- kernel-default
-
- kernel-binary: Only apply vmlinux workaround on SLE15 and later
To create debuginfo for vmlinux the file needs to be present even if
it's not packaged because a compressed file is packaged instead.
To accomplish that the file is marked as ghost in the file list. Then
rpm does not complain that the file exists but does not package it.
However, rpm still reserves space for ghost files when installing a
package. To avoid reserving space for a file that is not used the file
is truncated.
That works on SLE 15 but on SLE 12 rpm then fails packaging the
debuginfo complaining that extra debuginfo files are present. Limit the
workaround to SLE 15 and later.
Fixes: 222edac2a18 (kernel-binary: prevent uncompressed vmlinux from inflating rpm size requirements)
- commit 1ef7451
- scsi: target: iscsi: validate CHAP_R length before base64 decode
(bsc#1265449).
- commit 9997c88
- net: mana: Fix crash from unvalidated SHM offset read from BAR0 during FLR (bsc#1265846).
- net: mana: remove double CQ cleanup in mana_create_rxq error path (git-fixes).
- net: mana: Skip WQ object destruction for uninitialized RXQ (git-fixes).
- net: mana: check xdp_rxq registration before unreg in mana_destroy_rxq() (git-fixes).
- RDMA/mana: Fix error unwind in mana_ib_create_qp_rss() (git-fixes).
- RDMA/mana: Fix mana_destroy_wq_obj() cleanup in mana_ib_create_qp_rss() (git-fixes).
- RDMA/mana: Remove user triggerable WARN_ON() in mana_ib_create_qp_rss() (git-fixes).
- RDMA/mana: Validate rx_hash_key_len (git-fixes).
- hv_sock: fix ARM64 support (git-fixes).
- commit 18c2af9
- Kernel-binary: Do not truncate vmlinux when it's the boot image
Some architectures use vmlinux to boot. Truncating vmlinux on those
architectures causes signing failure during build. Also if the signing
was disabled a broken kernel would be produced.
Fixes: 222edac2a18 (kernel-binary: prevent uncompressed vmlinux from inflating rpm size requirements)
- commit d3cf603
- perf: Fix __perf_event_overflow() vs perf_remove_from_context()
race (bsc#1260018 CVE-2026-23271).
- commit d05430f
- kernel-binary: prevent uncompressed vmlinux from inflating rpm size requirements
define %__spec_install_post to truncate the uncompressed vmlinux
to 0 bytes after find-debuginfo.sh and brp-* scripts run. This prevents
rpmbuild from baking the %ghost file size into the FILESIZES
header, which can cause installation failures on smaller /boot partitions.
Fixes: bsc#1265456
- commit 222edac
- net/rds: reset op_nents when zerocopy page pin fails
(bsc#1265626, CVE-2026-43494).
- net/rds: reset op_nents when zerocopy page pin fails
(bsc#1265626).
- commit b66d9fc
- perf: Make sure to use pmu_ctx->pmu for groups (bsc#1263001
CVE-2026-31528).
- commit 2f72854
- net/sched: fix pedit partial COW leading to page cache corruption
(bsc#1265421).
- commit a756c69
- RDMA/irdma: Fix double free related to rereg_user_mr (CVE-2026-43120)
- commit c514796
- libevent
-
- Disable the select backend, this can be easily done by lying
to configure. This is done due to:
* using fd number > 1024 on an fd_set results in a runtime
fortify source assertion, preventing further doom.
* select will not be changed to handle fd > 1024.
* this limit is unreasonably low for this century.
- Drop insserv_prereq and fillup_prereq macros: there are no
pre-scripts that would justify these dependencies.
- Update to 2.1.12 stable
* buffer: do not pass NULL to memcpy() from evbuffer_pullup()
* http: fix undefined-shift in EVUTIL_IS*_ helpers
* Check error code of evhttp_add_header_internal() in
evhttp_parse_query_impl()
* http: fix EVHTTP_CON_AUTOFREE in case of timeout
* evdns: Add additional validation for values of dns options
* Fix memory corruption in EV_CLOSURE_EVENT_FINALIZE with debug enabled
* increase segment refcnt only if evbuffer_add_file_segment() succeeds
* evdns: fix a crash when evdns_base with waiting requests is freed
* event_base_once: fix potential null pointer threat
* http: do not assume body for CONNECT
* evbuffer_add_file: fix freeing of segment in the error path
* Fix checking return value of the evdns_base_resolv_conf_parse()
* Support EV_CLOSED on linux for poll(2)
* Parse IPv6 scope IDs.
* evutil_time: detect and use _gmtime64_s()/_gmtime64()
* bufferevent: allow setting priority on socket and openssl type
* Fix EV_CLOSED detection/reporting
* Revert "Warn if forked from the event loop during event_reinit()"
- Add upstream patches with the feature of "prepare" and "check"
watchers. That feature is needed by envoy-proxy:
* 0001-evwatch-Add-prepare-and-check-watchers.patch
* 0002-evwatch-fix-race-condition.patch
- Update to 2.1.11 stable
* Fix ABI breakage that had been introduced in 2.1.10. Strictly speaking
this release breaks ABI again to make it compatible with <= 2.1.9.
+ See git commit 18104973 for more details
* evdns: add new options -- so-rcvbuf/so-sndbuf
* various autotools and cmake build changes
* buffer: fix possible NULL dereference in evbuffer_setcb() on ENOMEM
* Warn if forked from the event loop during event_reinit()
* evutil: set the have_checked_interfaces in evutil_check_interfaces()
* https-client: correction error checking
- Use FAT LTO objects in order to provide proper static library.
- Fix name of library package (bsc#1138369)
- Update to 2.1.10 stable
* evdns: add DNS_OPTION_NAMESERVERS_NO_DEFAULT /
EVDNS_BASE_NAMESERVERS_NO_DEFAULT
* Add support for EV_TIMEOUT to event_base_active_by_fd
* kqueue: Avoid undefined behaviour.
* Prevent integer overflow in kq_build_changes_list.
* evdns: fix lock/unlock mismatch in evdns_close_server_port()
* Protect min_heap_push_ against integer overflow.
* le-proxy: initiate use of the Winsock DLL
* Fix leaks in error path of the bufferevent_init_common_()
* buffer: make evbuffer_prepend() of zero-length array no-op
* Don't lose top error in SSL
* Remove needless check for arc4_seeded_ok
* Cleanup __func__ detection
* Add convenience macros for user-triggered events
* Notify event base if there are no more events, so it can exit without
delay
* Fix base unlocking in event_del() if event_base_set() ran in another
thread
* If precise_time is false, we should not set EVENT_BASE_FLAG_PRECISE_TIMER
* Fix race in access to ev_res from event loop with event_active()
* Return from event_del() after the last event callback termination
* Preserve socket error from listen across closesocket cleanup
* fix connection retries when there more than one request for connection
* improve error path for bufferevent_{setfd,enable,disable}()
* Fix conceivable UAF of the bufferevent in evhttp_connection_free()
* Fix evhttp_connection_get_addr() for incoming http connections
* fix leaks in evhttp_uriencode()
* CONNECT method only takes an authority
* Allow bodies for GET/DELETE/OPTIONS/CONNECT
* Do not crash when evhttp_send_reply_start() is called after a timeout.
* Fix crashing http server when callback do not reply in place
* fix handling of close_notify (ssl) in http with openssl bufferevents
* use *_new_with_arg() to match function prototype
* avoid NULL dereference on request is not EVHTTP_REQ_POST
* bufferevent_socket_connect{,_hostname}() missing event callback and use
ret code
* don't fail be_null_filter if bytes are copied
* Call underlying bev ctrl GET_FD on filtered bufferevents
* be_openssl: avoid leaking of SSL structure
* Add missing includes into openssl-compat.h
* Explicitly call SSL_clear when resetting the fd.
* sample/https-client: use host SSL certificate store by default
* ipv6only socket bind support
* evdns: handle NULL filename explicitly
* Fix assert() condition in evbuffer_drain() for IOCP
* fix incorrect unlock of the buffer mutex (for deferred callbacks)
* Fix wrong assert in evbuffer_drain()
* Port `event_rpcgen.py` and `test/check-dumpevents.py` to Python 3.
- rename python2-shebang.patch -> python3-shebang.patch following port
- Make use of %license macro
- Add devel-static package, which is needed for building Envoy
(https://www.envoyproxy.io/) and Cilium with Envoy integration
- Fix an error about /usr/bin/env shebang in event_rpcgen.py
* python2-shebang.patch
- gnutls
-
- Security fixes:
* CVE-2026-33846: buffers: add more checks to DTLS reassembly (bsc#1263705)
* CVE-2026-42009: lib/buffers: ensure packets have differing sequence numbers (bsc#1263708)
* CVE-2026-33845: buffers: switch from end_offset over to frag_length (bsc#1263704)
* CVE-2026-42010: lib/auth/rsa_psk: fix binary PSK identity lookup (bsc#1263709)
* CVE-2026-3833: x509/name-constraints: compare domain names case-insensitive (bsc#1263707)
* CVE-2026-42011: x509/name_constraints: fix intersecting empty constraints (bsc#1263710)
* CVE-2026-42012: x509/hostname-verify: make URI/SRV SAN preclude CN fallback (bsc#1263711)
* CVE-2026-42013: x509: prevent fallback on oversized SAN (bsc#1263712)
* CVE-2026-42014: pkcs11_write: fix UAF and leak in gnutls_pkcs11_token_set_pin (bsc#1263713)
* CVE-2026-42015: x509/pkcs12_bag: fix off-by-one in bag element bounds check (bsc#1263714)
* CVE-2026-5260: lib/pkcs11_privkey: guard against overreading on short ciphertexts (bsc#1263715)
* CVE-2026-5419: gnutls_cipher_decrypt3: make PKCS#7 unpadding branch free (bsc#1263716)
* Add patches:
gnutls-CVE-2026-33846.patch gnutls-CVE-2026-42009.patch
gnutls-CVE-2026-33845.patch gnutls-CVE-2026-42010.patch
gnutls-CVE-2026-3833.patch gnutls-CVE-2026-42011.patch
gnutls-CVE-2026-42012.patch gnutls-CVE-2026-42013.patch
gnutls-CVE-2026-42014.patch gnutls-CVE-2026-5260.patch
gnutls-CVE-2026-42015.patch gnutls-CVE-2026-5419.patch
- xz
-
- Fix buffer overflow in lzma_index_append (bsc#1261280, CVE-2026-34743)
* CVE-2026-34743.patch
- Change SUSE-Public-Domain license to LicenseRef-SUSE-Public-Domain to
fix rpmlint errors
- openssl-1_1
-
- bsc#1250782 Fix 30-test_fips_sli.t fails intermittently on s390x:
Fix AES_GCM IV test sometimes failing on s390x.
* Add openssl-fix-fips-slitest-s390x.patch
- python-certifi
-
- Add python36-certifi provides/obsoletes to enable SLE-12 ->
SLE-15 migration, bsc#1233012
- python-idna
-
- Add python36-idna provides/obsoletes to enable SLE-12 ->
SLE-15 migration, bsc#1233012
- python-packaging
-
- Add python36-packaging provides/obsoletes to enable SLE-12 ->
SLE-15 migration, bsc#1233012
- python-pycparser
-
- Add python36-pycparser provides/obsoletes to enable SLE-12 ->
SLE-15 migration, bsc#1233012
- python-py
-
- Add python36-py provides/obsoletes to enable SLE-12 ->
SLE-15 migration, bsc#1233012
- python-six
-
- Add python36-six provides/obsoletes to enable SLE-12 ->
SLE-15 migration, bsc#1233012
- python-urllib3
-
- CVE-2026-44431: sensitive information disclosure due to sensitive
headers being forwarded across origins in proxied low-level redirects
(bsc#1265267)
Add patch CVE-2026-44431.patch
- fix regression in CVE-2025-66471.patch when downloading large files
(bsc#1259829)
- samba
-
- CVE-2026-4480: Fix Unauthenticated Remote Code Execution;
(bso#16033); (bsc#1261161).
- CVE-2026-4408: Fix Remote Code Execution in SAMR;(bso#16034);
(bsc#1261163).
- CVE-2026-3238: Fix unauthenticated udp packet crashes AD DC
nbt server; (bso#16012); (bsc#1261160).
- CVE-2026-3012: Fix CVE-2026-3012 group policy certificate
enrollment using http:// without validation;(bso#16003);
(bsc#1261159).
- CVE-2026-2340: vfs_worm does not block directory modification;
(bso#15997); (bsc#1261158).
- xen
-
- bsc#1264066 - VUL-0: CVE-2025-54518: xen: AMD-SN-7052: CPU OP
Cache Corruption
xsa490.patch
- bsc#1262428 - VUL-0: CVE-2025-54505: xen: Floating Point Divider
State Sampling on AMD CPUs AMD-SN-7053 (XSA-488)
xsa488.patch
- bsc#1262178 - VUL-0: CVE-2026-23557: xen: Xenstored DoS via
XS_RESET_WATCHES command (XSA-484)
xsa484.patch
- bsc#1262180 - VUL-0: CVE-2026-23558: xen: grant table v2 race in
status page mapping (XSA-486)
xsa486.patch