SUSE-SU-2025:02321-1

The SUSE Linux Enterprise 15 SP5 RT kernel was updated to receive various security bugfixes.

The following security bugs were fixed:

• CVE-2021-47557: net/sched: sch_ets: do not peek at classes beyond 'nbands' (bsc#1207361 bsc#1225468).
• CVE-2021-47595: net/sched: sch_ets: do not remove idle classes from the round-robin list (bsc#1207361 bsc#1226552).
• CVE-2023-52924: netfilter: nf_tables: do not skip expired elements during walk (bsc#1236821).
• CVE-2023-52925: netfilter: nf_tables: do not fail inserts if duplicate has expired (bsc#1236822).
• CVE-2024-26808: netfilter: nftchainfilter: handle NETDEV_UNREGISTER for inet/ingress basechain (bsc#1222634).
• CVE-2024-26924: scsi: lpfc: Release hbalock before calling lpfcworkerwake_up() (bsc#1225820).
• CVE-2024-27397: kabi: place tstamp needed for nftables set in a hole (bsc#1224095).
• CVE-2024-28956: x86/its: Add support for ITS-safe indirect thunk (bsc#1242006).
• CVE-2024-36978: net: sched: schmultiq: fix possible OOB write in multiqtune() (bsc#1226514).
• CVE-2024-46800: sch/netem: fix use after free in netem_dequeue (bsc#1230827).
• CVE-2024-53125: bpf: synclinkedregs() must preserve subreg_def (bsc#1234156).
• CVE-2024-53141: netfilter: ipset: add missing range check in bitmapipuadt (bsc#1234381).
• CVE-2024-53197: ALSA: usb-audio: Fix potential out-of-bound accesses for Extigy and Mbox devices (bsc#1235464).
• CVE-2024-56770: sch/netem: fix use after free in netem_dequeue (bsc#1235637).
• CVE-2025-21700: net: sched: Disallow replacing of child qdisc from one parent to another (bsc#1237159).
• CVE-2025-21702: pfifotailenqueue: Drop new packet when sch->limit == 0 (bsc#1237312).
• CVE-2025-21703: netem: Update sch->q.qlen before qdisctreereduce_backlog() (bsc#1237313).
• CVE-2025-21756: vsock: Orphan socket after transport release (bsc#1238876).
• CVE-2025-23141: KVM: x86: Acquire SRCU in KVMGETMP_STATE to protect guest memory accesses (bsc#1242782).
• CVE-2025-37752: netsched: schsfq: move the limit validation (bsc#1242504).
• CVE-2025-37785: ext4: fix OOB read when checking dotdot dir (bsc#1241640).
• CVE-2025-37823: netsched: hfsc: Fix a potential UAF in hfscdequeue() too (bsc#1242924).
• CVE-2025-37890: net_sched: hfsc: Fix a UAF vulnerability in class with netem as child qdisc (bsc#1243330).
• CVE-2025-37997: netfilter: ipset: fix region locking in hash types (bsc#1243832).
• CVE-2025-38000: schhfsc: Fix qlen accounting bug when using peek in hfscenqueue() (bsc#1244277).
• CVE-2025-38001: net_sched: hfsc: Address reentrant enqueue adding class to eltree twice (bsc#1244234).
• CVE-2025-38014: dmaengine: idxd: Refactor remove call with idxd_cleanup() helper (bsc#1244732).
• CVE-2025-38060: bpf: abort verification if env->curstate->loopentry != NULL (bsc#1245155).
• CVE-2025-38083: netsched: prio: fix a race in priotune() (bsc#1245183).

The following non-security bugs were fixed:

• ALSA: usb-audio: Fix a DMA to stack memory bug (git-fixes).
• Fix conditional for selecting gcc-13 Fixes: 51dacec21eb1 ('Use gcc-13 for build on SLE16 (jsc#PED-10028).')
• Fix reference in 'netsched: schsfq: use a temporary work area for validating configuration' (bsc#1242504)
• MyBS: Correctly generate build flags for non-multibuild package limit (bsc# 1244241) Fixes: 0999112774fc ('MyBS: Use buildflags to set which package to build')
• MyBS: Do not build kernel-obs-qa with limitpackages Fixes: 58e3f8c34b2b ('bs-upload-kernel: Pass limitpackages also on multibuild')
• MyBS: Simplify qa_expr generation Start with a 0 which makes the expression valid even if there are no QA repositories (currently does not happen). Then separator is always needed.
• Require zstd in kernel-default-devel when module compression is zstd To use ksym-provides tool modules need to be uncompressed. Without zstd at least kernel-default-base does not have provides. Link: https://github.com/openSUSE/rpm-config-SUSE/pull/82
• Use gcc-13 for build on SLE16 (jsc#PED-10028).
• add nf_tables for iptables non-legacy network handling This is needed for example by docker on the Alpine Linux distribution, but can also be used on openSUSE.
• bs-upload-kernel: Pass limit_packages also on multibuild Fixes: 0999112774fc ('MyBS: Use buildflags to set which package to build') Fixes: 747f601d4156 ('bs-upload-kernel, MyBS, Buildresults: Support multibuild (JSC-SLE#5501, boo#1211226, bsc#1218184)')
• check-for-config-changes: Fix flag name typo
• doc/README.SUSE: Point to the updated version of LKMPG
• hugetlb: unshare some PMDs when splitting VMAs (bsc#1245431).
• kernel-obs-qa: Use srchash for dependency as well
• kernel-source: Also replace bin/env
• kernel-source: Also update the search to match bin/env Fixes: dc2037cd8f94 ('kernel-source: Also replace bin/env'
• kernel-source: Remove log.sh from sources
• mkspec: Exclude rt flavor from kernel-syms dependencies (bsc#1244337).
• mm/hugetlb: fix hugepmdunshare() vs GUP-fast race (bsc#1245431).
• mm/hugetlb: unshare page tables during VMA split, not before (bsc#1245431).
• netsched: schfifo: implement lockless _fifodump() (bsc#1237312)
• netsched: schsfq: use a temporary work area for validating configuration (bsc#1232504)
• ovl: fix use inode directly in rcu-walk mode (bsc#1241900).
• packaging: Turn gcc version into config.sh variable Fixes: 51dacec21eb1 ('Use gcc-13 for build on SLE16 (jsc#PED-10028).')
• powerpc/powernv/memtrace: Fix out of bounds issue in memtrace mmap (bsc#1244309 ltc#213790).
• powerpc/vas: Return -EINVAL if the offset is non-zero in mmap() (bsc#1244309 ltc#213790).
• rpm/check-for-config-changes: Add GCCASMFLAGOUTPUTBROKEN
• rpm/check-for-config-changes: Add GCCASMFLAGOUTPUTBROKEN Both spellings are actually used
• rpm/check-for-config-changes: add LDCAN to IGNOREDCONFIGSRE
• rpm/check-for-config-changes: add more to IGNOREDCONFIGSRE Useful when someone tries (needs) to build the kernel with clang.
• rpm/check-for-config-changes: ignore DRMMSMVALIDATEXML This option is dynamically enabled to build-test different configurations. This makes runoldconfig.sh complain sporadically for arm64.
• rpm/kernel-binary.spec.in: Also order against update-bootloader (boo#1228659, boo#1240785, boo#1241038).
• rpm/kernel-binary.spec.in: Fix missing 20-kernel-default-extra.conf (bsc#1239986) sleversion was obsoleted for SLE16. It has to be combined with suseversion check.
• rpm/kernel-binary.spec.in: Use OrderWithRequires (boo#1228659 boo#1241038). OrderWithRequires was introduced in rpm 4.9 (ie. SLE12+) to allow a package to inform the order of installation of other package without hard requiring that package. This means our kernel-binary packages no longer need to hard require perl-Bootloader or dracut, resolving the long-commented issue there. This is also needed for udev & systemd-boot to ensure those packages are installed before being called by dracut (boo#1228659)
• rpm/kernel-binary.spec.in: fix KMPs build on 6.13+ (bsc#1234454)
• rpm/kernel-docs.spec.in: Workaround for reproducible builds (bsc#1238303)
• rpm/package-descriptions: Add rt and rt_debug descriptions
• rpm/release-projects: Update the ALP projects again (bsc#1231293).
• rpm/split-modules: Fix optional splitting with usrmerge (bsc#1238570)
• rpm: Stop using iskotdqa macro
• scsi: storvsc: Do not report the host packet status as the hv status (git-fixes).
• scsi: storvsc: Increase the timeouts to storvsc_timeout (bsc#1245455).