- 000release-packages:SL-Micro-release
-
n/a
- glib2
-
- Add glib2-CVE-2025-6052.patch: fix overflow check when expanding
a GString (bsc#1244596 CVE-2025-6052).
- Add glib2-CVE-2025-4373.patch: carefully handle gssize parameters
(bsc#1242844 CVE-2025-4373 glgo#GNOME/glib#3677).
- gptfdisk
-
- fix boot failure with qcow and vmdk images (bsc#1242987)
* 0001-Do-not-check-for-writable-device-if-we-don-t-need-it.patch
- iputils
-
- Security fix [bsc#1243772, CVE-2025-48964]
* Fix integer overflow in ping statistics via zero timestamp
* Add iputils-CVE-2025-48964_01.patch
* Add iputils-CVE-2025-48964_02.patch
* Add iputils-CVE-2025-48964_03.patch
* Add iputils-CVE-2025-48964_04.patch
* Add iputils-CVE-2025-48964_regression.patch
- kernel-source:kernel-default
-
- r8152: add vendor/device ID pair for Dell Alienware AW1022z
(git-fixes).
- commit 9bd4e20
- rtc: cmos: use spin_lock_irqsave in cmos_interrupt (git-fixes).
- commit d8e756f
- add bug reference to existing hv_storvsc change (bsc#1245455).
- net: mana: Record doorbell physical address in PF mode (bsc#1244229).
- commit 1c553b0
- nfsd: nfsd4_spo_must_allow() must check this is a v4 compound
request (git-fixes).
- commit 784f61d
- mm/hugetlb: fix huge_pmd_unshare() vs GUP-fast race
(bsc#1245431).
- commit dd145d5
- netlink: specs: dpll: replace underscores with dashes in names
(git-fixes).
- bnxt: properly flush XDP redirect lists (git-fixes).
- e1000e: set fixed clock frequency indication for Nahum 11 and
Nahum 13 (git-fixes).
- net: ice: Perform accurate aRFS flow match (git-fixes).
- net/mlx5e: Fix leak of Geneve TLV option object (git-fixes).
- net/mlx5: Fix return value when searching for existing flow
group (git-fixes).
- net/mlx5: Fix ECVF vports unload on shutdown flow (git-fixes).
- net/mlx5: Ensure fw pages are always allocated on same NUMA
(git-fixes).
- i40e: retry VFLR handling if there is ongoing VF reset
(git-fixes).
- i40e: return false from i40e_reset_vf if reset is in progress
(git-fixes).
- gve: add missing NULL check for gve_alloc_pending_packet()
in TX DQO (git-fixes).
- ice: fix rebuilding the Tx scheduler tree for large queue counts
(git-fixes).
- ice: create new Tx scheduler nodes for new queues only
(git-fixes).
- ice: fix Tx scheduler error handling in XDP callback
(git-fixes).
- net/mlx4_en: Prevent potential integer overflow calculating Hz
(git-fixes).
- gve: Fix RX_BUFFERS_POSTED stat to report per-queue fill_cnt
(git-fixes).
- net/mlx5: Add error handling in mlx5_query_nic_vport_node_guid()
(git-fixes).
- net/mlx5_core: Add error handling
inmlx5_query_nic_vport_qkey_viol_cntr() (git-fixes).
- idpf: fix null-ptr-deref in idpf_features_check (CVE-2025-38053
bsc#1244746).
- ice: Fix LACP bonds without SRIOV environment (git-fixes).
- ice: fix vf->num_mac count with port representors (git-fixes).
- devlink: fix port dump cmd type (git-fixes).
- devlink: Fix referring to hw_addr attribute during state
validation (git-fixes).
- netlink: fix potential sleeping issue in mqueue_flush_file
(git-fixes).
- commit 6dccf5f
- mm/hugetlb: unshare page tables during VMA split, not before
(bsc#1245431).
- commit bf8eb79
- staging: rtl8723bs: Avoid memset() in aes_cipher() and
aes_decipher() (git-fixes).
- serial: imx: Restore original RXTL for console to fix data loss
(git-fixes).
- commit 652de47
- drm/amdgpu: csa unmap use uninterruptible lock (CVE-2025-38011
bsc#1244729).
- commit d370e7c
- i2c: tiny-usb: disable zero-length read messages (git-fixes).
- i2c: robotfuzz-osif: disable zero-length read messages
(git-fixes).
- drm/i915: fix build error some more (git-fixes).
- ALSA: hda/realtek: Fix built-in mic on ASUS VivoBook X507UAR
(git-fixes).
- ALSA: usb-audio: Fix out-of-bounds read in
snd_usb_get_audioformat_uac3() (git-fixes).
- ALSA: hda/realtek: enable headset mic on Latitude 5420 Rugged
(stable-fixes).
- ALSA: usb-audio: Rename ALSA kcontrol PCM and PCM1 for the
KTMicro sound card (stable-fixes).
- ALSA: hda/intel: Add Thinkpad E15 to PM deny list
(stable-fixes).
- ata: pata_via: Force PIO for ATAPI devices on VT6415/VT6330
(stable-fixes).
- drivers/rapidio/rio_cm.c: prevent possible heap overwrite
(stable-fixes).
- watchdog: da9052_wdt: respect TWDMIN (stable-fixes).
- watchdog: fix watchdog may detect false positive of softlockup
(stable-fixes).
- fbcon: Make sure modelist not set on unregistered console
(stable-fixes).
- bus: fsl-mc: increase MC_CMD_COMPLETION_TIMEOUT_MS value
(stable-fixes).
- i2c: designware: Invoke runtime suspend on quick slave
re-registration (stable-fixes).
- i2c: npcm: Add clock toggle recovery (stable-fixes).
- pinctrl: armada-37xx: propagate error from
armada_37xx_pmx_set_by_name() (stable-fixes).
- pinctrl: armada-37xx: propagate error from
armada_37xx_gpio_get_direction() (stable-fixes).
- pinctrl: armada-37xx: propagate error from
armada_37xx_pmx_gpio_set_direction() (stable-fixes).
- pinctrl: armada-37xx: propagate error from
armada_37xx_gpio_get() (stable-fixes).
- pinctrl: mcp23s08: Reset all pins to input at probe
(stable-fixes).
- software node: Correct a OOB check in
software_node_get_reference_args() (stable-fixes).
- wifi: mt76: mt7996: drop fragments with multicast or broadcast
RA (stable-fixes).
- wifi: mt76: mt7921: add 160 MHz AP for mt7922 device
(stable-fixes).
- wifi: mt76: mt76x2: Add support for LiteOn WN4516R,WN4519R
(stable-fixes).
- wifi: ath12k: fix macro definition HAL_RX_MSDU_PKT_LENGTH_GET
(stable-fixes).
- wifi: ath12k: fix a possible dead lock caused by ab->base_lock
(stable-fixes).
- wifi: ath11k: Fix QMI memory reuse logic (stable-fixes).
- wifi: rtw89: leave idle mode when setting WEP encryption for
AP mode (stable-fixes).
- wifi: mac80211: do not offer a mesh path if forwarding is
disabled (stable-fixes).
- wifi: iwlwifi: pcie: make sure to lock rxq->read (stable-fixes).
- wifi: mac80211_hwsim: Prevent tsf from setting if beacon is
disabled (stable-fixes).
- wifi: ath12k: fix failed to set mhi state error during reboot
with hardware grouping (stable-fixes).
- wifi: ath12k: fix link valid field initialization in the
monitor Rx (stable-fixes).
- wifi: ath12k: fix incorrect CE addresses (stable-fixes).
- wifi: ath12k: Pass correct values of center freq1 and center
freq2 for 160 MHz (stable-fixes).
- wifi: mac80211: VLAN traffic in multicast path (stable-fixes).
- wifi: iwlwifi: Add missing MODULE_FIRMWARE for Qu-c0-jf-b0
(stable-fixes).
- usbnet: asix AX88772: leave the carrier control to phylink
(stable-fixes).
- PM: runtime: fix denying of auto suspend in
pm_suspend_timer_fn() (stable-fixes).
- ACPI: battery: negate current when discharging (stable-fixes).
- ACPICA: Avoid sequence overread in call to strncmp()
(stable-fixes).
- ACPICA: utilities: Fix overflow check in vsnprintf()
(stable-fixes).
- ACPICA: fix acpi parse and parseext cache leaks (stable-fixes).
- ACPICA: fix acpi operand cache leak in dswstate.c
(stable-fixes).
- ACPI: bus: Bail out if acpi_kobj registration fails
(stable-fixes).
- mmc: Add quirk to disable DDR50 tuning (stable-fixes).
- power: supply: bq27xxx: Retrieve again when busy (stable-fixes).
- power: supply: collie: Fix wakeup source leaks on device unbind
(stable-fixes).
- ASoC: amd: yc: Add quirk for Lenovo Yoga Pro 7 14ASP9
(stable-fixes).
- ASoC: tegra210_ahub: Add check to of_device_get_match_data()
(stable-fixes).
- ASoC: tas2770: Power cycle amp on ISENSE/VSENSE change
(stable-fixes).
- Input: sparcspkr - avoid unannotated fall-through
(stable-fixes).
- commit 0dc7dde
- Update
patches.suse/HID-uclogic-Add-NULL-check-in-uclogic_input_configur.patch
(git-fixes CVE-2025-38007 bsc#1244938).
- Update
patches.suse/RDMA-core-Fix-KASAN-slab-use-after-free-Read-in-ib_r.patch
(git-fixes CVE-2025-38022 bsc#1245003).
- Update
patches.suse/RDMA-rxe-Fix-slab-use-after-free-Read-in-rxe_queue_c.patch
(git-fixes CVE-2025-38024 bsc#1245025).
- Update
patches.suse/btrfs-avoid-NULL-pointer-dereference-if-no-valid-csu.patch
(bsc#1243342 CVE-2025-38059 bsc#1244759).
- Update
patches.suse/btrfs-avoid-NULL-pointer-dereference-if-no-valid-ext.patch
(bsc#1236208 CVE-2025-21658).
- Update
patches.suse/can-bcm-add-locking-for-bcm_op-runtime-updates.patch
(git-fixes CVE-2025-38004 bsc#1244274).
- Update
patches.suse/can-bcm-add-missing-rcu-read-protection-for-procfs-c.patch
(git-fixes CVE-2025-38003 bsc#1244275).
- Update
patches.suse/crypto-algif_hash-fix-double-free-in-hash_accept.patch
(git-fixes CVE-2025-38079 bsc#1245217).
- Update
patches.suse/crypto-lzo-Fix-compression-buffer-overrun.patch
(stable-fixes CVE-2025-38068 bsc#1245210).
- Update
patches.suse/dmaengine-idxd-Refactor-remove-call-with-idxd_cleanu.patch
(git-fixes CVE-2025-38014 bsc#1244732).
- Update
patches.suse/dmaengine-idxd-fix-memory-leak-in-error-handling-pat-46a5cca.patch
(git-fixes CVE-2025-38015 bsc#1244789).
- Update
patches.suse/dmaengine-ti-k3-udma-Add-missing-locking.patch
(git-fixes CVE-2025-38005 bsc#1244727).
- Update
patches.suse/drm-amd-display-Increase-block_sequence-array-size.patch
(stable-fixes CVE-2025-38080 bsc#1244738).
- Update
patches.suse/ext4-goto-right-label-out_mmap_sem-in-ext4_setattr.patch
(bsc#1242556 CVE-2025-22120 bsc#1241592).
- Update
patches.suse/firmware-arm_ffa-Set-dma_mask-for-ffa-devices.patch
(stable-fixes CVE-2025-38043 bsc#1245081).
- Update patches.suse/media-cx231xx-set-device_caps-for-417.patch
(stable-fixes CVE-2025-38044 bsc#1245082).
- Update
patches.suse/net-handshake-Fix-handshake_req_destroy_test1.patch
(git-fixes CVE-2024-26831 bsc#1223008).
- Update
patches.suse/net-mlx5e-Disable-MACsec-offload-for-uplink-represen.patch
(git-fixes CVE-2025-38020 bsc#1245001).
- Update patches.suse/net_sched-prio-fix-a-race-in-prio_tune.patch
(git-fixes CVE-2025-38083 bsc#1245183).
- Update
patches.suse/nfs-handle-failure-of-nfs_get_lock_context-in-unlock-path.patch
(git-fixes CVE-2025-38023 bsc#1245004).
- Update patches.suse/orangefs-Do-not-truncate-file-size.patch
(git-fixes CVE-2025-38065 bsc#1244906).
- Update
patches.suse/padata-do-not-leak-refcount-in-reorder_work.patch
(git-fixes CVE-2025-38031 bsc#1245046).
- Update
patches.suse/phy-tegra-xusb-Use-a-bitmask-for-UTMI-pad-power-stat.patch
(git-fixes CVE-2025-38010 bsc#1244996).
- Update
patches.suse/platform-x86-dell-wmi-sysman-Avoid-buffer-overflow-i.patch
(git-fixes CVE-2025-38077 bsc#1244736).
- Update
patches.suse/regulator-max20086-fix-invalid-memory-access.patch
(git-fixes CVE-2025-38027 bsc#1245042).
- Update
patches.suse/s390-pci-Fix-duplicate-pci_dev_put-in-disable_slot-w.patch
(git-fixes bsc#1244145 CVE-2025-37946 bsc#1243506).
- Update
patches.suse/s390-pci-fix-potential-double-remove-of-hotplug-slot.patch
(bsc#1244145 CVE-2024-56699 bsc#1235490).
- Update
patches.suse/sched-numa-fix-memory-leak-due-to-the-overwritten-vma-numab_state.patch
(git fixes (sched/numa) CVE-2024-56613 bsc#1244176).
- Update
patches.suse/serial-mctrl_gpio-split-disable_ms-into-sync-and-no_.patch
(git-fixes CVE-2025-38040 bsc#1245078).
- Update
patches.suse/spi-rockchip-Fix-register-out-of-bounds-access.patch
(stable-fixes CVE-2025-38081 bsc#1244739).
- Update
patches.suse/usb-typec-ucsi-displayport-Fix-NULL-pointer-access.patch
(git-fixes CVE-2025-37994 bsc#1243823).
- Update
patches.suse/vhost-scsi-Fix-handling-of-multiple-calls-to-vhost_s.patch
(git-fixes CVE-2025-22083 bsc#1241414).
- Update
patches.suse/wifi-cfg80211-fix-out-of-bounds-access-during-multi-.patch
(git-fixes CVE-2025-37973 bsc#1244172).
- Update patches.suse/wifi-iwlwifi-fix-debug-actions-order.patch
(stable-fixes CVE-2025-38045 bsc#1245083).
- Update
patches.suse/wifi-mac80211-Set-n_channels-after-allocating-struct.patch
(git-fixes CVE-2025-38013 bsc#1244731).
- Update
patches.suse/wifi-mt76-disable-napi-on-driver-removal.patch
(git-fixes CVE-2025-38009 bsc#1244995).
- commit fee1c31
- HID: lenovo: Restrict F7/9/11 mode to compact keyboards only
(git-fixes).
- HID: wacom: fix kobject reference count leak (git-fixes).
- HID: wacom: fix memory leak on sysfs attribute creation failure
(git-fixes).
- HID: wacom: fix memory leak on kobject creation failure
(git-fixes).
- wifi: mac80211: fix beacon interval calculation overflow
(git-fixes).
- commit 8d2d6ad
- scsi: storvsc: Increase the timeouts to storvsc_timeout (git-fixes).
- net: mana: Add support for Multi Vports on Bare metal (bsc#1244229).
- scsi: storvsc: Don't report the host packet status as the hv status (git-fixes).
- commit cde971c
- btrfs: fix fsync of files with no hard links not persisting
deletion (git-fixes).
- btrfs: remove end_no_trans label from btrfs_log_inode_parent()
(git-fixes).
- btrfs: simplify condition for logging new dentries at
btrfs_log_inode_parent() (git-fixes).
- commit 9370aa3
- btrfs: fix wrong start offset for delalloc space release during
mmap write (git-fixes).
- commit 59b0f84
- btrfs: fix invalid data space release when truncating block
in NOCOW mode (git-fixes).
- commit b11e8b5
- btrfs: fix qgroup reservation leak on failure to allocate
ordered extent (git-fixes).
- commit e13d6e0
- ntp: Remove invalid cast in time offset math (git-fixes)
- commit 92649f3
- timekeeping: Fix bogus clock_was_set() invocation in (git-fixes)
- commit 17fecee
- ntp: Safeguard against time_constant overflow (git-fixes)
- commit fb90573
- ntp: Clamp maxerror and esterror to operating range (git-fixes)
- commit 947fc29
- clocksource: Fix brown-bag boolean thinko in (git-fixes)
- commit f65bb99
- clocksource: Make watchdog and suspend-timing multiplication (git-fixes)
- commit a87f573
- timekeeping: Fix cross-timestamp interpolation for non-x86 (git-fixes)
- commit 1a57489
- timekeeping: Fix cross-timestamp interpolation corner case (git-fixes)
- commit dc250ae
- timekeeping: Fix cross-timestamp interpolation on counter (git-fixes)
- commit 4e863aa
- Refresh
patches.kabi/kabi-restore-layout-of-struct-mem_control.patch.
- commit 5049495
- kabi: restore layout of struct cgroup_subsys (bsc#1241166).
- commit 2014732
- cgroup/cpuset: Fix race between newly created partition and
dying one (bsc#1241166).
- commit 36dffbc
- fgraph: Still initialize idle shadow stacks when starting
(git-fixes).
- commit 1697414
- tracing/eprobe: Fix to release eprobe when failed to add
dyn_event (git-fixes).
- commit a8fd69f
- tracing: Fix cmp_entries_dup() to respect sort() comparison
rules (git-fixes).
- commit f73056c
- tracing: Use atomic64_inc_return() in trace_clock_counter()
(git-fixes).
- commit 23262fc
- trace/trace_event_perf: remove duplicate samples on the first
tracepoint event (git-fixes).
- commit b4e63e6
- bpf: Force uprobe bpf program to always return 0 (git-fixes).
- commit 90effed
- uprobes: Use kzalloc to allocate xol area (git-fixes).
- Refresh
patches.suse/uprobes-introduce-the-global-struct-vm_special_mapping-xol_mapping.patch.
- commit 30d8536
- bpf: abort verification if env->cur_state->loop_entry != NULL
(CVE-2025-38060 bsc#1245155).
- Refresh patches.kabi/bpf-verifier-kABI-workarounds.patch.
- commit c80eca0
- selftests/bpf: check states pruning for deeply nested iterator
(CVE-2025-38060 bsc#1245155).
- bpf: don't do clean_live_states when state->loop_entry->branches
> 0 (CVE-2025-38060 bsc#1245155).
- commit f0d9333
- vmxnet3: support higher link speeds from vmxnet3 v9
(bsc#1244626).
- commit 0aa445e
- vmxnet3: correctly report gso type for UDP tunnels
(bsc#1244626).
- commit 44584be
- vmxnet3: update MTU after device quiesce (bsc#1244626).
- commit 14400a7
- scsi: elx: efct: Fix memory leak in efct_hw_parse_filter()
(git-fixes).
- commit 11611ac
- tracing: Fix compilation warning on arm32 (bsc#1243551).
- commit bc2f48d
- tracing: Fix oob write in trace_seq_to_buffer() (CVE-2025-37923
bsc#1243551).
- commit ff6a777
- ata: libata-eh: Do not use ATAPI DMA for a device limited to
PIO mode (stable-fixes).
- commit 07065f3
- bpf: copy_verifier_state() should copy 'loop_entry' field
(CVE-2025-38060 bsc#1245155).
- Refresh patches.kabi/bpf-verifier-kABI-workarounds.patch.
- commit 815fadf
- selftests/bpf: test correct loop_entry update in
copy_verifier_state (CVE-2025-38060 bsc#1245155).
- commit b2e3449
- tracing: Fix use-after-free in print_graph_function_flags
during tracer switching (CVE-2025-22035 bsc#1241544).
- commit b6d43f4
- bpf: Fix deadlock between rcu_tasks_trace and event_mutex
(CVE-2025-37884 bsc#1243060).
- commit 7f690ab
- truct dwc3 hide new member wakeup_pending_funcs (git-fixes).
- commit 84579a6
- kabi: restore layout of struct page_counter (jsc#PED-12551).
- commit ef34a22
- usb: dwc3: gadget: Make gadget_wakeup asynchronous (git-fixes).
- commit 39cb14b
- ucsi_debugfs_entry: hide signedness change (git-fixes).
- commit 154816e
- usb: typec: ucsi: fix Clang -Wsign-conversion warning
(git-fixes).
- Refresh patches.suse/paddings-add-paddings-to-TypeC-stuff.patch.
- commit 40f2bc3
- hwmon: corsair-psu: add USB id of HX1200i Series 2023 psu
(git-fixes).
- commit b5678d7
- net: phy: move phy_link_change() prior to mdio_bus_phy_may_suspend() (bsc#1243538)
- commit 416e192
- hwmon: (peci/dimmtemp) Do not provide fake thresholds data
(git-fixes).
- hwmon: (nct6775): Actually make use of the HWMON_NCT6775 symbol
namespace (git-fixes).
- commit 53b0cf2
- Update reference for patches.suse/net_sched-sch_sfq-use-a-temporary-work-area-for-vali.patch (bsc#1242504)
- commit 8730da1
- s390/tty: Fix a potential memory leak bug (git-fixes
bsc#1245228).
- commit e4f3ff4
- s390/pci: Fix __pcilg_mio_inuser() inline assembly (git-fixes
bsc#1245226).
- commit 7cf700b
- ceph: fix memory leaks in __ceph_sync_read() (git-fixes).
- Refresh
patches.suse/ceph-improve-error-handling-and-short-overflow-read-.patch.
- commit 04880f5
- ceph: allocate sparse_ext map only for sparse reads (git-fixes).
- commit e7c7fa7
- ceph: Fix incorrect flush end position calculation (git-fixes).
- commit 626f897
- KVM: s390: rename PROT_NONE to PROT_TYPE_DUMMY (git-fixes
bsc#1245225).
- commit 7cc3455
- iommu/amd: Fix potential buffer overflow in parse_ivrs_acpihid
(CVE-2025-37927 bsc#1243620).
- commit 4916f47
- nvme-fc: do not reference lsrsp after failure (bsc#1245193).
- nvmet-fcloop: don't wait for lport cleanup (bsc#1245193).
- nvmet-fcloop: add missing fcloop_callback_host_done
(bsc#1245193).
- nvmet-fc: take tgtport refs for portentry (bsc#1245193).
- nvmet-fc: free pending reqs on tgtport unregister (bsc#1245193).
- nvmet-fcloop: drop response if targetport is gone (bsc#1245193).
- nvmet-fcloop: allocate/free fcloop_lsreq directly (bsc#1245193).
- nvmet-fcloop: prevent double port deletion (bsc#1245193).
- nvmet-fcloop: access fcpreq only when holding reqlock
(bsc#1245193).
- nvmet-fcloop: update refs on tfcp_req (bsc#1245193).
- nvmet-fcloop: refactor fcloop_delete_local_port (bsc#1245193).
- nvmet-fcloop: refactor fcloop_nport_alloc and track lport
(bsc#1245193).
- nvmet-fcloop: remove nport from list on last user (bsc#1245193).
- nvmet-fcloop: track ref counts for nports (bsc#1245193).
- commit 20104c4
- Remove host-memcpy-hack.h
This might have been usefult at some point but we have more things that
depend on specific library versions today.
- commit 0396c23
- Remove compress-vmlinux.sh
/usr/lib/rpm/brp-suse.d/brp-99-compress-vmlinux was added in
pesign-obs-integration during SLE12 RC. This workaround can be removed.
- commit 19caac0
- Remove try-disable-staging-driver
The config for linux-next is autogenerated from master config, and
defaults filled for missing options. This is unlikely to enable any
staging driver in the first place.
- commit a6f21ed
- nvme: always punt polled uring_cmd end_io work to task_work
(git-fixes).
- nvme: fix implicit bool to flags conversion (git-fixes).
- commit 36de06b
- net/tls: fix kernel panic when alloc_page failed (CVE-2025-38018
bsc#1244999).
- commit 1124110
- espintcp: fix skb leaks (CVE-2025-38057 bsc#1244862).
- commit dffbfd5
- nvme: fix command limits status code (git-fixes).
- nvme-pci: add NVME_QUIRK_NO_DEEPEST_PS quirk for SOLIDIGM P44
Pro (git-fixes).
- nvme-pci: add quirks for WDC Blue SN550 15b7:5009 (git-fixes).
- nvme-pci: add quirks for device 126f:1001 (git-fixes).
- commit 990928c
- sunrpc: handle SVC_GARBAGE during svc auth processing as auth
error (git-fixes).
- commit afe6d07
- x86/microcode/AMD: Add get_patch_level() (git-fixes).
- commit 73bb23d
- x86/microcode/AMD: Get rid of the _load_microcode_amd() forward declaration (git-fixes).
- commit c818693
- x86/microcode/AMD: Merge early_apply_microcode() into its single callsite (git-fixes).
- commit 761df14
- x86/microcode/AMD: Remove ugly linebreak in __verify_patch_section() signature (git-fixes).
- commit d6c2d35
- x86/microcode: Consolidate the loader enablement checking (git-fixes).
- commit d0fff01
- scsi: iscsi: Fix incorrect error path labels for flashnode
operations (git-fixes).
- md/raid1,raid10: don't handle IO error for REQ_RAHEAD and
REQ_NOWAIT (git-fixes).
- commit cbd3a76
- PCI/PM: Set up runtime PM even for devices without PCI PM
(git-fixes).
- commit 871b129
- gpio: mlxbf3: only get IRQ for device instance 0 (git-fixes).
- ALSA: hda/realtek: Fix built-in mic on ASUS VivoBook X513EA
(git-fixes).
- drm/etnaviv: Protect the scheduler's pending list with its lock
(git-fixes).
- drm/nouveau/bl: increase buffer size to avoid truncate warning
(git-fixes).
- drm/ssd130x: fix ssd132x_clear_screen() columns (git-fixes).
- drm/amdgpu: switch job hw_fence to amdgpu_fence (git-fixes).
- drm/i915/pmu: Fix build error with GCOV and AutoFDO enabled
(git-fixes).
- drm/msm/dsi/dsi_phy_10nm: Fix missing initial VCO rate
(git-fixes).
- drm/msm/disp: Correct porch timing for SDM845 (git-fixes).
- commit 3df7edd
- libnvdimm/labels: Fix divide error in nd_label_data_init()
(bsc#1244743, CVE-2025-38072).
- commit 42a394c
- kabi: restore layout of struct mem_control (jsc#PED-12551).
- commit e948e2e
- mm, memcg: cg2 memory{.swap,}.peak write handlers
(jsc#PED-12551).
- mm/memcontrol: export memcg.swap watermark via sysfs for v2
memcg (jsc#PED-12551).
- commit 97c4d37
- can: tcan4x5x: fix power regulator retrieval during probe
(git-fixes).
- commit 5798451
- wifi: carl9170: do not ping device which has failed to load
firmware (git-fixes).
- NFC: nci: uart: Set tty->disc_data only in success path
(git-fixes).
- hwmon: (occ) fix unaligned accesses (git-fixes).
- hwmon: (occ) Rework attribute registration for stack usage
(git-fixes).
- hwmon: (ftsteutates) Fix TOCTOU race in fts_read() (git-fixes).
- wifi: ath11k: move some firmware stats related functions
outside of debugfs (git-fixes).
- wifi: ath11k: don't wait when there is no vdev started
(git-fixes).
- wifi: ath11k: don't use static variables in
ath11k_debugfs_fw_stats_process() (git-fixes).
- wifi: ath11k: avoid burning CPU in
ath11k_debugfs_fw_stats_request() (git-fixes).
- USB: serial: pl2303: add new chip PL2303GC-Q20 and PL2303GT-2AB
(stable-fixes).
- usb: storage: Ignore UAS driver for SanDisk 3.2 Gen2 storage
device (stable-fixes).
- usb: quirks: Add NO_LPM quirk for SanDisk Extreme 55AE
(stable-fixes).
- thunderbolt: Do not double dequeue a configuration request
(stable-fixes).
- rtc: Make rtc_time64_to_tm() support dates before 1970
(stable-fixes).
- firmware: SDEI: Allow sdei initialization without ACPI_APEI_GHES
(git-fixes).
- Bluetooth: MGMT: Remove unused mgmt_pending_find_data
(stable-fixes).
- serial: sh-sci: Move runtime PM enable to sci_probe_single()
(stable-fixes).
- wifi: ath11k: convert timeouts to secs_to_jiffies()
(stable-fixes).
- wifi: ath11k: fix soc_dp_stats debugfs file permission
(stable-fixes).
- commit d77b71f
- Update patches.suse/ALSA-pcm-Fix-race-of-buffer-access-at-PCM-OSS-layer.patch
(CVE-2025-38078 bsc#1244737).
- commit 9ad878b
- calipso: Fix null-ptr-deref in calipso_req_{set,del}attr()
(git-fixes).
- commit 1a53756
- net/sched: fix use-after-free in taprio_dev_notifier
(git-fixes).
- commit bd7e23e
- net_sched: ets: fix a race in ets_qdisc_change() (git-fixes).
- commit c8863c2
- net_sched: tbf: fix a race in tbf_change() (git-fixes).
- commit 8dd49d3
- net_sched: red: fix a race in __red_change() (git-fixes).
- commit eb63704
- net_sched: prio: fix a race in prio_tune() (git-fixes).
- commit 2898595
- net_sched: sch_sfq: reject invalid perturb period (git-fixes).
- commit 11af7b7
- net: Fix TOCTOU issue in sk_is_readable() (git-fixes).
- commit 9bf44e9
- Update patches.suse/dlm-mask-sk_shutdown-value.patch
(bsc#1241278).
- Update patches.suse/dlm-use-SHUT_RDWR-for-SCTP-shutdown.patch
(bsc#1241278).
Original bsc number was wrong. Fix it.
- commit 37c9443
- net_sched: hfsc: Address reentrant enqueue adding class to
eltree twice (CVE-2025-38001 bsc#1244234).
- commit 6a31481
- packaging: Add support for suse-kabi-tools
The current workflow to check kABI stability during the RPM build of SUSE
kernels consists of the following steps:
* The downstream script rpm/modversions unpacks the consolidated kABI
symtypes reference data from kabi/<arch>/symtypes-<flavor> and creates
individual symref files.
* The build performs a regular kernel make. During this operation, genksyms
is invoked for each source file. The tool determines type signatures of
all exports within the file, reports any differences compared to the
associated symref reference, calculates symbol CRCs from the signatures
and writes new type data into a symtypes file.
* The script rpm/modversions is invoked again, this time it packs all new
symtypes files to a consolidated kABI file.
* The downstream script rpm/kabi.pl checks symbol CRCs in the new build and
compares them to a reference from kabi/<arch>/symvers-<flavor>, taking
kabi/severities into account.
suse-kabi-tools is a new set of tools to improve the kABI checking process.
The suite includes two tools, ksymtypes and ksymvers, which replace the
existing scripts rpm/modversions and rpm/kabi.pl, as well as the comparison
functionality previously provided by genksyms. The tools have their own
source repository and package.
The tools provide faster operation and more detailed, unified output. In
addition, they allow the use of the new upstream tool gendwarfksyms, which
lacks any built-in comparison functionality.
The updated workflow is as follows:
* The build performs a regular kernel make. During this operation, genksyms
(gendwarfksyms) is invoked as usual, determinining signatures and CRCs of
all exports and writing the type data to symtypes files. However,
genksyms no longer performs any comparison.
* 'ksymtypes consolidate' packs all new symtypes files to a consolidated
kABI file.
* 'ksymvers compare' checks symbol CRCs in the new build and compares them
to a reference from kabi/<arch>/symvers-<flavor>, taking kabi/severities
into account. The tool writes its result in a human-readable form on
standard output and also writes a list of all changed exports (not
ignored by kabi/severities) to the changed-exports file.
* 'ksymtypes compare' takes the changed-exports file, the consolidated kABI
symtypes reference data from kabi/<arch>/symtypes-<flavor> and the new
consolidated data. Based on this data, it produces a detailed report
explaining why the symbols changed.
The patch enables the use of suse-kabi-tools via rpm/config.sh, providing
explicit control to each branch. To enable the support, set
USE_SUSE_KABI_TOOLS=Yes in the config file.
- commit a2c6f89
- rpm/kernel-source.changes.old: Drop bogus bugzilla reference (bsc#1244725)
- commit 5432961
- platform/x86: ideapad-laptop: use usleep_range() for EC polling
(git-fixes).
- commit 1373cac
- platform/x86: dell_rbu: Stop overwriting data buffer
(git-fixes).
- platform/x86: dell_rbu: Fix list usage (git-fixes).
- platform/x86/amd: pmc: Clear metrics table at start of cycle
(git-fixes).
- platform/x86/intel-uncore-freq: Fail module load when plat_info
is NULL (git-fixes).
- commit 4eb007c
- Bluetooth: hci_sync: Fix UAF in hci_acl_create_conn_sync
(git-fixes).
- Bluetooth: hci_sync: Fix UAF on hci_abort_conn_sync (git-fixes).
- Bluetooth: hci_conn: Fix UAF Write in
__hci_acl_create_connection_sync (git-fixes).
- commit cc24dff
- Bluetooth: hci_event: Fix not using key encryption size when
its known (git-fixes).
- Bluetooth: Remove pending ACL connection attempts
(stable-fixes).
- Bluetooth: hci_conn: Only do ACL connections sequentially
(stable-fixes).
- commit 45b89a8
- kernel-source: Remove log.sh from sources
- commit 96bd779
- powerpc/eeh: Fix missing PE bridge reconfiguration during VFIO
EEH recovery (bsc#1215199).
- commit 8ae69e3
- ima: Suspend PCR extends and log appends when rebooting
(bsc#1210025 ltc#196650).
- commit 25c308f
- ACPI: CPPC: Fix NULL pointer dereference when nosmp is used
(git-fixes).
- regulator: max20086: Fix refcount leak in
max20086_parse_regulators_dt() (git-fixes).
- commit 5b8c5a3
- scsi: dc395x: Remove leftover if statement in reselect()
(git-fixes).
- commit c259874
- loop: add file_start_write() and file_end_write() (git-fixes).
- scsi: dc395x: Remove DEBUG conditional compilation (git-fixes).
- scsi: hisi_sas: Call I_T_nexus after soft reset for SATA disk
(git-fixes).
- scsi: qedf: Use designated initializer for struct
qed_fcoe_cb_ops (git-fixes).
- scsi: sd_zbc: block: Respect bio vector limits for REPORT
ZONES buffer (git-fixes).
- scsi: mpi3mr: Add level check to control event logging
(git-fixes).
- scsi: st: Tighten the page format heuristics with MODE SELECT
(git-fixes).
- scsi: st: ERASE does not change tape location (git-fixes).
- scsi: mpt3sas: Send a diag reset if target reset fails
(git-fixes).
- scsi: st: Restore some drive settings after reset (git-fixes).
- commit 6dba36f
- x86/mm/init: Handle the special case of device private
pages in add_pages(), to not increase max_pfn and trigger
dma_addressing_limited() bounce buffers (git-fixes).
- commit d67c7bf
- PCI/MSI: Size device MSI domain with the maximum number of
vectors (git-fixes).
- PCI: dw-rockchip: Remove PCIE_L0S_ENTRY check from
rockchip_pcie_link_up() (git-fixes).
- PCI: apple: Set only available ports up (git-fixes).
- PCI: dwc: ep: Correct PBA offset in .set_msix() callback
(git-fixes).
- PCI: endpoint: Retain fixed-size BAR size as well as aligned
size (git-fixes).
- kABI: PCI: endpoint: Retain fixed-size BAR size as well as
aligned size (git-fixes).
- PCI/DPC: Log Error Source ID only when valid (git-fixes).
- serial: mctrl_gpio: split disable_ms into sync and no_sync APIs
(git-fixes).
- kABI: serial: mctrl_gpio: split disable_ms into sync and
no_sync APIs (git-fixes).
- x86/kaslr: Reduce KASLR entropy on most x86 systems (git-fixes).
- PCI/DPC: Use defines with DPC reason fields (git-fixes).
- commit 67e24e5
- Bluetooth: MGMT: Fix sparse errors (git-fixes).
- commit bcd5c33
- wifi: ath11k: validate ath11k_crypto_mode on top of
ath11k_core_qmi_firmware_ready (git-fixes).
- ath10k: snoc: fix unbalanced IRQ enable in crash recovery
(git-fixes).
- Bluetooth: hci_sync: Fix broadcast/PA when using an existing
instance (git-fixes).
- Bluetooth: Fix NULL pointer deference on eir_get_service_data
(git-fixes).
- net/mdiobus: Fix potential out-of-bounds clause 45 read/write
access (git-fixes).
- net/mdiobus: Fix potential out-of-bounds read/write access
(git-fixes).
- Bluetooth: MGMT: Fix UAF on mgmt_remove_adv_monitor_complete
(git-fixes).
- Bluetooth: hci_core: fix list_for_each_entry_rcu usage
(git-fixes).
- ptp: remove ptp->n_vclocks check logic in ptp_vclock_in_use()
(git-fixes).
- pinctrl: st: Drop unused st_gpio_bank() function (git-fixes).
- pinctrl: qcom: pinctrl-qcm2290: Add missing pins (git-fixes).
- commit d9ecc09
- sch_hfsc: Fix qlen accounting bug when using peek in
hfsc_enqueue() (CVE-2025-38000 bsc#1244277).
- commit ffb9ab4
- net_sched: sch_fifo: implement lockless __fifo_dump() (bsc#1237312)
- commit 8196566
- Revert "ipv6: save dontfrag in cork (git-fixes)."
This reverts commit d3fe600164867bd0529ed1049fbd53ca9fce2eaf.
See https://lore.kernel.org/all/aElivdUXqd1OqgMY@karahi.gladserv.com/
and https://bugzilla.suse.com/show_bug.cgi?id=1244313.
- commit b9e7a4e
- Revert "kABI: ipv6: save dontfrag in cork (git-fixes)."
This reverts commit cbc81e238815721048ac709726467c90981753c9.
See https://lore.kernel.org/all/aElivdUXqd1OqgMY@karahi.gladserv.com/
and https://bugzilla.suse.com/show_bug.cgi?id=1244313.
- commit 38d0091
- kABI fix for net: Remove RTNL dance for SIOCBRADDIF and
SIOCBRDELIF (CVE-2025-22111 bsc#1241572).
- commit edfd43c
- page_pool: avoid infinite loop to schedule delayed worker
(CVE-2025-37859 bsc#1243051).
- commit b8f1dfd
- tipc: fix memory leak in tipc_link_xmit (CVE-2025-37757 bsc#1242521)
- commit 48e0415
- struct usci: hide additional member (git-fixes).
- commit 1b8456a
- net_sched: Flush gso_skb list too during ->change()
(CVE-2025-37992 bsc#1243698).
- netfilter: ipset: fix region locking in hash types
(CVE-2025-37997 bsc#1243832).
- ipvs: fix uninit-value for saddr in do_output_route4
(CVE-2025-37961 bsc#1243523).
- net: dsa: free routing table on probe failure (CVE-2025-37786
bsc#1242725).
- net: tls: explicitly disallow disconnect (CVE-2025-37756
bsc#1242515).
- net: Remove RTNL dance for SIOCBRADDIF and SIOCBRDELIF
(CVE-2025-22111 bsc#1241572).
- vlan: enforce underlying device type (CVE-2025-21920
bsc#1240686).
- xfrm: delete intermediate secpath entry in packet offload mode
(CVE-2025-21720 bsc#1238859).
- xfrm: state: fix out-of-bounds read during lookup
(CVE-2024-57982 bsc#1237913).
- rxrpc: Fix handling of received connection abort (CVE-2024-58053
bsc#1238982).
- commit d3e755f
- isolcpus: fix bug in returning number of allocated cpumask (bsc#1243774).
Return the correct upper limit of the allocated cpumask.
modified:
- patches.suse/lib-group_cpus-honor-housekeeping-config-when-grouping.patch
- patches.suse/lib-group_cpus-let-group_cpu_evenly-return-number.patch
- commit 092bf4a
- xen/arm: call uaccess_ttbr0_enable for dm_op hypercall (git-fixes)
- commit 24d5250
- arm64: dts: marvell: uDPU: define pinctrl state for alarm LEDs (git-fixes)
- commit 28d162e
- Revert "arm64: dts: allwinner: h6: Use RSB for AXP805 PMIC (git-fixes)
- commit 9dd3301
- xen/x86: fix initial memory balloon target (git-fixes).
- commit 7e938b1
- ALSA: usb-audio: Add a quirk for Lenovo Thinkpad Thunderbolt
3 dock (stable-fixes).
- ALSA: usb-audio: Fix NULL pointer deref in
snd_usb_power_domain_set() (git-fixes).
- commit 9d209cd
- ALSA: usb-audio: Rename Pioneer mixer channel controls
(git-fixes).
- ALSA: usb-audio: Add Pioneer DJ DJM-V10 support (stable-fixes).
- ALSA: usb-audio: Fix duplicated name in MIDI substream names
(stable-fixes).
- ALSA: usb-audio: mixer: Remove temporary string use in
parse_clock_source_unit (stable-fixes).
- commit e8737ac
- ALSA: usb-audio: Set MIDI1 flag appropriately for GTB MIDI
1.0 entry (stable-fixes).
- ALSA: usb-audio: Accept multiple protocols in GTBs
(stable-fixes).
- ALSA: usb-audio: Add name for HP Engage Go dock (stable-fixes).
- commit 498a796
- Revert "ALSA: usb-audio: Skip setting clock selector for single
connections" (stable-fixes).
- Refresh
patches.suse/ALSA-usb-audio-Ignore-clock-selector-errors-for-sing.patch.
- Refresh
patches.suse/ALSA-usb-audio-Support-multiple-control-interfaces.patch.
- commit d0138e9
- ALSA: usb-audio: Support read-only clock selector control
(stable-fixes).
- Refresh
patches.suse/ALSA-usb-audio-Ignore-clock-selector-errors-for-sing.patch.
- Refresh
patches.suse/ALSA-usb-audio-Support-multiple-control-interfaces.patch.
- commit ee97bec
- ALSA: usb-audio: Skip setting clock selector for single
connections (stable-fixes).
- Refresh
patches.suse/ALSA-usb-audio-Ignore-clock-selector-errors-for-sing.patch.
- Refresh
patches.suse/ALSA-usb-audio-Support-multiple-control-interfaces.patch.
- commit 7326e0b
- ALSA: usb-audio: Add implicit feedback quirk for RODE AI-1
(stable-fixes).
- ALSA: usb-audio: enable support for Presonus Studio 1824c
within 1810c file (stable-fixes).
- ALSA: usb-audio: Support multiple control interfaces
(stable-fixes).
- ALSA: usb-audio: Check shutdown at endpoint_set_interface()
(stable-fixes).
- commit d4a0ce3
- wifi: ath11k: update channel list in worker when wait flag is
set (bsc#1243847).
- commit 4cfebaa
- net: lan743x: Fix memleak issue when GSO enabled (CVE-2025-37909
bsc#1243467).
- vxlan: vnifilter: Fix unlocked deletion of default FDB entry
(CVE-2025-37921 bsc#1243480).
- commit 788c92a
- watchdog: mediatek: Add support for MT6735 TOPRGU/WDT
(git-fixes).
- commit 4df631e
- watchdog: it87_wdt: add PWRGD enable quirk for Qotom QCML04
(git-fixes).
- commit ba2db88
- module: ensure that kobject_put() is safe for module type kobjects (CVE-2025-37995 bsc#1243827)
- commit 6979c9a
- mkspec: Exclude rt flavor from kernel-syms dependencies (bsc#1244337).
- commit 7c95ae0
- x86/xen: fix balloon target initialization for PVH dom0
(git-fixes).
- commit ad18aba
- powerpc/vas: Return -EINVAL if the offset is non-zero in mmap()
(bsc#1244309 ltc#213790).
- powerpc/powernv/memtrace: Fix out of bounds issue in memtrace
mmap (bsc#1244309 ltc#213790).
- commit 2d4ad48
- tracing: Verify event formats that have "%*p.." (CVE-2025-37938
bsc#1243544).
- tracing: Add __print_dynamic_array() helper (bsc#1243544).
- tracing: Add __string_len() example (bsc#1243544).
- commit c705d1d
- libgcrypt
-
- Security fix [bsc#1221107, CVE-2024-2236]
* Add --enable-marvin-workaround to spec to enable workaround
* Fix timing based side-channel in RSA implementation ( Marvin attack )
* Add libgcrypt-CVE-2024-2236_01.patch
* Add libgcrypt-CVE-2024-2236_02.patch
- python311:base
-
- Add CVE-2025-6069-quad-complex-HTMLParser.patch to avoid worst
case quadratic complexity when processing certain crafted
malformed inputs with HTMLParser (CVE-2025-6069, bsc#1244705).
- Use one core to build doc. This will make sphinx doc build
reproducible.
bsc#1243155
- Update to 3.11.13:
- Security
- gh-135034: Fixes multiple issues that allowed tarfile
extraction filters (filter="data" and filter="tar")
to be bypassed using crafted symlinks and hard links.
Addresses CVE-2024-12718 (bsc#1244056), CVE-2025-4138
(bsc#1244059), CVE-2025-4330 (bsc#1244060), and
CVE-2025-4517 (bsc#1244032). Also addresses CVE-2025-4435
(gh#135034, bsc#1244061).
- gh-133767: Fix use-after-free in the “unicode-escape”
decoder with a non-“strict” error handler (CVE-2025-4516,
bsc#1243273).
- gh-128840: Short-circuit the processing of long IPv6
addresses early in ipaddress to prevent excessive memory
consumption and a minor denial-of-service.
- Library
- gh-128840: Fix parsing long IPv6 addresses with embedded
IPv4 address.
- gh-134062: ipaddress: fix collisions in __hash__() for
IPv4Network and IPv6Network objects.
- gh-123409: Fix ipaddress.IPv6Address.reverse_pointer output
according to RFC 3596, §2.5. Patch by Bénédikt Tran.
- bpo-43633: Improve the textual representation of
IPv4-mapped IPv6 addresses (RFC 4291 Sections 2.2, 2.5.5.2)
in ipaddress. Patch by Oleksandr Pavliuk.
- Remove upstreamed patches:
- gh-126572-test_ssl-no-stop-ThreadedEchoServer-OSError.patch
- CVE-2025-4516-DecodeError-handler.patch
- Add CVE-2025-4516-DecodeError-handler.patch fixing
CVE-2025-4516 (bsc#1243273) blocking DecodeError handling
vulnerability, which could lead to DoS.
- Use extended %autopatch.
- rpm
-
- fix --runposttrans not working correctly with the --root
option [bnc#1216091]
* updated patch: posttrans.diff
* added "rpm_fixed_runposttrans" provides for libzypp
- print scriptlet messages in --runposttrans
* needed to fix leaking tmp files [bsc#1218459]
* updated patch: posttrans.diff
- fix memory leak in str2locale [bsc#1241052]
* updated patch: localetag.diff
- libsolv
-
- add support for product-obsoletes() provides in the product
autopackage generation code
- bump version to 0.7.34
- improve transaction ordering by allowing more uninst->uninst
edges [bsc#1243457]
- implement color filtering when adding update targets
- support orderwithrequires dependencies in susedata.xml
- bump version to 0.7.33
- build both static and dynamic libraries on new suse distros
- support the apk package and repository format (both v2 and v3)
- new dataiterator_final_{repo,solvable} functions
- bump version to 0.7.32
- Provide a symbol specific for the ruby-version
so yast does not break across updates (boo#1235598)
- fix replaces_installed_package using the wrong solvable id
when checking the noupdate map
- make POOL_FLAG_ADDFILEPROVIDESFILTERED behaviour more standard
- add rpm_query_idarray query function
- support rpm's "orderwithrequires" dependency
- bump version to 0.7.31
- libzypp
-
- Allow explicit request to probe an added repo's URL
(bsc#1246466)
- Fix tests with -DISABLE_MEDIABACKEND_TESTS=1 (fixes #661)
- version 17.37.12 (35)
- Add runtime check for a broken rpm-4.18.0 --runpostrans
(bsc#1246149)
- Add regression test for bsc#1245220 and some other filesize
related tests.
- version 17.37.11 (35)
- BuildRequires: %{libsolv_devel_package} >= 0.7.34 (bsc#1243486)
Newer rpm versions no longer allow a ':' in rpm package names or
obsoletes. So injecting an
Obsoletes: product:oldproductname < oldproductversion
into the -release package to indicate a product rename is no longer
possible.
Since libsolv-0.7.34 you can and should use:
Provides: product-obsoletes(oldproductname) < oldproductversion
in the -release package. libsolv will then inject the appropriate
Obsoletes into the Product.
- version 17.37.10 (35)
- Ignore DeltaRpm download errors (bsc#1245672)
DeltaRpms are in fact optional resources. In case of a failure
the full rpm is downloaded.
- Improve fix for incorrect filesize handling (bsc#1245220)
- version 17.37.9 (35)
- Do not trigger download data exceeded errors on HTTP non data
responses (bsc#1245220)
In some cases a HTTP 401 or 407 did trigger a "filesize exceeded"
error, because the response payload size was compared against the
expected filesize. This patch adds some checks if the response
code is in the success range and only then takes expected
filesize into account. Otherwise the response content-length is
used or a fallback of 2Mb if no content-length is known.
- version 17.37.8 (35)
- Fix SEGV in MediaDISK handler (bsc#1245452)
- Explicitly selecting DownloadAsNeeded also selects the
classic_rpmtrans backend.
DownloadAsNeeded can not be combined with the rpm singletrans
installer backend because a rpm transaction requires all package
headers to be available the the beginning of the transaction. So
explicitly selecting this mode also turns on the classic_rpmtrans
backend.
- Fix evaluation of libproxy results (bsc#1244710)
- version 17.37.7 (35)
- Enhancements regarding mirror handling during repo refresh.
Added means to disable the use of mirrors when downloading
security relevant files. Requires updaing zypper to 1.14.91.
- Fix autotestcase writer if ZYPP_FULLLOG=1 (bsc#1244042)
If ZYPP_FULLLOG=1 a solver testcase to
"/var/log/YaST2/autoTestcase" should be written for each solver
run. There was no testcase written for the very first solver run.
This is now fixed.
- Pass $1==2 to %posttrans script if it's an update (bsc#1243279)
- version 17.37.6 (35)
- Fix credential handling in HEAD requests (bsc#1244105)
- version 17.37.5 (35)
- RepoInfo: use pathNameSetTrailingSlash (fixes #643)
- Fix wrong userdata parameter type when running zypp with debug
verbosity (bsc#1239012)
- version 17.37.4 (35)
- Do not warn about no mirrors if mirrorlist was switched on
automatically. (bsc#1243901)
- Relax permission of cached packages to 0644 & ~umask
(bsc#1243887)
- version 17.37.3 (35)
- Add a note to service maintained .repo file entries (fixes #638)
- Support using %{url} variable in a RIS service's repo section.
- version 17.37.2 (35)
- Use a cookie file to validate mirrorlist cache.
This patch extends the mirrorlist code to use a cookie file to
validate the contents of the cache against the source URL, making
sure that we do not accidentially use a old cache when the
mirrorlist url was changed. For example when migrating a system
from one release to the next where the same repo alias might just
have a different URL.
- Let Service define and update gpgkey, mirrorlist and metalink.
- Preserve a mirrorlist file in the raw cache during refresh.
- version 17.37.1 (35)
- Code16: Enable curl2 backend and parallel package download by
default. In Code15 it's optional.
Environment variables ZYPP_CURL2=<0|1> and ZYPP_PCK_PRELOAD=<0|1>
can be used to turn the features on or off.
- Make gpgKeyUrl the default source for gpg keys.
When refreshing zypp now primarily uses gpgKeyUrl information
from the repo files and only falls back to a automatically
generated key Url if a gpgKeyUrl was not specified.
- Introduce mirrors into the Media backends (bsc#1240132)
- Drop MediaMultiCurl backend.
- Throttle progress updates when preloading packages (bsc#1239543)
- Check if request is in valid state in CURL callbacks (fixes
openSUSE/zypper#605)
- spec/CMake: add conditional build
'--with[out] classic_rpmtrans_as_default'.
classic_rpmtrans is the current builtin default for SUSE,
otherwise it's single_rpmtrans.
The `enable_preview_single_rpmtrans_as_default_for_zypper` switch
was removed from the spec file. Accordingly the CMake option
ENABLE_PREVIEW_SINGLE_RPMTRANS_AS_DEFAULT_FOR_ZYPPER was removed.
- version 17.37.0 (35)
- fixed build with boost 1.88.
- XmlReader: Fix detection of bad input streams (fixes #635)
libxml2 2.14 potentially reads the complete stream, so it may
have the 'eof' bit set. Which is not 'good' but also not 'bad'.
- rpm: Fix detection of %triggerscript starts (bsc#1222044)
- RepoindexFileReader: add more <repo> related attributes a
service may set.
Add optional attributes gpgcheck, repo_gpgcheck, pkg_gpgcheck,
keeppackages, gpgkey, mirrorlist, and metalink with the same
semantic as in a .repo file.
- version 17.36.7 (35)
- Drop workaround for broken rpm-4.18 in Code16 (bsc#1237172)
- BuildRequires: %{libsolv_devel_package} >= 0.7.32.
Code16 moved static libs to libsolv-devel-static.
- Drop usage of SHA1 hash algorithm because it will become
unavailable in FIPS mode (bsc#1240529)
- Fix zypp.conf dupAllowVendorChange to reflect the correct
default (false).
The default was true in Code12 (libzypp-16.x) and changed to
false with Code15 (libzypp-17.x). Unfortunately this was done by
shipping a modified zypp.conf file rather than fixing the code.
- zypp.conf: Add `lock_timeout` ($ZYPP_LOCK_TIMEOUT) (bsc#1239809)
- version 17.36.6 (35)
- Fix computation of RepStatus if Repo URLs change.
- Fix lost double slash when appending to an absolute FTP url
(bsc#1238315)
Ftp actually differs between absolute and relative URL paths.
Absolute path names begin with a double slash encoded as '/%2F'.
This must be preserved when manipulating the path.
- version 17.36.5 (35)
- Add a transaction package preloader (fixes openSUSE/zypper#104)
This patch adds a preloader that concurrently downloads files
during a transaction commit. It's not yet enabled per default.
To enable the preview set ZYPP_CURL2=1 and ZYPP_PCK_PRELOAD=1
in the environment.
- RpmPkgSigCheck_test: Exchange the test package signingkey
(fixes #622)
- Exclude MediaCurl tests if DISABLE_MEDIABACKEND_TESTS (fixes #626)
- Strip a mediahandler tag from baseUrl querystrings.
- version 17.36.4 (35)
- Disable zypp.conf:download.use_deltarpm by default (fixes #620)
Measurements show that you don't benefit from using deltarpms
unless your network connection is very slow. That's why most
distributions even stop offering deltarpms. The default remains
unchanged on SUSE-15.6 and older.
- Make sure repo variables are evaluated in the right context
(bsc#1237044)
- Introducing MediaCurl2 a alternative HTTP backend.
This patch adds MediaCurl2 as a testbed for experimenting with a
more simple way to download files. Set ZYPP_CURL2=1 in the
environment to use it.
- version 17.36.3 (35)
- Filesystem usrmerge must not be done in singletrans mode
(bsc#1236481, bsc#1189788)
Commit will amend the backend in case the transaction would
perform a filesystem usrmerge.
- Workaround bsc#1216091 on Code16.
- version 17.36.2 (35)
- Don't issue deprecated warnings if -DNDEBUG is set (bsc#1236983)
Released libyui packages compile with -Werror=deprecated-declarations
so we can't add deprecated warnings without breaking them.
- make gcc15 happy (fixes #613)
- version 17.36.1 (35)
- Drop zypp-CheckAccessDeleted in favor of 'zypper ps'.
- Fix Repoverification plugin not being executed (fixes #614)
- Refresh: Fetch the master index file before key and signature
(bsc#1236820)
- Allow libzypp to compile with C++20.
- Deprecate RepoReports we do not trigger.
- version 17.36.0 (35)
- Create '.keep_packages' in the package cache dir to enforce
keeping downloaded packages of all repos cahed there (bsc#1232458)
- version 17.35.19 (35)
- Fix missing UID checks in repomanager workflow (fixes #603)
- version 17.35.18 (35)
- Move cmake config files to LIB_INSTALL_DIR/cmake/Zypp (fixes #28)
- Fix 'zypper ps' when running in incus container (bsc#1229106)
Should apply to lxc and lxd containers as well.
- Re-enable 'rpm --runposttrans' usage for chrooted systems
(bsc#1216091)
- version 17.35.17 (35)
- perl
-
- do not change the current directory when cloning an open
directory handle [bnc#1244079] [CVE-2025-40909]
new patch: perl-dirdup.diff
- podman
-
- Added patch to remove using rw as a default mount option (bsc#1239776)
* 0007-Fix-Remove-appending-rw-as-the-default-mount-option.patch
- Rebase patches:
* 0001-vendor-update-c-buildah-to-1.33.12.patch
* 0002-Backport-fix-for-CVE-2024-6104.patch
* 0003-Switch-hashicorp-go-retryablehttp-to-the-SUSE-fork.patch
* 0004-http2-close-connections-when-receiving-too-many-head.patch
* 0005-CVE-2025-27144-vendor-don-t-allow-unbounded-amounts-.patch
* 0006-CVE-2025-22869-ssh-limit-the-size-of-the-internal-pa.patch
- python-requests
-
- Add CVE-2024-47081.patch upstream patch, fixes netrc credential leak
(gh#psf/requests#6965, CVE-2024-47081, bsc#1244039)
- Switch to pyproject macros.
- python311
-
- Add CVE-2025-6069-quad-complex-HTMLParser.patch to avoid worst
case quadratic complexity when processing certain crafted
malformed inputs with HTMLParser (CVE-2025-6069, bsc#1244705).
- Use one core to build doc. This will make sphinx doc build
reproducible.
bsc#1243155
- Update to 3.11.13:
- Security
- gh-135034: Fixes multiple issues that allowed tarfile
extraction filters (filter="data" and filter="tar")
to be bypassed using crafted symlinks and hard links.
Addresses CVE-2024-12718 (bsc#1244056), CVE-2025-4138
(bsc#1244059), CVE-2025-4330 (bsc#1244060), and
CVE-2025-4517 (bsc#1244032). Also addresses CVE-2025-4435
(gh#135034, bsc#1244061).
- gh-133767: Fix use-after-free in the “unicode-escape”
decoder with a non-“strict” error handler (CVE-2025-4516,
bsc#1243273).
- gh-128840: Short-circuit the processing of long IPv6
addresses early in ipaddress to prevent excessive memory
consumption and a minor denial-of-service.
- Library
- gh-128840: Fix parsing long IPv6 addresses with embedded
IPv4 address.
- gh-134062: ipaddress: fix collisions in __hash__() for
IPv4Network and IPv6Network objects.
- gh-123409: Fix ipaddress.IPv6Address.reverse_pointer output
according to RFC 3596, §2.5. Patch by Bénédikt Tran.
- bpo-43633: Improve the textual representation of
IPv4-mapped IPv6 addresses (RFC 4291 Sections 2.2, 2.5.5.2)
in ipaddress. Patch by Oleksandr Pavliuk.
- Remove upstreamed patches:
- gh-126572-test_ssl-no-stop-ThreadedEchoServer-OSError.patch
- CVE-2025-4516-DecodeError-handler.patch
- Add CVE-2025-4516-DecodeError-handler.patch fixing
CVE-2025-4516 (bsc#1243273) blocking DecodeError handling
vulnerability, which could lead to DoS.
- Use extended %autopatch.
- sudo
-
- Fix a possible local privilege escalation via the --host option
[bsc#1245274, CVE-2025-32462]
- Fix a possible local privilege Escalation via chroot option
[bsc#1245275, CVE-2025-32463]
- zypper
-
- sh: Reset solver options after command (bsc#1245496)
- Explicitly selecting DownloadAsNeeded also selects the
classic_rpmtrans backend.
- version 1.14.92
- BuildRequires: libzypp-devel >= 17.37.6.
Enhancements regarding mirror handling during repo refresh. Adapt
to libzypp API changes. (bsc#1230267)
- version 1.14.91
- BuildRequires: libzypp-devel >= 17.37.0.
- Use libzypp improvements for preload and mirror handling.
- xmlout.rnc: Update repo-element (bsc#1241463)
Add the "metalink" attribute and reflect that the "url" elements
list may in fact be empty, if no baseurls are defined in the
.repo files.
- man: update --allow-unsigned-rpm description.
Explain how to achieve the same for packages provided by
repositories.
- version 1.14.90
- Updated translations (bsc#1230267)
- version 1.14.89
- Do not double encode URL strings passed on the commandline
(bsc#1237587)
URLs passed on the commandline must have their special chars
encoded already. We just want to check and encode forgotten
unsafe chars like a blank. A '%' however must not be encoded
again.
- version 1.14.88
- Package preloader that concurrently downloads files. It's not yet
enabled per default. To enable the preview set ZYPP_CURL2=1 and
ZYPP_PCK_PRELOAD=1 in the environment. (#104)
- BuildRequires: libzypp-devel >= 17.36.4.
- version 1.14.87
- refresh: add --include-all-archs (fixes #598)
Future multi-arch repos may allow to download only those metadata
which refer to packages actually compatible with the systems
architecture. Some tools however want zypp to provide the full
metadata of a repository without filtering incompatible
architectures.
- info,search: add option to search and list Enhances
(bsc#1237949)
- version 1.14.86
- Annonunce --root in commands not launching a Target
(bsc#1237044)
- BuildRequires: libzypp-devel >= 17.36.3.
- version 1.14.85
- Let zypper dup fail in case of (temporarily) unaccessible repos
(bsc#1228434, bsc#1236939, fixes #446)
- version 1.14.84
- New system-architecture command (bsc#1236384)
Prints the detected system architecture.
- version 1.14.83
- requires: libzypp >= 17.36.0.
- Change versioncmp command to return exit code according to the
comparison result (#593)
- version 1.14.82
- lr: show the repositories keep-packages flag (bsc#1232458)
It is shown in the details view or by using -k,--keep-packages.
In addition libyzpp supports to enforce keeping downloaded
packages of all repos within a package cache by creating a
'.keep_packages' file there.
- version 1.14.81
- Try to refresh update repos first to have updated GPG keys on
the fly (bsc#1234752)
An update repo may contain a prolonged GPG key for the GA repo.
Refreshing the update repo first updates a trusted key on the fly
and avoids a 'key has expired' warning being issued when
refreshing the GA repo.
- Refresh: restore legacy behavior and suppress Exception
reporting as non-root (bsc#1235636)
- version 1.14.80
- info: Allow to query a specific version (jsc#PED-11268)
To query for a specific version simply append "-<version>" or
"-<version>-<release>" to the "<name>" pattern. Note that the
edition part must always match exactly.
- version 1.14.79
- Don't try to download missing raw metadata if cache is not
writable (bsc#1225451)
- man: Update 'search' command description.
Hint to "se -v" showing the matches within the packages metadata.
Explain that search strings starting with a "/" will implicitly
look into the filelist as well. Otherfise an explicit "-f" is
needed.
- version 1.14.78