In vSphere 7.0.x, the Update Manager plug-in, used for administering vSphere Update Manager, is replaced with the Lifecycle Manager plug-in. Administrative operations for vSphere Update Manager are still available under the Lifecycle Manager plug-in, along with new capabilities for vSphere Lifecycle Manager. The typical way to apply patches to ESXi 7.0.x hosts is by using the vSphere Lifecycle Manager. For details, see About vSphere Lifecycle Manager and vSphere Lifecycle Manager Baselines and Images. You can also update ESXi hosts without using the Lifecycle Manager plug-in, and use an image profile instead. To do this, you must manually download the patch offline bundle ZIP file from the Product Patches page and use the esxcli software profile update command. For more information, see the Upgrading Hosts by Using ESXCLI Commands and the VMware ESXi Upgrade guide.
The Swapper Intel Patch
Discontinuation of Trusted Platform Module (TPM) 1.2 in a future major vSphere release: VMware intends in a future major vSphere release to discontinue support of TPM 1.2 and associated features such as TPM 1.2 with TXT. To get full use of vSphere features, you can use TPM 2.0 instead of TPM 1.2. Support for TPM 1.2 continues in all vSphere 7.0.x releases, updates, and patches. However, you will not see a deprecation warning for TPM 1.2 during installation or updates of 7.0.x releases.
The ESXi and esx-update bulletins are dependent on each other. Always include both in a single ESXi host patch baseline or include the rollup bulletin in the baseline to avoid failure during host patching. Updates the crx, vsanhealth, vsan, gc, esx-xserver, clusterstore, vdfs, native-misc-drivers, cpu-microcode, esx-dvfilter-generic-fastpath, and esx-base VIBs to resolve the following issues:
The ESXi and esx-update bulletins are dependent on each other. Always include both in a single ESXi host patch baseline or include the rollup bulletin in the baseline to avoid failure during host patching. Updates the vdfs, esx-xserver, esx-base, esx-dvfilter-generic-fastpath, crx, native-misc-drivers, cpu-microcode, gc, vsanhealth, clusterstore, and vsan VIBs to resolve the following issues:
If you attempt to update your environment to 7.0 Update 2 from an earlier version of ESXi 7.0 by using vSphere Lifecycle Manager patch baselines, UEFI booting of ESXi hosts might stop with an error such as: Loading /boot.cfg Failed to load crypto64.efi Fatal error: 15 (Not found)
In earlier releases of vCenter Server you could configure independent proxy settings for vCenter Server and vSphere Update Manager. After an upgrade to vSphere 7.0, vSphere Update Manager service becomes part of the vSphere Lifecycle Manager service. For the vSphere Lifecycle Manager service, the proxy settings are configured from the vCenter Server appliance settings. If you had configured Update Manager to download patch updates from the Internet through a proxy server but the vCenter Server appliance had no proxy setting configuration, after a vCenter Server upgrade to version 7.0, the vSphere Lifecycle Manager fails to connect to the VMware depot and is unable to download patches or updates.
This enhancement provides additional features and a patch for a potential data corruption bug. The compiler barrier is now a static inline function, compiler_barrier, so no name conflict occurs with the hardware store barrier when hardware fencing for the non-temporal memcpy variants is implemented through a function pointer. As a result, RHEL 8.6 now includes pmdk version 1.11.1.
Since RHEL 8.1, kernel live patches have been provided for selected minor release streams of RHEL covered under the Extended Update Support (EUS) policy to remediate Critical and Important Common Vulnerabilities and Exposures (CVEs). To accommodate the maximum number of concurrently covered kernels and use cases, the support window for each live patch is decreased from 12 to 6 months for every minor, major, and zStream version of the kernel. This means that on the day a kernel live patch is released, it covers every minor release and scheduled errata kernel delivered in the past 6 months. For example, 8.4.x will have a one-year support window, but 8.4.x+1 will have 6 months.
The patch for BZ#2095764, released with the RHBA-2022:5816 advisory, introduced the following regression: The DNF upgrade using security filters, such as the --security option, can skip upgrading obsoleted packages. This issue happens specifically when an installed package is obsoleted by a different available package, and an advisory exists for the available package.
NetworkManager activates interfaces alphabetically by interface names. However, if an interface appears later during the boot, for example, because the kernel needs more time to discover it, NetworkManager activates this interface later. NetworkManager does not support setting a priority on bond and team ports. Consequently, the order in which NetworkManager activates ports of these devices is not always predictable. To work around this problem, write a dispatcher script.
Upgrading the system is only supported from the most recent patch level. Make sure the latest system updates are installed by either running zypper patch or by starting the YaST module Online Update. An upgrade on a system that is not fully patched may fail.
Complementing the Kernel Live Patching (KLP), SUSE now offers an infrastructure for live patching user-space applications. SUSE has enabled the system libraries glibc, libgcrypt, and openssl for live patching.
The technology targets patching shared libraries at runtime and is part of the SUSE Linux Enterprise Live Patching extension. The respective packages are libpulp0, the live patching core that must be pre-loaded into the application on start, and libpulp-tools, containing the essential tools for building and deploying patches. Next, there are containers for the future live patches for each library, for example glibc-livepatches for glibc, that will receive the fixes through future maintenance updates.
Deprecated with SUSE Linux Enterprise Server for Arm 15 SP3, SP4 removes the support for rev. 1.0 silicon by dropping patches from the kernel. This will now result in failure to boot on rev. 1.0 silicon due to a kernel panic (SError interrupt request).
SUSE has intellectual property rights relating to technology embodied in the product that is described in this document. In particular, and without limitation, these intellectual property rights may include one or more of the U.S. patents listed at and one or more additional patents or pending patent applications in the U.S. and other countries.
If set to 1, true or yes, then I915_ENGINE_CLASS_COMPUTE will be supported. For OpenGL, iris will attempt to use a compute engine for compute dispatches if one is detected. For Vulkan, anvil will advertise support for a compute queue if a compute engine is detected.
The Ubuntu kernel carries an out-of-tree patchset, known as "LSM: Module stacking for AppArmor" upstream, to enable stackable LSMs for containers. The revision the Ubuntu kernel carries is an older one, from 2020, and has some slight divergences from the latest revision in development.
One such divergence is support for Landlock as a stackable LSM. When the stackable LSM patchset was applied, Landlock was still in development and not mainlined yet, and wasn't present in the earlier revision of the "LSM: Module stacking for AppArmor" patchset. Support for this was added by us.
LSM: Security Framework initializing
landlock: Up and running.
LSM support for eBPF active
Kernel panic - not syncing: security_add_hooks Too many LSMs registered.
CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.15.0-46-generic #49-Ubuntu
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.15.0-1 04/01/2014
Call Trace:
 show_stack+0x52/0x5c
 dump_stack_lvl+0x4a/0x63
 dump_stack+0x10/0x16
 panic+0x149/0x321
 security_add_hooks+0x45/0x13a
 apparmor_init+0x189/0x1ef
 initialize_lsm+0x54/0x74
 ordered_lsm_init+0x379/0x392
 security_init+0x40/0x49
 start_kernel+0x466/0x4dc
 x86_64_start_reservations+0x24/0x2a
 x86_64_start_kernel+0xe4/0xef
 secondary_startup_64_no_verify+0xc2/0xcb
---[ end Kernel panic - not syncing: security_add_hooks Too many LSMs registered. ]---
I feel that simply fixing this small bug is less regression risk than reverting the entire 25-patch patchset and applying the latest V37 upstream patchset, which has undergone significant changes since mid 2020. I think it's best we consume the newer patchset once it makes its way into mainline in a future kernel instead.
[ 0.355151] LSM: Security Framework initializing
[ 0.356309] landlock: Up and running.
[ 0.357186] LSM support for eBPF active
[ 0.358143] Kernel panic - not syncing: security_add_hooks Too many LSMs registered.
[ 0.359849] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.15.0-52-generic #58-Ubuntu
[ 0.360292] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.15.0-1 04/01/2014
[ 0.360292] Call Trace:
[ 0.360292]
[ 0.360292] show_stack+0x52/0x5c
[ 0.360292] dump_stack_lvl+0x4a/0x63
[ 0.360292] dump_stack+0x10/0x16
[ 0.360292] panic+0x149/0x321
[ 0.360292] security_add_hooks+0x45/0x13a
[ 0.360292] apparmor_init+0x189/0x1ef
[ 0.360292] initialize_lsm+0x54/0x74
[ 0.360292] ordered_lsm_init+0x379/0x392
[ 0.360292] security_init+0x40/0x49
[ 0.360292] start_kernel+0x454/0x4ca
[ 0.360292] x86_64_start_reservations+0x24/0x2a
[ 0.360292] x86_64_start_kernel+0xfb/0x106
[ 0.360292] secondary_startup_64_no_verify+0xc2/0xcb
[ 0.360292]
[ 0.360292] ---[ end Kernel panic - not syncing: security_add_hooks Too many LSMs registered. ]---
* [Ubuntu 22.04] mpt3sas: Request to include latest bug fix patches (LP: #1965927)
  - scsi: mpt3sas: Remove scsi_dma_map() error messages
  - scsi: mpt3sas: Update persistent trigger pages from sysfs interface 2ff7e9595c