Bug 784994

Summary: VIA padlock support on 64 systems accidentally removed.
Product: [openSUSE] openSUSE 12.2 Reporter: Franz Wudy <franz.wudy>
Component: BasesystemAssignee: Guan Jun He <gjhe>
Status: RESOLVED FIXED QA Contact: E-mail List <qa-bugs>
Severity: Normal    
Priority: P5 - None    
Version: Final   
Target Milestone: ---   
Hardware: 64bit   
OS: openSUSE 12.2   
Whiteboard:
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---
Attachments: patch to enable via-padlock to x86_64 gcc.

Description Franz Wudy 2012-10-14 00:25:27 UTC 
User-Agent:       Mozilla/5.0 (X11; Linux x86_64; rv:15.0) Gecko/20100101 Firefox/15.0.1

Running OpenSUSE 12.2 final - 64 bit.

Trying to use padlock engine support under openssl with a VIA NANO X2 processor.
Does not work:

$ openssl engine padlock
140353542751912:error:260B606D:engine routines:DYNAMIC_LOAD:init failed:eng_dyn.c:521:
140353542751912:error:2606A074:engine routines:ENGINE_by_id:no such engine:eng_list.c:417:id=padlock

$ openssl version
OpenSSL 1.0.1c 10 May 2012


That is a really sad thing as the hardware support of AES encryption is an important thing considering that the processor itself is pretty weak...

Sure enough looking at the sources reveals:

openssl-1.0-1c/engines/e_padlock.c
{...}
#undef COMPILE_HW_PADLOCK
#if !defined(I386_ONLY) && !defined(OPENSSL_NO_INLINE_ASM)
# if (defined(__GNUC__) && (defined(__i386__) || defined(__i386))) || \
     (defined(_MSC_VER) && defined(_M_IX86))
#  define COMPILE_HW_PADLOCK
# endif
#endif
{...}

The engine is not being compiled during the build process (64 bit).

There are lots of fixes and patches around.
I found one on the SUSE build machine:
https://build.opensuse.org/package/files?package=openssl&project=Base%3ASystem&rev=68
openssl-padlock-x86_64-head.patch

This patch would allow for the engine to build (I did not test it though - just limited knowledge of how to do that). With revision 69 this patch disappeared without any comment.

Is it possible to re-enable this functionality, please?
I'd be glad to help and test patches or rpms.

One dangerous thing happens if you believe that padlock works on a 64 bit machine as it used to work out of the box on 32 bit machines: Enabling the permanent use of padlock renders your system pretty useless. Openssl is not working any more (without any fallback) and leaves you with all kinds of problems, no Apache, no yast software utility, etc....

Other distributions btw. started to patch on the distri level:
E.g. Fedora: 
* Thu Apr 28 2011 Tomas Mraz <tmraz at redhat.com> 1.0.0d-3
- add support for VIA Padlock on 64bit arch from upstream (#617539)


Thanks / Gruesse - 
Franz




Reproducible: Always

Steps to Reproduce:
1.openssl engine padlock
2.
3.
Actual Results:  
140353542751912:error:260B606D:engine routines:DYNAMIC_LOAD:init failed:eng_dyn.c:521:
140353542751912:error:2606A074:engine routines:ENGINE_by_id:no such engine:eng_list.c:417:id=padlock

Expected Results:  
expected it to work :-)

$ cat /proc/cpuinfo
processor       : 0
vendor_id       : CentaurHauls
cpu family      : 6
model           : 15
model name      : VIA Nano X2 U4025 @ 1.2 GHz
stepping        : 12
cpu MHz         : 1067.000
cache size      : 1024 KB
physical id     : 0
siblings        : 2
core id         : 0
cpu cores       : 1
apicid          : 0
initial apicid  : 0
fpu             : yes
fpu_exception   : yes
cpuid level     : 10
wp              : yes
flags           : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat clflush acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx lm constant_tsc rep_good nopl pni monitor vmx est tm2 ssse3 cx16 xtpr sse4_1 popcnt rng rng_en ace ace_en ace2 phe phe_en pmm pmm_en lahf_lm ida
bogomips        : 2400.14
clflush size    : 64
cache_alignment : 128
address sizes   : 36 bits physical, 48 bits virtual
power management:

processor       : 1
vendor_id       : CentaurHauls
cpu family      : 6
model           : 15
model name      : VIA Nano X2 U4025 @ 1.2 GHz
stepping        : 12
cpu MHz         : 1067.000
cache size      : 1024 KB
physical id     : 0
siblings        : 2
core id         : 0
cpu cores       : 1
apicid          : 2
initial apicid  : 2
fpu             : yes
fpu_exception   : yes
cpuid level     : 10
wp              : yes
flags           : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat clflush acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx lm constant_tsc rep_good nopl pni monitor vmx est tm2 ssse3 cx16 xtpr sse4_1 popcnt rng rng_en ace ace_en ace2 phe phe_en pmm pmm_en lahf_lm ida
bogomips        : 2400.14
clflush size    : 64
cache_alignment : 128
address sizes   : 36 bits physical, 48 bits virtual
power management:

$uname -a
Linux verleihnix 3.4.6-2.10-desktop #1 SMP PREEMPT x86_64 x86_64 x86_64 GNU/Linux
Comment 1 Petr Cerny 2012-10-15 13:50:11 UTC 
openssl rather than openssh issue
Comment 2 Guan Jun He 2012-11-12 09:06:24 UTC 
Created attachment 512782 [details]
patch to enable via-padlock to x86_64 gcc.
Comment 3 Guan Jun He 2012-11-12 09:08:11 UTC 
please help to test the patch attached, thanks.
Comment 4 Franz Wudy 2012-11-14 18:21:58 UTC 
Thanks Mr. He.
I got the sources downloaded and the engine patched.
./Configure and ./make went through without any problems.


Testing:

/usr/src/packages/SOURCES/openssl-1.0.1c/openssl-1.0.1c/apps # ./openssl version -a
OpenSSL 1.0.1c 10 May 2012
built on: Wed Nov 14 12:57:23 EST 2012
platform: linux-x86_64
options:  bn(64,64) rc4(8x,int) des(idx,cisc,16,int) idea(int) blowfish(idx) 
compiler: gcc -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -Wa,--noexecstack -m64 -DL_ENDIAN -DTERMIO -O3 -Wall -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
OPENSSLDIR: "/usr/local/ssl"




/usr/src/packages/SOURCES/openssl-1.0.1c/openssl-1.0.1c/apps # ./openssl speed -evp aes-128-ecb -engine padlock
engine "padlock" set.
Doing aes-128-ecb for 3s on 16 size blocks: 21636360 aes-128-ecb's in 2.99s
Doing aes-128-ecb for 3s on 64 size blocks: 17974821 aes-128-ecb's in 3.00s
Doing aes-128-ecb for 3s on 256 size blocks: 9937132 aes-128-ecb's in 3.00s
Doing aes-128-ecb for 3s on 1024 size blocks: 3528344 aes-128-ecb's in 3.00s
Doing aes-128-ecb for 3s on 8192 size blocks: 502598 aes-128-ecb's in 3.00s
OpenSSL 1.0.1c 10 May 2012
built on: Wed Nov 14 12:57:23 EST 2012
options:bn(64,64) rc4(8x,int) des(idx,cisc,16,int) aes(partial) idea(int) blowfish(idx) 
compiler: gcc -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -Wa,--noexecstack -m64 -DL_ENDIAN -DTERMIO -O3 -Wall -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-128-ecb     115779.85k   383462.85k   847968.60k  1204341.42k  1372427.61k



WOW! from 50850.47k to 1372427.61k. That's an improvement!

Seems to work.

I am not brave enough to issue a "make install" on the live machine.

Do you think it would be possible to include the patch on your building machines and deliver it with the next update?

Thanks for your help.

Franz
Comment 5 Franz Wudy 2012-11-14 18:25:18 UTC 
BTW:
The outputs from the original build:


# openssl version -a
OpenSSL 1.0.1c 10 May 2012
built on: 2012-05-10 19:31:27.000000000 +0000
platform: linux-x86_64
options:  bn(64,64) rc4(8x,int) des(idx,cisc,16,int) blowfish(idx) 
compiler: gcc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -m64 -DL_ENDIAN -DTERMIO -O3 -Wall -fmessage-length=0 -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector -funwind-tables -fasynchronous-unwind-tables -g -std=gnu99 -Wa,--noexecstack -fomit-frame-pointer -DTERMIO -DPURIFY -DSSL_FORBID_ENULL -D_GNU_SOURCE -Wall -fstack-protector -Wa,--noexecstack  -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
OPENSSLDIR: "/etc/ssl"


openssl speed -evp aes-128-ecb -engine padlock
invalid engine "padlock"
140484370863784:error:260B606D:engine routines:DYNAMIC_LOAD:init failed:eng_dyn.c:521:
140484370863784:error:2606A074:engine routines:ENGINE_by_id:no such engine:eng_list.c:417:id=padlock
140484370863784:error:25066067:DSO support routines:DLFCN_LOAD:could not load the shared library:dso_dlfcn.c:187:filename(libpadlock.so): libpadlock.so: cannot open shared object file: No such file or directory
140484370863784:error:25070067:DSO support routines:DSO_load:could not load the shared library:dso_lib.c:244:
140484370863784:error:260B6084:engine routines:DYNAMIC_LOAD:dso not found:eng_dyn.c:450:
Doing aes-128-ecb for 3s on 16 size blocks: 8468331 aes-128-ecb's in 3.00s
Doing aes-128-ecb for 3s on 64 size blocks: 2315304 aes-128-ecb's in 3.00s
Doing aes-128-ecb for 3s on 256 size blocks: 588843 aes-128-ecb's in 3.00s
Doing aes-128-ecb for 3s on 1024 size blocks: 148641 aes-128-ecb's in 2.99s
Doing aes-128-ecb for 3s on 8192 size blocks: 18623 aes-128-ecb's in 3.00s
OpenSSL 1.0.1c 10 May 2012
built on: 2012-05-10 19:31:27.000000000 +0000
options:bn(64,64) rc4(8x,int) des(idx,cisc,16,int) aes(partial) blowfish(idx) 
compiler: gcc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -m64 -DL_ENDIAN -DTERMIO -O3 -Wall -fmessage-length=0 -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector -funwind-tables -fasynchronous-unwind-tables -g -std=gnu99 -Wa,--noexecstack -fomit-frame-pointer -DTERMIO -DPURIFY -DSSL_FORBID_ENULL -D_GNU_SOURCE -Wall -fstack-protector -Wa,--noexecstack  -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-128-ecb      45164.43k    49393.15k    50247.94k    50905.81k    50853.21k



Some of the compiler options are a little different. Also IDEA cipher is under the options list now.

Franz
Comment 6 Guan Jun He 2012-11-15 04:37:37 UTC 
please help to do more test, not only speed, but also correctness. 

We are considering to deliver the update.
Comment 7 Franz Wudy 2012-11-15 14:35:08 UTC 
okay. 
I en-crypted the ogg manual pages file once using the "old" openssl and once using the "new" openssl. Then I de-crypted the files again.
Then I created SHA1 hashes of the so treated files:

$ ./sha1sum ogg*
77c0951aa2c0b4ea6dc2aabf7d0c538dc26f1ae3  ogg123
9f8655b24807f4ea36c04b33e73ba78a497ac008  ogg123_old_enc
77c0951aa2c0b4ea6dc2aabf7d0c538dc26f1ae3  ogg123_old_enc_dec
843f9dd825c1b7fabd1e4e2031fe397ba0fed3e1  ogg123_new_enc
77c0951aa2c0b4ea6dc2aabf7d0c538dc26f1ae3  ogg123_new_enc_dec


ogg123 is the original file.
ogg123_old_enc is the the file encrypted using the old openssl.
ogg123_old_enc_dec is the again de-crypted files.
As expected the hashes match.

Same for files ogg123_new_enc and ogg123_new_enc_dec only using the new openssl.
In this case hashes match, too.

So as far as I am concerned the correctness is ensured.

Let me know if you need more.

Franz
Comment 8 Guan Jun He 2012-11-16 03:24:39 UTC 
That's good! thanks a lot for your help.

We will do more test and deliver an update.
Comment 9 Benjamin Brunner 2012-11-26 09:32:49 UTC 
Update released for openSUSE 12.2. Resolved fixed.
Comment 10 Swamp Workflow Management 2012-11-26 10:06:41 UTC 
openSUSE-RU-2012:1539-1: An update that has one recommended fix can now be installed.

Category: recommended (low)
Bug References: 784994
CVE References: 
Sources used:
openSUSE 12.2 (src):    openssl-1.0.1c-2.4.1
Comment 11 Swamp Workflow Management 2012-11-26 10:07:03 UTC 
openSUSE-RU-2012:1543-1: An update that has one recommended fix can now be installed.

Category: recommended (low)
Bug References: 784994
CVE References: 
Sources used:
openSUSE 12.2 (src):    openssl-1.0.1c-2.4.1
Comment 12 Swamp Workflow Management 2012-11-26 10:07:21 UTC 
openSUSE-RU-2012:1546-1: An update that has one recommended fix can now be installed.

Category: recommended (low)
Bug References: 784994
CVE References: 
Sources used:
openSUSE 12.2 (src):    openssl-1.0.1c-2.4.1
Comment 13 Swamp Workflow Management 2014-02-18 14:04:48 UTC 
openSUSE-RU-2014:0249-1: An update that solves four vulnerabilities and has 5 fixes is now available.

Category: recommended (moderate)
Bug References: 670526,720601,784994,793420,802184,803004,849377,856687,857203
CVE References: CVE-2011-0014,CVE-2012-4929,CVE-2013-6449,CVE-2013-6450
Sources used:
openSUSE 11.4 (src):    openssh-5.8p1-7.2, openssh-askpass-gnome-5.8p1-7.1, openssl-1.0.1e-53.1
Comment 14 Swamp Workflow Management 2022-02-16 21:12:32 UTC 
SUSE-FU-2022:0445-1: An update that solves 183 vulnerabilities, contains 21 features and has 299 fixes is now available.

Category: feature (moderate)
Bug References: 1000080,1000117,1000194,1000677,1000742,1001148,1001912,1002585,1002895,1003091,1005246,1009528,1010874,1010966,1011936,1015549,1019637,1021641,1022085,1022086,1022271,1027079,1027610,1027688,1027705,1027908,1028281,1028723,1029523,1029902,1030038,1032118,1032119,1035604,1039469,1040164,1040256,1041090,1042392,1042670,1044095,1044107,1044175,1049186,1049304,1050653,1050665,1055478,1055542,1055825,1056058,1056951,1057496,1062237,1065363,1066242,1066873,1068790,1070737,1070738,1070853,1071905,1071906,1071941,1073310,1073845,1073879,1074247,1076519,1077096,1077230,1078329,1079761,1080301,1081005,1081750,1081751,1082155,1082163,1082318,1083826,1084117,1084157,1085276,1085529,1085661,1087102,1087104,1088573,1089039,1090427,1090765,1090953,1093518,1093917,1094788,1094814,1094883,1095267,1096738,1096937,1097158,1097531,1097624,1098535,1098592,1099308,1099569,1100078,1101246,1101470,1102868,1104789,1106197,1108508,1109882,1109998,1110435,1110869,1110871,1111493,1111622,1111657,1112209,1112357,1113534,1113652,1113742,1113975,1115769,1117951,1118611,1119376,1119416,1119792,1121717,1121852,1122191,1123064,1123185,1123186,1123558,1124885,1125815,1126283,1126318,1127080,1127173,1128146,1128323,1128355,1129071,1129566,1130840,1131291,1132174,1132323,1132455,1132663,1132900,1135009,1136444,1138666,1138715,1138746,1139915,1140255,1141168,1142899,1143033,1143454,1143893,1144506,1149686,1149792,1150003,1150190,1150250,1150895,1153830,1155815,1156677,1156694,1156908,1157104,1157354,1158809,1159235,1159538,1160163,1161557,1161770,1162224,1162367,1162743,1163978,1164310,1165439,1165578,1165730,1165823,1165960,1166139,1166758,1167008,1167501,1167732,1167746,1168480,1168973,1169489,1170175,1170863,1171368,1171561,1172226,1172908,1172928,1173226,1173356,1174009,1174091,1174514,1175729,1176116,1176129,1176134,1176232,1176256,1176257,1176258,1176259,1176262,1176389,1176785,1176977,1177120,1177127,1177559,1178168,1178341,1178670,1179491,1179562,1179630,1179805,1180125,1180781,1181126,1181324,1181944,1182066,1182211,1182244,1182264,1182331,1182333,1182379,1182963,1183059,1183374,1183858,1184505,1185588,1185706,1185748,1186738,1187045,1189521,1190781,1193357,356549,381844,394317,408865,428177,430141,431945,437293,442740,459468,489641,504687,509031,526319,590833,610223,610642,629905,637176,651003,657698,658604,670526,673071,693027,715423,720601,743787,747125,748738,749210,749213,749735,750618,751718,751946,751977,754447,754677,761500,774710,784670,784994,787526,793420,799119,802184,803004,809831,811890,822642,825221,828513,831629,832833,834601,835687,839107,84331,849377,855666,855676,856687,857203,857850,858239,867887,869945,871152,872299,873351,876282,876710,876712,876748,880891,885662,885882,889013,889363,892477,892480,895129,898917,901223,901277,901902,902364,906878,907584,908362,908372,912014,912015,912018,912292,912293,912294,912296,912460,913229,915479,917607,917759,917815,919648,920236,922448,922488,922496,922499,922500,926597,929678,929736,930189,931698,931978,933898,933911,934487,934489,934491,934493,935856,937085,937212,937492,937634,937912,939456,940608,942385,942751,943421,944204,945455,946648,947104,947357,947679,948198,952871,954256,954486,954690,957812,957813,957815,958501,961334,962291,963415,963974,964204,964472,964474,965830,967128,968046,968047,968048,968050,968265,968270,968374,968601,975875,976942,977584,977614,977615,977616,977663,978224,981848,982268,982575,983249,984323,985054,988086,990207,990392,990419,990428,991193,991877,992120,992988,992989,992992,993130,993819,993825,993968,994749,994844,994910,995075,995324,995359,995377,995959,996255,997043,997614,998190,999665,999666,999668
CVE References: CVE-2006-2937,CVE-2006-2940,CVE-2006-3738,CVE-2006-4339,CVE-2006-4343,CVE-2006-7250,CVE-2007-3108,CVE-2007-4995,CVE-2007-5135,CVE-2008-0891,CVE-2008-1672,CVE-2008-5077,CVE-2009-0590,CVE-2009-0591,CVE-2009-0789,CVE-2009-1377,CVE-2009-1378,CVE-2009-1379,CVE-2009-1386,CVE-2009-1387,CVE-2010-0740,CVE-2010-0742,CVE-2010-1633,CVE-2010-2939,CVE-2010-3864,CVE-2010-5298,CVE-2011-0014,CVE-2011-3207,CVE-2011-3210,CVE-2011-3389,CVE-2011-4108,CVE-2011-4576,CVE-2011-4577,CVE-2011-4619,CVE-2011-4944,CVE-2012-0027,CVE-2012-0050,CVE-2012-0845,CVE-2012-0884,CVE-2012-1150,CVE-2012-1165,CVE-2012-2110,CVE-2012-2686,CVE-2012-4929,CVE-2013-0166,CVE-2013-0169,CVE-2013-1752,CVE-2013-4238,CVE-2013-4314,CVE-2013-4353,CVE-2013-6449,CVE-2013-6450,CVE-2014-0012,CVE-2014-0076,CVE-2014-0160,CVE-2014-0195,CVE-2014-0198,CVE-2014-0221,CVE-2014-0224,CVE-2014-1829,CVE-2014-1830,CVE-2014-2667,CVE-2014-3470,CVE-2014-3505,CVE-2014-3506,CVE-2014-3507,CVE-2014-3508,CVE-2014-3509,CVE-2014-3510,CVE-2014-3511,CVE-2014-3512,CVE-2014-3513,CVE-2014-3566,CVE-2014-3567,CVE-2014-3568,CVE-2014-3570,CVE-2014-3571,CVE-2014-3572,CVE-2014-4650,CVE-2014-5139,CVE-2014-7202,CVE-2014-7203,CVE-2014-8275,CVE-2014-9721,CVE-2015-0204,CVE-2015-0205,CVE-2015-0206,CVE-2015-0209,CVE-2015-0286,CVE-2015-0287,CVE-2015-0288,CVE-2015-0289,CVE-2015-0293,CVE-2015-1788,CVE-2015-1789,CVE-2015-1790,CVE-2015-1791,CVE-2015-1792,CVE-2015-2296,CVE-2015-3194,CVE-2015-3195,CVE-2015-3196,CVE-2015-3197,CVE-2015-3216,CVE-2015-4000,CVE-2016-0702,CVE-2016-0705,CVE-2016-0797,CVE-2016-0798,CVE-2016-0799,CVE-2016-0800,CVE-2016-10745,CVE-2016-2105,CVE-2016-2106,CVE-2016-2107,CVE-2016-2109,CVE-2016-2176,CVE-2016-2177,CVE-2016-2178,CVE-2016-2179,CVE-2016-2180,CVE-2016-2181,CVE-2016-2182,CVE-2016-2183,CVE-2016-6302,CVE-2016-6303,CVE-2016-6304,CVE-2016-6306,CVE-2016-7052,CVE-2016-7055,CVE-2016-9015,CVE-2017-18342,CVE-2017-3731,CVE-2017-3732,CVE-2017-3735,CVE-2017-3736,CVE-2017-3737,CVE-2017-3738,CVE-2018-0732,CVE-2018-0734,CVE-2018-0737,CVE-2018-0739,CVE-2018-18074,CVE-2018-20060,CVE-2018-5407,CVE-2018-7750,CVE-2019-10906,CVE-2019-11236,CVE-2019-11324,CVE-2019-13132,CVE-2019-1547,CVE-2019-1551,CVE-2019-1559,CVE-2019-1563,CVE-2019-20907,CVE-2019-20916,CVE-2019-5010,CVE-2019-6250,CVE-2019-8341,CVE-2019-9740,CVE-2019-9947,CVE-2020-14343,CVE-2020-15166,CVE-2020-15523,CVE-2020-15801,CVE-2020-1747,CVE-2020-1971,CVE-2020-25659,CVE-2020-26137,CVE-2020-27783,CVE-2020-28493,CVE-2020-29651,CVE-2020-36242,CVE-2020-8492,CVE-2021-23336,CVE-2021-23840,CVE-2021-23841,CVE-2021-28957,CVE-2021-29921,CVE-2021-3177,CVE-2021-33503,CVE-2021-3426,CVE-2021-3712
JIRA References: ECO-3105,SLE-11435,SLE-12684,SLE-12986,SLE-13688,SLE-14253,SLE-15159,SLE-15860,SLE-15861,SLE-16754,SLE-17532,SLE-17957,SLE-18260,SLE-18354,SLE-18446,SLE-19264,SLE-3887,SLE-4480,SLE-4577,SLE-7686,SLE-9135
Sources used:
SUSE Manager Tools 12-BETA (src):    venv-salt-minion-3002.2-3.3.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.