SUSE-SU-2025:2173-1

Source
https://www.suse.com/support/update/announcement/2025/suse-su-20252173-1/
Import Source
https://ftp.suse.com/pub/projects/security/osv/SUSE-SU-2025:2173-1.json
JSON Data
https://api.test.osv.dev/v1/vulns/SUSE-SU-2025:2173-1
Upstream
Related
Withdrawn
2026-04-03T13:00:50.238417Z
Published
2025-06-30T13:01:26Z
Modified
2026-04-03T13:00:50.238417Z
Summary
Security update for the Linux Kernel
Details

The SUSE Linux Enterprise 15 SP5 kernel was updated to receive various security bugfixes.

The following security bugs were fixed:

  • CVE-2022-49775: tcp: cdg: allow tcp_cdg_release() to be called multiple times (bsc#1242245).
  • CVE-2024-53168: net: make sock_inuse_add() available (bsc#1234887).
  • CVE-2024-56558: nfsd: make sure exp active before svc_export_show (bsc#1235100).
  • CVE-2025-21999: proc: fix UAF in proc_get_inode() (bsc#1240802).
  • CVE-2025-22056: netfilter: nft_tunnel: fix geneve_opt type confusion addition (bsc#1241525).
  • CVE-2025-23145: mptcp: fix NULL pointer in can_accept_new_subflow (bsc#1242596).
  • CVE-2025-37789: net: openvswitch: fix nested key length validation in the set() action (bsc#1242762).
  • CVE-2024-28956: x86/its: Add support for ITS-safe indirect thunk (bsc#1242006).
  • CVE-2025-37785: ext4: fix OOB read when checking dotdot dir (bsc#1241640).

The following non-security bugs were fixed:

  • Drivers: hv: Allow vmbus_sendpacket_mpb_desc() to create multiple ranges (bsc#1243737).
  • Move upstreamed sched/membarrier patch into sorted section
  • Remove debug flavor (bsc#1243919). This is only released in Leap, and we do not have Leap 15.4 anymore.
  • Remove debug flavor (bsc#1243919). This is only released in Leap, and we do not have Leap 15.5 anymore.
  • Use gcc-13 for build on SLE16 (jsc#PED-10028).
  • arm64: bpf: Add BHB mitigation to the epilogue for cBPF programs (bsc#1242778).
  • arm64: bpf: Only mitigate cBPF programs loaded by unprivileged users (bsc#1242778).
  • arm64: insn: Add support for encoding DSB (bsc#1242778).
  • arm64: proton-pack: Add new CPUs 'k' values for branch mitigation (bsc#1242778).
  • arm64: proton-pack: Expose whether the branchy loop k value (bsc#1242778).
  • arm64: proton-pack: Expose whether the platform is mitigated by firmware (bsc#1242778).
  • hv_netvsc: Preserve contiguous PFN grouping in the page buffer array (bsc#1243737).
  • hv_netvsc: Remove rmsg_pgcnt (bsc#1243737).
  • hv_netvsc: Use vmbus_sendpacket_mpb_desc() to send VMBus messages (bsc#1243737).
  • mtd: phram: Add the kernel lock down check (bsc#1232649).
  • net :mana :Add remaining GDMA stats for MANA to ethtool (bsc#1234395).
  • net :mana :Request a V2 response version for MANA_QUERY_GF_STAT (bsc#1234395).
  • net: mana: Add gdma stats to ethtool output for mana (bsc#1234395).
  • nvme-pci: acquire cq_poll_lock in nvme_poll_irqdisable (bsc#1223096).
  • ocfs2: fix the issue with discontiguous allocation in the global_bitmap (git-fixes).
  • powerpc/pseries/iommu: IOMMU incorrectly marks MMIO range in DDW (bsc#1218470 ltc#204531).
  • rpm/kernel-binary.spec.in: Also order against update-bootloader (boo#1228659, boo#1240785, boo#1241038).
  • rpm/kernel-binary.spec.in: Fix missing 20-kernel-default-extra.conf (bsc#1239986)
  • rpm/kernel-binary.spec.in: fix KMPs build on 6.13+ (bsc#1234454)
  • rpm/kernel-docs.spec.in: Workaround for reproducible builds (bsc#1238303)
  • rpm/release-projects: Update the ALP projects again (bsc#1231293).
  • rpm/split-modules: Fix optional splitting with usrmerge (bsc#1238570)
  • scsi: core: Fix unremoved procfs host directory regression (git-fixes).
  • tcp: Dump bound-only sockets in inet_diag (bsc#1204562).
  • tpm, tpm_tis: Workaround failed command reception on Infineon devices (bsc#1235870).
  • tpm: tis: Double the timeout B to 4s (bsc#1235870).
  • x86/bhi: Do not set BHI_DIS_S in 32-bit mode (bsc#1242778).
  • x86/bpf: Add IBHF call at end of classic BPF (bsc#1242778).
  • x86/bpf: Call branch history clearing sequence on exit (bsc#1242778).
References

Affected packages