apache2
- Apply fix for CVE-2024-40725, bsc#1228097.
  Patch file added:
  * apache2-CVE-2024-40725.patch

- Apply fix for CVE-2024-39884, bsc#1227353.
  Patch file added:
  * apache2-CVE-2024-39884.patch

- Apply fix for CVE-2024-38474, bsc#1227278.
  Patch file added:
  * apache2-CVE-2024-38474.patch
- Apply fix for CVE-2024-38473, bsc#1227276.
  Patch files added:
  * apache2-CVE-2024-38473-1.patch
  * apache2-CVE-2024-38473-2.patch
  * apache2-CVE-2024-38473-3.patch
  * apache2-CVE-2024-38473-4.patch
bash
- Add patch boo1227807.patch
  * Load completion file eveh if a brace expansion is in the
    command line included (boo#1227807)
bind
- Update to release 9.16.50
  Bug Fixes:
  * A regression in cache-cleaning code enabled memory use to grow
    significantly more quickly than before, until the configured
    max-cache-size limit was reached. This has been fixed.
  * Using rndc flush inadvertently caused cache cleaning to become
    less effective. This could ultimately lead to the configured
    max-cache-size limit being exceeded and has now been fixed.
  * The logic for cleaning up expired cached DNS records was
    tweaked to be more aggressive. This change helps with enforcing
    max-cache-ttl and max-ncache-ttl in a timely manner.
  * It was possible to trigger a use-after-free assertion when the
    overmem cache cleaning was initiated. This has been fixed.
  New Features:
  * Added RESOLVER.ARPA to the built in empty zones.
- Security Fixes:
  * It is possible to craft excessively large numbers of resource
    record types for a given owner name, which has the effect of
    slowing down database processing. This has been addressed by
    adding a configurable limit to the number of records that can
    be stored per name and type in a cache or zone database. The
    default is 100, which can be tuned with the new
    max-types-per-name option. (CVE-2024-1737)
    [bsc#1228256, bind-9.16-CVE-2024-1737.patch]
  * Validating DNS messages signed using the SIG(0) protocol (RFC
    2931) could cause excessive CPU load, leading to a
    denial-of-service condition. Support for SIG(0) message
    validation was removed from this version of named.
    (CVE-2024-1975)
    [bsc#1228257, bind-9.16-CVE-2024-1975.patch]
  * When looking up the NS records of parent zones as part of
    looking up DS records, it was possible for named to trigger an
    assertion failure if serve-stale was enabled. This has been
    fixed. (CVE-2024-4076)
    [bsc#1228258, bind-9.16-CVE-2024-4076.patch]
binutils
- Update to current 2.43.1 branch [PED-10474]:
  * PR32109 - fuzzing problem
  * PR32083 - LTO vs overridden common symbols
  * PR32067 - crash with LTO-plugin and --oformat=binary
  * PR31956 - LTO vs wrapper symbols
  * riscv - add Zimop and Zcmop extensions
- Adjusted binutils-2.43-branch.diff.gz.

- Update to version 2.43:
  * new .base64 pseudo-op, allowing base64 encoded data as strings
  * Intel APX: add support for CFCMOV, CCMP, CTEST, zero-upper, NF
    (APX_F now fully supported)
  * x86 Intel syntax now warns about more mnemonic suffixes
  * macros and .irp/.irpc/.rept bodies can use \+ to get at number
    of times the macro/body was executed
  * aarch64: support 'armv9.5-a' for -march, add support for LUT
    and LUT2
  * s390: base register operand in D(X,B) and D(L,B) can now be
    omitted (ala 'D(X,)'); warn when register type doesn't match
    operand type (use option
    'warn-regtype-mismatch=[strict|relaxed|no]' to adjust)
  * riscv: support various extensions: Zacas, Zcmp, Zfbfmin,
    Zvfbfmin, Zvfbfwma, Smcsrind/Sscsrind, XCvMem, XCvBi, XCvElw,
    XSfCease, all at version 1.0;
    remove support for assembly of privileged spec 1.9.1 (linking
    support remains)
  * arm: remove support for some old co-processors: Maverick and FPA
  * mips: '--trap' now causes either trap or breakpoint instructions
    to be emitted as per current ISA, instead of always using trap
    insn and failing when current ISA was incompatible with that
  * LoongArch: accept .option pseudo-op for fine-grained control
    of assembly code options; add support for DT_RELR
  * readelf: now displays RELR relocations in full detail;
    add -j/--display-section to show just those section(s) content
    according to their type
  * objdump/readelf now dump also .eh_frame_hdr (when present) when
    dumping .eh_frame
  * gprofng: add event types for AMD Zen3/Zen4 and Intel Ice Lake
    processors; add minimal support for riscv
  * linker:
  - put .got and .got.plt into relro segment
  - add -z isa-level-report=[none|all|needed|used] to the x86 ELF
    linker to report needed and used x86-64 ISA levels
  - add --rosegment option which changes the -z separate-code
    option so that only one read-only segment is created (instead
    of two)
  - add --section-ordering-file <FILE> option to add extra
    mapping of input sections to output sections
  - add -plugin-save-temps to store plugin intermediate files
    permanently
- Removed binutils-2.42.tar.bz2, binutils-2.42-branch.diff.gz.
- Added binutils-2.43.tar.bz2, binutils-2.43-branch.diff.gz.
- Removed upstream patch riscv-no-relax.patch.
- Rebased ld-relro.diff and binutils-revert-rela.diff.

- binutils-pr22868.diff: Remove obsolete patch
- Undefine _FORTIFY_SOURCE when running checks

- Allow to disable profiling

- Use %patch -P N instead of deprecated %patchN.

- riscv-no-relax.patch: RISC-V: Don't generate branch/jump relocation if
  symbol is local when no-relax

- Add binutils-disable-code-arch-error.diff to demote an
  error about swapped .arch/.code directives to a warning.
  It happens in the wild.

- Update to version 2.42:
  * Add support for many aarch64 extensions: SVE2.1, SME2.1, B16B16,
  RASv2, LSE128, GCS, CHK, SPECRES2, LRCPC3, THE, ITE, D128, XS and
  flags to enable them: '+fcma', '+jscvt', '+frintts', '+flagm2',
  '+rcpc2' and '+wfxt'
  * Add experimantal support for GAS to synthesize call-frame-info for
  some hand-written asm (--scfi=experimental) on x86-64.
  * Add support for more x86-64 extensions: APX: 32 GPRs, NDD, PUSH2/POP2,
  PUSHP/POPP; USER_MSR, AVX10.1, PBNDKB, SM4, SM3, SHA512, AVX-VNNI-INT16.
  * Add support for more RISC-V extensions: T-Head v2.3.0, CORE-V v1.0,
  SiFive VCIX v1.0.
  * BPF assembler: ';' separates statements now, and does not introduce
  line comments anymore (use '#' or '//' for this).
  * x86-64 ld: Add '-z mark-plt/-z nomark-plt' to mark PLT entries with
  dynamic tags.
  * risc-v ld: Add '--[no-]check-uleb128'.
  * New linker script directive: REVERSE, to be combined with SORT_BY_NAME
  or SORT_BY_INIT_PRIORITY, reverses the generated order.
  * New linker options --warn-execstack-objects (warn only about execstack
  when input object files request it), and --error-execstack plus
  - -error-rxw-segments to convert the existing warnings into errors.
  * objdump: Add -Z/--decompress to be used with -s/--full-contents to
  decompress section contents before displaying.
  * readelf: Add --extra-sym-info to be used with --symbols (currently
  prints section name of references section index).
  * objcopy: Add --set-section-flags for x86_64 to include
  SHF_X86_64_LARGE.
  * s390 disassembly: add target-specific disasm option 'insndesc',
  as in "objdump -M insndesc" to display an instruction description
  as comment along with the disassembly.
- Add binutils-2.42-branch.diff.gz.
- Rebased s390-biarch.diff.
- Adjusted binutils-revert-hlasm-insns.diff,
  binutils-revert-plt32-in-branches.diff and binutils-revert-rela.diff
  for upstream changes.
- Removed binutils-2.41-branch.diff.gz, binutils-2.41.tar.bz2,
  binutils-2.41-branch.diff.gz.
- Removed binutils-use-less-memory.diff, binutils-old-makeinfo.diff
  and riscv-relro.patch (all upstreamed).
- Removed add-ulp-section.diff, we use a different mechanism
  for live patching since a long time.

- Add binutils-use-less-memory.diff to be a little nicer to 32bit
  userspace and huge links.  [bsc#1216908]

- riscv-relro.patch: RISC-V: Protect .got with relro

- Add libzstd-devel to Requires of binutils-devel. (bsc#1215341)
ca-certificates-mozilla
- Updated to 2.68 state of Mozilla SSL root CAs (bsc#1227525)
  - Added: FIRMAPROFESIONAL CA ROOT-A WEB
  - Distrust: GLOBALTRUST 2020

- Updated to 2.66 state of Mozilla SSL root CAs (bsc#1220356)
  Added:
  - CommScope Public Trust ECC Root-01
  - CommScope Public Trust ECC Root-02
  - CommScope Public Trust RSA Root-01
  - CommScope Public Trust RSA Root-02
  - D-Trust SBR Root CA 1 2022
  - D-Trust SBR Root CA 2 2022
  - Telekom Security SMIME ECC Root 2021
  - Telekom Security SMIME RSA Root 2023
  - Telekom Security TLS ECC Root 2020
  - Telekom Security TLS RSA Root 2023
  - TrustAsia Global Root CA G3
  - TrustAsia Global Root CA G4
  Removed:
  - Autoridad de Certificacion Firmaprofesional CIF A62634068
  - Chambers of Commerce Root - 2008
  - Global Chambersign Root - 2008
  - Security Communication Root CA
  - Symantec Class 1 Public Primary Certification Authority - G6
  - Symantec Class 2 Public Primary Certification Authority - G6
  - TrustCor ECA-1
  - TrustCor RootCert CA-1
  - TrustCor RootCert CA-2
  - VeriSign Class 1 Public Primary Certification Authority - G3
  - VeriSign Class 2 Public Primary Certification Authority - G3
- remove-trustcor.patch: removed, now upstream
- do a versioned obsoletes of "openssl-certs".
cloud-regionsrv-client
- Update to 10.3.4
  + Modify the message when network access over a specific IP version does
    not work. This is an informational message and should not look like
    an error
  + Inform the user that LTSS registration takes a little longer
  + Add fix-for-sles12-no-trans_update.patch
    + SLE 12 family has no products with transactional-update we do not
    need to look for this condition
- From 10.3.3 (bsc#1229472)
  + Handle changes in process structure to properly identify the running
    zypper parent process and only check for 1 PID
- From 10.3.2
  + Remove rgnsrv-clnt-fix-docker-setup.patch included upstream
- From 10.3.1 (jsc#PCT-400)
  + Add support for LTSS registration
  + Add fix-for-sles12-disable-registry.patch
    ~ No container support in SLE 12

- Add rgnsrv-clnt-fix-docker-setup.patch (bsc#1229137)
  + The entry for the update infrastructure registry mirror was written
    incorrectly causing docker daemon startup to fail.

- Update to version 10.3.0 (bsc#1227308, bsc#1222985)
  + Add support for sidecar registry
    Podman and rootless Docker support to set up the necessary
    configuration for the container engines to run as defined
  + Add running command as root through sudoers file

- Update to version 10.2.0 (bsc#1223571, bsc#1224014, bsc#1224016)
  + In addition to logging, write message to stderr when registration fails
  + Detect transactional-update system with read only setup and use
    the transactional-update command to register
  + Handle operation in a different target root directory for credentials
    checking
containerd
- Update to containerd v1.7.21. Upstream release notes:
  <https://github.com/containerd/containerd/releases/tag/v1.7.21>
  Fixes CVE-2023-47108. bsc#1217070
  Fixes CVE-2023-45142. bsc#1228553
- Rebase patches:
  * 0001-BUILD-SLE12-revert-btrfs-depend-on-kernel-UAPI-inste.patch
cups
- cups-branch-2.2-commit-b643d6ba92f00752aa5e74ff86ad3974334914c1.diff
  is https://github.com/OpenPrinting/cups/commit/b643d6ba92f00752aa5e74ff86ad3974334914c1
  which was added in CUPS 2.2.8 that
  fixed a parsing bug in cups_auth_find() in cups/auth.c
  which lead to cupsd failing to authenticate users
  when group membership is required by cupsd configuration
  like 'Require user @GROUP' which lead to CUPS related commands
  requesting password from group users even if it is not needed
  (bsc#1226227)
- In cups.changes replaced one place where UTF-8 characters
  were used in the entry dated "Sat Sep 30 08:52:42 UTC 2017"
  for what should be ' - ' by ASCII to avoid RPMLINT warning
  about 'non-break-space' which "can lead to obscure errors".
curl
- Make special characters in URL work with aws-sigv4 [bsc#1230516]
  * http_aws_sigv4: canonicalize the query [fc76a24c]
  * test439: verify query canonization for aws-sigv4 [65661016]
  * http_aws_sigv4: skip the op if the query pair is zero bytes [16bdc09e]
  * aws_sigv4: the query canon code miscounted URL encoded input [a1532a33]
  * http_aws_sigv4: canonicalise valueless query params [bbba69da]
  * aws-sigv4: url encode the canonical path [768909d8]
  * Add upstream patches:
  - curl-aws_sigv4-canonicalize-the-query.patch
  - curl-aws_sigv4-verify-query-canonization.patch
  - curl-aws_sigv4-skip-the-op-if-the-query-pair-is-zero-bytes.patch
  - curl-aws_sigv4-the-query-canon-code-miscounted-url-encoded-input.patch
  - curl-aws_sigv4-canonicalise-valueless-query-params.patch
  - curl-aws_sigv4-url-encode-the-canonical-path.patch

- Security fix: [bsc#1230093, CVE-2024-8096]
  * curl: OCSP stapling bypass with GnuTLS
  * Add curl-CVE-2024-8096.patch

- Security fix: [bsc#1228535, CVE-2024-7264]
  * curl: ASN.1 date parser overread
  * Add curl-CVE-2024-7264.patch
deltarpm
- update to deltarpm-3.6.5
  * support for archive files bigger than 2GByte [bnc#1230547]

- update to deltarpm-3.6.4
  * support for threaded zstd
  * use a tmp file instead of memory to hold the incore data
    [bsc#1228948]
- dropped patches:
  * deltarpm-b7987f6aa4211df3df03dcfc55a00b2ce7472e0a.patch

- deltarpm-b7987f6aa4211df3df03dcfc55a00b2ce7472e0a.patch: fixed
  some C bugs ( incorrect sized memset() , memcpy instead of strcpy,
  unsigned int)

- update to deltarpm-3.6.3
  * support for threaded zstd compression

- Actually enable zstd compression

- update to deltarpm-3.6.2
  * support for zstd compression
dmidecode
- Update to upstream version 3.6 (jsc#PED-8574):
  * Support for SMBIOS 3.6.0. This includes new memory device types, new
    processor upgrades, and Loongarch support.
  * Support for SMBIOS 3.7.0. This includes new port types, new processor
    upgrades, new slot characteristics and new fields for memory modules.
  * Add bash completion.
  * Decode HPE OEM records 197, 216, 224, 230, 238, 239, 242 and 245.
  * Implement options --list-strings and --list-types.
  * Update HPE OEM records 203, 212, 216, 221, 233 and 236.
  * Update Redfish support.
  * Bug fixes:
    Fix enabled slot characteristics not being printed
  * Minor improvements:
    Print slot width on its own line
    Use standard strings for slot width
  * Add a --no-quirks option.
  * Drop the CPUID exception list.
  * Obsoletes dmidecode-do-not-let-dump-bin-overwrite-an-existing-file.patch,
    dmidecode-fortify-entry-point-length-checks.patch,
    dmidecode-split-table-fetching-from-decoding.patch,
    dmidecode-write-the-whole-dump-file-at-once.patch,
    dmioem-fix-segmentation-fault-in-dmi_hp_240_attr.patch,
    dmioem-hpe-oem-record-237-firmware-change.patch,
    dmioem-typo-fix-virutal-virtual.patch,
    ensure-dev-mem-is-a-character-device-file.patch,
    news-fix-typo.patch and
    use-read_file-to-read-from-dump.patch.
  Update for HPE servers from upstream:
- dmioem-update-hpe-oem-type-238.patch: Decode PCI bus segment in
  HPE type 238 records.
dracut
- Update to version 055+suse.359.geb85610b:
  * fix(convertfs): error in conditional expressions (bsc#1228847)
e2fsprogs
- resize2fs-Check-number-of-group-descriptors-only-if-.patch: resize2fs: Check
  number of group descriptors only if meta_bg is disabled (bsc#1230145)
glib2
- Add glib2-gdbusmessage-cache-arg0.patch: cache the arg0 value in
  a dbus message. Fixes a possible use after free (boo#1224044).
glibc
- tcache-thread-shutdown.patch: malloc: Initiate tcache shutdown even
  without allocations (bsc#1228661, BZ #28028)

- s390x-wcsncmp.patch: s390x: Fix segfault in wcsncmp (bsc#1228043, BZ
  [#31934])
grub2
- grub2.spec: Add ofnet to signed grub.elf to support powerpc net boot
  installation when secure boot is enabled (bsc#1217761) (bsc#1228866)
- Improved check for disk device when looking for PReP partition
  * 0004-Introduce-prep_load_env-command.patch

- Fix btrfs subvolume for platform modules not mounting at runtime when the
  default subvolume is the topmost root tree (bsc#1228124)
  * grub2-btrfs-06-subvol-mount.patch
- Rediff
  * 0001-Unify-the-check-to-enable-btrfs-relative-path.patch

- Fix error in grub-install when root is on tmpfs (bsc#1226100)
  * 0001-grub-install-bailout-root-device-probing.patch

- Fix input handling in ppc64le grub2 has high latency (bsc#1223535)
  * 0001-net-drivers-ieee1275-ofnet-Remove-200-ms-timeout-in-.patch

- Fix PowerPC grub loads 5 to 10 minutes slower on SLE-15-SP5 compared to
  SLE-15-SP2 (bsc#1217102)
  * add 0001-ofdisk-enhance-boot-time-by-focusing-on-boot-disk-re.patch
  * add 0002-ofdisk-add-early_log-support.patch

- Enhancement to PPC secure boot's root device discovery config (bsc#1207230)
- Fix regex for Open Firmware device specifier with encoded commas
  * 0002-prep_loadenv-Fix-regex-for-Open-Firmware-device-spec.patch
- Fix regular expression in PPC secure boot config to prevent escaped commas
  from being treated as delimiters when retrieving partition substrings.
- Use prep_load_env in PPC secure boot config to handle unset host-specific
  environment variables and ensure successful command execution.
  * 0004-Introduce-prep_load_env-command.patch
- Refreshed
  * 0005-export-environment-at-start-up.patch
java-11-openjdk
- Upgrade to upstream tag jdk-11.0.25+9 (October 2024 CPU)
  * Security fixes
    + JDK-8290367, JDK-8332643: Update default value and extend the
    scope of com.sun.jndi.ldap.object.trustSerialData system
    property
    + JDK-8307383: Enhance DTLS connections
    + JDK-8328286, CVE-2024-21208, bsc#1231702: Enhance HTTP client
    + JDK-8328544, CVE-2024-21210, bsc#1231711: Improve handling of
    vectorization
    + JDK-8328726: Better Kerberos support
    + JDK-8331446, CVE-2024-21217, bsc#1231716: Improve
    deserialization support
    + JDK-8332644, CVE-2024-21235, bsc#1231719: Improve graph
    optimizations
    + JDK-8335713: Enhance vectorization analysis
  * Other changes
    + JDK-7124313: [macosx] Swing Popups should overlap taskbar
    + JDK-7156347: javax/swing/JList/6462008/bug6462008.java fails
    + JDK-8078725: method adjustments can be done just once for all
    classes involved into redefinition
    + JDK-8205076: [17u] Inet6AddressImpl.c: 'lookupIfLocalHost'
    accesses 'int InetAddress.preferIPv6Address' as a boolean
    + JDK-8206440: Remove javac -source/-target 6 from jdk
    regression tests
    + JDK-8210338: Better output for GenerationTests.java
    + JDK-8211920: Close server socket and cleanups in
    test/jdk/javax/naming/module/RunBasic.java
    + JDK-8222005: ClassRedefinition crashes with: guarantee(false)
    failed: OLD and/or OBSOLETE method(s) found
    + JDK-8222884: ConcurrentClassDescLookup.java times out
    intermittently
    + JDK-8224081: SOCKS v4 tests require IPv4
    + JDK-8227122: [TESTBUG] Create Docker sidecar test cases
    + JDK-8229822: ThrowingPushPromises tests sometimes fail due to
    EOF
    + JDK-8231427: Warning cleanup in tests of java.io.Serializable
    + JDK-8236917: TestInstanceKlassSize.java fails with "The size
    computed by SA for java.lang.Object does not match"
    + JDK-8238169: BasicDirectoryModel getDirectories and
    DoChangeContents.run can deadlock
    + JDK-8240226: DeflateIn_InflateOut.java test incorrectly
    assumes size of compressed file
    + JDK-8242999: HTTP/2 client may not handle CONTINUATION frames
    correctly
    + JDK-8244966: Add .vscode to .hgignore and .gitignore
    + JDK-8249097: test/lib/jdk/test/lib/util/JarBuilder.java has a
    bad copyright
    + JDK-8249772: (ch) Improve
    sun/nio/ch/TestMaxCachedBufferSize.java
    + JDK-8249826: 5 javax/net/ssl/SSLEngine tests use @ignore w/o
    bug-id
    + JDK-8251188: Update LDAP tests not to use wildcard addresses
    + JDK-8253207: enable problemlists jcheck's check
    + JDK-8255898: Test java/awt/FileDialog/FilenameFilterTest/
    /FilenameFilterTest.java fails on Mac OS
    + JDK-8255913: Decrease number of iterations in
    TestMaxCachedBufferSize
    + JDK-8255969: Improve java/io/BufferedInputStream/
    /LargeCopyWithMark.java using jtreg tags
    + JDK-8259274: Increase timeout duration in
    sun/nio/ch/TestMaxCachedBufferSize.java
    + JDK-8260633: [macos] java/awt/dnd/MouseEventAfterStartDragTest/
    /MouseEventAfterStartDragTest.html test failed
    + JDK-8261433: Better pkcs11 performance for
    libpkcs11:C_EncryptInit/libpkcs11:C_DecryptInit
    + JDK-8263031: HttpClient throws Exception if it receives a
    Push Promise that is too large
    + JDK-8266149: mark hotspot compiler/startup tests which ignore
    VM flags
    + JDK-8266150: mark hotspot compiler/arguments tests which
    ignore VM flags
    + JDK-8266153: mark hotspot compiler/onSpinWait tests which
    ignore VM flags
    + JDK-8266154: mark hotspot compiler/oracle tests which ignore
    VM flags
    + JDK-8268906: gc/g1/mixedgc/TestOldGenCollectionUsage.java
    assumes that GCs take 1ms minimum
    + JDK-8269428: java/util/concurrent/ConcurrentHashMap/
    /ToArray.java timed out
    + JDK-8269616: serviceability/dcmd/framework/VMVersionTest.java
    fails with Address already in use error
    + JDK-8273135: java/awt/color/ICC_ColorSpace/
    /MTTransformReplacedProfile.java crashes in liblcms.dylib with
    NULLSeek+0x7
    + JDK-8275851: Deproblemlist open/test/jdk/javax/swing/
    /JComponent/6683775/bug6683775.java
    + JDK-8276036: The value of full_count in the message of
    insufficient codecache is wrong
    + JDK-8276306: jdk/jshell/CustomInputToolBuilder.java fails
    intermittently on storage acquisition
    + JDK-8276819: javax/print/PrintServiceLookup/
    /FlushCustomClassLoader.java fails to free
    + JDK-8279164: Disable TLS_ECDH_* cipher suites
    + JDK-8279337: The MToolkit is still referenced in a few places
    + JDK-8280392: java/awt/Focus/NonFocusableWindowTest/
    /NonfocusableOwnerTest.java failed with "RuntimeException:
    Test failed."
    + JDK-8284585: PushPromiseContinuation test fails
    intermittently in timeout
    + JDK-8286601: Mac Aarch: Excessive warnings to be ignored for
    build jdk
    + JDK-8286781: Replace the deprecated/obsolete gethostbyname
    and inet_addr calls
    + JDK-8292044: HttpClient doesn't handle 102 or 103 properly
    + JDK-8294148: Support JSplitPane for instructions and test UI
    + JDK-8294310: compare.sh fails on macos after JDK-8293550
    + JDK-8296410: HttpClient throws java.io.IOException: no
    statuscode in response for HTTP2
    + JDK-8298873: Update IllegalRecordVersion.java for changes to
    TLS implementation
    + JDK-8299058: AssertionError in sun.net.httpserver.ServerImpl
    when connection is idle
    + JDK-8299487: Test
    java/net/httpclient/whitebox/SSLTubeTestDriver.java timed out
    + JDK-8301189: validate-source fails after JDK-8298873
    + JDK-8303216: Prefer ArrayList to LinkedList in
    sun.net.httpserver.ServerImpl
    + JDK-8303965: java.net.http.HttpClient should reset the stream
    if response headers contain malformed header fields
    + JDK-8305072: Win32ShellFolder2.compareTo is inconsistent
    + JDK-8305079: Remove finalize() from compiler/c2/Test719030
    + JDK-8305081: Remove finalize() from
    test/hotspot/jtreg/compiler/runtime/Test8168712
    + JDK-8305825: getBounds API returns wrong value resulting in
    multiple Regression Test Failures on Ubuntu 23.04
    + JDK-8305906: HttpClient may use incorrect key when finding
    pooled HTTP/2 connection for IPv6 address
    + JDK-8306060: Open source few AWT Insets related tests
    + JDK-8306432: Open source several AWT Text Component related
    tests
    + JDK-8306466: Open source more AWT Drag & Drop related tests
    + JDK-8306489: Open source AWT List related tests
    + JDK-8306566: Open source several clipboard AWT tests
    + JDK-8306850: Open source AWT Modal related tests
    + JDK-8307091: A few client tests intermittently throw
    ConcurrentModificationException
    + JDK-8307779: Relax the java.awt.Robot specification
    + JDK-8308184: Launching java with large number of jars in
    classpath with java.protocol.handler.pkgs system property set
    can lead to StackOverflowError
    + JDK-8309934: Update GitHub Actions to use JDK 17 for building
    jtreg
    + JDK-8310201: Reduce verbose locale output in -XshowSettings
    launcher option
    + JDK-8311666: Disabled tests in test/jdk/sun/java2d/marlin
    + JDK-8312140: jdk/jshell tests failed with JDI socket timeouts
    + JDK-8314614: jdk/jshell/ImportTest.java failed with
    "InternalError: Failed remote listen"
    + JDK-8315422: getSoTimeout() would be in try block in
    SSLSocketImpl
    + JDK-8315437: Enable parallelism in
    vmTestbase/nsk/monitoring/stress/classload tests
    + JDK-8315442: Enable parallelism in
    vmTestbase/nsk/monitoring/stress/thread tests
    + JDK-8315804: Open source several Swing JTabbedPane JTextArea
    JTextField tests
    + JDK-8315898: Open source swing JMenu tests
    + JDK-8315965: Open source various AWT applet tests
    + JDK-8316104: Open source several Swing SplitPane and
    RadioButton related tests
    + JDK-8316211: Open source several manual applet tests
    + JDK-8316240: Open source several add/remove MenuBar manual
    tests
    + JDK-8316285: Opensource JButton manual tests
    + JDK-8316306: Open source and convert manual Swing test
    + JDK-8316328: Test jdk/jfr/event/oldobject/
    /TestSanityDefault.java times out for some heap sizes
    + JDK-8316462: sun/jvmstat/monitor/MonitoredVm/
    /MonitorVmStartTerminate.java ignores VM flags
    + JDK-8316973: GC: Make TestDisableDefaultGC use createTestJvm
    + JDK-8317039: Enable specifying the JDK used to run jtreg
    + JDK-8317228: GC: Make TestXXXHeapSizeFlags use createTestJvm
    + JDK-8317288: [macos] java/awt/Window/Grab/GrabTest.java:
    Press on the outside area didn't cause ungrab
    + JDK-8317316: G1: Make TestG1PercentageOptions use
    createTestJvm
    + JDK-8317343: GC: Make TestHeapFreeRatio use createTestJvm
    + JDK-8317358: G1: Make TestMaxNewSize use createTestJvm
    + JDK-8317807: JAVA_FLAGS removed from jtreg running in
    JDK-8317039
    + JDK-8318039: GHA: Bump macOS and Xcode versions
    + JDK-8320079: The ArabicBox.java test has no control buttons
    + JDK-8320570: NegativeArraySizeException decoding >1G UTF8
    bytes with non-ascii characters
    + JDK-8320602: Lock contention in SchemaDVFactory.getInstance()
    + JDK-8320945: problemlist tests failing on latest Windows 11
    update
    + JDK-8322330: JavadocHelperTest.java OOMEs with Parallel GC
    and ZGC
    + JDK-8323670: A few client tests intermittently throw
    ConcurrentModificationException
    + JDK-8324755: Enable parallelism in
    vmTestbase/gc/gctests/LargeObjects tests
    + JDK-8325022: Incorrect error message on client authentication
    + JDK-8325179: Race in BasicDirectoryModel.validateFileCache
    + JDK-8325862: set -XX:+ErrorFileToStderr when executing java
    in containers for some container related jtreg tests
    + JDK-8325876: crashes in docker container tests on
    Linuxppc64le Power8 machines
    + JDK-8326140: src/jdk.accessibility/windows/native/
    /libjavaaccessbridge/AccessBridgeJavaEntryPoints.cpp
    ReleaseStringChars might be missing in early returns
    + JDK-8327007: javax/swing/JSpinner/8008657/bug8008657.java
    fails
    + JDK-8327137: Add test for ConcurrentModificationException in
    BasicDirectoryModel
    + JDK-8327631: Update IANA Language Subtag Registry to Version
    2024-03-07
    + JDK-8327787: Convert javax/swing/border/Test4129681.java
    applet test to main
    + JDK-8327840: Automate javax/swing/border/Test4129681.java
    + JDK-8328011: Convert java/awt/Frame/GetBoundsResizeTest/
    /GetBoundsResizeTest.java applet test to main
    + JDK-8328110: Allow simultaneous use of PassFailJFrame with
    split UI and additional windows
    + JDK-8328115: Convert java/awt/font/TextLayout/
    /TestJustification.html applet test to main
    + JDK-8328158: Convert java/awt/Choice/NonFocusablePopupMenuTest
    to automatic main test
    + JDK-8328218: Delete test
    java/awt/Window/FindOwner/FindOwner.html
    + JDK-8328234: Remove unused nativeUtils files
    + JDK-8328238: Convert few closed manual applet tests to main
    + JDK-8328269: NonFocusablePopupMenuTest.java should be marked
    as headful
    + JDK-8328273: sun/management/jmxremote/bootstrap/
    /RmiRegistrySslTest.java failed with
    java.rmi.server.ExportException: Port already in use
    + JDK-8328560: java/awt/event/MouseEvent/ClickDuringKeypress/
    /ClickDuringKeypress.java imports Applet
    + JDK-8328561: test java/awt/Robot/ManualInstructions/
    /ManualInstructions.java isn't used
    + JDK-8328953: JEditorPane.read throws ChangedCharSetException
    + JDK-8328999: Update GIFlib to 5.2.2
    + JDK-8329004: Update Libpng to 1.6.43
    + JDK-8329013: StackOverflowError when starting Apache Tomcat
    with signed jar
    + JDK-8329103: assert(!thread->in_asgct()) failed during
    multi-mode profiling
    + JDK-8329510: Update ProblemList for
    JFileChooser/8194044/FileSystemRootTest.java
    + JDK-8329559: Test javax/swing/JFrame/bug4419914.java failed
    because The End and Start buttons are not placed correctly and
    Tab focus does not move as expected
    + JDK-8329995: Restricted access to '/proc' can cause JFR
    initialization to crash
    + JDK-8330063: Upgrade jQuery to 3.7.1
    + JDK-8330416: Update system property for Java SE specification
    maintenance version
    + JDK-8330523: Reduce runtime and improve efficiency of
    KeepAliveTest
    + JDK-8331063: Some HttpClient tests don't report leaks
    + JDK-8331263: Bump update version for OpenJDK: jdk-11.0.25
    + JDK-8331466: Problemlist serviceability/dcmd/gc/
    /RunFinalizationTest.java on generic-all
    + JDK-8331746: Create a test to verify that the cmm id is not
    ignored
    + JDK-8331798: Remove unused arg of checkErgonomics() in
    TestMaxHeapSizeTools.java
    + JDK-8332008: Enable issuestitle check
    + JDK-8332113: Update nsk.share.Log to be always verbose
    + JDK-8332424: Update IANA Language Subtag Registry to Version
    2024-05-16
    + JDK-8332524: Instead of printing "TLSv1.3," it is showing
    "TLS13"
    + JDK-8332898: failure_handler: log directory of commands
    + JDK-8332936: Test vmTestbase/metaspace/gc/watermark_70_80/
    /TestDescription.java fails with no GC's recorded
    + JDK-8333724: Problem list security/infra/java/security/cert/
    /CertPathValidator/certification/CAInterop.java
    [#]teliasonerarootcav1
    + JDK-8333804: java/net/httpclient/ForbiddenHeadTest.java threw
    an exception with 0 failures
    + JDK-8333837: [11u] HexPrinterTest.java javac compile fails
    illegal start of expression
    + JDK-8333839: [11u] LingeredAppTest.java fails Can't find
    source file: LingeredApp.java
    + JDK-8334166: Enable binary check
    + JDK-8334335: [TESTBUG] Backport of 8279164 to 11u & 17u
    includes elements of JDK-8163327
    + JDK-8334418: Update IANA Language Subtag Registry to Version
    2024-06-14
    + JDK-8334653: ISO 4217 Amendment 177 Update
    + JDK-8334711: [TEST_BUG] Compilation failed of
    MimeFormatsTest/MimeFormatsTest.java
    + JDK-8335803: SunJCE cipher throws NPE for un-extractable RSA
    keys
    + JDK-8336301: test/jdk/java/nio/channels/
    /AsyncCloseAndInterrupt.java leaves around a FIFO file upon
    test completion
    + JDK-8336928: GHA: Bundle artifacts removal broken
    + JDK-8337664: Distrust TLS server certificates issued after
    Oct 2024 and anchored by Entrust Root CAs
    + JDK-8338139: {ClassLoading,Memory}MXBean::isVerbose methods
    are inconsistent with their setVerbose methods
    + JDK-8341057: Add 2 SSL.com TLS roots
    + JDK-8341059: Change Entrust TLS distrust date to November 12,
    2024
    + JDK-8341675: [11u] Remove designator
    DEFAULT_PROMOTED_VERSION_PRE=ea for release 11.0.25
- Added patches:
  * reproducible-directory-mtime.patch
    + if present, use SOURCE_DATE_EPOCH as timestamp for newly
    created directories
  * reproducible-search-index-files.patch
    + if present, use SOURCE_DATE_EPOCH as timestamp for the search
    index zip files created by javadoc
kernel-default
- usb: dwc3: st: fix probed platform device ref count on probe
  error path (bsc#1230507 CVE-2024-46674).
- commit ffd5693

- scsi: ibmvfc: Add max_sectors module parameter (bsc#1216223).
  Delete
  patches.suse/ibmvfc-make-max_sectors-a-module-option.patch.
- commit 13d3e25

- Update
  patches.suse/media-vivid-fix-compose-size-exceed-boundary.patch
  (git-fixes CVE-2022-48945 bsc#1230398).
- Update
  patches.suse/powerpc-rtas-Prevent-Spectre-v1-gadget-construction-.patch
  (bsc#1227487 CVE-2024-46774 bsc#1230767).
- Update patches.suse/sched-Fix-yet-more-sched_fork-races.patch
  (git fixes (sched/core) CVE-2022-48944 bsc#1229947).
- commit be5b46d

- SUNRPC: avoid soft lockup when transmitting UDP to reachable
  server (bsc#1225272 bsc#1231016).
- commit d8ddf61

- kabi: add __nf_queue_get_refs() for kabi compliance.
- netfilter: nf_queue: fix possible use-after-free (bsc#1229633,
  CVE-2022-48911).
- commit 09526c9

- btrfs: prevent copying too big compressed lzo segment (CVE-2022-48923 bsc#1229662)
- commit 9c5b30e

- dev/parport: fix the array out-of-bounds risk (CVE-2024-42301
  bsc#1229407).
- commit 0515c56

- KABI: kcm: Serialise kcm_sendmsg() for the same socket
  (CVE-2024-44946 bsc#1230015).
- commit 4220de4

- kcm: Serialise kcm_sendmsg() for the same socket
  (CVE-2024-44946 bsc#1230015).
- commit 195f676

- Refresh
  patches.suse/Bluetooth-hci_ldisc-check-HCI_UART_PROTO_READY-flag-.patch.
  Update upstream status and move to the sorted section.
- commit 43dbf50

- memcg_write_event_control(): fix a user-triggerable oops
  (CVE-2024-45021 bsc#1230434).
- commit f5c92ca

- Revert "mm/sparsemem: fix race in accessing memory_section->usage"
  This reverts commit 606bd9b8228bfe004cf6ab930ffb673a535e3c55.
- commit 532bbfe

- Revert "mm, kmsan: fix infinite recursion due to RCU critical section"
  This reverts commit 1702784a5db6b26695f0bc2c6b0cbe973db5c0f3.
- commit e220e83

- Revert "mm: prevent derefencing NULL ptr in pfn_section_valid()"
  This reverts commit d77caa16c18115f0c470ecf5cdd3cdb6f9865aeb.
- commit b38d226

- blk-mq: add helper for checking if one CPU is mapped to
  specified hctx (bsc#1223600).
- blk-mq: don't schedule block kworker on isolated CPUs
  (bsc#1223600).
- commit 4537dc0

- vfs: Don't evict inode under the inode lru traversing context
  (CVE-2024-45003 bsc#1230245).
- commit 82e6e44

- blacklist.conf: update blacklist
- commit 401873a

- Bluetooth: L2CAP: Fix deadlock (git-fixes).
- commit 9438e54

- bluetooth/l2cap: sync sock recv cb and release (bsc#1228576
  CVE-2024-41062).
- commit 5b1f743

- Update references
- commit a096907

- fuse: Initialize beyond-EOF page contents before setting
  uptodate (bsc#1229454 CVE-2024-44947).
- commit ddfd2d7

- usb: vhci-hcd: Do not drop references before new references
  are gained (CVE-2024-43883 bsc#1229707).
- commit 44d7bae

- net: usb: qmi_wwan: fix memory leak for not ip packets
  (CVE-2024-43861 bsc#1229500).
- commit 3e796c3

- Update
  patches.suse/ASoC-ops-Shift-tested-values-in-snd_soc_put_volsw-by.patch
  (git-fixes CVE-2022-48917 bsc#1229637).
- Update
  patches.suse/Bluetooth-hci_qca-Fix-driver-shutdown-on-closed-serd.patch
  (git-fixes CVE-2022-48878 bsc#1229554).
- Update
  patches.suse/CDC-NCM-avoid-overflow-in-sanity-checking.patch
  (git-fixes CVE-2022-48938 bsc#1229664).
- Update
  patches.suse/KVM-x86-mmu-make-apf-token-non-zero-to-fix-bug.patch
  (git-fixes CVE-2022-48943 bsc#1229645).
- Update
  patches.suse/RDMA-cma-Do-not-change-route.addr.src_addr-outside-s.patch
  (git-fixes CVE-2022-48925 bsc#1229630).
- Update patches.suse/RDMA-ib_srp-Fix-a-deadlock.patch (git-fixes
  CVE-2022-48930 bsc#1229624).
- Update
  patches.suse/USB-gadgetfs-Fix-race-between-mounting-and-unmountin.patch
  (CVE-2022-4382 bsc#1206258 CVE-2022-48869 bsc#1229507).
- Update
  patches.suse/auxdisplay-lcd2s-Fix-memory-leak-in-remove.patch
  (git-fixes CVE-2022-48907 bsc#1229608).
- Update
  patches.suse/blktrace-fix-use-after-free-for-struct-blk_trace.patch
  (bsc#1198017 CVE-2022-48913 bsc#1229643).
- Update
  patches.suse/bpf-Fix-crash-due-to-out-of-bounds-access-into-reg2b.patch
  (git-fixes bsc#1194111 bsc#1194765 bsc#1196261 CVE-2021-4204
  CVE-2022-0500 CVE-2022-23222 CVE-2022-48929 bsc#1229625).
- Update
  patches.suse/btrfs-fix-race-between-quota-rescan-and-disable-lead.patch
  (bsc#1207158 CVE-2023-52896 bsc#1229533).
- Update
  patches.suse/btrfs-fix-relocation-crash-due-to-premature-return-f.patch
  (bsc#1203360 CVE-2022-48903 bsc#1229613).
- Update
  patches.suse/cgroup-cpuset-Prevent-UAF-in-proc_cpuset_show.patch
  (bsc#1228801 CVE-2024-43853 bsc#1229292).
- Update
  patches.suse/cifs-fix-double-free-race-when-mount-fails-in-cifs_get_root-.patch
  (bsc#1193629 CVE-2022-48919 bsc#1229657).
- Update
  patches.suse/configfs-fix-a-race-in-configfs_-un-register_subsyst.patch
  (git-fixes CVE-2022-48931 bsc#1229623).
- Update
  patches.suse/dmaengine-idxd-Let-probe-fail-when-workqueue-cannot-.patch
  (git-fixes CVE-2022-48868 bsc#1229506).
- Update
  patches.suse/drm-msm-another-fix-for-the-headless-Adreno-GPU.patch
  (git-fixes CVE-2023-52911 bsc#1229522).
- Update
  patches.suse/drm-msm-dp-do-not-complete-dp_aux_cmd_fifo_tx-if-irq.patch
  (git-fixes CVE-2022-48898 bsc#1229537).
- Update patches.suse/drm-virtio-Fix-GEM-handle-creation-UAF.patch
  (git-fixes CVE-2022-48899 bsc#1229536).
- Update
  patches.suse/gsmi-fix-null-deref-in-gsmi_get_variable.patch
  (git-fixes CVE-2023-52893 bsc#1229535).
- Update
  patches.suse/hwmon-Handle-failure-to-register-sensor-with-thermal.patch
  (git-fixes CVE-2022-48942 bsc#1229612).
- Update
  patches.suse/ibmvnic-free-reset-work-item-when-flushing.patch
  (bsc#1196516 ltc#196391 CVE-2022-48905 bsc#1229604).
- Update
  patches.suse/ice-fix-concurrent-reset-and-removal-of-VFs.patch
  (git-fixes CVE-2022-48941 bsc#1229614).
- Update
  patches.suse/iio-adc-men_z188_adc-Fix-a-resource-leak-in-an-error.patch
  (git-fixes CVE-2022-48928 bsc#1229626).
- Update
  patches.suse/iio-adc-tsc2046-fix-memory-corruption-by-preventing-.patch
  (git-fixes CVE-2022-48927 bsc#1229628).
- Update
  patches.suse/io_uring-add-a-schedule-point-in-io_add_buffers.patch
  (git-fixes CVE-2022-48937 bsc#1229617).
- Update patches.suse/iommu-amd-Fix-I-O-page-table-memory-leak
  (git-fixes CVE-2022-48904 bsc#1229603).
- Update
  patches.suse/iommu-vt-d-fix-double-list_add-when-enabling-vmd-in-scalable-mode
  (bsc#1196894 CVE-2022-48916 bsc#1229638).
- Update
  patches.suse/iwlwifi-mvm-check-debugfs_dir-ptr-before-use.patch
  (git-fixes CVE-2022-48918 bsc#1229636).
- Update patches.suse/ixgbe-fix-pci-device-refcount-leak.patch
  (jsc#SLE-18384 CVE-2022-48896 bsc#1229540).
- Update
  patches.suse/misc-fastrpc-Don-t-remove-map-on-creater_process-and.patch
  (git-fixes CVE-2022-48873 bsc#1229512).
- Update
  patches.suse/misc-fastrpc-Fix-use-after-free-race-condition-for-m.patch
  (git-fixes CVE-2022-48872 bsc#1229510).
- Update
  patches.suse/net-mlx5-DR-Fix-slab-out-of-bounds-in-mlx5_cmd_dr_cr.patch
  (jsc#SLE-19253 CVE-2022-48932 bsc#1229622).
- Update patches.suse/net-smc-fix-connection-leak (git-fixes
  CVE-2022-48909 bsc#1229611).
- Update
  patches.suse/nfc-pn533-Wait-for-out_urb-s-completion-in-pn533_usb.patch
  (git-fixes CVE-2023-52907 bsc#1229526).
- Update
  patches.suse/nfp-flower-Fix-a-potential-leak-in-nfp_tunnel_add_sh.patch
  (git-fixes CVE-2022-48934 bsc#1229620).
- Update
  patches.suse/nilfs2-fix-general-protection-fault-in-nilfs_btree_i.patch
  (git-fixes CVE-2023-52900 bsc#1229581).
- Update
  patches.suse/octeontx2-pf-Fix-resource-leakage-in-VF-driver-unbin.patch
  (git-fixes CVE-2023-52905 bsc#1229528).
- Update
  patches.suse/platform-surface-aggregator-Add-missing-call-to-ssam.patch
  (git-fixes CVE-2022-48880 bsc#1229557).
- Update
  patches.suse/regulator-da9211-Use-irq-handler-when-ready.patch
  (git-fixes CVE-2022-48891 bsc#1229565).
- Update
  patches.suse/sched-fair-Fix-fault-in-reweight_entity.patch
  (git fixes (sched/core) CVE-2022-48921 bsc#1229635).
- Update
  patches.suse/scsi-storvsc-Fix-swiotlb-bounce-buffer-leak-in-confi.patch
  (bsc#1206006 CVE-2022-48890 bsc#1229544).
- Update
  patches.suse/spi-spi-zynq-qspi-Fix-a-NULL-pointer-dereference-in-.patch
  (git-fixes CVE-2021-4441 bsc#1229598).
- Update
  patches.suse/thermal-core-Fix-TZ_GET_TRIP-NULL-pointer-dereferenc.patch
  (git-fixes CVE-2022-48915 bsc#1229639).
- Update
  patches.suse/thermal-int340x-fix-memory-leak-in-int3400_notify.patch
  (git-fixes CVE-2022-48924 bsc#1229631).
- Update
  patches.suse/tty-fix-possible-null-ptr-defer-in-spk_ttyio_release.patch
  (git-fixes CVE-2022-48870 bsc#1229508).
- Update
  patches.suse/tty-serial-qcom-geni-serial-fix-slab-out-of-bounds-o.patch
  (git-fixes CVE-2022-48871 bsc#1229509).
- Update
  patches.suse/usb-gadget-f_ncm-fix-potential-NULL-ptr-deref-in-ncm.patch
  (git-fixes CVE-2023-52894 bsc#1229566).
- Update
  patches.suse/usb-gadget-rndis-add-spinlock-for-rndis-response-lis.patch
  (git-fixes CVE-2022-48926 bsc#1229629).
- Update
  patches.suse/usb-xhci-Check-endpoint-is-valid-before-dereferencin.patch
  (git-fixes CVE-2023-52901 bsc#1229531).
- Update
  patches.suse/wifi-mac80211-sdata-can-be-NULL-during-AMPDU-start.patch
  (git-fixes CVE-2022-48875 bsc#1229516).
- Update
  patches.suse/xen-netfront-destroy-queues-before-real_num_tx_queue.patch
  (git-fixes CVE-2022-48914 bsc#1229642).
- Update
  patches.suse/xhci-Fix-null-pointer-dereference-when-host-dies.patch
  (git-fixes CVE-2023-52898 bsc#1229568).
- commit 5c5e4d7

- mm: prevent derefencing NULL ptr in pfn_section_valid()
  (git-fixes).
- commit d77caa1

- mm, kmsan: fix infinite recursion due to RCU critical section
  (git-fixes).
- commit 1702784

- mm/sparsemem: fix race in accessing memory_section->usage
  (bsc#1221326 CVE-2023-52489).
- commit 606bd9b

- jfs: Fix shift-out-of-bounds in dbDiscardAG (bsc#1229792
  CVE-2024-44938).
- commit 8003b7e

- ata: libata-core: Fix double free on error
  (CVE-2024-41087,bsc#1228466).
- commit b5892ca

- ata: libata-core: Fix double free on error
  (CVE-2024-41087,bsc#1228466).
- commit 0a4b370

- exec: Fix ToCToU between perm check and set-uid/gid usage
  (CVE-2024-43882 bsc#1229503).
- commit 83a7456

- netfilter: nf_tables: unregister flowtable hooks on netns exit (CVE-2022-48935 bsc#1229619)
- commit 3e33f70

- netfilter: fix use-after-free in __nf_register_net_hook() (CVE-2022-48912 bsc#1229641)
- commit f8f42c3

- scsi: smartpqi: Expose SAS address for SATA drives
  (bsc#1223958).
- commit 6711c21

- net/iucv: fix use after free in iucv_sock_close()
  (CVE-2024-42271 bsc#1229400 bsc#1228974).
- commit 82bb6f3

- Update
  patches.suse/drm-amdkfd-don-t-allow-mapping-the-MMIO-HDP-page-wit.patch
  (CVE-2024-41011 bsc#1228115 bsc#1228114).
- Update
  patches.suse/powerpc-pseries-Fix-scv-instruction-crash-with-kexec.patch
  (bsc#1194869 CVE-2024-42230 bsc#1228489).
- commit f6019c1

- libceph: fix race between delayed_work() and ceph_monc_stop()
  (bsc#1228959 CVE-2024-42232).
- commit 27160c2

- rpm/kernel-binary.spec.in: fix klp_symbols macro
  The commit below removed openSUSE filter from %ifs of the klp_symbols
  definition. But it removed -c of grep too and that causes:
  error: syntax error in expression:  01 && (  || 1 )
  error:                                        ^
  error: unmatched (:  01 && (  || 1 )
  error:                     ^
  error: kernel-default.spec:137: bad %if condition:  01 && (  || 1 )
  So reintroduce -c to the PTF's grep.
  Fixes: fd0b293bebaf (kernel-binary.spec.in: Enable klp_symbols on openSUSE Tumbleweed (boo#1229042).)
- commit 4a36fe3

- rpm/kernel-binary.spec.in: Fix build regression
  The previous fix forgot to take over grep -c option that broke the
  conditional expression
- commit d29edf2

- kernel-binary.spec.in: Enable klp_symbols on openSUSE Tumbleweed (boo#1229042).
  After the Jump project the kernel used by SLE and openSUSE Leap are the
  same. As consequence the klp_symbols variable is set, enabling
  kernel-default-livepatch-devel on both SLE and openSUSE.
  The current rules to avoid enabling the package exclude openSUSE
  Tumbleweed alone, which doesn't makes sense for now. Enabling
  kernel-default-livepatch-devel on TW makes it easier to test the
  creation of kernel livepatches of the next SLE versions.
- commit fd0b293

- Update
  patches.suse/powerpc-Avoid-nmi_enter-nmi_exit-in-real-mode-interr.patch
  (bsc#1221645 ltc#205739 bsc#1223191 CVE-2024-42126 bsc#1228718).
  Add CVE references.
- commit 637c320

- Update
  patches.suse/0001-ocfs2-fix-DIO-failure-due-to-insufficient-transactio.patch
  (bsc#1216834 CVE-2024-42077 bsc#1228516).
  Add CVE references.
- commit 8360e90

- ax25: Fix refcount imbalance on inbound connections
  (CVE-2024-40910 bsc#1227832).
- commit 12cb329

- config.sh: generate and install compile_commands.json (bsc#1228971)
  This file contains the command line options used to compile every C file.
  It's useful for the livepatching team.
- kernel-binary: generate and install compile_commands.json (bsc#1228971)
  This file contains the command line options used to compile every C file.
  It's useful for the livepatching team.
- commit 314f719

- packaging: Add case-sensitive perl option parsing
  A recent change in Getopt::Long [1]:
  Changes in version 2.55
  - ----------------------
  * Fix long standing bug that duplicate options were not detected
  when the options differ in case while ignore_case is in effect.
  This will now yield a warning and become a fatal error in a future
  release.
  perl defaults to ignore_case by default, switch it off to avoid
  accidental misparsing of options.
  This was suggested after similar change in scripts/.
- commit e978477

- btrfs: sysfs: update fs features directory asynchronously
  (bsc#1226168).
- commit 97cd90c

- ima: Fix use-after-free on a dentry's dname.name (bsc#1227716
  CVE-2024-39494).
- commit 81484ec

- ASoC: topology: Fix route memory corruption (CVE-2024-41069
  bsc#1228644).
- commit 586db1a

- net: do not leave a dangling sk pointer, when socket creation fails (CVE-2024-40954 bsc#1227808)
- commit 8f44f81

- check-for-config-changes: ignore also GCC_ASM_GOTO_OUTPUT_BROKEN
  Mainline commit f2f6a8e88717 ("init/Kconfig: remove
  CONFIG_GCC_ASM_GOTO_OUTPUT_WORKAROUND") replaced
  GCC_ASM_GOTO_OUTPUT_WORKAROUND with GCC_ASM_GOTO_OUTPUT_BROKEN. Ignore both
  when checking config changes.
- commit b60be3e

- IB/core: Implement a limit on UMAD receive List (bsc#1228743 CVE-2024-42145)
- commit 810053d

- ptp: fix integer overflow in max_vclocks_store (bsc#1227829
  CVE-2024-40994).
- commit 205cc4c

- filelock: Remove locks reliably when fcntl/close race is
  detected (CVE-2024-41012 bsc#1228247).
- commit e2c5917

- Update
  patches.suse/KVM-Always-flush-async-PF-workqueue-when-vCPU-is-being-des.patch
  (bsc#1223635 (CVE-2024-26976) CVE-2024-26976).
- Update
  patches.suse/jfs-xattr-fix-buffer-overflow-for-invalid-xattr.patch
  (bsc#1227383 CVE-2024-40902 bsc#1227764).
- Update
  patches.suse/vfio-fsl-mc-Block-calling-interrupt-handler-without-trigge.patch
  (bsc#1222810 (CVE-2024-26814) CVE-2024-26814).
- Update
  patches.suse/vfio-platform-Create-persistent-IRQ-handlers.patch
  (bsc#1222809 (CVE-2024-26813) CVE-2024-26813).
- commit 39eeeb9

- Update
  patches.suse/SUNRPC-Fix-UAF-in-svc_tcp_listen_data_ready.patch
  (git-fixes CVE-2023-52885 bsc#1227750).
- Update
  patches.suse/USB-core-Fix-race-by-not-overwriting-udev-descriptor.patch
  (bsc#1213123 CVE-2023-37453 CVE-2023-52886 bsc#1227981).
- Update
  patches.suse/virtio-blk-fix-implicit-overflow-on-virtio_max_dma_size.patch
  (bsc#1225573 (CVE-2023-52762) CVE-2023-52762).
- commit 3784f34

- Update
  patches.suse/HID-hid-thrustmaster-fix-OOB-read-in-thrustmaster_in.patch
  (git-fixes CVE-2022-48866 bsc#1228014).
- Update
  patches.suse/Input-aiptek-properly-check-endpoint-type.patch
  (git-fixes CVE-2022-48836 bsc#1227989).
- Update
  patches.suse/KVM-x86-nSVM-fix-potential-NULL-derefernce-on-nested.patch
  (git-fixes CVE-2022-48793 bsc#1228019).
- Update
  patches.suse/NFC-port100-fix-use-after-free-in-port100_send_compl.patch
  (git-fixes CVE-2022-48857 bsc#1228005).
- Update
  patches.suse/NFSD-Fix-NFSv3-SETATTR-CREATE-s-handling-of-large-fi.patch
  (git-fixes CVE-2022-48829 bsc#1228055).
- Update patches.suse/NFSD-Fix-ia_size-underflow.patch (git-fixes
  CVE-2022-48828 bsc#1228054).
- Update
  patches.suse/NFSD-Fix-the-behavior-of-READ-near-OFFSET_MAX.patch
  (bsc#1195957 CVE-2022-48827 bsc#1228037).
- Update
  patches.suse/SUNRPC-lock-against-sock-changing-during-sysfs-read.patch
  (bsc#1194324 CVE-2022-48816 bsc#1228038).
- Update
  patches.suse/can-isotp-fix-potential-CAN-frame-reception-race-in-.patch
  (git-fixes CVE-2022-48830 bsc#1227982).
- Update
  patches.suse/cfg80211-fix-race-in-netlink-owner-interface-destruc.patch
  (git-fixes CVE-2022-48784 bsc#1227938).
- Update
  patches.suse/dmaengine-ptdma-Fix-the-error-handling-path-in-pt_co.patch
  (git-fixes CVE-2022-48774 bsc#1227923).
- Update
  patches.suse/drm-amdgpu-bypass-tiling-flag-check-in-virtual-displ.patch
  (git-fixes CVE-2022-48849 bsc#1228061).
- Update
  patches.suse/drm-vc4-Fix-deadlock-on-DSI-device-attach-error.patch
  (git-fixes CVE-2022-48826 bsc#1227975).
- Update
  patches.suse/drm-vrr-Set-VRR-capable-prop-only-if-it-is-attached-.patch
  (git-fixes CVE-2022-48843 bsc#1228066).
- Update
  patches.suse/eeprom-ee1004-limit-i2c-reads-to-I2C_SMBUS_BLOCK_MAX.patch
  (git-fixes CVE-2022-48806 bsc#1227948).
- Update
  patches.suse/ethernet-Fix-error-handling-in-xemaclite_of_probe.patch
  (git-fixes CVE-2022-48860 bsc#1228008).
- Update
  patches.suse/fs-proc-task_mmu.c-don-t-read-mapcount-for-migration-entry.patch
  (CVE-2023-1582 bsc#1209636 CVE-2022-48802 bsc#1227942).
- Update
  patches.suse/gianfar-ethtool-Fix-refcount-leak-in-gfar_get_ts_inf.patch
  (git-fixes CVE-2022-48856 bsc#1228004).
- Update patches.suse/iavf-Fix-hang-during-reboot-shutdown.patch
  (jsc#SLE-18385 CVE-2022-48840 bsc#1227990).
- Update
  patches.suse/ibmvnic-don-t-release-napi-in-__ibmvnic_open.patch
  (bsc#1195668 ltc#195811 CVE-2022-48811 bsc#1227928).
- Update
  patches.suse/ice-Fix-KASAN-error-in-LAG-NETDEV_UNREGISTER-handler.patch
  (git-fixes CVE-2022-48807 bsc#1227970).
- Update
  patches.suse/ice-Fix-race-condition-during-interface-enslave.patch
  (git-fixes CVE-2022-48842 bsc#1228064).
- Update
  patches.suse/ice-fix-NULL-pointer-dereference-in-ice_update_vsi_t.patch
  (jsc#SLE-18375 CVE-2022-48841 bsc#1227991).
- Update
  patches.suse/iio-buffer-Fix-file-related-error-handling-in-IIO_BU.patch
  (git-fixes CVE-2022-48801 bsc#1227956).
- Update
  patches.suse/ima-fix-reference-leak-in-asymmetric_verify.patch
  (git-fixes CVE-2022-48831 bsc#1227986).
- Update
  patches.suse/iommu-Fix-potential-use-after-free-during-probe
  (git-fixes CVE-2022-48796 bsc#1228028).
- Update patches.suse/iwlwifi-fix-use-after-free.patch
  (bsc#1197762 git-fixes CVE-2022-48787 bsc#1227932).
- Update
  patches.suse/mISDN-Fix-memory-leak-in-dsp_pipeline_build.patch
  (git-fixes CVE-2022-48863 bsc#1228063).
- Update
  patches.suse/misc-fastrpc-avoid-double-fput-on-failed-usercopy.patch
  (git-fixes CVE-2022-48821 bsc#1227976).
- Update
  patches.suse/mm-don-t-try-to-NUMA-migrate-COW-pages-that-have-other-uses.patch
  (git fixes (mm/numa) CVE-2022-48797 bsc#1228035).
- Update
  patches.suse/mm-vmscan-remove-deadlock-due-to-throttling.patch
  (bsc#1195357 CVE-2022-48800 bsc#1227954).
- Update
  patches.suse/msft-hv-2515-Drivers-hv-vmbus-Fix-memory-leak-in-vmbus_add_channe.patch
  (git-fixes CVE-2022-48775 bsc#1227924).
- Update
  patches.suse/mtd-parsers-qcom-Fix-kernel-panic-on-skipped-partiti.patch
  (git-fixes CVE-2022-48777 bsc#1227922).
- Update
  patches.suse/mtd-parsers-qcom-Fix-missing-free-for-pparts-in-clea.patch
  (git-fixes CVE-2022-48776 bsc#1227925).
- Update
  patches.suse/mtd-rawnand-gpmi-don-t-leak-PM-reference-in-error-pa.patch
  (git-fixes CVE-2022-48778 bsc#1227935).
- Update
  patches.suse/net-dsa-ar9331-register-the-mdiobus-under-devres.patch
  (git-fixes CVE-2022-48817 bsc#1227931).
- Update
  patches.suse/net-dsa-bcm_sf2-don-t-use-devres-for-mdiobus.patch
  (git-fixes CVE-2022-48815 bsc#1227933).
- Update
  patches.suse/net-dsa-felix-don-t-use-devres-for-mdiobus.patch
  (git-fixes CVE-2022-48813 bsc#1227963).
- Update
  patches.suse/net-dsa-lantiq_gswip-don-t-use-devres-for-mdiobus.patch
  (git-fixes CVE-2022-48812 bsc#1227971).
- Update
  patches.suse/net-dsa-lantiq_gswip-fix-use-after-free-in-gswip_rem.patch
  (git-fixes CVE-2022-48783 bsc#1227949).
- Update
  patches.suse/net-dsa-mv88e6xxx-don-t-use-devres-for-mdiobus.patch
  (git-fixes CVE-2022-48818 bsc#1228039).
- Update
  patches.suse/net-dsa-seville-register-the-mdiobus-under-devres.patch
  (git-fixes CVE-2022-48814 bsc#1227944).
- Update
  patches.suse/net-ieee802154-at86rf230-Stop-leaking-skb-s.patch
  (git-fixes CVE-2022-48794 bsc#1228025).
- Update
  patches.suse/net-marvell-prestera-Add-missing-of_node_put-in-pres.patch
  (git-fixes CVE-2022-48859 bsc#1228007).
- Update
  patches.suse/net-mlx5-Fix-a-race-on-command-flush-flow.patch
  (git-fixes CVE-2022-48858 bsc#1228006).
- Update
  patches.suse/net-packet-fix-slab-out-of-bounds-access-in-packet_r.patch
  (CVE-2022-20368 bsc#1202346 CVE-2022-48839 bsc#1227985).
- Update
  patches.suse/net-smc-Avoid-overwriting-the-copies-of-clcsock-callback-functions
  (git-fixes CVE-2022-48780 bsc#1227995).
- Update
  patches.suse/net-usb-ax88179_178a-Fix-out-of-bounds-accesses-in-R.patch
  (bsc#1196018 CVE-2022-28748 bsc#1202686 CVE-2022-2964
  CVE-2022-48805 bsc#1227969).
- Update
  patches.suse/nvme-fix-a-possible-use-after-free-in-controller-res.patch
  (bsc#1193787 bsc#1197146 bsc#1193554 CVE-2022-48790
  bsc#1227941).
- Update
  patches.suse/nvme-rdma-fix-possible-use-after-free-in-transport-e.patch
  (bsc#1193787 bsc#1197146 bsc#1193554 CVE-2022-48788
  bsc#1227952).
- Update
  patches.suse/nvme-tcp-fix-possible-use-after-free-in-transport-er.patch
  (bsc#1193787 bsc#1197146 bsc#1193554 CVE-2022-48789
  bsc#1228000).
- Update
  patches.suse/perf-Fix-list-corruption-in-perf_cgroup_switch.patch
  (git fixes CVE-2022-48799 bsc#1227953).
- Update
  patches.suse/phy-stm32-fix-a-refcount-leak-in-stm32_usbphyc_pll_e.patch
  (git-fixes CVE-2022-48820 bsc#1227972).
- Update
  patches.suse/phy-ti-Fix-missing-sentinel-for-clk_div_table.patch
  (git-fixes CVE-2022-48803 bsc#1227965).
- Update
  patches.suse/s390-cio-verify-the-driver-availability-for-path_event-call
  (bsc#1195927 LTC#196420 CVE-2022-48798 bsc#1227945).
- Update
  patches.suse/scsi-mpt3sas-Page-fault-in-reply-q-processing.patch
  (git-fixes CVE-2022-48835 bsc#1228060).
- Update patches.suse/scsi-myrs-Fix-crash-in-error-case.patch
  (git-fixes CVE-2022-48824 bsc#1227964).
- Update
  patches.suse/scsi-pm8001-Fix-use-after-free-for-aborted-SSP-STP-sas_task.patch
  (git-fixes CVE-2022-48792 bsc#1228013).
- Update
  patches.suse/scsi-pm8001-Fix-use-after-free-for-aborted-TMF-sas_task.patch
  (git-fixes CVE-2022-48791 bsc#1228002).
- Update
  patches.suse/scsi-qedf-Add-stag_work-to-all-the-vports.patch
  (git-fixes CVE-2022-48825 bsc#1228056).
- Update
  patches.suse/scsi-qedf-Fix-refcount-issue-when-LOGO-is-received-during-TMF.patch
  (git-fixes CVE-2022-48823 bsc#1228045).
- Update
  patches.suse/staging-gdm724x-fix-use-after-free-in-gdm_lte_rx.patch
  (git-fixes CVE-2022-48851 bsc#1227997).
- Update
  patches.suse/swiotlb-fix-info-leak-with-DMA_FROM_DEVICE.patch
  (CVE-2022-0854 bsc#1196823 CVE-2022-48853 bsc#1228015).
- Update patches.suse/usb-f_fs-Fix-use-after-free-for-epfile.patch
  (git-fixes CVE-2022-48822 bsc#1228040).
- Update
  patches.suse/usb-gadget-Fix-use-after-free-bug-by-not-setting-udc.patch
  (git-fixes CVE-2022-48838 bsc#1227988).
- Update
  patches.suse/usb-gadget-rndis-prevent-integer-overflow-in-rndis_s.patch
  (git-fixes CVE-2022-48837 bsc#1227987).
- Update
  patches.suse/usb-usbtmc-Fix-bug-in-pipe-direction-for-control-tra.patch
  (git-fixes CVE-2022-48834 bsc#1228062).
- Update
  patches.suse/vdpa-fix-use-after-free-on-vp_vdpa_remove.patch
  (git-fixes CVE-2022-48861 bsc#1228009).
- Update
  patches.suse/vhost-fix-hung-thread-due-to-erroneous-iotlb-entries.patch
  (git-fixes CVE-2022-48862 bsc#1228010).
- Update
  patches.suse/vsock-remove-vsock-from-connected-table-when-connect.patch
  (git-fixes CVE-2022-48786 bsc#1227996).
- Update
  patches.suse/vt_ioctl-fix-array_index_nospec-in-vt_setactivate.patch
  (git-fixes CVE-2022-48804 bsc#1227968).
- Update patches.suse/watch_queue-Fix-filter-limit-check.patch
  (CVE-2022-0995 bsc#1197246 CVE-2022-48847 bsc#1227993).
- Update
  patches.suse/xprtrdma-fix-pointer-derefs-in-error-cases-of-rpcrdm.patch
  (git-fixes CVE-2022-48773 bsc#1227921).
- commit e328ee7

- Update
  patches.suse/net-sunrpc-fix-reference-count-leaks-in-rpc_sysfs_xp.patch
  (git-fixes CVE-2021-47624 bsc#1227920).
- Update
  patches.suse/scsi-ufs-Fix-a-deadlock-in-the-error-handler.patch
  (git-fixes CVE-2021-47622 bsc#1227917).
- commit f2d923e

- nvme_core: scan namespaces asynchronously (bsc#1224105).
- commit c8086f4

- cgroup/cpuset: Prevent UAF in proc_cpuset_show() (bsc#1228801).
- commit 8837200

- net/dpaa2: Avoid explicit cpumask var allocation on stack
  (CVE-2024-42093 bsc#1228680).
- commit e2a1614

- workqueue: Improve scalability of workqueue watchdog touch
  (bsc#1193454).
- commit 51a7eb4

- workqueue: wq_watchdog_touch is always called with valid CPU
  (bsc#1193454).
- commit 10bbd80

- KVM: arm64: Disassociate vcpus from redistributor region on
  teardown (CVE-2024-40989 bsc#1227823).
- commit 724dd5c

- ASoC: topology: Fix references to freed memory (CVE-2024-41069
  bsc#1228644).
- commit 44dd0c7

- Update
  patches.suse/ext2-Avoid-reading-renamed-directory-if-parent-does-.patch
  (bsc#1221044 CVE-2023-52591 bsc#1228440).
- commit d21f810

- hfsplus: fix uninit-value in copy_name (bsc#1228561
  CVE-2024-41059).
- commit cfc2db1

- dmaengine: idxd: Fix possible Use-After-Free in
  irq_process_work_list (CVE-2024-40956 bsc#1227810).
- commit 3632d87

- ocfs2: fix DIO failure due to insufficient transaction credits
  (bsc#1216834).
- commit edabc6f

- tap: add missing verification for short frame (CVE-2024-41090
  bsc#1228328).
- commit e64bcfc

- bpf: Fix overrunning reservations in ringbuf (bsc#1228020
  CVE-2024-41009).
- commit e559e61

- rpm/guards: fix precedence issue with control flow operator
  With perl 5.40 it report the following error on rpm/guards script:
  Possible precedence issue with control flow operator (exit) at scripts/guards line 208.
  Fix the issue by adding parenthesis around ternary operator.
- commit 07b8b4e

- drm/amdkfd: don't allow mapping the MMIO HDP page with large
  pages (CVE-2024-41011 bsc#1228115).
- commit ff8f843

- 9p: add missing locking around taking dentry fid list (bsc#1227090, CVE-2024-39463).
- commit c58a66f

- sch_cake: do not call cake_destroy() from cake_init()
  (CVE-2021-47598 bsc#1226574).
- commit d533b8e

- gve: Clear napi->skb before dev_kfree_skb_any() (CVE-2024-40937
  bsc#1227836).
- commit 610d469

- Update
  patches.suse/powerpc-pseries-iommu-LPAR-panics-during-boot-up-wit.patch
  (bsc#1222011 ltc#205900 CVE-2024-36926 bsc#1225829).
- commit 1ec0d1e

- Update
  patches.suse/perf-x86-intel-pt-Fix-crash-with-stop-filters-in-single-range-mode.patch
  (git fixes CVE-2022-48713 bsc#1227549).
- Update
  patches.suse/scsi-qedf-Ensure-the-copied-buf-is-NUL-terminated.patch
  (bsc#1226758 CVE-2024-38559 bsc#1226785).
- Update
  patches.suse/tls-fix-use-after-free-on-failed-backlog-decryption.patch
  (CVE-2024-26583 CVE-2024-26584 bsc#1220185 bsc#1220186
  CVE-2024-26800 bsc#1222728).
- commit 329a684

- vfio/fsl-mc: Block calling interrupt handler without trigger
  (bsc#1222810 CVE-2024-26814).
- commit 520ae3c

- KVM: Always flush async #PF workqueue when vCPU is being
  destroyed (bsc#1223635 CVE-2024-26976).
- commit c5ed396

- virtio-blk: fix implicit overflow on virtio_max_dma_size
  (bsc#1225573 CVE-2023-52762).
- commit 4296dc1

- vfio/platform: Create persistent IRQ handlers (bsc#1222809
  CVE-2024-26813).
- commit a8290e8

- net: mana: Fix Rx DMA datasize and skb_over_panic (git-fixes CVE-2024-35901 bsc#1224495).
- commit 9db7ad0

- Update patches.suse/net-tls-factor-out-tls_-crypt_async_wait.patch.
- fix build warning
- commit 01715f7

- powerpc/pseries: Fix scv instruction crash with kexec
  (bsc#1194869 CVE-2024-42230).
- powerpc/kasan: Disable address sanitization in kexec paths
  (bsc#1194869 CVE-2024-42230).
- commit c9d175f

- kernel-binary: vdso: Own module_dir
- commit ff69986

- Update
  patches.suse/scsi-qedf-Ensure-the-copied-buf-is-NUL-terminated.patch
  (bsc#1226785 CVE-2024-38559).
  Fixed incorrect bug reference.
- commit e3b8fb6

- net/dcb: check for detached device before executing callbacks
  (bsc#1215587).
- commit 9c27e1c

- kABI: rtas: Workaround false positive due to lost definition
  (bsc#1227487).
- commit fb8a8f3

- powerpc/rtas: Prevent Spectre v1 gadget construction in
  sys_rtas() (bsc#1227487).
- commit 9648fb4

- tls: fix use-after-free on failed backlog decryption
  (CVE-2024-26583 CVE-2024-26584 bsc#1220185 bsc#1220186).
- tls: separate no-async decryption request handling from async
  (CVE-2024-26583 CVE-2024-26584 bsc#1220185 bsc#1220186).
- tls: decrement decrypt_pending if no async completion will be
  called (CVE-2024-26583 CVE-2024-26584 bsc#1220185 bsc#1220186).
- net: tls: handle backlogging of crypto requests (CVE-2024-26584
  bsc#1220186).
- tls: fix race between tx work scheduling and socket close
  (CVE-2024-26585 bsc#1220187).
- tls: fix race between async notify and socket close
  (CVE-2024-26583 bsc#1220185).
- net: tls: factor out tls_*crypt_async_wait() (CVE-2024-26583
  CVE-2024-26584 bsc#1220185 bsc#1220186).
- net: tls: fix async vs NIC crypto offload (CVE-2024-26583
  CVE-2024-26584 bsc#1220185 bsc#1220186).
- tls: rx: use async as an in-out argument (CVE-2024-26583
  CVE-2024-26584 bsc#1220185 bsc#1220186).
- tls: rx: assume crypto always calls our callback (CVE-2024-26583
  CVE-2024-26584 bsc#1220185 bsc#1220186).
- tls: rx: don't track the async count (CVE-2024-26583
  CVE-2024-26584 bsc#1220185 bsc#1220186).
- tls: rx: simplify async wait (CVE-2024-26583 CVE-2024-26584
  bsc#1220185 bsc#1220186).
- tls: rx: wrap decryption arguments in a structure
  (CVE-2024-26583 CVE-2024-26584 bsc#1220185 bsc#1220186).
- tls: rx: don't report text length from the bowels of decrypt
  (CVE-2024-26583 CVE-2024-26584 bsc#1220185 bsc#1220186).
- tls: rx: drop unnecessary arguments from tls_setup_from_iter()
  (CVE-2024-26583 CVE-2024-26584 bsc#1220185 bsc#1220186).
- commit 63dd4a4

- Delete
  patches.suse/tls-fix-race-between-tx-work-scheduling-and-socket-c.patch.
  Will be replaced with a refreshed version once all conflicting new patches are in.
- commit a0fa0a3

- NFS: Reduce use of uncached readdir (bsc#1226662).
- NFS: Don't re-read the entire page cache to find the next cookie
  (bsc#1226662).
- commit a10cc0e

- jfs: xattr: fix buffer overflow for invalid xattr
  (bsc#1227383).
- commit 33e2d96
apr
- security update
- added patches
  fix CVE-2023-49582 [bsc#1229783], unexpected lax shared memory permissions
  + apr-CVE-2023-49582.patch
util-linux
- Skip aarch64 decode path for rest of the architectures
  (bsc#1229476, util-linux-lscpu-skip-aarch64-decode.patch).

- agetty: Prevent login cursor escape (bsc#1194818,
  util-linux-agetty-prevent-cursor-escape.patch).
expat
- Security fix (bsc#1229932, CVE-2024-45492): detect integer
  overflow in function nextScaffoldPart
  * Added expat-CVE-2024-45492.patch
- Security fix (bsc#1229931, CVE-2024-45491): detect integer
  overflow in dtdCopy
  * Added expat-CVE-2024-45491.patch
- Security fix (bsc#1229930, CVE-2024-45490): reject negative
  len for XML_ParseBuffer
  * Added expat-CVE-2024-45490.patch
mozilla-nss
- Updated nss-fips-approved-crypto-non-ec.patch to enforce
  approved curves with the CKK_EC_MONTGOMERY key type (bsc#1224113).
libmodulemd
- Build python bindings for all pythons (jsc#PED-6218)
ncurses
- Add patch ncurses-6.1-boo1229028.patch (boo#1229028)
  * Allow that terminal description based on static fallback
    entries can be freed.
openssl-1_1
- Security fix: [bsc#1220262, CVE-2023-50782]
  * Implicit rejection in PKCS#1 v1.5
  * Add openssl-CVE-2023-50782.patch

- Build with no-afalgeng [bsc#1226463]

- Security fix: [bsc#1227138, CVE-2024-5535]
  * SSL_select_next_proto buffer overread
  * Add openssl-CVE-2024-5535.patch
libpcap
- enable rdma support (bsc#1230894)

- Security fix: [bsc#1230034, CVE-2024-8006]
  * libpcap: NULL pointer derefence in pcap_findalldevs_ex()
  * Add libpcap-CVE-2024-8006.patch

- Security fix: [bsc#1230020, CVE-2023-7256]
  * libpcap: double free via addrinfo in sock_initaddress()
  * Add libpcap-CVE-2023-7256.patch
postgresql16
- Upgrade to 16.4 (bsc#1229013):
  * bsc#1229013, CVE-2024-7348 PostgreSQL relation replacement
    during pg_dump executes arbitrary SQL
  * https://www.postgresql.org/about/news/postgresql-164-158-1413-1316-1220-and-17-beta-3-released-2910/
  * https://www.postgresql.org/docs/release/16.4/
python3
- Add CVE-2024-9287-venv_path_unquoted.patch to properly quote
  path names provided when creating a virtual environment
  (bsc#1232241, CVE-2024-9287)

- Drop .pyc files from docdir for reproducible builds
  (bsc#1230906).

- Add CVE-2024-6232-ReDOS-backtrack-tarfile.patch prevent
  ReDos via excessive backtracking while parsing header values
  (bsc#1230227, CVE-2024-6232).

- Add CVE-2024-5642-switch-off-NPN.patch switching off the NPN
  support eliminating bsc#1227233 (CVE-2024-5642).

- Add CVE-2024-6923-email-hdr-inject.patch to prevent email
  header injection due to unquoted newlines (bsc#1228780,
  CVE-2024-6923).
- Add CVE-2024-7592-quad-complex-cookies.patch fixing quadratic
  complexity in parsing cookies with backslashes (bsc#1229596,
  CVE-2024-7592)
- %{profileopt} variable is set according to the variable
  %{do_profiling} (bsc#1227999)

- Remove %suse_update_desktop_file macro as it is not useful any
  more.

- Stop using %%defattr, it seems to be breaking proper executable
  attributes on /usr/bin/ scripts (bsc#1227378).
ruby2.5
- backport REXML from 3.3
  - fix denial of service when parsing a XML that has many deep
    elements with the same local name attributes
    (boo#1229673 CVE-2024-43398)
  - fix denial of service when parsing an XML that contains many
    specific characters such as whitespaces, >] and ]>
    (boo#1228794 CVE-2024-41123)
  - fix denial of service when parsing an XML that has many entity
    expansions with SAX2 or pull parser API
    (boo#1228799 CVE-2024-41946)
  - fix denial of service when parsing an XML that has many left
    angled brackets in an attribute value
    (boo#1224390 CVE-2024-35176)
  - fix ReDoS when parsing an XML that has many specific characters
    (boo#1228072 CVE-2024-39908)
libsolv
- removed dependency on external find program in the repo2solv tool
- bindings: fix return value of repodata.add_solv()
- new SOLVER_FLAG_FOCUS_NEW flag
- bump version to 0.7.30
suseconnect-ng
- Update version to 1.12:
  - Set the filesystem root on zypper when given (bsc#1230229,bsc#1229014)
systemd
- Import commit a57a6d239c5d6b91fb3dcd269705e60804a03ae1
  cd0c9ac4f4 unit: drop ProtectClock=yes from systemd-udevd.service (bsc#1226414)
  e1eaa86a49 udev: do not set ID_PATH and by-path symlink for nvmf disks
  a85d211874 man: Document ranges for distributions config files and local config files

- Don't mention any rpm macros inside comments, even if escaped (bsc#1228091)
  Otherwise pesign-obs-integration ends up re-packaging systemd with all macros
  inside comments unescaped leading to unpredictable behavior. Now why rpm
  expands rpm macros inside comments is the question...

- Update 1011-sysv-generator-add-back-support-for-SysV-scripts-for.patch
  Really skip redundant dependencies specified the LSB description that
  references the file name of the service itself for early boot scripts (noticed
  in bsc#1221479).
libzypp
- PluginFrame: Send unescaped colons in header values
  (bsc#1231043)
  According to the STOMP protocol it would be correct to escape a
  colon in a header-value, but it breaks plugin receivers which do
  not expect this. The first colon separates header-name from
  header-value, so escaping in the header-value is not needed
  anyway.
  Escaping in the header-value affects especially the urlresolver
  plugins. The input URL is passed in a header, but sent back as
  raw data in the frames body. If the plugin receiver does not
  correctly unescape the URL we may get back a "https\c//" which is
  not usable.
- Do not ignore return value of std::remove_if in MediaSyncFacade
  (fixes #579)
- Fix hang in curl code with no network connection (bsc#1230912)
- version 17.35.12 (35)

- Deprecate librpmDb::db_const_iterator default ctor (bsc#1230267)
  It's preferred to explicitly tell the root directory of the
  system whose database you want to query.
- version 17.35.11 (35)

- API refactoring. Prevent zypper from using now private libzypp
  symbols (bsc#1230267)
- Conflicts: zypper <= 1.14.76
- version 17.35.10 (35)

- single_rpmtrans: fix installation of .src.rpms (bsc#1228647)
- version 17.35.9 (35)

- Make sure not to statically linked installed tools (bsc#1228787)
- version 17.35.8 (35)

- MediaPluginType must be resolved to a valid MediaHandler
  (bsc#1228208)
- version 17.35.7 (35)

- Export CredentialManager for legacy YAST versions (bsc#1228420)
- version 17.35.6 (35)

- Export asSolvable for YAST (bsc#1228420)
- Fix 4 typos in zypp.conf.
- version 17.35.5 (35)

- Fix typo in the geoip update pipeline (bsc#1228206)
- Export RepoVariablesStringReplacer for yast2 (bsc#1228138)
- version 17.35.4 (35)

- Translation: updated .pot file.
- Conflict with python zypp-plugin < 0.6.4 (bsc#1227793)
  Older zypp-plugins reject stomp headers including a '-'. Like the
  'content-length' header we may send.
- Fix int overflow in Provider (fixes #559)
  This patch fixes an issue in safe_strtonum which caused
  timestamps to overflow in the Provider message parser.
- Fix error reporting on repoindex.xml parse error (bsc#1227625)
- version 17.35.3 (35)

- Keep UrlResolverPlugin API public (fixes #560)
- Blacklist /snap executables for 'zypper ps' (bsc#1226014)
- Fix handling of buddies when applying locks (bsc#1225267)
  Buddy pairs (like -release package and product) internally share
  the same status object. When applying locks from query results
  the locked bit must be set if either item is locked.
- version 17.35.2 (35)

- Install zypp/APIConfig.h legacy include (fixes #557)
- version 17.35.1 (35)

- Update soname due to RepoManager refactoring and cleanup.
- version 17.35.0 (35)

- Workaround broken libsolv-tools-base requirements (fixes
  openSUSE/zypper#551)
- Strip ssl_clientkey from repo urls (bsc#1226030)
- Remove protobuf build dependency.
- Lazily attach medium during refresh workflows (bsc#1223094)
- Refactor RepoManager and add Service workflows.
- version 17.34.2 (34)
shadow
- bsc#1230972: Add useradd warnings when requested UID is outside
  the default range
- add shadow-bsc1230972-useradd-warning.patch

- bsc#1228337: chage -d date vs passwd -S output is off by one
  Remove shadow-bsc1176006-chage-date.patch
logrotate
- Backport 'ignoreduplicates' configuration flag (jsc#PED-10366)
  * Added patch logrotate-ignore-duplicates.patch
  * Allows log processing with duplicate logfile matches
pam-config
- Change check for existence of modules.
  If we have a biarch architecture, we check that the 64bit
  PAM module is there and report an error if not. For the 32bit
  variant, we only issue a warning.
  [pam-config-change-check-for-existence-of-modules.patch, bsc#1227216]
pam
- Prevent cursor escape from the login prompt [bsc#1194818]
  * Added: pam-bsc1194818-cursor-escape.patch
postgresql
- bsc#1230423: Relax the dependency of extensions on the server
  version from exact major.minor to greater or equal, after Tom
  Lane confirmed on the PostgreSQL packagers list that ABI
  stability is being taken care of between minor releases.
postgresql14
- Upgrade to 14.13 (bsc#1229013):
  * bsc#1229013, CVE-2024-7348 PostgreSQL relation replacement
    during pg_dump executes arbitrary SQL
  * https://www.postgresql.org/about/news/postgresql-164-158-1413-1316-1220-and-17-beta-3-released-2910/
  * https://www.postgresql.org/docs/release/14.13/
protobuf
- Build the java part with maven, so that we create artifacts
  that correspond to upstream distributed ones.
- Add maven artifact metadata to the protoc binary
- Package also the bom and pom artifacts

- Add patch to fix StackOverflow vulnerability in Protocol Buffers
  * CVE-2024-7254.patch (bsc#1230778, CVE-2024-7254)
python-PyYAML
- reenable the cython yaml loader (bsc#1225641)
python3-dmidecode
- Update to the upstream release 3.12.3 (bsc#1229855):
  - consolidation of previous git commits
  - support SMBIOS3.3.0
- Remove upstreamed huge-memory.patch
- Remove upstreamed fix-memory-Type-Detail-map-size.patch
python-dnspython
- Fix CVE-2023-29483-pre1.patch
  (bsc#1230353, gh#rthalley/dnspython@6d590f0a2e1b, gh#nrhall/dnspython@55d6a9d81930)
salt
- Fix rich rule comparison in firewalld module (bsc#1222684)
- test_vultrpy: adjust test expectation to prevent failure after Debian 10 EOL
- Make auth.pam more robust with Salt Bundle and fix tests
- Fix performance of user.list_groups with many remote groups
- Fix "status.diskusage" function and exclude some tests for Salt Bundle
- Skip certain tests if necessary for some OSes and set flaky ones
- Add a timer to delete old env post update for venv-minion
- Several fixes for tests to avoid errors and failures in some OSes
- Added:
  * test_vultrpy-adjust-test-expectation-to-prevent-fail.patch
  * skip-certain-tests-if-necessary-and-mark-some-flaky-.patch
  * some-more-small-tests-fixes-enhancements-661.patch
  * firewalld-normalize-new-rich-rules-before-comparing-.patch
  * several-fixes-for-tests-to-avoid-errors-and-failures.patch
  * provide-systemd-timer-unit.patch
  * fix-user.list_groups-omits-remote-groups.patch
  * fix-status.diskusage-and-exclude-some-tests-to-run-w.patch
python3-setuptools
- Add patch CVE-2024-6345-code-execution-via-download-funcs.patch:
  * Sanitize any VCS URL we download. (CVE-2024-6345, bsc#1228105)
zypp-plugin
- Fix stomp header regex to include '-' (bsc#1227793)
- version 0.6.4

- singlespec in Tumbleweed must support multiple python3 flavors
  in the future gh#openSUSE/python-rpm-macros#66

- Provide python3-zypp-plugin down to SLE12 (bsc#1081596)

- Provide python3-zypp-plugin in SLE12-SP3 (bsc#1081596)
regionServiceClientConfigEC2
- Update to version 4.3.0 (bsc#1228363)
  + The IPv6 cert was switched up for the region server running in us-west-2
    and as such the SSL handshake was failing. Drop the incorrect cert
    and add the correct cert.

- Switch the patch syntax away form the deprecated shorthand macro

- Version 4.2.0
  Replace certs (length 4096):
  rgnsrv-ec2-cn-north1  -> 54.223.148.145 expires in 8 years
  rgnsrv-ec2-us-west2-2 -> 54.245.101.47  expires in 9 years
  Sidenote: We have one server with a short cert (2048) left;
  34.197.223.242 expires in 2027

- Version 4.1.1
  Add patch no-ipv6.patch to not serve IPv6 addresses on SLES12
  Related to bsc#1218656
rsyslog
- fix PreserveFQDN option before daemon is restarted (bsc#1231229)
  add 0001-core-bugfix-rsyslog-messages-may-not-always-have-FQD.patch
runc
[ This was only ever released for SLES and Leap. ]
- Update to runc v1.1.14. Upstream changelog is available from
  <https://github.com/opencontainers/runc/releases/tag/v1.1.14>.
  Includes the patch for CVE-2024-45310. bsc#1230092
- Rebase patches:
  * 0001-bsc1221050-libct-seccomp-patchbpf-rm-duplicated-code.patch
  * 0002-bsc1221050-seccomp-patchbpf-rename-nativeArch-linuxA.patch
  * 0003-bsc1221050-seccomp-patchbpf-always-include-native-ar.patch
  * 0004-bsc1214960-nsenter-cloned_binary-remove-bindfd-logic.patch
shim
- Update shim-install to apply the missing fix for openSUSE Leap
  (bsc#1210382) fixed by Gary.
  * 86b73d1 Fix that bootx64.efi is not updated on Leap
- Update shim-install to use the 'removable' way for SL-Micro
  (bsc#1230316) fixed by Gary.
  * 433cc4e Always use the removable way for SL-Micro
000release-packages:sle-module-basesystem-release
n/a
000release-packages:sle-module-containers-release
n/a
000release-packages:sle-module-desktop-applications-release
n/a
000release-packages:sle-module-development-tools-release
n/a
000release-packages:sle-module-public-cloud-release
n/a
000release-packages:sle-module-python3-release
n/a
000release-packages:sle-module-server-applications-release
n/a
000release-packages:sle-module-web-scripting-release
n/a
strace
- Change the license to the correct LGPL-2.1-or-later
  (bsc#1228216).
supportutils
- Changes to version 3.2.8
  + Avoid getting duplicate kernel verifications in boot.text (pr#190)
  + lvm: suppress file descriptor leak warnings from lvm commands (pr#191)
  + docker_info: Add timestamps to container logs (pr#196)
  + Key value pairs and container log timestamps (bsc#1222021 PED-8211, pr#198)
  + Update supportconfig get pam.d sorted (pr#199)
  + yast_files: Exclude .zcat (pr#201)
  + Sanitize grub bootloader (bsc#1227127, pr#203)
  + Sanitize regcodes (pr#204)
  + Improve product detection (pr#205)
  + Add read_values for s390x (bsc#1228265, pr#206)
  + hardware_info: Remove old alsa ver check (pr#209)
  + drbd_info: Fix incorrect escape of quotes (pr#210)
suse-build-key
- extended 2048 bit SUSE SLE 12, 15 GA-SP5 key until 2028. (bsc#1229339)
  - gpg-pubkey-39db7c82-5f68629b.asc
  + gpg-pubkey-39db7c82-66c5d91a.asc

- ensure key2rpmname is called using bash.

- make the per-project inclusion optional, default off.

- Also include the GPG key from the current build project
  to allow Staging testing without production keys. (bsc#1231829)
unzip
- Use %patch -P N instead of deprecated %patchN.

- Build unzip-rcc using multibuild and update unzip-rcc.spec file
util-linux-systemd
- Skip aarch64 decode path for rest of the architectures
  (bsc#1229476, util-linux-lscpu-skip-aarch64-decode.patch).

- agetty: Prevent login cursor escape (bsc#1194818,
  util-linux-agetty-prevent-cursor-escape.patch).
wget
- Update 0001-possibly-truncate-pathname-components.patch
  * Take the patch from savannah repository where the checking of the file
    length doesn't include path length.
  * [bsc#1204720, bsc#1231661]
wicked
- compat-suse: fix dummy interfaces configuration with
  INTERFACETYPE=dummy (boo#1229555, gh#openSUSE/wicked#1031)
  [+ 0001-compat-suse-repair-dummy-interfaces-boo-1229555.patch]
xen
- bsc#1230366 - VUL-0: CVE-2024-45817: xen: x86: Deadlock in
  vlapic_error() (XSA-462)
  xsa462.patch

- bsc#1228201 - [Baremetal][sles15sp4][guest migration] xl
  migration fail , guest not shutdown.
  This also fixes, bsc#1222453 - VUL-0: CVE-2024-2201: xen: x86:
  Native Branch History Injection (XSA-456)
  661d00b8-VMX-prevent-fallthrough-in-vmx_set_reg.patch

- bsc#1228574 - VUL-0: CVE-2024-31145: xen: error handling in x86
  IOMMU identity mapping (XSA-460)
  66bb7316-x86-IOMMU-move-tracking-in-iommu_identity_mapping.patch
- bsc#1228575 - VUL-0: CVE-2024-31146: xen: PCI device pass-through
  with shared resources (XSA-461)
  66bb6fa5-x86-pass-through-document-as-security-unsupported.patch
- Drop xsa458.patch in favor of upstream version (bsc#1227355)
  669662ea-x86-IRQ-avoid-double-unlock-in-map_domain_pirq.patch

- bsc#1227355 - VUL-0: CVE-2024-31143: xen: double unlock in x86
  guest IRQ handling (XSA-458)
  xsa458.patch

- bsc#1222453 - VUL-0: CVE-2024-2201: xen: x86: Native Branch
  History Injection (XSA-456)
  662a6a4c-x86-spec-reporting-of-BHB-clearing.patch
  662a6a8d-x86-spec-adjust-logic-to-elide-LFENCE.patch
zypper
- API refactoring. Prevent zypper from using now private libzypp
  symbols (bsc#1230267)
- BuildRequires:  libzypp-devel >= 17.35.10.
- Fix wrong numbers used in CommitSummary skipped/failed messages.
- version 1.14.77

- Show rpm install size before installing (bsc#1224771)
  If filesystem snapshots are taken before the installation (e.g.
  by snapper) no disk space is freed by removing old packages. In
  this case the install size of all packages is a hint how much
  additional disk space is needed by the new packages static
  content.
- version 1.14.76

- Fix readline setup to handle Ctrl-C and Ctrl-D corrrectly
  (bsc#1227205)
- version 1.14.75

- Let_readline_abort_on_Ctrl-C (bsc#1226493)
- packages: add '--system' to show @System packages (bsc#222971)
- version 1.14.74