openSUSE: 2023:4035-1: important: the Linux Kernel Security Advisory Update
Description
The SUSE Linux Enterprise 15 SP5 RT kernel was updated to receive various security and bugfixes. The following security bugs were fixed: * CVE-2023-39194: Fixed an out of bounds read in the XFRM subsystem (bsc#1215861). * CVE-2023-39193: Fixed an out of bounds read in the xtables subsystem (bsc#1215860). * CVE-2023-39192: Fixed an out of bounds read in the netfilter (bsc#1215858). * CVE-2023-42754: Fixed a NULL pointer dereference in the IPv4 stack that could lead to denial of service (bsc#1215467). * CVE-2023-4389: Fixed a reference counting issue in the Btrfs filesystem that could be exploited in order to leak internal kernel information or crash the system (bsc#1214351). * CVE-2023-5345: fixed an use-after-free vulnerability in the fs/smb/client component which could be exploited to achieve local privilege escalation. (bsc#1215899) * CVE-2023-42753: Fixed an array indexing vulnerability in the netfilter subsystem. This issue may have allowed a local user to crash the system or potentially escalate their privileges (bsc#1215150). * CVE-2023-1206: Fixed a hash collision flaw in the IPv6 connection lookup table. A user located in the local network or with a high bandwidth connection can increase the CPU usage of the server that accepts IPV6 connections up to 95% (bsc#1212703). * CVE-2023-4921: Fixed a use-after-free vulnerability in the QFQ network scheduler which could be exploited to achieve local privilege escalatio (bsc#1215275). * CVE-2023-4622: Fixed a use-after-free vulnerability in the Unix domain sockets component which could be exploited to achieve local privilege escalation (bsc#1215117). * CVE-2023-4623: Fixed a use-after-free issue in the HFSC network scheduler which could be exploited to achieve local privilege escalation (bsc#1215115). * CVE-2023-4155: Fixed a flaw in KVM AMD Secure Encrypted Virtualization (SEV). An attacker can trigger a stack overflow and cause a denial of service or potentially guest-to-host escape in kernel configurations without stack guard pages. (bsc#1214022) The following non-security bugs were fixed: * ALSA: hda/realtek: Splitting the UX3402 into two separate models (git- fixes). * arm64: module-plts: inline linux/moduleloader.h (git-fixes) * arm64: module: Use module_init_layout_section() to spot init sections (git- fixes) * arm64: sdei: abort running SDEI handlers during crash (git-fixes) * arm64: tegra: Update AHUB clock parent and rate (git-fixes) * arm64/fpsimd: Only provide the length to cpufeature for xCR registers (git- fixes) * ASoC: amd: yc: Fix non-functional mic on Lenovo 82QF and 82UG (git-fixes). * ASoC: hdaudio.c: Add missing check for devm_kstrdup (git-fixes). * ASoC: imx-audmix: Fix return error with devm_clk_get() (git-fixes). * ASoC: meson: spdifin: start hw on dai probe (git-fixes). * ASoC: rt5640: Fix IRQ not being free-ed for HDA jack detect mode (git- fixes). * ASoC: rt5640: Fix sleep in atomic context (git-fixes). * ASoC: rt5640: Revert "Fix sleep in atomic context" (git-fixes). * ASoC: soc-utils: Export snd_soc_dai_is_dummy() symbol (git-fixes). * ASoC: SOF: core: Only call sof_ops_free() on remove if the probe was successful (git-fixes). * ASoC: tegra: Fix redundant PLLA and PLLA_OUT0 updates (git-fixes). * blk-iocost: fix divide by 0 error in calc_lcoefs() (bsc#1214986). * blk-iocost: use spin_lock_irqsave in adjust_inuse_and_calc_cost (bsc#1214992). * block/mq-deadline: use correct way to throttling write requests (bsc#1214993). * bnx2x: new flag for track HW resource allocation (bsc#1202845 bsc#1215322). * clocksource: hyper-v: Mark hyperv tsc page unencrypted in sev-snp enlightened guest (bsc#1206453). * drivers: hv: Mark percpu hvcall input arg page unencrypted in SEV-SNP enlightened guest (bsc#1206453). * Drivers: hv: vmbus: Bring the post_msg_page back for TDX VMs with the paravisor (bsc#1206453). * Drivers: hv: vmbus: Support >64 VPs for a fully enlightened TDX/SNP VM (bsc#1206453). * Drivers: hv: vmbus: Support fully enlightened TDX guests (bsc#1206453). * drm/ast: Add BMC virtual connector (bsc#1152472) Backporting changes: * rename ast_device to ast_private * drm/ast: report connection status on Display Port. (bsc#1152472) Backporting changes: * rename ast_device to ast_private * context changes * drm/display: Do not assume dual mode adaptors support i2c sub-addressing (bsc#1213808). * drm/meson: fix memory leak on ->hpd_notify callback (git-fixes). * drm/virtio: Correct drm_gem_shmem_get_sg_table() error handling (git-fixes). * drm/virtio: Use appropriate atomic state in virtio_gpu_plane_cleanup_fb() (git-fixes). * ext4: avoid potential data overflow in next_linear_group (bsc#1214951). * ext4: correct inline offset when handling xattrs in inode body (bsc#1214950). * ext4: fix memory leaks in ext4_fname_{setup_filename,prepare_lookup} (bsc#1214954). * ext4: fix wrong unit use in ext4_mb_clear_bb (bsc#1214943). * ext4: fix wrong unit use in ext4_mb_new_blocks (bsc#1214944). * ext4: get block from bh in ext4_free_blocks for fast commit replay (bsc#1214942). * ext4: reflect error codes from ext4_multi_mount_protect() to its callers (bsc#1214941). * ext4: Remove ext4 locking of moved directory (bsc#1214957). * ext4: set goal start correctly in ext4_mb_normalize_request (bsc#1214940). * fs: Establish locking order for unrelated directories (bsc#1214958). * fs: Lock moved directories (bsc#1214959). * fs: lockd: avoid possible wrong NULL parameter (git-fixes). * fs: no need to check source (bsc#1215752). * fuse: nlookup missing decrement in fuse_direntplus_link (bsc#1215581). * gve: Add AF_XDP zero-copy support for GQI-QPL format (bsc#1214479). * gve: Add XDP DROP and TX support for GQI-QPL format (bsc#1214479). * gve: Add XDP REDIRECT support for GQI-QPL format (bsc#1214479). * gve: Changes to add new TX queues (bsc#1214479). * gve: Control path for DQO-QPL (bsc#1214479). * gve: fix frag_list chaining (bsc#1214479). * gve: Fix gve interrupt names (bsc#1214479). * gve: RX path for DQO-QPL (bsc#1214479). * gve: trivial spell fix Recive to Receive (bsc#1214479). * gve: Tx path for DQO-QPL (bsc#1214479). * gve: Unify duplicate GQ min pkt desc size constants (bsc#1214479). * gve: use vmalloc_array and vcalloc (bsc#1214479). * gve: XDP support GQI-QPL: helper function changes (bsc#1214479). * hwrng: virtio - add an internal buffer (git-fixes). * hwrng: virtio - always add a pending request (git-fixes). * hwrng: virtio - do not wait on cleanup (git-fixes). * hwrng: virtio - do not waste entropy (git-fixes). * hwrng: virtio - Fix race on data_avail and actual data (git-fixes). * i915/pmu: Move execlist stats initialization to execlist specific setup (git-fixes). * iommu/virtio: Detach domain on endpoint release (git-fixes). * iommu/virtio: Return size mapped for a detached domain (git-fixes). * jbd2: check 'jh->b_transaction' before removing it from checkpoint (bsc#1214953). * jbd2: correct the end of the journal recovery scan range (bsc#1214955). * jbd2: fix a race when checking checkpoint buffer busy (bsc#1214949). * jbd2: fix checkpoint cleanup performance regression (bsc#1214952). * jbd2: Fix wrongly judgement for buffer head removing while doing checkpoint (bsc#1214948). * jbd2: recheck chechpointing non-dirty buffer (bsc#1214945). * jbd2: remove journal_clean_one_cp_list() (bsc#1214947). * jbd2: remove t_checkpoint_io_list (bsc#1214946). * jbd2: restore t_checkpoint_io_list to maintain kABI (bsc#1214946). * kernel-binary: Move build-time definitions together Move source list and build architecture to buildrequires to aid in future reorganization of the spec template. * kernel-binary: python3 is needed for build At least scripts/bpf_helpers_doc.py requires python3 since Linux 4.18 Other simimlar scripts may exist. * KVM: s390: fix KVM_S390_GET_CMMA_BITS for GFNs in memslot holes (git-fixes bsc#1215915). * KVM: s390: interrupt: use READ_ONCE() before cmpxchg() (git-fixes bsc#1215896). * KVM: s390: pv: fix external interruption loop not always detected (git-fixes bsc#1215916). * KVM: s390: vsie: Fix the initialization of the epoch extension (epdx) field (git-fixes bsc#1215894). * KVM: s390: vsie: fix the length of APCB bitmap (git-fixes bsc#1215895). * KVM: s390/diag: fix racy access of physical cpu number in diag 9c handler (git-fixes bsc#1215911). * KVM: x86: Fix KVM_CAP_SYNC_REGS's sync_regs() TOCTOU issues (git-fixes). * KVM: x86/mmu: Include mmu.h in spte.h (git-fixes). * loop: Fix use-after-free issues (bsc#1214991). * loop: loop_set_status_from_info() check before assignment (bsc#1214990). * module: Expose module_init_layout_section() (git-fixes) * net: do not allow gso_size to be set to GSO_BY_FRAGS (git-fixes). * net: mana: Add page pool for RX buffers (bsc#1214040). * net: mana: Configure hwc timeout from hardware (bsc#1214037). * net: usb: qmi_wwan: add Quectel EM05GV2 (git-fixes). * NFS: Guard against READDIR loop when entry names exceed MAXNAMELEN (git- fixes). * nfs/blocklayout: Use the passed in gfp flags (git-fixes). * NFS/pNFS: Report EINVAL errors from connect() to the server (git-fixes). * NFSD: da_addr_body field missing in some GETDEVICEINFO replies (git-fixes). * nfsd: fix change_info in NFSv4 RENAME replies (git-fixes). * nfsd: Fix race to FREE_STATEID and cl_revoked (git-fixes). * NFSv4: Fix dropped lock for racing OPEN and delegation return (git-fixes). * NFSv4: fix out path in __nfs4_get_acl_uncached (git-fixes). * NFSv4.2: fix error handling in nfs42_proc_getxattr (git-fixes). * NFSv4.2: fix handling of COPY ERR_OFFLOAD_NO_REQ (git-fixes). * NFSv4/pnfs: minor fix for cleanup path in nfs4_get_device_info (git-fixes). * nvme-auth: use chap->s2 to indicate bidirectional authentication (bsc#1214543). * nvme-tcp: add recovery_delay to sysfs (bsc#1201284). * nvme-tcp: delay error recovery until the next KATO interval (bsc#1201284). * nvme-tcp: Do not terminate commands when in RESETTING (bsc#1201284). * nvme-tcp: make 'err_work' a delayed work (bsc#1201284). * platform/x86: intel_scu_ipc: Check status after timeout in busy_loop() (git- fixes). * platform/x86: intel_scu_ipc: Check status upon timeout in ipc_wait_for_interrupt() (git-fixes). * platform/x86: intel_scu_ipc: Do not override scu in intel_scu_ipc_dev_simple_command() (git-fixes). * platform/x86: intel_scu_ipc: Fail IPC send if still busy (git-fixes). * pNFS: Fix assignment of xprtdata.cred (git-fixes). * powerpc/fadump: make is_kdump_kernel() return false when fadump is active (bsc#1212639 ltc#202582). * printk: ringbuffer: Fix truncating buffer size min_t cast (bsc#1215875). * quota: add new helper dquot_active() (bsc#1214998). * quota: factor out dquot_write_dquot() (bsc#1214995). * quota: fix dqput() to follow the guarantees dquot_srcu should provide (bsc#1214963). * quota: fix warning in dqgrab() (bsc#1214962). * quota: Properly disable quotas when add_dquot_ref() fails (bsc#1214961). * quota: rename dquot_active() to inode_quota_active() (bsc#1214997). * RDMA/siw: Fabricate a GID on tun and loopback devices (git-fixes) * scsi: lpfc: Early return after marking final NLP_DROPPED flag in dev_loss_tmo (git-fixes). * scsi: lpfc: Fix the NULL vs IS_ERR() bug for debugfs_create_file() (git- fixes). * scsi: lpfc: Prevent use-after-free during rmmod with mapped NVMe rports (git-fixes). * scsi: qedf: Add synchronization between I/O completions and abort (bsc#1210658). * scsi: qla2xxx: Fix NULL vs IS_ERR() bug for debugfs_create_dir() (git- fixes). * scsi: qla2xxx: Use raw_smp_processor_id() instead of smp_processor_id() (git-fixes). * scsi: storvsc: Handle additional SRB status values (git-fixes). * scsi: zfcp: Fix a double put in zfcp_port_enqueue() (git-fixes bsc#1215941). * selftests: mlxsw: Fix test failure on Spectrum-4 (jsc#PED-1549). * spi: Add TPM HW flow flag (bsc#1213534) * spi: tegra210-quad: Enable TPM wait polling (bsc#1213534) * spi: tegra210-quad: set half duplex flag (bsc#1213534) * SUNRPC: Mark the cred for revalidation if the server rejects it (git-fixes). * tpm_tis_spi: Add hardware wait polling (bsc#1213534) * uapi: stddef.h: Fix __DECLARE_FLEX_ARRAY for C++ (git-fixes). * udf: Fix extension of the last extent in the file (bsc#1214964). * udf: Fix file corruption when appending just after end of preallocated extent (bsc#1214965). * udf: Fix off-by-one error when discarding preallocation (bsc#1214966). * udf: Fix uninitialized array access for some pathnames (bsc#1214967). * Update metadata * usb: ehci: add workaround for chipidea PORTSC.PEC bug (git-fixes). * usb: ehci: move new member has_ci_pec_bug into hole (git-fixes). * vhost_vdpa: fix the crash in unmap a large memory (git-fixes). * vhost-scsi: unbreak any layout for response (git-fixes). * vhost: allow batching hint without size (git-fixes). * vhost: allow batching hint without size (git-fixes). * vhost: fix hung thread due to erroneous iotlb entries (git-fixes). * vhost: handle error while adding split ranges to iotlb (git-fixes). * virtio_net: add checking sq is full inside xdp xmit (git-fixes). * virtio_net: Fix probe failed when modprobe virtio_net (git-fixes). * virtio_net: reorder some funcs (git-fixes). * virtio_net: separate the logic of checking whether sq is full (git-fixes). * virtio_ring: fix avail_wrap_counter in virtqueue_add_packed (git-fixes). * virtio-blk: set req->state to MQ_RQ_COMPLETE after polling I/O is finished (git-fixes). * virtio-mmio: do not break lifecycle of vm_dev (git-fixes). * virtio-net: fix race between set queues and probe (git-fixes). * virtio-net: set queues after driver_ok (git-fixes). * virtio-rng: make device ready before making request (git-fixes). * virtio: acknowledge all features before access (git-fixes). * vmcore: remove dependency with is_kdump_kernel() for exporting vmcore (bsc#1212639 ltc#202582). * x86/coco: Allow CPU online/offline for a TDX VM with the paravisor on Hyper-V (bsc#1206453). * x86/coco: Export cc_vendor (bsc#1206453). * x86/hyperv: Add hv_write_efer() for a TDX VM with the paravisor (bsc#1206453). * x86/hyperv: Add hyperv-specific handling for VMMCALL under SEV-ES (bsc#1206453). * x86/hyperv: Add missing 'inline' to hv_snp_boot_ap() stub (bsc#1206453). * x86/hyperv: Add sev-snp enlightened guest static key (bsc#1206453) * x86/hyperv: Add smp support for SEV-SNP guest (bsc#1206453). * x86/hyperv: Add VTL specific structs and hypercalls (bsc#1206453). * x86/hyperv: Fix serial console interrupts for fully enlightened TDX guests (bsc#1206453). * x86/hyperv: Fix undefined reference to isolation_type_en_snp without CONFIG_HYPERV (bsc#1206453). * x86/hyperv: Introduce a global variable hyperv_paravisor_present (bsc#1206453). * x86/hyperv: Mark hv_ghcb_terminate() as noreturn (bsc#1206453). * x86/hyperv: Mark Hyper-V vp assist page unencrypted in SEV-SNP enlightened guest (bsc#1206453). * x86/hyperv: Move the code in ivm.c around to avoid unnecessary ifdef's (bsc#1206453). * x86/hyperv: Remove hv_isolation_type_en_snp (bsc#1206453). * x86/hyperv: Set Virtual Trust Level in VMBus init message (bsc#1206453). * x86/hyperv: Support hypercalls for fully enlightened TDX guests (bsc#1206453). * x86/hyperv: Use TDX GHCI to access some MSRs in a TDX VM with the paravisor (bsc#1206453). * x86/hyperv: Use vmmcall to implement Hyper-V hypercall in sev-snp enlightened guest (bsc#1206453). * x86/PVH: avoid 32-bit build warning when obtaining VGA console info (git- fixes). * x86/srso: Do not probe microcode in a guest (git-fixes). * x86/srso: Fix SBPB enablement for spec_rstack_overflow=off (git-fixes). * x86/srso: Fix srso_show_state() side effect (git-fixes). * x86/srso: Set CPUID feature bits independently of bug or mitigation status (git-fixes). * xen: remove a confusing comment on auto-translated guest I/O (git-fixes). * xprtrdma: Remap Receive buffers after a reconnect (git-fixes). ## Special Instructions and Notes: * Please reboot the system after installing this update.
Patch
## Patch Instructions: To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: * openSUSE Leap 15.5 zypper in -t patch SUSE-2023-4035=1 openSUSE-SLE-15.5-2023-4035=1 * SUSE Linux Enterprise Micro 5.5 zypper in -t patch SUSE-SLE-Micro-5.5-2023-4035=1 * SUSE Linux Enterprise Live Patching 15-SP5 zypper in -t patch SUSE-SLE-Module-Live-Patching-15-SP5-2023-4035=1 * SUSE Real Time Module 15-SP5 zypper in -t patch SUSE-SLE-Module-RT-15-SP5-2023-4035=1
Package List
* openSUSE Leap 15.5 (noarch) * kernel-source-rt-5.14.21-150500.13.21.1 * kernel-devel-rt-5.14.21-150500.13.21.1 * openSUSE Leap 15.5 (x86_64) * ocfs2-kmp-rt-debuginfo-5.14.21-150500.13.21.1 * reiserfs-kmp-rt-5.14.21-150500.13.21.1 * reiserfs-kmp-rt-debuginfo-5.14.21-150500.13.21.1 * kernel-rt_debug-vdso-5.14.21-150500.13.21.1 * kernel-rt_debug-devel-5.14.21-150500.13.21.1 * ocfs2-kmp-rt-5.14.21-150500.13.21.1 * kernel-rt-extra-debuginfo-5.14.21-150500.13.21.1 * kernel-livepatch-SLE15-SP5-RT_Update_6-debugsource-1-150500.11.3.1 * gfs2-kmp-rt-5.14.21-150500.13.21.1 * kselftests-kmp-rt-5.14.21-150500.13.21.1 * kernel-rt-devel-5.14.21-150500.13.21.1 * kernel-rt_debug-debugsource-5.14.21-150500.13.21.1 * kernel-syms-rt-5.14.21-150500.13.21.1 * kernel-rt_debug-livepatch-devel-5.14.21-150500.13.21.1 * kernel-rt-optional-5.14.21-150500.13.21.1 * kernel-rt_debug-devel-debuginfo-5.14.21-150500.13.21.1 * kernel-livepatch-5_14_21-150500_13_21-rt-1-150500.11.3.1 * kernel-rt-livepatch-devel-5.14.21-150500.13.21.1 * kernel-rt-debuginfo-5.14.21-150500.13.21.1 * kselftests-kmp-rt-debuginfo-5.14.21-150500.13.21.1 * dlm-kmp-rt-5.14.21-150500.13.21.1 * cluster-md-kmp-rt-5.14.21-150500.13.21.1 * kernel-livepatch-5_14_21-150500_13_21-rt-debuginfo-1-150500.11.3.1 * dlm-kmp-rt-debuginfo-5.14.21-150500.13.21.1 * kernel-rt-optional-debuginfo-5.14.21-150500.13.21.1 * kernel-rt-devel-debuginfo-5.14.21-150500.13.21.1 * gfs2-kmp-rt-debuginfo-5.14.21-150500.13.21.1 * kernel-rt_debug-vdso-debuginfo-5.14.21-150500.13.21.1 * kernel-rt-vdso-5.14.21-150500.13.21.1 * kernel-rt-extra-5.14.21-150500.13.21.1 * kernel-rt_debug-debuginfo-5.14.21-150500.13.21.1 * kernel-rt-livepatch-5.14.21-150500.13.21.1 * cluster-md-kmp-rt-debuginfo-5.14.21-150500.13.21.1 * kernel-rt-vdso-debuginfo-5.14.21-150500.13.21.1 * kernel-rt-debugsource-5.14.21-150500.13.21.1 * openSUSE Leap 15.5 (nosrc x86_64) * kernel-rt_debug-5.14.21-150500.13.21.1 * kernel-rt-5.14.21-150500.13.21.1 * SUSE Linux Enterprise Micro 5.5 (nosrc x86_64) * kernel-rt-5.14.21-150500.13.21.1 * SUSE Linux Enterprise Micro 5.5 (x86_64) * kernel-rt-debuginfo-5.14.21-150500.13.21.1 * kernel-rt-debugsource-5.14.21-150500.13.21.1 * SUSE Linux Enterprise Live Patching 15-SP5 (x86_64) * kernel-livepatch-5_14_21-150500_13_21-rt-1-150500.11.3.1 * kernel-livepatch-SLE15-SP5-RT_Update_6-debugsource-1-150500.11.3.1 * kernel-livepatch-5_14_21-150500_13_21-rt-debuginfo-1-150500.11.3.1 * SUSE Real Time Module 15-SP5 (x86_64) * ocfs2-kmp-rt-debuginfo-5.14.21-150500.13.21.1 * kernel-rt_debug-vdso-5.14.21-150500.13.21.1 * kernel-rt_debug-devel-5.14.21-150500.13.21.1 * ocfs2-kmp-rt-5.14.21-150500.13.21.1 * gfs2-kmp-rt-5.14.21-150500.13.21.1 * kernel-rt-vdso-debuginfo-5.14.21-150500.13.21.1 * kernel-rt-devel-5.14.21-150500.13.21.1 * kernel-syms-rt-5.14.21-150500.13.21.1 * kernel-rt_debug-devel-debuginfo-5.14.21-150500.13.21.1 * kernel-rt-debuginfo-5.14.21-150500.13.21.1 * dlm-kmp-rt-5.14.21-150500.13.21.1 * cluster-md-kmp-rt-5.14.21-150500.13.21.1 * dlm-kmp-rt-debuginfo-5.14.21-150500.13.21.1 * kernel-rt-devel-debuginfo-5.14.21-150500.13.21.1 * gfs2-kmp-rt-debuginfo-5.14.21-150500.13.21.1 * kernel-rt_debug-vdso-debuginfo-5.14.21-150500.13.21.1 * kernel-rt-vdso-5.14.21-150500.13.21.1 * kernel-rt_debug-debuginfo-5.14.21-150500.13.21.1 * cluster-md-kmp-rt-debuginfo-5.14.21-150500.13.21.1 * kernel-rt_debug-debugsource-5.14.21-150500.13.21.1 * kernel-rt-debugsource-5.14.21-150500.13.21.1 * SUSE Real Time Module 15-SP5 (noarch) * kernel-source-rt-5.14.21-150500.13.21.1 * kernel-devel-rt-5.14.21-150500.13.21.1 * SUSE Real Time Module 15-SP5 (nosrc x86_64) * kernel-rt_debug-5.14.21-150500.13.21.1 * kernel-rt-5.14.21-150500.13.21.1
References
* #1152472 * #1202845 * #1206453 * #1213808 * #1214941 * #1214942 * #1214943 * #1214944 * #1214950 * #1214951 * #1214954 * #1214957 * #1214986 * #1214992 * #1214993 * #1215322 * #1215523 * #1215877 * #1215894 * #1215895 * #1215896 * #1215911 * #1215915 * #1215916 ## References: * https://www.suse.com/security/cve/CVE-2023-1206.html * https://www.suse.com/security/cve/CVE-2023-39192.html * https://www.suse.com/security/cve/CVE-2023-39193.html * https://www.suse.com/security/cve/CVE-2023-39194.html * https://www.suse.com/security/cve/CVE-2023-4155.html * https://www.suse.com/security/cve/CVE-2023-42753.html * https://www.suse.com/security/cve/CVE-2023-42754.html * https://www.suse.com/security/cve/CVE-2023-4389.html * https://www.suse.com/security/cve/CVE-2023-4622.html * https://www.suse.com/security/cve/CVE-2023-4623.html * https://www.suse.com/security/cve/CVE-2023-4921.html * https://www.suse.com/security/cve/CVE-2023-5345.html * https://bugzilla.suse.com/show_bug.cgi?id=1152472 * https://bugzilla.suse.com/show_bug.cgi?id=1202845 * https://bugzilla.suse.com/show_bug.cgi?id=1206453 * https://bugzilla.suse.com/show_bug.cgi?id=1213808 * https://bugzilla.suse.com/show_bug.cgi?id=1214941 * https://bugzilla.suse.com/show_bug.cgi?id=1214942 * https://bugzilla.suse.com/show_bug.cgi?id=1214943 * https://bugzilla.suse.com/show_bug.cgi?id=1214944 * https://bugzilla.suse.com/show_bug.cgi?id=1214950 * https://bugzilla.suse.com/show_bug.cgi?id=1214951 * https://bugzilla.suse.com/show_bug.cgi?id=1214954 * https://bugzilla.suse.com/show_bug.cgi?id=1214957 * https://bugzilla.suse.com/show_bug.cgi?id=1214986 * https://bugzilla.suse.com/show_bug.cgi?id=1214992 * https://bugzilla.suse.com/show_bug.cgi?id=1214993 * https://bugzilla.suse.com/show_bug.cgi?id=1215322 * https://bugzilla.suse.com/show_bug.cgi?id=1215523 * https://bugzilla.suse.com/show_bug.cgi?id=1215877 * https://bugzilla.suse.com/show_bug.cgi?id=1215894 * https://bugzilla.suse.com/show_bug.cgi?id=1215895 * https://bugzilla.suse.com/show_bug.cgi?id=1215896 * https://bugzilla.suse.com/show_bug.cgi?id=1215911 * https://bugzilla.suse.com/show_bug.cgi?id=1215915 * https://bugzilla.suse.com/show_bug.cgi?id=1215916