Bugzilla – Bug 1106751
iptables does not work with kernel-default-base
Last modified: 2022-12-23 13:32:26 UTC
Initially reported as https://github.com/kubic-project/automation/pull/474#issuecomment-417329301 Docker (and cri-o) do not work in Kubic VM images as iptables does not work: g47:~ # iptables -L iptables: No chain/target/match by that name.
The missing module is: bpfilter! in ip_sockglue.c: int ip_setsockopt(struct sock *sk, int level, int optname, char __user *optval, unsigned int optlen) { int err; ... err = do_ip_setsockopt(sk, level, optname, optval, optlen); #ifdef CONFIG_BPFILTER if (optname >= BPFILTER_IPT_SO_SET_REPLACE && optname < BPFILTER_IPT_SET_MAX) err = bpfilter_ip_set_sockopt(sk, optname, optval, optlen); #endif #ifdef CONFIG_NETFILTER /* we need to exclude all possible ENOPROTOOPTs except default case */ if (err == -ENOPROTOOPT && optname != IP_HDRINCL && ...) err = nf_setsockopt(sk, PF_INET, optname, optval, optlen); #endif } we see that nf_setsockopt is only called if bpfilter_ip_set_sockopt returns -ENOPROTOOPT. However, it does the following: int (*bpfilter_process_sockopt)(struct sock *sk, int optname, char __user *optval, unsigned int optlen, bool is_set); EXPORT_SYMBOL_GPL(bpfilter_process_sockopt); ... if (!bpfilter_process_sockopt) { int err = request_module("bpfilter"); if (err) return err; if (!bpfilter_process_sockopt) return -ECHILD; } return bpfilter_process_sockopt(sk, optname, optval, optlen, is_set); It implements lazy-loading of the module on the first call and if that fails, returns a value != -ENOPROTOOPT, which thus breaks netfilter. Here the value is 256, which is not even an error code and actually ends up in the userspace program. Confirmed by systemtap (forcing err to -92) and loading bpfilter also makes it succeed. @kstreitova: This was actually handled wrongly in iptables itself, a missing memset(&info, 0, sizeof(info)); in libiptc.c caused it to read garbage. It would be nice to have that fixed as well, even if it's ultimately a kernel bug.
Thanks for identifying this! I pushed the fix to my branch master and stable user branches. Another fix would be to change CONFIG_BPFILTER_UMH to y, but we'd like to keep modular as much as possible in general.
Looks like the bug is back - kernel-default-base in TW is missing bpfilter again. Additionally, the split of kernel-source and kernel-default-base means that TW does currently not rebuild kernel-default-base at all. This means that kernel-default is at 5.0.5 while kernel-default-base remains at 5.0.3 indefinitely.
*** Bug 1131393 has been marked as a duplicate of this bug. ***
(In reply to Fabian Vogt from comment #1) > @kstreitova: This was actually handled wrongly in iptables itself, a missing > memset(&info, 0, sizeof(info)); in libiptc.c caused it to read garbage. It > would be nice > to have that fixed as well, even if it's ultimately a kernel bug. Could you be a little bit more specific, please? Or even better, can you provide a patch if you've already identified where the problem lies? Thanks!
(In reply to Kristyna Streitova from comment #5) > (In reply to Fabian Vogt from comment #1) > > @kstreitova: This was actually handled wrongly in iptables itself, a missing > > memset(&info, 0, sizeof(info)); in libiptc.c caused it to read garbage. It > > would be nice > > to have that fixed as well, even if it's ultimately a kernel bug. > > Could you be a little bit more specific, please? Or even better, can you > provide a patch if you've already identified where the problem lies? Thanks! Sure: diff --git a/libiptc/libiptc.c b/libiptc/libiptc.c index a6e70571..8c03ab42 100644 --- a/libiptc/libiptc.c +++ b/libiptc/libiptc.c @@ -1303,6 +1303,7 @@ TC_INIT(const char *tablename) { struct xtc_handle *h; STRUCT_GETINFO info; + memset(&info, 0, sizeof(info)); unsigned int tmp; socklen_t s; int sockfd; Without this, iptables -L reads garbage from the struct as the kernel never filled it in the bugged case, leading to weird issues like mmapping a few TiB of memory.
(In reply to Fabian Vogt from comment #3) > Looks like the bug is back - kernel-default-base in TW is missing bpfilter > again. > > Additionally, the split of kernel-source and kernel-default-base means that > TW does currently not rebuild kernel-default-base at all. This means that > kernel-default is at 5.0.5 while kernel-default-base remains at 5.0.3 > indefinitely. @msuchanek: Do you plan to revert the split in master/stable as well soon?
Don't we have some OBS setup instead? Putting back to kernel-source is a step back, make the whole effort useless. FWIW, the same problem is applied to a package like perf. We need a general solution in OBS.
(In reply to Takashi Iwai from comment #8) > Don't we have some OBS setup instead? Putting back to kernel-source is a > step back, make the whole effort useless. > > FWIW, the same problem is applied to a package like perf. We need a general > solution in OBS. I can only think of a hacky way to (ab)use the rebuild bot: Add a fake "-rebuildme" subpackage to kernel-default-base.spec which has %(rpm -q --qf 'Requires: %{name} = %{version}-%{release}\n' kernel-default). As the subpackage turns uninstallable once kernel-default changed, it would be rebuilt. @dimstar, @lnussel: Any better idea?
(In reply to Fabian Vogt from comment #9) > I can only think of a hacky way to (ab)use the rebuild bot: Add a fake > "-rebuildme" subpackage to kernel-default-base.spec which has > %(rpm -q --qf 'Requires: %{name} = %{version}-%{release}\n' kernel-default). > > As the subpackage turns uninstallable once kernel-default changed, it would > be rebuilt. > > @dimstar, @lnussel: Any better idea? Yucks - let alone this can't work (ignoring the non-escaped %{version} for now): The release counter is not under control on kernel-default-base: it is - and will remain for a while, at 1.x, until it gets direct source changes, when it turns into 2.x - and actually, weirdly, now it is 1.2.1.6... WTH) So having a requires on a kernel version-release would only make it rebuild forever in an attempt to reach the checking/rebuild counter of kernel-default If anything, we'd need to add it to the parent/child rebuild trigger, as in: https://github.com/openSUSE/openSUSE-release-tools/blob/master/rebuildpacs.pl#L77 But that is also 'just' a workaround - OBS itself has no support for this (except switching to rebuild=direct|transitive, which is too expensive for TW)
I must be missing something. kernel-default-base now BuildRequires kernel-default-devel. Since this binary package is built from kernel-default, it must change whenever kernel-default is rebuilt, triggering a rebuild of kernel-default-base (because of meta change). Why does it not happen for kernel-default-base?
well, if we wanted to rely on rebuildpacs.pl that can be done in a more easy way, it has a list of special packages built in. so just add yet another one :) As long as kernel-default-base has bcntsynctag on kernel-source it should be rebuilt automatically with rebuild counter sync by OBS though.
(In reply to Dominique Leuenberger from comment #10) > (In reply to Fabian Vogt from comment #9) > > I can only think of a hacky way to (ab)use the rebuild bot: Add a fake > > "-rebuildme" subpackage to kernel-default-base.spec which has > > %(rpm -q --qf 'Requires: %{name} = %{version}-%{release}\n' kernel-default). > > > > As the subpackage turns uninstallable once kernel-default changed, it would > > be rebuilt. > > > > @dimstar, @lnussel: Any better idea? > > Yucks - let alone this can't work (ignoring the non-escaped %{version} for > now): > > The release counter is not under control on kernel-default-base: it is - and > will remain for a while, at 1.x, until it gets direct source changes, when > it turns into 2.x - and actually, weirdly, now it is 1.2.1.6... WTH) The kernel version from git is part of the Release: field in the .spec. > So having a requires on a kernel version-release would only make it rebuild > forever in an attempt to reach the checking/rebuild counter of kernel-default It wouldn't - kernel-default-base.spec is separate from kernel-default.spec > If anything, we'd need to add it to the parent/child rebuild trigger, as in: > https://github.com/openSUSE/openSUSE-release-tools/blob/master/rebuildpacs. > pl#L77 Yes, that's cleaner. > But that is also 'just' a workaround - OBS itself has no support for this > (except switching to rebuild=direct|transitive, which is too expensive for > TW) (In reply to Petr Tesařík from comment #11) > I must be missing something. > > kernel-default-base now BuildRequires kernel-default-devel. Since this > binary package is built from kernel-default, it must change whenever > kernel-default is rebuilt, triggering a rebuild of kernel-default-base > (because of meta change). > > Why does it not happen for kernel-default-base? TW does not have rebuild=transient/direct enabled, this is intentional. > (In reply to Ludwig Nussel from comment #12) > well, if we wanted to rely on rebuildpacs.pl that can be done in a more easy > way, it has a list of special packages built in. so just add yet another one > :) > > As long as kernel-default-base has bcntsynctag on kernel-source it should be > rebuilt automatically with rebuild counter sync by OBS though. That might work as well, but would require special configuration everywhere... The current design of a split kernel-default-base.spec has multiple issues: - Needs to be handled separately for maintenance submissions - Is missing debuginfo and debugsources - This rebuild issue
No, I do not plan to revert kernel-default-base If you need a module add it to the module list in kernel-default-base.spec
(In reply to Michal Suchanek from comment #14) > No, I do not plan to revert kernel-default-base > > If you need a module add it to the module list in kernel-default-base.spec I wonder how it got missing - it was working fine before the split. Can you check whether other modules got lost as well? If not, I'll file a sr.
I took the base module list from SLE15. The stable list is missing dw_mmc-bluefield (bsc#1118752) The SLE15 list is missing bpfilter With the separate kernel-default-base you can build it against any kernel that supports it (15 SP1, master, stable) so you can keep just one copy of this module list.
(In reply to Fabian Vogt from comment #6) > diff --git a/libiptc/libiptc.c b/libiptc/libiptc.c > index a6e70571..8c03ab42 100644 > --- a/libiptc/libiptc.c > +++ b/libiptc/libiptc.c > @@ -1303,6 +1303,7 @@ TC_INIT(const char *tablename) > { > struct xtc_handle *h; > STRUCT_GETINFO info; > + memset(&info, 0, sizeof(info)); > unsigned int tmp; > socklen_t s; > int sockfd; > > > Without this, iptables -L reads garbage from the struct as the kernel never > filled it in the bugged case, leading to weird issues like mmapping a few > TiB of memory. Thanks! I've submitted this patch to openSUSE:Factory via sr#691502. It was also reported upstream: https://bugzilla.netfilter.org/show_bug.cgi?id=1331
(In reply to Michal Suchanek from comment #16) > I took the base module list from SLE15. > > The stable list is missing dw_mmc-bluefield (bsc#1118752) > > The SLE15 list is missing bpfilter > > With the separate kernel-default-base you can build it against any kernel > that supports it (15 SP1, master, stable) so you can keep just one copy of > this module list. Ok, I added bpfilter back to the list of networking modules, and created sr 691520. Confirmed to work - iptables -L works and docker starts.
This is an autogenerated message for OBS integration: This bug (1106751) was mentioned in https://build.opensuse.org/request/show/691558 Factory / kernel-default-base
(In reply to Dominique Leuenberger from comment #10) > So having a requires on a kernel version-release would only make it rebuild > forever in an attempt to reach the checking/rebuild counter of kernel-default Why forever? Only until it's built against the current kernel. > > If anything, we'd need to add it to the parent/child rebuild trigger, as in: > https://github.com/openSUSE/openSUSE-release-tools/blob/master/rebuildpacs. > pl#L77 This will not work. You are supposed to be able to build arbitrary subpackages, not just -base. (In reply to Fabian Vogt from comment #9) > > I can only think of a hacky way to (ab)use the rebuild bot: Add a fake > "-rebuildme" subpackage to kernel-default-base.spec which has > %(rpm -q --qf 'Requires: %{name} = %{version}-%{release}\n' kernel-default). > > As the subpackage turns uninstallable once kernel-default changed, it would > be rebuilt. I will add an empty subpackage and try rebuilding the kernel with it.
(In reply to Michal Suchanek from comment #20) > (In reply to Fabian Vogt from comment #9) > > > > I can only think of a hacky way to (ab)use the rebuild bot: Add a fake > > "-rebuildme" subpackage to kernel-default-base.spec which has > > %(rpm -q --qf 'Requires: %{name} = %{version}-%{release}\n' kernel-default). > > > > As the subpackage turns uninstallable once kernel-default changed, it would > > be rebuilt. > > I will add an empty subpackage and try rebuilding the kernel with it. Note that this will only have an effect inside openSUSE:Factory as that's what the bot is running against. So it can't really be tested, other than verifying that OBS says it's not installable.
Can I run this bot against other repository?
(In reply to Michal Suchanek from comment #22) > Can I run this bot against other repository? The source is at https://github.com/openSUSE/openSUSE-release-tools/blob/master/rebuildpacs.pl I'm not sure whether it works against projects which don't contain an entire distro as it only looks for dependencies inside the project itself.
This is an autogenerated message for OBS integration: This bug (1106751) was mentioned in https://build.opensuse.org/request/show/714223 15.0 / kernel-source
SUSE-SU-2019:1829-1: An update that solves 11 vulnerabilities and has 71 fixes is now available. Category: security (important) Bug References: 1051510,1071995,1088047,1094555,1098633,1106383,1106751,1109137,1114279,1119532,1120423,1124167,1127155,1128432,1128902,1128910,1131645,1132154,1132390,1133401,1133738,1134303,1134395,1135296,1135556,1135642,1136157,1136598,1136922,1136935,1137103,1137194,1137429,1137625,1137728,1137884,1137995,1137996,1137998,1137999,1138000,1138002,1138003,1138005,1138006,1138007,1138008,1138009,1138010,1138011,1138012,1138013,1138014,1138015,1138016,1138017,1138018,1138019,1138291,1138293,1138374,1138375,1138589,1138719,1139771,1139782,1139865,1140133,1140328,1140405,1140424,1140428,1140575,1140577,1140637,1140658,1140715,1140719,1140726,1140727,1140728,1140814 CVE References: CVE-2018-16871,CVE-2018-20836,CVE-2019-10126,CVE-2019-10638,CVE-2019-10639,CVE-2019-11599,CVE-2019-12380,CVE-2019-12456,CVE-2019-12614,CVE-2019-12818,CVE-2019-12819 Sources used: SUSE Linux Enterprise Module for Public Cloud 15 (src): kernel-azure-4.12.14-5.33.1, kernel-source-azure-4.12.14-5.33.1, kernel-syms-azure-4.12.14-5.33.1 SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src): kernel-azure-4.12.14-5.33.1, kernel-source-azure-4.12.14-5.33.1, kernel-syms-azure-4.12.14-5.33.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2019:1855-1: An update that solves 12 vulnerabilities and has 73 fixes is now available. Category: security (important) Bug References: 1051510,1061840,1065600,1071995,1088047,1094555,1098633,1106383,1106751,1109137,1114279,1119532,1120423,1124167,1127155,1128432,1128902,1128910,1131645,1132154,1132390,1133401,1133738,1134303,1134395,1135296,1135556,1135642,1136157,1136598,1136922,1136935,1137103,1137194,1137429,1137625,1137728,1137884,1137995,1137996,1137998,1137999,1138000,1138002,1138003,1138005,1138006,1138007,1138008,1138009,1138010,1138011,1138012,1138013,1138014,1138015,1138016,1138017,1138018,1138019,1138291,1138293,1138374,1138375,1138589,1138719,1139751,1139771,1139782,1139865,1140133,1140328,1140405,1140424,1140428,1140575,1140577,1140637,1140658,1140715,1140719,1140726,1140727,1140728,1140814 CVE References: CVE-2018-16871,CVE-2018-20836,CVE-2019-10126,CVE-2019-10638,CVE-2019-10639,CVE-2019-11478,CVE-2019-11599,CVE-2019-12380,CVE-2019-12456,CVE-2019-12614,CVE-2019-12818,CVE-2019-12819 Sources used: SUSE Linux Enterprise Workstation Extension 15 (src): kernel-default-4.12.14-150.27.1 SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src): kernel-default-4.12.14-150.27.1, kernel-docs-4.12.14-150.27.1, kernel-obs-qa-4.12.14-150.27.1 SUSE Linux Enterprise Module for Legacy Software 15 (src): kernel-default-4.12.14-150.27.1 SUSE Linux Enterprise Module for Development Tools 15 (src): kernel-docs-4.12.14-150.27.1, kernel-obs-build-4.12.14-150.27.1, kernel-source-4.12.14-150.27.1, kernel-syms-4.12.14-150.27.1, kernel-vanilla-4.12.14-150.27.1 SUSE Linux Enterprise Module for Basesystem 15 (src): kernel-default-4.12.14-150.27.1, kernel-source-4.12.14-150.27.1, kernel-zfcpdump-4.12.14-150.27.1 SUSE Linux Enterprise High Availability 15 (src): kernel-default-4.12.14-150.27.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2019:1851-1: An update that solves 11 vulnerabilities and has 77 fixes is now available. Category: security (important) Bug References: 1051510,1061840,1065600,1071995,1088047,1094555,1098633,1106383,1106751,1109137,1114279,1119532,1120423,1124167,1127155,1128432,1128902,1128910,1132154,1132390,1133401,1133738,1134303,1134395,1135296,1135556,1135642,1136157,1136811,1136922,1137103,1137194,1137221,1137366,1137429,1137625,1137728,1137884,1137995,1137996,1137998,1137999,1138000,1138002,1138003,1138005,1138006,1138007,1138008,1138009,1138010,1138011,1138012,1138013,1138014,1138015,1138016,1138017,1138018,1138019,1138291,1138293,1138374,1138375,1138589,1138719,1139751,1139771,1139782,1139865,1140133,1140328,1140405,1140424,1140428,1140575,1140577,1140637,1140658,1140715,1140719,1140726,1140727,1140728,1140814,1140948,821419,945811 CVE References: CVE-2018-16871,CVE-2018-20836,CVE-2019-10126,CVE-2019-10638,CVE-2019-10639,CVE-2019-11478,CVE-2019-11599,CVE-2019-12456,CVE-2019-12614,CVE-2019-12818,CVE-2019-12819 Sources used: SUSE Linux Enterprise Live Patching 12-SP4 (src): kgraft-patch-SLE12-SP4_Update_6-1-6.5.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2019:1855-1: An update that solves 12 vulnerabilities and has 73 fixes is now available. Category: security (important) Bug References: 1051510,1061840,1065600,1071995,1088047,1094555,1098633,1106383,1106751,1109137,1114279,1119532,1120423,1124167,1127155,1128432,1128902,1128910,1131645,1132154,1132390,1133401,1133738,1134303,1134395,1135296,1135556,1135642,1136157,1136598,1136922,1136935,1137103,1137194,1137429,1137625,1137728,1137884,1137995,1137996,1137998,1137999,1138000,1138002,1138003,1138005,1138006,1138007,1138008,1138009,1138010,1138011,1138012,1138013,1138014,1138015,1138016,1138017,1138018,1138019,1138291,1138293,1138374,1138375,1138589,1138719,1139751,1139771,1139782,1139865,1140133,1140328,1140405,1140424,1140428,1140575,1140577,1140637,1140658,1140715,1140719,1140726,1140727,1140728,1140814 CVE References: CVE-2018-16871,CVE-2018-20836,CVE-2019-10126,CVE-2019-10638,CVE-2019-10639,CVE-2019-11478,CVE-2019-11599,CVE-2019-12380,CVE-2019-12456,CVE-2019-12614,CVE-2019-12818,CVE-2019-12819 Sources used: SUSE Linux Enterprise Workstation Extension 15 (src): kernel-default-4.12.14-150.27.1 SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src): kernel-default-4.12.14-150.27.1, kernel-docs-4.12.14-150.27.1, kernel-obs-qa-4.12.14-150.27.1 SUSE Linux Enterprise Module for Live Patching 15 (src): kernel-default-4.12.14-150.27.1, kernel-livepatch-SLE15_Update_12-1-1.5.1 SUSE Linux Enterprise Module for Legacy Software 15 (src): kernel-default-4.12.14-150.27.1 SUSE Linux Enterprise Module for Development Tools 15 (src): kernel-docs-4.12.14-150.27.1, kernel-obs-build-4.12.14-150.27.1, kernel-source-4.12.14-150.27.1, kernel-syms-4.12.14-150.27.1, kernel-vanilla-4.12.14-150.27.1 SUSE Linux Enterprise Module for Basesystem 15 (src): kernel-default-4.12.14-150.27.1, kernel-source-4.12.14-150.27.1, kernel-zfcpdump-4.12.14-150.27.1 SUSE Linux Enterprise High Availability 15 (src): kernel-default-4.12.14-150.27.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2019:1851-1: An update that solves 11 vulnerabilities and has 77 fixes is now available. Category: security (important) Bug References: 1051510,1061840,1065600,1071995,1088047,1094555,1098633,1106383,1106751,1109137,1114279,1119532,1120423,1124167,1127155,1128432,1128902,1128910,1132154,1132390,1133401,1133738,1134303,1134395,1135296,1135556,1135642,1136157,1136811,1136922,1137103,1137194,1137221,1137366,1137429,1137625,1137728,1137884,1137995,1137996,1137998,1137999,1138000,1138002,1138003,1138005,1138006,1138007,1138008,1138009,1138010,1138011,1138012,1138013,1138014,1138015,1138016,1138017,1138018,1138019,1138291,1138293,1138374,1138375,1138589,1138719,1139751,1139771,1139782,1139865,1140133,1140328,1140405,1140424,1140428,1140575,1140577,1140637,1140658,1140715,1140719,1140726,1140727,1140728,1140814,1140948,821419,945811 CVE References: CVE-2018-16871,CVE-2018-20836,CVE-2019-10126,CVE-2019-10638,CVE-2019-10639,CVE-2019-11478,CVE-2019-11599,CVE-2019-12456,CVE-2019-12614,CVE-2019-12818,CVE-2019-12819 Sources used: SUSE Linux Enterprise Workstation Extension 12-SP4 (src): kernel-default-4.12.14-95.24.1 SUSE Linux Enterprise Software Development Kit 12-SP4 (src): kernel-docs-4.12.14-95.24.1, kernel-obs-build-4.12.14-95.24.1 SUSE Linux Enterprise Server 12-SP4 (src): kernel-default-4.12.14-95.24.1, kernel-source-4.12.14-95.24.1, kernel-syms-4.12.14-95.24.1 SUSE Linux Enterprise Live Patching 12-SP4 (src): kgraft-patch-SLE12-SP4_Update_6-1-6.5.1 SUSE Linux Enterprise High Availability 12-SP4 (src): kernel-default-4.12.14-95.24.1 SUSE Linux Enterprise Desktop 12-SP4 (src): kernel-default-4.12.14-95.24.1, kernel-source-4.12.14-95.24.1, kernel-syms-4.12.14-95.24.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
openSUSE-SU-2019:1716-1: An update that solves 7 vulnerabilities and has 45 fixes is now available. Category: security (important) Bug References: 1051510,1071995,1088047,1094555,1098633,1106383,1106751,1109137,1114279,1119532,1120423,1124167,1127155,1128902,1128910,1131645,1132154,1132390,1133401,1133738,1134303,1134395,1135296,1135556,1135642,1136157,1136935,1137103,1137194,1137625,1137728,1137884,1138589,1138719,1139771,1139782,1139865,1140133,1140328,1140405,1140424,1140428,1140575,1140577,1140637,1140658,1140715,1140719,1140726,1140727,1140728,1140814 CVE References: CVE-2018-16871,CVE-2018-20836,CVE-2019-10126,CVE-2019-10638,CVE-2019-10639,CVE-2019-11599,CVE-2019-12614 Sources used: openSUSE Leap 15.0 (src): kernel-debug-4.12.14-lp150.12.67.1, kernel-default-4.12.14-lp150.12.67.1, kernel-docs-4.12.14-lp150.12.67.1, kernel-kvmsmall-4.12.14-lp150.12.67.1, kernel-obs-build-4.12.14-lp150.12.67.1, kernel-obs-qa-4.12.14-lp150.12.67.1, kernel-source-4.12.14-lp150.12.67.1, kernel-syms-4.12.14-lp150.12.67.1, kernel-vanilla-4.12.14-lp150.12.67.1
SUSE-SU-2019:2430-1: An update that solves 45 vulnerabilities and has 474 fixes is now available. Category: security (important) Bug References: 1050242,1050549,1051510,1052904,1053043,1055117,1055121,1055186,1056787,1058115,1061840,1064802,1065600,1065729,1066129,1070872,1071995,1075020,1082387,1082555,1083647,1083710,1085535,1085536,1088047,1088804,1093389,1094555,1096003,1098633,1099658,1102247,1103186,1103259,1103990,1103991,1103992,1104745,1106011,1106284,1106383,1106751,1108193,1108838,1108937,1109837,1110946,1111331,1111666,1111696,1112063,1112128,1112178,1112374,1113722,1113956,1114279,1114427,1114542,1114638,1114685,1115688,1117114,1117158,1117561,1118139,1119113,1119222,1119532,1119680,1120091,1120318,1120423,1120566,1120843,1120902,1122767,1122776,1123080,1123454,1123663,1124503,1124839,1125703,1126206,1126356,1126704,1127034,1127175,1127315,1127371,1127374,1127611,1127616,1128052,1128415,1128432,1128544,1128902,1128904,1128971,1128979,1129138,1129273,1129693,1129770,1129845,1130195,1130425,1130527,1130567,1130579,1130699,1130836,1130937,1130972,1131326,1131427,1131438,1131451,1131467,1131488,1131530,1131565,1131574,1131587,1131645,1131659,1131673,1131847,1131848,1131851,1131900,1131934,1131935,1132044,1132219,1132226,1132227,1132365,1132368,1132369,1132370,1132372,1132373,1132384,1132390,1132397,1132402,1132403,1132404,1132405,1132407,1132411,1132412,1132413,1132414,1132426,1132527,1132531,1132555,1132558,1132561,1132562,1132563,1132564,1132570,1132571,1132572,1132589,1132618,1132673,1132681,1132726,1132828,1132894,1132943,1132982,1133005,1133016,1133021,1133094,1133095,1133115,1133149,1133176,1133188,1133190,1133311,1133320,1133401,1133486,1133529,1133547,1133584,1133593,1133612,1133616,1133667,1133668,1133672,1133674,1133675,1133698,1133702,1133731,1133738,1133769,1133772,1133774,1133778,1133779,1133780,1133825,1133850,1133851,1133852,1133897,1134090,1134097,1134160,1134162,1134199,1134200,1134201,1134202,1134203,1134204,1134205,1134223,1134303,1134354,1134390,1134393,1134395,1134397,1134399,1134459,1134460,1134461,1134597,1134600,1134607,1134618,1134651,1134671,1134730,1134738,1134743,1134760,1134806,1134810,1134813,1134848,1134936,1134945,1134946,1134947,1134948,1134949,1134950,1134951,1134952,1134953,1134972,1134974,1134975,1134980,1134981,1134983,1134987,1134989,1134990,1134994,1134995,1134998,1134999,1135006,1135007,1135008,1135018,1135021,1135024,1135026,1135027,1135028,1135029,1135031,1135033,1135034,1135035,1135036,1135037,1135038,1135039,1135041,1135042,1135044,1135045,1135046,1135047,1135049,1135051,1135052,1135053,1135055,1135056,1135058,1135100,1135120,1135153,1135278,1135281,1135296,1135309,1135312,1135314,1135315,1135316,1135320,1135323,1135330,1135335,1135492,1135542,1135556,1135603,1135642,1135661,1135758,1135897,1136156,1136157,1136161,1136188,1136206,1136215,1136217,1136264,1136271,1136333,1136342,1136343,1136345,1136347,1136348,1136353,1136424,1136428,1136430,1136432,1136434,1136435,1136438,1136439,1136456,1136460,1136461,1136462,1136467,1136469,1136477,1136478,1136498,1136573,1136586,1136598,1136881,1136922,1136935,1136978,1136990,1137103,1137151,1137152,1137153,1137162,1137194,1137201,1137224,1137232,1137233,1137236,1137366,1137372,1137429,1137444,1137458,1137534,1137535,1137584,1137586,1137609,1137625,1137728,1137739,1137752,1137811,1137827,1137884,1137985,1137995,1137996,1137998,1137999,1138000,1138002,1138003,1138005,1138006,1138007,1138008,1138009,1138010,1138011,1138012,1138013,1138014,1138015,1138016,1138017,1138018,1138019,1138263,1138291,1138293,1138336,1138374,1138375,1138589,1138681,1138719,1138732,1138874,1138879,1139358,1139619,1139712,1139751,1139771,1139865,1140133,1140139,1140228,1140322,1140328,1140405,1140424,1140428,1140454,1140463,1140559,1140575,1140577,1140637,1140652,1140658,1140676,1140715,1140719,1140726,1140727,1140728,1140814,1140887,1140888,1140889,1140891,1140893,1140903,1140945,1140948,1140954,1140955,1140956,1140957,1140958,1140959,1140960,1140961,1140962,1140964,1140971,1140972,1140992,1141312,1141401,1141402,1141452,1141453,1141454,1141478,1141558,1142023,1142052,1142083,1142112,1142115,1142119,1142220,1142221,1142254,1142350,1142351,1142354,1142359,1142450,1142623,1142673,1142701,1142868,1143003,1143045,1143105,1143185,1143189,1143191,1143209,1143507 CVE References: CVE-2017-5753,CVE-2018-12126,CVE-2018-12127,CVE-2018-12130,CVE-2018-16871,CVE-2018-16880,CVE-2018-20836,CVE-2018-20855,CVE-2018-7191,CVE-2019-10124,CVE-2019-10638,CVE-2019-10639,CVE-2019-11085,CVE-2019-11091,CVE-2019-1125,CVE-2019-11477,CVE-2019-11478,CVE-2019-11479,CVE-2019-11486,CVE-2019-11487,CVE-2019-11599,CVE-2019-11810,CVE-2019-11811,CVE-2019-11815,CVE-2019-11833,CVE-2019-11884,CVE-2019-12380,CVE-2019-12382,CVE-2019-12456,CVE-2019-12614,CVE-2019-12817,CVE-2019-12818,CVE-2019-12819,CVE-2019-13233,CVE-2019-13631,CVE-2019-13648,CVE-2019-14283,CVE-2019-14284,CVE-2019-3846,CVE-2019-3882,CVE-2019-5489,CVE-2019-8564,CVE-2019-9003,CVE-2019-9500,CVE-2019-9503 Sources used: SUSE Linux Enterprise Module for Realtime 15-SP1 (src): kernel-rt-4.12.14-14.8.1, kernel-rt_debug-4.12.14-14.8.1, kernel-source-rt-4.12.14-14.8.1, kernel-syms-rt-4.12.14-14.8.1 SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src): kernel-rt-4.12.14-14.8.1, kernel-rt_debug-4.12.14-14.8.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2019:2450-1: An update that solves 21 vulnerabilities and has 160 fixes is now available. Category: security (important) Bug References: 1012382,1051510,1053043,1055117,1061840,1065600,1065729,1068032,1071995,1083647,1083710,1088047,1094555,1098633,1102247,1106383,1106751,1109137,1111666,11123080,1112824,1113722,1114279,1115688,1117158,1118139,1119222,1120423,1120566,1124167,1124503,1127034,1127155,1127315,1128432,1128902,1128910,1129770,1130972,1132154,1132390,1133021,1133401,1133738,1134097,1134303,1134390,1134393,1134395,1134399,1134671,1135296,1135335,1135556,1135642,1135661,1136157,1136424,1136598,1136811,1136896,1136922,1136935,1136990,1137103,1137162,1137194,1137366,1137372,1137429,1137444,1137458,1137534,1137535,1137584,1137586,1137609,1137625,1137728,1137739,1137752,1137811,1137827,1137884,1137995,1137996,1137998,1137999,1138000,1138002,1138003,1138005,1138006,1138007,1138008,1138009,1138010,1138011,1138012,1138013,1138014,1138015,1138016,1138017,1138018,1138019,1138291,1138293,1138374,1138375,1138589,1138719,1139358,1139751,1139771,1139782,1139865,1140133,1140139,1140322,1140328,1140405,1140424,1140428,1140575,1140577,1140637,1140652,1140658,1140715,1140719,1140726,1140727,1140728,1140814,1140887,1140888,1140889,1140891,1140893,1140903,1140945,1140954,1140955,1140956,1140957,1140958,1140959,1140960,1140961,1140962,1140964,1140971,1140972,1140992,1141401,1141402,1141452,1141453,1141454,1141478,1141488,1142023,1142112,1142220,1142221,1142265,1142350,1142351,1142354,1142359,1142450,1142701,1142868,1143003,1143045,1143105,1143185,1143189,1143191,1143507 CVE References: CVE-2018-16871,CVE-2018-20836,CVE-2018-20855,CVE-2019-10126,CVE-2019-10638,CVE-2019-10639,CVE-2019-1125,CVE-2019-11477,CVE-2019-11478,CVE-2019-11599,CVE-2019-11810,CVE-2019-12380,CVE-2019-12456,CVE-2019-12614,CVE-2019-12818,CVE-2019-12819,CVE-2019-13631,CVE-2019-13648,CVE-2019-14283,CVE-2019-14284,CVE-2019-3846 Sources used: SUSE Linux Enterprise Real Time Extension 12-SP4 (src): kernel-rt-4.12.14-8.3.1, kernel-rt_debug-4.12.14-8.3.1, kernel-source-rt-4.12.14-8.3.1, kernel-syms-rt-4.12.14-8.3.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2019:2756-1: An update that solves 44 vulnerabilities and has 368 fixes is now available. Category: security (important) Bug References: 1012382,1047238,1050911,1051510,1053043,1054914,1055117,1056686,1060662,1061840,1061843,1064597,1064701,1065600,1065729,1066369,1071009,1071306,1071995,1078248,1082555,1083647,1083710,1085030,1085536,1085539,1086103,1087092,1088047,1090734,1091171,1093205,1094555,1098633,1102097,1102247,1104902,1104967,1106061,1106284,1106383,1106434,1106751,1108382,1109137,1109158,1111666,1112178,1112894,1112899,1112902,1112903,1112905,1112906,1112907,1113722,1114279,1114542,1115688,1117158,1118139,1118689,1119086,1119222,1119532,1120423,1120566,1120876,1120902,1120937,1123034,1123080,1123105,1123959,1124167,1124370,1124503,1127034,1127155,1127315,1127988,1128432,1128902,1128910,1129424,1129519,1129664,1129770,1130972,1131107,1131281,1131304,1131565,1132154,1132390,1132686,1133021,1133401,1134097,1134291,1134303,1134390,1134671,1134881,1134882,1135219,1135296,1135335,1135556,1135642,1135661,1135897,1136157,1136261,1136811,1136896,1136935,1136990,1137069,1137162,1137221,1137366,1137372,1137429,1137444,1137458,1137534,1137535,1137584,1137586,1137609,1137625,1137728,1137739,1137752,1137811,1137827,1137865,1137884,1137959,1137995,1137996,1137998,1137999,1138000,1138002,1138003,1138005,1138006,1138007,1138008,1138009,1138010,1138011,1138012,1138013,1138014,1138015,1138016,1138017,1138018,1138019,1138374,1138375,1138539,1138589,1138719,1139020,1139021,1139101,1139500,1139771,1139782,1139865,1140012,1140133,1140139,1140155,1140322,1140328,1140405,1140424,1140426,1140428,1140487,1140637,1140652,1140658,1140715,1140719,1140726,1140727,1140728,1140814,1140887,1140888,1140889,1140891,1140893,1140903,1140945,1140948,1140954,1140955,1140956,1140957,1140958,1140959,1140960,1140961,1140962,1140964,1140971,1140972,1140992,1141013,1141401,1141402,1141450,1141452,1141453,1141454,1141478,1141543,1141554,1142019,1142076,1142109,1142112,1142117,1142118,1142119,1142129,1142220,1142221,1142350,1142351,1142354,1142359,1142450,1142496,1142541,1142635,1142685,1142701,1142857,1142868,1143003,1143105,1143185,1143300,1143466,1143507,1143765,1143841,1143843,1144123,1144333,1144474,1144518,1144718,1144813,1144880,1144886,1144912,1144920,1144979,1145010,1145024,1145051,1145059,1145189,1145235,1145300,1145302,1145388,1145389,1145390,1145391,1145392,1145393,1145394,1145395,1145396,1145397,1145408,1145409,1145661,1145678,1145687,1145920,1145922,1145934,1145937,1145940,1145941,1145942,1146042,1146074,1146084,1146163,1146285,1146346,1146351,1146352,1146361,1146376,1146378,1146381,1146391,1146399,1146413,1146425,1146512,1146514,1146516,1146519,1146524,1146526,1146529,1146531,1146540,1146543,1146547,1146550,1146575,1146589,1146664,1146678,1146938,1148031,1148032,1148033,1148034,1148035,1148093,1148133,1148192,1148196,1148198,1148202,1148303,1148363,1148379,1148394,1148527,1148574,1148616,1148617,1148619,1148698,1148712,1148859,1148868,1149053,1149083,1149104,1149105,1149106,1149197,1149214,1149224,1149313,1149325,1149376,1149413,1149418,1149424,1149446,1149522,1149527,1149539,1149552,1149555,1149591,1149602,1149612,1149626,1149651,1149652,1149713,1149940,1149959,1149963,1149976,1150025,1150033,1150112,1150381,1150423,1150562,1150727,1150860,1150861,1150933,1151350,1151610,1151667,1151671,1151891,1151955,1152024,1152025,1152026,1152161,1152325,1152457,1152460,1152466,1152972,1152974,1152975 CVE References: CVE-2017-18551,CVE-2017-18595,CVE-2018-20976,CVE-2018-21008,CVE-2019-10207,CVE-2019-11479,CVE-2019-14814,CVE-2019-14815,CVE-2019-14816,CVE-2019-14821,CVE-2019-14835,CVE-2019-15030,CVE-2019-15031,CVE-2019-15090,CVE-2019-15098,CVE-2019-15117,CVE-2019-15118,CVE-2019-15211,CVE-2019-15212,CVE-2019-15214,CVE-2019-15215,CVE-2019-15216,CVE-2019-15217,CVE-2019-15218,CVE-2019-15219,CVE-2019-15220,CVE-2019-15221,CVE-2019-15222,CVE-2019-15239,CVE-2019-15290,CVE-2019-15291,CVE-2019-15292,CVE-2019-15538,CVE-2019-15666,CVE-2019-15902,CVE-2019-15917,CVE-2019-15919,CVE-2019-15920,CVE-2019-15921,CVE-2019-15924,CVE-2019-15926,CVE-2019-15927,CVE-2019-9456,CVE-2019-9506 Sources used: SUSE Linux Enterprise Real Time Extension 12-SP4 (src): kernel-rt-4.12.14-8.6.1, kernel-rt_debug-4.12.14-8.6.1, kernel-source-rt-4.12.14-8.6.1, kernel-syms-rt-4.12.14-8.6.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
With those many updates released this can probably be counted as fixed.