sles-15-sp7-chost-byos-v20260323 Package Source Changes

curl

- Security fixes:
  * CVE-2026-1965: Bad reuse of HTTP Negotiate connection (bsc#1259362)
  * CVE-2026-3783: Token leak with redirect and netrc (bsc#1259363)
  * CVE-2026-3784: Wrong proxy connection reuse with credentials (bsc#1259364)
  * CVE-2026-3805: Use after free in SMB connection reuse (bsc#1259365)
  * Add patches:
  - curl-CVE-2026-1965.patch
  - curl-CVE-2026-3783.patch
  - curl-CVE-2026-3784.patch
  - curl-CVE-2026-3805.patch

glibc

- nss-missing-checks.patch: nss: Missing checks in __nss_configure_lookup,
  __nss_database_get (bsc#1258319, BZ #28940)

grub2

- Support dm multipath bootlist on PowerPC (bsc#1254415)
  * 0001-ieee1275-support-dm-multipath-bootlist.patch

- Backport upstream's commit to prevent BIOS assert (bsc#1258022)
  * 0001-kern-efi-mm-Change-grub_efi_mm_add_regions-to-keep-t.patch

- Fix error "grub-core/script/lexer.c:352:out of memory" after PowerPC CAS
  Reboot (bsc#1254299)
  * 0001-Fix-PowerPC-CAS-reboot-to-evaluate-menu-context.patch

jq

- Add patch CVE-2025-9403.patch (CVE-2025-9403, bsc#1248600)

expat

- security update
- added patches
  CVE-2026-24515 [bsc#1257144], NULL dereference (CWE-476) due to function XML_ExternalEntityParserCreate() failing to copy the encoding handler data passed to XML_SetUnknownEncodingHandler() from the parent to the subparser
  * expat-CVE-2026-24515.patch
  CVE-2026-25210 [bsc#1257496], lack of buffer size check can lead to an integer overflow
  * expat-CVE-2026-25210.patch

gcc15

- Add gcc14-bsc1257463.patch to fix bogus expression simplification
  [bsc#1257463]

gnutls

- Add the functionality to allow to specify the hash algorithm for
  the PSK. This fixes a bug in the current implementation where the
  binder is always calculated with SHA256.
  * (bsc#1258083, jsc#PED-15752, jsc#PED-15753)
  * lib/psk: Add gnutls_psk_allocate_{client,server}_credentials2
  * tests/psk-file: Add testing for _credentials2 functions
  * lib/psk: add null check for binder algo
  * pre_shared_key: fix memleak when retrying with different binder algo
  * pre_shared_key: add null check on pskcred
  * Add patches:
  - gnutls-PSK-hash.patch
  - gnutls-PSK-hash-tests.patch
  - gnutls-PSK-hash-NULL-check.patch
  - gnutls-PSK-hash-NULL-check-pskcred.patch
  - gnutls-PSK-hash-fix-memleak.patch

- Security fix:
  * CVE-2025-14831: DoS via excessive resource consumption during
    certificate verification (bsc#1257960)
  * Add gnutls-CVE-2025-14831.patch

openldap2

- jsc#PED-15735 - expose ldap_log.h in -devel
  * 0246-Include-ldap_log.h-in-devel.patch
- retcon .changes to satisfy source validator

libpcap

- Fix bsc#1258668: Enable RMDA - Fix missing dependency in spec so libcap
  is built with  RMDA support.

python3

- CVE-2025-11468: preserving parens when folding comments in
  email headers (bsc#1257029, gh#python/cpython#143935).
  CVE-2025-11468-email-hdr-fold-comment.patch
- CVE-2026-0672: rejects control characters in http cookies.
  (bsc#1257031, gh#python/cpython#143919)
  CVE-2026-0672-http-hdr-inject-cookie-Morsel.patch
- CVE-2026-0865: rejecting control characters in
  wsgiref.headers.Headers, which could be abused for injecting
  false HTTP headers. (bsc#1257042, gh#python/cpython#143916)
  CVE-2026-0865-wsgiref-ctrl-chars.patch
- CVE-2025-15366: basically the same as the previous patch for
  IMAP protocol. (bsc#1257044, gh#python/cpython#143921)
  CVE-2025-15366-imap-ctrl-chars.patch
- CVE-2025-15282: basically the same as the previous patch for
  urllib library. (bsc#1257046, gh#python/cpython#143925)
  CVE-2025-15282-urllib-ctrl-chars.patch
- CVE-2025-15367: basically the same as the previous patch for
  poplib library. (bsc#1257041, gh#python/cpython#143923)
  CVE-2025-15367-poplib-ctrl-chars.patch

libssh

- Security fixes:
  * CVE-2026-0964: SCP Protocol Path Traversal in ssh_scp_pull_request() (bsc#1258049)
  * CVE-2026-0965: Possible Denial of Service when parsing unexpected
    configuration files (bsc#1258045)
  * CVE-2026-0966: Buffer underflow in ssh_get_hexa() on invalid input (bsc#1258054)
  * CVE-2026-0967: Specially crafted patterns could cause DoS (bsc#1258081)
  * CVE-2026-0968: OOB Read in sftp_parse_longname() (bsc#1258080)
  * Add patches:
  - libssh-CVE-2026-0964-scp-Reject-invalid-paths-received-thro.patch
  - libssh-CVE-2026-0965-config-Do-not-attempt-to-read-non-regu.patch
  - libssh-CVE-2026-0966-misc-Avoid-heap-buffer-underflow-in-ss.patch
  - libssh-CVE-2026-0966-tests-Test-coverage-for-ssh_get_hexa.patch
  - libssh-CVE-2026-0966-doc-Update-guided-tour-to-use-SHA256-f.patch
  - libssh-CVE-2026-0967-match-Avoid-recursive-matching-ReDoS.patch
  - libssh-CVE-2026-0968-sftp-Sanitize-input-handling-in-sftp_p.patch

zlib

- Fix CVE-2026-27171, infinite loop via the crc32_combine64 and
  crc32_combine_gen64 functions due to missing checks for negative
  lengths (bsc#1258392)
  * CVE-2026-27171.patch

makedumpfile

- makedumpfile-Fix-data-race-in-multi-threading-mode.patch: Fix a
  data race in multi-threading mode (--num-threads=N)
  (bsc#1245569, bsc#1256455).

mdadm

- Update to version 4.4+39.g6e1c3b06:
  * platform-intel: Deal with hot-unplugged devices (bsc#1258265)
  * imsm: Fix UEFI backward compatibility for RAID10D4 (bsc#1257009)

- Update to version 4.4+37.gea219956:
- Backport upstream fixes from 4.5 (bsc#1257009)
  * Re-enable mdadm --monitor ... for /dev/mdX
  * Allow RAID0 to be created with v0.90 metadata
  * Moves memory management into Assemble to avoid null pointer dereference
  * Support non-absolute name during monitor scan
  * Don't set badblock flag when adding a new disk
  * Fix metadata corruption when managing new imsm array

syslogd

- Drop last sysvinit Requirement/Provide (PED-13698)

vim

* Update Vim to version 9.2.0110 (from 9.2.0045).
  * Specifically, this fixes bsc#1259051 / CVE-2026-28417.

* Update Vim to version 9.2.0045 (from 9.1.1629).
  * Fix bsc#1258229 CVE-2026-26269 as 9.2.0045 is not impacted (fixed
  upstream).
  * Fix bsc#1246602 CVE-2025-53906 as 9.2.0045 is not impacted (fixed
  upstream).
  * Drop obsolete or upstreamed patches:
  - vim-7.3-filetype_spec.patch
  - vim-7.4-filetype_apparmor.patch
  - vim-8.2.2411-globalvimrc.patch
  - vim-9.1.1683-avoid-null-dereference.patch
  * Refresh the following patches:
  - vim-7.3-filetype_changes.patch
  - vim-7.3-filetype_ftl.patch
  - vim-7.3-sh_is_bash.patch
  - vim-9.1.1134-revert-putty-terminal-colors.patch
  * Remove autoconf BuildRequires and drop the autoconf call in %build.
  * Add --with-wayland=no to COMMON_OPTIONS to explicitly disable wayland.
  * Package new Swedish (sv) man pages and clean up duplicate encodings
  (sv.ISO8859-1 and sv.UTF-8) during %install.