- libevent
-
- Disable the select backend; this can easily be done by lying
to configure. This is done because:
* using an fd number > 1024 on an fd_set results in a runtime
fortify source assertion, preventing further doom.
* select will not be changed to handle fd > 1024.
* this limit is unreasonably low for this century.
- Drop insserv_prereq and fillup_prereq macros: there are no
pre-scripts that would justify these dependencies.
- Update to 2.1.12 stable
* buffer: do not pass NULL to memcpy() from evbuffer_pullup()
* http: fix undefined-shift in EVUTIL_IS*_ helpers
* Check error code of evhttp_add_header_internal() in
evhttp_parse_query_impl()
* http: fix EVHTTP_CON_AUTOFREE in case of timeout
* evdns: Add additional validation for values of dns options
* Fix memory corruption in EV_CLOSURE_EVENT_FINALIZE with debug enabled
* increase segment refcnt only if evbuffer_add_file_segment() succeeds
* evdns: fix a crash when evdns_base with waiting requests is freed
* event_base_once: fix potential null pointer threat
* http: do not assume body for CONNECT
* evbuffer_add_file: fix freeing of segment in the error path
* Fix checking return value of the evdns_base_resolv_conf_parse()
* Support EV_CLOSED on linux for poll(2)
* Parse IPv6 scope IDs.
* evutil_time: detect and use _gmtime64_s()/_gmtime64()
* bufferevent: allow setting priority on socket and openssl type
* Fix EV_CLOSED detection/reporting
* Revert "Warn if forked from the event loop during event_reinit()"
- Add upstream patches with the feature of "prepare" and "check"
watchers. That feature is needed by envoy-proxy:
* 0001-evwatch-Add-prepare-and-check-watchers.patch
* 0002-evwatch-fix-race-condition.patch
- Update to 2.1.11 stable
* Fix ABI breakage that had been introduced in 2.1.10. Strictly speaking
this release breaks ABI again to make it compatible with <= 2.1.9.
+ See git commit 18104973 for more details
* evdns: add new options -- so-rcvbuf/so-sndbuf
* various autotools and cmake build changes
* buffer: fix possible NULL dereference in evbuffer_setcb() on ENOMEM
* Warn if forked from the event loop during event_reinit()
* evutil: set the have_checked_interfaces in evutil_check_interfaces()
* https-client: correction error checking
- Use FAT LTO objects in order to provide proper static library.
- Fix name of library package (bsc#1138369)
- Update to 2.1.10 stable
* evdns: add DNS_OPTION_NAMESERVERS_NO_DEFAULT /
EVDNS_BASE_NAMESERVERS_NO_DEFAULT
* Add support for EV_TIMEOUT to event_base_active_by_fd
* kqueue: Avoid undefined behaviour.
* Prevent integer overflow in kq_build_changes_list.
* evdns: fix lock/unlock mismatch in evdns_close_server_port()
* Protect min_heap_push_ against integer overflow.
* le-proxy: initiate use of the Winsock DLL
* Fix leaks in error path of the bufferevent_init_common_()
* buffer: make evbuffer_prepend() of zero-length array no-op
* Don't lose top error in SSL
* Remove needless check for arc4_seeded_ok
* Cleanup __func__ detection
* Add convenience macros for user-triggered events
* Notify event base if there are no more events, so it can exit without
delay
* Fix base unlocking in event_del() if event_base_set() ran in another
thread
* If precise_time is false, we should not set EVENT_BASE_FLAG_PRECISE_TIMER
* Fix race in access to ev_res from event loop with event_active()
* Return from event_del() after the last event callback termination
* Preserve socket error from listen across closesocket cleanup
* fix connection retries when there is more than one request for connection
* improve error path for bufferevent_{setfd,enable,disable}()
* Fix conceivable UAF of the bufferevent in evhttp_connection_free()
* Fix evhttp_connection_get_addr() for incoming http connections
* fix leaks in evhttp_uriencode()
* CONNECT method only takes an authority
* Allow bodies for GET/DELETE/OPTIONS/CONNECT
* Do not crash when evhttp_send_reply_start() is called after a timeout.
* Fix crashing http server when callback do not reply in place
* fix handling of close_notify (ssl) in http with openssl bufferevents
* use *_new_with_arg() to match function prototype
* avoid NULL dereference on request is not EVHTTP_REQ_POST
* bufferevent_socket_connect{,_hostname}() missing event callback and use
ret code
* don't fail be_null_filter if bytes are copied
* Call underlying bev ctrl GET_FD on filtered bufferevents
* be_openssl: avoid leaking of SSL structure
* Add missing includes into openssl-compat.h
* Explicitly call SSL_clear when resetting the fd.
* sample/https-client: use host SSL certificate store by default
* ipv6only socket bind support
* evdns: handle NULL filename explicitly
* Fix assert() condition in evbuffer_drain() for IOCP
* fix incorrect unlock of the buffer mutex (for deferred callbacks)
* Fix wrong assert in evbuffer_drain()
* Port `event_rpcgen.py` and `test/check-dumpevents.py` to Python 3.
- rename python2-shebang.patch -> python3-shebang.patch following port
- Make use of %license macro
- Add devel-static package, which is needed for building Envoy
(https://www.envoyproxy.io/) and Cilium with Envoy integration
- Fix an error about /usr/bin/env shebang in event_rpcgen.py
* python2-shebang.patch
- python-certifi
-
- Add python36-certifi provides/obsoletes to enable SLE-12 ->
SLE-15 migration, bsc#1233012
- python-idna
-
- Add python36-idna provides/obsoletes to enable SLE-12 ->
SLE-15 migration, bsc#1233012
- python-packaging
-
- Add python36-packaging provides/obsoletes to enable SLE-12 ->
SLE-15 migration, bsc#1233012
- python-pycparser
-
- Add python36-pycparser provides/obsoletes to enable SLE-12 ->
SLE-15 migration, bsc#1233012
- python-py
-
- Add python36-py provides/obsoletes to enable SLE-12 ->
SLE-15 migration, bsc#1233012
- python-six
-
- Add python36-six provides/obsoletes to enable SLE-12 ->
SLE-15 migration, bsc#1233012
- python-urllib3
-
- fix regression in CVE-2025-66471.patch when downloading large files
(bsc#1259829)
- rsync
-
- Security update:
- bsc#1234100, CVE-2024-12084: Heap Buffer Overflow in Checksum Parsing
- bsc#1234101, CVE-2024-12085: Info Leak via uninitialized Stack contents defeats ASLR
- bsc#1234102, CVE-2024-12086: server leaks arbitrary client files
- bsc#1234103, CVE-2024-12087: server can make client write files outside of destination directory using symbolic links
- bsc#1234104, CVE-2024-12088: --safe-links bypass
- bsc#1235475, CVE-2024-12747: Race Condition in rsync Handling Symbolic Links
- bsc#1254441, CVE-2025-10158: Out of bounds array access via negative index
- bsc#1262223, CVE-2026-41035: Count of entries mismatch can lead to a use-after-free
- bsc#1264511, CVE-2026-29518: Symlink-Race TOCTOU in Daemon (use chroot = no)
- bsc#1264515, CVE-2026-43617: Authorization Bypass via Hostname Resolution
- bsc#1264512, CVE-2026-43618: Integer Overflow Information Disclosure
- bsc#1264514, CVE-2026-43619: Symlink Race Condition via Path-Based Syscalls
- bsc#1264513, CVE-2026-43620: Out-of-Bounds Array Read via recv_files()
- bsc#1265296, CVE-2026-45232: Off-by-one stack OOB write in HTTP CONNECT proxy response parsing
- With the big security update mentioned above, we received a large number of hardening
patches that are prerequisites, which we added to this version:
- rsync-hardening-0001-Fix-warning-about-conflicting-lseek-lseek64-prototyp.patch
- rsync-hardening-0002-hlink-Fix-function-pointer-cast-in-qsort.patch
- rsync-hardening-0003-bool-is-a-keyword-in-C23.patch
- rsync-hardening-0004-Fix-warning-about-missing-bomb-.-prototype.patch
- rsync-hardening-0005-CVE-2024-12084-Some-checksum-buffer-fixes.patch
(replaces: rsync-CVE-2024-12084-overflow-01.patch)
- rsync-hardening-0006-CVE-2024-12084-Another-cast-when-multiplying-integers.patch
(replaces: rsync-CVE-2024-12084-overflow-02.patch)
- rsync-hardening-0007-CVE-2024-12085-prevent-information-leak-off-the-stack.patch
(replaces: rsync-CVE-2024-12085.patch)
- rsync-hardening-0008-CVE-2024-12086-refuse-fuzzy-options-when-fuzzy-not-selected.patch
(replaces: rsync-CVE-2024-12086_01.patch)
- rsync-hardening-0009-added-secure_relative_open.patch
(replaces: rsync-CVE-2024-12086_02.patch)
- rsync-hardening-0010-receiver-use-secure_relative_open-for-basis-file.patch
(replaces: rsync-CVE-2024-12086_03.patch)
- rsync-hardening-0011-disallow-.-elements-in-relpath-for-secure_relative_o.patch
(replaces: rsync-CVE-2024-12086_04.patch)
- rsync-hardening-0012-CVE-2024-12087-Refuse-a-duplicate-dirlist.patch
(replaces: rsync-CVE-2024-12087_01.patch)
- rsync-hardening-0013-CVE-2024-12087-range-check-dir_ndx-before-use.patch
(replaces: rsync-CVE-2024-12087_02.patch)
- rsync-hardening-0014-CVE-2024-12088-make-safe-links-stricter.patch
(replaces: rsync-CVE-2024-12088.patch)
- rsync-hardening-0015-CVE-2024-12747-fixed-symlink-race-condition-in-sender.patch
(replaces: rsync-CVE-2024-12747.patch)
- rsync-hardening-0016-syscall-fix-a-Y2038-bug-by-replacing-Int32x32To64-wi.patch
- rsync-hardening-0017-options.c-Fix-segv-if-poptGetContext-returns-NULL.patch
- rsync-hardening-0018-Using-a-correct-time-in-log-file.patch
- rsync-hardening-0019-configure.ac-check-for-xattr-support-both-in-libc-an.patch
(replaces: rsync-no-libattr.patch)
- rsync-hardening-0020-util-fixed-issue-in-clean_fname.patch
- rsync-hardening-0021-testsuite-added-clean-fname-underflow-test.patch
- rsync-hardening-0022-CVE-2025-10158-fixed-an-invalid-access-to-files-array.patch
(replaces: rsync-CVE-2025-10158.patch)
- rsync-hardening-0023-fix-uninitialized-buf1-in-get_checksum2-MD4-path.patch
- rsync-hardening-0024-reject-negative-token-values-in-compressed-stream-re.patch
- rsync-hardening-0025-acl-fixed-ACL-ID-mapping-for-non-root.patch
- rsync-hardening-0026-fix-uninitialized-mul_one-in-AVX2-checksum-and-add-S.patch
- rsync-hardening-0027-Fix-glibc-2.43-constness-warnings.patch
- rsync-hardening-0029-fix-signed-integer-overflow-in-proxy-protocol-v2-hea.patch
- rsync-hardening-0030-zero-all-new-memory-from-allocations.patch
- rsync-hardening-0031-CVE-2026-41035-xattrs-fixed-count-in-qsort.patch
- rsync-hardening-0032-call-tzset-before-chroot-to-cache-timezone-data.patch
- rsync-hardening-0033-testsuite-xattrs-ignore-SUNWattr_-in-the-Solaris-xls.patch
- rsync-hardening-0034-syscall-use-openat2-RESOLVE_BENEATH-on-Linux-for-sec.patch
- rsync-hardening-0035-syscall-also-use-O_RESOLVE_BENEATH-on-FreeBSD-and-Ma.patch
- rsync-hardening-0036-testsuite-skip-symlink-dirlink-basis-on-platforms-wi.patch
- rsync-hardening-0037-CVE-2026-29518-syscall-clientserver-am_chrooted-and-use_secure_syml.patch
- rsync-hardening-0038-CVE-2026-29518-sender-fix-read-path-TOCTOU-by-opening-from-module-r.patch
- rsync-hardening-0039-CVE-2026-43619-syscall-receiver-secure-receiver-side-do_chmod-again.patch
- rsync-hardening-0040-CVE-2026-43619-util1-secure-change_dir-against-symlink-race-chdir-e.patch
- rsync-hardening-0041-CVE-2026-43619-syscall-add-symlink-race-safe-do_-_at-wrappers-and-h.patch
- rsync-hardening-0042-CVE-2026-43619-util1-syscall-secure-copy_file-source-dest-opens-bar.patch
- rsync-hardening-0043-CVE-2026-43619-testsuite-end-to-end-regression-test-for-chdir-symli.patch
- rsync-hardening-0044-CVE-2026-43618-token-harden-compressed-token-decoding-against-integ.patch
- rsync-hardening-0045-CVE-2026-43618-testsuite-cover-refuse-options-compress-for-the-daem.patch
- rsync-hardening-0046-CVE-2026-43620-receiver-add-parent_ndx-0-guard-mirroring-797e17f.patch
- rsync-hardening-0047-CVE-2026-43617-clientserver-fix-hostname-ACL-bypass-when-using-daem.patch
- rsync-hardening-0048-CVE-2026-43618-defence-in-depth-bound-wire-supplied-counts-and-leng.patch
- rsync-hardening-0049-CVE-2026-43618-defence-in-depth-guard-cumulative-snprintf-against-l.patch
- rsync-hardening-0050-CVE-2026-43620-defence-in-depth-receiver-block-index-bounds-read_de.patch
- rsync-hardening-0052-exclude-fix-crashes-with-fortified-strlcpy.patch
(replaces: rsync-fortified-strlcpy-fix.patch)
- rsync-hardening-0053-testsuite-use-integer-sleep-in-clean-fname-underflow.patch
- rsync-hardening-0055-popt-fix-poptDupArgv-strlcpy-size-argument.patch
- rsync-hardening-0056-testsuite-fixes-for-3.2.7-backport.patch
- rsync-hardening-0057-rsync.h-lower-MAX_WIRE_DEL_STAT-to-avoid-signed-int-.patch
- rsync-hardening-0058-CVE-2026-45232-socket-reject-over-long-proxy-response-line.patch
- rsync-hardening-0059-main-reject-hyphen-prefixed-remote-shell-hostnames.patch
- rsync-hardening-0060-util1-handle-out-of-range-times-in-timestring.patch
- A few hardening patches were discarded, as they don't affect SUSE distributions:
- rsync-hardening-0028-zlib-convert-K-R-function-definitions-to-ANSI-style
(we don't bundle zlib, nothing to patch)
- rsync-hardening-0051-CI-added-workflows-from-master-for-backport-testing
(fixes CI Github Actions, not present in release tarballs)
- rsync-hardening-0054-ci-update-RSYNC_EXPECT_SKIPPED-for-3.2.7-backport-ba
(fixes CI Github Actions, not present in release tarballs)
- Rename rsync-fix-FLAG_GOT_DIR_FLIST.patch to rsync-fix-duplicate.patch to align codestreams.
- Security update (CVE-2026-41035, bsc#1262223): rsync: count of
entries mismatch can lead to a use-after-free
- Add rsync-CVE-2026-41035.patch
- vim
-
- Fix bsc#1261833 / CVE-2026-39881.
- Update to 9.2.0398.
- Changes:
* 9.2.0398: MS-Windows: missing strptime() support
* 9.2.0397: tabpanel: double-click opens a new tab
* 9.2.0396: tests: Test_error_callback_terminal is flaky on macOS
* 9.2.0395: tests: Test_backupskip() may read from $HOME
* 9.2.0394: xxd: offsets greater than LONG_MAX print as negative
* 9.2.0393: MS-Windows: link error with XPM support on UCRT64
* 9.2.0392: tests: Some tests are flaky
* 9.2.0391: tests: Comment in test_vim9_cmd breaks syntax highlighting
* 9.2.0390: filetype: some Beancount files are not recognized
* 9.2.0389: DECRQM still leaves stray "pp" on Apple Terminal.app
* 9.2.0388: strange indent in update_topline()
* 9.2.0387: DECRQM request may leave stray chars in terminal
* 9.2.0386: No scroll/scrollbar support in the tabpanel
* 9.2.0385: Integer overflow with "ze" and large 'sidescrolloff'
* 9.2.0384: stale Insstart after <Cmd> cursor move breaks undo
* 9.2.0383: [security]: runtime(netrw): shell-injection via sftp: and file: URLs
* 9.2.0382: Wayland: focus-stealing is non-working
* 9.2.0381: Vim9: Missing check_secure() in exec_instructions()
* 9.2.0380: completion: a few issues in completion code
* 9.2.0379: gui.color_approx is never used
* 9.2.0378: Using int as bool type in win_T struct
* 9.2.0377: Using int as bool type in gui_T struct
* 9.2.0376: Vim9: elseif condition compiled in dead branch
* 9.2.0375: prop_find() does not find a virt text in starting line
* 9.2.0374: c_CTRL-{G,T} does not handle offset
* 9.2.0373: Ctrl-R mapping not triggered during completion
* 9.2.0372: pum: rendering issues with multibyte text and opacity
* 9.2.0371: filetype: ghostty config files are not recognized
* 9.2.0370: duplicate code with literal string_T assignment
* 9.2.0369: multiple definitions of STRING_INIT macro
* 9.2.0368: too many strlen() calls when adding strings to dicts
* 9.2.0367: runtime(netrw): ~ not expanded on MS Windows
* 9.2.0366: pum: flicker when updating pum in place
* 9.2.0365: using int as bool
* 9.2.0364: tests: test_smoothscroll_textoff_showbreak() fails
* 9.2.0363: Vim9: variable shadowed by script-local function
* 9.2.0362: division by zero with smoothscroll and small windows
* 9.2.0361: tests: no tests for ch_listen() with IPs
* 9.2.0360: Cannot handle mouse-clicks in the tabpanel
* 9.2.0359: wrong VertSplitNC highlighting on winbar
* 9.2.0358: runtime(vimball): still path traversal attacks possible
* 9.2.0357: [security]: command injection via backticks in tag files
* 9.2.0356: Cannot apply 'scrolloff' context lines at end of file
* 9.2.0355: runtime(tar): missing path traversal checks in tar#Extract()
* 9.2.0354: filetype: not all Bitbake include files are recognized
* 9.2.0353: Missing out-of-memory check in register.c
* 9.2.0352: 'winhighlight' of left window blends into right window
* 9.2.0351: repeat_string() can be improved
* 9.2.0350: Enabling modelines poses a risk
* 9.2.0349: cannot style non-current window separator
* 9.2.0348: potential buffer underrun when setting statusline like option
* 9.2.0347: Vim9: script-local variable not found
* 9.2.0346: Wrong cursor position when entering command line window
* 9.2.0345: Wrong autoformatting with 'autocomplete'
* 9.2.0344: channel: ch_listen() can bind to network interface
* 9.2.0343: tests: test_clientserver may fail on slower systems
* 9.2.0342: tests: test_excmd.vim leaves swapfiles behind
* 9.2.0341: some functions can be run from the sandbox
* 9.2.0340: pum_redraw() may cause flicker
* 9.2.0339: regexp: nfa_regmatch() allocates and frees too often
* 9.2.0338: Cannot handle mouseclicks in the tabline
* 9.2.0337: list indexing broken on big-endian 32-bit platforms
* 9.2.0336: libvterm: no terminal reflow support
* 9.2.0335: json_encode() uses recursive algorithm
* 9.2.0334: GTK: window geometry shrinks with client-side decorations
* 9.2.0333: filetype: PklProject files are not recognized
* 9.2.0332: popup: still opacity rendering issues
* 9.2.0331: spellfile: stack buffer overflows in spell file generation
* 9.2.0330: tests: some patterns in tar and zip plugin tests not strict enough
* 9.2.0329: tests: test_indent.vim leaves swapfiles behind
* 9.2.0328: Cannot handle mouseclicks in the statusline
* 9.2.0327: filetype: uv scripts are not detected
* 9.2.0326: runtime(tar): bug with dotted path
* 9.2.0325: runtime(tar): bug in zstd handling
* 9.2.0324: 0x9b byte not unescaped in <Cmd> mapping
* 9.2.0323: filetype: buf.lock files are not recognized
* 9.2.0322: tests: test_popupwin fails
* 9.2.0321: MS-Windows: No OpenType font support
* 9.2.0320: several bugs with text properties
* 9.2.0319: popup: rendering issues with partially transparent popups
* 9.2.0318: cannot configure opacity for popup menu
* 9.2.0317: listener functions do not check secure flag
* 9.2.0316: [security]: command injection in netbeans interface via defineAnnoType
* 9.2.0315: missing bound-checks
* 9.2.0314: channel: can bind to all network interfaces
* 9.2.0313: Callback channel not registered in GUI
* 9.2.0312: C-type names are marked as translatable
* 9.2.0311: redrawing logic with text properties can be improved
* 9.2.0310: unnecessary work in vim_strchr() and find_term_bykeys()
* 9.2.0309: Missing out-of-memory check to may_get_cmd_block()
* 9.2.0308: Error message E1547 is wrong
* 9.2.0307: more mismatches between return types and documentation
* 9.2.0306: runtime(tar): some issues with lz4 support
* 9.2.0305: mismatch between return types and documentation
* 9.2.0304: tests: test for 9.2.0285 doesn't always fail without the fix
* 9.2.0303: tests: zip plugin tests don't check for warning message properly
* 9.2.0302: runtime(netrw): RFC2396 decoding double escaping spaces
* 9.2.0301: Vim9: void function return value inconsistent
* 9.2.0300: The vimball plugin needs some love
* 9.2.0299: runtime(zip): may write using absolute paths
* 9.2.0298: Some internal variables are not modified
* 9.2.0297: libvterm: can improve CSI overflow code
* 9.2.0296: Redundant and incorrect integer pointer casts in drawline.c
* 9.2.0295: 'showcmd' shows wrong Visual block size with 'linebreak'
* 9.2.0294: if_lua: lua interface does not work with lua 5.5
* 9.2.0293: :packadd may lead to heap-buffer-overflow
* 9.2.0292: E340 internal error when using method call on void value
* 9.2.0291: too many strlen() calls
* 9.2.0290: Amiga: no support for AmigaOS 3.x
* 9.2.0289: 'linebreak' may lead to wrong Visual block highlighting
* 9.2.0288: libvterm: signed integer overflow parsing long CSI args
* 9.2.0287: filetype: not all ObjectScript routines are recognized
* 9.2.0286: still some unnecessary (int) casts in alloc()
* 9.2.0285: :syn sync grouphere may go beyond end of line
* 9.2.0284: tabpanel: crash when tabpanel expression returns variable line count
* 9.2.0283: unnecessary (int) casts before alloc() calls
* 9.2.0282: tests: Test_viminfo_len_overflow() fails
* 9.2.0281: tests: Test_netrw_FileUrlEdit.. fails on Windows