aaa_base
- fix (bsc#1194883) - aaa_base: Set net.ipv4.ping_group_range to
  allow ICMP ping
- added patches
  + git-40-d004657a244d75b372a107c4f6097b42ba1992d5.patch
- Port change from Thu Sep 30 08:51:55 UTC 2022 forword to
  current version which includes a rename of patch
    git-13-14003c19eaa863ae9d80a0ebb9b5cab6273a5a9e.patch
  to
    git-43-14003c19eaa863ae9d80a0ebb9b5cab6273a5a9e.patch
  as otherwise autopatch macro does not work anymore
- Include all fixes and changes for systemwide inputrc to remove
  the 8 bit escape sequence which interfere with UTF-8 multi byte
  characters as well as support the vi mode of readline library.
  This is done with the patches
  * git-41-f00ca2600331602241954533a1b1610d1da57edf.patch
  * git-42-f39a8d18719c3b34373e0e36098f0f404121b5c5.patch
  before the changed patch
    git-13-14003c19eaa863ae9d80a0ebb9b5cab6273a5a9e.patch
  rename it to
    git-43-14003c19eaa863ae9d80a0ebb9b5cab6273a5a9e.patch
  and also add the patches
  * git-44-425f3e9b44ba9ead865d70ff6690d5f2869442dc.patch
  * git-45-bf0a31597d0ed3562bfc5e6be0ade2fe5dc1f7a1.patch
apache2
- modified patches
  % apache2-CVE-2022-23943.patch (refreshed)
- security update
- added patches
  fix CVE-2022-23943 [bsc#1197098], heap out-of-bounds write in mod_sed
  + apache2-CVE-2022-23943.patch
  fix CVE-2022-22720 [bsc#1197095], HTTP request smuggling due to incorrect error handling
  + apache2-CVE-2022-22720.patch
  fix CVE-2022-22719 [bsc#1197091], use of uninitialized value of in r:parsebody in mod_lua
  + apache2-CVE-2022-22719.patch
  fix CVE-2022-22721 [bsc#1197096], possible buffer overflow with very large or unlimited LimitXMLRequestBody
  + apache2-CVE-2022-22721.patch
- security update
augeas
- support new chrony 4.1 options (jsc#SLE-17334)
  augeas-new_options_for_chrony.patch
autofs
- autofs-5.1.6-fix-quoted-string-length-calc-in-expand.patch
  Fix problem with quote handling
  (bsc#1181715)
- 0005-autofs-5.1.4-fix-incorrect-locking-in-sss-lookup.patch
  Fix locking problem that causes deadlock when sss used.
  (bsc#1196485)
- 0004-autofs-5.1.3-add-port-parameter-to-rpc_ping.patch
  Suppress portmap calls when port explicitly given
  (bsc#1195697)
avahi
- Downgrade python3-Twisted to a Recommends. It is not available
  on SLED or PackageHub, and it is only needed by avahi-bookmarks
  (bsc#1196282).
- Add avahi-bookmarks-import-warning.patch: fix warning when
  twisted is not available.
- Replace avahi-0.6.31-systemd-order.patch with
  avahi-add-resolv-conf-to-inotify.patch: re-read configuration
  when resolv.conf changes, per discussion on the bug
  (boo#1194561).
- Have python3-avahi require python3-dbus-python, not the
  python 2 dbus-1-python package (bsc#1195614).
- Reinstate avahi-0.6.31-systemd-order.patch (boo#1194561).
  This can probably go away if/when gh#lathiat/avahi#118 is fixed.
- Drop avahi-0.6.32-suppress-resolv-conf-warning.patch: we should
  no longer need this given the above patch.
- Move sftp-ssh and ssh services to the doc directory. They allow
  a host's up/down status to be easily discovered and should not
  be enabled by default (boo#1179060).
bind
- When using forwarders, bogus NS records supplied by, or via, those
  forwarders may be cached and used by named if it needs to recurse
  for any reason, causing it to obtain and pass on potentially
  incorrect answers.
  [CVE-2021-25220, bsc#1197135, bind-9.16.27-0001-CVE-2021-25220.patch]
binutils
- Add binutils-add-z16-name.diff so that the now official name
  z16 for arch14 is recognized.  [bsc#1198237]
c3p0
- update to version c3p0 0.9.5.5 and
  mchange-commons-java 0.2.19
  * Address CVE-2018-20433
  * Address CVE-2019-5427 - XML-config parsing related attacks
    (bsc#1133198)
  * Properly implement the JDBC 4.1 abort method
  Removed:
  * fix-CVE-2018-20433.patch included upstream
- build with log4j mapper
- Change:
  * c3p0-embed-mchange-common.patch
- Enhanced for RHEL8
cifs-utils
- CVE-2022-27239: mount.cifs: fix length check for ip option
  parsing; (bsc#1197216) (bso#15025); CVE-2022-27239.
  * add 0016-CVE-2022-27239-mount.cifs-fix-length-check-for-ip-op.patch
cloud-init
- Update to version 21.4 (bsc#1192343, jsc#PM-3181)
  + Also include VMWare functionality for (jsc#PM-3175)
  + Remove patches included upstream:
  - cloud-init-purge-cache-py-ver-change.patch
  - cloud-init-update-test-characters-in-substitution-unit-test.patch
  + Forward port:
  - cloud-init-write-routes.patch
  - cloud-init-no-tempnet-oci.patch
  + Add cloud-init-vmware-test.patch
  - Test is system dependend, not properly mocked
  + Azure: fallback nic needs to be reevaluated during reprovisioning
    (#1094) [Anh Vo]
  + azure: pps imds (#1093) [Anh Vo]
  + testing: Remove calls to 'install_new_cloud_init' (#1092)
  + Add LXD datasource (#1040)
  + Fix unhandled apt_configure case. (#1065) [Brett Holman]
  + Allow libexec for hotplug (#1088)
  + Add necessary mocks to test_ovf unit tests (#1087)
  + Remove (deprecated) apt-key (#1068) [Brett Holman] (LP: #1836336)
  + distros: Remove a completed "/TODO"/ comment (#1086)
  + cc_ssh.py: Add configuration for controlling ssh-keygen output (#1083)
    [dermotbradley]
  + Add "/install hotplug"/ module (SC-476) (#1069) (LP: #1946003)
  + hosts.alpine.tmpl: rearrange the order of short and long hostnames
    (#1084) [dermotbradley]
  + Add max version to docutils
  + cloudinit/dmi.py: Change warning to debug to prevent console display
    (#1082) [dermotbradley]
  + remove unnecessary EOF string in
    disable-sshd-keygen-if-cloud-init-active.conf (#1075) [Emanuele
    Giuseppe Esposito]
  + Add module 'write-files-deferred' executed in stage 'final' (#916)
    [Lucendio]
  + Bump pycloudlib to fix CI (#1080)
  + Remove pin in dependencies for jsonschema (#1078)
  + Add "/Google"/ as possible system-product-name (#1077) [vteratipally]
  + Update Debian security suite for bullseye (#1076) [Johann Queuniet]
  + Leave the details of service management to the distro (#1074)
    [Andy Fiddaman]
  + Fix typos in setup.py (#1059) [Christian Clauss]
  + Update Azure _unpickle (SC-500) (#1067) (LP: #1946644)
  + cc_ssh.py: fix private key group owner and permissions (#1070)
    [Emanuele Giuseppe Esposito]
  + VMware: read network-config from ISO (#1066) [Thomas Weißschuh]
  + testing: mock sleep in gce unit tests (#1072)
  + CloudStack: fix data-server DNS resolution (#1004)
    [Olivier Lemasle] (LP: #1942232)
  + Fix unit test broken by pyyaml upgrade (#1071)
  + testing: add get_cloud function (SC-461) (#1038)
  + Inhibit sshd-keygen@.service if cloud-init is active (#1028)
    [Ryan Harper]
  + VMWARE: search the deployPkg plugin in multiarch dir (#1061)
    [xiaofengw-vmware] (LP: #1944946)
  + Fix set-name/interface DNS bug (#1058) [Andrew Kutz] (LP: #1946493)
  + Use specified tmp location for growpart (#1046) [jshen28]
  + .gitignore: ignore tags file for ctags users (#1057) [Brett Holman]
  + Allow comments in runcmd and report failed commands correctly (#1049)
    [Brett Holman] (LP: #1853146)
  + tox integration: pass the *_proxy, GOOGLE_*, GCP_* env vars (#1050)
    [Paride Legovini]
  + Allow disabling of network activation (SC-307) (#1048) (LP: #1938299)
  + renderer: convert relative imports to absolute (#1052) [Paride Legovini]
  + Support ETHx_IP6_GATEWAY, SET_HOSTNAME on OpenNebula (#1045)
    [Vlastimil Holer]
  + integration-requirements: bump the pycloudlib commit (#1047)
    [Paride Legovini]
  + Allow Vultr to set MTU and use as-is configs (#1037) [eb3095]
  + pin jsonschema in requirements.txt (#1043)
  + testing: remove cloud_tests (#1020)
  + Add andgein as contributor (#1042) [Andrew Gein]
  + Make wording for module frequency consistent (#1039) [Nicolas Bock]
  + Use ascii code for growpart (#1036) [jshen28]
  + Add jshen28 as contributor (#1035) [jshen28]
  + Skip test_cache_purged_on_version_change on Azure (#1033)
  + Remove invalid ssh_import_id from examples (#1031)
  + Cleanup Vultr support (#987) [eb3095]
  + docs: update cc_disk_setup for fs to raw disk (#1017)
  + HACKING.rst: change contact info to James Falcon (#1030)
  + tox: bump the pinned flake8 and pylint version (#1029)
    [Paride Legovini] (LP: #1944414)
  + Add retries to DataSourceGCE.py when connecting to GCE (#1005)
    [vteratipally]
  + Set Azure to apply networking config every BOOT (#1023)
  + Add connectivity_url to Oracle's EphemeralDHCPv4 (#988) (LP: #1939603)
  + docs: fix typo and include sudo for report bugs commands (#1022)
    [Renan Rodrigo] (LP: #1940236)
  + VMware: Fix typo introduced in #947 and add test (#1019) [PengpengSun]
  + Update IPv6 entries in /etc/hosts (#1021) [Richard Hansen] (LP: #1943798)
  + Integration test upgrades for the 21.3-1 SRU (#1001)
  + Add Jille to tools/.github-cla-signers (#1016) [Jille Timmermans]
  + Improve ug_util.py (#1013) [Shreenidhi Shedi]
  + Support openEuler OS (#1012) [zhuzaifangxuele]
  + ssh_utils.py: ignore when sshd_config options are not key/value pairs
    (#1007) [Emanuele Giuseppe Esposito]
  + Set Azure to only update metadata on BOOT_NEW_INSTANCE (#1006)
  + cc_update_etc_hosts: Use the distribution-defined path for the hosts
    file (#983) [Andy Fiddaman]
  + Add CloudLinux OS support (#1003) [Alexandr Kravchenko]
  + puppet config: add the start_agent option (#1002) [Andrew Bogott]
  + Fix `make style-check` errors (#1000) [Shreenidhi Shedi]
  + Make cloud-id copyright year (#991) [Andrii Podanenko]
  + Add support to accept-ra in networkd renderer (#999) [Shreenidhi Shedi]
  + Update ds-identify to pass shellcheck (#979) [Andrew Kutz]
  + Azure: Retry dhcp on timeouts when polling reprovisiondata (#998)
    [aswinrajamannar]
  + testing: Fix ssh keys integration test (#992)
- From 21.3
  + Azure: During primary nic detection, check interface status continuously
    before rebinding again (#990) [aswinrajamannar]
  + Fix home permissions modified by ssh module (SC-338) (#984)
    (LP: #1940233)
  + Add integration test for sensitive jinja substitution (#986)
  + Ignore hotplug socket when collecting logs (#985) (LP: #1940235)
  + testing: Add missing mocks to test_vmware.py (#982)
  + add Zadara Edge Cloud Platform to the supported clouds list (#963)
    [sarahwzadara]
  + testing: skip upgrade tests on LXD VMs (#980)
  + Only invoke hotplug socket when functionality is enabled (#952)
  + Revert unnecesary lcase in ds-identify (#978) [Andrew Kutz]
  + cc_resolv_conf: fix typos (#969) [Shreenidhi Shedi]
  + Replace broken httpretty tests with mock (SC-324) (#973)
  + Azure: Check if interface is up after sleep when trying to bring it up
    (#972) [aswinrajamannar]
  + Update dscheck_VMware's rpctool check (#970) [Shreenidhi Shedi]
  + Azure: Logging the detected interfaces (#968) [Moustafa Moustafa]
  + Change netifaces dependency to 0.10.4 (#965) [Andrew Kutz]
  + Azure: Limit polling network metadata on connection errors (#961)
    [aswinrajamannar]
  + Update inconsistent indentation (#962) [Andrew Kutz]
  + cc_puppet: support AIO installations and more (#960) [Gabriel Nagy]
  + Add Puppet contributors to CLA signers (#964) [Noah Fontes]
  + Datasource for VMware (#953) [Andrew Kutz]
  + photon: refactor hostname handling and add networkd activator (#958)
    [sshedi]
  + Stop copying ssh system keys and check folder permissions (#956)
    [Emanuele Giuseppe Esposito]
  + testing: port remaining cloud tests to integration testing framework
    (SC-191) (#955)
  + generate contents for ovf-env.xml when provisioning via IMDS (#959)
    [Anh Vo]
  + Add support for EuroLinux 7 && EuroLinux 8 (#957) [Aleksander Baranowski]
  + Implementing device_aliases as described in docs (#945)
    [Mal Graty] (LP: #1867532)
  + testing: fix test_ssh_import_id.py (#954)
  + Add ability to manage fallback network config on PhotonOS (#941) [sshedi]
  + Add VZLinux support (#951) [eb3095]
  + VMware: add network-config support in ovf-env.xml (#947) [PengpengSun]
  + Update pylint to v2.9.3 and fix the new issues it spots (#946)
    [Paride Legovini]
  + Azure: mount default provisioning iso before try device listing (#870)
    [Anh Vo]
  + Document known hotplug limitations (#950)
  + Initial hotplug support (#936)
  + Fix MIME policy failure on python version upgrade (#934)
  + run-container: fixup the centos repos baseurls when using http_proxy
    (#944) [Paride Legovini]
  + tools: add support for building rpms on rocky linux (#940)
  + ssh-util: allow cloudinit to merge all ssh keys into a custom user
    file, defined in AuthorizedKeysFile (#937) [Emanuele Giuseppe Esposito]
    (LP: #1911680)
  + VMware: new "/allow_raw_data"/ switch (#939) [xiaofengw-vmware]
  + bump pycloudlib version (#935)
  + add renanrodrigo as a contributor (#938) [Renan Rodrigo]
  + testing: simplify test_upgrade.py (#932)
  + freebsd/net_v1 format: read MTU from root (#930) [Gonéri Le Bouder]
  + Add new network activators to bring up interfaces (#919)
  + Detect a Python version change and clear the cache (#857)
    [Robert Schweikert]
  + cloud_tests: fix the Impish release name (#931) [Paride Legovini]
  + Removed distro specific network code from Photon (#929) [sshedi]
  + Add support for VMware PhotonOS (#909) [sshedi]
  + cloud_tests: add impish release definition (#927) [Paride Legovini]
  + docs: fix stale links rename master branch to main (#926)
  + Fix DNS in NetworkState (SC-133) (#923)
  + tests: Add 'adhoc' mark for integration tests (#925)
  + Fix the spelling of "/DigitalOcean"/ (#924) [Mark Mercado]
  + Small Doc Update for ReportEventStack and Test (#920) [Mike Russell]
  + Replace deprecated collections.Iterable with abc replacement (#922)
    (LP: #1932048)
  + testing: OCI availability domain is now required (SC-59) (#910)
  + add DragonFlyBSD support (#904) [Gonéri Le Bouder]
  + Use instance-data-sensitive.json in jinja templates (SC-117) (#917)
    (LP: #1931392)
  + doc: Update NoCloud docs stating required files (#918) (LP: #1931577)
  + build-on-netbsd: don't pin a specific py3 version (#913)
    [Gonéri Le Bouder]
  + Create the log file with 640 permissions (#858) [Robert Schweikert]
  + Allow braces to appear in dhclient output (#911) [eb3095]
  + Docs: Replace all freenode references with libera (#912)
  + openbsd/net: flush the route table on net restart (#908)
    [Gonéri Le Bouder]
  + Add Rocky Linux support to cloud-init (#906) [Louis Abel]
  + Add "/esposem"/ as contributor (#907) [Emanuele Giuseppe Esposito]
  + Add integration test for #868 (#901)
  + Added support for importing keys via primary/security mirror clauses
    (#882) [Paul Goins] (LP: #1925395)
  + [examples] config-user-groups expire in the future (#902)
    [Geert Stappers]
  + BSD: static network, set the mtu (#894) [Gonéri Le Bouder]
  + Add integration test for lp-1920939 (#891)
  + Fix unit tests breaking from new httpretty version (#903)
  + Allow user control over update events (#834)
  + Update test characters in substitution unit test (#893)
  + cc_disk_setup.py: remove UDEVADM_CMD definition as not used (#886)
    [dermotbradley]
  + Add AlmaLinux OS support (#872) [Andrew Lukoshko]
- systemctl location (bsc#1193531)
  - Add cloud-init-sysctl-not-in-bin.patch
  - The sytemctl executable is not necessarily in '/bin'
- Remove unneeded BuildRequires on python3-nose.
  + Still need to consider the "/network"/ configuration option
cloud-regionsrv-client
- Update to version 10.0.3 (bsc#1198389)
  - Descend into the extension tree even if top level module is recommended
  - Cache license state for AHB support to detect type switch
  - Properly clean suse.com credentials when switching from SCC to update
    infrastructure
  - New log message to indicate base product registration success
- Update to version 10.0.2
  + Fix name of logfile in error message
  + Fix variable scoping to properly detect registration error
  + Cleanup any artifacts on registration failure
  + Fix latent bug with /etc/hosts population
  + Do not throw error when attemting to unregister a system that is not
    registered
  + Skip extension registration if the extension is recommended by the
    baseproduct as it gets automatically installed
- Update to version 10.0.1 (bsc#1197113)
  + Provide status feedback on registration, success or failure
  + Log warning message if data provider is configured but no data
    can be retrieved
- Update -addon-azure to 1.0.3 follow up fix for (bsc#1195414, bsc#1195564)
  + The repo enablement timer cannot depend on guestregister.service
- Update -addon-azure to 1.0.2 (bsc#1196305)
  + The is-registered() function expects a string of the update server FQDN.
    The regionsrv-enabler-azure passed an Object of type SMT. Fix the call
    in regionsrv-enabler-azure.
- Update -plugin-azure to 2.0.0 (bsc#1196146)
  + Lower case the region hint to reduce issues with Azure region name
    case inconsistencies
- Update to version 10.0.0 (bsc#1195414, bsc#1195564)
  + Refactor removes check_registration() function in utils implementation
  + Only start the registration service for PAYG images
  - addon-azure sub-package to version 1.0.1
cobbler
- Fix issues with installation module logging and validation (bsc#1195918)
- Added:
  * v3-1-2-log-pollution-3.patch
- Move configuration files ownership to apache (bsc#1195906)
- Make configuration files only readable by root (bsc#1193671, CVE-2021-45083)
- Remove hardcoded test credentials (bsc#1193673)
- Prevent log pollution (bsc#1193675)
- Missing sanity check on MongoDB configuration file (bsc#1193676)
- Incomplete template sanatization (bsc#1193678, CVE-2021-45082)
- Added:
  * v3-1-2-incomplete-template-sanatization.patch
  * v3-1-2-log-pollution-1.patch
  * v3-1-2-log-pollution-2.patch
  * v3-1-2-mongodb-sanatiy-check.patch
  * v3-1-2-remove-testing-auth.patch
- Modified (updated fuzz):
  * fix-for-old-str.join-usage.diff
  * remove-redundant-json-suffix.diff
  * v3-1-2-arbitrary-file-read-write-plus-RCE.patch
containerd
- Add patch for CVE-2022-23648. bsc#1196441
  + CVE-2022-23648.patch
- Update to containerd v1.4.12 for Docker 20.10.11-ce. bsc#1192814
  bsc#1193273 CVE-2021-41190
- Update to containerd v1.4.11, to fix CVE-2021-41103. bsc#1191355
- Switch to Go 1.16.x compiler, in line with upstream.
coreutils
- coreutils-df-fuse-portal-dummy.patch:
  df: Add "/fuse.portal"/ as a dummy file system (used in flatpak
  implementations). (bsc#1189152)
crash
- Fix module loading (bsc#1190743 ltc#194414).
  + crash-mod-fix-module-object-file-lookup.patch
cyrus-sasl
- CVE-2022-24407: cyrus-sasl: SQL injection in sql_auxprop_store
  in plugins/sql.c (bsc#1196036)
  o add upstream patch:
    0001-CVE-2022-24407-Escape-password-for-SQL-insert-update.patch
cyrus-sasl-saslauthd
- CVE-2022-24407: cyrus-sasl: SQL injection in sql_auxprop_store
  in plugins/sql.c (bsc#1196036)
  o add upstream patch:
    0001-CVE-2022-24407-Escape-password-for-SQL-insert-update.patch
docker
- Update to Docker 20.10.12-ce. See upstream changelog online at
  <https://docs.docker.com/engine/release-notes/#201012>.
- Remove CHANGELOG.md. It hasn't been maintained since 2017, and all of the
  changelogs are currently only available online.
- Update to Docker 20.10.11-ce. See upstream changelog online at
  <https://docs.docker.com/engine/release-notes/#201011>. bsc#1192814
  bsc#1193273 CVE-2021-41190
- Rebase patches:
  * 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
  * 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
  * 0003-PRIVATE-REGISTRY-add-private-registry-mirror-support.patch
  * 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
  * 0005-bsc1183855-btrfs-Do-not-disable-quota-on-cleanup.patch
- Remove upstreamed patches:
  - 0006-bsc1190670-seccomp-add-support-for-clone3-syscall-in.patch
- Update to Docker 20.10.9-ce. See upstream changelog online at
  <https://docs.docker.com/engine/release-notes/#20109>. bsc#1191355
  CVE-2021-41089 bsc#1191015 CVE-2021-41091 bsc#1191434
  CVE-2021-41092 bsc#1191334 CVE-2021-41103 bsc#1191121
- Update to Docker 20.10.6-ce. See upstream changelog online at
  <https://docs.docker.com/engine/release-notes/#20106>. bsc#1184768
- Update to Docker 20.10.5-ce. See upstream changelog online at
  <https://docs.docker.com/engine/release-notes/#20105>. bsc#1182947
dracut
- Update to version 049.1+suse.228.g07676562:
  * fix(network): consistent use of "/$gw"/ for gateway (bsc#1192685)
  * fix(install): handle builtin modules (bsc#1194716)
e2fsprogs
- libss-add-newer-libreadline.so.7-to-dlopen-path.patch: libss: Add support
  for libreadline.so.7 for Leap 15.3 (bsc#1196939)
expat
- Security fixes:
  * (CVE-2022-25236, bsc#1196784) [>=2.4.5] Fix to CVE-2022-25236
    breaks biboumi, ClairMeta, jxmlease, libwbxml,
    openleadr-python, rnv, xmltodict
  - Added expat-CVE-2022-25236-relax-fix.patch
- Security fixes:
  * (CVE-2022-25236, bsc#1196025) Expat before 2.4.5 allows
    attackers to insert namespace-separator characters into
    namespace URIs
  - Added expat-CVE-2022-25236.patch
  * (CVE-2022-25235, bsc#1196026) xmltok_impl.c in Expat before
    2.4.5 does not check whether a UTF-8 character is valid in a
    certain context.
  - Added expat-CVE-2022-25235.patch
  * (CVE-2022-25313, bsc#1196168) Stack exhaustion in
    build_model() via uncontrolled recursion
  - Added expat-CVE-2022-25313.patch
  - The fix upstream introduced a regression that was later
    amended in 2.4.6 version
    + Added expat-CVE-2022-25313-fix-regression.patch
  * (CVE-2022-25314, bsc#1196169) Integer overflow in copyString
  - Added expat-CVE-2022-25314.patch
  * (CVE-2022-25315, bsc#1196171) Integer overflow in storeRawNames
  - Added expat-CVE-2022-25315.patch
- Security fix (CVE-2022-23852, bsc#1195054)
  * Expat (aka libexpat) before 2.4.4 has a signed integer overflow
    in XML_GetBuffer, for configurations with a nonzero
    XML_CONTEXT_BYTES
  * Add tests for CVE-2022-23852.
  * Added expat-CVE-2022-23852.patch
- Security fix (CVE-2022-23990, bsc#1195217)
  * Fix unsigned integer overflow in function doProlog triggered
    by large content in element type declarations when there is
    an element declaration handler present (from a prior call to
    XML_SetElementDeclHandler).
  * Add expat-CVE-2022-23990.patch
  * Added expat-CVE-2022-22827.patch
fence-agents
- (bsc#1196350) fence_gce updates pull from Clusterlabs repo
  - Apply proposed upstream patch
    0001-fence_gce-Add-timeouts-and-failure-options-458.patch
filesystem
- Add /lib/modprobe.d (bsc#1196275, jsc#SLE-20639)
gcc11
- Add a list of Obsoletes to libstdc++6-pp-gcc11 so updates from
  packages provided by older GCC work.  Add a requires from that
  package to the corresponding libstc++6 package to keep those
  at the same version.  [bsc#1196107]
- Add gcc11-D-dependence-fix.patch to fix memory corruption when
  creating dependences with the D language frontend.
- Sync cross.spec.in to avoid trying to build cross-aarch64-gcc1-bootstrap
  on aarch64 which is unresolvable.
- Add gcc11-PIE, similar to gcc-PIE but affecting gcc11 [bsc#1195628]
- Put libstdc++6-pp Requires on the shared library and drop
  to Recommends.
glibc
- pthread-rwlock-trylock-stalls.patch: nptl: Fix pthread_rwlock_try*lock
  stalls (bsc#1195560, BZ #23844)
- clnt-create-unix-overflow.patch: Buffer overflow in sunrpc clnt_create
  for "/unix"/ (CVE-2022-23219, bsc#1194768, BZ #22542)
- svcunix-create-overflow.patch: Buffer overflow in sunrpc svcunix_create
  (CVE-2022-23218, bsc#1194770, BZ #28768)
- getcwd-erange.patch: getcwd: Set errno to ERANGE for size == 1
  (CVE-2021-3999, bsc#1194640, BZ #28769)
- pop-fail-stack.patch: Assertion failure in pop_fail_stack when executing
  a malformed regexp (CVE-2015-8985, bsc#1193625, BZ #21163)
gnutls
- Security fix: [bsc#1196167, CVE-2021-4209]
  * Null pointer dereference in MD_UPDATE
  * Add gnutls-CVE-2021-4209.patch
grub2
- Fix grub-install error when efi system partition is created as mdadm software
  raid1 device (bsc#1179981) (bsc#1195204)
  * 0001-install-fix-software-raid1-on-esp.patch
- Fix error in grub-install when linux root device is on lvm thin volume
  (bsc#1192622) (bsc#1191974)
  * 0001-grub-install-bailout-root-device-probing.patch
- Fix error not a btrfs filesystem on s390x (bsc#1187645)
  * 80_suse_btrfs_snapshot
- Add support for simplefb (boo#1193532).
  * grub2-simplefb.patch
hibernate5
- Fix potential SQL injection CVE-2020-25638 (bsc#1193832)
- Added:
  * 0001-HHH-14225-CVE-2020-25638-Potential-for-SQL-injection.patch
hwdata
- Update to version 0.357 (bsc#1196332):
  + Updated pci, usb and vendor ids.
- Update to version 0.356:
  + Updated pci, usb and vendor ids.
java-11-openjdk
- Update to upstream tag jdk-11.0.14.1+1
  * Changes:
    + JDK-8280786: Build failure on Solaris after 8262392
    + JDK-8218546: Unable to connect to https://google.com using
    java.net.HttpClient
    + JDK-8281324: Bump update version for OpenJDK: jdk-11.0.14.1
- Update to upstream tag jdk-11.0.14+9 (January 2022 CPU)
  * New features
    + JDK-8248238: Implementation: JEP 388: Windows AArch64 Support
  * Security fixes
    + JDK-8217375: jarsigner breaks old signature with long lines
    in manifest
    + JDK-8251329: (zipfs) Files.walkFileTree walks infinitely if
    zip has dir named "/."/ inside
    + JDK-8264934, CVE-2022-21248, bnc#1194926: Enhance cross VM serialization
    + JDK-8268488: More valuable DerValues
    + JDK-8268494: Better inlining of inlined interfaces
    + JDK-8268512: More content for ContentInfo
    + JDK-8268795: Enhance digests of Jar files
    + JDK-8268801: Improve PKCS attribute handling
    + JDK-8268813, CVE-2022-21283, bnc#1194937: Better String matching
    + JDK-8269151: Better construction of EncryptedPrivateKeyInfo
    + JDK-8269944: Better HTTP transport redux
    + JDK-8270386, CVE-2022-21291, bsc#1194925: Better verification
    of scan methods
    + JDK-8270392, CVE-2022-21293, bsc#1194935: Improve String
    constructions
    + JDK-8270416, CVE-2022-21294, bsc#1194934: Enhance construction
    of Identity maps
    + JDK-8270492, CVE-2022-21282, bsc#1194933: Better resolution of
    URIs
    + JDK-8270498, CVE-2022-21296, bsc#1194932: Improve SAX Parser
    configuration management
    + JDK-8270646, CVE-2022-21299, bsc#1194931: Improved scanning of
    XML entities
    + JDK-8270952, CVE-2022-21277, bsc#1194930: Improve TIFF file
    handling
    + JDK-8271962: Better TrueType font loading
    + JDK-8271968: Better canonical naming
    + JDK-8271987: Manifest improved manifest entries
    + JDK-8272014, CVE-2022-21305, bsc#1194939: Better array
    indexing
    + JDK-8272026, CVE-2022-21340, bsc#1194940: Verify Jar
    Verification
    + JDK-8272236, CVE-2022-21341, bsc#1194941: Improve serial forms
    for transport
    + JDK-8272272: Enhance jcmd communication
    + JDK-8272462: Enhance image handling
    + JDK-8273290: Enhance sound handling
    + JDK-8273756, CVE-2022-21360, bsc#1194929: Enhance BMP image
    support
    + JDK-8273838, CVE-2022-21365, bsc#1194928: Enhanced BMP
    processing
    + JDK-8274096, CVE-2022-21366, bsc#1194927: Improve decoding of
    image files
    + JDK-8279541: Improve HarfBuzz
  * Other changes
    + JDK-6849922: java/awt/Choice/ChoiceKeyEventReaction/
    /ChoiceKeyEventReaction.html fails
    + JDK-7105119: [TEST_BUG] [macosx] In test
    UIDefaults.toString() must be called with the invokeLater()
    + JDK-7151826: [TEST_BUG] [macosx] The test
    javax/swing/JPopupMenu/4966112/bug4966112.java not for mac
    + JDK-7179006: [macosx] Print-to-file doesn't work: printing to
    the default printer instead
    + JDK-8015602: [macosx] Test javax/swing/SpringLayout/4726194/
    /bug4726194.java fails on MacOSX
    + JDK-8034084: nsk.nsk/jvmti/ThreadStart/threadstart003 Wrong
    number of thread end events
    + JDK-8039261: [TEST_BUG]: There is not a minimal security
    level in Java Preferences and the TestApplet.html is blocked.
    + JDK-8047218: [TEST_BUG] java/awt/FullScreen/AltTabCrashTest/
    /AltTabCrashTest.java fails with exception
    + JDK-8075909: [TEST_BUG] The regression-swing case failed as
    it does not have the 'Open' button when select 'subdir' folder
    with NimbusLAF
    + JDK-8078219: Verify lack of @test tag in files in java/net
    test directory
    + JDK-8080569: java/lang/ProcessBuilder/DestroyTest.java fails
    with "/RuntimeException: Process terminated prematurely"/
    + JDK-8081652: [TESTBUG] java/lang/management/ThreadMXBean/
    /ThreadMXBeanStateTest.java timed out intermittently
    + JDK-8129310: java/net/Socket/asyncClose/AsyncClose.java fails
    intermittently
    + JDK-8131745: java/lang/management/ThreadMXBean/
    /AllThreadIds.java still fails intermittently
    + JDK-8136517: [macosx] Test java/awt/Focus/8073453/
    /AWTFocusTransitionTest.java fails on MacOSX
    + JDK-8137101: [TEST_BUG] javax/swing/plaf/basic/BasicHTML/
    /4251579/bug4251579.java failure due to timing
    + JDK-8143021: [TEST_BUG] Test javax/swing/JColorChooser/
    /Test6541987.java fails
    + JDK-8159597: [TEST_BUG] closed/javax/swing/JPopupMenu/4760494/
    /bug4760494.java leaves key pressed
    + JDK-8159904: [TEST_BUG] Failure on solaris of
    java/awt/Window/MultiWindowApp/MultiWindowAppTest.java
    + JDK-8163086: java/awt/Window/TranslucentJAppletTest/
    /TranslucentJAppletTest.java fails
    + JDK-8165828: [TEST_BUG] The reg case: javax/swing/plaf/metal/
    /MetalIcons/MetalHiDPIIconsTest.java failed as No Metal Look
    and Feel
    + JDK-8169953: JComboBox/8057893: ComboBoxEdited event is not
    fired! on Windows
    + JDK-8169954: JFileChooser/8021253: java.lang.RuntimeException:
    Default button is not pressed
    + JDK-8169959: javax/swing/JTable/6263446/bug6263446.java:
    Table should be editing
    + JDK-8171381: [TEST_BUG] [macos] javax/swing/JPopupMenu/
    /7156657/bug7156657.java fails on OS X
    + JDK-8171998: javax/swing/JMenu/4692443/bug4692443.java fails
    on Windows
    + JDK-8174819: java/nio/file/WatchService/LotsOfEvents.java
    fails intermittently
    + JDK-8179880: Refactor javax/security shell tests to plain
    java tests
    + JDK-8180568: Refactor javax/crypto shell tests to plain java
    tests
    + JDK-8180569: Refactor sun/security/krb5/ shell tests to plain
    java tests
    + JDK-8180571: Refactor sun/security/pkcs11 shell tests to
    plain java tests and fix failures
    + JDK-8180573: Refactor sun/security/tools shell tests to plain
    java tests
    + JDK-8187649: ArrayIndexOutOfBoundsException in
    java.util.JapaneseImperialCalendar
    + JDK-8190753: (zipfs): Accessing a large entry (> 2^31 bytes)
    leads to a negative initial size for ByteArrayOutputStream
    + JDK-8195703: BasicJDWPConnectionTest.java: 'App exited
    unexpectedly with 2'
    + JDK-8196096: javax/swing/JPopupMenu/6580930/bug6580930.java
    fails
    + JDK-8197560: test javax/swing/JTree/8003400/Test8003400.java
    fails
    + JDK-8197800: Test java/awt/Focus/NonFocusableWindowTest/
    /NoEventsTest.java fails on Windows
    + JDK-8197811: Test java/awt/Choice/PopupPosTest/
    /PopupPosTest.java fails on Windows
    + JDK-8198616: java/awt/Focus/6378278/InputVerifierTest.java
    fails on mac
    + JDK-8198617: java/awt/Focus/6382144/EndlessLoopTest.java
    fails on mac
    + JDK-8198619: java/awt/Focus/FocusTraversalPolicy/
    /ButtonGroupLayoutTraversal/ButtonGroupLayoutTraversalTest.java
    fails on mac
    + JDK-8198623: java/awt/KeyboardFocusmanager/TypeAhead/
    /EnqueueWithDialogButtonTest/EnqueueWithDialogButtonTest.java
    fails on mac
    + JDK-8198624: java/awt/KeyboardFocusmanager/TypeAhead/
    /SubMenuShowTest/SubMenuShowTest.html fails on mac
    + JDK-8199138: Add RISC-V support to Zero
    + JDK-8199529: javax/swing/text/Utilities/8142966/
    /SwingFontMetricsTest.java fails on windows
    + JDK-8201224: Make string buffer size dynamic in
    mlvmJvmtiUtils.c
    + JDK-8202342: [Graal] fromTonga/nsk/jvmti/unit/
    /FollowReferences/followref003/TestDescription.java fails with
    "/Location mismatch"/ errors
    + JDK-8204161: [TESTBUG] auto failed with the "/Applet thread
    threw exception: java.lang.UnsupportedOperationException"/
    exception
    + JDK-8206085: Refactor
    langtools/tools/javac/versions/Versions.java
    + JDK-8207936: TestZipFile failed with java.lang.AssertionError
    exception
    + JDK-8208242: Add @requires to vmTestbase/gc/g1 tests
    + JDK-8209611: use C++ compiler for hotspot tests
    + JDK-8210182: Remove macros for C compilation from vmTestBase
    but non jvmti
    + JDK-8210198: Clean up JNI_ENV_ARG for
    vmTestbase/jvmti/Get[A-F] tests
    + JDK-8210205: build fails on AIX in hotspot cpp tests (for
    example getstacktr001.cpp)
    + JDK-8210242: [TESTBUG] vmTestbase/nsk/stress/jni/
    /jnistress001.java crashes with EXCEPTION_ACCESS_VIOLATION
    on windows-x86
    + JDK-8210353: Move java/util/Arrays/TimSortStackSize2.java
    back to tier1
    + JDK-8210385: Clean up JNI_ENV_ARG and factorize the macros
    for vmTestbase/jvmti[A-N] tests
    + JDK-8210392: assert(Compile::current()->live_nodes() <
    Compile::current()->max_node_limit()) failed: Live Node limit
    exceeded limit
    + JDK-8210395: Add doc to SecurityTools.java
    + JDK-8210429: Clean up JNI_ENV_ARG for
    vmTestbase/jvmti/Get[G-Z] tests
    + JDK-8210481: Remove #ifdef cplusplus from vmTestbase
    + JDK-8210593: Clean up JNI_ENV_ARG and factorize the macros
    for vmTestbase/jvmti[N-R] tests
    + JDK-8210665: Clean up JNI_ENV_ARG and factorize the macros
    for vmTestbase/jvmti[R-U] tests
    + JDK-8210689: Remove the multi-line old C style for string
    literals
    + JDK-8210700: Clean up JNI_ENV_ARG and factorize the macros
    for vmTestbase/jvmti/unit tests
    + JDK-8210726: Fix up a few minor nits forgotten by JDK-8210665
    + JDK-8210920: Native C++ tests are not using CXXFLAGS
    + JDK-8210984: [TESTBUG] hs203t003 fails with "/# ERROR:
    hs203t003.cpp, 218: NSK_CPP_STUB2 ( ResumeThread, jvmti,
    thread)"/
    + JDK-8211036: Remove the NSK_STUB macros from vmTestbase for
    non jvmti
    + JDK-8211131: Remove the NSK_CPP_STUB macros from vmTestbase
    for jvmti/[G-I]*
    + JDK-8211148: var in implicit lambdas shouldn't be accepted
    for source < 11
    + JDK-8211171: move JarUtils to top-level testlibrary
    + JDK-8211227: Inconsistent TLS protocol version in debug output
    + JDK-8211261: Remove the NSK_CPP_STUB macros from vmTestbase
    for jvmti/[A-G]*
    + JDK-8211432: [REDO] Handle JNIGlobalRefLocker.cpp
    + JDK-8211782: Remove the NSK_CPP_STUB macros from vmTestbase
    for jvmti/[I-S]*
    + JDK-8211801: Remove the NSK_CPP_STUB macros from vmTestbase
    for jvmti/scenarios/[A-E]
    + JDK-8211899: Remove the NSK_CPP_STUB macros from vmTestbase
    for jvmti/scenarios/[E-M]
    + JDK-8211905: Remove multiple casts for EM06 file
    + JDK-8211999: Window positioning bugs due to overlapping
    GraphicsDevice bounds (Windows/HiDPI)
    + JDK-8212082: Remove the NSK_CPP_STUB macros for remaining
    vmTestbase/jvmti/[sS]*
    + JDK-8212083: Handle remaining gc/lock native code and fix two
    strings
    + JDK-8212148: Remove remaining NSK_CPP_STUBs
    + JDK-8213110: Remove the use of applets in automatic tests
    + JDK-8213189: Make restricted headers in HTTP Client
    configurable and remove Date by default
    + JDK-8213263: fix legal headers in test/langtools
    + JDK-8213296: Fix legal headers in test/jdk/java/net
    + JDK-8213301: Fix legal headers in jdk logging tests
    + JDK-8213305: Fix legal headers in test/java/math
    + JDK-8213306: Fix legal headers in test/java/nio
    + JDK-8213328: Update test copyrights in test/java/util/zip and
    test/jdk/tools
    + JDK-8213330: Fix legal headers in i18n tests
    + JDK-8213707: [TEST] vmTestbase/nsk/stress/except/
    /except011.java failed due to wrong class name
    + JDK-8214469: [macos] PIT: java/awt/Choice/
    /ChoiceKeyEventReaction/ChoiceKeyEventReaction.java fails
    + JDK-8215410: Regression test for JDK-8214994
    + JDK-8215568: Refactor SA clhsdb tests to use ClhsdbLauncher
    + JDK-8215624: Add parallel heap iteration for jmap u2013histo
    + JDK-8215889: assert(!_unloading) failed: This oop is not
    available to unloading class loader data with ZGC
    + JDK-8216318: The usage of Disposer in the java.awt.Robot can
    be deleted
    + JDK-8216417: cleanup of IPv6 scope-id handling
    + JDK-8217377: javax/swing/JPopupMenu/6583251/bug6583251.java
    failed with UnsupportedOperation exception
    + JDK-8217438: Adapt tools//launcher/Test7029048.java for AIX
    + JDK-8217633: Configurable extensions with system properties
    + JDK-8217882: java/net/httpclient/MaxStreams.java failed once
    + JDK-8217903: java/net/httpclient/Response204.java fails with
    404
    + JDK-8218483: Crash in
    "/assert(_daemon_threads_count->get_value() > daemon_count)
    failed: thread count mismatch 5 : 5"/
    + JDK-8219986: Change to Xcode 10.1 for building on Macosx at
    Oracle
    + JDK-8220575: Correctly format test URI's that contain a
    retrieved IPv6 address
    + JDK-8221259: New tests for java.net.Socket to exercise long
    standing behavior
    + JDK-8221305: java/awt/FontMetrics/MaxAdvanceIsMax.java fails
    on MacOS + Solaris
    + JDK-8221902: PIT: javax/swing/JRadioButton/FocusTraversal/
    /FocusTraversal.java fails on ubuntu
    + JDK-8221903: PIT: javax/swing/RepaintManager/IconifyTest/
    /IconifyTest.java fails on ubuntu18.04
    + JDK-8222446: assert(C->env()->system_dictionary_modification_counter_changed())
    failed: Must invalidate if TypeFuncs differ
    + JDK-8223137: Rename predicate 'do_unroll_only()' to
    'is_unroll_only()'.
    + JDK-8223138: Small clean-up in loop-tree support.
    + JDK-8223139: Rename mandatory policy-do routines.
    + JDK-8223140: Clean-up in 'ok_to_convert()'
    + JDK-8223141: Change (count) suffix _ct into _cnt.
    + JDK-8223400: Replace some enums with static const members in
    hotspot/runtime
    + JDK-8223658: Performance regression of XML.validation in
    13-b19
    + JDK-8223923: C2: Missing interference with mismatched unsafe
    accesses
    + JDK-8224829: AsyncSSLSocketClose.java has timing issue
    + JDK-8225083: Remove Google certificate that is expiring in
    December 2021
    + JDK-8226514: Replace wildcard address with loopback or local
    host in tests - part 17
    + JDK-8226943: compile error in libfollowref003.cpp  with XCode
    10.2 on macosx
    + JDK-8228442: DHKeyExchange/LegacyDHEKeyExchange.java failed
    due to "/SSLException: An established connection was aborted by
    the software in your host machine"/
    + JDK-8228508: [TESTBUG] java/net/httpclient/SmokeTest.java
    fails on Windows7
    + JDK-8229935: [TEST_BUG]: bug8132119.java inconsistently
    positions text
    + JDK-8230019: [REDO] compiler/types/correctness/* tests fail
    with "/assert(recv == __null || recv->is_klass()) failed: wrong
    type"/
    + JDK-8230067: Add optional automatic retry when running jtreg
    tests
    + JDK-8230228: [TESTBUG] Several runtime/ErrorHandling tests
    may fail on some platforms
    + JDK-8231501: VM crash in
    MethodData::clean_extra_data(CleanExtraDataClosure*):
    fatal error: unexpected tag 99
    + JDK-8233403: Improve verbosity of some httpclient tests
    + JDK-8233550: [TESTBUG] JTree tests fail regularly on MacOS
    + JDK-8233552: [TESTBUG] JTable Test bug7068740.java fails on
    MacOS
    + JDK-8233553: [TESTBUG] JSpinner test bug4973721.java fails on
    MacOS
    + JDK-8233555: [TESTBUG] JRadioButton tests failing on MacoS
    + JDK-8233556: [TESTBUG] JPopupMenu tests fail on MacOS
    + JDK-8233559: [TESTBUG] TestNimbusOverride.java is failing on
    macos
    + JDK-8233560: [TESTBUG] ToolTipManager/Test6256140.java  is
    failing on macos
    + JDK-8233561: [TESTBUG] Swing text test bug8014863.java fails
    on macos
    + JDK-8233562: [TESTBUG] Swing StyledEditorKit test
    bug4506788.java fails on MacOS
    + JDK-8233564: [TESTBUG] MouseComboBoxTest.java is failing
    + JDK-8233566: [TESTBUG] KeyboardFocusManager tests failing on
    MacoS
    + JDK-8233567: [TESTBUG] FocusSubRequestTest.java fails on macos
    + JDK-8233569: [TESTBUG] JTextComponent test bug6361367.java
    fails on macos
    + JDK-8233570: [TESTBUG] HTMLEditorKit test bug5043626.java is
    failing on macos
    + JDK-8233634: [TESTBUG] Swing text test bug4278839.java fails
    on macos
    + JDK-8233635: [TESTBUG] ProgressMonitorEscapeKeyPress.java
    fails on macos
    + JDK-8233637: [TESTBUG] Swing
    ActionListenerCalledTwiceTest.java fails on macos
    + JDK-8233638: [TESTBUG] Swing test
    ScreenMenuBarInputTwice.java fails on macos
    + JDK-8233641: [TESTBUG] JMenuItem test bug4171437.java fails
    on macos
    + JDK-8233642: [TESTBUG] JMenuBar test bug 4750590.java  fails
    on macos
    + JDK-8233643: [TESTBUG] JMenu test bug4515762.java fails on
    macos
    + JDK-8233644: [TESTBUG] JInternalFrame test bug8020708.java is
    failing on macos
    + JDK-8233647: [TESTBUG] JColorChooser/Test8051548.java is
    failing on macos
    + JDK-8234802: [TESTBUG] Test Right Mouse Button Drag Gesture
    Recognition in all the platforms
    + JDK-8234823: java/net/Socket/Timeouts.java testcase
    testTimedConnect2() fails on Windows 10
    + JDK-8235784: java/lang/invoke/VarHandles/
    /VarHandleTestByteArrayAsInt.java fails due to timeout with
    fastdebug bits
    + JDK-8236042: [TESTBUG] serviceability/sa/ClhsdbCDSCore.java
    fails with -Xcomp -XX:TieredStopAtLevel=1
    + JDK-8236177: assert(status == 0) failed: error ETIMEDOUT(60),
    cond_wait
    + JDK-8236596: HttpClient leaves HTTP/2 sockets in CLOSE_WAIT,
    when using proxy tunnel
    + JDK-8237354: Add option to jcmd to write a gzipped heap dump
    + JDK-8237589: Fix copyright header formatting
    + JDK-8238677: java/net/httpclient/ssltest/CertificateTest.java
    should not specify TLS version
    + JDK-8239334: Tab Size does not work correctly in JTextArea
    with setLineWrap on
    + JDK-8239422: [TESTBUG]
    compiler/c1/TestPrintIRDuringConstruction.java failed when C1
    is disabled
    + JDK-8239827: The test OpenByUNCPathNameTest.java should be
    changed to be manual
    + JDK-8240256: Better resource cleaning for SunPKCS11 Provider
    + JDK-8242044: Add basic HTTP/1.1 support to the HTTP/2 Test
    Server
    + JDK-8242526: PIT: javax/swing/JInternalFrame/8020708/
    /bug8020708.java fails in mach5 ubuntu system
    + JDK-8242793: Incorrect copyright header in
    ContinuousCallSiteTargetChange.java
    + JDK-8243543: jtreg test security/infra/java/security/cert/
    /CertPathValidator/certification/BuypassCA.java fails
    + JDK-8244292: Headful clients failing with
  - -illegal-access=deny
    + JDK-8245147: Refactor and improve utility of
    test/langtools/tools/javac/versions/Versions.java
    + JDK-8245165: Update bug id for
    javax/swing/text/StyledEditorKit/4506788/bug4506788.java in
    ProblemList
    + JDK-8245665: Test WeakAlg.java should only make sure no
    warning for weak signature algorithms by keytool on root CA
    + JDK-8246114: java/net/MulticastSocket/Promiscuous.java fails
    after 8241072 (multi-homed systems)
    + JDK-8246807: Incorrect copyright header in
    TimeZoneDatePermissionCheck.sh
    + JDK-8247403: JShell: No custom input (e.g. from GUI) possible
    with JavaShellToolBuilder
    + JDK-8247510: typo in IllegalHandshakeMessage
    + JDK-8248187: [TESTBUG] javax/swing/plaf/basic/
    /BasicGraphicsUtils/8132119/bug8132119.java fails with String
    is not properly drawn
    + JDK-8248341: ProblemList java/lang/management/ThreadMXBean/
    /ThreadMXBeanStateTest.java
    + JDK-8248500: AArch64: Remove the r18 dependency on Windows
    AArch64
    + JDK-8248899: security/infra/java/security/cert/
    /CertPathValidator/certification/QuoVadisCA.java fails,
    Certificate has been revoked
    + JDK-8249195: Change to Xcode 11.3.1 for building on Macos at
    Oracle
    + JDK-8250521: Configure initial RTO to use minimal retry for
    loopback connections on Windows
    + JDK-8250810: Push missing parts of JDK-8248817
    + JDK-8250839: Improve test template SSLEngineTemplate with
    SSLContextTemplate
    + JDK-8250863: Build error with GCC 10 in NetworkInterface.c
    and k_standard.c
    + JDK-8250888: nsk/jvmti/scenarios/general_functions/GF08/
    /gf08t001/TestDriver.java fails
    + JDK-8251155: HostIdentifier fails to canonicalize hostnames
    starting with digits
    + JDK-8251377: [macos11] JTabbedPane selected tab text is
    barely legible
    + JDK-8251570: JDK-8215624 causes assert(worker_id <
    _n_workers) failed: Invalid worker_id
    + JDK-8251930: AArch64: Native types mismatch in hotspot
    + JDK-8252049: Native memory leak in ciMethodData ctor
    + JDK-8252051: Make mlvmJvmtiUtils strncpy uses GCC 10.x
    friendly
    + JDK-8252114: Windows-AArch64: Enable and test ZGC and
    ShenandoahGC
    + JDK-8253015: Aarch64: Move linux code out from generic CPU
    feature detection
    + JDK-8253147: The javax/swing/JPopupMenu/7154841/bug7154841.java
    fail on big screens
    + JDK-8253497: Core Libs Terminology Refresh
    + JDK-8253682: The AppletInitialFocusTest1.java is unstable
    + JDK-8253763: ParallelObjectIterator should have virtual
    destructor
    + JDK-8253866: Security Libs Terminology Refresh
    + JDK-8254802: ThrowingPushPromisesAsStringCustom.java fails in
    "/try throwing in GET_BODY"/
    + JDK-8255227: java/net/httpclient/FlowAdapterPublisherTest.java
    intermittently failing with TestServer: start exception:
    java.io.IOException: Invalid preface
    + JDK-8255264: Support for identifying the full range of IPv4
    localhost addresses on Windows
    + JDK-8255716: AArch64: Regression: JVM crashes if manually
    offline a core
    + JDK-8255722: Create a new test for rotated blit
    + JDK-8256009: Remove src/hotspot/share/adlc/Test/i486.ad
    + JDK-8256066: Tests use deprecated TestNG API that is no
    longer available in new versions
    + JDK-8256152: tests fail because of ambiguous method resolution
    + JDK-8256182: Update qemu-debootstrap cross-compilation recipe
    + JDK-8256201: java/awt/FullScreen/FullscreenWindowProps/
    /FullscreenWindowProps.java failed
    + JDK-8256202: Some tweaks for jarsigner tests
    PosixPermissionsTest and SymLinkTest
    + JDK-8256372: [macos] Unexpected symbol was displayed on
    JTextField with Monospaced font
    + JDK-8256956: RegisterImpl::max_slots_per_register is
    incorrect on AMD64
    + JDK-8258457: testlibrary_tests/ctw/JarDirTest.java fails with
    InvalidPathException on windows
    + JDK-8258855: Two tests sun/security/krb5/auto/
    /ReplayCacheTestProc.java and ReplayCacheTestProcWithMD5.java
    failed on OL8.3
    + JDK-8259237: Demo selection changes with left/right arrow
    key. No need to press space for selection.
    + JDK-8260571: Add PrintMetaspaceStatistics to print metaspace
    statistics upon VM exit
    + JDK-8260690: JConsole User Guide Link from the Help menu is
    not accessible by keyboard
    + JDK-8261036: Reduce classes loaded by CleanerFactory
    initialization
    + JDK-8261071: AArch64: Refactor interpreter native wrappers
    + JDK-8261075: Create stubRoutines.inline.hpp with SafeFetch
    implementation
    + JDK-8261236: C2: ClhsdbJstackXcompStress test fails when
    StressGCM is enabled
    + JDK-8261297: NMT: Final report should use scale 1
    + JDK-8261661: gc/stress/TestReclaimStringsLeaksMemory.java
    fails because Reserved memory size is too big
    + JDK-8261916: gtest/GTestWrapper.java
    vmErrorTest.unimplemented1_vm_assert failed
    + JDK-8262438: sun/security/ssl/SSLLogger/
    /LoggingFormatConsistency.java failed with "/SocketException:
    Socket is closed"/
    + JDK-8262731: [macOS] Exception from "/Printable.print"/ is
    swallowed during "/PrinterJob.print"/
    + JDK-8262844: (fs) FileStore.supportsFileAttributeView might
    return false negative in case of ext3
    + JDK-8263059: security/infra/java/security/cert/
    /CertPathValidator/certification/ComodoCA.java fails due to
    revoked cert
    + JDK-8263068: Rename safefetch.hpp to safefetch.inline.hpp
    + JDK-8263303: C2 compilation fails with assert(found_sfpt)
    failed: no node in loop that's not input to safepoint
    + JDK-8263362: Avoid division by 0 in
    java/awt/font/TextJustifier.java justify
    + JDK-8263773: Reenable German localization for builds at Oracle
    + JDK-8263897: compiler/c2/aarch64/TestVolatilesSerial.java
    failed with "/java.lang.RuntimeException: Wrong method"/
    + JDK-8264526: javax/swing/text/html/parser/Parser/8078268/
    /bug8078268.java timeout
    + JDK-8264824: java/net/Inet6Address/B6206527.java doesn't
    close ServerSocket properly
    + JDK-8265019: Update tests for additional TestNG test
    permissions
    + JDK-8265173: [test] divert spurious log output away from
    stream under test in ProcessBuilder Basic test
    + JDK-8265524: Upgrading JSZip from v3.2.2 to v3.6.0
    + JDK-8266182: Automate manual steps listed in the test
    jdk/sun/security/pkcs12/ParamsTest.java
    + JDK-8266579: Update test/jdk/java/lang/ProcessHandle/
    /PermissionTest.java & test/jdk/java/sql/testng/util/
    /TestPolicy.java
    + JDK-8266949: Check possibility to disable OperationTimedOut
    on Unix
    + JDK-8267246: -XX:MaxRAMPercentage=0 is unreasonable for jtreg
    tests on many-core machines
    + JDK-8267256: Extend minimal retry for loopback connections on
    Windows to PlainSocketImpl
    + JDK-8267304: Bump global JTReg memory limit to 768m
    + JDK-8267652: c2 loop unrolling by 8 results in reading memory
    past array
    + JDK-8268019: C2: assert(no_dead_loop) failed: dead loop
    detected
    + JDK-8268093: Manual Testcase: "/sun/security/krb5/config/
    /native/TestDynamicStore.java"/ Fails with NPE
    + JDK-8268555: Update HttpClient tests that use ITestContext to
    jtreg 6+1
    + JDK-8268672: C2: assert(!loop->is_member(u_loop)) failed: can
    be in outer loop or out of both loops only
    + JDK-8269034: AccessControlException for SunPKCS11 daemon
    threads
    + JDK-8269426: Rename test/jdk/java/lang/invoke/t8150782 to
    accessClassAndFindClass
    + JDK-8269574: C2: Avoid redundant uncommon traps in
    GraphKit::builtin_throw() for JVMTI exception events
    + JDK-8269656: The test test/langtools/tools/javac/versions/
    /Versions.java has duplicate test cycles
    + JDK-8269768: JFR Terminology Refresh
    + JDK-8269951: [macos] Focus not painted in JButton when
    setBorderPainted(false) is invoked
    + JDK-8269984: [macos] JTabbedPane title looks like  disabled
    + JDK-8269993: [Test]: java/net/httpclient/
    /DigestEchoClientSSL.java contains redundant @run tags
    + JDK-8270116: Expand ButtonGroupLayoutTraversalTest.java to
    run in all LaFs, including Aqua on macOS
    + JDK-8270216: [macOS] Update named used for Java run loop mode
    + JDK-8270280: security/infra/java/security/cert/
    /CertPathValidator/certification/LetsEncryptCA.java OCSP
    response error
    + JDK-8270290: NTLM authentication fails if HEAD request is used
    + JDK-8270317: Large Allocation in CipherSuite
    + JDK-8270344: Session resumption errors
    + JDK-8270517: Add Zero support for LoongArch
    + JDK-8270533: AArch64: size_fits_all_mem_uses should return
    false if its output is a CAS
    + JDK-8270886: Crash in
    PhaseIdealLoop::verify_strip_mined_scheduling
    + JDK-8271287: jdk/jshell/CommandCompletionTest.java fails with
    "/lists don't have the same size expected"/
    + JDK-8271340: Crash PhaseIdealLoop::clone_outer_loop
    + JDK-8271341: Opcode() != Op_If && Opcode() != Op_RangeCheck)
    || outcnt() == 2 assert failure with Test7179138_1.java
    + JDK-8271459: C2: Missing NegativeArraySizeException when
    creating StringBuilder with negative capacity
    + JDK-8271490: [ppc] [s390]: Crash in
    JavaThread::pd_get_top_frame_for_profiling
    + JDK-8271560: sun/security/ssl/DHKeyExchange/
    /LegacyDHEKeyExchange.java still fails due to "/An established
    connection was aborted by the software in your host machine"/
    + JDK-8271567: AArch64: AES Galois CounterMode (GCM)
    interleaved implementation using vector instructions
    + JDK-8272180: Upgrade JSZip from v3.6.0 to v3.7.1
    + JDK-8272181: Windows-AArch64:Backport fix of `Backtracing
    broken on PAC enabled systems`
    + JDK-8272316: Wrong Boot JDK help message in 11
    + JDK-8272318: Improve performance of HeapDumpAllTest
    + JDK-8272342: [TEST_BUG] java/awt/print/PrinterJob/
    /PageDialogMarginTest.java catches all exceptions
    + JDK-8272570: C2: crash in PhaseCFG::global_code_motion
    + JDK-8272574: C2: assert(false) failed: Bad graph detected in
    build_loop_late
    + JDK-8272581: sun/security/pkcs11/Provider/MultipleLogins.sh
    fails after JDK-8266182
    + JDK-8272708: [Test]: Cleanup: test/jdk/security/infra/java/
    /security/cert/CertPathValidator/certification/BuypassCA.java
    no longer needs ocspEnabled
    + JDK-8272720: Fix the implementation of loop unrolling
    heuristic with LoopPercentProfileLimit
    + JDK-8272783: Epsilon: Refactor tests to improve performance
    + JDK-8272806: [macOS] "/Apple AWT Internal Exception"/ when
    input method is changed
    + JDK-8272828: Add correct licenses to jszip.md
    + JDK-8272836: Limit run time for java/lang/invoke/LFCaching
    tests
    + JDK-8272850: Drop zapping values in the Zap* option
    descriptions
    + JDK-8272902: Bump update version for OpenJDK: jdk-11.0.14
    + JDK-8272914: Create hotspot:tier2 and hotspot:tier3 test
    groups
    + JDK-8272966: test/jdk/java/awt/Robot/FlushCurrentEvent.java
    fails by timeout
    + JDK-8273026: Slow LoginContext.login() on multi threading
    application
    + JDK-8273229: Update OS detection code to recognize Windows
    Server 2022
    + JDK-8273235: tools/launcher/HelpFlagsTest.java Fails on
    Windows 32bit
    + JDK-8273308: PatternMatchTest.java fails on CI
    + JDK-8273314: Add tier4 test groups
    + JDK-8273342: Null pointer dereference in
    classFileParser.cpp:2817
    + JDK-8273358: macOS Monterey does not have the font Times
    needed by Serif
    + JDK-8273373: Zero: Cannot invoke JVM in primordial threads on
    Zero
    + JDK-8273498: compiler/c2/Test7179138_1.java timed out
    + JDK-8273541: Cleaner Thread creates with normal priority
    instead of MAX_PRIORITY - 2
    + JDK-8273547: [11u] [JVMCI] Partial module-info.java backport
    of JDK-8223332
    + JDK-8273606: Zero: SPARC64 build fails with si_band type
    mismatch
    + JDK-8273646: Add openssl from path variable also in to
    Default System Openssl Path in OpensslArtifactFetcher
    + JDK-8273671: Backport of 8260616 misses one JNF header
    inclusion removal
    + JDK-8273790: Potential cyclic dependencies between Gregorian
    and CalendarSystem
    + JDK-8273795: Zero SPARC64 debug builds fail due to missing
    interpreter fields
    + JDK-8273826: Correct Manifest file name and NPE checks
    + JDK-8273894: ConcurrentModificationException raised every
    time ReferralsCache drops referral
    + JDK-8273924: ArrayIndexOutOfBoundsException thrown in
    java.util.JapaneseImperialCalendar.add()
    + JDK-8273961: jdk/nio/zipfs/ZipFSTester.java fails if file
    path contains '+' character
    + JDK-8273968: JCK javax_xml tests fail in CI
    + JDK-8274056: JavaAccessibilityUtilities leaks JNI objects
    + JDK-8274083: Update testing docs to mention tiered testing
    + JDK-8274293: Build failure on macOS with Xcode 13.0 as vfork
    is deprecated
    + JDK-8274326: [macos] Ensure initialisation of sun/lwawt/
    /macosx/CAccessibility in JavaComponentAccessibility.m
    + JDK-8274329: Fix non-portable HotSpot code in
    MethodMatcher::parse_method_pattern
    + JDK-8274381: missing CAccessibility definitions in JNI code
    + JDK-8274407: (tz) Update Timezone Data to 2021c
    + JDK-8274467: TestZoneInfo310.java fails with tzdata2021b
    + JDK-8274468: TimeZoneTest.java fails with tzdata2021b
    + JDK-8274522: java/lang/management/ManagementFactory/
    /MXBeanException.java test fails with Shenandoah
    + JDK-8274642: jdk/jshell/CommandCompletionTest.java fails with
    NoSuchElementException after JDK-8271287
    + JDK-8274773: [TESTBUG] UnsafeIntrinsicsTest intermittently
    fails on weak memory model platform
    + JDK-8274779: HttpURLConnection: HttpClient and HttpsClient
    incorrectly check request method when set to POST
    + JDK-8274840: Update OS detection code to recognize Windows 11
    + JDK-8274860: gcc 10.2.1 produces an uninitialized warning in
    sharedRuntimeTrig.cpp
    + JDK-8275051: Shenandoah: Correct ordering of requested gc
    cause and gc request flag
    + JDK-8275131: Exceptions after a touchpad gesture on macOS
    + JDK-8275713: TestDockerMemoryMetrics test fails on recent runc
    + JDK-8275766: (tz) Update Timezone Data to 2021e
    + JDK-8275849: TestZoneInfo310.java fails with tzdata2021e
    + JDK-8276066: Reset LoopPercentProfileLimit for x86 due to
    suboptimal performance
    + JDK-8276139: TestJpsHostName.java not reliable, better to
    expand HostIdentifierCreate.java test
    + JDK-8276157: C2: Compiler stack overflow during escape
    analysis on Linux x86_32
    + JDK-8276201: Shenandoah: Race results degenerated GC to enter
    wrong entry point
    + JDK-8276536: Update TimeZoneNames files to follow the changes
    made by JDK-8275766
    + JDK-8276550: Use SHA256 hash in build.tools.depend.Depend
    + JDK-8276774: Cookie stored in CookieHandler not sent if user
    headers contain cookie
    + JDK-8276854: Windows GHA builds fail due to broken Cygwin
    + JDK-8277029: JMM GetDiagnosticXXXInfo APIs should verify
    output array sizes
    + JDK-8277224: sun.security.pkcs.PKCS9Attributes.toString()
    throws NPE
    + JDK-8277529: SIGSEGV in C2 CompilerThread
    Node::rematerialize() compiling Packet::readUnsignedTrint
    + JDK-8277815: Fix mistakes in legal header backports
- Removed patch:
  * riscv64-zero.patch
    + integrated upstream
- Modified patch:
  * fips.patch
    + rediff to changed context
kernel-default
- drm: drm_file struct kABI compatibility workaround
  (bsc#1197914).
- commit dd24982
- drm: use the lookup lock in drm_is_current_master (bsc#1197914).
- drm: protect drm_master pointers in drm_lease.c (bsc#1197914).
- drm: serialize drm_file.master with a new spinlock
  (bsc#1197914).
- drm: add a locked version of drm_is_current_master
  (bsc#1197914).
- commit 82a498a
- blacklist.conf: Add reverted/reverting swiotlb change (CVE-2022-0854 bsc#1196823 bsc#1197460)
- commit 8d52c36
- Reinstate some of "/swiotlb: rework "/fix info leak with
  DMA_FROM_DEVICE"/"/ (CVE-2022-0854 bsc#1196823).
- swiotlb: fix info leak with DMA_FROM_DEVICE (CVE-2022-0854
  bsc#1196823).
- commit ff554b5
- netfilter: nf_tables: initialize registers in nft_do_chain()
  (CVE-2022-1016 bsc#1197227).
- commit 7111961
- Delete
  patches.suse/net-tipc-validate-domain-record-count-on-input.patch.
  This was the original work-in-progress patch for CVE-2022-0435 /
  bsc#1195254. Later, a proper backport of mainline commit 9aa422ad3266
  ("/tipc: improve size validations for received domain records"/) was added as
  patches.suse/tipc-improve-size-validations-for-received-domain-re.patch but
  this patch was left in place. As it adds the check a bit later than
  upstream fix, it did not cause a conflict so nobody noticed the duplicity.
- commit ef08708
- llc: fix netdevice reference leaks in llc_ui_bind() (git-fixes).
- commit 2237578
- can: mcba_usb: mcba_usb_start_xmit(): fix double dev_kfree_skb
  in error path (CVE-2022-28389 bsc#1198033).
- can: usb_8dev: usb_8dev_start_xmit(): fix double dev_kfree_skb()
  in error path (CVE-2022-28388 bsc#1198032).
- can: ems_usb: ems_usb_start_xmit(): fix double dev_kfree_skb()
  in error path (CVE-2022-28390 bsc#1198031).
- commit d6e6523
- ALSA: pcm: Fix potential AB/BA lock with buffer_mutex and
  mmap_lock (CVE-2022-1048 bsc#1197331).
- Refresh
  patches.kabi/ALSA-kABI-workaround-for-snd_pcm_runtime-changes.patch.
- commit db7647d
- net: sched: fix use-after-free in tc_new_tfilter()
  (CVE-2022-1055 bsc#1197702).
- commit 4c7dc78
- Add CVE tags to
  patches.suse/ext4-fix-kernel-infoleak-via-ext4_extent_header.patch
  (bsc#1189562 bsc#1196761 CVE-2022-0850).
- commit f3cb08f
- powerpc/mm/numa: skip NUMA_NO_NODE onlining in
  parse_numa_properties() (bsc#1179639 ltc#189002 git-fixes).
- commit 73583c9
- esp: Fix possible buffer overflow in ESP transformation
  (bsc#1197131 CVE-2022-0886 CVE-2022-27666).
- commit 39a5891
- cifs: use the correct max-length for dentry_path_raw()
  (bsc1196196).
- commit 10cddb2
- quota: check block number when reading the block in quota file
  (bsc#1197366 CVE-2021-45868).
- commit a7d4915
- netfilter: conntrack: don't refresh sctp entries in closed state
  (bsc#1197389).
- commit c3afd15
- ALSA: kABI workaround for snd_pcm_runtime changes (CVE-2022-1048
  bsc#1197331).
- commit 12628f8
- ALSA: pcm: Fix races among concurrent prealloc proc writes
  (CVE-2022-1048 bsc#1197331).
- ALSA: pcm: Fix races among concurrent prepare and
  hw_params/hw_free calls (CVE-2022-1048 bsc#1197331).
- ALSA: pcm: Fix races among concurrent read/write and buffer
  changes (CVE-2022-1048 bsc#1197331).
- ALSA: pcm: Fix races among concurrent hw_params and hw_free
  calls (CVE-2022-1048 bsc#1197331).
- commit aee063f
- net: usb: ax88179_178a: Fix out-of-bounds accesses in RX fixup
  (bsc#1196018).
- commit 1580ab2
- ax88179_178a: Merge memcpy + le32_to_cpus to get_unaligned_le32
  (bsc#1196018).
- commit 1cdc779
- sr9700: sanity check for packet length (bsc#1196836
  CVE-2022-26966).
- commit edaafdd
- rpm: SC2006: Use $(...) notation instead of legacy backticked `...`.
- commit f0d0e90
- aio: fix use-after-free due to missing POLLFREE handling
  (CVE-2021-39698 bsc#1196956).
- aio: keep poll requests on waitqueue until completed
  (CVE-2021-39698 bsc#1196956).
- signalfd: use wake_up_pollfree() (CVE-2021-39698 bsc#1196956).
- binder: use wake_up_pollfree() (CVE-2021-39698 bsc#1196956).
- wait: add wake_up_pollfree() (CVE-2021-39698 bsc#1196956).
- commit b026506
- rpm/kernel-source.spec.in: call fdupes per subpackage
  It is a waste of time to do a global fdupes when we have
  subpackages.
- commit 1da8439
- af_unix: fix garbage collect vs MSG_PEEK (CVE-2021-0920
  bsc#1193731).
- commit 7040fdd
- Refresh patches.suse/xfrm-fix-mtu-regression.patch.
- commit 8d867d6
- xen/netfront: react properly to failing
  gnttab_end_foreign_access_ref() (bsc#1196488, XSA-396,
  CVE-2022-23042).
- commit fe0a923
- xen/gnttab: fix gnttab_end_foreign_access() without page
  specified (bsc#1196488, XSA-396, CVE-2022-23041).
- commit 58c801b
- xen/pvcalls: use alloc/free_pages_exact() (bsc#1196488,
  XSA-396, CVE-2022-23041).
- commit afb2dba
- xen/9p: use alloc/free_pages_exact() (bsc#1196488, XSA-396,
  CVE-2022-23041).
- commit cee63b9
- xen/usb: don't use gnttab_end_foreign_access() in
  xenhcd_gnttab_done() (bsc#1196488, XSA-396).
- commit b1d434d
- xen/gntalloc: don't use gnttab_query_foreign_access()
  (bsc#1196488, XSA-396, CVE-2022-23039).
- commit a4ec4aa
- xen/scsifront: don't use gnttab_query_foreign_access() for
  mapped status (bsc#1196488, XSA-396, CVE-2022-23038).
- commit fd9cb30
- xen/netfront: don't use gnttab_query_foreign_access() for
  mapped status (bsc#1196488, XSA-396, CVE-2022-23037).
- commit 4e33999
- xen/blkfront: don't use gnttab_query_foreign_access() for
  mapped status (bsc#1196488, XSA-396, CVE-2022-23036).
- commit 4334af7
- xen/grant-table: add gnttab_try_end_foreign_access()
  (bsc#1196488, XSA-396, CVE-2022-23036, CVE-2022-23038).
- commit 19b769a
- xen/xenbus: don't let xenbus_grant_ring() remove grants in
  error case (bsc#1196488, XSA-396, CVE-2022-23040).
- commit 5aacf1f
- rpm/arch-symbols,guards,*driver: Replace Novell with SUSE.
- commit 174a64f
- usb: host: xen-hcd: add missing unlock in error path
  (git-fixes).
- commit daa9ea7
- Refresh
  patches.suse/0002-usb-Introduce-Xen-pvUSB-frontend-xen-hcd.patch.
- commit d9066f6
- Refresh
  patches.suse/0001-usb-Add-Xen-pvUSB-protocol-description.patch.
- commit 5c41eb3
- rpm/kernel-docs.spec.in: use %%license for license declarations
  Limited to SLE15+ to avoid compatibility nightmares.
- commit 73d560e
- rpm/*.spec.in: Use https:// urls
- commit 77b5f8e
- Hand over the maintainership to SLE15-SP3 maintainers
- commit 0c92742
- SUNRPC: avoid race between mod_timer() and del_timer_sync()
  (bnc#1195403).
- commit fffe0fc
- nfc: st21nfca: Fix potential buffer overflows in EVT_TRANSACTION
  (CVE-2022-26490 bsc#1196830).
- commit fd10ace
- Update patch reference for iov security fix (CVE-2022-0847 bsc#1196584)
- commit 1dafeb6
- net/mlx5e: Fix page DMA map/unmap attributes (bsc#1196468).
- commit 8c8ae13
- kernel-binary.spec: Also exclude the kernel signing key from devel package.
  There is a check in OBS that fails when it is included. Also the key is
  not reproducible.
  Fixes: bb988d4625a3 ("/kernel-binary: Do not include sourcedir in certificate path."/)
- commit 68fa069
- rpm/check-for-config-changes: Ignore PAHOLE_VERSION.
- commit 88ba5ec
- lib/iov_iter: initialize "/flags"/ in new pipe_buffer
  (bsc#1196584).
- commit 4f3bbf5
- x86/speculation: Use generic retpoline by default on AMD
  (bsc#1191580 CVE-2022-0001 CVE-2022-0002).
- commit bed48b1
- gve: Recording rx queue before sending to napi (jsc#SLE-23652).
- gve: fix the wrong AdminQ buffer queue index check
  (jsc#SLE-23652).
- gve: Fix GFP flags when allocing pages (jsc#SLE-23652).
- gve: Add consumed counts to ethtool stats (jsc#SLE-23652).
- gve: Implement suspend/resume/shutdown (jsc#SLE-23652).
- gve: Add optional metadata descriptor type GVE_TXD_MTD
  (jsc#SLE-23652).
- gve: remove memory barrier around seqno (jsc#SLE-23652).
- gve: Update gve_free_queue_page_list signature (jsc#SLE-23652).
- gve: Move the irq db indexes out of the ntfy block struct
  (jsc#SLE-23652).
- gve: Correct order of processing device options (jsc#SLE-23652).
- gve: fix for null pointer dereference (jsc#SLE-23652).
- gve: fix unmatched u64_stats_update_end() (jsc#SLE-23652).
- gve: Add a jumbo-frame device option (jsc#SLE-23652).
- gve: Implement packet continuation for RX (jsc#SLE-23652).
- gve: Add RX context (jsc#SLE-23652).
- gve: Use kvcalloc() instead of kvzalloc() (jsc#SLE-23652).
- commit e1a9cfc
- udf: Restore i_lenAlloc when inode expansion fails (bsc#1196079
  CVE-2022-0617).
- commit a1deb2a
- udf: Fix NULL ptr deref when converting from inline format
  (bsc#1196079 CVE-2022-0617).
- commit 43cd4ed
- x86/speculation: Include unprivileged eBPF status in Spectre v2
  mitigation reporting (bsc#1191580 CVE-2022-0001 CVE-2022-0002).
- commit d42fa20
- Documentation/hw-vuln: Update spectre doc (bsc#1191580
  CVE-2022-0001 CVE-2022-0002).
- commit a48cfcc
- x86/speculation: Add eIBRS + Retpoline options (bsc#1191580
  CVE-2022-0001 CVE-2022-0002).
- commit 1a20a7e
- x86/speculation: Rename RETPOLINE_AMD to RETPOLINE_LFENCE
  (bsc#1191580 CVE-2022-0001 CVE-2022-0002).
- commit 80f47a3
- x86,bugs: Unconditionally allow spectre_v2=retpoline,amd
  (bsc#1191580 CVE-2022-0001 CVE-2022-0002).
- commit 1f9dd65
- usb: gadget: rndis: check size of RNDIS_MSG_SET command
  (CVE-2022-25375 bsc#1196235).
- commit 4e7d746
- Update patch reference for vfs fix (CVE-2022-0644 bsc#1196155)
- commit 900b4f0
- USB: gadget: validate interface OS descriptor requests
  (CVE-2022-25258 bsc#1196095).
- commit 4c69367
- scsi: lpfc: Fix pt2pt NVMe PRLI reject LOGO loop (bsc#1189126).
- commit 6aa037a
- powerpc/pseries/ddw: Revert "/Extend upper limit for huge DMA
  window for persistent memory"/ (bsc#1195995 ltc#196394).
- commit 7be7563
- f2fs: fix to do sanity check on inode type during garbage
  collection (CVE-2021-44879 bsc#1195987).
- commit 139271b
- tipc: improve size validations for received domain records
  (bsc#1195254, CVE-2022-0435).
- commit 48911da
- yam: fix a memory leak in yam_siocdevprivate() (CVE-2022-24959
  bsc#1195897).
- commit 60220af
- usb: gadget: clear related members when goto fail
  (CVE-2022-24958 bsc#1195905).
- usb: gadget: don't release an existing dev->buf (CVE-2022-24958
  bsc#1195905).
- commit 96dda76
- Update patches.suse/0001-mmc-moxart_remove-Fix-UAF.patch
  (bsc#1194516 CVE-2022-0487).
- commit f68f189
- nfsd: don't admin-revoke NSv4.0 state ids (bsc#1192483).
- nfsd: allow delegation state ids to be revoked and then freed
  (bsc#1192483).
- nfsd: allow lock state ids to be revoked and then freed
  (bsc#1192483).
- nfsd: allow open state ids to be revoked and then freed
  (bsc#1192483).
- nfsd: prepare for supporting admin-revocation of state
  (bsc#1192483).
- commit 4fab2c0
- kernel-binary: Do not include sourcedir in certificate path.
  The certs macro runs before build directory is set up so it creates the
  aggregate of supplied certificates in the source directory.
  Using this file directly as the certificate in kernel config works but
  embeds the source directory path in the kernel config.
  To avoid this symlink the certificate to the build directory and use
  relative path to refer to it.
  Also fabricate a certificate in the same location in build directory
  when none is provided.
- commit bb988d4
- constraints: Also adjust disk requirement for x86 and s390.
- commit 9719db0
- constraints: Increase disk space for aarch64
- commit 09c2882
- KVM: s390: Return error on SIDA memop on normal guest
  (bsc#1195516 CVE-2022-0516).
- commit d46602b
- NFSv4: Handle case where the lookup of a directory fails
  (bsc#1195612 CVE-2022-24448).
- commit 1023a28
- btrfs: check for missing device in btrfs_trim_fs (bsc#1195701).
- commit be8e591
- cgroup-v1: Require capabilities to set release_agent
  (bsc#1195543 CVE-2022-0492).
- commit 413d689
- scsi: ufs: Correct the LUN used in eh_device_reset_handler()
  callback (bsc#1193864 CVE-2021-39657).
- commit 5ec67f9
- scsi: target: iscsi: Fix cmd abort fabric stop race
  (bsc#1195286).
- commit 79c1016
- Update kabi files.
- update from February 2022 maintenance update submission (commit 49453fa0b26b)
- commit 10d28a1
- kernel-obs-build: include 9p (boo#1195353)
  To be able to share files between host and the qemu vm of the build
  script, the 9p and 9p_virtio kernel modules need to be included in
  the initrd of kernel-obs-build.
- commit 0cfe67a
- net: tipc: validate domain record count on input (bsc#1195254).
- commit 5e4e31e
- series.conf: sort
  Fix patch ordering in sorted section.
- commit f4bbbbf
- fix patches metadata
- fix Patch-mainline, mark partial backport, add a note to commit message
  - patches.suse/net-xdp-Introduce-xdp_init_buff-utility-routine.patch
  - patches.suse/net-xdp-Introduce-xdp_prepare_buff-utility-routine.patch
- commit c8555c7
- Update kabi files.
- update from out of order January 2022 maintenance update (commit 712a8e6dffc3)
- commit d4e500b
- update
- commit 8000467
- phonet: refcount leak in pep_sock_accep (bsc#1193867,
  CVE-2021-45095).
- commit 98c27cb
- xfrm: fix MTU regression (bsc#1185377, bsc#1194048).
- Delete
  patches.suse/xfrm-xfrm_state_mtu-should-return-at-least-1280-for-.patch.
  which caused a regression (bsc#1194048).
- fix patches.kabi/revert-xfrm-xfrm_state_mtu-should-return-at-least-1280.patch
  fixes the resulting KABI change
- Replace with an alternative fix for bsc#1185377
- commit ccdfbb9
- net: tipc: validate domain record count on input (bsc#1195254).
- commit 96de11b
- SLE15-SP2 went to LTSS, hand over to L3
- commit 1e60178
- drm/vmwgfx: Fix stale file descriptors on failed usercopy
  (CVE-2022-22942 bsc#1195065).
- commit b93c2a4
- nvme: add 'iopolicy' module parameter (bsc#1177599 bsc#1193096).
- commit 92fcdfb
- bpf: Verifer, adjust_scalar_min_max_vals to always call
  update_reg_bounds() (bsc#1194227).
- commit bf95985
- net/packet: rx_owner_map depends on pg_vec (bsc#1195184
  CVE-2021-22600).
- commit ef975a8
- scsi: ufs: Correct the LUN used in eh_device_reset_handler()
  callback (bsc#1193864 CVE-2021-39657).
- commit a954734
- Update
  patches.suse/usb-gadget-configfs-Fix-use-after-free-issue-with-ud.patch
  (bsc#1193861 CVE-2021-39648).
  updated references for a CVE that became known after the fix
  had been applied for other reasons
- commit 2372cca
- net: mana: Add RX fencing (bsc#1193506).
- commit 86ca026
- net: mana: Add XDP support (bsc#1193506).
- commit 8a8d94e
- hv_netvsc: Set needed_headroom according to VF (bsc#1193506).
- commit 2ce60c3
- net, xdp: Introduce xdp_prepare_buff utility routine
  (bsc#1193506).
- commit f1f2607
- net, xdp: Introduce xdp_init_buff utility routine (bsc#1193506).
- commit d81f88a
- btrfs: tree-checker: check for BTRFS_BLOCK_FLAG_FULL_BACKREF being set improperly (bsc#1195009).
- commit 472ff50
- btrfs: tree-checker: annotate all error branches as unlikely (bsc#1195009).
- commit ac668ff
- btrfs: tree-checker: Add EXTENT_ITEM and METADATA_ITEM check (bsc#1195009).
- commit 38bf9aa
- kernel-binary.spec.in: Move 20-kernel-default-extra.conf to the correctr
  directory (bsc#1195051).
- commit c80b5de
- drm/i915: Flush TLBs before releasing backing store
  (CVE-2022-0330 bsc#1194880).
- commit 34a8919
- net: allow retransmitting a TCP packet if original is still
  in queue (bsc#1188605 bsc#1187428).
- commit 07dea3c
- kernel-binary.spec: Do not use the default certificate path (bsc#1194943).
  Using the the default path is broken since Linux 5.17
- commit 68b36f0
- fix rpm build warning
  tumbleweed rpm is adding these warnings to the log:
  It's not recommended to have unversioned Obsoletes: Obsoletes:      microcode_ctl
- commit 3ba8941
- build initrd without systemd
  This reduces the size of the initrd by over 25%, which
  improves startup time of the virtual machine by 0.5-0.6s on
  very fast machines, more on slower ones.
- commit ef4c569
- Revert "/net: sched: disable TCQ_F_NOLOCK for pfifo_fast (bsc#1183405)"/
  This reverts commit 3aa0c01fad38360cc9cd840d49bdfdc565e2e718.
  With the backport of the upstream fix for bsc#1183405 race, this workaround
  is no longer needed.
- commit e063337
- net: sched: add barrier to ensure correct ordering for lockless
  qdisc (bsc#1183405).
- net: sched: avoid unnecessary seqcount operation for lockless
  qdisc (bsc#1183405).
- net: sched: fix tx action reschedule issue with stopped queue
  (bsc#1183405).
- net: sched: fix tx action rescheduling issue during deactivation
  (bsc#1183405).
- net: sched: fix packet stuck problem for lockless qdisc
  (bsc#1183405).
- net: sched: replaced invalid qdisc tree flush helper in
  qdisc_replace (bsc#1183405).
- net: sch_generic: aviod concurrent reset and enqueue op for
  lockless qdisc (bsc#1183405).
- net_sched: get rid of unnecessary dev_qdisc_reset()
  (bsc#1183405).
- net_sched: avoid resetting active qdisc for multiple times
  (bsc#1183405).
- net_sched: use qdisc_reset() in qdisc_destroy() (bsc#1183405).
- commit abc4d94
libarchive
- Fix CVE-2021-36976 use-after-free in copy_string
  (CVE-2021-36976, bsc#1188572)
  * fix-CVE-2021-36976.patch
- The following issues have already been fixed in this package but
  weren't previously mentioned in the changes file:
  CVE-2017-5601, bsc#1022528, bsc#1189528
libsolv
- reworked choice rule generation to cover more usecases
- support SOLVABLE_PREREQ_IGNOREINST in the ordering code
  [bsc#1196514]
- support parsing of Debian's Multi-Arch indicator
- bump version to 0.7.22
- fix segfault on conflict resolution when using bindings
- fix split provides not working if the update includes a forbidden
  vendor change
- support strict repository priorities
  new solver flag: SOLVER_FLAG_STRICT_REPO_PRIORITY
- support zstd compressed control files in debian packages
- add an ifdef allowing to rename Solvable dependency members
  ("/requires"/ is a keyword in C++20)
- support setting/reading userdata in solv files
  new functions: repowriter_set_userdata, solv_read_userdata
- support queying of the custom vendor check function
  new function: pool_get_custom_vendorcheck
- support solv files with an idarray block
- allow accessing the toolversion at runtime
- bump version to 0.7.21
libtirpc
- fix memory leak in client protocol version 2 code (bsc#1193805)
  - update: 0001-rpcb_clnt.c-config-to-try-protocolversion-2-first.patch
libzypp
- ZConfig: Update solver settings if target changes (bsc#1196368)
- version 17.30.0 (22)
- Fix possible hang in singletrans mode (bsc#1197134)
- Do 2 retries if mount is still busy.
- version 17.29.7 (22)
- Fix package signature check (bsc#1184501)
  Pay attention that header and payload are secured by a valid
  signature and report more detailed which signature is missing.
- Retry umount if device is busy (bsc#1196061, closes #381)
  A previously released ISO image may need a bit more time to
  release it's loop device. So we wait a bit and retry.
- Fix serializing/deserializing type mismatch in zypp-rpm
  protocol (bsc#1196925)
- Fix handling of ISO media in releaseAll (bsc#1196061)
- Hint on common ptf resolver conflicts (bsc#1194848)
- version 17.29.6 (22)
- Hint on ptf<>patch resolver conflicts (bsc#1194848)
- version 17.29.5 (22)
- Fix handling of redirected command in-/output (bsc#1195326)
  This fixes delays at the end of zypper operations, where
  zypper unintentionally waits for appdata plugin scripts to
  complete.
- version 17.29.4 (22)
- Public header files on older distros must use c++11
  (bsc#1194597)
- Fix exception handling when reading or writing credentials
  (bsc#1194898)
- version 17.29.3 (22)
- Fix Legacy include (bsc#1194597)
- version 17.29.2 (22)
- Fix broken install path for parser compat headers (fixes #372,
  bsc#1194597)
- RepoManager: remember exec errors in exception history
  (bsc#1193007)
- version 17.29.1 (22)
- Use the default zypp.conf settings if no zypp.conf exists
  (bsc#1193488)
- Fix wrong encoding of iso: URL components (bsc#954813)
- Handle armv8l as armv7hl compatible userland.
- Introduce zypp-curl a sublibrary for CURL related code.
- zypp-rpm: Increase rpm loglevel if ZYPP_RPM_DEBUG is set.
- Save all signatures associated with a public key in its
  PublicKeyData.
- version 17.29.0 (22)
log4j12
- Remove the chainsaw sub-package (bsc#1194844, CVE-2022-23307)
- Remove src/main/java/org/apache/log4j/jdbc/JDBCAppender.java from
  the build to mitigate bsc#1194843, CVE-2022-23305
- Remove src/main/java/org/apache/log4j/net/JMSSink.java from the
  build to mitigate bsc#1194842, CVE-2022-23302
- Obsolete chainsaw < 2.1 by the log4j12 package
- Added patch:
  * log4j12-missingmodules.patch
    + do not package org.apache.log4j.chainsaw classes
    + package org.apache.log4j.pattern classes that will be needed
    by apache-log4j-extras which is a dependency of chainsaw 2.x
- Fix 'chainsaw' package: [bsc#1193184 - Chainsaw does not start]
  * Add missing dependency to log4j12 for 'chainsaw' package.
- Put GUI tools into separate packages
lvm2
- udev: create symlinks and watch even in suspended state (bsc#1195231)
  + bug-1195231-udev-create-symlinks-and-watch-even-in-suspended-sta.patch
mgr-libmod
- version 4.1.10-1
  * require python macros for building
mgr-osad
- version 4.1.6-1
  * require python macros for building
mozilla-nss
- Mozilla NSS 3.68.3 (bsc#1197903)
  This release improves the stability of NSS when used in a multi-threaded
  environment. In particular, it fixes memory safety violations that
  can occur when PKCS#11 tokens are removed while in use (CVE-2022-1097).
  We presume that with enough effort these memory safety violations are exploitable.
  * Remove token member from NSSSlot struct (bmo#1756271).
  * Hold tokensLock through nssToken_GetSlot calls in nssTrustDomain_GetActiveSlots
    (bmo#1755555).
  * Check return value of PK11Slot_GetNSSToken (bmo#1370866).
net-snmp
- Decouple snmp-mibs from net-snmp version to allow major version
  upgrade (bsc#1196955).
nfs-utils
- Add 0023-cache.c-removed-a-couple-warning.patch
  Fix compilation with new glibc (SLE15-SP4)
  (bsc#1197788)
- Add 0021-mount.nfs-insert-sloppy-at-beginning-of-the-options.patch
  Add 0022-mount.nfs-Fix-the-sloppy-option-processing.patch
  Ensure "/sloppy"/ is added correctly for newer kernels.  Particularly
  required for kernels since 5.6 (so SLE15-SP4), and safe for all kernels.
  (boo#1197297)
- Add 0020-mountd-Initialize-logging-early.patch
  If an error or warning message is produced before
  closeall() is called, mountd gets confused and doesn't work.
  (bsc#1194661)
openldap2
- bsc#1191157 - Correct version specification in ppolicy to allow
  submission to SP3 for TLS1.3
- bsc#1191157 - allow specification of max/min TLS version with TLS1.3
  * 0239-ITS-9422-Update-for-TLS-v1.3.patch
  * 0240-ITS-9518-add-LDAP_OPT_X_TLS_PROTOCOL_MAX-option.patch
  * 0241-TLS-set-protocol-version.patch
- bsc#1197004 - libldap was able to be out of step with openldap in
  some cases which could cause incorrect installations and symbol
  resolution failures. openldap2 and libldap now are locked to their
  related release versions.
- jsc#PM-3288 - restore CLDAP functionality in CLI tools
- Revert jsc#PM-3288 - CLDAP ( -DLDAP_CONNECTIONLESS ) due to regression
  reporting is bsc#1197004 causing SSSD to have faults.
- jsc#PM-3288 - restore CLDAP functionality in CLI tools
openssh
- Add openssh-dbus.sh, openssh-dbus.csh, openssh-dbus.fish: Make ssh
  connections update their dbus environment (bsc#1179465).
- Add openssh-bsc1190975-CVE-2021-41617-authorizedkeyscommand.patch
  (bsc#1190975, CVE-2021-41617), backported from upstream by
  Ali Abdallah.
openssl-1_1
- Security Fix: [bsc#1196877, CVE-2022-0778]
  * Infinite loop in BN_mod_sqrt() reachable when parsing certificates
  * Add openssl-CVE-2022-0778.patch openssl-CVE-2022-0778-tests.patch
- Fix PAC pointer authentication in ARM [bsc#1195856]
  * PAC pointer authentication signs the return address against the
    value of the stack pointer, to prevent stack overrun exploits
    from corrupting the control flow. The Poly1305 armv8 code got
    this wrong, resulting in crashes on PAC capable hardware.
  * Add openssl-1_1-ARM-PAC.patch
- Pull libopenssl-1_1 when updating openssl-1_1 with the same
  version. [bsc#1195792]
- FIPS: Fix function and reason error codes [bsc#1182959]
  * Add openssl-1_1-FIPS-fix-error-reason-codes.patch
- Enable zlib compression support [bsc#1195149]
  * Add openssl-fix-BIO_f_zlib.patch to fix BIO_f_zlib: Properly
    handle BIO_CTRL_PENDING and BIO_CTRL_WPENDING calls.
pam
- Between allocating the variable "/ai"/ and free'ing them, there are
  two "/return NO"/ were we don't free this variable. This patch
  inserts freaddrinfo() calls before the "/return NO;"/s.
  [bsc#1197024, pam-bsc1197024-free-addrinfo-before-return.patch]
- Define _pam_vendordir as "//%{_sysconfdir}/pam.d"/
  The variable is needed by systemd and others.
  [bsc#1196093, macros.pam]
polkit
- CVE-2021-4115: fixed a denial of service via file descriptor leak (bsc#1195542)
  added CVE-2021-4115.patch
postgresql
- Fix the pg_server_requires macro on older rpm versions (SLE-12).
- Avoid a dependency on awk in postgresql-script.
- Move the dependency of llvmjit-devel on clang and llvm to the
  implementation packages where we can depend on the correct
  versions.
- fix postgresql_has_llvm usage
- First round of changes to make it easier to build extensions for
  - add postgresql-llvmjit-devel subpackage:
    This package will pull in clang and llvm if the distro has a
    recent enough version, otherwise it will just pull
    postgresql-server-devel.
  - add postgresql macros to the postgresql-server-devel package
    those cover all the variables from pg_config and some macros
    to remove repitition from the spec files
- Bump version to 14.
- Bump default to 14 on Factory and future SPs.
procps
- Add patch bsc1195468-23da4f40.patch to fix bsc#1195468 that is
  ignore SIGURG
protobuf
- Fix incorrect parsing of nullchar in the proto symbol, CVE-2021-22570,
  bsc#1195258
  * Add protobuf-CVE-2021-22570.patch
psmisc
  * Determine the namespace of a process only once to speed
    up the parsing of fdinfo (bsc#1194172).
- Change patch 0001-Use-mountinfo-to-be-able-to-use-the-mount-identity.patch
py26-compat-msgpack-python
- Adapted to build on OBS for Enterprise Linux.
py27-compat-salt
- Fix inspector module export function (bsc#1097531)
- Fix possible traceback on ip6_interface grain (bsc#1193565)
- Don't check for cached pillar errors on state.apply (bsc#1190781)
- Added:
  * state.apply-don-t-check-for-cached-pillar-errors.patch
  * fix-inspector-module-export-function-bsc-1097531-479.patch
  * fix-possible-traceback-on-ip6_interface-grain-bsc-11.patch
  * vendor-stateresult.patch
- Simplify "/transactional_update"/ module to not use SSH wrapper and allow more flexible execution
- Add "/--no-return-event"/ option to salt-call to prevent sending return event back to master.
- Make "/state.highstate"/ to acts on concurrent flag.
- Fix the regression with invalid syntax in test_parse_cpe_name_v23.
- Added:
  * refactor-and-improvements-for-transactional-updates-.patch
  * fix-the-regression-with-invalid-syntax-in-test_parse.patch
- Fix tmpfiles.d configuration for salt to not use legacy paths (bsc#1173103)
- Remove wrong _parse_cpe_name from grains.core
- Fix file.find tracebacks with non utf8 file names (bsc#1190114)
- Added:
  * fix-file.find-tracebacks-with-non-utf8-file-names-bs.patch
  * remove-wrong-_parse_cpe_name-from-grains.core-454.patch
- Fix ip6_interface grain to not leak secondary IPv4 aliases (bsc#1191412)
- Added Python2 build possibility for RHEL8
- Added:
  * fix-ip6_interface-grain-to-not-leak-secondary-ipv4-a.patch
- Do not consider skipped targets as failed for ansible.playbooks state (bsc#1190446)
- Fix traceback.*_exc() calls
- Added:
  * 3000.3-do-not-consider-skipped-targets-as-failed-for.patch
  * fix-traceback.-_exc-calls-431.patch
- Fix the regression of docker_container state module (bsc#1191285)
python
- Update bundled pip wheel to the latest SLE version patched
  against bsc#1186819 (CVE-2021-3572).
- Recover again proper value of %python2_package_prefix
  (bsc#1175619).
- BuildRequire rpm-build-python: The provider to inject python(abi)
  has been moved there. rpm-build pulls rpm-build-python
  automatically in when building anything against python3-base, but
  this implies that the initial build of python3-base does not
  trigger the automatic installation.
- Older SLE versions should use old OpenSSL.
- Add CVE-2022-0391-urllib_parse-newline-parsing.patch
  (bsc#1195396, CVE-2022-0391, bpo#43882) sanitizing URLs
  containing ASCII newline and tabs in urlparse.
- Add CVE-2021-4189-ftplib-trust-PASV-resp.patch (bsc#1194146,
  bpo#43285, CVE-2021-4189, gh#python/cpython#24838) make ftplib
  not trust the PASV response.
- build against openssl 1.1.x (incompatible with openssl 3.0x)
  for now.
- on sle12, python2 modules will still be called python-xxxx until EOL,
  for newer SLE versions they will be python2-xxxx
- BuildRequire rpm-build-python: The provider to inject python(abi)
  has been moved there. rpm-build pulls rpm-build-python
  automatically in when building anything against python3-base, but
  this implies that the initial build of python3-base does not
  trigger the automatic installation.
python-base
- Update bundled pip wheel to the latest SLE version patched
  against bsc#1186819 (CVE-2021-3572).
- Recover again proper value of %python2_package_prefix
  (bsc#1175619).
- BuildRequire rpm-build-python: The provider to inject python(abi)
  has been moved there. rpm-build pulls rpm-build-python
  automatically in when building anything against python3-base, but
  this implies that the initial build of python3-base does not
  trigger the automatic installation.
- Older SLE versions should use old OpenSSL.
- Add CVE-2022-0391-urllib_parse-newline-parsing.patch
  (bsc#1195396, CVE-2022-0391, bpo#43882) sanitizing URLs
  containing ASCII newline and tabs in urlparse.
- Add CVE-2021-4189-ftplib-trust-PASV-resp.patch (bsc#1194146,
  bpo#43285, CVE-2021-4189, gh#python/cpython#24838) make ftplib
  not trust the PASV response.
- build against openssl 1.1.x (incompatible with openssl 3.0x)
  for now.
- on sle12, python2 modules will still be called python-xxxx until EOL,
  for newer SLE versions they will be python2-xxxx
- BuildRequire rpm-build-python: The provider to inject python(abi)
  has been moved there. rpm-build pulls rpm-build-python
  automatically in when building anything against python3-base, but
  this implies that the initial build of python3-base does not
  trigger the automatic installation.
python-jsonschema
- Add patch to fix build with new webcolors:
  * webcolors.patch
- update to version 3.2.0 (jsc#SLE-18756):
  * Added a format_nongpl setuptools extra, which installs only format
    dependencies that are non-GPL (#619).
- specfile:
  * be more explicit in %files section
  * require python-importlib-metadata
- update to version 3.1.1:
  * Temporarily revert the switch to js-regex until #611 and #612 are
    resolved.
- changes from version 3.1.0:
  * Regular expressions throughout schemas now respect the ECMA 262
    dialect, as recommended by the specification (#609).
- Replace %fdupes -s with plain %fdupes; hardlinks are better.
- Activate more of the test suite
- Remove tests and benchmarking from the runtime package
- Update to v3.0.2
  * Fixed a bug where 0 and False were considered equal by
    const and enum
- from v3.0.1
  * Fixed a bug where extending validators did not preserve their
    notion of which validator property contains $id information.
- from v3.0.0
  * Support for Draft 6 and Draft 7
  * Draft 7 is now the default
  * New TypeChecker object for more complex type definitions
    (and overrides)
  * Falling back to isodate for the date-time format checker is
    no longer attempted, in accordance with the specification
- Add non-updating note to the SPEC file
- downgrade to < 3.0.0 again to fix all openstack clients
- Update to 3.0.1:
  * Support for Draft 6 and Draft 7
  * Draft 7 is now the default
  * New TypeChecker object for more complex type definitions (and overrides)
  * Falling back to isodate for the date-time format checker is no longer attempted, in accordance with the specification
- Use %license instead of %doc [bsc#1082318]
python-libxml2-python
- Security fix: [bsc#1196490, CVE-2022-23308]
  * Use-after-free of ID and IDREF attributes.
- Add libxml2-CVE-2022-23308.patch
python-lxml
- With the new update to 4.7.1, the old Bugzilla entries are also
  fixed:
  - bsc#1118088 (related to CVE-2018-19787)
  - bsc#1184177 (related to CVE-2021-28957)
- Update to 4.7.1 (officially released 2021-12-13)
  Features added
  - Chunked Unicode string parsing via parser.feed() now encodes the input
    data to the native UTF-8 encoding directly, instead of going through
    Py_UNICODE / wchar_t encoding first, which previously required duplicate
    recoding in most cases.
  Bugs fixed
  - The standard namespace prefixes were mishandled during "/C14N2"/
  serialisation
    on Python 3.
    See
  https://mail.python.org/archives/list/lxml@python.org/thread/
  6ZFBHFOVHOS5GFDOAMPCT6HM5HZPWQ4Q/
  - lxml.objectify previously accepted non-XML numbers with underscores
    (like "/1_000"/) as integers or float values in Python 3.6 and later.
    It now adheres to the number format of the XML spec again.
  - LP#1939031: Static wheels of lxml now contain the header files of zlib
    and libiconv (in addition to the already provided headers of
    libxml2/libxslt/libexslt).
  Other changes
  - Wheels include libxml2 2.9.12+ and libxslt 1.1.34 (also on Windows).
- Update to 4.7.0 (2021-12-13)
  - Release retracted due to missing files in lxml/includes/.
- UPdate to 4.6.5 (2021-12-12)
  Bugs fixed
  - A vulnerability (GHSL-2021-1038) in the HTML cleaner
  - allowed sneaking script content through SVG images
  - (bnc#1193752, CVE-2021-43818).
  - A vulnerability (GHSL-2021-1037) in the HTML cleaner allowed
  - sneaking script content through CSS imports and other crafted
  - constructs (CVE-2021-43818).
- Update 4.6.4 (2021-11-01)
  Features added
  - GH#317: A new property system_url was added to DTD entities.
  - Patch by Thirdegree.
  - GH#314: The STATIC_* variables in setup.py can now be passed
  - via env vars.
  - Patch by Isaac Jurado.
- Update 4.6.3 (2021-03-21)
  Bugs fixed
  - A vulnerability (CVE-2021-28957) was discovered in the HTML
  - Cleaner by Kevin Chung, which allowed JavaScript to pass through.
  - The cleaner now removes the HTML5 formaction attribute.
- Update 4.6.2 (2020-11-26)
  Bugs fixed
  - A vulnerability (bnc#1179534, CVE-2020-27783) was discovered in the HTML
    Cleaner
  - by Yaniv Nizry, which allowed JavaScript to pass through. The cleaner
  - now removes more sneaky "/style"/ content.
- Update 4.6.1 (2020-10-18)
  Bugs fixed
  - A vulnerability was discovered in the HTML Cleaner by Yaniv Nizry,
  - which allowed JavaScript to pass through. The cleaner now removes
  - more sneaky "/style"/ content.
- Update 4.6.0 (2020-10-17)
  Features added
  - GH#310: lxml.html.InputGetter supports __len__() to count the number
  - of input fields. Patch by Aidan Woolley.
  - lxml.html.InputGetter has a new .items() method to ease processing
  - all input fields.
  - lxml.html.InputGetter.keys() now returns the field names in document
  - order.
  - GH-309: The API documentation is now generated using sphinx-apidoc.
  - Patch by Chris Mayo.
  Bugs fixed
  - LP#1869455: C14N 2.0 serialisation failed for unprefixed attributes
  - when a default namespace was defined.
  - TreeBuilder.close() raised AssertionError in some error cases where
  - it should have raised XMLSyntaxError. It now raises a combined
  - exception to keep up backwards compatibility, while switching to
  - XMLSyntaxError as an interface.
- Update 4.5.2 (2020-07-09)
  Bugs fixed
  - Cleaner() now validates that only known configuration options
  - can be set.
  - LP#1882606: Cleaner.clean_html() discarded comments and PIs
  - regardless of the corresponding configuration option, if
  - remove_unknown_tags was set.
  - LP#1880251: Instead of globally overwriting the document loader
  - in libxml2, lxml now sets it per parser run, which improves the
  - interoperability with other users of libxml2 such as libxmlsec.
  - LP#1881960: Fix build in CPython 3.10 by using Cython 0.29.21.
  - The setup options "/--with-xml2-config"/ and "/--with-xslt-config"/
  - were accidentally renamed to "/--xml2-config"/ and "/--xslt-config"/
  - in 4.5.1 and are now available again.
- Update 4.5.1 (2020-05-19)
  Bugs fixed
  - LP#1570388: Fix failures when serialising documents larger than
  - 2GB in some cases.
  - LP#1865141, GH#298: QName values were not accepted by the
  - el.iter() method. Patch by xmo-odoo.
  - LP#1863413, GH#297: The build failed to detect libraries on Linux
  - that are only configured via pkg-config. Patch by Hugh McMaster.
- Update 4.5.0 (2020-01-29)
  Features added
  - A new function indent() was added to insert tail whitespace for
  - pretty-printing an XML tree.
  Bugs fixed
  - LP#1857794: Tail text of nodes that get removed from a document
    using item deletion disappeared silently instead of sticking with
    the node that was removed.
  Other changes
  - MacOS builds are 64-bit-only by default. Set CFLAGS and LDFLAGS
    explicitly to override it.
  - Linux/MacOS Binary wheels now use libxml2 2.9.10 and libxslt 1.1.34.
  - LP#1840234: The package version number is now available as
    lxml.__version__.
- Update 4.4.3 (2020-01-28)
  Bugs fixed
  - LP#1844674: itertext() was missing tail text of comments and PIs
    since 4.4.0.
release-notes-sles
- 15.2.20220202 (tracked in bsc#933411)
- Added kernel parameter change (bsc#1195107)
- Added note about deprecating XFS V4 (jsc#SLE-22662)
- Added note about ODBC driver location (jsc#SLE-13242)
- Added note about unixODBC drivers in production (jsc#SLE-20554)
- Added note about GNOME and vncserver (bsc#1186415)
release-notes-susemanager
- Update to 4.1.14.1
  * CVEs fixed
    CVE-2022-22934, CVE-2022-22935, CVE-2022-22936, CVE-2022-22941
  * Bugs mentioned
    bsc#1197417
- Update to 4.1.14
  * Bugs mentioned
    bsc#1097531, bsc#1133198, bsc#1190781, bsc#1191360, bsc#1192510,
    bsc#1192566, bsc#1192822, bsc#1193565, bsc#1194044, bsc#1194363,
    bsc#1195043,bsc#1195282
- Update to 4.1.13.1
  * Note about Prometheus 2.32.1
- Update to 4.1.13
  * Forward clients registration information to SCC
  * Bugs mentioned
    bsc#1173103, bsc#1173143, bsc#1184617, bsc#1187708,
    bsc#1188505, bsc#1188900, bsc#1190114, bsc#1190446,
    bsc#1191192, bsc#1191222, bsc#1191285, bsc#1191313,
    bsc#1191340, bsc#1191377, bsc#1191412, bsc#1191442,
    bsc#1191656, bsc#1191702, bsc#1191899, bsc#1192487,
    bsc#1192514, bsc#1192736, bsc#1193008, bsc#1193585,
    bsc#1193612, bsc#1193694, bsc#1193832
rsyslog
- add service dependencies for remote logging (bsc#1194669)
- update config example in remote.conf to match upstream documentation
salt
- Fix regression preventing bootstrapping new clients caused by
  redundant dependency on psutil (bsc#1197533)
- Prevent data pollution between actions proceesed at the same time (bsc#1197637)
- Added:
  * fix-regression-with-depending-client.ssh-on-psutil-b.patch
  * prevent-affection-of-ssh.opts-with-lazyloader-bsc-11.patch
- Fix salt-ssh opts poisoning (bsc#1197637)
- Clear network interfaces cache on grains request (bsc#1196050)
- Add salt-ssh with Salt Bundle support (venv-salt-minion)
- (bsc#1182851, bsc#1196432)
- Remove duplicated method definitions in salt.netapi
- Restrict "/state.orchestrate_single"/ to pass a pillar value if it exists (bsc#1194632)
- Added:
  * clear-network-interface-cache-when-grains-are-reques.patch
  * remove-duplicated-method-definitions-in-salt.netapi-.patch
  * fix-salt-ssh-opts-poisoning-bsc-1197637-3002.2-500.patch
  * add-salt-ssh-support-with-venv-salt-minion-3002.2-47.patch
  * fix-state.orchestrate_single-to-not-pass-pillar-none.patch
- Renamed:
  * patch_for_cve_bsc1197417.patch -> fix-multiple-security-issues-bsc-1197417.patch
- Fix multiple security issues (bsc#1197417)
  * Sign authentication replies to prevent MiTM (CVE-2022-22935)
  * Sign pillar data to prevent MiTM attacks. (CVE-2022-22934)
  * Prevent job and fileserver replays (CVE-2022-22936)
  * Fixed targeting bug, especially visible when using syndic and user auth. (CVE-2022-22941)
- Added:
  * patch_for_cve_bsc1197417.patch
- Fix inspector module export function (bsc#1097531)
- Add all ssh kwargs to sanitize_kwargs method
- Wipe NOTIFY_SOCKET from env in cmdmod (bsc#1193357)
- Don't check for cached pillar errors on state.apply (bsc#1190781)
- Simplify "/transactional_update"/ module to not use SSH wrapper and allow more flexible execution
- Add "/--no-return-event"/ option to salt-call to prevent sending return event back to master.
- Make "/state.highstate"/ to acts on concurrent flag.
- Added:
  * fix-inspector-module-export-function-bsc-1097531-480.patch
  * vendor-stateresult.patch
  * wipe-notify_socket-from-env-in-cmdmod-bsc-1193357-30.patch
  * add-all-ssh-kwargs-to-sanitize_kwargs-method-3002.2-.patch
  * refactor-and-improvements-for-transactional-updates-.patch
  * state.apply-don-t-check-for-cached-pillar-errors.patch
samba
- CVE-2021-44142: Out-of-Bound Read/Write on Samba vfs_fruit
  module; (bsc#1194859); (bso#14914).
spacecmd
- version 4.1.17-1
  * Fix interactive mode for "/system_applyerrata"/ and "/errata_apply"/ (bsc#1194363)
- version 4.1.16-1
  * require python macros for building
spacewalk-admin
- version 4.1.11-1
  * add service to update configfile and introduce a backup scc user
spacewalk-backend
- version 4.1.30-1
  * Add headers to update proxy auth token in listChannels (bsc#1193585)
  * require python macros for building
  * Fix the IS_SUSE variable in spacewalk-debug
  * exchange zypp-plugin dependency to use the python3 version (bsc#1192514)
  * Minor spec update.
  * Added RHN config parameter httpd_config_dir.
spacewalk-certs-tools
- version 4.1.20-1
  * Make bootstrap script to use bash when called with a different
    interpreter (bsc#1191656)
spacewalk-client-tools
- version 4.1.11-1
  * require python macros for building
spacewalk-java
- version 4.1.44-1
  * allow SCC to display the last check-in time for registered systems
  * Suggest Product Migration when patch for CVE is in a successor Product (bsc#1191360)
  * Add store info to Equals and hash methods to fix CVE audit process (bsc#1195282)
  * fix ClassCastException during action processing (bsc#1195043)
  * Fix disappearing metadata key files after channel change (bsc#1192822)
  * Pass only selected servers to taskomatic for cancelation (bsc#1194044)
- version 4.1.43-1
  * Fix stack overflow when building a CLM project from modular sources (bsc#1194990)
- version 4.1.42-1
  * Avoid using RPM tags when filtering modular packages in CLM (bsc#1192487)
  * fix XML syntax in cobbler snippets (bsc#1193694)
  * Fix stripping module metadata when cloning channels in CLM (bsc#1193008)
  * Fix system information forwarding to SCC (bsc#1188900)
  * forward registration data to SUSE Customer Center
  * Run Prometheus JMX exporter as Java agent (bsc#1184617)
  * Fix calling wrong XMLRPC bootstrap method (bsc#1192736)
  * Fix package update action with shared channels (bsc#1191313)
  * fix issue with empty action chains getting deleted too early (bsc#1191377)
  * switch to best repo auth item for contentsources (bsc#1191442)
  * Set product name and version in the User-Agent header when connecting to SCC
  * update last boot time of SSH Minions after bootstrapping (bsc#1191899)
  * Mark SSH minion actions when they're picked up (bsc#1188505)
  * Add compressed flag to image pillars when kiwi image is compressed (bsc#1191702)
  * mgr-sync refresh logs when a vendor channel is expired and shows how to remove it (bsc#1191222)
- Readable error when "/mgr-sync add channel"/ is called with a non-existing label (bsc#1173143)
spacewalk-reports
- version 4.1.5-1
  * Fixes query for system-history report to prevent more than one
    row returned by a subquery with rhnxccdftestresult.identifier
    (bsc#1191192)
spacewalk-setup
- version 4.1.10-1
  * Increase "/max_event_size"/ value for the Salt master (bsc#1191340)
  * Leave Cobbler bootloader directory at the default (bsc#1187708)
  * Don't delete cobbler.conf contents.
  * Fixed FileNotFoundError on cobbler setup.
  * cobbler20-setup was removed
  * spacewalk-setup-cobbler was reimplemented in Python
  * Config files for Cobbler don't get edited in place anymore, thus the original
    ones are saved with a "/.backup"/ suffix
spacewalk-utils
- version 4.1.19-1
  * require python macros for building
spacewalk-web
- version 4.1.32-1
  * Suggest Product Migration when patch for CVE is in a successor Product (bsc#1191360)
- version 4.1.31-1
  * Update Web UI version to 4.1.13
sudo
- Add support in the LDAP filter for negated users, patch taken
  from upstream (jsc#20068)
  * Adds sudo-feature-negated-LDAP-users.patch
- Restrict use of sudo -U other -l to people who have permission
  to run commands as that user (bsc#1181703, jsc#SLE-22569)
  * feature-upstream-restrict-sudo-U-other-l.patch
supportutils
- Spec file adjusted for usr-merge
- Changes to version 3.1.20
  + Added command blkid #114
  + Added s390x specific files and output #115
  + Fix for invalid argument during updates (bsc#1193204)
  + Optimized conf_files, conf_files_text and log_cmd functions #118
  + Fixed iscsi initiator name (bsc#1195797)
  + Added rpcinfo -p output #116
  + Included /etc/sssd/conf.d configuration files #100
- Changes to version 3.1.19
  + Made /proc directory and network names spaces configurable (bsc#1193868)
- Changes to version 3.1.19
  + Removed chronyc DNS lookups with -n switch (bsc#1193732)
- Merged Include udev rules in /lib/udev/rules.d/ #113
- Merged Move localmessage/warm logs out of messages.txt to new localwarn.txt #87
- getappcore identifies compressed core files (bsc#1191794)
- Installing to /usr/sbin instead of /sbin (bsc#1191096)
- Added shared memory as a log directory for emergency use (bsc#1190943)
- Fixed cron package for RPM validation (bsc#1190315)
- Updated spec file with correct URL
- Changes to version 3.1.18
  + Added email.txt based on OPTION_EMAIL #108 (bsc#1189028)
  + Include 'multipath -t' output in mpio.txt #105
  + Improved lsblk readability with --ascsi #106
  + Removed duplicate commands in network.txt
  + Remove duplicate firewalld status output #109
supportutils-plugin-suse-public-cloud
- Update to version 1.0.6 (bsc#1195095, bsc#1195096)
  + Include cloud-init logs whenever they are present
  + Update the packages we track in AWS, Azure, and Google
  + Include the ecs logs for AWS ECS instances
suse-build-key
- No longer install 1024bit keys by default. (bsc#1197293)
  - SLE11 key moved to documentation
  - old PTF (pre March 2022) moved to documentation only
- extended expiry of SUSE PTF key, move it to suse_ptf_key_old.asc
- added new SUSE PTF key with RSA2048 bit as suse_ptf_key.asc (bsc#1196494)
- extended expiry of SUSE SLES11 key (bsc#1194845)
- added SUSE Contaner signing key in PEM format for use e.g. by cosign.
- SUSE security key replaced with 2022 edition (E-Mail usage only). (bsc#1196495)
suseRegisterInfo
- version 4.1.4-1
  * require python macros for building
susemanager
- version 4.1.33-1
  * set default for registration batch size
- version 4.1.32-1
  * add additional default config values for forwarding registrations to SCC
susemanager-doc-indexes
- Added a warning about the origin of the salt-minion package in the
  Register on the Command Line (Salt) section of the Client
  Configuration Guide
- In the Client Configuration Guide, explain how you find channel
  names to register older SUSE Linux Enterprise clients.
- Added grub.cfg for GRUB 2 in the Upgrade chapter of the Client
  Configuration Guide
- In the Troubleshooting section of the Client Configuration Guide,
  SUSE Linux Enterprise Server 11 clients also require previous SSL
  versions installed on the server
susemanager-docs_en
- Added a warning about the origin of the salt-minion package in the
  Register on the Command Line (Salt) section of the Client
  Configuration Guide
- In the Client Configuration Guide, explain how you find channel
  names to register older SUSE Linux Enterprise clients.
- Added grub.cfg for GRUB 2 in the Upgrade chapter of the Client
  Configuration Guide
- In the Troubleshooting section of the Client Configuration Guide,
  SUSE Linux Enterprise Server 11 clients also require previous SSL
  versions installed on the server
susemanager-schema
- version 4.1.25-1
  * Continue with index migration when the expected indexes do not exist
    (bsc#1192566)
- version 4.1.24-1
  * Fix rhnChannelNewestPackageView in case there are duplicates (bsc#1193612)
  * DB schema to support forwarding data to SCC
susemanager-sls
- version 4.1.34-1
  * Improve `pkgset` beacon with using `salt.cache`
    to notify about the changes made while the minion was stopped
  * Align the code of pkgset beacon to prevent warnings (bsc#1194464)
- version 4.1.33-1
  * Fix errors on calling sed -E ... by force_restart_minion
    with action chains
  * Postgres exporter package was renamed
  * fix deprecation warnings
  * enforce correct minion configuration similar to bootstrapping
    (bsc#1192510)
- version 4.1.32-1
  * Run Prometheus JMX exporter as Java agent (bsc#1184617)
  * Fix problem installing/removing packages using action chains
    in transactional systems
  * Don't create skeleton /srv/salt/top.sls
  * Add missing compressed_hash value from Kiwi inspect (bsc#1191702)
systemd
- Import commit 5e7db68eb43ec3733c56e98262973431f57e2265
  4f00efadc7 systemd-coredump: allow setting external core size to infinity (bsc#1195899 jsc#SLE-23868 jsc#SLE-23870)
- Import commit c46bcb2df93c802f43e240ceb96eaf28027808a8
  28e379cc21 systemctl: exit with 1 if no unit files found (bsc#1193841)
* 60-io-scheduler.rules: add rules for virtual devices
    (boo#1193759)
  * 60-io-scheduler.rules: enforce "/none"/ for loop devices
    (boo#1193759)
systemd-presets-common-SUSE
- enable vgauthd service for VMWare by default (bsc#1195251)
systemd-rpm-macros
- Bump version to 11
- Make %_modprobedir point to /lib/modprobe.d (bsc#1196275 bsc#1196406)
  Until SLE15-SP3:QU2, /usr/lib/modprobe.d path was not supported by kmod and
  since SLE15-SP4 /etc/modprobe.d/README has references to /lib/modprobe.d...
- Bump version to 10
- %sysusers_create_inline was wrongly marked as deprecated
- %sysusers_create can be useful in certain cases and won't go away until we'll
  move to file triggers. So don't mark it as deprecated too
tcpdump
- Security fix: [bsc#1195825, CVE-2018-16301]
  * Fix segfault when handling large files
  * Add tcpdump-CVE-2018-16301.patch
timezone
- timezone update 2022a (bsc#1177460):
  * Palestine will spring forward on 2022-03-27, not -03-26*
  * zdump -v now outputs better failure indications
  * Bug fixes for code that reads corrupted TZif data
tomcat
- Security hardening. Deprecate getResources() and always return null. (bsc#1198136)
- Added patch: tomcat-9.0-hardening_getResources.patch
- Remove log4j (bsc#1196137)
- Fixed CVEs:
  * CVE-2022-23181: Make calculation of session storage location more robust (bsc#1195255)
- Added patches:
  * tomcat-9.0-CVE-2022-23181.patch
- Fix NPE in JNDIRealm, when userRoleAttribute is not set (bsc#1193569)
- Added patch:
  * tomcat-9.0-NPE-JNDIRealm.patch
update-alternatives
- break bash <-> update-alternatives cycle by coolo's rewrite
  of %post in lua [bsc#1195654]
util-linux
- Extend cache in uuid_generate_time_generic() (bsc#1194642#c51,
  util-linux-libuuid-extend-cache.patch).
- Prevent root owning of /var/lib/libuuid/clock.txt
  (bsc#1194642, util-linux-uuidd-prevent-root-owning.patch).
- Warn if uuidd lock state is not usable (bsc#1194642,
  util-linux-uuidd-check-lock-state.patch).
- Fix "/su -s"/ bash completion
  (bsc#1172427, util-linux-bash-completion-su-chsh-l.patch).
util-linux-systemd
- Extend cache in uuid_generate_time_generic() (bsc#1194642#c51,
  util-linux-libuuid-extend-cache.patch).
- Prevent root owning of /var/lib/libuuid/clock.txt
  (bsc#1194642, util-linux-uuidd-prevent-root-owning.patch).
- Warn if uuidd lock state is not usable (bsc#1194642,
  util-linux-uuidd-check-lock-state.patch).
- Fix "/su -s"/ bash completion
  (bsc#1172427, util-linux-bash-completion-su-chsh-l.patch).
uyuni-common-libs
- version 4.1.10-1
  * Read modularity data from DISTTAG tag as fallback (bsc#1192487)
  * require python macros for building
vim
- Minimal fix for Bug 1195004 - (CVE-2022-0318) VUL-0: CVE-2022-0318: vim:
  Heap-based Buffer Overflow in vim prior to 8.2.
  / vim-8.0.1568-CVE-2022-0413.patch
- Fixing bsc#1190570 CVE-2021-3796: vim: use-after-free in nv_replace() in
  normal.c / vim-8.0.1568-CVE-2021-3796.patch
- Fixing bsc#1191893 CVE-2021-3872: vim: heap-based buffer overflow in
  win_redr_status() drawscreen.c / vim-8.0.1568-CVE-2021-3872.patch
- Fixing bsc#1192481 CVE-2021-3927: vim: vim is vulnerable to
  Heap-based Buffer Overflow / vim-8.0.1568-CVE-2021-3927.patch
- Fixing bsc#1192478 CVE-2021-3928: vim: vim is vulnerable to
  Stack-based Buffer Overflow / vim-8.0.1568-CVE-2021-3928.patch
- Fixing bsc#1193294 CVE-2021-4019: vim: vim is vulnerable to
  Heap-based Buffer Overflow / vim-8.0.1568-CVE-2021-4019.patch
- Fixing bsc#1193298 CVE-2021-3984: vim: illegal memory access when C-indenting
  could lead to Heap Buffer Overflow / vim-8.0.1568-CVE-2021-3984.patch
- Fixing bsc#1190533 CVE-2021-3778: vim: Heap-based Buffer Overflow in regexp_nfa.c
  / vim-8.0.1568-CVE-2021-3778.patch
- Fixing bsc#1194216 CVE-2021-4193: vim: vulnerable to Out-of-bounds Read
  / vim-8.0.1568-CVE-2021-4193.patch
- Fixing bsc#1194556 CVE-2021-46059: vim: A Pointer Dereference vulnerability
  exists in Vim 8.2.3883 via the vim_regexec_multi function at regexp.c, which
  causes a denial of service. / vim-8.0.1568-CVE-2021-46059.patch
- Fixing bsc#1195066 CVE-2022-0319: vim: Out-of-bounds Read in vim/vim
  prior to 8.2. / vim-8.0.1568-CVE-2022-0319.patch
- Fixing bsc#1195126 CVE-2022-0351: vim: uncontrolled recursion in eval7()
  / vim-8.0.1568-CVE-2022-0351.patch
- Fixing bsc#1195202 CVE-2022-0361: vim: Heap-based Buffer Overflow in vim
  prior to 8.2. / vim-8.0.1568-CVE-2022-0361.patch
- Fixing bsc#1195356 CVE-2022-0413: vim: use after free in src/ex_cmds.c
  / vim-8.0.1568-CVE-2022-0413.patch
wicked
- fsm: fix device rename via yast (bsc#1194392)
  Reset worker config instead to reject a NULL/empty config
  xml node -- introduced in wicked 0.6.67 by commit c2a0385.
  [+ 0001-fsm-fix-device-rename-via-yast-bsc-1194392.patch]
- version 0.6.68
- sysctl: process sysctl.d directories as in sysctl --system
- sysctl: fix sysctl values for loopback device (bsc#1181163, bsc#1178357)
- dhcp4: add option to set route pref-src to dhcp IP (bsc#1192353)
- cleanup: warnings, time calculations and dhcp fixes (bsc#1188019)
- wireless: reconnect on unexpected wpa_supplicant restart (bsc#1183495)
- tuntap: avoid sysfs attr read error (bsc#1192311)
- ifstatus: fix warning of unexpected interface flag combination (bsc#1192164)
- dbus: config files in /usr shouldn't be marked as config in spec
- version 0.6.67
- dbus: install bus config in /usr (bsc#1183407,jsc#SLE-9750)
- logging: log reaped sub-process command and as debug, not error
- ifstatus: Don't show link as "/up"/ without RUNNING flag set
- firewalld: Make the zone assignment permanent (boo#1189560)
- fsm: cleanup and improve ifconfig and ifpolicy access utils
- dbus: cleanup the dbus-service.h file and unused property makros
- cleanup: applied code-spell run typo corrections
- dracut: initial fixes and improved option handling (boo#1182227)
- version 0.6.66
- wireless: migrate to wpa-supplicant v1 DBus interface (bsc#1156920)
  - support multiple networks configurations per interface
  - show connection status and scan-results (bsc#1160654)
  - corrected eap-tls,ttls cetificate handling and open vs. shared
    wep,open,psk,eap-tls,ttls,peap parsing from ifcfg (bsc#1057592)
  - cleanups and several other improvements, see changes
  - updated man ifcfg-wireless manual pages
- nanny: fix identify node owner exit condition
- schema: several xml-schema and dbus/property improvements
- utils: format/parse bitmap to array and string alternatives
- client: expose ethtool --get-permanent-address option
- removed sle15-sp3 patches included in the master sources (bsc#1181812)
  [- 0001-dhcp4-discover-on-reboot-timeout-after-start-delay.1181812.patch]
  [- 0002-dhcp6-request-nis-options-on-sle15-by-default.1181812.patch]
- dhcp4: discover on reboot timeout after start-delay (bsc#1181812)
  [+ 0001-dhcp4-discover-on-reboot-timeout-after-start-delay.1181812.patch]
- dhcp6: request nis options on sle15 by default (bsc#1181812)
  [+ 0002-dhcp6-request-nis-options-on-sle15-by-default.1181812.patch]
- version 0.6.65
- ifconfig: differentiate if to re-trigger dad on address updates (bsc#1177215)
- client: parse sysctl files in the correct order (bsc#1181186)
- ifup: fix for set up with unenslave from unconfigured master (boo#954329)
- rpm: prepare for new builds using usrmerged rpm macro (boo#1029961)
- rpm: Let wicked-service also provide service(network)
- cleanup: remove obsolete use-nanny=false (gh#openSUSE/wicked#815)
- dbus: add variant container, generic object-path and uint32 array macros
xen
- bsc#1197426 - VUL-0: CVE-2022-26358,CVE-2022-26359,
  CVE-2022-26360,CVE-2022-26361: xen: IOMMU: RMRR (VT-d) and unity
  map (AMD-Vi) handling issues (XSA-400)
  624ebcef-VT-d-dont-needlessly-look-up-DID.patch
  624ebd3b-VT-d-avoid-NULL-deref-on-dcmo-error-paths.patch
  624ebd74-VT-d-avoid-infinite-recursion-on-dcmo-error-path.patch
- bsc#1197423 - VUL-0: CVE-2022-26356: xen: Racy interactions
  between dirty vram tracking and paging log dirty hypercalls
  (XSA-397)
  xsa397.patch
- bsc#1197425 - VUL-0: CVE-2022-26357: xen: race in VT-d domain ID
  cleanup (XSA-399)
  xsa399.patch
- bsc#1197426 - VUL-0: CVE-2022-26358,CVE-2022-26359,
  CVE-2022-26360,CVE-2022-26361: xen: IOMMU: RMRR (VT-d) and unity
  map (AMD-Vi) handling issues (XSA-400)
  xsa400-00.patch
  xsa400-01.patch
  xsa400-02.patch
  xsa400-03.patch
  xsa400-04.patch
  xsa400-05.patch
  xsa400-06.patch
  xsa400-07.patch
  xsa400-08.patch
  xsa400-09.patch
  xsa400-10.patch
  xsa400-11.patch
- bsc#1196915 - VUL-0: CVE-2022-0001, CVE-2022-0002,CVE-2021-26401:
  xen: BHB speculation issues (XSA-398)
  xsa398-1.patch
  xsa398-2.patch
  xsa398-3.patch
  xsa398-4.patch
  xsa398-5.patch
  xsa398-6.patch
- bsc#1194576 - VUL-0: CVE-2022-23033: xen: arm:
  guest_physmap_remove_page not removing the p2m mappings (XSA-393)
  xsa393.patch
- bsc#1194581 - VUL-0: CVE-2022-23034: xen: a PV guest could DoS
  Xen while unmapping a grant (XSA-394)
  xsa394.patch
- bsc#1194588 - VUL-0: CVE-2022-23035: xen: insufficient cleanup of
  passed-through device IRQs (XSA-395)
  xsa395.patch
- bsc#1191668 - L3: issue around xl and virsh operation - virsh
  list not giving any output (see also bsc#1194267)
  libxl-dont-try-to-free-a-NULL-list-of-vcpus.patch
  libxl-dont-touch-nr_vcpus_out-if-listing-vcpus-and-returning-NULL.patch
- Collect active VM config files in the supportconfig plugin
  xen-supportconfig
- bsc#1191510 - [UEFI]15sp4 uefi fv guest on 12sp5 host unable to
  bootup with sriov pci device plugin
  5e15e174-libxl-dont-needlessly-report-highmem-in-use.patch
- Upstream bug fixes (bsc#1027519)
  616d66bd-x86-HVM-cleanup-after-failed-viridian_vcpu_init.patch
  616e7cfe-x86-paging-restrict-paddr-width-reported.patch
  619b7ac9-harden-assign_pages.patch
  619b8cb0-x86-PoD-misaligned-GFNs.patch
  619b8cb1-x86-PoD-intermediate-page-orders.patch
  619b8cb2-x86-P2M-set-partial-success.patch
- Drop xsa patches in favor of upstream versions
  xsa385.patch
  xsa388-1.patch
  xsa388-2.patch
  xsa389.patch
xerces-j2
- Fix infinite loop within Apache XercesJ xml parser (bsc#1195108,
  CVE-2022-23437)
  * Added patch xerces-j2-CVE-2022-23437.patch
xstream
- Upgrade to 1.4.19
  * Security fixes
    + This maintenance release addresses the security vulnerability
    CVE-2021-43859, bsc#1195458, when unmarshalling highly
    recursive collections or maps causing a Denial of Service.
  * API changes
    + Added c.t.x.XStream.COLLECTION_UPDATE_LIMIT and
    c.t.x.XStream.COLLECTION_UPDATE_SECONDS.
    + Added c.t.x.XStream.setCollectionUpdateLimit(int).
    + Added c.t.x.core.SecurityUtils.
    + Added c.t.x.security.AbstractSecurityException and
    c.t.x.security.InputManipulationException.
    + c.t.x.security.InputManipulationException derives now from
    c.t.x.security.AbstractSecurityException.
xz
- Fix ZDI-CAN-16587 Fix escaping of malicious filenames
  (ZDI-CAN-16587 bsc#1198062 CVE-2022-1271)
  * bsc1198062.patch
yaml-cpp
- Fix CVE-2018-20573 The Scanner:EnsureTokensInQueue function in yaml-cpp
  allows remote attackers to cause DOS via a crafted YAML file
  (CVE-2018-20573, bsc#1121227)
- Fix CVE-2018-20574 The SingleDocParser:HandleFlowMap function in
  yaml-cpp allows remote attackers to cause DOS via a crafted YAML file
  (CVE-2018-20574, bsc#1121230)
- Fix CVE-2019-6285 The SingleDocParser::HandleFlowSequence function in
  cpp allows remote attackers to cause DOS via a crafted YAML file
  (CVE-2019-6285, bsc#1122004)
- Fix CVE-2019-6292 An issue was discovered in singledocparser.cpp in
  yaml-cpp which cause DOS by stack consumption
  (CVE-2019-6292, bsc#1122021)
- Added patch cve-2018-20574.patch
yast2-add-on
- Restore the repo unexpanded URL to get it properly saved in
  the /etc/zypp/repos.d file (bsc#972046, bsc#1194851).
- 4.2.19
zlib
- CVE-2018-25032: Fix memory corruption on deflate, bsc#1197459
  * bsc1197459.patch
zsh
- Added CVE-2019-20044.patch: fixes insecure dropping of privileges when
  unsetting PRIVILEGED option (CVE-2019-20044 bsc#1163882)
- Added CVE-2021-45444.patch: fixes a vulnerability in prompt expansion which
  could be exploited through e.g.  VCS_Info to execute arbitrary shell
  commands (CVE-2021-45444 bsc#1196435)
zypper
- info: print the packages upstream URL if available (fixes #426)
- info: Fix SEGV with not installed PTFs (bsc#1196317)
- Don't prevent less restrictive umasks (bsc#1195999)
- version 1.14.52
- Singletrans: handle fatal and non-fatal script errors properly.
- Add SingleTransReportReceiver.
- Immediately write out additional rpm output.
- BuildRequires:  libzypp-devel >= 17.29.0.
  Need SingleTransReport and immediate rpm script output reports.
- version 1.14.51