149,CVE-2021-4197,CVE-2021-4202,CVE-2021-43975,CVE-2021-43976,CVE-2021-44733,CVE-2021-45095,CVE-2021-45486,CVE-2022-0322,CVE-2022-0330
JIRA References: 
Sources used:
SUSE Linux Enterprise Server for SAP 15-SP1 (src):    kernel-default-4.12.14-197.105.1, kernel-docs-4.12.14-197.105.1, kernel-obs-build-4.12.14-197.105.1, kernel-source-4.12.14-197.105.1, kernel-syms-4.12.14-197.105.1
SUSE Linux Enterprise Server 15-SP1-LTSS (src):    kernel-default-4.12.14-197.105.1, kernel-docs-4.12.14-197.105.1, kernel-obs-build-4.12.14-197.105.1, kernel-source-4.12.14-197.105.1, kernel-syms-4.12.14-197.105.1, kernel-zfcpdump-4.12.14-197.105.1
SUSE Linux Enterprise Server 15-SP1-BCL (src):    kernel-default-4.12.14-197.105.1, kernel-docs-4.12.14-197.105.1, kernel-obs-build-4.12.14-197.105.1, kernel-source-4.12.14-197.105.1, kernel-syms-4.12.14-197.105.1
SUSE Linux Enterprise Module for Live Patching 15-SP1 (src):    kernel-default-4.12.14-197.105.1, kernel-livepatch-SLE15-SP1_Update_28-1-3.3.1
SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src):    kernel-default-4.12.14-197.105.1, kernel-docs-4.12.14-197.105.1, kernel-obs-build-4.12.14-197.105.1, kernel-source-4.12.14-197.105.1, kernel-syms-4.12.14-197.105.1
SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src):    kernel-default-4.12.14-197.105.1, kernel-docs-4.12.14-197.105.1, kernel-obs-build-4.12.14-197.105.1, kernel-source-4.12.14-197.105.1, kernel-syms-4.12.14-197.105.1
SUSE Linux Enterprise High Availability 15-SP1 (src):    kernel-default-4.12.14-197.105.1
SUSE Enterprise Storage 6 (src):    kernel-default-4.12.14-197.105.1, kernel-docs-4.12.14-197.105.1, kernel-obs-build-4.12.14-197.105.1, kernel-source-4.12.14-197.105.1, kernel-syms-4.12.14-197.105.1
SUSE CaaS Platform 4.0 (src):    kernel-default-4.12.14-197.105.1, kernel-docs-4.12.14-197.105.1, kernel-obs-build-4.12.14-197.105.1, kernel-source-4.12.14-197.105.1, kernel-syms-4.12.14-197.105.1

Comment 163 Swamp Workflow Management 2022-02-11 11:28:57 UTC
SUSE-SU-2022:0371-1: An update that solves 27 vulnerabilities and has 22 fixes is now available.

Category: security (important)
Bug References: 1071995,1124431,1167162,1169514,1172073,1177101,1179599,1184804,1185377,1186207,1186222,1187167,1189305,1189841,1190358,1190428,1191229,1191384,1191731,1192032,1192267,1192740,1192845,1192847,1192877,1192946,1193306,1193440,1193442,1193507,1193575,1193669,1193727,1193731,1193767,1193861,1193864,1193867,1194001,1194048,1194087,1194227,1194302,1194516,1194529,1194880,1194888,1194985,1195254
CVE References: CVE-2018-25020,CVE-2019-15126,CVE-2020-27820,CVE-2021-0920,CVE-2021-0935,CVE-2021-28711,CVE-2021-28712,CVE-2021-28713,CVE-2021-28714,CVE-2021-28715,CVE-2021-33098,CVE-2021-3564,CVE-2021-39648,CVE-2021-39657,CVE-2021-4002,CVE-2021-4083,CVE-2021-4149,CVE-2021-4197,CVE-2021-4202,CVE-2021-43975,CVE-2021-43976,CVE-2021-44733,CVE-2021-45095,CVE-2021-45486,CVE-2022-0322,CVE-2022-0330,CVE-2022-0435
JIRA References: 
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src):    kernel-default-4.12.14-95.88.1, kernel-source-4.12.14-95.88.1, kernel-syms-4.12.14-95.88.1
SUSE OpenStack Cloud 9 (src):    kernel-default-4.12.14-95.88.1, kernel-source-4.12.14-95.88.1, kernel-syms-4.12.14-95.88.1
SUSE Linux Enterprise Server for SAP 12-SP4 (src):    kernel-default-4.12.14-95.88.1, kernel-source-4.12.14-95.88.1, kernel-syms-4.12.14-95.88.1
SUSE Linux Enterprise Server 12-SP4-LTSS (src):    kernel-default-4.12.14-95.88.1, kernel-source-4.12.14-95.88.1, kernel-syms-4.12.14-95.88.1
SUSE Linux Enterprise Live Patching 12-SP4 (src):    kernel-default-4.12.14-95.88.1, kgraft-patch-SLE12-SP4_Update_24-1-6.5.1
SUSE Linux Enterprise High Availability 12-SP4 (src):    kernel-default-4.12.14-95.88.1
