- 000release-packages:SUSE-MicroOS-release
-
n/a
- boost
-
- CVE-2016-9840: fixed out-of-bounds pointer arithmetic in zlib in beast
(bsc#1245936)
- adds patch boost-zlib.patch
- coreutils
-
- coreutils-9.7-sort-CVE-2025-5278.patch: Add upstream patch:
sort with key character offsets of SIZE_MAX, could induce
a read of 1 byte before an allocated heap buffer.
(CVE-2025-5278, bsc#1243767)
- docker
-
[ This update is a no-op, only needed to work around unfortunate automated
packaging script behaviour on SLES. ]
- The following patches were removed in openSUSE in the Docker 28.1.1-ce
update, but the patch names were later renamed in a SLES-only update before
Docker 28.1.1-ce was submitted to SLES.
This causes the SLES build scripts to refuse the update because the patches
are not referenced in the changelog. There is no obvious place to put the
patch removals (the 28.1.1-ce update removing the patches chronologically
predates their renaming in SLES), so they are included here a dummy changelog
entry to work around the issue.
- 0007-CVE-2025-22868-vendor-jws-split-token-into-fixed-num.patch
- 0008-CVE-2025-22869-vendor-ssh-limit-the-size-of-the-inte.patch
- Update to docker-buildx v0.25.0. Upstream changelog:
<https://github.com/docker/buildx/releases/tag/v0.25.0>
- Do not try to inject SUSEConnect secrets when in Rootless Docker mode, as
Docker does not have permission to access the host zypper credentials in this
mode (and unprivileged users cannot disable the feature using
/etc/docker/suse-secrets-enable.) bsc#1240150
* 0003-SECRETS-SUSE-implement-SUSE-container-secrets.patch
- Rebase patches:
* 0001-SECRETS-SUSE-always-clear-our-internal-secrets.patch
* 0002-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
* 0004-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch
* 0005-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
* 0006-SLE12-revert-apparmor-remove-version-conditionals-fr.patch
- Always clear SUSEConnect suse_* secrets when starting containers regardless
of whether the daemon was built with SUSEConnect support. Not doing this
causes containers from SUSEConnect-enabled daemons to fail to start when
running with SUSEConnect-disabled (i.e. upstream) daemons.
This was a long-standing issue with our secrets support but until recently
this would've required migrating from SLE packages to openSUSE packages
(which wasn't supported). However, as SLE Micro 6.x and SLES 16 will move
away from in-built SUSEConnect support, this is now a practical issue users
will run into. bsc#1244035
+ 0001-SECRETS-SUSE-always-clear-our-internal-secrets.patch
- Rearrange patches:
- 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
+ 0002-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
- 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
+ 0003-SECRETS-SUSE-implement-SUSE-container-secrets.patch
- 0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch
+ 0004-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch
- 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
+ 0005-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
- 0005-SLE12-revert-apparmor-remove-version-conditionals-fr.patch
+ 0006-SLE12-revert-apparmor-remove-version-conditionals-fr.patch
[NOTE: This update was only ever released in SLES and Leap.]
- Always clear SUSEConnect suse_* secrets when starting containers regardless
of whether the daemon was built with SUSEConnect support. Not doing this
causes containers from SUSEConnect-enabled daemons to fail to start when
running with SUSEConnect-disabled (i.e. upstream) daemons.
This was a long-standing issue with our secrets support but until recently
this would've required migrating from SLE packages to openSUSE packages
(which wasn't supported). However, as SLE Micro 6.x and SLES 16 will move
away from in-built SUSEConnect support, this is now a practical issue users
will run into. bsc#1244035
+ 0001-SECRETS-SUSE-always-clear-our-internal-secrets.patch
- Rearrange patches:
- 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
+ 0002-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
- 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
+ 0003-SECRETS-SUSE-implement-SUSE-container-secrets.patch
- 0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch
+ 0004-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch
- 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
+ 0005-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
- 0005-SLE12-revert-apparmor-remove-version-conditionals-fr.patch
+ 0006-SLE12-revert-apparmor-remove-version-conditionals-fr.patch
- 0006-CVE-2025-22868-vendor-jws-split-token-into-fixed-num.patch
+ 0007-CVE-2025-22868-vendor-jws-split-token-into-fixed-num.patch
- 0007-CVE-2025-22869-vendor-ssh-limit-the-size-of-the-inte.patch
+ 0008-CVE-2025-22869-vendor-ssh-limit-the-size-of-the-inte.patch
- Update to Docker 28.2.2-ce. See upstream changelog online at
<https://github.com/moby/moby/releases/tag/v28.2.2>
- Rebase patches:
* 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
* 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
* 0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch
* 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
* 0005-SLE12-revert-apparmor-remove-version-conditionals-fr.patch
- Update to Docker 28.2.1-ce. See upstream changelog online at
<https://docs.docker.com/engine/release-notes/28/#2820> bsc#1243833
<https://github.com/moby/moby/releases/tag/v28.2.1>
- Rebase patches:
* 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
* 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
* 0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch
* 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
* 0005-SLE12-revert-apparmor-remove-version-conditionals-fr.patch
- Update to docker-buildx v0.24.0. Upstream changelog:
<https://github.com/docker/buildx/releases/tag/v0.24.0>
- Update to Docker 28.1.1-ce. See upstream changelog online at
<https://docs.docker.com/engine/release-notes/28/#2811> bsc#1242114
Includes upstream fixes:
- CVE-2025-22872 bsc#1241830
- Remove long-outdated build handling for deprecated and unsupported
devicemapper and AUFS storage drivers. AUFS was removed in v24, and
devicemapper was removed in v25.
<https://docs.docker.com/engine/deprecated/#aufs-storage-driver>
- Rebase patches:
* 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
* 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
* 0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch
* 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
* 0005-SLE12-revert-apparmor-remove-version-conditionals-fr.patch
- Remove upstreamed patches:
- 0006-CVE-2025-22868-vendor-jws-split-token-into-fixed-num.patch
- 0007-CVE-2025-22869-vendor-ssh-limit-the-size-of-the-inte.patch
- cli-0001-docs-include-required-tools-in-source-tree.patch
- Update to docker-buildx v0.23.0. Upstream changelog:
<https://github.com/docker/buildx/releases/tag/v0.23.0>
- Update to docker-buildx v0.22.0. Upstream changelog:
<https://github.com/docker/buildx/releases/tag/v0.22.0>
* Includes fixes for CVE-2025-0495. bsc#1239765
- Disable transparent SUSEConnect support for SLE-16. PED-12534
When this patchset was first added in 2013 (and rewritten over the years),
there was no upstream way to easily provide SLE customers with a way to build
container images based on SLE using the host subscription. However, with
docker-buildx you can now define secrets for builds (this is not entirely
transparent, but we can easily document this new requirement for SLE-16).
Users should use
RUN --mount=type=secret,id=SCCcredentials zypper -n ...
in their Dockerfiles, and
docker buildx build --secret id=SCCcredentials,src=/etc/zypp/credentials.d/SCCcredentials,type=file .
when doing their builds.
- Now that the only blocker for docker-buildx support was removed for SLE-16,
enable docker-buildx for SLE-16 as well. PED-8905
- transactional-update
-
- Build with PIE enabled [bsc#1239954]
- kernel-default
-
- scsi: storvsc: Increase the timeouts to storvsc_timeout
(bsc#1245455).
- scsi: storvsc: Don't report the host packet status as the hv
status (git-fixes).
- commit a5f8a2c
- firmware: arm_scpi: Ensure scpi_info is not assigned if the
probe fails (CVE-2022-50087 bsc#1245119).
- commit ed98a38
- Update
patches.suse/0012-dm-thin-fix-use-after-free-crash-in-dm_sm_register_t.patch
(git-fixes CVE-2022-50092 bsc#1244848).
- Update
patches.suse/0014-dm-raid-fix-address-sanitizer-warning-in-raid_status.patch
(git-fixes CVE-2022-50084 bsc#1245117).
- Update
patches.suse/0023-loop-Check-for-overflow-while-configuring-loop.patch
(git-fixes CVE-2022-49993 bsc#1245121).
- Update
patches.suse/0025-drivers-md-fix-a-potential-use-after-free-bug.patch
(git-fixes CVE-2022-50022 bsc#1245131).
- Update
patches.suse/ALSA-bcd2000-Fix-a-UAF-bug-on-the-error-path-of-prob.patch
(git-fixes CVE-2022-50229 bsc#1244856).
- Update
patches.suse/ASoC-SOF-debug-Fix-potential-buffer-overflow-by-snpr.patch
(git-fixes CVE-2022-50051 bsc#1245041).
- Update
patches.suse/ASoC-mt6797-mt6351-Fix-refcount-leak-in-mt6797_mt635.patch
(git-fixes CVE-2022-50124 bsc#1244816).
- Update
patches.suse/HID-cp2112-prevent-a-buffer-overflow-in-cp2112_xfer.patch
(git-fixes CVE-2022-50156 bsc#1244782).
- Update
patches.suse/HID-hidraw-fix-memory-leak-in-hidraw_release.patch
(git-fixes CVE-2022-49981 bsc#1245072).
- Update
patches.suse/HID-steam-Prevent-NULL-pointer-dereference-in-steam_.patch
(git-fixes CVE-2022-49984 bsc#1244950).
- Update
patches.suse/Input-iforce-wake-up-after-clearing-IFORCE_XMIT_RUNN.patch
(git-fixes CVE-2022-49954 bsc#1244976).
- Update
patches.suse/NFSv4-pnfs-Fix-a-use-after-free-bug-in-open.patch
(git-fixes CVE-2022-50072 bsc#1244979).
- Update
patches.suse/PCI-dwc-Deallocate-EPC-memory-on-dw_pcie_ep_init-err.patch
(git-fixes CVE-2022-50146 bsc#1244788).
- Update
patches.suse/RDMA-qedr-Fix-potential-memory-leak-in-__qedr_alloc_.patch
(git-fixes CVE-2022-50138 bsc#1244797).
- Update
patches.suse/RDMA-rxe-Fix-error-unwind-in-rxe_create_qp.patch
(git-fixes CVE-2022-50127 bsc#1244815).
- Update
patches.suse/RDMA-siw-Fix-duplicated-reported-IW_CM_EVENT_CONNECT.patch
(git-fixes CVE-2022-50136 bsc#1244804).
- Update
patches.suse/ceph-don-t-leak-snap_rwsem-in-handle_cap_grant.patch
(bsc#1202810 CVE-2022-50059 bsc#1245031).
- Update
patches.suse/clk-qcom-ipq8074-dont-disable-gcc_sleep_clk_src.patch
(git-fixes CVE-2022-50029 bsc#1245146).
- Update
patches.suse/crypto-arm64-poly1305-fix-a-read-out-of-bound.patch
(git-fixes CVE-2022-50231 bsc#1244853).
- Update
patches.suse/driver-core-fix-potential-deadlock-in-__driver_attac.patch
(git-fixes CVE-2022-50149 bsc#1244883).
- Update
patches.suse/drm-mcde-Fix-refcount-leak-in-mcde_dsi_bind.patch
(git-fixes CVE-2022-50176 bsc#1244902).
- Update
patches.suse/drm-meson-Fix-refcount-bugs-in-meson_vpu_has_availab.patch
(git-fixes CVE-2022-50038 bsc#1244943).
- Update
patches.suse/drm-msm-mdp5-Fix-global-state-lock-backoff.patch
(git-fixes CVE-2022-50173 bsc#1244992).
- Update
patches.suse/drm-radeon-fix-potential-buffer-overflow-in-ni_set_m.patch
(git-fixes CVE-2022-50185 bsc#1244887).
- Update
patches.suse/drm-sun4i-dsi-Prevent-underflow-when-computing-packe.patch
(git-fixes CVE-2022-50036 bsc#1244941).
- Update
patches.suse/ext4-avoid-resizing-to-a-partial-cluster-size.patch
(bsc#1206880 CVE-2022-50020 bsc#1245129).
- Update
patches.suse/fbdev-fb_pm2fb-Avoid-potential-divide-by-zero-error.patch
(git-fixes CVE-2022-49978 bsc#1245195).
- Update
patches.suse/ftrace-Fix-NULL-pointer-dereference-in-is_ftrace_trampoline-when-ftrace-is-dead.patch
(git-fixes CVE-2022-49977 bsc#1244936).
- Update patches.suse/gadgetfs-ep_io-wait-until-IRQ-finishes.patch
(git-fixes CVE-2022-50028 bsc#1245135).
- Update
patches.suse/hwmon-gpio-fan-Fix-array-out-of-bounds-access.patch
(git-fixes CVE-2022-49945 bsc#1244908).
- Update
patches.suse/ieee802154-adf7242-defer-destroy_workqueue-call.patch
(git-fixes CVE-2022-49968 bsc#1244959).
- Update
patches.suse/iio-light-isl29028-Fix-the-warning-in-isl29028_remov.patch
(git-fixes CVE-2022-50218 bsc#1244861).
- Update
patches.suse/intel_th-Fix-a-resource-leak-in-an-error-handling-pa.patch
(git-fixes CVE-2022-50143 bsc#1244790).
- Update patches.suse/intel_th-msu-Fix-vmalloced-buffers.patch
(git-fixes CVE-2022-50142 bsc#1244796).
- Update
patches.suse/iommu-vt-d-avoid-invalid-memory-access-via-node_online-NUMA_NO_N
(git-fixes CVE-2022-50093 bsc#1244849).
- Update
patches.suse/jbd2-fix-assertion-jh-b_frozen_data-NULL-failure-whe.patch
(bsc#1202716 CVE-2022-50126 bsc#1244813).
- Update
patches.suse/locking-csd_lock-Change-csdlock_debug-from-early_par.patch
(git-fixes CVE-2022-50091 bsc#1244885).
- Update patches.suse/md-call-__md_stop_writes-in-md_stop.patch
(git-fixes CVE-2022-49987 bsc#1245024).
- Update patches.suse/md-raid10-fix-KASAN-warning.patch (git-fixes
CVE-2022-50211 bsc#1245140).
- Update patches.suse/memstick-ms_block-Fix-a-memory-leak.patch
(git-fixes CVE-2022-50140 bsc#1244793).
- Update
patches.suse/meson-mx-socinfo-Fix-refcount-leak-in-meson_mx_socin.patch
(git-fixes CVE-2022-50209 bsc#1244868).
- Update
patches.suse/mfd-max77620-Fix-refcount-leak-in-max77620_initialis.patch
(git-fixes CVE-2022-50108 bsc#1244834).
- Update
patches.suse/misc-fastrpc-fix-memory-corruption-on-open.patch
(git-fixes CVE-2022-49950 bsc#1244958).
- Update
patches.suse/misc-fastrpc-fix-memory-corruption-on-probe.patch
(git-fixes CVE-2022-49952 bsc#1244945).
- Update
patches.suse/mmc-sdhci-of-esdhc-Fix-refcount-leak-in-esdhc_signal.patch
(git-fixes CVE-2022-50141 bsc#1244794).
- Update
patches.suse/msft-hv-2639-scsi-storvsc-Remove-WQ_MEM_RECLAIM-from-storvsc_erro.patch
(git-fixes CVE-2022-49986 bsc#1244948).
- Update
patches.suse/mt76-mt76x02u-fix-possible-memory-leak-in-__mt76x02u.patch
(git-fixes CVE-2022-50172 bsc#1244764).
- Update
patches.suse/mtd-maps-Fix-refcount-leak-in-ap_flash_init.patch
(git-fixes CVE-2022-50160 bsc#1244776).
- Update
patches.suse/mtd-maps-Fix-refcount-leak-in-of_flash_probe_versati.patch
(git-fixes CVE-2022-50161 bsc#1244774).
- Update
patches.suse/mtd-partitions-Fix-refcount-leak-in-parse_redboot_of.patch
(git-fixes CVE-2022-50158 bsc#1244779).
- Update
patches.suse/netfilter-nf_tables-do-not-allow-CHAIN_ID-to-refer-t.patch
(CVE-2022-2586 bsc#1202095 CVE-2022-50212 bsc#1244869).
- Update
patches.suse/pinctrl-nomadik-Fix-refcount-leak-in-nmk_pinctrl_dt_.patch
(git-fixes CVE-2022-50061 bsc#1245033).
- Update
patches.suse/powerpc-64-Init-jump-labels-before-parse_early_param.patch
(bsc#1065729 CVE-2022-50012 bsc#1245125).
- Update patches.suse/powerpc-pci-Fix-get_phb_number-locking.patch
(bsc#1065729 CVE-2022-50045 bsc#1244967).
- Update
patches.suse/powerpc-perf-Optimize-clearing-the-pending-PMI-and-r.patch
(bsc#1156395 CVE-2022-50118 bsc#1244825).
- Update
patches.suse/powerpc-xive-Fix-refcount-leak-in-xive_get_max_prio.patch
(fate#322438 git-fixess CVE-2022-50104 bsc#1244836).
- Update
patches.suse/regulator-of-Fix-refcount-leak-bug-in-of_get_regulat.patch
(git-fixes CVE-2022-50191 bsc#1244899).
- Update
patches.suse/s390-fix-double-free-of-GS-and-RI-CBs-on-fork-failure
(git-fixes CVE-2022-49990 bsc#1245006).
- Update
patches.suse/scsi-lpfc-Fix-possible-memory-leak-when-failing-to-i.patch
(bsc#1201956 CVE-2022-50027 bsc#1245073).
- Update
patches.suse/scsi-lpfc-Prevent-buffer-overflow-crashes-in-debugfs.patch
(bsc#1201956 CVE-2022-50030 bsc#1245265).
- Update
patches.suse/scsi-qla2xxx-fix-crash-due-to-stale-srb-access-around-i-o-timeouts.patch
(bsc#1201160 CVE-2022-50098 bsc#1244841).
- Update
patches.suse/scsi-sg-Allow-waiting-for-commands-to-complete-on-removed-device.patch
(git-fixes CVE-2022-50215 bsc#1245138).
- Update
patches.suse/spmi-trace-fix-stack-out-of-bound-access-in-SPMI-tracing-functions.patch
(git-fixes CVE-2022-50094 bsc#1244851).
- Update
patches.suse/tty-serial-Fix-refcount-leak-bug-in-ucc_uart.c.patch
(git-fixes CVE-2022-50019 bsc#1245098).
- Update
patches.suse/tty-vt-initialize-unicode-screen-buffer.patch
(git-fixes CVE-2022-50222 bsc#1245136).
- Update
patches.suse/usb-host-Fix-refcount-leak-in-ehci_hcd_ppc_of_probe.patch
(git-fixes CVE-2022-50153 bsc#1244786).
- Update
patches.suse/usb-host-ohci-ppc-of-Fix-refcount-leak-bug.patch
(git-fixes CVE-2022-50033 bsc#1245139).
- Update
patches.suse/usb-ohci-nxp-Fix-refcount-leak-in-ohci_hcd_nxp_probe.patch
(git-fixes CVE-2022-50152 bsc#1244783).
- Update patches.suse/usb-renesas-Fix-refcount-leak-bug.patch
(git-fixes CVE-2022-50032 bsc#1245103).
- Update
patches.suse/usbnet-Fix-linkwatch-use-after-free-on-disconnect.patch
(git-fixes CVE-2022-50220 bsc#1245348).
- Update
patches.suse/video-fbdev-amba-clcd-Fix-refcount-leak-bugs.patch
(git-fixes CVE-2022-50109 bsc#1244884).
- Update
patches.suse/video-fbdev-arkfb-Check-the-size-of-screen-before-me.patch
(git-fixes CVE-2022-50099 bsc#1244842).
- Update
patches.suse/video-fbdev-arkfb-Fix-a-divide-by-zero-bug-in-ark_se.patch
(git-fixes CVE-2022-50102 bsc#1244838).
- Update
patches.suse/video-fbdev-i740fb-Check-the-argument-of-i740_calc_v.patch
(git-fixes CVE-2022-50010 bsc#1245122).
- Update
patches.suse/video-fbdev-s3fb-Check-the-size-of-screen-before-mem.patch
(git-fixes CVE-2022-50097 bsc#1244845).
- Update
patches.suse/video-fbdev-vt8623fb-Check-the-size-of-screen-before.patch
(git-fixes CVE-2022-50101 bsc#1244839).
- Update
patches.suse/virtio-gpu-fix-a-missing-check-to-avoid-NULL-derefer.patch
(git-fixes CVE-2022-50181 bsc#1244901).
- Update
patches.suse/virtio_net-fix-memory-leak-inside-XPD_TX-with-mergea.patch
(git-fixes CVE-2022-50065 bsc#1244986).
- Update
patches.suse/vt-Clear-selection-before-changing-the-font.patch
(git-fixes CVE-2022-49948 bsc#1245058).
- Update
patches.suse/wifi-iwlwifi-mvm-fix-double-list_add-at-iwl_mvm_mac_.patch
(git-fixes CVE-2022-50164 bsc#1244770).
- Update
patches.suse/wifi-libertas-Fix-possible-refcount-leak-in-if_usb_p.patch
(git-fixes CVE-2022-50162 bsc#1244773).
- Update
patches.suse/wifi-mac80211-Don-t-finalize-CSA-in-IBSS-mode-if-sta.patch
(git-fixes CVE-2022-49942 bsc#1244881).
- Update
patches.suse/wifi-mac80211-Fix-UAF-in-ieee80211_scan_rx.patch
(git-fixes CVE-2022-49934 bsc#1245051).
- Update
patches.suse/wifi-wil6210-debugfs-fix-info-leak-in-wil_write_file.patch
(git-fixes CVE-2022-50169 bsc#1244767).
- Update
patches.suse/wifi-wil6210-debugfs-fix-uninitialized-variable-use-.patch
(git-fixes CVE-2022-50165 bsc#1244771).
- Update
patches.suse/xen-privcmd-fix-error-exit-of-privcmd_ioctl_dm_op.patch
(git-fixes CVE-2022-49989 bsc#1245007).
- commit 138997d
- Update
patches.suse/USB-core-Prevent-nested-device-reset-calls.patch
(bsc#1206664 CVE-2022-4662 CVE-2022-49936 bsc#1244984).
- Update
patches.suse/ath9k-fix-use-after-free-in-ath9k_hif_usb_rx_cb.patch
(CVE-2022-1679 bsc#1199487 CVE-2022-50179 bsc#1244886).
- Update
patches.suse/bpf-Don-t-use-tnum_range-on-array-range-checking-for.patch
(bsc#1202564 bsc#1202860 CVE-2022-2905 CVE-2022-49985
bsc#1244956).
- Update
patches.suse/btrfs-unset-reloc-control-if-transaction-commit-fail.patch
(bsc#1212051 CVE-2023-3111 CVE-2022-50067 bsc#1245047).
- Update
patches.suse/ext4-add-EXT4_INODE_HAS_XATTR_SPACE-macro-in-xattr.h.patch
(bsc#1206878 CVE-2022-50083 bsc#1244968).
- Update
patches.suse/media-mceusb-Use-new-usb_control_msg_-routines.patch
(CVE-2022-3903 bsc#1205220 CVE-2022-49937 bsc#1245057).
- Update
patches.suse/netfilter-nf_tables-do-not-allow-SET_ID-to-refer-to-.patch
(CVE-2022-2586 bsc#1202095 CVE-2022-50213 bsc#1244867).
- Update patches.suse/sch_htb-make-htb_deactivate-idempotent.patch
(CVE-2025-37798 bsc#1242414 CVE-2025-37953 bsc#1243543).
- Update
patches.suse/sch_htb-make-htb_qlen_notify-idempotent.patch
(CVE-2025-37798 bsc#1242414 CVE-2025-37932 bsc#1243627).
- Update
patches.suse/staging-rtl8712-fix-use-after-free-bugs.patch
(CVE-2022-4095 bsc#1205514 CVE-2022-49956 bsc#1244969).
- commit cfda5f9
- selinux: Add boundary check in put_entry() (CVE-2022-50200
bsc#1245149).
- commit 66f4090
- net_sched: prio: fix a race in prio_tune() (CVE-2025-38083
bsc#1245183).
- commit 23a5ba6
- dm raid: fix address sanitizer warning in raid_resume
(CVE-2022-50085 bsc#1245147).
- commit 014ae24
- kabi: place tstamp needed for nftables set in a hole
(CVE-2024-27397 bsc#1224095).
- commit 77b63ae
- netfilter: nf_tables: use timestamp to check for set element
timeout (CVE-2024-27397 bsc#1224095).
- commit 9049387
- netfilter: nft_set_rbtree: .deactivate fails if element has
expired (CVE-2024-27397 bsc#1224095).
- commit 1e980c4
- net_sched: hfsc: Address reentrant enqueue adding class to
eltree twice (CVE-2025-38001 bsc#1244234).
- commit f66f8f9
- sch_ets: make est_qlen_notify() idempotent (CVE-2025-37798
bsc#1242414).
Note: this patch is only needed SLE15-SP3-LTSS as sch_ets was not
backported into other 5.3 based branches.
- commit 6c457bf
- sch_htb: make htb_deactivate() idempotent (CVE-2025-37798
bsc#1242414).
- codel: remove sch->q.qlen check before
qdisc_tree_reduce_backlog() (CVE-2025-37798 bsc#1242414).
- sch_qfq: make qfq_qlen_notify() idempotent (CVE-2025-37798
bsc#1242414).
- sch_hfsc: make hfsc_qlen_notify() idempotent (CVE-2025-37798
bsc#1242414).
- sch_drr: make drr_qlen_notify() idempotent (CVE-2025-37798
bsc#1242414).
- sch_htb: make htb_qlen_notify() idempotent (CVE-2025-37798
bsc#1242414).
- commit 76ca52d
- packaging: Add support for suse-kabi-tools
The current workflow to check kABI stability during the RPM build of SUSE
kernels consists of the following steps:
* The downstream script rpm/modversions unpacks the consolidated kABI
symtypes reference data from kabi/<arch>/symtypes-<flavor> and creates
individual symref files.
* The build performs a regular kernel make. During this operation, genksyms
is invoked for each source file. The tool determines type signatures of
all exports within the file, reports any differences compared to the
associated symref reference, calculates symbol CRCs from the signatures
and writes new type data into a symtypes file.
* The script rpm/modversions is invoked again, this time it packs all new
symtypes files to a consolidated kABI file.
* The downstream script rpm/kabi.pl checks symbol CRCs in the new build and
compares them to a reference from kabi/<arch>/symvers-<flavor>, taking
kabi/severities into account.
suse-kabi-tools is a new set of tools to improve the kABI checking process.
The suite includes two tools, ksymtypes and ksymvers, which replace the
existing scripts rpm/modversions and rpm/kabi.pl, as well as the comparison
functionality previously provided by genksyms. The tools have their own
source repository and package.
The tools provide faster operation and more detailed, unified output. In
addition, they allow the use of the new upstream tool gendwarfksyms, which
lacks any built-in comparison functionality.
The updated workflow is as follows:
* The build performs a regular kernel make. During this operation, genksyms
(gendwarfksyms) is invoked as usual, determinining signatures and CRCs of
all exports and writing the type data to symtypes files. However,
genksyms no longer performs any comparison.
* 'ksymtypes consolidate' packs all new symtypes files to a consolidated
kABI file.
* 'ksymvers compare' checks symbol CRCs in the new build and compares them
to a reference from kabi/<arch>/symvers-<flavor>, taking kabi/severities
into account. The tool writes its result in a human-readable form on
standard output and also writes a list of all changed exports (not
ignored by kabi/severities) to the changed-exports file.
* 'ksymtypes compare' takes the changed-exports file, the consolidated kABI
symtypes reference data from kabi/<arch>/symtypes-<flavor> and the new
consolidated data. Based on this data, it produces a detailed report
explaining why the symbols changed.
The patch enables the use of suse-kabi-tools via rpm/config.sh, providing
explicit control to each branch. To enable the support, set
USE_SUSE_KABI_TOOLS=Yes in the config file.
- commit a2c6f89
- kernel-source: Remove log.sh from sources
- commit 96bd779
- netfilter: ipset: add missing range check in bitmap_ip_uadt (CVE-2024-53141 bsc#1234381)
- commit 21ac02b
- net_sched: hfsc: Fix a potential UAF in hfsc_dequeue() too
(CVE-2025-37823 bsc#1242924).
- commit dca98b0
- sch_hfsc: Fix qlen accounting bug when using peek in
hfsc_enqueue() (CVE-2025-38000 bsc#1244277).
- net_sched: hfsc: Fix a UAF vulnerability in class with netem
as child qdisc (CVE-2025-37890 bsc#1243330).
- net: sched: sch_multiq: fix possible OOB write in multiq_tune()
(CVE-2024-36978 bsc#1226514).
- commit 8d2bb29
- netfilter: ipset: fix region locking in hash types
(CVE-2025-37997 bsc#1243832).
- commit d102bab
- net: sched: Disallow replacing of child qdisc from one parent
to another (CVE-2025-21700 bsc#1237159).
- commit bde17d3
- netem: Update sch->q.qlen before qdisc_tree_reduce_backlog()
(git-fixes CVE-2025-21703 bsc#1237313).
- commit 982a71f
- pfifo_tail_enqueue: Drop new packet when sch->limit == 0 (CVE-2025-21702 bsc#1237312)
- commit f34470d
- net_sched: sch_fifo: implement lockless __fifo_dump() (bsc#1237312)
- commit a87a922
- netfilter: nft_set_pipapo: do not free live element
(CVE-2024-26924 bsc#1223387).
- commit b465633
- net/sched: netem: account for backlog updates from child qdisc
(CVE-2024-56770 bsc#1235637).
- sch/netem: fix use after free in netem_dequeue (CVE-2024-56770
bsc#1235637 CVE-2024-46800 bsc#1230827).
- commit 3360a1a
- mkspec: Exclude rt flavor from kernel-syms dependencies (bsc#1244337).
- commit 7c95ae0
- MyBS: Do not build kernel-obs-qa with limit_packages
Fixes: 58e3f8c34b2b ("bs-upload-kernel: Pass limit_packages also on multibuild")
- commit f4c6047
- MyBS: Simplify qa_expr generation
Start with a 0 which makes the expression valid even if there are no QA
repositories (currently does not happen). Then separator is always
needed.
- commit e4c2851
- MyBS: Correctly generate build flags for non-multibuild package limit
(bsc# 1244241)
Fixes: 0999112774fc ("MyBS: Use buildflags to set which package to build")
- commit 27588c9
- bs-upload-kernel: Pass limit_packages also on multibuild
Fixes: 0999112774fc ("MyBS: Use buildflags to set which package to build")
Fixes: 747f601d4156 ("bs-upload-kernel, MyBS, Buildresults: Support multibuild (JSC-SLE#5501, boo#1211226, bsc#1218184)")
- commit 8ef486c
- wifi: cfg80211: fix certs build to not depend on file order
(bsc#1243001).
- wifi: cfg80211: Add my certificate (bsc#1243001).
- commit eda1fcf
- kernel-source: Do not use multiple -r in sed parameters
This usage is enabled in commit b18d64d
(sed: allow multiple (non-conflicting) -E/-r parameters, 2016-07-31)
only available since sed 4.3
Fixes: dc2037cd8f94 ("kernel-source: Also replace bin/env"
- commit 91ad98e
- kabi/severities: workaround kABI checker complains after AX25 and HAMRADIO removals
KABI: symbol asc2ax(mod:net/ax25/ax25) lost
KABI: symbol ax25_bcast(mod:net/ax25/ax25) lost
KABI: symbol ax25_defaddr(mod:net/ax25/ax25) lost
KABI: symbol ax25_display_timer(mod:net/ax25/ax25) lost
KABI: symbol ax25_find_cb(mod:net/ax25/ax25) lost
KABI: symbol ax25_findbyuid(mod:net/ax25/ax25) lost
KABI: symbol ax25_header_ops(mod:net/ax25/ax25) lost
KABI: symbol ax25_ip_xmit(mod:net/ax25/ax25) lost
KABI: symbol ax25_linkfail_register(mod:net/ax25/ax25) lost
KABI: symbol ax25_linkfail_release(mod:net/ax25/ax25) lost
KABI: symbol ax25_listen_register(mod:net/ax25/ax25) lost
KABI: symbol ax25_listen_release(mod:net/ax25/ax25) lost
KABI: symbol ax25_protocol_release(mod:net/ax25/ax25) lost
KABI: symbol ax25_register_pid(mod:net/ax25/ax25) lost
KABI: symbol ax25_send_frame(mod:net/ax25/ax25) lost
KABI: symbol ax25_uid_policy(mod:net/ax25/ax25) lost
KABI: symbol ax25cmp(mod:net/ax25/ax25) lost
KABI: symbol ax2asc(mod:net/ax25/ax25) lost
KABI: symbol hdlcdrv_arbitrate(mod:drivers/net/hamradio/hdlcdrv) lost
KABI: symbol hdlcdrv_receiver(mod:drivers/net/hamradio/hdlcdrv) lost
KABI: symbol hdlcdrv_register(mod:drivers/net/hamradio/hdlcdrv) lost
KABI: symbol hdlcdrv_transmitter(mod:drivers/net/hamradio/hdlcdrv) lost
KABI: symbol hdlcdrv_unregister(mod:drivers/net/hamradio/hdlcdrv) lost
KABI: symbol null_ax25_address(mod:net/ax25/ax25) lost
- commit fc0b9ba
- drop rose drivers (bsc#1238471).
- drop netrom drivers (bsc#1238471).
- drop hamradio drivers (bsc#1238471).
- drop ax25 drivers (bsc#1238471).
- commit bde35e8
- polkit
-
- CVE-2025-7519: Fixed that a XML policy file with a large number of
nested elements may lead to out-of-bounds write (bsc#1246472)
added 0001-Nested-.policy-files-cause-xml-parsing-overflow-lead.patch
- libsolv
-
- add support for product-obsoletes() provides in the product
autopackage generation code
- bump version to 0.7.34
- improve transaction ordering by allowing more uninst->uninst
edges [bsc#1243457]
- implement color filtering when adding update targets
- support orderwithrequires dependencies in susedata.xml
- bump version to 0.7.33
- libssh
-
- Fix CVE-2025-5318: Likely read beyond bounds in sftp server handle management (bsc#1245311)
* Add patch libssh-CVE-2025-5318.patch
- Fix CVE-2025-4877: Write beyond bounds in binary to base64 conversion functions (bsc#1245309)
* Add patch libssh-CVE-2025-4877.patch
- Fix CVE-2025-4878: Use of uninitialized variable in privatekey_from_file() (bsc#1245310)
* Add patches:
- libssh-CVE-2025-4878-1.patch
- libssh-CVE-2025-4878-2.patch
- Fix CVE-2025-5372: ssh_kdf() returns a success code on certain failures (bsc#1245314)
* Add patch libssh-CVE-2025-5372.patch
- libxml2
-
- security update
- added patches
CVE-2025-49794 [bsc#1244554], heap use after free (UAF) can lead to Denial of service (DoS)
CVE-2025-49796 [bsc#1244557], type confusion may lead to Denial of service (DoS)
+ libxml2-CVE-2025-49794,49796.patch
- security update
- added patches
CVE-2025-6170 [bsc#1244700], stack buffer overflow may lead to a crash
CVE-2025-6021 [bsc#1244580], Integer Overflow in xmlBuildQName() Leads to Stack Buffer Overflow in libxml2
+ libxml2-CVE-2025-6170,6021.patch
- libzypp
-
- Ignore DeltaRpm download errors (bsc#1245672)
DeltaRpms are in fact optional resources. In case of a failure
the full rpm is downloaded.
- Improve fix for incorrect filesize handling (bsc#1245220)
- version 17.37.9 (35)
- Do not trigger download data exceeded errors on HTTP non data
responses (bsc#1245220)
In some cases a HTTP 401 or 407 did trigger a "filesize exceeded"
error, because the response payload size was compared against the
expected filesize. This patch adds some checks if the response
code is in the success range and only then takes expected
filesize into account. Otherwise the response content-length is
used or a fallback of 2Mb if no content-length is known.
- version 17.37.8 (35)
- Fix SEGV in MediaDISK handler (bsc#1245452)
- Explicitly selecting DownloadAsNeeded also selects the
classic_rpmtrans backend.
DownloadAsNeeded can not be combined with the rpm singletrans
installer backend because a rpm transaction requires all package
headers to be available the the beginning of the transaction. So
explicitly selecting this mode also turns on the classic_rpmtrans
backend.
- Fix evaluation of libproxy results (bsc#1244710)
- version 17.37.7 (35)
- Enhancements regarding mirror handling during repo refresh.
Added means to disable the use of mirrors when downloading
security relevant files. Requires updaing zypper to 1.14.91.
- Fix autotestcase writer if ZYPP_FULLLOG=1 (bsc#1244042)
If ZYPP_FULLLOG=1 a solver testcase to
"/var/log/YaST2/autoTestcase" should be written for each solver
run. There was no testcase written for the very first solver run.
This is now fixed.
- Pass $1==2 to %posttrans script if it's an update (bsc#1243279)
- version 17.37.6 (35)
- python-PyYAML
-
- Add python36-PyYAML provides/obsoletes to enable SLE-12 ->
SLE-15 migration, bsc#1233012
- python-pyparsing
-
- Add python36-pyparsing provides/obsoletes to enable SLE-12 ->
SLE-15 migration, bsc#1233012
- python-pytz
-
- Add python36-pytz provides/obsoletes to enable SLE-12 ->
SLE-15 migration, bsc#1233012
- python-requests
-
- Add python36- provides/obsoletes to enable SLE-12 ->
SLE-15 migration, bsc#1233012
- salt
-
- Prevent tests failures when pygit2 is not present
- Several fixes for security issues
(bsc#1244561, CVE-2024-38822)
(bsc#1244564, CVE-2024-38823)
(bsc#1244565, CVE-2024-38824)
(bsc#1244566, CVE-2024-38825)
(bsc#1244567, CVE-2025-22240)
(bsc#1244568, CVE-2025-22236)
(bsc#1244570, CVE-2025-22241)
(bsc#1244571, CVE-2025-22237)
(bsc#1244572, CVE-2025-22238)
(bsc#1244574, CVE-2025-22239)
(bsc#1244575, CVE-2025-22242)
* Request server hardening
* Prevent traversal in local_cache::save_minions
* Add test and fix for file_recv cve
* Fix traversal in gitfs find_file
* Fix traversal in salt.utils.virt
* Fix traversal in pub_ret
* Reasonable failures when pillars timeout
* Make send_req_async wait longer
* Remove token to prevent decoding errors
* Fix checking of non-url style git remotes
* Allow subdirs in GitFS find_file check
- Add subsystem filter to udev.exportdb (bsc#1236621)
- tornado.httputil: raise errors instead of logging in
multipart/form-data parsing (CVE-2025-47287, bsc#1243268)
- Fix Ubuntu 24.04 edge-case test failures
- Fix broken tests for Ubuntu 24.04
- Fix refresh of osrelease and related grains on Python 3.10+
- Make "salt" package to obsolete "python3-salt" package on SLE15SP7+
- Fix issue requiring proper Python flavor for dependencies and recommended package
- Added:
* fix-tests-issues-in-salt-shaker-environments-721.patch
* several-fixes-for-security-issues.patch
* fix-of-cve-2025-47287-bsc-1243268-718.patch
* add-subsystem-filter-to-udev.exportdb-bsc-1236621-71.patch
* fix-ubuntu-24.04-specific-failures-716.patch
* fix-debian-tests-715.patch
* fix-refresh-of-osrelease-and-related-grains-on-pytho.patch
- python-urllib3
-
- Add python36-urllib3 provides/obsoletes to enable SLE-12 ->
SLE-15 migration, bsc#1233012
- zypper
-
- sh: Reset solver options after command (bsc#1245496)
- Explicitly selecting DownloadAsNeeded also selects the
classic_rpmtrans backend.
- version 1.14.92
- BuildRequires: libzypp-devel >= 17.37.6.
Enhancements regarding mirror handling during repo refresh. Adapt
to libzypp API changes. (bsc#1230267)
- version 1.14.91