Some blacklisted SUSE kernel RPM changelog entries were removed in recent kernels
This document (000021742) is provided subject to the disclaimer at the end of this document.
Environment
SUSE Linux Enterprise Server 12
SUSE Linux Enterprise Server 15
Situation
Because SUSE's and third-party tooling would mark any CVE found in RPM changelog files as "fixed", changelog entries could lead to confusion about the fix status of a bug or CVE. In some SUSE Linux Enterprise Server kernels, CVEs/bugs/commits were marked as "blacklisted", that is, listed in a blacklist.conf file to indicate that the code was not needed or not applicable in the kernel. Because this was recorded in the changelog, the implication was that the issue was resolved, but as noted, "blacklisted" entries are not applicable.
SUSE kernel blacklist tooling is explained here:
https://github.com/SUSE/kernel-source/blob/master/blacklist.conf
https://github.com/SUSE/kernel-source/blob/master/README.blacklist
An example blacklist configuration file for SLES15-SP6 kernel:
https://github.com/SUSE/kernel-source/blob/SLE15-SP6/blacklist.conf
A changelog entry that contains "blacklist.conf" means that the referenced bug/CVE/commit is blacklisted and does not affect the kernel where this blacklist.conf is noted.
Resolution
In SLES12-SP5 several blacklisted CVEs/commits were introduced in kernel 4.12.14-122.222.1 and later removed in kernel 4.12.14-122.237.1.
Examples of some of those CVEs/commits:
CVE-2024-35956:
* Thu Jun 06 2024 dsterba@suse.com
- blacklist.conf: CVE-2024-35956 bsc#1224674: not applicable bsc#1225945
Quoting bsc#1225945#c11:
"So the upstream 6.5 kernel commit (1b53e51a4a8f ("btrfs: don't commit
transaction for every subvol create")
) was never backported to SLE, so that fix eb96e221937a ("btrfs: fix
unwritten extent buffer after snapshotting a new subvolume") was never
backported."
- commit 13b6119
CVE-2023-52808:
* Wed Jun 19 2024 lduncan@suse.com
- blacklist.conf: bsc#1225555 CVE-2023-52808
patches code not present
- commit 35c5de8
CVE-2021-47193:
* Wed Jun 19 2024 lduncan@suse.com
- blacklist.conf: bsc#1222879 CVE-2021-47193
breaks kABI
- commit 5ac2f95
CVE-2021-47328:
* Fri Jun 14 2024 lduncan@suse.com
- blacklist.conf: bsc#1225047 CVE-2021-47328: breaks kABI
Also, does not apply.
- commit 55744fb
Starting with recent kernels, including SLES12-SP5 kernel 4.12.14-122.237.1 and later, a change was made to how "blacklist.conf" entries are written to the kernel RPM changelogs.
The change was introduced by this commit:
https://github.com/SUSE/kernel-source/commit/f2923a31a4a8384712b634cc643905061ef23bde
commit f2923a31a4a8384712b634cc643905061ef23bde
Author: Ales Novak <alnovak@suse.cz>
Date: Wed Dec 4 09:12:45 2024 +0100
tar-up.sh: let out changes to blacklist.conf from changes
https://github.com/SUSE/kernel-source/blob/SLE15-SP6/scripts/tar-up.sh
SUSE kernel developers determined that many of these blacklist.conf changelog entries did not need to be written to the kernel RPM changelog. It was decided that these "blacklist.conf" entries do not need to be stored in the kernel changelog.
A commit that contains the "blacklist.conf" entry means that the referenced bug/CVE/commit does not affect the kernel where this blacklist.conf is noted.
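For kernels whose changelog still carries blacklist.conf entries, the following added example (not SUSE tooling and not part of the original document) separates CVEs that appear only in "blacklist.conf:" items from CVEs referenced by other changelog items. The function names, the "patch-referenced" label, the rule that a non-blacklist mention takes precedence, and the last sample entry with its placeholder identifiers are assumptions made for illustration.

```python
import re

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")

# Sample `rpm -q --changelog` text. The first two entries are quoted on this
# page; the last entry is constructed, with placeholder identifiers.
SAMPLE = """\
* Wed Jun 19 2024 lduncan@suse.com
- blacklist.conf: bsc#1225555 CVE-2023-52808
  patches code not present
- commit 35c5de8
* Fri Jun 14 2024 lduncan@suse.com
- blacklist.conf: bsc#1225047 CVE-2021-47328: breaks kABI
  Also, does not apply.
- commit 55744fb
* Mon Jan 01 2024 dev@example.com
- example: constructed patch entry (bsc#0000000 CVE-0000-00001)
- commit 0000000
"""

def changelog_items(text):
    """Yield each '- ' item with its continuation lines joined onto it."""
    item = None
    for line in text.splitlines():
        if line.startswith("- ") or line.startswith("* "):
            if item is not None:
                yield item
            # A '* ' header line closes the previous item and starts none.
            item = line[2:] if line.startswith("- ") else None
        elif item is not None:
            item += " " + line.strip()
    if item is not None:
        yield item

def classify_cves(text):
    """Map each CVE id to 'blacklisted' or 'patch-referenced'."""
    status = {}
    for item in changelog_items(text):
        blacklisted = item.startswith("blacklist.conf:")
        for cve in CVE_RE.findall(item):
            if blacklisted:
                status.setdefault(cve, "blacklisted")
            else:
                # Assumption: a mention outside blacklist.conf takes precedence.
                status[cve] = "patch-referenced"
    return status

if __name__ == "__main__":
    for cve, state in sorted(classify_cves(SAMPLE).items()):
        print(cve, state)
```

A CVE reported as "blacklisted" here is one that changelog-based tooling would count as "fixed" even though the entry only records that the code does not apply to that kernel.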
Disclaimer
This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.
- Document ID: 000021742
- Creation Date: 17-Mar-2025
- Modified Date: 02-Apr-2025
- SUSE Linux Enterprise Server
- SUSE Linux Enterprise Server for SAP Applications
For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]suse.com