aaa_base
- Add patch git-47-04210f8df15da0ba4d741cfe1693af06f5978a1d.patch
  * respect /etc/update-alternatives/java when setting JAVA_HOME
    (bsc#1215434,bsc#1107342)
apache2-mod_wsgi
- Use %posttrans instead of %post while adding the wsgi keyword.
  (bsc#1216411)
  * In systems where the former apache2-mod_wsgi-python3 is
    installed, the removal of the obsoleted apache2-mod_wsgi-python3
    and the installation of the new apache2-mod_wsgi did not
    preserve the keyword wsgi in the APACHE_MODULES variable.
apache2
- Security update:
  * Fix CVE-2023-31122 [bsc#1216424] mod_macro buffer over-read
  * Added apache2-CVE-2023-31122.patch
- Fix for bsc#1214357: apply the standard httpd content type handling
  to responses from the backend.
  * Added apache2-bsc1214357-mod_proxy_http2_apply-standard-content-type.patch

- Fix for SG#65054, bsc#1207399:
  Terminate threads before child exit.
  * apache2-core-mpm-add-hook-child_stopped-that-gets-called-whe.patch
  * apache2-core-prefork-run-new-hook-child_stopped-only-on-clea.patch
  * apache2-mod_watchdog-add-assertions-to-cleanup-code.patch
  * apache2-mod_watchdog-do-not-call-a-watchdog-instance-for.patch
  * apache2-mod_watchdog-replace-the-new-volatile-with-atomic-ac.patch
  * apache2-mod_watchdog-use-hook-child_stopping-to-signal-watch.patch
  * apache2-mod_watchdog-use-the-child_stopping-and-child_stoppe.patch
  * apache2-mpm-winnt-add-running-the-child_stopping-hook.patch
apparmor
- update zgrep profile to allow egrep helper use (bsc#1214458)
  - zgrep-profile-sync-with-master.diff
bind
- Update to release 9.16.44
  Security Fixes:
  * Previously, sending a specially crafted message over the
    control channel could cause the packet-parsing code to run out
    of available stack memory, causing named to terminate
    unexpectedly. This has been fixed. (CVE-2023-3341)
  [bsc#1215472]
binutils
- Update to version 2.41 [PED-5778]:
  * The MIPS port now supports the Sony Interactive Entertainment Allegrex
  processor, used with the PlayStation Portable, which implements the MIPS
  II ISA along with a single-precision FPU and a few implementation-specific
  integer instructions.
  * Objdump's --private option can now be used on PE format files to display the
  fields in the file header and section headers.
  * New versioned release of libsframe: libsframe.so.1.  This release introduces
  versioned symbols with version node name LIBSFRAME_1.0.  This release also
  updates the ABI in an incompatible way: this includes removal of
  sframe_get_funcdesc_with_addr API, change in the behavior of
  sframe_fre_get_ra_offset and sframe_fre_get_fp_offset APIs.
  * SFrame Version 2 is now the default (and only) format version supported by
  gas, ld, readelf and objdump.
  * Add command-line option, --strip-section-headers, to objcopy and strip to
  remove ELF section header from ELF file.
  * The RISC-V port now supports the following new standard extensions:
  - Zicond (conditional zero instructions)
  - Zfa (additional floating-point instructions)
  - Zvbb, Zvbc, Zvkg, Zvkned, Zvknh[ab], Zvksed, Zvksh, Zvkn, Zvknc, Zvkng,
    Zvks, Zvksc, Zvkg, Zvkt (vector crypto instructions)
  * The RISC-V port now supports the following vendor-defined extensions:
  - XVentanaCondOps
  * Add support for Intel FRED, LKGS and AMX-COMPLEX instructions.
  * A new .insn directive is recognized by x86 gas.
  * Add SME2 support to the AArch64 port.
  * The linker now accepts a command line option of --remap-inputs
  <PATTERN>=<FILE> to relace any input file that matches <PATTERN> with
  <FILE>.  In addition the option --remap-inputs-file=<FILE> can be used to
  specify a file containing any number of these remapping directives.
  * The linker command line option --print-map-locals can be used to include
  local symbols in a linker map.  (ELF targets only).
  * For most ELF based targets, if the --enable-linker-version option is used
  then the version of the linker will be inserted as a string into the .comment
  section.
  * The linker script syntax has a new command for output sections: ASCIZ "string"
  This will insert a zero-terminated string at the current location.
  * Add command-line option, -z nosectionheader, to omit ELF section
  header.
- Removed obsolete patches: binutils-2.40-branch.diff.gz,
  riscv-dynamic-tls-reloc-pie.patch, riscv-pr22263-1.patch,
  extensa-gcc-4_3-fix.diff .
- Add binutils-2.41-branch.diff.gz .
- Add binutils-old-makeinfo.diff for SLE-12 and older.
- Rebased aarch64-common-pagesize.patch and binutils-revert-rela.diff .
- Contains fixes for these non-CVEs (not security bugs per upstreams
  SECURITY.md):
  * bsc#1209642 aka CVE-2023-1579 aka PR29988
  * bsc#1210297 aka CVE-2023-1972 aka PR30285
  * bsc#1210733 aka CVE-2023-2222 aka PR29936
  * bsc#1213458 aka CVE-2021-32256 aka PR105039 (gcc)
  * bsc#1214565 aka CVE-2020-19726 aka PR26240
  * bsc#1214567 aka CVE-2022-35206 aka PR29290
  * bsc#1214579 aka CVE-2022-35205 aka PR29289
  * bsc#1214580 aka CVE-2022-44840 aka PR29732
  * bsc#1214604 aka CVE-2022-45703 aka PR29799
  * bsc#1214611 aka CVE-2022-48065 aka PR29925
  * bsc#1214619 aka CVE-2022-48064 aka PR29922
  * bsc#1214620 aka CVE-2022-48063 aka PR29924
  * bsc#1214623 aka CVE-2022-47696 aka PR29677
  * bsc#1214624 aka CVE-2022-47695 aka PR29846
  * bsc#1214625 aka CVE-2022-47673 aka PR29876
cloud-regionsrv-client
- Update to version 10.1.3 (bsc#1214801)
  + Add a warning if we detect a Python package cert bundle for certifi
    This will help with debugging and point to potential issues when
    using SUSE images in AWS, Azure, and GCE
cobbler
- Buildiso: copy grub into ESP using mtools to allow execution in containers

- Add mtools as dependency for Cobbler

- Fix EFI PXE boot regression (bsc#1214124)
- Fix isolinux.cfg generation in "cobbler buildiso" (bsc#1207330)
containerd
- Update to containerd v1.7.7. Upstream release notes:
  <https://github.com/containerd/containerd/releases/tag/v1.7.7>
- Add patch to fix build on SLE-12:
  + 0001-BUILD-SLE12-revert-btrfs-depend-on-kernel-UAPI-inste.patch

- Update to containerd v1.7.6 for Docker v24.0.6-ce. Upstream release notes:
  <https://github.com/containerd/containerd/releases/tag/v1.7.6> bsc#1215323

- Add `Provides: cri-runtime` to use containerd as container runtime in Factory
  Kubernetes packages
crypto-policies
- Make the supported versions change in the update-crypto-policies(8)
  man page persistent [bsc#1209998].
  * Add patch crypto-policies-supported.patch
  * Rebase patches:
  - crypto-policies-asciidoc.patch
  - crypto-policies-no-build-manpages.patch

- FIPS: Adapt the fips-mode-setup script to use the pbl command
  from the perl-Bootloader package to replace grubby. Add a note
  for transactional systems. Ship the man 8 pages for
  fips-mode-setup and fips-finish-install [jsc#PED-5041].
  * Rebase crypto-policies-FIPS.patch

- FIPS: Enable to set the kernel FIPS mode with fips-mode-setup
  and fips-finish-install commands, add also the man pages.
  * Adapt the fips-mode-setup script for SLE [jsc#PED-5041]
  * Rebase crypto-policies-FIPS.patch
  * Simplify the man pages creation:
  - Rebase crypto-policies-no-build-manpages.patch
  - Add crypto-policies-asciidoc.patch
curl
- Security fixes:
  * [bsc#1215888, CVE-2023-38545] SOCKS5 heap buffer overflow
  * [bsc#1215889, CVE-2023-38546] Cookie injection with none file
  * Add curl-CVE-2023-38545.patch curl-CVE-2023-38546.patch

- Security fix: [bsc#1215026, CVE-2023-38039]
  * http: return error when receiving too large header
  * Add curl-CVE-2023-38039.patch
glibc
- dl-map-segment-align-munmap.patch: elf: Align argument of __munmap to
  page size (bsc#1215891, BZ #28676)

- gai-merge-continue-actions.patch: Simplify allocations and fix merge and
  continue actions (CVE-2023-4813, bsc#1215286, BZ #28931)

- gb18030-2022.patch: add GB18030-2022 charmap (jsc#PED-4908, BZ #30243)

- nscd-netlink-cache-invalidation.patch: nscd: Fix netlink cache
  invalidation if epoll is used (bsc#1212910, BZ #29415)

- nss-files-hosts-v4mapped.patch: Restore lookup of IPv4 mapped addresses
  in files database (bsc#1212819, BZ #25457)

- remove-excessive-p-align-check.patch: elf: Remove excessive p_align
  check on PT_LOAD segments (bsc#1211829, BZ #28688)
- segment-align.patch: elf: Properly align PT_LOAD segments (bsc#1211829,
  BZ #28676)
- ld-so-always-use-map-copy.patch: ld.so: Always use MAP_COPY to map the
  first segment (BZ #30452)
grub2
- Fix failure to identify recent ext4 filesystem (bsc#1216010)
  * 0001-fs-ext2-Ignore-checksum-seed-incompat-feature.patch
  * 0001-fs-ext2-Ignore-the-large_dir-incompat-feature.patch
- Add patch to fix reading files from btrfs with "implicit" holes
  * 0001-fs-btrfs-Zero-file-data-not-backed-by-extents.patch

- Fix fadump not working with 1GB/2GB/4GB LMB[P10] (bsc#1216253)
  * 0001-kern-ieee1275-init-ppc64-Restrict-high-memory-in-pre.patch

- Fix detection of encrypted disk's uuid in powerpc to cope with logical disks
  when signed image installation is specified (bsc#1216075)
  * 0003-grub-install-support-prep-environment-block.patch
- grub2.spec: Add support to unlocking multiple encrypted disks in signed
  grub.elf image for logical disks

- Fix CVE-2023-4692 (bsc#1215935)
- Fix CVE-2023-4693 (bsc#1215936)
  * 0001-fs-ntfs-Fix-an-OOB-write-when-parsing-the-ATTRIBUTE_.patch
  * 0002-fs-ntfs-Fix-an-OOB-read-when-reading-data-from-the-r.patch
  * 0003-fs-ntfs-Fix-an-OOB-read-when-parsing-directory-entri.patch
  * 0004-fs-ntfs-Fix-an-OOB-read-when-parsing-bitmaps-for-ind.patch
  * 0005-fs-ntfs-Fix-an-OOB-read-when-parsing-a-volume-label.patch
  * 0006-fs-ntfs-Make-code-more-readable.patch
- Bump upstream SBAT generation to 4

- Fix a boot delay regression in PowerPC PXE boot (bsc#1201300)
  * 0001-ieee1275-ofdisk-retry-on-open-and-read-failure.patch
java-11-openjdk
- Configure with --with-native-debug-symbols=internal to enable
  generation of debuginfo packages

- Upgrade to upstrem tag jdk-11.0.21+9 (October 2023 CPU)
  * Security fixes:
    + JDK-8242330: Arrays should be cloned in several JAAS Callback
    classes
    + JDK-8284910: Buffer clean in PasswordCallback
    + JDK-8286503: Enhance security classes
    + JDK-8296581: Better system proxy support
    + JDK-8297856: Improve handling of Bidi characters
    + JDK-8309966, CVE-2023-22081, bsc#1216374: Enhanced TLS
    connections
    + JDK-8305815: Update Libpng to 1.6.39
    + JDK-8306881: Update FreeType to 2.13.0
  * Other fixes:
    + JDK-6176679: Application freezes when copying an animated gif
    image to the system clipboard
    + JDK-8023980: JCE doesn't provide any class to handle RSA
    private key in PKCS#1
    + JDK-8155246: Throw error if default java.security file is
    missing
    + JDK-8158880: test/java/time/tck/java/time/format/
    /TCKDateTimeFormatterBuilder.java fail with zh_CN locale
    + JDK-8168261: Use server cipher suites preference by default
    + JDK-8181383: com/sun/jdi/OptionTest.java fails intermittently
    with bind failed: Address already in use
    + JDK-8201516: DebugNonSafepoints generates incorrect
    information
    + JDK-8209398: sun/security/pkcs11/KeyStore/SecretKeysBasic.sh
    failed with "PKCS11Exception: CKR_ATTRIBUTE_SENSITIVE"
    + JDK-8211343: nsk_jvmti_parseoptions should handle multiple
    suboptions
    + JDK-8212045: Add back the tests that were removed from
    HashesTest.java and AddExportsTest.java
    + JDK-8216059: nsk_jvmti_parseoptions still has dependency on
    tilde separator
    + JDK-8217237: HttpClient does not deal well with multi-valued
    WWW-Authenticate challenge headers
    + JDK-8217395: Update langtools shell tests to use ${EXE_SUFFIX}
    + JDK-8217612: (CL)HSDB cannot show some JVM flags
    + JDK-8217850: CompressedClassSpaceSizeInJmapHeap fails after
    JDK-8217612
    + JDK-8218471: generate-unsafe-access-tests.sh does not
    correctly invoke build.tools.spp.Spp
    + JDK-8219628: [TESTBUG] javadoc/doclet/InheritDocForUserTags
    fails with -othervm
    + JDK-8220410: sun/security/tools/jarsigner/warnings/
    /NoTimestampTest.java failed with missing expected output
    + JDK-8221372: Test vmTestbase/nsk/jvmti/GetThreadState/
    /thrstat001/TestDescription.java times out
    + JDK-8222323: ChildAlwaysOnTopTest.java fails with
    "RuntimeException: Failed to unset alwaysOnTop"
    + JDK-8223573: Replace wildcard address with loopback or local
    host in tests - part 4
    + JDK-8223714: HTTPSetAuthenticatorTest could be made more
    resilient
    + JDK-8223783: sun/net/www/http/HttpClient/MultiThreadTest.java
    sometimes detect threads+1 connections
    + JDK-8223856: Replace wildcard address with loopback or local
    host in tests - part 8
    + JDK-8224617: (fs) java/nio/file/FileStore/Basic.java found
    filesystem twice
    + JDK-8224729: Cleanups in sun/security/provider/certpath/ldap/
    /LDAPCertStoreImpl.java
    + JDK-8224768: Test ActalisCA.java fails
    + JDK-8225012: sanity/client/SwingSet/src/ToolTipDemoTest.java
    fails on Windows
    + JDK-8226221: Update PKCS11 tests to use NSS 3.46 libs
    + JDK-8228341: SignTwice.java fails intermittently on Windows
    + JDK-8228403: SignTwice.java failed with
    java.io.FileNotFoundException: File name too long
    + JDK-8229147: Linux os::create_thread() overcounts guardpage
    size with newer glibc (>=2.27)
    + JDK-8229333: java/io/File/SetLastModified.java timed out
    + JDK-8229338: clean up
    test/jdk/java/util/RandomAccess/Basic.java
    + JDK-8229348: java/net/DatagramSocket/
    /UnreferencedDatagramSockets.java fails intermittently
    + JDK-8229481: sun/net/www/protocol/https/
    /ChunkedOutputStream.java failed with a SSLException
    + JDK-8229912: [TESTBUG] java/net/Socks/SocksIPv6Test fails
    without IPv6
    + JDK-8230132: java/net/NetworkInterface/
    /NetworkInterfaceRetrievalTests.java to skip Teredo Tunneling
    Pseudo-Interface
    + JDK-8231037: java/net/InetAddress/ptr/Lookup.java fails
    intermittently due to reverse lookup failed
    + JDK-8231357: sun/security/pkcs11/Cipher/TestKATForGCM.java
    fails on SLES11 using mozilla-nss-3.14
    + JDK-8231516: network QuickAckTest.java failed due to
    "SocketException: maximum number of DatagramSockets reached"
    + JDK-8232101: (sctp) Add minimal sanity tests for SCTP
    + JDK-8232195: Enable BigInteger tests: DivisionOverflow,
    SymmetricRangeTests and StringConstructorOverflow
    + JDK-8232840: java/math/BigInteger/largeMemory/
    /SymmetricRangeTests.java fails due to "OutOfMemoryError:
    Requested array size exceeds VM limit"
    + JDK-8232922: Add java/math/BigInteger/largeMemory/
    /SymmetricRangeTests.java to ProblemList-Xcomp
    + JDK-8234808: jdb quoted option parsing broken
    + JDK-8236045: [TESTBUG] MismatchedWhiteBox test fails with
    missing WhiteBox$WhiteBoxPermission.class
    + JDK-8237183: Bug ID missing for test in patch which fixed
    JDK-8230665
    + JDK-8238157: security/infra/java/security/cert/
    /CertPathValidator/certification/AmazonCA.java test failures
    because of revocation date
    + JDK-8239007: java/math/BigInteger/largeMemory/ tests should
    be disabled on 32-bit platforms
    + JDK-8239264: Clearup the legacy ObjectIdentifier constructor
    from int array
    + JDK-8239333: Mark test AmazonCA.java with intermittent key
    + JDK-8239537: cgroup MetricsTester testMemorySubsystem fails
    sometimes when testing memory.kmem.tcp.usage_in_bytes
    + JDK-8240193: loadLibrary("osxsecurity") should not be removed
    + JDK-8241097: java/math/BigInteger/largeMemory/
    /SymmetricRangeTests.java requires -XX:+CompactStrings
    + JDK-8242151: Improve OID mapping and reuse among JDK security
    providers for aliases registration
    + JDK-8242897: KeyFactory.generatePublic( x509Spec ) failed
    with java.security.InvalidKeyException
    + JDK-8243210: ClhsdbScanOops fails with NullPointerException
    in FileMapHeader.inCopiedVtableSpace
    + JDK-8244078: ProcessTools executeTestJvm and
    createJavaProcessBuilder have inconsistent handling of
    test.*.opts
    + JDK-8247895: SHA1PRNGReseed.java is calling setSeed(0)
    + JDK-8247968: test/jdk/javax/crypto/SecretKeyFactory/
    /security.properties has wrong header
    + JDK-8248001: javadoc generates invalid HTML pages whose
    ftp:// links are broken
    + JDK-8249699: java/io/ByteArrayOutputStream/MaxCapacity.java
    should use @requires instead of @ignore
    + JDK-8251517: [TESTBUG] com/sun/net/httpserver/bugs/
    /B6393710.java does not scale socket timeout
    + JDK-8252530: Fix inconsistencies in hotspot whitebox
    + JDK-8254350: CompletableFuture.get may swallow
    InterruptedException
    + JDK-8255348: NPE in PKIXCertPathValidator event logging code
    + JDK-8257993: vmTestbase/nsk/jvmti/RedefineClasses/
    /StressRedefine/TestDescription.java crash intermittently
    + JDK-8259796: timed CompletableFuture.get may swallow
    InterruptedException
    + JDK-8260274: Cipher.init(int, key) does not use highest
    priority provider for random bytes
    + JDK-8260878: com/sun/jdi/JdbOptions.java fails without jfr
    + JDK-8260934: java/lang/StringBuilder/HugeCapacity.java fails
    without Compact Strings
    + JDK-8263970: Manual test javax/swing/JTextField/
    /JapaneseReadingAttributes/JapaneseReadingAttributes.java
    failed
    + JDK-8265980: Fix systemDictionary and loaderConstraints
    printing
    + JDK-8268457: XML Transformer outputs Unicode supplementary
    character incorrectly to HTML
    + JDK-8268464: Remove dependancy of TestHttpsServer,
    HttpTransaction, HttpCallback from
    open/test/jdk/sun/net/www/protocol/https/ tests
    + JDK-8269091: javax/sound/sampled/Clip/SetPositionHang.java
    failed with ArrayIndexOutOfBoundsException: Array index out of
    range: -4
    + JDK-8270331: [TESTBUG] Error: Not a test or directory
    containing tests: java/awt/print/PrinterJob/InitToBlack.java
    + JDK-8271838: AmazonCA.java interop test fails
    + JDK-8273807: Zero: Drop incorrect test block from
    compiler/startup/NumCompilerThreadsCheck.java
    + JDK-8274205: Handle KDC_ERR_SVC_UNAVAILABLE error code from
    KDC
    + JDK-8274606: Fix jaxp/javax/xml/jaxp/unittest/transform/
    /SurrogateTest.java test
    + JDK-8275234: java/awt/GraphicsDevice/DisplayModes/
    /CycleDMImage.java is entered twice in ProblemList
    + JDK-8275303: sun/java2d/pipe/InterpolationQualityTest.java
    fails with D3D basic render driver
    + JDK-8276651: java/lang/ProcessHandle tests fail with
    "RuntimeException: Input/output error" in
    java.lang.ProcessHandleImpl$Info.info0
    + JDK-8277353: java/security/MessageDigest/
    /ThreadSafetyTest.java test times out
    + JDK-8279536: jdk/nio/zipfs/ZipFSOutputStreamTest.java timed
    out
    + JDK-8283756: (zipfs) ZipFSOutputStreamTest.testOutputStream
    should only check inflated bytes
    + JDK-8284524: Create an automated test for JDK-4422362
    + JDK-8284767: Create an automated test for JDK-4422535
    + JDK-8284772: GHA: Use GCC Major Version Dependencies Only
    + JDK-8285635: javax/swing/JRootPane/DefaultButtonTest.java
    failed with Default Button not pressed for L&F:
    com.sun.java.swing.plaf.motif.MotifLookAndFeel
    + JDK-8286172: Create an automated test for JDK-4516019
    + JDK-8286481: Exception printed to stdout on Windows when
    storing transparent image in clipboard
    + JDK-8286620: Create regression test for verifying setMargin()
    of JRadioButton
    + JDK-8289508: Improve test coverage for XPath Axes: ancestor,
    ancestor-or-self, preceding, and preceding-sibling
    + JDK-8289748: C2 compiled code crashes with SIGFPE with
  - XX:+StressLCM and -XX:+StressGCM
    + JDK-8291444: GHA builds/tests won't run manually if disabled
    from automatic running
    + JDK-8291830: jvmti/RedefineClasses/StressRedefine failed:
    assert(!is_null(v)) failed: narrow klass value can never be
    zero
    + JDK-8292033: Move jdk.X509Certificate event logic to JCA layer
    + JDK-8292297: Fix up loading of override java.security
    properties file
    + JDK-8292443: Weak CAS VarHandle/Unsafe tests should test
    always-failing cases
    + JDK-8293180: JQuery UI license file not updated
    + JDK-8293562: KeepAliveCache Blocks Threads while Closing
    Connections
    + JDK-8293657: sun/management/jmxremote/bootstrap/
    /RmiBootstrapTest.java#id1 failed with "SSLHandshakeException:
    Remote host terminated the handshake"
    + JDK-8293858: Change PKCS7 code to use default SecureRandom
    impl instead of SHA1PRNG
    + JDK-8295737: macOS: Print content cut off when width > height
    with portrait orientation
    + JDK-8295894: Remove SECOM certificate that is expiring in
    September 2023
    + JDK-8296084: javax/swing/JSpinner/4788637/bug4788637.java
    fails intermittently on a VM
    + JDK-8297437: javadoc cannot link to old docs (with old style
    anchors)
    + JDK-8297523: Various GetPrimitiveArrayCritical miss result -
    NULL check
    + JDK-8297587: Upgrade JLine to 3.22.0
    + JDK-8297681: Unnecessary color conversion during
    4BYTE_ABGR_PRE to INT_ARGB_PRE blit
    + JDK-8297730: C2: Arraycopy intrinsic throws incorrect
    exception
    + JDK-8297887: Update Siphash
    + JDK-8297923: java.awt.ScrollPane broken after multiple scroll
    up/down
    + JDK-8297955: LDAP CertStore should use LdapName and not
    String for DNs
    + JDK-8298921: Create a regression test for JDK-8139581
    + JDK-8298974: Add ftcolor.c to imported freetype sources
    + JDK-8299424: containers/docker/TestMemoryWithCgroupV1.java
    fails on SLES12 ppc64le when testing Memory and Swap Limit
    + JDK-8299658: C1 compilation crashes in
    LinearScan::resolve_exception_edge
    + JDK-8299713: Test javax/swing/JTableHeader/6889007/
    /bug6889007.java failed: Wrong type of cursor
    + JDK-8300098: java/util/concurrent/ConcurrentHashMap/
    /ConcurrentAssociateTest.java fails with internal timeout when
    executed with TieredCompilation1/3
    + JDK-8300659: Refactor TestMemoryAwareness to use WhiteBox api
    for host values
    + JDK-8300751: [17u] Remove duplicate entry in javac.properties
    + JDK-8301269: Update Commons BCEL to Version 6.7.0
    + JDK-8301491: C2: java.lang.StringUTF16::indexOfChar intrinsic
    called with negative character argument
    + JDK-8301700: Increase the default TLS Diffie-Hellman group
    size from 1024-bit to 2048-bit
    + JDK-8301959: Compile command in
    compiler.loopopts.TestRemoveEmptyCountedLoop does not work
    + JDK-8302161: Upgrade jQuery UI to version 1.13.2
    + JDK-8302182: Update Public Suffix List to 88467c9
    + JDK-8303511: C2: assert(get_ctrl(n) == cle_out) during
    unrolling
    + JDK-8303809: Dispose context in SPNEGO NegotiatorImpl
    + JDK-8304054: Linux: NullPointerException from
    FontConfiguration.getVersion in case no fonts are installed
    + JDK-8304498: JShell does not switch to raw mode when there is
    no /bin/test
    + JDK-8304867: Explicitly disable dtrace for ppc builds
    + JDK-8305074: ProblemList
    javax/net/ssl/DTLS/RespondToRetransmit.java
    + JDK-8305421: Work around JDK-8305420 in CDSJDITest.java
    + JDK-8305763: Parsing a URI with an underscore goes through a
    silent exception, negatively impacting performance
    + JDK-8305766: ProblemList runtime/CompressedOops/
    /CompressedClassPointers.java
    + JDK-8305950: Have -XshowSettings option display tzdata version
    + JDK-8306133: Open source few AWT Drag & Drop related tests
    + JDK-8306137: Open source several AWT ScrollPane related tests
    + JDK-8306484: Open source several AWT Choice jtreg tests
    + JDK-8306636: Disable compiler/c2/Test6905845.java with
  - XX:TieredStopAtLevel=3
    + JDK-8306638: Open source some AWT tests related to
    datatransfer and Toolkit
    + JDK-8306682: Open source a few more AWT Choice tests
    + JDK-8306718: Optimize and opensource some old AWT tests
    + JDK-8306954: Open source five Focus related tests
    + JDK-8306955: Open source several JComboBox jtreg tests
    + JDK-8307078: Opensource and clean up five more AWT Focus
    related tests
    + JDK-8307080: Open source some more JComboBox jtreg tests
    + JDK-8307128: Open source some drag and drop tests 4
    + JDK-8307133: Open source some JTable jtreg tests
    + JDK-8307135: java/awt/dnd/NotReallySerializableTest/
    /NotReallySerializableTest.java failed
    + JDK-8307301: Update HarfBuzz to 7.2.0
    + JDK-8307569: Build with gcc8 is broken after JDK-8307301
    + JDK-8307572: AArch64: Vector registers are clobbered by some
    macroassemblers
    + JDK-8307603: [AIX] Broken build after JDK-8307301
    + JDK-8307604: gcc12 based Alpine build broken build after
    JDK-8307301
    + JDK-8307799: Newly added java/awt/dnd/MozillaDnDTest.java has
    invalid jtreg `@requires` clause
    + JDK-8308156: VerifyCACerts.java misses blank in error output
    + JDK-8309088: security/infra/java/security/cert/
    /CertPathValidator/certification/AmazonCA.java fails
    + JDK-8309108: Bump update version for OpenJDK: jdk-11.0.21
    + JDK-8309138: Fix container tests for jdks with symlinked conf
    dir
    + JDK-8310054: ScrollPane insets are incorrect
    + JDK-8310176: JDK 11 G1 crash during full GC with
    +UseStringDeduplication
    + JDK-8310620: [11u] Problemlist failing aot tests on macos x64
    + JDK-8311033: [macos] PrinterJob does not take into account
    Sides attribute
    + JDK-8311689: Wrong visible amount in Adjustable of ScrollPane
    + JDK-8312138: jcmd VM.metaspace vslist has no newline
    character before the Class: label.
    + JDK-8312555: Ideographic characters aren't stretched by
    AffineTransform.scale(2, 1)
    + JDK-8313159: [11u] Fix test SSLEngineKeyLimit.java after
    Merge error
    + JDK-8313765: Invalid CEN header (invalid zip64 extra data
    field size)
    + JDK-8313796: AsyncGetCallTrace crash on unreadable
    interpreter method pointer
    + JDK-8313803: [11u] Exclude jdk/jfr/event/sampling/
    /TestStackFrameLineNumbers.java
    + JDK-8313878: Exclude two compiler/rtm/locking tests on ppc64le
    + JDK-8314086: [11u] A typo in the fix for JDK-8312462 is
    causing test failure in ChildAlwaysOnTopTest.java
    + JDK-8314950: CMS may miss NMT tag after mark stack expansion
    + JDK-8314960: Add Certigna Root CA - 2
    + JDK-8315135: Memory leak in the native implementation of
    Pack200.Unpacker.unpack()
    + JDK-8315529: [11u] Exclude some failing Z-GC tests
    + JDK-8317040: Exclude cleaner test failing on older releases
    + JDK-8317644: [11u] Remove designator
    DEFAULT_PROMOTED_VERSION_PRE=ea for release 11.0.21
- Modified patches:
  * adlc-parser.patch
    + extend to initialize all the members to NULL
  * fips.patch
  * nss-security-provider.patch
  * reproducible-javadoc-timestamp.patch
    + rediff

- Compiler flags to realign stack on ix86 (bsc#1214790)

- Added patch:
  * reproducible-properties.patch
    + use SOURCE_DATE_EPOCH for timestamp in the generated
    properties files
kernel-default
- netfilter: nf_tables: skip bound chain on rule flush
  (bsc#1215095 CVE-2023-3777).
- commit afb7c25

- Update
  patches.suse/0001-x86-sev-Disable-MMIO-emulation-from-user-mode.patch
  (bsc#1212649 CVE-2023-46813).
- Update
  patches.suse/0002-x86-sev-Check-IOBM-for-IOIO-exceptions-from-user-spa.patch
  (bsc#1212649 CVE-2023-46813).
- Update
  patches.suse/0003-x86-sev-Check-for-user-space-IOIO-pointing-to-kernel.patch
  (bsc#1212649 CVE-2023-46813).
- commit dd6a315

- quota: Fix slow quotaoff (bsc#1216621).
- commit 988e5f4

- x86/sev: Check for user-space IOIO pointing to kernel space
  (bsc#1212649).
- commit 816f817

- x86/sev: Check IOBM for IOIO exceptions from user-space
  (bsc#1212649).
- commit 2b69036

- x86/sev: Disable MMIO emulation from user mode (bsc#1212649).
- commit 5dae47e

- phy: mapphone-mdm6600: Fix pinctrl_pm handling for sleep pins
  (git-fixes).
- phy: mapphone-mdm6600: Fix runtime PM for remove (git-fixes).
- phy: mapphone-mdm6600: Fix runtime disable on probe (git-fixes).
- gpio: vf610: set value before the direction to avoid a glitch
  (git-fixes).
- platform/surface: platform_profile: Propagate error if profile
  registration fails (git-fixes).
- platform/x86: asus-wmi: Map 0x2a code, Ignore 0x2b and 0x2c
  events (git-fixes).
- platform/x86: asus-wmi: Change ASUS_WMI_BRN_DOWN code from
  0x20 to 0x2e (git-fixes).
- USB: serial: option: add Fibocom to DELL custom modem FM101R-GL
  (git-fixes).
- USB: serial: option: add entry for Sierra EM9191 with new
  firmware (git-fixes).
- USB: serial: option: add Telit LE910C4-WWX 0x1035 composition
  (git-fixes).
- mmc: core: Capture correct oemid-bits for eMMC cards
  (git-fixes).
- Bluetooth: hci_sock: Correctly bounds check and pad
  HCI_MON_NEW_INDEX name (git-fixes).
- Bluetooth: avoid memcmp() out of bounds warning (git-fixes).
- Bluetooth: hci_sock: fix slab oob read in create_monitor_event
  (git-fixes).
- Bluetooth: hci_event: Fix coding style (git-fixes).
- Bluetooth: Reject connection with the device which has same
  BD_ADDR (git-fixes).
- Bluetooth: vhci: Fix race when opening vhci device (git-fixes).
- platform/x86: touchscreen_dmi: Add info for the Positivo C4128B
  (git-fixes).
- drm: panel-orientation-quirks: Add quirk for One Mix 2S
  (git-fixes).
- HID: multitouch: Add required quirk for Synaptics 0xcd7e device
  (git-fixes).
- HID: holtek: fix slab-out-of-bounds Write in
  holtek_kbd_input_event (git-fixes).
- wifi: cfg80211: avoid leaking stack data into trace (git-fixes).
- wifi: mac80211: allow transmitting EAPOL frames with tainted
  key (git-fixes).
- wifi: cfg80211: Fix 6GHz scan configuration (git-fixes).
- wifi: iwlwifi: Ensure ack flag is properly cleared (git-fixes).
- wifi: mwifiex: Sanity check tlv_len and tlv_bitmap_len
  (git-fixes).
- Bluetooth: Avoid redundant authentication (git-fixes).
- Bluetooth: btusb: add shutdown function for QCA6174 (git-fixes).
- i2c: mux: Avoid potential false error message in
  i2c_mux_add_adapter (git-fixes).
- gpio: timberdale: Fix potential deadlock on &tgpio->lock
  (git-fixes).
- commit b480af6

- nvme-fc: Prevent null pointer dereference in
  nvme_fc_io_getuuid() (bsc#1214842).
- commit 3b513db

- ubi: Refuse attaching if mtd's erasesize is 0 (CVE-2023-31085
  bsc#1210778).
- commit 86e05f1

- Update
  patches.suse/USB-ene_usb6250-Allocate-enough-memory-for-full-obje.patch
  (bsc#1216051 CVE-2023-45862).
  Retroactively recognized as a security issue
- commit 716929e

- KVM: s390: fix gisa destroy operation might lead to cpu stalls
  (git-fixes bsc#1216512).
- commit 3976fa9

- s390/pci: fix iommu bitmap allocation (git-fixes bsc#1216511).
- commit 2bb6835

- s390/cio: fix a memleak in css_alloc_subchannel (git-fixes
  bsc#1216510).
- commit d475feb

- ACPI: irq: Fix incorrect return value in acpi_register_gsi()
  (git-fixes).
- Revert "pinctrl: avoid unsafe code pattern in find_pinctrl()"
  (git-fixes).
- mtd: rawnand: qcom: Unmap the right resource upon probe failure
  (git-fixes).
- mtd: rawnand: pl353: Ensure program page operations are
  successful (git-fixes).
- mtd: rawnand: arasan: Ensure program page operations are
  successful (git-fixes).
- mtd: spinand: micron: correct bitmask for ecc status
  (git-fixes).
- mtd: physmap-core: Restore map_rom fallback (git-fixes).
- mtd: rawnand: marvell: Ensure program page operations are
  successful (git-fixes).
- mmc: mtk-sd: Use readl_poll_timeout_atomic in msdc_reset_hw
  (git-fixes).
- mmc: core: sdio: hold retuning if sdio in 1-bit mode
  (git-fixes).
- ASoC: codecs: wcd938x-sdw: fix runtime PM imbalance on probe
  errors (git-fixes).
- ASoC: codecs: wcd938x-sdw: fix use after free on driver unbind
  (git-fixes).
- ASoC: codecs: wcd938x: fix unbind tear down order (git-fixes).
- ASoC: codecs: wcd938x: drop bogus bind error handling
  (git-fixes).
- ASoC: pxa: fix a memory leak in probe() (git-fixes).
- drm/i915: Retry gtt fault when out of fence registers
  (git-fixes).
- commit 766bf5d

- net/sched: fix netdevice reference leaks in
  attach_default_qdiscs() (git-fixes).
- commit 31c27cf

- net: sched: add barrier to fix packet stuck problem for lockless
  qdisc (bsc#1216345).
- commit 508758e

- net: sched: fixed barrier to prevent skbuff sticking in qdisc
  backlog (bsc#1216345).
- commit 839637c

- Fix metadata references
- commit 42e4c9a

- net: rfkill: gpio: prevent value glitch during probe
  (git-fixes).
- net: usb: smsc95xx: Fix an error code in smsc95xx_reset()
  (git-fixes).
- gve: Do not fully free QPL pages on prefill errors (git-fixes).
- Bluetooth: hci_event: Fix using memcmp when comparing keys
  (git-fixes).
- Bluetooth: Fix a refcnt underflow problem for hci_conn
  (git-fixes).
- Bluetooth: hci_event: Ignore NULL link key (git-fixes).
- nfc: nci: fix possible NULL pointer dereference in
  send_acknowledge() (git-fixes).
- thunderbolt: Check that lane 1 is in CL0 before enabling lane
  bonding (git-fixes).
- thunderbolt: Workaround an IOMMU fault on certain systems with
  Intel Maple Ridge (git-fixes).
- Input: powermate - fix use-after-free in
  powermate_config_complete (git-fixes).
- Input: xpad - add PXN V900 support (git-fixes).
- Input: goodix - ensure int GPIO is in input for gpio_count ==
  1 && gpio_int_idx == 0 case (git-fixes).
- ACPI: resource: Skip IRQ override on ASUS ExpertBook B1402CBA
  (git-fixes).
- drm/amdgpu: add missing NULL check (git-fixes).
- drm/amd/display: Don't set dpms_off for seamless boot
  (git-fixes).
- pinctrl: avoid unsafe code pattern in find_pinctrl()
  (git-fixes).
- HID: logitech-hidpp: Fix kernel crash on receiver USB disconnect
  (git-fixes).
- ALSA: usb-audio: Fix microphone sound on Opencomm2 Headset
  (git-fixes).
- commit e8f9edc

- sched/rt: Fix live lock between select_fallback_rq() and RT push
  (git fixes (sched)).
- sched/rt: Fix sysctl_sched_rr_timeslice intial value (git fixes
  (sched)).
- commit a2350c1

- blacklist.conf: Applies only to RCU tiny configurations
- commit 1d1726b

- blacklist.conf: Cosmetic change for !SMP configurations
- commit c9d6cc0

- blacklist.conf: KABI hazard, only backport in response to a customer bug to justify the complexity
- commit 96bc817

- sched/deadline,rt: Remove unused parameter from
  pick_next_[rt|dl]_entity() (git fixes (sched)).
- Refresh
  patches.suse/sched-rt-pick_next_rt_entity-check-list_entry.patch.
- commit d7f894e

- regmap: fix NULL deref on lookup (git-fixes).
- usb: typec: altmodes/displayport: Signal hpd low when exiting
  mode (git-fixes).
- usb: xhci: xhci-ring: Use sysdev for mapping bounce buffer
  (git-fixes).
- usb: gadget: udc-xilinx: replace memcpy with memcpy_toio
  (git-fixes).
- usb: dwc3: Soft reset phy on probe for host (git-fixes).
- usb: gadget: ncm: Handle decoding of multiple NTB's in unwrap
  call (git-fixes).
- usb: musb: Get the musb_qh poniter after musb_giveback
  (git-fixes).
- usb: musb: Modify the "HWVers" register address (git-fixes).
- usb: cdnsp: Fixes issue with dequeuing not queued requests
  (git-fixes).
- iio: pressure: ms5611: ms5611_prom_is_valid false negative bug
  (git-fixes).
- iio: pressure: dps310: Adjust Timeout Settings (git-fixes).
- iio: pressure: bmp280: Fix NULL pointer exception (git-fixes).
- counter: microchip-tcb-capture: Fix the use of internal GCLK
  logic (git-fixes).
- Input: psmouse - fix fast_reconnect function for PS/2 mode
  (git-fixes).
- dmaengine: stm32-mdma: abort resume if no ongoing transfer
  (git-fixes).
- dmaengine: mediatek: Fix deadlock caused by synchronize_irq()
  (git-fixes).
- dmaengine: idxd: use spin_lock_irqsave before
  wait_event_lock_irq (git-fixes).
- drm/msm/dpu: change _dpu_plane_calc_bw() to use u64 to avoid
  overflow (git-fixes).
- drm/msm/dsi: fix irq_of_parse_and_map() error checking
  (git-fixes).
- drm/msm/dsi: skip the wait for video mode done if not applicable
  (git-fixes).
- drm/msm/dp: do not reinitialize phy unless retry during link
  training (git-fixes).
- drm/vmwgfx: fix typo of sizeof argument (git-fixes).
- nfc: nci: assert requested protocol is valid (git-fixes).
- ieee802154: ca8210: Fix a potential UAF in ca8210_probe
  (git-fixes).
- pinctrl: renesas: rzn1: Enable missing PINMUX (git-fixes).
- ALSA: hda/realtek: Change model for Intel RVP board (git-fixes).
- commit 7f63276

- netfilter: nf_tables: unbind non-anonymous set if rule
  construction fails (git-fixes).
- commit b7f718b

- KVM: SVM: Don't kill SEV guest if SMAP erratum triggers in
  usermode (git-fixes).
- commit 5316d19

- KVM: x86/mmu: Reconstruct shadow page root if the guest PDPTEs
  is changed (git-fixes).
- commit 1d58a92

- vringh: don't use vringh_kiov_advance() in vringh_iov_xfer()
  (git-fixes).
- commit d4a31a2

- 9p: virtio: make sure 'offs' is initialized in zc_request
  (git-fixes).
- commit 66e7266

- Update config files: unset CONFIG_DEBUG_FORCE_FUNCTION_ALIGN_64B
  for Arm
  Configuration option CONFIG_DEBUG_FORCE_FUNCTION_ALIGN_64B=y is used
  only in the armv7hl + arm64 configurations and appears to be a relic
  from the update procedure in commit 98da1c5f42d ("SLE15-SP4: Update the
  base kernel version to 5.14.").
  Unset it because the option is intended for debugging, not really useful
  for production and makes the text size of vmlinux unnecessarily bigger
  by ~10%
- commit 4229357

- xen-netback: use default TX queue size for vifs (git-fixes).
- commit 84805af

- netfilter: nf_tables: skip immediate deactivate in
  _PREPARE_ERROR (CVE-2023-39193 bsc#1215860).
- commit 6c937af

- kabi: workaround for enum nft_trans_phase (bsc#1215104).
- commit 0a3d3d4

- netfilter: nf_tables: add NFT_TRANS_PREPARE_ERROR to deal with
  bound set/chain (git-fixes).
- commit 2e62a61

- Update metadata
- commit e780ccd

- net: usb: dm9601: fix uninitialized variable use in
  dm9601_mdio_read (git-fixes).
- commit 236df4a

- crypto: qat - fix crypto capability detection for 4xxx
  (PED-6401).
- crypto: qat - Remove unused function declarations (PED-6401).
- crypto: qat - use kfree_sensitive instead of memset/kfree()
  (PED-6401).
- crypto: qat - replace the if statement with min() (PED-6401).
- crypto: qat - add heartbeat counters check (PED-6401).
- crypto: qat - add heartbeat feature (PED-6401).
- crypto: qat - add measure clock frequency (PED-6401).
- crypto: qat - drop obsolete heartbeat interface (PED-6401).
- crypto: qat - add internal timer for qat 4xxx (PED-6401).
- crypto: qat - add fw_counters debugfs file (PED-6401).
- crypto: qat - change value of default idle filter (PED-6401).
- crypto: qat - do not export adf_init_admin_pm() (PED-6401).
- crypto: qat - expose pm_idle_enabled through sysfs (PED-6401).
- crypto: qat - extend configuration for 4xxx (PED-6401).
- crypto: qat - refactor fw config logic for 4xxx (PED-6401).
- crypto: qat - make fw images name constant (PED-6401).
- crypto: qat - move returns to default case (PED-6401).
- crypto: qat - unmap buffers before free for RSA (PED-6401).
- crypto: qat - unmap buffer before free for DH (PED-6401).
- crypto: qat - update slice mask for 4xxx devices (PED-6401).
- crypto: qat - set deprecated capabilities as reserved
  (PED-6401).
- crypto: qat - add missing function declaration in adf_dbgfs.h
  (PED-6401).
- crypto: qat - move dbgfs init to separate file (PED-6401).
- crypto: qat - drop redundant adf_enable_aer() (PED-6401).
- crypto: qat - fix apply custom thread-service mapping for dc
  service (PED-6401).
- crypto: qat - add support for 402xx devices (PED-6401).
- crypto: qat - make state machine functions static (PED-6401).
- crypto: qat - refactor device restart logic (PED-6401).
- crypto: qat - replace state machine calls (PED-6401).
- crypto: qat - fix concurrency issue when device state changes
  (PED-6401).
- crypto: qat - delay sysfs initialization (PED-6401).
- crypto: qat - Include algapi.h for low-level Crypto API
  (PED-6401).
- crypto: qat - drop log level of msg in get_instance_node()
  (PED-6401).
- Documentation: qat: change kernel version (PED-6401).
- crypto: qat - add qat_zlib_deflate (PED-6401).
- crypto: qat - extend buffer list logic interface (PED-6401).
- crypto: qat - fix spelling mistakes from 'bufer' to 'buffer'
  (PED-6401).
- crypto: qat - remove ADF_STATUS_PF_RUNNING flag from probe
  (PED-6401).
- Documentation: qat: rewrite description (PED-6401).
- commit 3c119b1

- cgroup: Remove duplicates in cgroup v1 tasks file (bsc#1211307).
- commit 555c311

- vmbus_testing: fix wrong python syntax for integer value
  comparison (git-fixes).
- Drivers: hv: vmbus: Fix vmbus_wait_for_unload() to scan present
  CPUs (git-fixes).
- Drivers: hv: vmbus: Call hv_synic_free() if hv_synic_alloc()
  fails (git-fixes).
- commit a15e7ae

- nvmet-tcp: Fix a possible UAF in queue intialization setup
  (bsc#1215768 CVE-2023-5178).
- commit b965ee1

- bpf: Fix incorrect verifier pruning due to missing register
  precision taints (bsc#1215518 CVE-2023-2163).
- bpf: propagate precision in ALU/ALU64 operations (git-fixes).
- commit 71da1d6

- net: mana: Fix oversized sge0 for GSO packets (bsc#1215986).
- net: mana: Fix TX CQE error handling (bsc#1215986).
- commit 3666b58

- xen/events: replace evtchn_rwlock with RCU (bsc#1215745,
  xsa-441, cve-2023-34324).
- commit 291fb99

- netfilter: nfnetlink_osf: avoid OOB read (bsc#1216046
  CVE-2023-39189).
- commit 77dc791

- blacklist.conf: the codebase changed too much to backport the patch
- commit 11474a7

- kabi: blkcg_policy_data fix KABI (bsc#1216062).
- commit cf25442

- blk-cgroup: support to track if policy is online (bsc#1216062).
- commit 45c3300

- mm, memcg: reconsider kmem.limit_in_bytes deprecation
  (bsc#1208788 bsc#1213705).
- commit bdf774a

- Revert "Delete patches.suse/memcg-drop-kmem-limit_in_bytes.patch."
  This reverts commit 52c1db3eb4e2acbdd91aaaefddc26b7207cd4c90.
  It'll be fixed differently in a following commit.
  Restore the commit with upstream commit already for proper sorting.
- commit 8474b47

- blk-cgroup: Fix NULL deref caused by blkg_policy_data being
  installed before init (bsc#1216062).
- commit c2395af

- blacklist.conf: Add 82b90b6c5b38 cgroup:namespace: Remove unused cgroup_namespaces_init()
- commit 6f5ac45

- HID: sony: remove duplicate NULL check before calling
  usb_free_urb() (git-fixes).
- commit 7cd0962

- i2c: mux: gpio: Replace custom acpi_get_local_address()
  (git-fixes).
- commit ef5fd69

- gpio: aspeed: fix the GPIO number passed to
  pinctrl_gpio_set_config() (git-fixes).
- gpio: pxa: disable pinctrl calls for MMP_GPIO (git-fixes).
- platform/x86: think-lmi: Fix reference leak (git-fixes).
- HID: intel-ish-hid: ipc: Disable and reenable ACPI GPE bit
  (git-fixes).
- HID: sony: Fix a potential memory leak in sony_probe()
  (git-fixes).
- wifi: mt76: mt76x02: fix MT76x0 external LNA gain handling
  (git-fixes).
- wifi: mwifiex: Fix oob check condition in
  mwifiex_process_rx_packet (git-fixes).
- wifi: iwlwifi: mvm: Fix a memory corruption issue (git-fixes).
- wifi: iwlwifi: dbg_ini: fix structure packing (git-fixes).
- wifi: mwifiex: Fix tlv_buf_left calculation (git-fixes).
- net: nfc: llcp: Add lock when modifying device list (git-fixes).
- net: usb: smsc75xx: Fix uninit-value access in
  __smsc75xx_read_reg (git-fixes).
- leds: Drop BUG_ON check for LED_COLOR_ID_MULTI (git-fixes).
- regmap: rbtree: Fix wrong register marked as in-cache when
  creating new node (git-fixes).
- nilfs2: fix potential use after free in
  nilfs_gccache_submit_read_data() (git-fixes).
- Revert "tty: n_gsm: fix UAF in gsm_cleanup_mux" (git-fixes).
- serial: 8250_port: Check IRQ data before use (git-fixes).
- firmware: arm_ffa: Don't set the memory region attributes for
  MEM_LEND (git-fixes).
- soc: imx8m: Enable OCOTP clock for imx8mm before reading
  registers (git-fixes).
- firmware: imx-dsp: Fix an error handling path in
  imx_dsp_setup_channels() (git-fixes).
- bus: ti-sysc: Fix missing AM35xx SoC matching (git-fixes).
- bus: ti-sysc: Use fsleep() instead of usleep_range() in
  sysc_reset() (git-fixes).
- i2c: npcm7xx: Fix callback completion ordering (git-fixes).
- ata: libata-core: Do not register PM operations for SAS ports
  (git-fixes).
- ata: libata-core: Fix port and device removal (git-fixes).
- ata: libata-core: Fix ata_port_request_pm() locking (git-fixes).
- ata: libata-sata: increase PMP SRST timeout to 10s (git-fixes).
- ata: libata-scsi: ignore reserved bits for REPORT SUPPORTED
  OPERATION CODES (git-fixes).
- gpio: pmic-eic-sprd: Add can_sleep flag for PMIC EIC chip
  (git-fixes).
- clk: tegra: fix error return case for recalc_rate (git-fixes).
- power: supply: ucs1002: fix error code in ucs1002_get_property()
  (git-fixes).
- gpio: tb10x: Fix an error handling path in tb10x_gpio_probe()
  (git-fixes).
- i2c: mux: gpio: Add missing fwnode_handle_put() (git-fixes).
- i2c: mux: demux-pinctrl: check the return value of
  devm_kstrdup() (git-fixes).
- i2c: i801: unregister tco_pdev in i801_probe() error path
  (git-fixes).
- ASoC: imx-rpmsg: Set ignore_pmdown_time for dai_link
  (git-fixes).
- ASoC: fsl: imx-pcm-rpmsg: Add SNDRV_PCM_INFO_BATCH flag
  (git-fixes).
- ALSA: hda: Disable power save for solving pop issue on Lenovo
  ThinkCentre M70q (git-fixes).
- spi: stm32: add a delay before SPI disable (git-fixes).
- spi: nxp-fspi: reset the FLSHxCR1 registers (git-fixes).
- drm/amdgpu: Handle null atom context in VBIOS info ioctl
  (git-fixes).
- drm/amd/display: Don't check registers, if using AUX BL control
  (git-fixes).
- spi: sun6i: fix race between DMA RX transfer completion and
  RX FIFO drain (git-fixes).
- spi: sun6i: reduce DMA RX transfer width to single byte
  (git-fixes).
- watchdog: iTCO_wdt: Set NO_REBOOT if the watchdog is not
  already running (git-fixes).
- watchdog: iTCO_wdt: No need to stop the timer in probe
  (git-fixes).
- commit 22d41cc

- net: usb: smsc75xx: Fix uninit-value access in
  __smsc75xx_read_reg (git-fixes).
- commit 38bd5fc

- r8152: check budget for r8152_poll() (git-fixes).
- commit b4330ba

- RDMA/core: Require admin capabilities to set system parameters (git-fixes)
- commit 165e98e

- RDMA/cma: Initialize ib_sa_multicast structure to 0 when join (git-fixes)
- commit ad12009

- RDMA/mlx5: Fix NULL string error (git-fixes)
- commit 5556b81

- IB/mlx4: Fix the size of a buffer in add_port_entries() (git-fixes)
- commit 8c4cdf4

- RDMA/cma: Fix truncation compilation warning in make_cma_ports (git-fixes)
- commit a7c580d

- RDMA/uverbs: Fix typo of sizeof argument (git-fixes)
- commit 7e80897

- RDMA/cxgb4: Check skb value for failure to allocate (git-fixes)
- commit 6e18278

- RDMA/siw: Fix connection failure handling (git-fixes)
- commit 107f7c6

- RDMA/srp: Do not call scsi_done() from srp_abort() (git-fixes)
- commit ecb5c5e

- ring-buffer: Do not attempt to read past "commit" (git-fixes).
- commit ee556e0

- ring-buffer: Avoid softlockup in ring_buffer_resize()
  (git-fixes).
- commit bd7050f

- tracing: Make trace_marker{,_raw} stream-like (git-fixes).
- commit fda0bf6

- ring-buffer: Update "shortest_full" in polling (git-fixes).
- commit aad1d04

- ring-buffer: Fix bytes info in per_cpu buffer stats (git-fixes).
- commit 296da6c

- tracing: Have event inject files inc the trace array ref count
  (git-fixes).
- commit 817c093

- tracing: Have option files inc the trace array ref count
  (git-fixes).
- commit 921a48a

- tracing: Have current_trace inc the trace array ref count
  (git-fixes).
- commit 586ee6a

- tracing: Have tracing_max_latency inc the trace array ref count
  (git-fixes).
- commit 322c826

- tracing: Increase trace array ref count on enable and filter
  files (git-fixes).
- commit fa9da0d

- kprobes: Prohibit probing on CFI preamble symbol (git-fixes).
- commit de7b87f

- iommu/amd: Add map/unmap_pages() iommu_domain_ops callback
  support (bsc#1212423).
- iommu/amd/io-pgtable: Implement unmap_pages io_pgtable_ops
  callback (bsc#1212423).
- iommu/amd/io-pgtable: Implement map_pages io_pgtable_ops
  callback (bsc#1212423).
- commit b7a7693

- Update
  patches.suse/ipv6-sr-fix-out-of-bounds-read-when-setting-HMAC-dat.patch
  (bsc#1211592 CVE-2023-2860).
- commit 6e15654

- KVM: x86: work around QEMU issue with synthetic CPUID leaves (git-fixes).
- commit 7ac0d16

- KVM: x86: Fix clang -Wimplicit-fallthrough in do_host_cpuid() (git-fixes).
- commit 14aa242

- s390: add z16 elf platform (git-fixes LTC#203789 bsc#1215956
  LTC#203788 bsc#1215957).
- commit a4355b3

- sched/cpuset: Bring back cpuset_mutex (bsc#1215955).
- cgroup/cpuset: Change references of cpuset_mutex to cpuset_rwsem
  (bsc#1215955).
- commit 59f5010

- blacklist.conf: Add c0f78fd5edcf cgroup/cpuset: Iterate only if DEADLINE tasks are present
  ... and its prereqs
- commit a4ba12c

- blacklist.conf: Add 98dfdd9ee939 sched/psi: Select KERNFS as needed
- commit d326b7e

- x86/cpu: Enable STIBP on AMD if Automatic IBRS is enabled (bsc#1213772).
- commit 48235ff

- KVM: x86: Propagate the AMD Automatic IBRS feature to the guest (bsc#1213772).
- commit 237820b

- x86/cpu: Support AMD Automatic IBRS (bsc#1213772).
- Refresh patches.suse/x86-srso-add-ibpb_brtype-support.patch.
- Refresh patches.suse/x86-srso-add-srso_no-support.patch.
- commit 8ed20a4

- scsi: zfcp: Fix a double put in zfcp_port_enqueue() (git-fixes
  bsc#1215941).
- commit a62865f

- x86/cpu, kvm: Add the SMM_CTL MSR not present feature  (bsc#1213772).
- Refresh patches.suse/x86-srso-add-ibpb_brtype-support.patch.
- Refresh patches.suse/x86-srso-add-srso_no-support.patch.
- commit aed5f36

- x86/cpu, kvm: Add the Null Selector Clears Base feature  (bsc#1213772).
- Refresh patches.suse/x86-srso-add-ibpb_brtype-support.patch.
- Refresh patches.suse/x86-srso-add-srso_no-support.patch.
- commit 8f2a48f

- x86/cpu, kvm: Move X86_FEATURE_LFENCE_RDTSC to its native leaf  (bsc#1213772).
- Refresh patches.suse/x86-srso-add-ibpb_brtype-support.patch.
- Refresh patches.suse/x86-srso-add-srso_no-support.patch.
- commit 553f579

- x86/cpu, kvm: Add the NO_NESTED_DATA_BP feature (bsc#1213772).
- Refresh patches.suse/x86-srso-add-ibpb_brtype-support.patch.
- Refresh patches.suse/x86-srso-add-srso_no-support.patch.
- commit 80fb630

- KVM: x86: Move open-coded CPUID leaf 0x80000021 EAX bit  propagation  code (bsc#1213772).
- Refresh patches.suse/x86-srso-add-srso_no-support.patch.
- commit f21e4e4

- KVM: x86: synthesize CPUID leaf 0x80000021h if useful  (bsc#1213772).
- Refresh
  patches.suse/KVM-x86-Mask-off-reserved-bits-in-CPUID.80000001H.patch.
- Refresh
  patches.suse/KVM-x86-Move-lookup-of-indexed-CPUID-leafs-to-helper.
- commit 3d1c8b5

- KVM: x86: add support for CPUID leaf 0x80000021 (bsc#1213772).
- Refresh
  patches.suse/KVM-x86-Mask-off-reserved-bits-in-CPUID.80000001H.patch.
- commit 320f1ae

- net: xfrm: Fix xfrm_address_filter OOB read (CVE-2023-39194
  bsc#1215861).
- commit 55308cb

- netfilter: xt_sctp: validate the flag_info count (CVE-2023-39193
  bsc#1215860).
- commit 5ec24b7

- netfilter: xt_u32: validate user space input (CVE-2023-39192
  bsc#1215858).
- commit 292c059

- ipv4: fix null-deref in ipv4_link_failure (CVE-2023-42754
  bsc#1215467).
- commit ad87dd3

- KVM: s390: pv: fix external interruption loop not always
  detected (git-fixes bsc#1215916).
- commit f1893aa

- btrfs: fix root ref counts in error handling in
  btrfs_get_root_ref (bsc#1214351 CVE-2023-4389).
- commit 3731029

- KVM: s390: fix KVM_S390_GET_CMMA_BITS for GFNs in memslot holes
  (git-fixes bsc#1215915).
- commit fe7fbfc

- KVM: s390/diag: fix racy access of physical cpu number in diag
  9c handler (git-fixes bsc#1215911).
- commit 6454286

- fs/smb/client: Reset password pointer to NULL (bsc#1215899
  CVE-2023-5345).
- commit 679511d

- blacklist.conf: kABi breakage (vmalloc)
- commit 10bad47

- KVM: s390: interrupt: use READ_ONCE() before cmpxchg()
  (git-fixes bsc#1215896).
- commit 8726736

- KVM: s390: vsie: fix the length of APCB bitmap (git-fixes
  bsc#1215895).
- commit 9ff1a1e

- KVM: s390: vsie: Fix the initialization of the epoch extension
  (epdx) field (git-fixes bsc#1215894).
- commit 9c5bbd7

- netfilter: ipset: add the missing IP_SET_HASH_WITH_NET0 macro
  for ip_set_hash_netportnet.c (CVE-2023-42753 bsc#1215150).
- commit 7a6be79

- tcp: Reduce chance of collisions in inet6_hashfn()
  (CVE-2023-1206 bsc#1212703).
- commit e3ebd17

- blacklist.conf: workqueue: compiler warning on 32-bit systems with
  Clang (bsc#1215877)
- commit b7e65aa

- blacklist.conf: workqueue: Code refactoring
- commit e204334

- blacklist.conf: printk: the changes look good but they do not fix
  any serious problem
- commit c560ceb

- printk: ringbuffer: Fix truncating buffer size min_t cast
  (bsc#1215875).
- commit e0d3999

- scsi: storvsc: Handle additional SRB status values (git-fixes).
- commit d1a5f2f

- scsi: qedf: Add synchronization between I/O completions and
  abort (bsc#1210658).
- commit 96a8c32

- gve: fix frag_list chaining (bsc#1214479).
- gve: RX path for DQO-QPL (bsc#1214479).
- gve: Tx path for DQO-QPL (bsc#1214479).
- gve: Control path for DQO-QPL (bsc#1214479).
- gve: trivial spell fix Recive to Receive (bsc#1214479).
- gve: use vmalloc_array and vcalloc (bsc#1214479).
- gve: Unify duplicate GQ min pkt desc size constants
  (bsc#1214479).
- gve: Add AF_XDP zero-copy support for GQI-QPL format
  (bsc#1214479).
- gve: Add XDP REDIRECT support for GQI-QPL format (bsc#1214479).
- gve: Add XDP DROP and TX support for GQI-QPL format
  (bsc#1214479).
- gve: Changes to add new TX queues (bsc#1214479).
- gve: XDP support GQI-QPL: helper function changes (bsc#1214479).
- gve: Fix gve interrupt names (bsc#1214479).
- commit 4dd2d8d

- net: sched: sch_qfq: Fix UAF in qfq_dequeue() (CVE-2023-4921
  bsc#1215275).
- commit 9408063

- fs: no need to check source (bsc#1215752).
- commit 1a42abf

- Refresh
  patches.suse/drm-msm-dpu-drop-enum-dpu_core_perf_data_bus_id.patch
  (git-fixes)
  Alt-commit
- commit f8178cd

- Refresh
  patches.suse/drm-amd-display-check-attr-flag-before-set-cursor-de.patch
  (git-fixes)
  Alt-commit
- commit f507792

- Refresh
  patches.suse/drm-amdgpu-Fix-vram-recover-doesn-t-work-after-whole.patch
  (git-fixes)
  Alt-commit
- commit 38e2a92

- Refresh
  patches.suse/drm-amdgpu-add-a-missing-lock-for-AMDGPU_SCHED.patch
  (git-fixes)
  Alt-commit
- commit 2ecd3e8

- Refresh
  patches.suse/drm-amd-display-fix-flickering-caused-by-S-G-mode.patch
  (git-fixes)
  Alt-commit
- commit 33e82b2

- Refresh
  patches.suse/drm-nouveau-kms-nv50-fix-nv50_wndw_new_-prototype.patch
  (git-fixes)
  Alt-commit
- commit 4c21b50

- SUNRPC: Mark the cred for revalidation if the server rejects it
  (git-fixes).
- NFS/pNFS: Report EINVAL errors from connect() to the server
  (git-fixes).
- nfsd: fix change_info in NFSv4 RENAME replies (git-fixes).
- pNFS: Fix assignment of xprtdata.cred (git-fixes).
- NFSv4.2: fix handling of COPY ERR_OFFLOAD_NO_REQ (git-fixes).
- NFS: Guard against READDIR loop when entry names exceed
  MAXNAMELEN (git-fixes).
- nfs/blocklayout: Use the passed in gfp flags (git-fixes).
- NFSv4/pnfs: minor fix for cleanup path in nfs4_get_device_info
  (git-fixes).
- NFSD: da_addr_body field missing in some GETDEVICEINFO replies
  (git-fixes).
- fs: lockd: avoid possible wrong NULL parameter (git-fixes).
- nfsd: Fix race to FREE_STATEID and cl_revoked (git-fixes).
- xprtrdma: Remap Receive buffers after a reconnect (git-fixes).
- NFSv4: fix out path in __nfs4_get_acl_uncached (git-fixes).
- NFSv4.2: fix error handling in nfs42_proc_getxattr (git-fixes).
- NFSv4: Fix dropped lock for racing OPEN and delegation return
  (git-fixes).
- commit 087b1c4

- uapi: stddef.h: Fix __DECLARE_FLEX_ARRAY for C++ (git-fixes).
- commit 68da368

- usb: ehci: move new member has_ci_pec_bug into hole (git-fixes).
- commit bd8b5cf

- usb: ehci: add workaround for chipidea PORTSC.PEC bug
  (git-fixes).
- commit a447793

- net: usb: qmi_wwan: add Quectel EM05GV2 (git-fixes).
- commit 613dba7

- kernel-binary: Move build-time definitions together
  Move source list and build architecture to buildrequires to aid in
  future reorganization of the spec template.
- commit 30e2cef

- net: mana: Add page pool for RX buffers (bsc#1214040).
- bnx2x: new flag for track HW resource allocation (bsc#1202845
  bsc#1215322).
- commit 0f79d4d

- blacklist.conf: Ignore redundant patch
- commit 6d0ecfc

- powerpc/fadump: make is_kdump_kernel() return false when fadump
  is active (bsc#1212639 ltc#202582).
- vmcore: remove dependency with is_kdump_kernel() for exporting
  vmcore (bsc#1212639 ltc#202582).
- commit a5cc68e

- x86/srso: Fix srso_show_state() side effect (git-fixes).
- commit 619e525

- x86/srso: Fix SBPB enablement for spec_rstack_overflow=off (git-fixes).
- commit 5e42be0

- x86/srso: Don't probe microcode in a guest (git-fixes).
- commit 74b567d

- x86/srso: Set CPUID feature bits independently of bug or mitigation  status (git-fixes).
- commit c6caed4

- platform/x86: intel_scu_ipc: Fail IPC send if still busy
  (git-fixes).
- platform/x86: intel_scu_ipc: Don't override scu in
  intel_scu_ipc_dev_simple_command() (git-fixes).
- platform/x86: intel_scu_ipc: Check status upon timeout in
  ipc_wait_for_interrupt() (git-fixes).
- platform/x86: intel_scu_ipc: Check status after timeout in
  busy_loop() (git-fixes).
- ASoC: imx-audmix: Fix return error with devm_clk_get()
  (git-fixes).
- ASoC: tegra: Fix redundant PLLA and PLLA_OUT0 updates
  (git-fixes).
- ASoC: soc-utils: Export snd_soc_dai_is_dummy() symbol
  (git-fixes).
- ASoC: meson: spdifin: start hw on dai probe (git-fixes).
- ALSA: hda/realtek: Splitting the UX3402 into two separate models
  (git-fixes).
- commit 5e7ab5c

- Update
  patches.suse/net-sched-cbq-dont-intepret-cls-results-when-asked-t.patch.
  (bsc#1207036 CVE-2023-23454)
  Fold downstream fixup of caa4b35b4317d5147b3ab0fbdc9c075c7d2e9c12.
- commit 6635291

- scsi: lpfc: Prevent use-after-free during rmmod with mapped
  NVMe rports (git-fixes).
- scsi: lpfc: Early return after marking final NLP_DROPPED flag
  in dev_loss_tmo (git-fixes).
- scsi: lpfc: Fix the NULL vs IS_ERR() bug for
  debugfs_create_file() (git-fixes).
- commit 39e6404

- scsi: qla2xxx: Fix NULL vs IS_ERR() bug for debugfs_create_dir()
  (git-fixes).
- scsi: qla2xxx: Use raw_smp_processor_id() instead of
  smp_processor_id() (git-fixes).
- commit 2981c3a

- fuse: nlookup missing decrement in fuse_direntplus_link
  (bsc#1215581).
- commit 7cedbed

- Drop amdgpu patch causing spamming (bsc#1215523)
  Deleted:
  patches.suse/drm-amdgpu-install-stub-fence-into-potential-unused-.patch.
- commit 2cab595

- net: mana: Configure hwc timeout from hardware (bsc#1214037).
- commit cc9aa11

- USB: core: Change usb_get_device_descriptor() API (bsc#1213123
  CVE-2023-37453 bsc#1215553 bsc#1215522 bsc#1215552).
  Refresh patches.suse/USB-core-Fix-race-by-not-overwriting-udev-descriptor.patch (add missing hunk)
  Refresh patches.suse/USB-core-Fix-oversight-in-SuperSpeed-initialization.patch (context)
- commit 6271d90

- virtio-net: set queues after driver_ok (git-fixes).
- commit a8caba5

- vhost: handle error while adding split ranges to iotlb
  (git-fixes).
- commit 059dc93

- vhost: allow batching hint without size (git-fixes).
- commit 8c5d403

- kernel-binary: python3 is needed for build
  At least scripts/bpf_helpers_doc.py requires python3 since Linux 4.18
  Other simimlar scripts may exist.
- commit c882efa

- KVM: x86/mmu: Include mmu.h in spte.h (git-fixes).
- commit e049205

- KVM: x86: Fix KVM_CAP_SYNC_REGS's sync_regs() TOCTOU issues
  (git-fixes).
- commit fced801

- blacklist.conf: add b439eb8ab57855, as prereq patch is missing
- commit 7f6a95d

- vhost_vdpa: fix the crash in unmap a large memory (git-fixes).
- commit 5c68686

- iommu/virtio: Detach domain on endpoint release (git-fixes).
- commit b648ef9

- vhost-scsi: unbreak any layout for response (git-fixes).
- commit 374c9ef

- drm/virtio: Use appropriate atomic state in
  virtio_gpu_plane_cleanup_fb() (git-fixes).
- commit 491eae6

- drm/virtio: Correct drm_gem_shmem_get_sg_table() error handling
  (git-fixes).
- commit e8e33de

- virtio-net: fix race between set queues and probe (git-fixes).
- commit 1089568

- virtio_net: Fix probe failed when modprobe virtio_net
  (git-fixes).
- commit 5915735

- virtio_net: add checking sq is full inside xdp xmit (git-fixes).
- commit 87c00dd

- virtio_net: separate the logic of checking whether sq is full
  (git-fixes).
- commit 7064a0d

- virtio_net: reorder some funcs (git-fixes).
- commit 4f7fbb1

- nvme-auth: use chap->s2 to indicate bidirectional authentication
  (bsc#1214543).
- commit 41ae88c

- module: Expose module_init_layout_section() (git-fixes)
- commit 54615cb

- arm64: tegra: Update AHUB clock parent and rate (git-fixes)
- commit d3da4d8

- arm64: module: Use module_init_layout_section() to spot init sections (git-fixes)
- commit f80791e

- arm64: sdei: abort running SDEI handlers during crash (git-fixes)
- commit ec53ad3

- virtio: acknowledge all features before access (git-fixes).
- commit 4e146ad

- hwrng: virtio - Fix race on data_avail and actual data
  (git-fixes).
- commit 6d20bd3

- virtio-rng: make device ready before making request (git-fixes).
- commit c09ce65

- vhost: fix hung thread due to erroneous iotlb entries
  (git-fixes).
- commit cc76cf8

- arm64/fpsimd: Only provide the length to cpufeature for xCR registers (git-fixes)
- commit 89467e1

- arm64: module-plts: inline linux/moduleloader.h (git-fixes)
- commit afca04d

- hwrng: virtio - always add a pending request (git-fixes).
- commit 912363c

- hwrng: virtio - don't waste entropy (git-fixes).
- commit 4771c4e

- hwrng: virtio - don't wait on cleanup (git-fixes).
- commit e9188eb

- af_unix: Fix null-ptr-deref in unix_stream_sendpage()
  (CVE-2023-4622 bsc#1215117).
- commit a6ce336

- hwrng: virtio - add an internal buffer (git-fixes).
- commit 477109e

- net/sched: sch_hfsc: Ensure inner classes have fsc curve
  (CVE-2023-4623 bsc#1215115).
- commit 72e753f

- virtio_ring: fix avail_wrap_counter in virtqueue_add_packed
  (git-fixes).
- commit 60546dd

- net: do not allow gso_size to be set to GSO_BY_FRAGS
  (git-fixes).
- commit b96a7ad

- virtio-mmio: don't break lifecycle of vm_dev (git-fixes).
- commit 45da2ea

- KVM: SEV: remove ghcb variable declarations (CVE-2023-4155
  bsc#1214022).
- KVM: SEV: only access GHCB fields once (CVE-2023-4155
  bsc#1214022).
- KVM: SEV: snapshot the GHCB before accessing it (CVE-2023-4155
  bsc#1214022).
- commit f5b3d4d

- xen: remove a confusing comment on auto-translated guest I/O
  (git-fixes).
- commit 80c5d27

- x86/PVH: avoid 32-bit build warning when obtaining VGA console
  info (git-fixes).
- commit 8d6614d

- blacklist.conf: Append 'Revert "fbcon: Use kzalloc() in fbcon_prepare_logo()"'
- commit 501bd2e

- blacklist.conf: Append 'video/aperture: Only remove sysfb on the default vga pci device'
- commit bfaaaff

- blacklist.conf: Append 'parisc: Flush gatt writes and adjust gatt mask in parisc_agp_mask_memory()'
- commit 30a9db6

- blacklist.conf: Append 'parisc/agp: Annotate parisc agp init functions with __init'
- commit 9eb45cc

- ata: libata: disallow dev-initiated LPM transitions to
  unsupported states (git-fixes).
- i2c: aspeed: Reset the i2c controller when timeout occurs
  (git-fixes).
- selftests: tracing: Fix to unmount tracefs for recovering
  environment (git-fixes).
- drm/amd/display: fix the white screen issue when >= 64GB DRAM
  (git-fixes).
- drm: gm12u320: Fix the timeout usage for usb_bulk_msg()
  (git-fixes).
- commit 1f4e814

- btrfs: don't hold CPU for too long when defragging a file
  (bsc#1214988).
- commit 9b89645

- 9p/xen : Fix use after free bug in xen_9pfs_front_remove due
  to race condition (bsc#1215206, CVE-2023-1859).
- commit f333aa7

- netfilter: nftables: exthdr: fix 4-byte stack OOB write
  (CVE-2023-4881 bsc#1215221).
- commit 0de26c1

- sctp: leave the err path free in sctp_stream_init to
  sctp_stream_free (CVE-2023-2177 bsc#1210643).
- commit 337b7d8

- platform/mellanox: mlxbf-pmc: Fix reading of unprogrammed events
  (git-fixes).
- platform/mellanox: mlxbf-pmc: Fix potential buffer overflows
  (git-fixes).
- platform/mellanox: mlxbf-tmfifo: Drop jumbo frames (git-fixes).
- platform/mellanox: mlxbf-tmfifo: Drop the Rx packet if no more
  descriptors (git-fixes).
- kselftest/runner.sh: Propagate SIGTERM to runner child
  (git-fixes).
- commit 495d04f

- Delete patches.suse/genksyms-add-override-flag.diff.
  Unncessary after KBUILD_OVERRIDE removed.
- commit 870adc7

- x86/sev: Make enc_dec_hypercall() accept a size instead of npages (bsc#1214635).
- commit 834e1c2

- jbd2: restore t_checkpoint_io_list to maintain kABI
  (bsc#1214946).
- commit 1a1980a

- rpm/kernel-binary.spec.in: Drop use of KBUILD_OVERRIDE=1
  Genksyms has functionality to specify an override for each type in
  a symtypes reference file. This override is then used instead of an
  actual type and allows to preserve modversions (CRCs) of symbols that
  reference the type. It is kind of an alternative to doing kABI fix-ups
  with '#ifndef __GENKSYMS__'. The functionality is hidden behind the
  genksyms --preserve option which primarily tells the tool to strictly
  verify modversions against a given reference file or fail.
  Downstream patch patches.suse/genksyms-add-override-flag.diff which is
  present in various kernel-source branches separates the override logic.
  It allows it to be enabled with a new --override flag and used without
  specifying the --preserve option. Setting KBUILD_OVERRIDE=1 in the spec
  file is then a way how the build is told that --override should be
  passed to all invocations of genksyms. This was needed for SUSE kernels
  because their build doesn't use --preserve but instead resulting CRCs
  are later checked by scripts/kabi.pl.
  However, this override functionality was not utilized much in practice
  and the only use currently to be found is in SLE11-SP1-LTSS. It means
  that no one should miss this option and KBUILD_OVERRIDE=1 together with
  patches.suse/genksyms-add-override-flag.diff can be removed.
  Notes for maintainers merging this commit to their branches:
  * Downstream patch patches.suse/genksyms-add-override-flag.diff can be
  dropped after merging this commit.
  * Branch SLE11-SP1-LTSS uses the mentioned override functionality and
  this commit should not be merged to it, or needs to be reverted
  afterwards.
- commit 4aa02b8

- drm/display: Don't assume dual mode adaptors support i2c
  sub-addressing (bsc#1213808).
- commit 9c64306

- blacklist.conf: Add ef73dcaa3121 ("powerpc: xmon: remove unused variables")
- commit 78179fa

- powerpc/iommu: Fix notifiers being shared by PCI and VIO buses
  (bsc#1065729).
- powerpc/xics: Remove unnecessary endian conversion
  (bsc#1065729).
- word-at-a-time: use the same return type for has_zero regardless
  of endianness (bsc#1065729).
- commit bde8063

- mlx4: Delete custom device management logic (bsc#1187236).
- mlx4: Connect the infiniband part to the auxiliary bus
  (bsc#1187236).
- mlx4: Connect the ethernet part to the auxiliary bus
  (bsc#1187236).
- mlx4: Register mlx4 devices to an auxiliary virtual bus
  (bsc#1187236).
- mlx4: Avoid resetting MLX4_INTFF_BONDING per driver
  (bsc#1187236).
- mlx4: Move the bond work to the core driver (bsc#1187236).
- mlx4: Get rid of the mlx4_interface.activate callback
  (bsc#1187236).
- mlx4: Replace the mlx4_interface.event callback with a notifier
  (bsc#1187236).
- commit 0aba257

- mlx4: Use 'void *' as the event param of mlx4_dispatch_event()
  (bsc#1187236).
- mlx4: Rename member mlx4_en_dev.nb to netdev_nb (bsc#1187236).
- mlx4: Get rid of the mlx4_interface.get_dev callback
  (bsc#1187236).
- net/mlx4: Remove many unnecessary NULL values (bsc#1187236).
- kabi/severities: ignore mlx4 internal symbols
- tracing: Fix race issue between cpu buffer write and swap
  (git-fixes).
- tracing: Remove extra space at the end of hwlat_detector/mode
  (git-fixes).
- tracing: Remove unnecessary copying of tr->current_trace
  (git-fixes).
- bpf: Clear the probe_addr for uprobe (git-fixes).
- commit 47e9584

- x86/fpu: Take task_struct* in copy_sigframe_from_user_to_xstate() (git-fixes).
- commit 74c2613

- x86/mm: Avoid incomplete Global INVLPG flushes (git-fixes).
- commit a8877f3

- x86/resctrl: Fix to restore to original value when re-enabling hardware prefetch register (git-fixes).
- commit 670fb4d

- x86/resctrl: Fix task CLOSID/RMID update race (git-fixes).
- commit 9871c87

- x86/reboot: Disable virtualization in an emergency if SVM is supported (git-fixes).
- commit 3949a2b

- x86/virt: Force GIF=1 prior to disabling SVM (for reboot flows) (git-fixes).
- commit 4534667

- x86/sgx: Reduce delay and interference of enclave release (git-fixes).
- commit ef6d157

- x86/rtc: Remove __init for runtime functions (git-fixes).
- commit 4511d93

- x86/mm: Do not shuffle CPU entry areas without KASLR (git-fixes).
- commit cb39678

- x86/mce: Retrieve poison range from hardware (git-fixes).
- commit c9f1ddb

- x86/ioremap: Fix page aligned size calculation in __ioremap_caller() (git-fixes).
- commit 96d9365

- x86/mem_encrypt: Unbreak the AMD_MEM_ENCRYPT=n build (git-fixes).
- commit 12a2933

- x86/resctl: fix scheduler confusion with 'current' (git-fixes).
- commit 0d855b9

- x86/purgatory: remove PGO flags (git-fixes).
- commit 9d8ada6

- x86/ioapic: Don't return 0 from arch_dynirq_lower_bound() (git-fixes).
- commit ea0772f

- x86/i8259: Mark legacy PIC interrupts with IRQ_LEVEL (git-fixes).
- commit c1031f1

- x86/head/64: Switch to KERNEL_CS as soon as new GDT is installed (git-fixes).
- commit bbfad26

- x86/cpu: Add model number for Intel Arrow Lake processor (git-fixes).
- commit bf6d064

- x86/cpu: Add Lunar Lake M (git-fixes).
- commit 7ecc64d

- x86/bugs: Reset speculation control settings on init (git-fixes).
- commit 2a6dd8e

- x86/boot/e820: Fix typo in e820.c comment (git-fixes).
- commit ac06968

- x86/alternative: Fix race in try_get_desc() (git-fixes).
- commit d841323

- uprobes/x86: Allow to probe a NOP instruction with 0x66 prefix (git-fixes).
- commit 11f0960

- KVM: VMX: Fix header file dependency of asm/vmx.h (git-fixes).
- commit cae635f

- KVM: SVM: Remove a duplicate definition of VMCB_AVIC_APIC_BAR_MASK (git-fixes).
- commit 2a03ef8

- Revert "PCI: Mark NVIDIA T4 GPUs to avoid bus reset"
  (git-fixes).
- PCI: Free released resource after coalescing (git-fixes).
- ntb: Fix calculation ntb_transport_tx_free_entry() (git-fixes).
- ntb: Drop packets when qp link is down (git-fixes).
- ntb: Clean up tx tail index on link down (git-fixes).
- idr: fix param name in idr_alloc_cyclic() doc (git-fixes).
- commit a1c9c68

- ALSA: hda/cirrus: Fix broken audio on hardware with two CS42L42
  codecs (git-fixes).
- arm64: csum: Fix OoB access in IP checksum code for negative
  lengths (git-fixes).
- commit f43b75b

- patches.suse/ovl-remove-privs-in-ovl_copyfile.patch:(git-fixes).
- commit daa1815

- s390/qeth: Don't call dev_close/dev_open (DOWN/UP) (bsc#1214873
  git-fixes).
- commit b0dc76c

- nvme-tcp: add recovery_delay to sysfs (bsc#1201284).
- nvme-tcp: delay error recovery until the next KATO interval
  (bsc#1201284).
- nvme-tcp: make 'err_work' a delayed work (bsc#1201284).
- nvme-tcp: Do not terminate commands when in RESETTING
  (bsc#1201284).
- commit 96ee377

- s390/zcrypt: don't leak memory if dev_set_name() fails
  (git-fixes bsc#1215148).
- commit 62bce52

- drm/amd/display: prevent potential division by zero errors
  (git-fixes).
- drm/i915: mark requests for GuC virtual engines to avoid
  use-after-free (git-fixes).
- net: phy: micrel: Correct bit assignments for phy_device flags
  (git-fixes).
- pwm: lpc32xx: Remove handling of PWM channels (git-fixes).
- i3c: master: svc: fix probe failure when no i3c device exist
  (git-fixes).
- drm/i915/gvt: Drop unused helper intel_vgpu_reset_gtt()
  (git-fixes).
- commit 3aa0807

- blacklist.conf: kABI
- commit fe6afec

- blacklist.conf: kABI
- commit b1fabe7

- blacklist.conf: kABI
- commit c50e08f

- Input: tca6416-keypad - fix interrupt enable disbalance
  (git-fixes).
- commit de27518

- fs: do not update freeing inode i_io_list (bsc#1214813).
- fs: record I_DIRTY_TIME even if inode already has I_DIRTY_INODE
  (bsc#1214813).
- commit 2c1c38b

- watchdog: intel-mid_wdt: add MODULE_ALIAS() to allow auto-load
  (git-fixes).
- backlight: gpio_backlight: Drop output GPIO direction check
  for initial power state (git-fixes).
- USB: serial: option: add FOXCONN T99W368/T99W373 product
  (git-fixes).
- USB: serial: option: add Quectel EM05G variant (0x030e)
  (git-fixes).
- tcpm: Avoid soft reset when partner does not support get_status
  (git-fixes).
- usb: typec: tcpci: clear the fault status bit (git-fixes).
- ARM: pxa: remove use of symbol_get() (git-fixes).
- Bluetooth: btsdio: fix use after free bug in btsdio_remove
  due to race condition (git-fixes).
- usb: typec: tcpci: move tcpci.h to include/linux/usb/
  (git-fixes).
- commit 72d5b0f

- blacklist.conf: add git-fix to ignore
  this one removes unused kABI functions, but
  just leave them in
- commit 8007015

- scsi: snic: Fix double free in snic_tgt_create() (git-fixes).
- commit 1ed2b1b

- blacklist.conf: 9011e49d54dc ("modules: only allow symbol_get of
  EXPORT_SYMBOL_GPL modules") is not really fixing any existing bug.
- commit 550f5fc

- Move upstreamed pinctrl patch into sorted section
- commit 38f70f2

- Update References tag
  patches.suse/Bluetooth-L2CAP-Fix-use-after-free-in-l2cap_sock_rea.patch
  (git-fixes bsc#1214233 CVE-2023-40283).
- commit 731b49d

- ata: pata_falcon: fix IO base selection for Q40 (git-fixes).
- ata: sata_gemini: Add missing MODULE_DESCRIPTION (git-fixes).
- ata: pata_ftide010: Add missing MODULE_DESCRIPTION (git-fixes).
- kconfig: fix possible buffer overflow (git-fixes).
- commit 4a140a1

- powerpc/rtas: mandate RTAS syscall filtering (bsc#1023051).
- commit ac82be8

- Refresh sorted section
- commit a6fbcee

- netfilter: nf_tables: use correct lock to protect gc_list
  (CVE-2023-4563 bsc#1214727).
- netfilter: nf_tables: GC transaction race with abort path
  (CVE-2023-4563 bsc#1214727).
- netfilter: nf_tables: GC transaction race with netns dismantle
  (CVE-2023-4563 bsc#1214727).
- netfilter: nf_tables: fix GC transaction races with netns and
  netlink event exit path (CVE-2023-4563 bsc#1214727).
- netfilter: nf_tables: fix kdoc warnings after gc rework
  (CVE-2023-4563 bsc#1214727).
- refresh
  - patches.kabi/kabi-hide-changes-in-struct-nft_set.patch
- kabi: hide changes in struct nft_set (CVE-2023-4563
  bsc#1214727).
- netfilter: nf_tables: GC transaction API to avoid race with
  control plane (CVE-2023-4563 bsc#1214727).
- commit cfed41c

- quota: add new helper dquot_active() (bsc#1214998).
- commit 26cc2da

- quota: rename dquot_active() to inode_quota_active()
  (bsc#1214997).
- commit c4d7e83

- quota: factor out dquot_write_dquot() (bsc#1214995).
- commit 40e5ccd
libX11
- U_0001-CVE-2023-43785-out-of-bounds-memory-access-in-_XkbRe.patch
  U_0002-CVE-2023-43786-stack-exhaustion-from-infinite-recurs.patch
  U_0003-XPutImage-clip-images-to-maximum-height-width-allowe.patch
  U_0004-XCreatePixmap-trigger-BadValue-error-for-out-of-rang.patch
  U_0005-CVE-2023-43787-Integer-overflow-in-XCreateImage-lead.patch
  * CVE-2023-43785 libX11: out-of-bounds memory access in
    _XkbReadKeySyms() (boo#1215683)
  * CVE-2023-43786 libX11: stack exhaustion from infinite recursion
  in PutSubImage() (boo#1215684)
  * CVE-2023-43787 libX11: integer overflow in XCreateImage()
    leading to a heap overflow (boo#1215685)
libapparmor
- update zgrep profile to allow egrep helper use (bsc#1214458)
  - zgrep-profile-sync-with-master.diff
libeconf
- Additional info for version 0.5.2:
  * Fixed a stack-buffer-overflow vulnerability in "econf_writeFile"
    function. (CVE-2023-30078, CVE-2023-32181, bsc#1211078)
  * Fixed a stack-buffer-overflow vulnerability in "read_file"
    function. (CVE-2023-30079, CVE-2023-22652, bsc#1211078)

- Update to version 0.5.2:
  * Fixed build for aarch64 and gcc13.
  * Making the output verbose when a test fails.
  * Fixed a stack-buffer-overflow vulnerability in "econf_writeFile"
    function.
  * Fixed a stack-buffer-overflow vulnerability in "read_file"
    function.
  * Added new feature: econf_set_conf_dirs (const char **dir_postfix_list)
    Sets a list of directory structures (with order) which describes
    the directories in which the files have to be parsed.
    E.G. with the given list: {"/conf.d/", ".d/", "/", NULL} files in following
    directories will be parsed:
    "<default_dirs>/<project_name>.<suffix>.d/"
    "<default_dirs>/<project_name>/conf.d/"
    "<default_dirs>/<project_name>.d/"
    "<default_dirs>/<project_name>/"
    The entry "<default_dirs>/<project_name>.<suffix>.d/" will be added
    automatically.
  * General code cleanup.

- Update to version 0.5.1:
  * Reading files in /usr/_vendor_/_example_._suffix_.d/* regardless
    there is a /etc/_example_._suffix_ file. (#175)

- Update to version 0.5.0:
  * API calls econf_read*WithCallback supporting a general (void *)
    argument for user defined data with which the callback function is
    called.
  * Tagged following functions deprecated:
    econf_requireOwner, econf_requireGroup, econf_requirePermissions,
    econf_followSymlinks, econf_reset_security_settings
    Use one of the econf_read*WithCallback functions instead.

- Update to version 0.4.9:
  * libeconf.h: added missing sys/types.h header (#171)
  * new API calls: econf_readFileWithCallback,
    econf_readDirsWithCallback, econf_readDirsHistoryWithCallback (#172)
  * Checking NULL comment parameter in the parsing functions.

- Update to version 0.4.8+git20221114.7ff7704:
  * Parsing files which are containing keys only (#170)
    All delimiters are allowed now : "", " =", " ", "=". But the
    user should use "" in order to be distinct.
  * /usr/etc/shells.d/<file_name> will not be parsed if
    /etc/shells.d/<file_name> is defined too.
  * Lto build fixed (#168)
  * New calls: econf_comment_tag, econf_delimiter_tag, econf_set_comment_tag,
    econf_set_delimiter_tag
  * Checking UID,GroupID, permissions,... of the parsed files (#165)
    New calls: econf_requireOwner, econf_requireGroup, econf_requirePermissions,
    econf_followSymlinks
  * Ignoring Group without brackets; Do not hold brackets in the internal data structure. (#164)
  * Error handling improved for nums and booleans (#163)
nghttp2
- security update
- added patches
  fix CVE-2023-44487 [bsc#1216123], HTTP/2 Rapid Reset Attack
  + nghttp2-CVE-2023-44487.patch

- Fixes memory leak that happens when PUSH_PROMISE or HEADERS frame cannot be
  sent, and nghttp2_on_stream_close_callback fails with a fatal error.
  [CVE-2023-35945 bsc#1215713]
  + nghttp2-CVE-2023-35945.patch
openssl-1_1
- Displays "fips" in the version string (bsc#1215215)
  * Add openssl-1_1-fips-bsc1215215_fips_in_version_string.patch
pciutils
- Apply "lspci-Fixed-buffer-overflows-in-ls-tree.c.patch" to fix a
  buffer overflow error that would cause lspci to crash on systems
  with complex topologies. [bsc#1215265]
- Add "pciutils.keyring" so that the tarball's signature can be
  verified at build time.
- Use "%license" tag instead of "%doc" to install the package's
  license file.
python3
- Add CVE-2023-40217-avoid-ssl-pre-close.patch fixing
  gh#python/cpython#108310, backport from upstream patch
  gh#python/cpython#108315
  (bsc#1214692, CVE-2023-40217)
ruby2.5
- update suse.patch to 531fb8b2cc
  - fix quadratic behavior in the uri parser (boo#1209891
    CVE-2023-28755)
  - fix expensive regexp in the RFC2822 time parser (boo#1209967
    CVE-2023-28756)
  - backport date 2.0.3 (boo#1193035 CVE-2021-41817)
  - merge CGI 0.1.0.2: (boo#1205726 CVE-2021-33621)
  - When parsing cookies, only decode the values
  - HTTP response splitting in CGI
libtirpc
-  update to 1.3.4 (bsc#1199467)
  * binddynport.c honor ip_local_reserved_ports
  - replaces: binddynport-honor-ip_local_reserved_ports.patch
  * gss-api: expose gss major/minor error in authgss_refresh()
  * rpcb_clnt.c: Eliminate double frees in delete_cache()
  * rpcb_clnt.c: memory leak in destroy_addr
  * portmapper: allow TCP-only portmapper
  * getnetconfigent: avoid potential DoS issue by removing unnecessary sleep
  * clnt_raw.c: fix a possible null pointer dereference
  * bindresvport.c: fix a potential resource leakage
- update to 1.3.3 (bsc#1201680, CVE-2021-46828):
  * Fix DoS vulnerability in libtirpc
  - replaces: 0001-Fix-DoS-vulnerability-in-libtirpc.patch
  * _rpc_dtablesize: use portable system call
  * libtirpc: Fix use-after-free accessing the error number
  * Fix potential memory leak of parms.r_addr
  - replaces 0001-fix-parms.r_addr-memory-leak.patch
  * rpcb_clnt.c add mechanism to try v2 protocol first
  - preplaces: 0001-rpcb_clnt.c-config-to-try-protocolversion-2-first.patch
  * Eliminate deadlocks in connects with an MT environment
  * clnt_dg_freeres() uncleared set active state may deadlock
  * thread safe clnt destruction
  * SUNRPC: mutexed access blacklist_read state variable
  * SUNRPC: MT-safe overhaul of address cache management in rpcb_clnt.c
- drop 0001-Fix-DoS-vulnerability-in-libtirpc.patch (upstream)
- update to 1.3.2:
  * Replace the final SunRPC licenses with BSD licenses
  * blacklist: Add a few more well known ports
  * libtirpc: disallow calling auth_refresh from clnt_call with RPCSEC_GSS
- Update to libtirpc 1.3.1
  * Remove AUTH_DES interfaces from auth_des.h
    The unsupported  AUTH_DES authentication has be
    compiled out since commit d918e41d889 (Wed Oct 9 2019)
    replaced by API routines that return errors.
  * svc_dg: Free xp_netid during destroy
  * Fix memory management issues of fd locks
  * libtirpc: replace array with list for per-fd locks
  * __svc_vc_dodestroy: fix double free of xp_ltaddr.buf
  * __rpc_dtbsize: rlim_cur instead of rlim_max
  * pkg-config: use the correct replacements for libdir/includedir
  Patches replaced by update:
  binddynport-honor-ip_local_reserved_ports.patch (bsc#1199467)
  0001-Fix-DoS-vulnerability-in-libtirpc.patch (bsc#1201680)
  0001-fix-parms.r_addr-memory-leak.patch (bsc#1198752)
  0001-rpcb_clnt.c-config-to-try-protocolversion-2-first.patch
  (bsc#1196647), (bsc#1200800), (bsc#1198176)
  * replaces /etc/netconfig-try-2-first by the environment variable
  RPCB_V2FIRST
zlib
- Fix CVE-2023-45853, integer overflow and resultant heap-based buffer
  overflow in zipOpenNewFileInZip4_6, bsc#1216378
  * CVE-2023-45853.patch
zchunk
- Fix CVE-2023-46228, bsc#1216268
  * Handle overflow errors in malformed zchunk files.
- Added patch:
  * CVE-2023-46228.patch
log4j
- Build also taglib, jmx-gui, bom, nosql and web modules, on
  platforms where we have the dependencies
shadow
- bsc#1214806 (CVE-2023-4641):
  Fix potential password leak
- Add shadow-CVE-2023-4641.patch
postfix
- postfix: config.postfix causes too tight permission on main.cf
  (bsc#1215372)

- CVE-2023-32182: postfix: config_postfix SUSE specific script
  potentially bad /tmp file usage (bsc#1211196)
  Use temp file created by mktemp
postgresql14
- Update to 14.10:
  * bsc#1216962, CVE-2023-5868: Fix handling of unknown-type
    arguments in DISTINCT "any" aggregate functions. This error led
    to a text-type value being interpreted as an unknown-type value
    (that is, a zero-terminated string) at runtime. This could
    result in disclosure of server memory following the text value.
  * bsc#1216961, CVE-2023-5869: Detect integer overflow while
    computing new array dimensions. When assigning new elements to
    array subscripts that are outside the current array bounds, an
    undetected integer overflow could occur in edge cases. Memory
    stomps that are potentially exploitable for arbitrary code
    execution are possible, and so is disclosure of server memory.
  * bsc#1216960, CVE-2023-5870: Prevent the pg_signal_backend role
    from signalling background workers and autovacuum processes.
    The documentation says that pg_signal_backend cannot issue
    signals to superuser-owned processes. It was able to signal
    these background  processes, though, because they advertise a
    role OID of zero. Treat that as indicating superuser ownership.
    The security implications of cancelling one of these process
    types are fairly small so far as the core code goes (we'll just
    start another one), but extensions might add background workers
    that are more vulnerable.
    Also ensure that the is_superuser parameter is set correctly in
    such processes. No specific security consequences are known for
    that oversight, but it might be significant for some extensions.
  * Add support for LLVM 16 and 17
  * https://www.postgresql.org/docs/14/release-14-10.html

- boo#1216734: Revert the last change and make the devel package
  independend of all other subpackages except for the libs.

- boo#1216022: Call install-alternatives from the devel subpackage
  as well, otherwise the symlink for ecpg might be missing.

- Also buildignore the postgresql*-implementation symbols: this is
  needed in order to bootstrap when no postgresql version currently
  has valid symbols provided. Once the packages are built, OBS
  could translate this to the pgname-* packages and accept the
  ignores; during bootstrap though, there is nothing providing the
  symbol and the existing buildignores do not suffice.
python-instance-billing-flavor-check
- Version 0.0.4
  Run the command as sudo only

- Version 0.0.3
  Handle exception for Python 3.4
python-rpm
- build for all python modules (jsc#PED-68, jsc#PED-1988)
salt
- Randomize pre_flight_script path (CVE-2023-34049 bsc#1215157)
- Allow all primitive grain types for autosign_grains (bsc#1214477)
- Added:
  * allow-all-primitive-grain-types-for-autosign_grains-.patch
  * fix-cve-2023-34049-bsc-1215157.patch

- Fix optimization_order opt to prevent testsuite fails
- Improve salt.utils.json.find_json to avoid fails (bsc#1213293)
- Use salt-call from salt bundle with transactional_update
- Only call native_str on curl_debug message in tornado when needed
- Implement the calling for batch async from the salt CLI
- Fix calculation of SLS context vars when trailing dots
  on targetted sls/state (bsc#1213518)
- Rename salt-tests to python3-salt-testsuite
- Added:
  * improve-salt.utils.json.find_json-bsc-1213293.patch
  * only-call-native_str-on-curl_debug-message-in-tornad.patch
  * fix-optimization_order-opt-to-prevent-test-fails.patch
  * use-salt-call-from-salt-bundle-with-transactional_up.patch
  * implement-the-calling-for-batch-async-from-the-salt-.patch
  * fix-calculation-of-sls-context-vars-when-trailing-do.patch

- Fix inconsistency in reported version by egg-info metadata (bsc#1215489)
- Added:
  * write-salt-version-before-building-when-using-with-s.patch

- Revert usage of long running REQ channel to prevent possible
  missing responses on requests and dublicated responses
  (bsc#1213960, bsc#1213630, bsc#1213257)
- Fix gitfs cachedir basename to avoid hash collisions
  (bsc#1193948, bsc#1214797, CVE-2023-20898)
- Added:
  * fixed-gitfs-cachedir_basename-to-avoid-hash-collisio.patch
  * revert-usage-of-long-running-req-channel-bsc-1213960.patch

- Make sure configured user is properly set by Salt (bsc#1210994)
- Do not fail on bad message pack message (bsc#1213441, CVE-2023-20897)
- Fix broken tests to make them running in the testsuite
- Prevent possible exceptions on salt.utils.user.get_group_dict (bsc#1212794)
- Create minion_id with reproducible mtime
- Fix detection of Salt codename by "salt_version" execution module
- Fix regression: multiple values for keyword argument 'saltenv' (bsc#1212844)
- Fix the regression of user.present state when group is unset (bsc#1212855)
- Fix zypper repositories always being reconfigured
- Fix utf8 handling in 'pass' renderer and make it more robust
- Added:
  * fix-tests-to-make-them-running-with-salt-testsuite.patch
  * zypper-pkgrepo-alreadyconfigured-585.patch
  * fix-regression-multiple-values-for-keyword-argument-.patch
  * mark-salt-3006-as-released-586.patch
  * fix-utf8-handling-in-pass-renderer-and-make-it-more-.patch
  * do-not-fail-on-bad-message-pack-message-bsc-1213441-.patch
  * prevent-possible-exceptions-on-salt.utils.user.get_g.patch
  * make-sure-configured-user-is-properly-set-by-salt-bs.patch
  * fix-the-regression-of-user.present-state-when-group-.patch
spacewalk-certs-tools
- version 4.3.19-1
  * Support EC Cryptography with mgr-ssl-cert-setup
  * mgr-ssl-cert-setup: store CA certificate in database
    (bsc#1212856)
spacewalk-client-tools
- version 4.3.16-1
  * Update translation strings
python-urllib3
- Add CVE-2023-45803.patch (bsc#1216377, CVE-2023-45803)
  gh#urllib3/urllib3@4e98d57809da

- Add CVE-2023-43804.patch (bsc#1215968, CVE-2023-43804)
  gh#urllib3/urllib3#3139
  * Added the Cookie header to the list of headers to strip from
    requests when redirecting to a different host. As before,
    different headers can be set via Retry.remove_headers_on_redirect.
uyuni-common-libs
- version 4.3.9-1
  * Workaround for python3-debian bug about collecting control
    file (bsc#1211525, bsc#1208692)
release-notes-susemanager
- Update to SUSE Manager 4.3.9
  * Debian 12 support as client
  * New Update Notification (jsc#SUMA-111)
  * Monitoring: Grafana upgraded to 9.5.8
  * Update 'saltkey' endpoints to accept GET instead of POST
  * CVEs fixed
    CVE-2023-34049
  * Bugs mentioned
    bsc#1204270, bsc#1211047, bsc#1211145, bsc#1211270, bsc#1211912
    bsc#1212168, bsc#1212507, bsc#1213132, bsc#1213376, bsc#1213469
    bsc#1213680, bsc#1213689, bsc#1214041, bsc#1214121, bsc#1214463
    bsc#1214553, bsc#1214746, bsc#1215027, bsc#1215120, bsc#1215412
    bsc#1215514, bsc#1216661, bsc#1215157

- Update to SUSE Manager 4.3.8.2
  * Bugs mentioned
    bsc#1215857, bsc#1210253, bsc#1215820

- Update to SUSE Manager 4.3.8.1
  * Fix the link issue for PAYG guide

- Update to SUSE Manager 4.3.8
  * Important Salt minion update
  * SUSE Manager Pay-as-you-go (PAYG)
  * Automated RHUI credential update
  * Monitoring: Prometheus upgraded to 2.45.0
  * Monitoring: Apache exporter updated to version 1.0.0
  * Expose lastBuildDate property (last build/promote date of an
    environment) through contentlifecycle API (jsc#SUMA-280)
  * Add saltboot redeploy and repartition based on pillars
    (jsc#SUMA-158)
  * CVEs fixed
    CVE-2023-29409, CVE-2023-20897, CVE-2023-20898
  * Bugs mentioned
    bsc#1207330, bsc#1208692, bsc#1210935, bsc#1211525, bsc#1211874
    bsc#1211884, bsc#1212246, bsc#1212730, bsc#1212814, bsc#1212827
    bsc#1212856, bsc#1212943, bsc#1213009, bsc#1213077, bsc#1213288
    bsc#1213445, bsc#1213675, bsc#1213716, bsc#1213880, bsc#1214002
    bsc#1214121, bsc#1214124, bsc#1214187, bsc#1214266, bsc#1214280
    bsc#1214889, bsc#1214982, bsc#1215352, bsc#1215362, bsc#1215497
    bsc#1193948, bsc#1214797, bsc#1213441, bsc#1214796, bsc#1213469
    bsc#1215413, bsc#1215756
rsyslog
- fix rsyslog crash in imrelp (bsc#1210286)
  * add: 0001-Avoid-crash-on-restart-in-imrelp-SIGTTIN-handler.patch
runc
- Update to runc v1.1.9. Upstream changelog is available from
  <https://github.com/opencontainers/runc/releases/tag/v1.1.9>.

- Update to runc v1.1.8. Upstream changelog is available from
  <https://github.com/opencontainers/runc/releases/tag/v1.1.8>.
samba
- CVE-2023-4091: samba: Client can truncate file with read-only
  permissions; (bsc#1215904); (bso#15439).
- CVE-2023-42669: samba: rpcecho, enabled and running in AD DC,
  allows blocking sleep on request; (bso#1215905); (bso#15474).
- CVE-2023-4154: samba: dirsync allows SYSTEM access with only
  "GUID_DRS_GET_CHANGES" right, not "GUID_DRS_GET_ALL_CHANGES;
  (bsc#1215908); (bso#15424).

- Move libcluster-samba4.so from samba-libs to samba-client-libs;
  (bsc#1213940);
000release-packages:sle-module-basesystem-release
n/a
000release-packages:sle-module-containers-release
n/a
000release-packages:sle-module-public-cloud-release
n/a
000release-packages:sle-module-server-applications-release
n/a
000product:sle-module-suse-manager-server-release
n/a
000release-packages:sle-module-web-scripting-release
n/a
smdba
- Version 1.7.12
  * re-use configured max_connection value
  * keep previous selected value for SSD configuration
spacecmd
- version 4.3.24-1
  * Change default scheduler from (none) to (system)

- version 4.3.23-1
  * Update translation strings
spacewalk-admin
- version 4.3.13-1
  * Integrate instance-flavor-check to detect if the instance is
    Pay-as-you-go
  * Add checks for csp-billing-adapter in case of a Pay-as-you-go
    instance
spacewalk-backend
- version 4.3.24-1
  * Only show missing /root/.curlrc error with log_level = 5 (bsc#1212507)

- version 4.3.23-1
  * Use a constant to get the product name in python code rather
    than reading rhn.conf (bsc#1212943)
  * Add key import debug logging to reposync (bsc#1213675)
  * Add hint about missing auth header for Pay-as-you-go
    instances (bsc#1213445)
  * rhn-ssl-dbstore read CA from STDIN (bsc#1212856)
  * Implement new RHUI support in reposync
spacewalk-web
- version 4.3.35-1
  * Add missing translation wrappers for Salt formula catalog
  * Shows a notification when an update for SUSE Manager is available

- version 4.3.34-1
  * Fix datetimepicker erroneously updating the date field (bsc#1210253, bsc#1215820)

- version 4.3.33-1
  * Update the messages after syncing the products
  * Fix issue that prevented to delete credentials
  * Add warning message in login UI for Pay-as-you-go with SCC
    credentials and no forward registration.
  * Hide SSH info for `localhost` in Pay-as-you-go section
  * Integrate @formatjs/intl as a replacement for t()
  * Fix link interpolation in message maps
spacewalk-config
- version 4.3.12-1
  * Handle spaces in /ks/dist/ file names (bsc#1213680)

- version 4.3.11-1
  * Allow calling instance-flavor-check via sudo
spacewalk-java
- version 4.3.68-1
  * Sync GPG properties on each build in CLM (bsc#1213689)
  * Change list endpoints in saltkey namespace to accept GET
    requests instead of POST (bsc#1214463)
  * Respect user email preferences when sending 'user creation' emails (bsc#1214553)
  * Fix server error when visiting the notifications page
  * Fixed the value of the advisory release for Ubuntu erratas
  * Restart the bunch from where it was interrupted when rescheduling
  * Moved the Ubuntu errata processing in its own separate taskomatic
    task (bsc#1211145)
  * Stop the taskomatic bunch execution if it was not possible to
    execute one of the tasks
  * Add detection of Debian 12
  * Implement different way to copy data for SystemPackageUpdate
    report database table (bsc#1211912)
  * Avoid SCC credentials check if `server.susemanager.fromdir` is
    set (bsc#1211270)
  * Fix bug about listing Ansible inventories (bsc#1213132)
  * Remove SUSE Manager proxy 4.2 product channel for PAYG
    instance (bsc#1215412)
  * Show a notification when an update for SUSE Manager is available
  * Optimize memory usage in UbuntuErrataManager
  * Handle spaces in /ks/dist/ file names (bsc#1213680)
  * Change default scheduler from (none) to (system)
  * Set user for package list refresh action if possible
  * Fix recurring state execution not using the correct order (bsc#1215027)
  * Ignore mandatory channels results that don't match list of channels (bsc#1204270)
  * Token cleanup process removing invalid tokens using sql query (bsc#1213376)
  * Fix failed actions rescheduling (bsc#1214121)
  * Fix unscheduling actions when the trigger name changed after retry (bsc#1214121)
  * Improve Taskomatic by removing invalid triggers before starting and enhancing logs
  * Revert action executor fix that was intended to prevent blocking of Taskomatic threads (bsc#1214121)
  * Extend success message after adding monitoring property (bsc#1212168)

- version 4.3.67-1
  * Do not call SCC when updating the repositories authentication
    for PAYG (bsc#1215857)

- version 4.3.66-1
  * Fix RHUI support for RHEL 7 clients (bsc#1215756)

- version 4.3.65-1
  * Combine the PAYG credentials and the repository paths when they
    collide (bsc#1215413)

- version 4.3.64-1
  * Fix token issue with cloned deb channels (bsc#1214982)
  * Fix PAYG credentials extraction for SLES 12 clients (bsc#1215352)
  * Improved detection of the best authentication for accessing a
    repository in case of PAYG credentials (bsc#1215362)
  * Do not warn about missing Client Tools Channel subscription in a
    PAYG environment

- version 4.3.63-1
  * Fix X-Instance-Identifier header when doing a product refresh
    at Cloud RMT Server (bsc#1214889)

- version 4.3.62-1
  * Add environment build/promote date to CLM API output
    (jsc#SUMA-280)
  * Call mgr-libmod with its absolute path
  * Introduce new API to update the products page metadata
  * Extract additional authentication information needed for
    Pay-as-you-go
  * Fix handling of null credentials in RMT credentials check
  * Integrate instance-flavor-check to detect if the instance is
    Pay-as-you-go
  * Add rule to count only servers with SUSE Manager Tools as
    managed clients
  * Create flag to disable update status (bsc#1212730)
  * Fix syntax error in sql query for source package search
  * Catch exceptions and log a message when mailer setup failed
    (bsc#1213009)
  * Fix logging of libraries using apache-commons-logging
  * Invalidate Pay-as-you-go client credentials after repeated
    connection failure (bsc#1213445)
  * Restrict product migrations for Pay-as-you-go
  * Add warning message in login UI for Pay-as-you-go with SCC
    credentials and no forward registration.
  * Restrict cloning channels under different product channels for
    Pay-as-you-go
  * Avoid sending data to SCC about Pay-as-you-go instances
  * Add saltboot redeploy and repartition based on pillars
    (jsc#SUMA-158)
  * Add system pillar API access {get|set}Pillar
  * Consider the venv-salt-minion package update as Salt update to
    prevent backtraces on upgrading Salt with itself (bsc#1211884)
  * Fix processing of pkg.purged results (bsc#1213288)
  * Fix Null Pointer Exception in auth endpoint when an empty body
    is provided
  * Do not ignore scheduling error in Taskomatic
  * Add compliance checks when running as PAYG
  * Add RHUI support to Pay-as-you-go connection feature
  * Fix debian Packages file generation (bsc#1213716)
  * Fix action executor to prevent blocking Taskomatic for actions
    that are already finished (bsc#1214121)
  * Fix detection in case RHEL-based products (bsc#1214280)
  * Improve error message when instance-flavor-check tool is not
    installed
  * Fix auto product refresh in case of SUSE Manager Pay-as-you-go
    Server
  * Optimize org channel accessibility query (bsc#1211874)
  * Check csp billing adapter status
spacewalk-setup
- version 4.3.18-1
  * Do not rely on rpm runtime status, rather check rhn.conf if is
    configured (bsc#1210935)
  * Remove storing CA in DB directly as it is now part of
    mgr-ssl-cert-setup (bsc#1212856)
spacewalk-utils
- version 4.3.18-1
  * Add Debian 12 repositories
supportutils-plugin-susemanager
- version 4.3.9-1
  * Add cloud and Pay-as-you-go checks
  * Write configured crypto-policy in supportconfig
supportutils
- Changes in version 3.1.26
  + powerpc plugin to collect the slots and active memory (bsc#1210950)
  + A Cleartext Storage of Sensitive Information vulnerability CVE-2022-45154
  + supportconfig: collect BPF information (pr#154)
  + Added additional iscsi information (pr#155)

- Added run time detection (bsc#1213127)

- ha_info sle15 uses /var/log/pacemaker/ (pq#153)

- Changes for supportutils version 3.1.25
  + Removed iSCSI passwords CVE-2022-45154 (bsc#1207598)
  + powerpc: Collect lsslot,amsstat, and opal elogs (pr#149)
  + powerpc: collect invscout logs (pr#150)
  + powerpc: collect RMC status logs (pr#151)
  + Added missing nvme nbft commands (bsc#1211599)
  + Fixed invalid nvme commands (bsc#1211598)
  + Added missing podman information (PED-1703, bsc#1181477)
  + Removed dependency on sysfstools
  + Check for systool use (bsc#1210015)
  + Added selinux checking (bsc#1209979)
  + Updated SLES_VER matrix

- Fixed missing status detail for apparmor (bsc#1196933)
- Corrected invalid argument list in docker.txt (bsc#1206608)
- Applies limit equally to sar data and text files (bsc#1207543)
- Collects hwinfo hardware logs (bsc#1208928)
- Collects lparnumascore logs (issue#148)

- Add dependency to `numactl` on ppc64le and `s390x`, this enforces
  that `numactl --hardware` data is provided in supportconfigs

- Changes to supportconfig.rc version 3.1.11-35
  + Corrected _sanitize_file to include iscsi.conf and others (bsc#1206402)

- Changes to supportconfig version 3.1.11-46.4
  + Added plymouth_info

- Changes to getappcore version 1.53.02
  + The location of chkbin was updated earlier. This documents that
    change (bsc#1205533, bsc#1204942)
suse-build-key
- add and run a import-suse-build-key scripts, this will be ran
  after installation with libzypp based installers. (jsc#PED-2777)
suse-module-tools
- Update to version 15.4.18:
  * blacklist RNDIS modules (bsc#1205767, jsc#PED-5731, CVE-2023-23559)
  * modprobe.d: Blacklist cls_tcindex module (bsc#1210335, CVE-2023-1829)
  (note: this is not a full fix for that CVE)

- Update to version 15.4.17:
  * cert-script: warn only once about non-writable efivarfs
  * cert-script: skip cert handling if efivarfs is not writable
    (bsc#1213428, bsc#1201066)
susemanager-docs_en
- Removed technical preview statement about Ansible in Administration
  Guide (bsc#1216661)
- Replaced "Quick Start: Public Cloud" with "Public Cloud Guide" in
  Specialized Guides
- Changed Proxy base system version number in the installation
  description to version 15 SP4 (bsc#1213469)
- Added comment about SCC subscription to Administration Guide
  (bsc#1211270)
- Added Debian 12 as supported client in Client Configuration Guide
- Fixed over-long table issue in openSCAP chapter in
  Administration Guide
- Update Hardware Requirements section about disk space for
  /var/spacewalk in the Installation and Upgrade Guide
- Documented disabling automatic channel selection for cloned
  channels in Content Lifecycle Management chapter of
  Administration Guide (bsc#1211047)
- Fixed broken links and references in the Image building file in
  Administration Guide
- Updated autoinstallation chapter in Client Configuration Guide
  about buildiso command in the context of Cobbler
- Removed end-of-life openSUSE Leap clients from the support matrix
  in the Client Configuration Guide
- Added note about Jinja templating for configuration files
  management on Salt Clients in Client Configuration Guide
- Fixed DHCP example for Cobbler autoinstallation and added one
  per architecture in Client Configuration Guide (bsc#1214041)

- Base server version corrected in the Installation and Upgrade
  Guide (bsc#1213469)
- Improved Red Hat Update Infrastructure documentation (bsc#1215373)
- Added background information on Ansible playbooks in the Ansible
  chapter in Administration Guide (bsc#1213077)
- Added Best practices and image pillars files to Retail Guide
- Added a warning about channel synchronization failure because of
  invalidated credentials in Connect Pay-as-you-go instance section
  of the Installation and Upgrade Guide
- Added detailed information about all supported SUSE Linux
  Enterprise Micro versions
- Updated Ansible chapter in Administration Guide for clarity
  (bsc#1213077)
- Added Saltboot redeployment subchapter in the Retail Guide
- Added a note for SUSE Linux Enterprise Micro clients only having
  Node and Blackbox exporter for monitoring available, in the
  Administration Guide (bsc#1212246)
- Removed the step calling rhn-ssl-dbstore from the SSL setup as it
  is now integrated into mgr-ssl-cert-setup in Administration Guide
- Added a workflow describing channel removal to the Common
  Workflows Guide
- Minimal memory requirement is now 16 GB for a SUSE Manager Server
  installation
- Listed supported key types for SSL certificates in Import SSL
  Certificates section of the Administation Guide
- Fixed Ubuntu channel names in Ubuntu chapter of the Client
  Configuration Guide (bsc#1212827)
- Typo correction for cobbler buildiso command in Client Configuration
  Guide
- Replaced plain text with dedicated attribute for AutoYaST
- Changed filename for configuring Tomcat memory usage in Specialized
  Guides (bsc#1212814)
susemanager-schema
- version 4.3.21-1
  * Add index on server needed cache to improve performance for some queries (bsc#1211912)
  * Moved the Ubuntu errata processing in its own separate taskomatic
    task (bsc#1211145)

- version 4.3.20-1
  * Add new credentials type RHUI
  * Store the Pay-as-you-go products
susemanager-sls
- version 4.3.36-1
  * Do not install instance-flavor-check tool on openSUSE

- version 4.3.35-1
  * Integrate instance-flavor-check to detect if the instance is
    Pay-as-you-go
  * Do not disable salt-minion on salt-ssh managed clients
  * Keep original traditional stack tools for RHEL7 RHUI connection
  * Include automatic migration from Salt 3000 to Salt Bundle in
    highstate
  * Use recurse stratedy to merge formula pillar with existing
    pillars
  * Mask Uyuni roster module password on logs
susemanager-sync-data
- version 4.3.13-1
  * Add OES2023.4 (bsc#1215514)
  * Add Debian 12 amd64
susemanager
- version 4.3.32-1
  * Add bootstrap repository definition for OES2023.4 (bsc#1215514)
  * Add bootstrap repository definitions for Debian 12
  * Fix SLES 15 for SAP not being listed in mgr-create-bootstrap-repo (bsc#1215120)
  * Add missing PKGLIST15_TRAD for SLES 15 SAP mgr-create-bootstrap-repo entries (bsc#1215120)
  * Fix possible permission issues with database migration script (bsc#1214746)

- version 4.3.31-1
  * Require LTSS channel for SUSE Manager Proxy 4.2 (bsc#1214187)
systemd-rpm-macros
- Bump version to 14

- Switch to `systemd-hwdb` tool when updating the HW database. It's been
  introduced in systemd v219 and replaces the deprecated command `udevadm hwdb`.
tomcat
- Update to Tomcat 9.0.82
  * Catalina
    + Add: 65770: Provide a lifecycle listener that will
    automatically reload TLS configurations a set time before the
    certificate is due to expire. This is intended to be used with
    third-party tools that regularly renew TLS certificates.
    + Fix: Fix handling of an error reading a context descriptor on
    deployment.
    + Fix: Fix rewrite rule qsd (query string discard) being ignored
    if qsa was also use, while it should instead take precedence.
    + Fix: 67472: Send fewer CORS-related headers when CORS is not
    actually being engaged.
    + Add: Improve handling of failures within recycle() methods.
  * Coyote
    + Fix: 67670: Fix regression with HTTP compression after code
    refactoring.
    + Fix: 67198: Ensure that the AJP connector attribute
    tomcatAuthorization takes precedence over the
    tomcatAuthentication attribute when processing an auth_type
    attribute received from a proxy server.
    + Fix: 67235: Fix a NullPointerException when an AsyncListener
    handles an error with a dispatch rather than a complete.
    + Fix: When an error occurs during asynchronous processing,
    ensure that the error handling process is only triggered once
    per asynchronous cycle.
    + Fix: Fix logic issue trying to match no argument method in
    IntropectionUtil.
    + Fix: Improve thread safety around readNotify and writeNotify
    in the NIO2 endpoint.
    + Fix: Avoid rare thread safety issue accessing message digest
    map.
    + Fix: Improve statistics collection for upgraded connections
    under load.
    + Fix: Align validation of HTTP trailer fields with standard
    fields.
    + Fix: Improvements to HTTP/2 overhead protection (bsc#1216182,
    CVE-2023-44487)
  * jdbc-pool
    + Fix: 67664: Correct a regression in the clean-up of
    unnecessary use of fully qualified class names in 9.0.81
    that broke the jdbc-pool.
  * Jasper
    + Fix: 67080: Improve performance of EL expressions in JSPs that
    use implicit objects

- Update to Tomcat 9.0.80
  * Catalina
    + Add RateLimitFilter which can be used to mitigate DoS and
    Brute Force attacks
    + Move the management of the utility executor from the
    init()/destroy() methods of components to the start()/stop()
    methods.
    + Add org.apache.catalina.core.StandardVirtualThreadExecutor,
    a virtual thread based executor that may be used with one or
    more Connectors to process requests received by those
    Connectors using virtual threads. This Executor requires a
    minimum Java version of Java 21.
    + 66513: Add a per session Semaphore to the PersistentValve that
    ensures that, within a single Tomcat instance, there is no
    more than one concurrent request per session. Also expand the
    debug logging to include whether a request bypasses the Valve
    and the reason if a request fails to obtain the per session
    Semaphore.
    + 66609: Ensure that the default servlet correctly escapes file
    names in directory listings when using XML output.
    + 66618: Add a numeric last modified field to the XML directory
    listings produced by the default servlet to enable sorting in
    the XSLT.
    + 66621: Attempts to lock a collection with WebDAV may
    incorrectly fail if a child collection has an expired lock.
    + 66622: Deprecate the xssProtectionEnabled setting from the
    HttpHeaderSecurityFilter and change the default value to false
    as support for the associated HTTP header has been removed
    from all major browsers.
    + 59232: Add org.apache.catalina.core.ContextNamingInfoListener,
    a listener which creates context naming information
    environment entries.
    + 66665: Add
    org.apache.catalina.core.PropertiesRoleMappingListener, a
    listener which populates the context's role mapping from a
    properties file.
    + Fix an edge case where intra-web application symlinks would be
    followed if the web applications were deliberately crafted to
    allow it even when allowLinking was set to false.
    + Add utility config file resource lookup on Context to allow
    looking up resources from the webapp (prefixed with webapp:)
    and make the resource lookup API more visible.
    + Fix potential database connection leaks in
    DataSourceUserDatabase identified by Coverity Scan.
    + Make parsing of ExtendedAccessLogValve patterns more robust.
    + Fix failure trying to persist configuration for an internal
    credential handler.
    + 66680: When serializing a session during the session
    presistence process, do not log a warning that null Principals
    are not serializable.
    + Catch NamingException in JNDIRealm#getPrincipal. It is used in
    Java up to 17 to signal closed connections.
    + 66822: Use the same naming format in log messages for
    Connector instances as the associated ProtocolHandler instance.
    + The parts count should also lower the actual maxParameterCount
    used for parsing parameters if parts are parsed first.
    + If an application or library sets both a non-500 error code
    and the javax.servlet.error.exception request attribute, use
    the provided error code during error page processing rather
    than assuming an error code of 500.
    + Update code comments and Tomcat output to use MiB for
    1024 * 1024 bytes and KiB for 1024 bytes rather than
    MB and kB.
    + Avoid protocol relative redirects in FORM authentication
    (CVE-2023-41080, bsc#1214666).
  * Coyote
    + Update the HTTP/2 implementation to use the prioritization
    scheme defined in RFC 9218 rather than the one defined in
    RFC 7540.
    + 66602: not sending WINDOW_UPDATE when dataLength is ZERO on
    call SwallowedDataFramePayload.
    + 66627: Restore the documented behaviour of
    MessageBytes.getType() that it returns the type of the
    original content rather than reflecting the most recent
    conversion.
    + 66635: Correct certificate logging on start-up so it
    differentiates between keystore based keys/certificates and
    PEM file based keys/certificates and logs the relevant
    information for each.
    + Refactor blocking reads and writes for the NIO connector to
    remove code paths that could allow a notification from the
    Poller to be missed resuting in a timeout rather than the
    expected read or write.
    + Refactor waiting for an HTTP/2 stream or connection window
    update to handle spurious wake-ups during the wait.
    + Correct a regression introduced in 9.0.78 and use the correct
    constant when constructing the default value for the
    certificateKeystoreFile attribute of an
    SSLHostConfigCertificate instance.
    + Refactor HTTP/2 implementation to reduce pinning when using
    virtual threads.
    + Pass through ciphers referring to an OpenSSL profile, such as
    PROFILE=SYSTEM instead of producing an error trying to parse
    it.
    + 66841: Ensure that AsyncListener.onError() is called after an
    error during asynchronous processing with HTTP/2.
    + 66842: When using asynchronous I/O (the default for NIO and
    NIO2), include DATA frames when calculating the HTTP/2
    overhead count to ensure that connections are not prematurely
    terminated.
    + Correct a race condition that could cause spurious RST
    messages to be sent after the response had been written to an
    HTTP/2 stream.
  * WebSocket
    + 66548: Expand the validation of the value of the
    Sec-Websocket-Key header in the HTTP upgrade request that
    initiates a WebSocket connection. The value is not decoded but
    it is checked for the correct length and that only valid
    characters from the base64 alphabet are used.
    + Improve handling of error conditions for the WebSocket server,
    particularly during Tomcat shutdown.
    + Correct a regression in the fix for 66574 that meant the
    WebSocket session could return false for onOpen() before the
    onClose() event had been completed.
    + 66681: Fix a NullPointerException when flushing batched
    messages with compression enabled using permessage-deflate.
  * Web applications
    + Documentation. Expand the security guidance to cover the
    embedded use case and add notes on the uses made of the
    java.io.tmpdir system property.
    + 66662: Documentation. Fix a typo in the name of the algorithms
    attribute in the configuration section for the Digest
    authentication value.
    + Documentation. Update documentation to use MiB for
    1024 * 1024 bytes and KiB for 1024 bytes rather than
    MB and kB.
  * jdbc-pool
    + Fix the releaseIdleCounter does not increment when testAllIdle
    releases them.
    + Fix the ConnectionState state will be inconsistent with actual
    state on the connection when an exception occurs while
    writing.
  * Other
    + Update to Commons Daemon 1.3.4.
    + Improvements to French translations.
    + Update Checkstyle to 10.12.0.
    + Update the packaged version of the Apache Tomcat Native
    Library to 1.2.37 to pick up the Windows binaries built with
    with OpenSSL 1.1.1u.
    + Include the Windows specific binary distributions in the files
    uploaded to Maven Central.
    + Improvements to French translations.
    + Improvements to Japanese translations.
    + Update UnboundID to 6.0.9.
    + Update Checkstyle to 10.12.1.
    + Update BND to 6.4.1.
    + Update JSign to 5.0.
    + Correct properties for JSign dependency.
    + Align documentation for maxParameterCount to match hard-coded
    defaults.
    + Update NSIS to 3.0.9.
    + Update Checkstyle to 10.12.2.
    + Improvements to French translations.
    + Improvements to Japanese translations.
    + 66829: Fix quoting so users can use the _RUNJAVA environment
    variable as intended on Windows when the path to the Java
    executable contains spaces.
    + Update Tomcat Native to 1.2.38 to pick up Windows binaries
    built with OpenSSL 1.1.1v.
    + Improvements to Chinese translations.
    + Improvements to French translations.
    + Improvements to Japanese translations
- Removed patch:
  * tomcat-9.0.75-CVE-2023-41080.patch
    + integrated in this version

- Fixed CVEs:
  * CVE-2023-41080: Avoid protocol relative redirects in FORM authentication. (bsc#1214666)
- Added patches:
  * tomcat-9.0.75-CVE-2023-41080.patch

- Modified patch:
  * tomcat-9.0-osgi-build.patch
    + make it more robust to change in number of artifacts in bnd
    + do not enumerate jars, just take all jars from the aqute-bnd
    directory into the classpath

- Require(pre) shadow because groupadd is needed early
vim
- Updated to version 9.0 with patch level 1894, fixes the following security problems
  * Fixing bsc#1214922 (CVE-2023-4738) - VUL-0: CVE-2023-4738: vim: heap-buffer-overflow in vim_regsub_both
  * Fixing bsc#1214924 (CVE-2023-4735) - VUL-0: CVE-2023-4735: vim: OOB Write ops.c
  * Fixing bsc#1214925 (CVE-2023-4734) - VUL-0: CVE-2023-4734: vim: segmentation fault in function f_fullcommand
  * Fixing bsc#1215004 (CVE-2023-4733) - VUL-0: CVE-2023-4733: vim: use-after-free in function buflist_altfpos
  * Fixing bsc#1215006 (CVE-2023-4752) - VUL-0: CVE-2023-4752: vim: Heap Use After Free in function ins_compl_get_exp
  * Fixing bsc#1215033 (CVE-2023-4781) - VUL-0: CVE-2023-4781: vim: heap-buffer-overflow in function vim_regsub_both
- drop patches: disable-unreliable-tests.patch
    ignore-flaky-test-failure.patch
    vim-8.1.0297-dump3.patch
- droped %check - most of tests didn't work correctly in OBS
    and maitenace burden of this was getting too big
- for the complete list of changes see
  https://github.com/vim/vim/compare/v9.0.1632...v9.0.1894

- Use app icon generated from vimlogo.eps in source tarball; add
  higher res icons of sizes 128, 256, and 512px as png sources.
  Our current icons deviate from upstream flatpaks for example.
- Updated to version 9.0 with patch level 1632
- for the complete list of changes see
  https://github.com/vim/vim/compare/v9.0.1443...v9.0.1632
xen
- bsc#1216807 - VUL-0: CVE-2023-46836: xen: x86: BTC/SRSO fixes not
  fully effective (XSA-446)
  xsa446.patch

- bsc#1216654 - VUL-0: CVE-2023-46835: xen: x86/AMD: mismatch in
  IOMMU quarantine page table levels (XSA-445)
  xsa445.patch

- bsc#1215145 - VUL-0: CVE-2023-34322: xen: top-level shadow
  reference dropped too early for 64-bit PV guests (XSA-438)
  650abbfe-x86-shadow-defer-PV-top-level-release.patch
- bsc#1215474 - VUL-0: CVE-2023-20588: xen: AMD CPU transitional
  execution leak via division by zero (XSA-439)
  64e5b4ac-x86-AMD-extend-Zenbleed-check.patch
  65087000-x86-spec-ctrl-SPEC_CTRL_EXIT_TO_XEN-confusion.patch
  65087001-x86-spec-ctrl-fold-DO_SPEC_CTRL_EXIT_TO_XEN.patch
  65087002-x86-spec-ctrl-SPEC_CTRL-ENTRY-EXIT-asm-macros.patch
  65087003-x86-spec-ctrl-SPEC_CTRL-ENTER-EXIT-comments.patch
  65087004-x86-entry-restore_all_xen-stack_end.patch
  65087005-x86-entry-track-IST-ness-of-entry.patch
  65087006-x86-spec-ctrl-VERW-on-IST-exit-to-Xen.patch
  65087007-x86-AMD-Zen-1-2-predicates.patch
  65087008-x86-spec-ctrl-Zen1-DIV-leakage.patch
- bsc#1215746 - VUL-0: CVE-2023-34326: xen: x86/AMD: missing IOMMU
  TLB flushing (XSA-442)
  65263470-AMD-IOMMU-flush-TLB-when-flushing-DTE.patch
- bsc#1215747 - VUL-0: CVE-2023-34325: xen: Multiple
  vulnerabilities in libfsimage disk handling (XSA-443)
  65263471-libfsimage-xfs-remove-dead-code.patch
  65263472-libfsimage-xfs-amend-mask32lo.patch
  65263473-libfsimage-xfs-sanity-check-superblock.patch
  65263474-libfsimage-xfs-compile-time-check.patch
  65263475-pygrub-remove-unnecessary-hypercall.patch
  65263476-pygrub-small-refactors.patch
  65263477-pygrub-open-output-files-earlier.patch
  65263478-libfsimage-function-to-preload-plugins.patch
  65263479-pygrub-deprivilege.patch
  6526347a-libxl-allow-bootloader-restricted-mode.patch
  6526347b-libxl-limit-bootloader-when-restricted.patch
- bsc#1215748 - VUL-0: CVE-2023-34327,CVE-2023-34328: xen: x86/AMD:
  Debug Mask handling (XSA-444)
  6526347c-SVM-fix-AMD-DR-MASK-context-switch-asymmetry.patch
  6526347d-x86-PV-auditing-of-guest-breakpoints.patch
- Upstream bug fixes (bsc#1027519)
  64e6459b-revert-VMX-sanitize-rIP-before-reentering.patch
  64eef7e9-x86-reporting-spurious-i8259-interrupts.patch
  64f71f50-Arm-handle-cache-flush-at-top.patch
  65084ba5-x86-AMD-dont-expose-TscFreqSel.patch
- Patches dropped / replaced by newer upstream versions
  xsa438.patch
  xsa439-00.patch
  xsa439-01.patch
  xsa439-02.patch
  xsa439-03.patch
  xsa439-04.patch
  xsa439-05.patch
  xsa439-06.patch
  xsa439-07.patch
  xsa439-08.patch
  xsa439-09.patch
  xsa442.patch
  xsa443-01.patch
  xsa443-02.patch
  xsa443-03.patch
  xsa443-04.patch
  xsa443-05.patch
  xsa443-06.patch
  xsa443-07.patch
  xsa443-08.patch
  xsa443-09.patch
  xsa443-10.patch
  xsa443-11.patch
  xsa444-1.patch
  xsa444-2.patch

- bsc#1215744 - VUL-0: CVE-2023-34323: xen: xenstored: A
  transaction conflict can crash C Xenstored (XSA-440)
  xsa440.patch
- bsc#1215746 - VUL-0: CVE-2023-34326: xen: x86/AMD: missing IOMMU
  TLB flushing (XSA-442)
  xsa442.patch
- bsc#1215747 - VUL-0: CVE-2023-34325: xen: Multiple
  vulnerabilities in libfsimage disk handling (XSA-443)
  xsa443-01.patch
  xsa443-02.patch
  xsa443-03.patch
  xsa443-04.patch
  xsa443-05.patch
  xsa443-06.patch
  xsa443-07.patch
  xsa443-08.patch
  xsa443-09.patch
  xsa443-10.patch
  xsa443-11.patch
- bsc#1215748 - VUL-0: CVE-2023-34327,CVE-2023-34328: xen: x86/AMD:
  Debug Mask handling (XSA-444)
  xsa444-1.patch
  xsa444-2.patch

- bsc#1215474 - VUL-0: CVE-2023-20588: xen: AMD CPU transitional
  execution leak via division by zero (XSA-439)
  xsa439-00.patch
  xsa439-01.patch
  xsa439-02.patch
  xsa439-03.patch
  xsa439-04.patch
  xsa439-05.patch
  xsa439-06.patch
  xsa439-07.patch
  xsa439-08.patch
  xsa439-09.patch

- bsc#1215145 - VUL-0: CVE-2023-34322: xen: top-level shadow
  reference dropped too early for 64-bit PV guests (XSA-438)
  xsa438.patch

- Handle potential unaligned access to bitmap in
  libxc-sr-restore-hvm-legacy-superpage.patch
  If setting BITS_PER_LONG at once, the initial bit must be aligned
zypper
- Fix name of the bash completion script (bsc#1215007)
  In 1.14.63 the location of the bash completion script was changed
  to /usr/share/bash-completion/completions/. But the patch failed
  to also rename the completion script. The original script name
  zypper.sh is not recognized at the new location.
- Update notes about failing signature checks (bsc#1214395)
  It might be a transient issue if the server is in the midst of
  receiving new data. Retry after a few minutes might work.
- Improve the SIGINT handler to be signal safe (bsc#1214292)
  This patch updates the SIGINT handling strategy to be signal
  safe. Meaning the signal handler will do not much more than
  setting a flag, which we are going to check in the normal program
  flow as much as possible.
- version 1.14.64