python311
- Update to 3.11.13:
  - Security
  - gh-135034: Fixes multiple issues that allowed tarfile
    extraction filters (filter="data" and filter="tar") to be
    bypassed using crafted symlinks and hard links.
    Addresses CVE-2024-12718 (bsc#1244056), CVE-2025-4138
    (bsc#1244059), CVE-2025-4330 (bsc#1244060), and
    CVE-2025-4517 (bsc#1244032).
  - gh-133767: Fix use-after-free in the “unicode-escape”
    decoder with a non-“strict” error handler (CVE-2025-4516,
    bsc#1243273).
  - gh-128840: Short-circuit the processing of long IPv6
    addresses early in ipaddress to prevent excessive memory
    consumption and a minor denial-of-service.
  - Library
  - gh-128840: Fix parsing long IPv6 addresses with embedded
    IPv4 address.
  - gh-134062: ipaddress: fix collisions in __hash__() for
    IPv4Network and IPv6Network objects.
  - gh-123409: Fix ipaddress.IPv6Address.reverse_pointer output
    according to RFC 3596, §2.5. Patch by Bénédikt Tran.
  - bpo-43633: Improve the textual representation of
    IPv4-mapped IPv6 addresses (RFC 4291 Sections 2.2, 2.5.5.2)
    in ipaddress. Patch by Oleksandr Pavliuk.
- Remove upstreamed patches:
  - gh-126572-test_ssl-no-stop-ThreadedEchoServer-OSError.patch
  - CVE-2025-4516-DecodeError-handler.patch

- Add CVE-2025-4516-DecodeError-handler.patch fixing
  CVE-2025-4516 (bsc#1243273) blocking DecodeError handling
  vulnerability, which could lead to DoS.

- Use extended %autopatch.

- Remove python-3.3.0b1-test-posix_fadvise.patch (not needed
  since kernel 3.6-rc1)

- Update to 3.11.12:
  - gh-131809: Update bundled libexpat to 2.7.1
  - gh-131261: Upgrade to libexpat 2.7.0
  - gh-105704: When using urllib.parse.urlsplit() and
    urllib.parse.urlparse() host parsing would not reject domain
    names containing square brackets ([ and ]). Square brackets
    are only valid for IPv6 and IPvFuture hosts according to RFC
    3986 Section 3.2.2 (bsc#1236705, CVE-2025-0938,
    gh#python/cpython#105704).
  - gh-121284: Fix bug in the folding of rfc2047 encoded-words
    when flattening an email message using a modern email
    policy. Previously when an encoded-word was too long for
    a line, it would be decoded, split across lines, and
    re-encoded. But commas and other special characters in the
    original text could be left unencoded and unquoted. This
    could theoretically be used to spoof header lines using a
    carefully constructed encoded-word if the resulting rendered
    email was transmitted or re-parsed.
  - gh-80222: Fix bug in the folding of quoted strings
    when flattening an email message using a modern email
    policy. Previously when a quoted string was folded so that
    it spanned more than one line, the surrounding quotes and
    internal escapes would be omitted. This could theoretically
    be used to spoof header lines using a carefully constructed
    quoted string if the resulting rendered email was transmitted
    or re-parsed.
  - gh-119511: Fix a potential denial of service in the imaplib
    module. When connecting to a malicious server, it could
    cause an arbitrary amount of memory to be allocated. On many
    systems this is harmless as unused virtual memory is only
    a mapping, but if this hit a virtual address size limit
    it could lead to a MemoryError or other process crash. On
    unusual systems or builds where all allocated memory is
    touched and backed by actual RAM or storage it could’ve
    consumed resources doing so until similarly crashing.
  - gh-127257: In ssl, system call failures that OpenSSL reports
    using ERR_LIB_SYS are now raised as OSError.
  - gh-121277: Writers of CPython’s documentation can now use
    next as the version for the versionchanged, versionadded,
    deprecated directives.
  - gh-106883: Disable GC during the _PyThread_CurrentFrames()
    and _PyThread_CurrentExceptions() calls to prevent the
    interpreter from deadlocking.
- Remove upstreamed patch:
  - CVE-2025-0938-sq-brackets-domain-names.patch
- Add gh-126572-test_ssl-no-stop-ThreadedEchoServer-OSError.patch
  so that test_ssl does not stop ThreadedEchoServer on OSError,
  which makes test_ssl pass with OpenSSL 3.5 (bsc#1241067,
  gh#python/cpython!126572)
libzypp
- Fix credential handling in HEAD requests (bsc#1244105)
- version 17.37.5 (35)

- RepoInfo: use pathNameSetTrailingSlash (fixes #643)
- Fix wrong userdata parameter type when running zypp with debug
  verbosity (bsc#1239012)
- version 17.37.4 (35)

- Do not warn about no mirrors if mirrorlist was switched on
  automatically. (bsc#1243901)
- Relax permission of cached packages to 0644 & ~umask
  (bsc#1243887)
- version 17.37.3 (35)

- Add a note to service maintained .repo file entries (fixes #638)
- Support using %{url} variable in a RIS service's repo section.
- version 17.37.2 (35)

- Use a cookie file to validate mirrorlist cache.
  This patch extends the mirrorlist code to use a cookie file to
  validate the contents of the cache against the source URL, making
  sure that we do not accidentally use an old cache when the
  mirrorlist URL was changed. For example when migrating a system
  from one release to the next where the same repo alias might just
  have a different URL.
- Let Service define and update gpgkey, mirrorlist and metalink.
- Preserve a mirrorlist file in the raw cache during refresh.
- version 17.37.1 (35)

- Code16: Enable curl2 backend and parallel package download by
  default. In Code15 it's optional.
  Environment variables ZYPP_CURL2=<0|1> and ZYPP_PCK_PRELOAD=<0|1>
  can be used to turn the features on or off.
- Make gpgKeyUrl the default source for gpg keys.
  When refreshing zypp now primarily uses gpgKeyUrl information
  from the repo files and only falls back to an automatically
  generated key URL if a gpgKeyUrl was not specified.
- Introduce mirrors into the Media backends (bsc#1240132)
- Drop MediaMultiCurl backend.
- Throttle progress updates when preloading packages (bsc#1239543)
- Check if request is in valid state in CURL callbacks (fixes
  openSUSE/zypper#605)
- spec/CMake: add conditional build
  '--with[out] classic_rpmtrans_as_default'.
  classic_rpmtrans is the current builtin default for SUSE,
  otherwise it's single_rpmtrans.
  The `enable_preview_single_rpmtrans_as_default_for_zypper` switch
  was removed from the spec file.  Accordingly the CMake option
  ENABLE_PREVIEW_SINGLE_RPMTRANS_AS_DEFAULT_FOR_ZYPPER was removed.
- version 17.37.0 (35)
uyuni-tools
- version 0.1.30-0
  * Bump the default image tag to 5.0.4.1
pam-config
- Stop adding pam_env in the AUTH stack, and be sure to put this module at the
  very end of the SESSION stack.
  [bsc#1243226, CVE-2025-6018, remove-pam_env-from-auth-stack.patch]
pam
- pam_namespace: convert functions that may operate on a user-controlled path
  to operate on file descriptors instead of absolute path. And keep the
  bind-mount protection from protect_mount() as a defense-in-depth measure.
  [bsc#1244509,
  pam_inline-introduce-pam_asprintf-pam_snprintf-and-p.patch,
  pam_namespace-fix-potential-privilege-escalation.patch,
  pam_namespace-add-flags-to-indicate-path-safety.patch,
  pam_namespace-secure_opendir-do-not-look-at-the-grou.patch]
- pam_namespace-fix-potential-privilege-escalation.patch adapted and includes
  changes from upstream commits: ds6242a, bc856cd.
  * pam_namespace fix logic in return value handling
  * pam_namespace move functions around

- pam_env: Change the default to not read the user .pam_environment file
  [bsc#1243226, CVE-2025-6018,
  pam_env-change-the-default-to-not-read-the-user-env.patch]
perl
- do not change the current directory when cloning an open
  directory handle [bnc#1244079] [CVE-2025-40909]
  new patch: perl-dirdup.diff
podman
- Added patch to remove using rw as a default mount option (bsc#1239776)
  * 0007-Fix-Remove-appending-rw-as-the-default-mount-option.patch
- Rebase patches:
  * 0001-vendor-update-c-buildah-to-1.33.12.patch
  * 0002-Backport-fix-for-CVE-2024-6104.patch
  * 0003-Switch-hashicorp-go-retryablehttp-to-the-SUSE-fork.patch
  * 0004-http2-close-connections-when-receiving-too-many-head.patch
  * 0005-CVE-2025-27144-vendor-don-t-allow-unbounded-amounts-.patch
  * 0006-CVE-2025-22869-ssh-limit-the-size-of-the-internal-pa.patch
python-requests
- Add CVE-2024-47081.patch upstream patch, fixes netrc credential leak
  (gh#psf/requests#6965, CVE-2024-47081, bsc#1244039)
selinux-policy
- Update to version 20230511+git23.258d08099:
  * Provide type for sysstat lock files (bsc#1228247 bsc#1244094)
server-attestation-image
n/a
server-hub-xmlrpc-api-image
n/a
server-image
n/a
server-migration-14-16-image
n/a
zypper
- BuildRequires:  libzypp-devel >= 17.37.0.
- Use libzypp improvements for preload and mirror handling.
- xmlout.rnc: Update repo-element (bsc#1241463)
  Add the "metalink" attribute and reflect that the "url" elements
  list may in fact be empty, if no baseurls are defined in the
  .repo files.
- man: update --allow-unsigned-rpm description.
  Explain how to achieve the same for packages provided by
  repositories.
- version 1.14.90