The kernel creates PEM at the build time, and this contains some random bits, and I don't know whether we can suppress the randomness.

The list order for Symbols.list and ipa-clones.list could be sorted easily, I guess.  Adding Miroslav to Cc for those.

ipa-clones.list can be sorted. That is just a list of files which serves as an input for a tool we have.

Symbols.list is not so straightforward. It is a mapping between symbols and their parent objects (either vmlinux, or a kernel module). The list of symbols for each such object corresponds to "nm" output. It is important to keep the order of symbols. The objects can be appended randomly, but that is not a solution, I guess.

So, could you give an example of Symbols.list differences between builds? Maybe we could tweak rpm/klp-symbols script living in our kernel repository to be consistent.

(In reply to Takashi Iwai from comment #1)
> The kernel creates PEM at the build time, and this contains some random
> bits, and I don't know whether we can suppress the randomness.

Why does it create one?

IIRC it is created only on first build when rebuilding kernel during development so we could insert one. What is it used for?

(In reply to Michal Suchanek from comment #3)
> (In reply to Takashi Iwai from comment #1)
> > The kernel creates PEM at the build time, and this contains some random
> > bits, and I don't know whether we can suppress the randomness.
> 
> Why does it create one?

Because we set CONFIG_MODULE_SIG_KEY="certs/signing_key.pem" :)

> IIRC it is created only on first build when rebuilding kernel during
> development so we could insert one. What is it used for?

If there is a mechanism to provide a PEM with a private key via OBS, that would work.  But, we currently take only the SSL cert, right?

Adding Joey to Cc.

(In reply to Takashi Iwai from comment #4)
> (In reply to Michal Suchanek from comment #3)
> > (In reply to Takashi Iwai from comment #1)
> > > The kernel creates PEM at the build time, and this contains some random
> > > bits, and I don't know whether we can suppress the randomness.
> > 
> > Why does it create one?
> 
> Because we set CONFIG_MODULE_SIG_KEY="certs/signing_key.pem" :)

And we don't sign the modules in the kernel, we sign them with pesign-obs-integration and the key is random so it does not help anything AFAIK. Can we drop it or does anything require this option to be enabled?

How are modules signed when somebody just builds a tree locally without rpmbuild?

> 
> > IIRC it is created only on first build when rebuilding kernel during
> > development so we could insert one. What is it used for?
> 
> If there is a mechanism to provide a PEM with a private key via OBS, that
> would work.  But, we currently take only the SSL cert, right?

(In reply to Michal Suchanek from comment #5)
> (In reply to Takashi Iwai from comment #4)
> > (In reply to Michal Suchanek from comment #3)
> > > (In reply to Takashi Iwai from comment #1)
> > > > The kernel creates PEM at the build time, and this contains some random
> > > > bits, and I don't know whether we can suppress the randomness.
> > > 
> > > Why does it create one?
> > 
> > Because we set CONFIG_MODULE_SIG_KEY="certs/signing_key.pem" :)
> 
> And we don't sign the modules in the kernel, we sign them with
> pesign-obs-integration and the key is random so it does not help anything
> AFAIK. Can we drop it or does anything require this option to be enabled?

Right, we should make this empty as mentioned in Documentation/kbuild/reproducible-builds.rst.

> How are modules signed when somebody just builds a tree locally without
> rpmbuild?

"make modules_install" invokes sign-file for each module.

(In reply to Takashi Iwai from comment #6)
> (In reply to Michal Suchanek from comment #5)
> > (In reply to Takashi Iwai from comment #4)
> > > (In reply to Michal Suchanek from comment #3)
> > > > (In reply to Takashi Iwai from comment #1)
> > > > > The kernel creates PEM at the build time, and this contains some random
> > > > > bits, and I don't know whether we can suppress the randomness.
> > > > 
> > > > Why does it create one?
> > > 
> > > Because we set CONFIG_MODULE_SIG_KEY="certs/signing_key.pem" :)
> > 
> > And we don't sign the modules in the kernel, we sign them with
> > pesign-obs-integration and the key is random so it does not help anything
> > AFAIK. Can we drop it or does anything require this option to be enabled?
> 
> Right, we should make this empty as mentioned in
> Documentation/kbuild/reproducible-builds.rst.
> 
> > How are modules signed when somebody just builds a tree locally without
> > rpmbuild?
> 
> "make modules_install" invokes sign-file for each module.

And it uses this random key, right?

(In reply to Michal Suchanek from comment #5)
> (In reply to Takashi Iwai from comment #4)
> > (In reply to Michal Suchanek from comment #3)
> > > (In reply to Takashi Iwai from comment #1)
> > > > The kernel creates PEM at the build time, and this contains some random
> > > > bits, and I don't know whether we can suppress the randomness.
> > > 
> > > Why does it create one?
> > 
> > Because we set CONFIG_MODULE_SIG_KEY="certs/signing_key.pem" :)
> 
> And we don't sign the modules in the kernel, we sign them with
> pesign-obs-integration and the key is random so it does not help anything
> AFAIK. Can we drop it or does anything require this option to be enabled?
> 
> How are modules signed when somebody just builds a tree locally without
> rpmbuild?
> 
> > 
> > > IIRC it is created only on first build when rebuilding kernel during
> > > development so we could insert one. What is it used for?
> > 
> > If there is a mechanism to provide a PEM with a private key via OBS, that
> > would work.  But, we currently take only the SSL cert, right?

(In reply to Takashi Iwai from comment #6)
> (In reply to Michal Suchanek from comment #5)
> > (In reply to Takashi Iwai from comment #4)
> > > (In reply to Michal Suchanek from comment #3)
> > > > (In reply to Takashi Iwai from comment #1)
> > > > > The kernel creates PEM at the build time, and this contains some random
> > > > > bits, and I don't know whether we can suppress the randomness.
> > > > 
> > > > Why does it create one?
> > > 
> > > Because we set CONFIG_MODULE_SIG_KEY="certs/signing_key.pem" :)
> > 
> > And we don't sign the modules in the kernel, we sign them with
> > pesign-obs-integration and the key is random so it does not help anything
> > AFAIK. Can we drop it or does anything require this option to be enabled?
> 
> Right, we should make this empty as mentioned in
> Documentation/kbuild/reproducible-builds.rst.
> 

I agree that we can set CONFIG_MODULE_SIG_KEY to empty.

By default, kernel only includes certs/signing_key.x509 to system_certificate_list. I think that OBS put signkey certificate to certs/signing_key.x509 for embedded to kernel. So we don't need generate certs/signing_key.pem every time.

> > How are modules signed when somebody just builds a tree locally without
> > rpmbuild?
> 
> "make modules_install" invokes sign-file for each module.

SLE/openSUSE config do not set CONFIG_MODULE_SIG_ALL, so sign-file should not be invoked on OBS. Unless we set CONFIG_MODULE_SIG_ALL when local build.

(In reply to Michal Suchanek from comment #7)
> (In reply to Takashi Iwai from comment #6)
> > (In reply to Michal Suchanek from comment #5)
> > > (In reply to Takashi Iwai from comment #4)
> > > > (In reply to Michal Suchanek from comment #3)
> > > > > (In reply to Takashi Iwai from comment #1)
> > > > > > The kernel creates PEM at the build time, and this contains some random
> > > > > > bits, and I don't know whether we can suppress the randomness.
> > > > > 
> > > > > Why does it create one?
> > > > 
> > > > Because we set CONFIG_MODULE_SIG_KEY="certs/signing_key.pem" :)
> > > 
> > > And we don't sign the modules in the kernel, we sign them with
> > > pesign-obs-integration and the key is random so it does not help anything
> > > AFAIK. Can we drop it or does anything require this option to be enabled?
> > 
> > Right, we should make this empty as mentioned in
> > Documentation/kbuild/reproducible-builds.rst.
> > 
> > > How are modules signed when somebody just builds a tree locally without
> > > rpmbuild?
> > 
> > "make modules_install" invokes sign-file for each module.
> 
> And it uses this random key, right?

It uses certs/signing_key.pem by default. And the signing_key.pem will not be re-generated when it exist.

I'm building test kernels with the empty CONFIG_MODULE_SIG_KEY in IBS home:tiwai:test:bsc1187167, and the build itself seems OK, so far.  This looks like the way to go.

Ok, so if I understand this correctly

 - for local non-rpm builds modules are not signed at all because we don't set CONFIG_MODULE_SIG_ALL and if people set it they can set CONFIG_MODULE_SIG_KEY as well
 - for OBS builds kernel is signed with pesign-obs-integration and CONFIG_MODULE_SIG_KEY is unused

-> we can drop CONFIG_MODULE_SIG_KEY without causing any regression for people using our configs, people with custom configs can configure what they want

(In reply to Miroslav Beneš from comment #2)
> Symbols.list is not so straightforward. It is a mapping between symbols and
> their parent objects (either vmlinux, or a kernel module). The list of
> symbols for each such object corresponds to "nm" output. It is important to
> keep the order of symbols. The objects can be appended randomly, but that is
> not a solution, I guess.
> 
> So, could you give an example of Symbols.list differences between builds?
> Maybe we could tweak rpm/klp-symbols script living in our kernel repository
> to be consistent.

I uploaded 2 samples to
/suse/bwiedemann/Export/temp/Symbols.list.tar.xz
aka https://w3.suse.de/~bwiedemann/temp/Symbols.list.tar.xz

I think the trick is to sort the file list, so overall nm output does not vary in order. I'll try this patch to
klp-symbols
-find "$MODVER_DIR" -iname '*.mod' | while read KMOD ; do
+find "$MODVER_DIR" -iname '*.mod' | sort | while read KMOD ; do

Hi Takashi,

I am also pushing kernel to IBS, but upload is low on my site.

(In reply to Takashi Iwai from comment #10)
> I'm building test kernels with the empty CONFIG_MODULE_SIG_KEY in IBS
> home:tiwai:test:bsc1187167, and the build itself seems OK, so far.  This
> looks like the way to go.

I believe that certs/signing_key.x509 still be embedded in kernel even CONFIG_MODULE_SIG_KEY is empty. Did you see the embedded key to load in dmesg?

Thanks!

(In reply to Michal Suchanek from comment #11)
> Ok, so if I understand this correctly
> 
>  - for local non-rpm builds modules are not signed at all because we don't
> set CONFIG_MODULE_SIG_ALL and if people set it they can set
> CONFIG_MODULE_SIG_KEY as well
>  - for OBS builds kernel is signed with pesign-obs-integration and
> CONFIG_MODULE_SIG_KEY is unused
> 
> -> we can drop CONFIG_MODULE_SIG_KEY without causing any regression for
> people using our configs, people with custom configs can configure what they
> want

That's my understanding, too.

(In reply to Joey Lee from comment #13)
> Hi Takashi,
> 
> I am also pushing kernel to IBS, but upload is low on my site.
> 
> (In reply to Takashi Iwai from comment #10)
> > I'm building test kernels with the empty CONFIG_MODULE_SIG_KEY in IBS
> > home:tiwai:test:bsc1187167, and the build itself seems OK, so far.  This
> > looks like the way to go.
> 
> I believe that certs/signing_key.x509 still be embedded in kernel even
> CONFIG_MODULE_SIG_KEY is empty. Did you see the embedded key to load in
> dmesg?

I haven't reached that point yet, still waiting for the build finish :)
Let's see.  You can fetch the kernel from IBS repo, too.

The result with the empty CONFIG_MODULE_SIG_KEY looks positive, so I pushed to for-next branch.  One bird shot down.

Created attachment 850207 [details]
[PATCH] Create Symbols.list and ipa-clones.list determistically

(In reply to Bernhard Wiedemann from comment #17)
> Created attachment 850207 [details]
> [PATCH] Create Symbols.list and ipa-clones.list determistically

Thanks, I will add it to packaging.

Very good.
CONFIG_MODULE_SIG_KEY="" and my patch together allowed for 2 bit-identical osc builds outside of OBS (so no extra signing).

Be sure to get fixes both into Factory and SLE.

Can we somehow make this bug public?

yes, change the classification field to openSUSE.

As the reporter you might be able to do that.

I pushed CONFIG_MODULE_SIG_KEY changes to master and stable branches, too.

The changes have been merged.  Let's close.

This breaks kernel module loading with secure boot , see bug 1187711

(Problem is that the signing key is no longer embedded into the built kernel.)

The CONFIG_MODULE_SIG_KEY change broke the signing, and it should be reverted.  Reopened.

Bernhard, how did you build the package for comparison?  Is it from the actual build in IBS project, or your local build?

I'm asking it because the build result differs between the local build and the build on BS.  The latter would fetch the project cert, but the former won't.

If that's the case (or in case where no project cert is available in BS), I'm thinking on providing a dummy cert in the source and use it consistently.

I had tested with 2 local builds, because if that is not able to reproduce binaries, comparing local with OBS often will not either.

Yes, a dummy-cert should do the trick.

(In reply to Bernhard Wiedemann from comment #31)
> I had tested with 2 local builds, because if that is not able to reproduce
> binaries, comparing local with OBS often will not either.
> 
> Yes, a dummy-cert should do the trick.

Is that sound from security PoV?

Locally built kernels will accept modules signed by this certificate.

If only having the public key in the package suffices it should be fine, otherwise it makes security of locally built kernels very questionable.

(In reply to Michal Suchanek from comment #33)
> (In reply to Bernhard Wiedemann from comment #31)
> > I had tested with 2 local builds, because if that is not able to reproduce
> > binaries, comparing local with OBS often will not either.
> > 
> > Yes, a dummy-cert should do the trick.
> 
> Is that sound from security PoV?
> 
> Locally built kernels will accept modules signed by this certificate.
> 
> If only having the public key in the package suffices it should be fine,
> otherwise it makes security of locally built kernels very questionable.

Well, the question is whether the secure boot is respected for the local build without any proper key passed.  As for now, the system generated a random key at the build time, and unless user safely moves / removes the private key after the build, it's not safer, either.

One another option would be to modify CONFIG_MODULE_SIG_KEY at the build time when no cert is found.  Maybe that's more feasible.

Created attachment 850571 [details]
PoC patch for set CONFIG_MODULE_SIG_KEY empty

would it be too ugly to do as a macro that can be used in both places where the certificate is searched?

A macro or a script for the search of crt files came to my mind, too, yeah.  Alternatively, the part creating certs/signing_key.pem can be moved at the place I've added (from %build to %prep), and run
  scripts/config --set-str CONFIG_MODULE_SIG_KEY ""
only if certs/signing_key.pem doesn't exist, instead.

In anyway, the PoC patch itself seems working on the local build test, at least.

I'll be on vacation from tomorrow, so feel free to cook and push to relevant branches.  Thanks!

Created attachment 850575 [details]
updated patch

Patch that moves the certificate search to %prep completely.

Needs testing

openSUSE-SU-2021:2184-1: An update that solves four vulnerabilities and has 107 fixes is now available.

Category: security (important)
Bug References: 1087082,1152489,1154353,1174978,1176447,1176771,1177666,1178134,1178378,1178612,1179610,1182999,1183712,1184259,1184436,1184631,1185195,1185428,1185497,1185570,1185589,1185675,1185701,1186155,1186286,1186460,1186463,1186472,1186501,1186672,1186677,1186681,1186752,1186885,1186928,1186949,1186950,1186951,1186952,1186953,1186954,1186955,1186956,1186957,1186958,1186959,1186960,1186961,1186962,1186963,1186964,1186965,1186966,1186967,1186968,1186969,1186970,1186971,1186972,1186973,1186974,1186976,1186977,1186978,1186979,1186980,1186981,1186982,1186983,1186984,1186985,1186986,1186987,1186988,1186989,1186990,1186991,1186992,1186993,1186994,1186995,1186996,1186997,1186998,1186999,1187000,1187001,1187002,1187003,1187038,1187039,1187050,1187052,1187067,1187068,1187069,1187072,1187143,1187144,1187167,1187334,1187344,1187345,1187346,1187347,1187348,1187349,1187350,1187351,1187357,1187711
CVE References: CVE-2020-26558,CVE-2020-36385,CVE-2020-36386,CVE-2021-0129
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    kernel-64kb-5.3.18-59.10.1, kernel-debug-5.3.18-59.10.1, kernel-default-5.3.18-59.10.1, kernel-default-base-5.3.18-59.10.1.18.4.2, kernel-docs-5.3.18-59.10.1, kernel-kvmsmall-5.3.18-59.10.1, kernel-obs-build-5.3.18-59.10.1, kernel-obs-qa-5.3.18-59.10.1, kernel-preempt-5.3.18-59.10.1, kernel-source-5.3.18-59.10.1, kernel-syms-5.3.18-59.10.1, kernel-zfcpdump-5.3.18-59.10.1

SUSE-SU-2021:2184-1: An update that solves four vulnerabilities and has 107 fixes is now available.

Category: security (important)
Bug References: 1087082,1152489,1154353,1174978,1176447,1176771,1177666,1178134,1178378,1178612,1179610,1182999,1183712,1184259,1184436,1184631,1185195,1185428,1185497,1185570,1185589,1185675,1185701,1186155,1186286,1186460,1186463,1186472,1186501,1186672,1186677,1186681,1186752,1186885,1186928,1186949,1186950,1186951,1186952,1186953,1186954,1186955,1186956,1186957,1186958,1186959,1186960,1186961,1186962,1186963,1186964,1186965,1186966,1186967,1186968,1186969,1186970,1186971,1186972,1186973,1186974,1186976,1186977,1186978,1186979,1186980,1186981,1186982,1186983,1186984,1186985,1186986,1186987,1186988,1186989,1186990,1186991,1186992,1186993,1186994,1186995,1186996,1186997,1186998,1186999,1187000,1187001,1187002,1187003,1187038,1187039,1187050,1187052,1187067,1187068,1187069,1187072,1187143,1187144,1187167,1187334,1187344,1187345,1187346,1187347,1187348,1187349,1187350,1187351,1187357,1187711
CVE References: CVE-2020-26558,CVE-2020-36385,CVE-2020-36386,CVE-2021-0129
JIRA References: 
Sources used:
SUSE Linux Enterprise Workstation Extension 15-SP3 (src):    kernel-default-5.3.18-59.10.1, kernel-preempt-5.3.18-59.10.1
SUSE Linux Enterprise Module for Live Patching 15-SP3 (src):    kernel-default-5.3.18-59.10.1, kernel-livepatch-SLE15-SP3_Update_2-1-7.5.1
SUSE Linux Enterprise Module for Legacy Software 15-SP3 (src):    kernel-default-5.3.18-59.10.1
SUSE Linux Enterprise Module for Development Tools 15-SP3 (src):    kernel-docs-5.3.18-59.10.1, kernel-obs-build-5.3.18-59.10.1, kernel-preempt-5.3.18-59.10.1, kernel-source-5.3.18-59.10.1, kernel-syms-5.3.18-59.10.1
SUSE Linux Enterprise Module for Basesystem 15-SP3 (src):    kernel-64kb-5.3.18-59.10.1, kernel-default-5.3.18-59.10.1, kernel-default-base-5.3.18-59.10.1.18.4.2, kernel-preempt-5.3.18-59.10.1, kernel-source-5.3.18-59.10.1, kernel-zfcpdump-5.3.18-59.10.1
SUSE Linux Enterprise High Availability 15-SP3 (src):    kernel-default-5.3.18-59.10.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

SUSE-SU-2021:2202-1: An update that solves four vulnerabilities and has 98 fixes is now available.

Category: security (important)
Bug References: 1152489,1154353,1174978,1176447,1176771,1178134,1178612,1179610,1183712,1184259,1184436,1184631,1185195,1185570,1185589,1185675,1185701,1186155,1186286,1186463,1186472,1186672,1186677,1186752,1186885,1186928,1186949,1186950,1186951,1186952,1186953,1186954,1186955,1186956,1186957,1186958,1186959,1186960,1186961,1186962,1186963,1186964,1186965,1186966,1186967,1186968,1186969,1186970,1186971,1186972,1186973,1186974,1186976,1186977,1186978,1186979,1186980,1186981,1186982,1186983,1186984,1186985,1186986,1186987,1186988,1186989,1186990,1186991,1186992,1186993,1186994,1186995,1186996,1186997,1186998,1186999,1187000,1187001,1187002,1187003,1187038,1187039,1187050,1187052,1187067,1187068,1187069,1187072,1187143,1187144,1187167,1187334,1187344,1187345,1187346,1187347,1187348,1187349,1187350,1187351,1187357,1187711
CVE References: CVE-2020-26558,CVE-2020-36385,CVE-2020-36386,CVE-2021-0129
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Public Cloud 15-SP3 (src):    kernel-azure-5.3.18-38.8.1, kernel-source-azure-5.3.18-38.8.1, kernel-syms-azure-5.3.18-38.8.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

openSUSE-SU-2021:2202-1: An update that solves four vulnerabilities and has 98 fixes is now available.

Category: security (important)
Bug References: 1152489,1154353,1174978,1176447,1176771,1178134,1178612,1179610,1183712,1184259,1184436,1184631,1185195,1185570,1185589,1185675,1185701,1186155,1186286,1186463,1186472,1186672,1186677,1186752,1186885,1186928,1186949,1186950,1186951,1186952,1186953,1186954,1186955,1186956,1186957,1186958,1186959,1186960,1186961,1186962,1186963,1186964,1186965,1186966,1186967,1186968,1186969,1186970,1186971,1186972,1186973,1186974,1186976,1186977,1186978,1186979,1186980,1186981,1186982,1186983,1186984,1186985,1186986,1186987,1186988,1186989,1186990,1186991,1186992,1186993,1186994,1186995,1186996,1186997,1186998,1186999,1187000,1187001,1187002,1187003,1187038,1187039,1187050,1187052,1187067,1187068,1187069,1187072,1187143,1187144,1187167,1187334,1187344,1187345,1187346,1187347,1187348,1187349,1187350,1187351,1187357,1187711
CVE References: CVE-2020-26558,CVE-2020-36385,CVE-2020-36386,CVE-2021-0129
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    kernel-azure-5.3.18-38.8.1, kernel-source-azure-5.3.18-38.8.1, kernel-syms-azure-5.3.18-38.8.1

(In reply to Michal Suchanek from comment #38)
> Created attachment 850575 [details]
> updated patch
> 
> Patch that moves the certificate search to %prep completely.

With this the certificate ends up in kernel-default-devel.

--- kernel-old/kernel-default-devel.x86_64/list 2021-06-30 18:25:33.225079208 +0200
+++ kernel-new/kernel-default-devel.x86_64/list 2021-06-30 18:29:47.140661361 +0200
@@ -35,6 +35,9 @@
 /usr/src/linux-@UNAME_R@-obj/x86_64/default/arch/x86/include/generated/uapi/asm/unistd_32.h
 /usr/src/linux-@UNAME_R@-obj/x86_64/default/arch/x86/include/generated/uapi/asm/unistd_64.h
 /usr/src/linux-@UNAME_R@-obj/x86_64/default/arch/x86/include/generated/uapi/asm/unistd_x32.h
+/usr/src/linux-@UNAME_R@-obj/x86_64/default/certs
+/usr/src/linux-@UNAME_R@-obj/x86_64/default/certs/signing_key.pem
+/usr/src/linux-@UNAME_R@-obj/x86_64/default/certs/x509.genkey
 /usr/src/linux-@UNAME_R@-obj/x86_64/default/include
 /usr/src/linux-@UNAME_R@-obj/x86_64/default/include/config
 /usr/src/linux-@UNAME_R@-obj/x86_64/default/include/config/60xx

There is another copy of the code searching for certificates

if test %CONFIG_MODULE_SIG = "y"; then
    for f in %_sourcedir/*.crt; do
            if ! test -s "$f"; then
                    continue
            fi
            h=$(openssl x509 -inform PEM -fingerprint -noout -in "$f")
            test -n "$h"
            cert=/etc/uefi/certs/$(echo "$h" | \
                sed -rn 's/^SHA1 Fingerprint=//; T; s/://g; s/(.{8}).*/\1/p').crt
            if test -e %buildroot/"$cert"; then
                    continue
            fi
            mkdir -p %buildroot/etc/uefi/certs
            openssl x509 -inform PEM -in "$f" -outform DER -out %buildroot/"$cert"
            certs=("${certs[@]}" "$cert")
    done
fi

(In reply to Michal Suchanek from comment #45)
> (In reply to Michal Suchanek from comment #38)
> > Created attachment 850575 [details]
> > updated patch
> > 
> > Patch that moves the certificate search to %prep completely.
> 
> With this the certificate ends up in kernel-default-devel.

Is the problem still persistent?

(In reply to Takashi Iwai from comment #50)
> (In reply to Michal Suchanek from comment #45)
> > (In reply to Michal Suchanek from comment #38)
> > > Created attachment 850575 [details]
> > > updated patch
> > > 
> > > Patch that moves the certificate search to %prep completely.
> > 
> > With this the certificate ends up in kernel-default-devel.
> 
> Is the problem still persistent?

Yes, I did not get to figuring out a better way yet.

Created attachment 852762 [details]
new patch

The %certs macro has been implemented as part of other changes so this patch became trivial.

Looks like it works - pushing to packaging again.

This is an autogenerated message for OBS integration:
This bug (1187167) was mentioned in
https://build.opensuse.org/request/show/923361 15.2 / kernel-source

SUSE-SU-2021:3339-1: An update that solves 6 vulnerabilities and has 44 fixes is now available.

Category: security (important)
Bug References: 1065729,1148868,1152489,1154353,1159886,1167773,1170774,1173746,1176940,1184439,1184804,1185302,1185677,1185726,1185762,1187167,1188067,1188651,1188986,1189297,1189841,1189884,1190023,1190062,1190115,1190159,1190358,1190406,1190432,1190467,1190523,1190534,1190543,1190576,1190595,1190596,1190598,1190620,1190626,1190679,1190705,1190717,1190746,1190758,1190784,1190785,1191172,1191193,1191240,1191292
CVE References: CVE-2020-3702,CVE-2021-3669,CVE-2021-3744,CVE-2021-3752,CVE-2021-3764,CVE-2021-40490
JIRA References: 
Sources used:
SUSE MicroOS 5.0 (src):    kernel-rt-5.3.18-54.1
SUSE Linux Enterprise Module for Realtime 15-SP2 (src):    kernel-rt-5.3.18-54.1, kernel-rt_debug-5.3.18-54.1, kernel-source-rt-5.3.18-54.1, kernel-syms-rt-5.3.18-54.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

SUSE-SU-2021:3337-1: An update that solves 6 vulnerabilities and has 44 fixes is now available.

Category: security (important)
Bug References: 1065729,1148868,1152489,1154353,1159886,1167773,1170774,1173746,1176940,1184439,1184804,1185302,1185677,1185726,1185762,1187167,1188067,1188651,1188986,1189297,1189841,1189884,1190023,1190062,1190115,1190159,1190358,1190406,1190432,1190467,1190523,1190534,1190543,1190576,1190595,1190596,1190598,1190620,1190626,1190679,1190705,1190717,1190746,1190758,1190784,1190785,1191172,1191193,1191240,1191292
CVE References: CVE-2020-3702,CVE-2021-3669,CVE-2021-3744,CVE-2021-3752,CVE-2021-3764,CVE-2021-40490
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Public Cloud 15-SP2 (src):    kernel-azure-5.3.18-18.69.1, kernel-source-azure-5.3.18-18.69.1, kernel-syms-azure-5.3.18-18.69.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

SUSE-SU-2021:3447-1: An update that solves 6 vulnerabilities and has 44 fixes is now available.

Category: security (important)
Bug References: 1065729,1148868,1152489,1154353,1159886,1167773,1170774,1173746,1176940,1184439,1184804,1185302,1185677,1185726,1185762,1187167,1188067,1188651,1188986,1189297,1189841,1189884,1190023,1190062,1190115,1190159,1190358,1190406,1190432,1190467,1190523,1190534,1190543,1190576,1190595,1190596,1190598,1190620,1190626,1190679,1190705,1190717,1190746,1190758,1190784,1190785,1191172,1191193,1191240,1191292
CVE References: CVE-2020-3702,CVE-2021-3669,CVE-2021-3744,CVE-2021-3752,CVE-2021-3764,CVE-2021-40490
JIRA References: 
Sources used:
SUSE MicroOS 5.0 (src):    kernel-default-5.3.18-24.86.2, kernel-default-base-5.3.18-24.86.2.9.40.2, kmod-25-6.10.1, perl-Bootloader-0.931-3.5.1
SUSE Linux Enterprise Workstation Extension 15-SP2 (src):    kernel-default-5.3.18-24.86.2, kernel-preempt-5.3.18-24.86.2
SUSE Linux Enterprise Module for Live Patching 15-SP2 (src):    kernel-default-5.3.18-24.86.2, kernel-livepatch-SLE15-SP2_Update_20-1-5.3.2
SUSE Linux Enterprise Module for Legacy Software 15-SP2 (src):    kernel-default-5.3.18-24.86.2
SUSE Linux Enterprise Module for Development Tools 15-SP2 (src):    kernel-docs-5.3.18-24.86.2, kernel-obs-build-5.3.18-24.86.2, kernel-preempt-5.3.18-24.86.2, kernel-source-5.3.18-24.86.2, kernel-syms-5.3.18-24.86.1, perl-Bootloader-0.931-3.5.1
SUSE Linux Enterprise Module for Basesystem 15-SP2 (src):    kernel-default-5.3.18-24.86.2, kernel-default-base-5.3.18-24.86.2.9.40.2, kernel-preempt-5.3.18-24.86.2, kernel-source-5.3.18-24.86.2, kmod-25-6.10.1, perl-Bootloader-0.931-3.5.1
SUSE Linux Enterprise High Availability 15-SP2 (src):    kernel-default-5.3.18-24.86.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

openSUSE-SU-2021:3447-1: An update that solves 6 vulnerabilities and has 44 fixes is now available.

Category: security (important)
Bug References: 1065729,1148868,1152489,1154353,1159886,1167773,1170774,1173746,1176940,1184439,1184804,1185302,1185677,1185726,1185762,1187167,1188067,1188651,1188986,1189297,1189841,1189884,1190023,1190062,1190115,1190159,1190358,1190406,1190432,1190467,1190523,1190534,1190543,1190576,1190595,1190596,1190598,1190620,1190626,1190679,1190705,1190717,1190746,1190758,1190784,1190785,1191172,1191193,1191240,1191292
CVE References: CVE-2020-3702,CVE-2021-3669,CVE-2021-3744,CVE-2021-3752,CVE-2021-3764,CVE-2021-40490
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    kmod-25-6.10.1

openSUSE-SU-2021:1357-1: An update that solves 6 vulnerabilities and has 43 fixes is now available.

Category: security (important)
Bug References: 1065729,1148868,1152489,1154353,1159886,1167773,1170774,1173746,1176940,1184439,1184804,1185302,1185677,1185726,1185762,1187167,1188067,1188651,1188986,1189297,1189841,1189884,1190023,1190062,1190115,1190159,1190358,1190406,1190467,1190523,1190534,1190543,1190576,1190595,1190596,1190598,1190620,1190626,1190679,1190705,1190717,1190746,1190758,1190784,1190785,1191172,1191193,1191240,1191292
CVE References: CVE-2020-3702,CVE-2021-3669,CVE-2021-3744,CVE-2021-3752,CVE-2021-3764,CVE-2021-40490
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    kernel-debug-5.3.18-lp152.95.1, kernel-default-5.3.18-lp152.95.1, kernel-default-base-5.3.18-lp152.95.1.lp152.8.44.1, kernel-docs-5.3.18-lp152.95.1, kernel-kvmsmall-5.3.18-lp152.95.1, kernel-obs-build-5.3.18-lp152.95.1, kernel-obs-qa-5.3.18-lp152.95.1, kernel-preempt-5.3.18-lp152.95.1, kernel-source-5.3.18-lp152.95.1, kernel-syms-5.3.18-lp152.95.1

openSUSE-SU-2021:1365-1: An update that solves 6 vulnerabilities and has 44 fixes is now available.

Category: security (important)
Bug References: 1065729,1148868,1152489,1154353,1159886,1167773,1170774,1173746,1176940,1184439,1184804,1185302,1185677,1185726,1185762,1187167,1188067,1188651,1188986,1189297,1189841,1189884,1190023,1190062,1190115,1190159,1190358,1190406,1190432,1190467,1190523,1190534,1190543,1190576,1190595,1190596,1190598,1190620,1190626,1190679,1190705,1190717,1190746,1190758,1190784,1190785,1191172,1191193,1191240,1191292
CVE References: CVE-2020-3702,CVE-2021-3669,CVE-2021-3744,CVE-2021-3752,CVE-2021-3764,CVE-2021-40490
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    kmod-25-lp152.8.3.1, kmod-testsuite-25-lp152.8.3.2

openSUSE-SU-2021:1460-1: An update that solves 15 vulnerabilities and has 40 fixes is now available.

Category: security (important)
Bug References: 1065729,1085030,1100416,1129735,1152489,1154353,1156395,1157177,1167773,1172073,1173604,1176940,1184673,1185762,1186109,1187167,1188563,1188876,1188983,1188985,1189841,1190006,1190067,1190349,1190351,1190479,1190620,1190642,1190795,1190941,1191229,1191238,1191241,1191315,1191317,1191343,1191349,1191384,1191449,1191450,1191451,1191452,1191455,1191456,1191628,1191731,1191800,1191934,1191958,1192036,1192040,1192041,1192107,1192145,1192267
CVE References: CVE-2018-13405,CVE-2021-33033,CVE-2021-34556,CVE-2021-3542,CVE-2021-35477,CVE-2021-3655,CVE-2021-3715,CVE-2021-3760,CVE-2021-3772,CVE-2021-3896,CVE-2021-41864,CVE-2021-42008,CVE-2021-42252,CVE-2021-42739,CVE-2021-43056
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    kernel-debug-5.3.18-lp152.98.1, kernel-default-5.3.18-lp152.98.1, kernel-default-base-5.3.18-lp152.98.1.lp152.8.46.1, kernel-docs-5.3.18-lp152.98.1, kernel-kvmsmall-5.3.18-lp152.98.1, kernel-obs-build-5.3.18-lp152.98.1, kernel-obs-qa-5.3.18-lp152.98.1, kernel-preempt-5.3.18-lp152.98.1, kernel-source-5.3.18-lp152.98.1, kernel-syms-5.3.18-lp152.98.1

SUSE-SU-2021:3642-1: An update that solves 13 vulnerabilities and has 43 fixes is now available.

Category: security (important)
Bug References: 1065729,1085030,1152472,1152489,1156395,1172073,1173604,1176447,1176774,1176914,1178134,1180100,1181147,1184673,1185762,1186063,1186109,1187167,1188563,1189841,1190006,1190067,1190349,1190351,1190479,1190620,1190642,1190795,1190801,1190941,1191229,1191240,1191241,1191315,1191317,1191349,1191384,1191449,1191450,1191451,1191452,1191455,1191456,1191628,1191645,1191663,1191731,1191800,1191867,1191934,1191958,1192040,1192041,1192074,1192107,1192145
CVE References: CVE-2021-33033,CVE-2021-34866,CVE-2021-3542,CVE-2021-3655,CVE-2021-3715,CVE-2021-3760,CVE-2021-3772,CVE-2021-3896,CVE-2021-41864,CVE-2021-42008,CVE-2021-42252,CVE-2021-42739,CVE-2021-43056
JIRA References: 
Sources used:
SUSE MicroOS 5.1 (src):    kernel-rt-5.3.18-60.1
SUSE Linux Enterprise Module for Realtime 15-SP3 (src):    kernel-rt-5.3.18-60.1, kernel-rt_debug-5.3.18-60.1, kernel-source-rt-5.3.18-60.1, kernel-syms-rt-5.3.18-60.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

SUSE-SU-2021:3641-1: An update that solves 13 vulnerabilities and has 43 fixes is now available.

Category: security (important)
Bug References: 1065729,1085030,1152472,1152489,1156395,1172073,1173604,1176447,1176774,1176914,1178134,1180100,1181147,1184673,1185762,1186063,1186109,1187167,1188563,1189841,1190006,1190067,1190349,1190351,1190479,1190620,1190642,1190795,1190801,1190941,1191229,1191240,1191241,1191315,1191317,1191349,1191384,1191449,1191450,1191451,1191452,1191455,1191456,1191628,1191645,1191663,1191731,1191800,1191867,1191934,1191958,1192040,1192041,1192074,1192107,1192145
CVE References: CVE-2021-33033,CVE-2021-34866,CVE-2021-3542,CVE-2021-3655,CVE-2021-3715,CVE-2021-3760,CVE-2021-3772,CVE-2021-3896,CVE-2021-41864,CVE-2021-42008,CVE-2021-42252,CVE-2021-42739,CVE-2021-43056
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Public Cloud 15-SP3 (src):    kernel-azure-5.3.18-38.28.2, kernel-source-azure-5.3.18-38.28.2, kernel-syms-azure-5.3.18-38.28.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

openSUSE-SU-2021:3641-1: An update that solves 13 vulnerabilities and has 43 fixes is now available.

Category: security (important)
Bug References: 1065729,1085030,1152472,1152489,1156395,1172073,1173604,1176447,1176774,1176914,1178134,1180100,1181147,1184673,1185762,1186063,1186109,1187167,1188563,1189841,1190006,1190067,1190349,1190351,1190479,1190620,1190642,1190795,1190801,1190941,1191229,1191240,1191241,1191315,1191317,1191349,1191384,1191449,1191450,1191451,1191452,1191455,1191456,1191628,1191645,1191663,1191731,1191800,1191867,1191934,1191958,1192040,1192041,1192074,1192107,1192145
CVE References: CVE-2021-33033,CVE-2021-34866,CVE-2021-3542,CVE-2021-3655,CVE-2021-3715,CVE-2021-3760,CVE-2021-3772,CVE-2021-3896,CVE-2021-41864,CVE-2021-42008,CVE-2021-42252,CVE-2021-42739,CVE-2021-43056
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    kernel-azure-5.3.18-38.28.2, kernel-source-azure-5.3.18-38.28.2, kernel-syms-azure-5.3.18-38.28.1

SUSE-SU-2021:3640-1: An update that solves 11 vulnerabilities and has 35 fixes is now available.

Category: security (important)
Bug References: 1065729,1085030,1133021,1152489,1154353,1156395,1157177,1167773,1172073,1173604,1176940,1184673,1185762,1186063,1187167,1188563,1189841,1190006,1190067,1190349,1190351,1190479,1190620,1190642,1190795,1190941,1191229,1191241,1191315,1191317,1191384,1191449,1191450,1191451,1191452,1191455,1191456,1191628,1191731,1191800,1191934,1191958,1192040,1192041,1192107,1192145
CVE References: CVE-2021-3542,CVE-2021-3655,CVE-2021-3715,CVE-2021-3760,CVE-2021-3772,CVE-2021-3896,CVE-2021-41864,CVE-2021-42008,CVE-2021-42252,CVE-2021-42739,CVE-2021-43056
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Public Cloud 15-SP2 (src):    kernel-azure-5.3.18-18.72.2, kernel-source-azure-5.3.18-18.72.2, kernel-syms-azure-5.3.18-18.72.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

openSUSE-SU-2021:3655-1: An update that solves 13 vulnerabilities and has 43 fixes is now available.

Category: security (important)
Bug References: 1065729,1085030,1152472,1152489,1156395,1172073,1173604,1176447,1176774,1176914,1178134,1180100,1181147,1184673,1185762,1186063,1186109,1187167,1188563,1189841,1190006,1190067,1190349,1190351,1190479,1190620,1190642,1190795,1190801,1190941,1191229,1191240,1191241,1191315,1191317,1191349,1191384,1191449,1191450,1191451,1191452,1191455,1191456,1191628,1191645,1191663,1191731,1191800,1191867,1191934,1191958,1192040,1192041,1192074,1192107,1192145
CVE References: CVE-2021-33033,CVE-2021-34866,CVE-2021-3542,CVE-2021-3655,CVE-2021-3715,CVE-2021-3760,CVE-2021-3772,CVE-2021-3896,CVE-2021-41864,CVE-2021-42008,CVE-2021-42252,CVE-2021-42739,CVE-2021-43056
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    dtb-aarch64-5.3.18-59.30.1, kernel-64kb-5.3.18-59.30.1, kernel-debug-5.3.18-59.30.1, kernel-default-5.3.18-59.30.1, kernel-default-base-5.3.18-59.30.1.18.17.1, kernel-docs-5.3.18-59.30.1, kernel-kvmsmall-5.3.18-59.30.1, kernel-obs-build-5.3.18-59.30.1, kernel-obs-qa-5.3.18-59.30.1, kernel-preempt-5.3.18-59.30.1, kernel-source-5.3.18-59.30.1, kernel-syms-5.3.18-59.30.1, kernel-zfcpdump-5.3.18-59.30.1

SUSE-SU-2021:3658-1: An update that solves 11 vulnerabilities and has 35 fixes is now available.

Category: security (important)
Bug References: 1065729,1085030,1152489,1154353,1156395,1157177,1167773,1172073,1173604,1176940,1184673,1185762,1186063,1187167,1188563,1189841,1190006,1190067,1190349,1190351,1190479,1190620,1190642,1190795,1190941,1191229,1191241,1191315,1191317,1191349,1191384,1191449,1191450,1191451,1191452,1191455,1191456,1191628,1191731,1191800,1191934,1191958,1192040,1192041,1192107,1192145
CVE References: CVE-2021-3542,CVE-2021-3655,CVE-2021-3715,CVE-2021-3760,CVE-2021-3772,CVE-2021-3896,CVE-2021-41864,CVE-2021-42008,CVE-2021-42252,CVE-2021-42739,CVE-2021-43056
JIRA References: 
Sources used:
SUSE MicroOS 5.0 (src):    kernel-rt-5.3.18-57.1
SUSE Linux Enterprise Module for Realtime 15-SP2 (src):    kernel-rt-5.3.18-57.1, kernel-rt_debug-5.3.18-57.1, kernel-source-rt-5.3.18-57.1, kernel-syms-rt-5.3.18-57.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

SUSE-SU-2021:3655-1: An update that solves 13 vulnerabilities and has 43 fixes is now available.

Category: security (important)
Bug References: 1065729,1085030,1152472,1152489,1156395,1172073,1173604,1176447,1176774,1176914,1178134,1180100,1181147,1184673,1185762,1186063,1186109,1187167,1188563,1189841,1190006,1190067,1190349,1190351,1190479,1190620,1190642,1190795,1190801,1190941,1191229,1191240,1191241,1191315,1191317,1191349,1191384,1191449,1191450,1191451,1191452,1191455,1191456,1191628,1191645,1191663,1191731,1191800,1191867,1191934,1191958,1192040,1192041,1192074,1192107,1192145
CVE References: CVE-2021-33033,CVE-2021-34866,CVE-2021-3542,CVE-2021-3655,CVE-2021-3715,CVE-2021-3760,CVE-2021-3772,CVE-2021-3896,CVE-2021-41864,CVE-2021-42008,CVE-2021-42252,CVE-2021-42739,CVE-2021-43056
JIRA References: 
Sources used:
SUSE MicroOS 5.1 (src):    kernel-default-5.3.18-59.30.1, kernel-default-base-5.3.18-59.30.1.18.17.1
SUSE Linux Enterprise Workstation Extension 15-SP3 (src):    kernel-default-5.3.18-59.30.1, kernel-preempt-5.3.18-59.30.1
SUSE Linux Enterprise Module for Live Patching 15-SP3 (src):    kernel-default-5.3.18-59.30.1, kernel-livepatch-SLE15-SP3_Update_8-1-7.3.1
SUSE Linux Enterprise Module for Legacy Software 15-SP3 (src):    kernel-default-5.3.18-59.30.1
SUSE Linux Enterprise Module for Development Tools 15-SP3 (src):    kernel-docs-5.3.18-59.30.1, kernel-obs-build-5.3.18-59.30.1, kernel-preempt-5.3.18-59.30.1, kernel-source-5.3.18-59.30.1, kernel-syms-5.3.18-59.30.1
SUSE Linux Enterprise Module for Basesystem 15-SP3 (src):    kernel-64kb-5.3.18-59.30.1, kernel-default-5.3.18-59.30.1, kernel-default-base-5.3.18-59.30.1.18.17.1, kernel-preempt-5.3.18-59.30.1, kernel-source-5.3.18-59.30.1, kernel-zfcpdump-5.3.18-59.30.1
SUSE Linux Enterprise High Availability 15-SP3 (src):    kernel-default-5.3.18-59.30.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

openSUSE-SU-2021:1477-1: An update that solves 15 vulnerabilities and has 41 fixes is now available.

Category: security (important)
Bug References: 1065729,1085030,1100416,1129735,1152489,1154353,1156395,1157177,1167773,1172073,1173604,1176940,1184673,1185762,1186109,1187167,1188563,1188876,1188983,1188985,1189841,1190006,1190067,1190349,1190351,1190479,1190620,1190642,1190795,1190941,1191229,1191238,1191241,1191315,1191317,1191343,1191349,1191384,1191449,1191450,1191451,1191452,1191455,1191456,1191628,1191731,1191800,1191934,1191958,1192036,1192040,1192041,1192107,1192145,1192267,1192549
CVE References: CVE-2018-13405,CVE-2021-33033,CVE-2021-34556,CVE-2021-3542,CVE-2021-35477,CVE-2021-3655,CVE-2021-3715,CVE-2021-3760,CVE-2021-3772,CVE-2021-3896,CVE-2021-41864,CVE-2021-42008,CVE-2021-42252,CVE-2021-42739,CVE-2021-43056
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    kernel-debug-5.3.18-lp152.102.1, kernel-default-5.3.18-lp152.102.1, kernel-default-base-5.3.18-lp152.102.1.lp152.8.49.1, kernel-docs-5.3.18-lp152.102.1, kernel-kvmsmall-5.3.18-lp152.102.1, kernel-obs-build-5.3.18-lp152.102.1, kernel-obs-qa-5.3.18-lp152.102.1, kernel-preempt-5.3.18-lp152.102.1, kernel-source-5.3.18-lp152.102.1, kernel-syms-5.3.18-lp152.102.1

SUSE-SU-2021:3675-1: An update that solves 15 vulnerabilities and has 56 fixes is now available.

Category: security (important)
Bug References: 1065729,1085030,1089118,1094840,1133021,1152472,1152489,1154353,1156395,1157177,1167773,1172073,1173604,1176447,1176774,1176914,1176940,1178134,1180100,1180749,1181147,1184673,1185762,1186063,1186109,1187167,1188563,1188601,1189841,1190006,1190067,1190349,1190351,1190479,1190620,1190642,1190795,1190801,1190941,1191229,1191240,1191241,1191315,1191317,1191349,1191384,1191449,1191450,1191451,1191452,1191455,1191456,1191628,1191645,1191663,1191731,1191800,1191851,1191867,1191934,1191958,1191980,1192040,1192041,1192074,1192107,1192145,1192229,1192267,1192288,1192549
CVE References: CVE-2021-33033,CVE-2021-34866,CVE-2021-3542,CVE-2021-3655,CVE-2021-3715,CVE-2021-37159,CVE-2021-3760,CVE-2021-3772,CVE-2021-3896,CVE-2021-41864,CVE-2021-42008,CVE-2021-42252,CVE-2021-42739,CVE-2021-43056,CVE-2021-43389
JIRA References: 
Sources used:
SUSE MicroOS 5.1 (src):    kernel-default-5.3.18-59.34.1, kernel-default-base-5.3.18-59.34.1.18.21.1
SUSE Linux Enterprise Workstation Extension 15-SP3 (src):    kernel-default-5.3.18-59.34.1, kernel-preempt-5.3.18-59.34.1
SUSE Linux Enterprise Module for Live Patching 15-SP3 (src):    kernel-default-5.3.18-59.34.1, kernel-livepatch-SLE15-SP3_Update_9-1-7.3.1
SUSE Linux Enterprise Module for Legacy Software 15-SP3 (src):    kernel-default-5.3.18-59.34.1
SUSE Linux Enterprise Module for Development Tools 15-SP3 (src):    kernel-docs-5.3.18-59.34.1, kernel-obs-build-5.3.18-59.34.1, kernel-preempt-5.3.18-59.34.1, kernel-source-5.3.18-59.34.1, kernel-syms-5.3.18-59.34.1
SUSE Linux Enterprise Module for Basesystem 15-SP3 (src):    kernel-64kb-5.3.18-59.34.1, kernel-default-5.3.18-59.34.1, kernel-default-base-5.3.18-59.34.1.18.21.1, kernel-preempt-5.3.18-59.34.1, kernel-source-5.3.18-59.34.1, kernel-zfcpdump-5.3.18-59.34.1
SUSE Linux Enterprise High Availability 15-SP3 (src):    kernel-default-5.3.18-59.34.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

openSUSE-SU-2021:3675-1: An update that solves 15 vulnerabilities and has 56 fixes is now available.

Category: security (important)
Bug References: 1065729,1085030,1089118,1094840,1133021,1152472,1152489,1154353,1156395,1157177,1167773,1172073,1173604,1176447,1176774,1176914,1176940,1178134,1180100,1180749,1181147,1184673,1185762,1186063,1186109,1187167,1188563,1188601,1189841,1190006,1190067,1190349,1190351,1190479,1190620,1190642,1190795,1190801,1190941,1191229,1191240,1191241,1191315,1191317,1191349,1191384,1191449,1191450,1191451,1191452,1191455,1191456,1191628,1191645,1191663,1191731,1191800,1191851,1191867,1191934,1191958,1191980,1192040,1192041,1192074,1192107,1192145,1192229,1192267,1192288,1192549
CVE References: CVE-2021-33033,CVE-2021-34866,CVE-2021-3542,CVE-2021-3655,CVE-2021-3715,CVE-2021-37159,CVE-2021-3760,CVE-2021-3772,CVE-2021-3896,CVE-2021-41864,CVE-2021-42008,CVE-2021-42252,CVE-2021-42739,CVE-2021-43056,CVE-2021-43389
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    dtb-aarch64-5.3.18-59.34.1, kernel-64kb-5.3.18-59.34.1, kernel-debug-5.3.18-59.34.1, kernel-default-5.3.18-59.34.1, kernel-default-base-5.3.18-59.34.1.18.21.1, kernel-docs-5.3.18-59.34.1, kernel-kvmsmall-5.3.18-59.34.1, kernel-obs-build-5.3.18-59.34.1, kernel-obs-qa-5.3.18-59.34.1, kernel-preempt-5.3.18-59.34.1, kernel-source-5.3.18-59.34.1, kernel-syms-5.3.18-59.34.1, kernel-zfcpdump-5.3.18-59.34.1

SUSE-SU-2021:3754-1: An update that solves 11 vulnerabilities and has 37 fixes is now available.

Category: security (important)
Bug References: 1065729,1085030,1152489,1154353,1156395,1157177,1167773,1172073,1173604,1176940,1184673,1185762,1186063,1187167,1188563,1189841,1190006,1190067,1190349,1190351,1190479,1190620,1190642,1190795,1190941,1191229,1191241,1191315,1191317,1191349,1191384,1191449,1191450,1191451,1191452,1191455,1191456,1191628,1191731,1191800,1191934,1191958,1192040,1192041,1192107,1192145,1192267,1192549
CVE References: CVE-2021-3542,CVE-2021-3655,CVE-2021-3715,CVE-2021-3760,CVE-2021-3772,CVE-2021-3896,CVE-2021-41864,CVE-2021-42008,CVE-2021-42252,CVE-2021-42739,CVE-2021-43056
JIRA References: 
Sources used:
SUSE MicroOS 5.0 (src):    kernel-default-5.3.18-24.93.1, kernel-default-base-5.3.18-24.93.1.9.42.5
SUSE Linux Enterprise Workstation Extension 15-SP2 (src):    kernel-default-5.3.18-24.93.1, kernel-preempt-5.3.18-24.93.1
SUSE Linux Enterprise Module for Live Patching 15-SP2 (src):    kernel-default-5.3.18-24.93.1, kernel-livepatch-SLE15-SP2_Update_21-1-5.3.5
SUSE Linux Enterprise Module for Legacy Software 15-SP2 (src):    kernel-default-5.3.18-24.93.1
SUSE Linux Enterprise Module for Development Tools 15-SP2 (src):    kernel-docs-5.3.18-24.93.1, kernel-obs-build-5.3.18-24.93.1, kernel-preempt-5.3.18-24.93.1, kernel-source-5.3.18-24.93.1, kernel-syms-5.3.18-24.93.1
SUSE Linux Enterprise Module for Basesystem 15-SP2 (src):    kernel-default-5.3.18-24.93.1, kernel-default-base-5.3.18-24.93.1.9.42.5, kernel-preempt-5.3.18-24.93.1, kernel-source-5.3.18-24.93.1
SUSE Linux Enterprise High Availability 15-SP2 (src):    kernel-default-5.3.18-24.93.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

SUSE-SU-2022:0068-1: An update that solves 16 vulnerabilities and has 26 fixes is now available.

Category: security (important)
Bug References: 1114648,1124431,1167162,1169514,1172073,1179599,1183678,1183897,1184804,1185727,1185762,1187167,1189126,1189158,1189305,1189841,1190317,1190358,1190428,1191229,1191384,1191731,1191876,1192032,1192145,1192267,1192740,1192845,1192847,1192866,1192877,1192946,1192974,1193231,1193306,1193318,1193440,1193442,1193575,1193731,1194087,1194094
CVE References: CVE-2018-25020,CVE-2019-15126,CVE-2020-27820,CVE-2021-0920,CVE-2021-0935,CVE-2021-28711,CVE-2021-28712,CVE-2021-28713,CVE-2021-28714,CVE-2021-28715,CVE-2021-33098,CVE-2021-4002,CVE-2021-43975,CVE-2021-43976,CVE-2021-45485,CVE-2021-45486
JIRA References: 
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP5 (src):    kernel-default-4.12.14-122.106.1
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    kernel-docs-4.12.14-122.106.1, kernel-obs-build-4.12.14-122.106.1
SUSE Linux Enterprise Server 12-SP5 (src):    kernel-default-4.12.14-122.106.1, kernel-source-4.12.14-122.106.1, kernel-syms-4.12.14-122.106.1
SUSE Linux Enterprise Live Patching 12-SP5 (src):    kernel-default-4.12.14-122.106.1, kgraft-patch-SLE12-SP5_Update_27-1-8.3.1
SUSE Linux Enterprise High Availability 12-SP5 (src):    kernel-default-4.12.14-122.106.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

SUSE-SU-2022:0080-1: An update that solves 18 vulnerabilities and has 28 fixes is now available.

Category: security (important)
Bug References: 1114648,1124431,1167162,1169514,1172073,1179599,1183678,1183897,1184804,1185727,1185762,1187167,1189126,1189158,1189305,1189841,1190317,1190358,1190428,1191229,1191384,1191731,1191876,1192032,1192145,1192267,1192740,1192845,1192847,1192866,1192877,1192946,1192974,1192987,1193231,1193306,1193318,1193440,1193442,1193575,1193669,1193727,1193731,1194001,1194087,1194094
CVE References: CVE-2018-25020,CVE-2019-15126,CVE-2020-27820,CVE-2021-0920,CVE-2021-0935,CVE-2021-28711,CVE-2021-28712,CVE-2021-28713,CVE-2021-28714,CVE-2021-28715,CVE-2021-33098,CVE-2021-4002,CVE-2021-4083,CVE-2021-4149,CVE-2021-43975,CVE-2021-43976,CVE-2021-45485,CVE-2021-45486
JIRA References: 
Sources used:
SUSE Linux Enterprise Server 12-SP5 (src):    kernel-azure-4.12.14-16.85.1, kernel-source-azure-4.12.14-16.85.1, kernel-syms-azure-4.12.14-16.85.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

SUSE-SU-2022:0090-1: An update that solves 15 vulnerabilities, contains one feature and has 18 fixes is now available.

Category: security (important)
Bug References: 1114648,1124431,1167162,1179599,1183678,1183897,1184804,1185727,1185762,1187167,1189126,1189305,1189841,1190358,1191229,1191384,1192032,1192145,1192267,1192740,1192845,1192847,1192877,1192946,1192974,1193231,1193306,1193318,1193440,1193442,1193731,1194087,1194094
CVE References: CVE-2019-15126,CVE-2020-27820,CVE-2021-0920,CVE-2021-0935,CVE-2021-28711,CVE-2021-28712,CVE-2021-28713,CVE-2021-28714,CVE-2021-28715,CVE-2021-33098,CVE-2021-4002,CVE-2021-43975,CVE-2021-43976,CVE-2021-45485,CVE-2021-45486
JIRA References: SLE-17288
Sources used:
SUSE Linux Enterprise Real Time Extension 12-SP5 (src):    kernel-rt-4.12.14-10.73.1, kernel-rt_debug-4.12.14-10.73.1, kernel-source-rt-4.12.14-10.73.1, kernel-syms-rt-4.12.14-10.73.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

openSUSE-SU-2022:0366-1: An update that solves 27 vulnerabilities and has 23 fixes is now available.

Category: security (critical)
Bug References: 1071995,1124431,1167162,1169514,1172073,1179599,1184804,1185377,1186207,1186222,1187167,1189305,1189841,1190358,1190428,1191229,1191241,1191384,1191731,1192032,1192267,1192740,1192845,1192847,1192877,1192946,1193306,1193440,1193442,1193575,1193669,1193727,1193731,1193767,1193861,1193864,1193867,1193927,1194001,1194048,1194087,1194227,1194302,1194516,1194529,1194880,1194888,1194985,1195166,1195254
CVE References: CVE-2018-25020,CVE-2019-15126,CVE-2020-27820,CVE-2021-0920,CVE-2021-0935,CVE-2021-28711,CVE-2021-28712,CVE-2021-28713,CVE-2021-28714,CVE-2021-28715,CVE-2021-33098,CVE-2021-3564,CVE-2021-39648,CVE-2021-39657,CVE-2021-4002,CVE-2021-4083,CVE-2021-4135,CVE-2021-4149,CVE-2021-4197,CVE-2021-4202,CVE-2021-43975,CVE-2021-43976,CVE-2021-44733,CVE-2021-45095,CVE-2021-45486,CVE-2022-0322,CVE-2022-0330
JIRA References: 
Sources used:
openSUSE Leap 15.4 (src):    kernel-debug-4.12.14-197.105.1, kernel-default-4.12.14-197.105.1, kernel-kvmsmall-4.12.14-197.105.1, kernel-vanilla-4.12.14-197.105.1, kernel-zfcpdump-4.12.14-197.105.1
openSUSE Leap 15.3 (src):    kernel-debug-4.12.14-197.105.1, kernel-default-4.12.14-197.105.1, kernel-kvmsmall-4.12.14-197.105.1, kernel-vanilla-4.12.14-197.105.1, kernel-zfcpdump-4.12.14-197.105.1

SUSE-SU-2022:0367-1: An update that solves 27 vulnerabilities and has 23 fixes is now available.

Category: security (critical)
Bug References: 1071995,1124431,1167162,1169514,1172073,1179599,1184804,1185377,1186207,1186222,1187167,1189305,1189841,1190358,1190428,1191229,1191241,1191384,1191731,1192032,1192267,1192740,1192845,1192847,1192877,1192946,1193306,1193440,1193442,1193506,1193575,1193669,1193727,1193731,1193767,1193861,1193864,1193867,1194001,1194048,1194087,1194227,1194302,1194516,1194529,1194880,1194888,1194985,1195166,1195254
CVE References: CVE-2018-25020,CVE-2019-15126,CVE-2020-27820,CVE-2021-0920,CVE-2021-0935,CVE-2021-28711,CVE-2021-28712,CVE-2021-28713,CVE-2021-28714,CVE-2021-28715,CVE-2021-33098,CVE-2021-3564,CVE-2021-39648,CVE-2021-39657,CVE-2021-4002,CVE-2021-4083,CVE-2021-4149,CVE-2021-4197,CVE-2021-4202,CVE-2021-43975,CVE-2021-43976,CVE-2021-44733,CVE-2021-45095,CVE-2021-45486,CVE-2022-0322,CVE-2022-0330,CVE-2022-0435
JIRA References: 
Sources used:
SUSE Linux Enterprise Server for SAP 15 (src):    kernel-default-4.12.14-150.83.1, kernel-docs-4.12.14-150.83.1, kernel-obs-build-4.12.14-150.83.1, kernel-source-4.12.14-150.83.1, kernel-syms-4.12.14-150.83.1, kernel-vanilla-4.12.14-150.83.1
SUSE Linux Enterprise Server 15-LTSS (src):    kernel-default-4.12.14-150.83.1, kernel-docs-4.12.14-150.83.1, kernel-obs-build-4.12.14-150.83.1, kernel-source-4.12.14-150.83.1, kernel-syms-4.12.14-150.83.1, kernel-vanilla-4.12.14-150.83.1, kernel-zfcpdump-4.12.14-150.83.1
SUSE Linux Enterprise Module for Live Patching 15 (src):    kernel-default-4.12.14-150.83.1, kernel-livepatch-SLE15_Update_27-1-1.5.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src):    kernel-default-4.12.14-150.83.1, kernel-docs-4.12.14-150.83.1, kernel-obs-build-4.12.14-150.83.1, kernel-source-4.12.14-150.83.1, kernel-syms-4.12.14-150.83.1, kernel-vanilla-4.12.14-150.83.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src):    kernel-default-4.12.14-150.83.1, kernel-docs-4.12.14-150.83.1, kernel-obs-build-4.12.14-150.83.1, kernel-source-4.12.14-150.83.1, kernel-syms-4.12.14-150.83.1, kernel-vanilla-4.12.14-150.83.1
SUSE Linux Enterprise High Availability 15 (src):    kernel-default-4.12.14-150.83.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

SUSE-SU-2022:0366-1: An update that solves 27 vulnerabilities and has 23 fixes is now available.

Category: security (critical)
Bug References: 1071995,1124431,1167162,1169514,1172073,1179599,1184804,1185377,1186207,1186222,1187167,1189305,1189841,1190358,1190428,1191229,1191241,1191384,1191731,1192032,1192267,1192740,1192845,1192847,1192877,1192946,1193306,1193440,1193442,1193575,1193669,1193727,1193731,1193767,1193861,1193864,1193867,1193927,1194001,1194048,1194087,1194227,1194302,1194516,1194529,1194880,1194888,1194985,1195166,1195254
CVE References: CVE-2018-25020,CVE-2019-15126,CVE-2020-27820,CVE-2021-0920,CVE-2021-0935,CVE-2021-28711,CVE-2021-28712,CVE-2021-28713,CVE-2021-28714,CVE-2021-28715,CVE-2021-33098,CVE-2021-3564,CVE-2021-39648,CVE-2021-39657,CVE-2021-4002,CVE-2021-4083,CVE-2021-4135,CVE-2021-4149,CVE-2021-4197,CVE-2021-4202,CVE-2021-43975,CVE-2021-43976,CVE-2021-44733,CVE-2021-45095,CVE-2021-45486,CVE-2022-0322,CVE-2022-0330
JIRA References: 
Sources used:
SUSE Linux Enterprise Server for SAP 15-SP1 (src):    kernel-default-4.12.14-197.105.1, kernel-docs-4.12.14-197.105.1, kernel-obs-build-4.12.14-197.105.1, kernel-source-4.12.14-197.105.1, kernel-syms-4.12.14-197.105.1
SUSE Linux Enterprise Server 15-SP1-LTSS (src):    kernel-default-4.12.14-197.105.1, kernel-docs-4.12.14-197.105.1, kernel-obs-build-4.12.14-197.105.1, kernel-source-4.12.14-197.105.1, kernel-syms-4.12.14-197.105.1, kernel-zfcpdump-4.12.14-197.105.1
SUSE Linux Enterprise Server 15-SP1-BCL (src):    kernel-default-4.12.14-197.105.1, kernel-docs-4.12.14-197.105.1, kernel-obs-build-4.12.14-197.105.1, kernel-source-4.12.14-197.105.1, kernel-syms-4.12.14-197.105.1
SUSE Linux Enterprise Module for Live Patching 15-SP1 (src):    kernel-default-4.12.14-197.105.1, kernel-livepatch-SLE15-SP1_Update_28-1-3.3.1
SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src):    kernel-default-4.12.14-197.105.1, kernel-docs-4.12.14-197.105.1, kernel-obs-build-4.12.14-197.105.1, kernel-source-4.12.14-197.105.1, kernel-syms-4.12.14-197.105.1
SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src):    kernel-default-4.12.14-197.105.1, kernel-docs-4.12.14-197.105.1, kernel-obs-build-4.12.14-197.105.1, kernel-source-4.12.14-197.105.1, kernel-syms-4.12.14-197.105.1
SUSE Linux Enterprise High Availability 15-SP1 (src):    kernel-default-4.12.14-197.105.1
SUSE Enterprise Storage 6 (src):    kernel-default-4.12.14-197.105.1, kernel-docs-4.12.14-197.105.1, kernel-obs-build-4.12.14-197.105.1, kernel-source-4.12.14-197.105.1, kernel-syms-4.12.14-197.105.1
SUSE CaaS Platform 4.0 (src):    kernel-default-4.12.14-197.105.1, kernel-docs-4.12.14-197.105.1, kernel-obs-build-4.12.14-197.105.1, kernel-source-4.12.14-197.105.1, kernel-syms-4.12.14-197.105.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

SUSE-SU-2022:0371-1: An update that solves 27 vulnerabilities and has 22 fixes is now available.

Category: security (important)
Bug References: 1071995,1124431,1167162,1169514,1172073,1177101,1179599,1184804,1185377,1186207,1186222,1187167,1189305,1189841,1190358,1190428,1191229,1191384,1191731,1192032,1192267,1192740,1192845,1192847,1192877,1192946,1193306,1193440,1193442,1193507,1193575,1193669,1193727,1193731,1193767,1193861,1193864,1193867,1194001,1194048,1194087,1194227,1194302,1194516,1194529,1194880,1194888,1194985,1195254
CVE References: CVE-2018-25020,CVE-2019-15126,CVE-2020-27820,CVE-2021-0920,CVE-2021-0935,CVE-2021-28711,CVE-2021-28712,CVE-2021-28713,CVE-2021-28714,CVE-2021-28715,CVE-2021-33098,CVE-2021-3564,CVE-2021-39648,CVE-2021-39657,CVE-2021-4002,CVE-2021-4083,CVE-2021-4149,CVE-2021-4197,CVE-2021-4202,CVE-2021-43975,CVE-2021-43976,CVE-2021-44733,CVE-2021-45095,CVE-2021-45486,CVE-2022-0322,CVE-2022-0330,CVE-2022-0435
JIRA References: 
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src):    kernel-default-4.12.14-95.88.1, kernel-source-4.12.14-95.88.1, kernel-syms-4.12.14-95.88.1
SUSE OpenStack Cloud 9 (src):    kernel-default-4.12.14-95.88.1, kernel-source-4.12.14-95.88.1, kernel-syms-4.12.14-95.88.1
SUSE Linux Enterprise Server for SAP 12-SP4 (src):    kernel-default-4.12.14-95.88.1, kernel-source-4.12.14-95.88.1, kernel-syms-4.12.14-95.88.1
SUSE Linux Enterprise Server 12-SP4-LTSS (src):    kernel-default-4.12.14-95.88.1, kernel-source-4.12.14-95.88.1, kernel-syms-4.12.14-95.88.1
SUSE Linux Enterprise Live Patching 12-SP4 (src):    kernel-default-4.12.14-95.88.1, kgraft-patch-SLE12-SP4_Update_24-1-6.5.1
SUSE Linux Enterprise High Availability 12-SP4 (src):    kernel-default-4.12.14-95.88.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.