SUSE-SU-2025:01966-1

CVE-2022-49775: tcp: cdg: allow tcpcdgrelease() to be called multiple times (bsc#1242245).
CVE-2024-53168: net: make sockinuseadd() available (bsc#1234887).
CVE-2024-56558: nfsd: make sure exp active before svcexportshow (bsc#1235100).
CVE-2025-21999: proc: fix UAF in procgetinode() (bsc#1240802).
CVE-2025-22056: netfilter: nfttunnel: fix geneveopt type confusion addition (bsc#1241525).
CVE-2025-23145: mptcp: fix NULL pointer in canacceptnew_subflow (bsc#1242596).
CVE-2025-37789: net: openvswitch: fix nested key length validation in the set() action (bsc#1242762).

The following non-security bugs were fixed:

Drivers: hv: Allow vmbussendpacketmpb_desc() to create multiple ranges (bsc#1243737).
Remove debug flavor (bsc#1243919).
arm64: bpf: Add BHB mitigation to the epilogue for cBPF programs (bsc#1242778).
arm64: bpf: Only mitigate cBPF programs loaded by unprivileged users (bsc#1242778).
arm64: insn: Add support for encoding DSB (bsc#1242778).
arm64: proton-pack: Add new CPUs 'k' values for branch mitigation (bsc#1242778).
arm64: proton-pack: Expose whether the branchy loop k value (bsc#1242778).
arm64: proton-pack: Expose whether the platform is mitigated by firmware (bsc#1242778).
hv_netvsc: Preserve contiguous PFN grouping in the page buffer array (bsc#1243737).
hvnetvsc: Remove rmsgpgcnt (bsc#1243737).
hvnetvsc: Use vmbussendpacketmpbdesc() to send VMBus messages (bsc#1243737).
mtd: phram: Add the kernel lock down check (bsc#1232649).
net :mana :Add remaining GDMA stats for MANA to ethtool (bsc#1234395).
net :mana :Request a V2 response version for MANAQUERYGF_STAT (bsc#1234395).
net: mana: Add gdma stats to ethtool output for mana (bsc#1234395).
nvme-pci: acquire cqpolllock in nvmepollirqdisable (bsc#1223096).
ocfs2: fix the issue with discontiguous allocation in the global_bitmap (git-fixes).
powerpc/pseries/iommu: IOMMU incorrectly marks MMIO range in DDW (bsc#1218470 ltc#204531).
scsi: core: Fix unremoved procfs host directory regression (git-fixes).
tcp: Dump bound-only sockets in inet_diag (bsc#1204562).
tpm, tpm_tis: Workaround failed command reception on Infineon devices (bsc#1235870).
tpm: tis: Double the timeout B to 4s (bsc#1235870).
x86/bhi: Do not set BHIDISS in 32-bit mode (bsc#1242778).
x86/bpf: Add IBHF call at end of classic BPF (bsc#1242778).
x86/bpf: Call branch history clearing sequence on exit (bsc#1242778).

References

Affected packages

SUSE:Linux Enterprise Micro 5.5 / kernel-rt

Package

Name: kernel-rt
Purl: pkg:rpm/suse/kernel-rt&distro=SUSE%20Linux%20Enterprise%20Micro%205.5

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

5.14.21-150500.13.97.1

Ecosystem specific

{
    "binaries": [
        {
            "kernel-rt": "5.14.21-150500.13.97.1",
            "kernel-devel-rt": "5.14.21-150500.13.97.1",
            "kernel-source-rt": "5.14.21-150500.13.97.1"
        }
    ]
}

SUSE:Linux Enterprise Micro 5.5 / kernel-source-rt

Package

Name: kernel-source-rt
Purl: pkg:rpm/suse/kernel-source-rt&distro=SUSE%20Linux%20Enterprise%20Micro%205.5

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

5.14.21-150500.13.97.1

Ecosystem specific

{
    "binaries": [
        {
            "kernel-rt": "5.14.21-150500.13.97.1",
            "kernel-devel-rt": "5.14.21-150500.13.97.1",
            "kernel-source-rt": "5.14.21-150500.13.97.1"
        }
    ]
}