amazon-ssm-agent
- Fix mangled ExclusiveArch field
- Update to version 3.1.1260.0
  + Added missing check for invalid S3 path parameter
  + Added support for domain join using a non-local username
  + Fixed broken links in README.md
  + Fixed ECS Exec issue where agent was using environment variables for credentials
  + Updated Ec2Detector test to query smbios directly for system information
- from version 3.1.1208.0
  + Updated ec2detector module to use Get-CimInstance instead of wmic.exe
  + Fixed file creation mode of ssm-agent-users sudoer file (bsc#1196556, CVE-2022-29527)
- from version 3.1.1188.0
  + Added new ec2detector module to determine if agent is on EC2
  + Added support for port forwarding to remote host
  + Added quotes around inventory parameter ValueName on Windows
  + Fix for domain join DNS IP assignments in shared directories
  + Replaced namedpipe updater test with ec2detector test
- from version 3.1.1141.0
  + Add application inventory by file for Bottlerocket
  + Fix infinite retry logic to send failed replies in MGSInteractor
  + Remove usage of io/fs package
- from version 3.1.1080.0
  + (windows only) Remove symlink scan during update
- from version 3.1.1045.0
  + Fixed sourceHash validation for aws:application document plugin
  + Added document parameter validation for values passed to target document of aws:runDocument plugin
  + (windows only) Fix process leak when legacy cloudwatch plugin is enabled
  + (windows only) Fail installation if C:\ProgramData\Amazon\SSM has symlinks
- from version 3.1.1004.0
  + Added platform detection for Bottlerocket OS
  + Consolidated regional endpoint generation to common endpoint module
- from version 3.1.941.0
  + Added support for Rocky linux
  + Fixed sharefile/shareprofile not being propagated to updateutil
  + Fixed incorrect darwin platform detection post BigSur
  + Fixed log flush issue in updater
  + Updated .NET dependencies for domainjoin and cloudwatch (windows only)
  + Updated go version to 1.17.6
- from version 3.1.821.0
  + Implement new core module named MessageService to start processing commands from both MGS and MDS
  * Merge functionalities from RunCommandService core module and Session core module.
  * Receive run command documents through MGS if connected and fallback to MDS otherwise.
    This functionality requires appropriate permissions for both endpoints and will be rolled
    out gradually to end users.
  * Provide filesystem based idempotency check to avoid duplicate run command document execution.
  * Increase default run command pool buffer size from 1 to 5 to load additional documents
    before-hand for processing.
  + Fix nil pointer dereference panic produced in named pipe test case during agent update
  + Remove StopType concept in ssm-agent-worker and add different waits for reboot and shutdown stop
- from version 3.1.804.0
  + Add support for upstart when running get-diagnostic command using ssm-cli
  + Fix systemctl service name to support older versions of systemctl
  + Include changes to facilitate testing
  + Update DNS server selection logic for seamless domain join on linux and darwin
  + Update go version to go1.17.5
  + Update golang sys package dependency
- from version 3.1.715.0
  + Derive default directories from appconfig on Darwin
  + Set x-bit on newly-created directories
- from version 3.1.634.0
  + Fix for ssm-setup-cli to be able to select service manager without the agent being installed
- from version 3.1.630.0
  + Added greengrass component recipe for the new SystemsManagerAgent component
  + Added support for registering agent on a greengrass device
  + Added support for downloading more than 1000 objects in downloadContent
  + Fixed retry logic for onprem and s3 upload
  + Fixed unit tests when running on Mac
  + Update AWS SDK to v1.41.4
  + Update logic to retrieve platform details for Rocky Linux
- from version 3.1.501.0
  + Add diagnostics command to ssm-cli
  + Fix caching for onprem credentials
  + Additional configuration options for Seamless Domain Join
  + Gracefully exit session if group of runas user is modified
  + Skip retries for cert validation errors in S3 HEAD requests
  + Fix DNS failures on CentOS 8.2
  + Update several dependencies
- from version 3.1.459.0
  + Fixed a bug with powershell command for Inventory
- from version 3.1.426.0
  + Fixed cpu spike issue manifesting on snap
  + Fixed issue with version comparison in EC2Config update plugin
  + Fixed panic when command output was being truncated
  + Updated build to use go1.16.8
  + Removed Profile from inventory powershell commands on Windows
- from version 3.1.338.0
  + Fix to eliminate WaitGroup reuse panic triggered during agent reboot
  + Fix to include applications without UninstallString in Inventory for Windows
  + Fixed a bug where multi-plugin documents with large outputs would timeout RunCommand
  + Fixed a bug where RunCommand could delay executions for up to 15 minutes
- from version 3.1.282.0
  + Add serial port logging of AwsNitroEnclaves package version on windows during startup
  + Allow usage of existing loggroup/logstream when the user does not have create permission
  + Change service interrogate request log to debug
  + Cleanup old surveyor channel files on startup
  + Fix filehandle leak in windows leading to agent going offline
  + Fix to schedule correct next run time during orchestration directories cleanup
  + Fix to sequentially update correct runcount value in the document bookkeeping file
  + Fix a bug with version parsing EC2Config updater
  + Updated rpm packaging for fips compliance
- from version 3.1.192.0
  + Added darwin arm64 to makefile
  + Added logic to limit orchestration directory cleanup
  + Added packaging for public SSM Agent container image
  + Fixed cloudwatch endpoint for telemetry metrics requests
  + Fixed handling of Windows filepaths and mutex locks
  + Fixed agent worker handling of OS signals and termination channel requests
  + Updated datachannel retry strategy to not retry for a specific error scenario
  + Updated default gomaxproc value for Windows
  + Update build to use go1.16.6
- from version 3.1.127.0
  + Added a workaround for windows random halts
  + Fixed race condition during reboot document execution
- from version 3.1.90.0
  + Updated to version 3.1
  + Updated build to build statically linked binaries for linux 64bit
  * Minimum supported linux kernel version for linux 64bit is 3.2+
  + Fixed permissions for docker config file
  + Fixed issue with ubuntu prerm and postinst scripts
  + Fixed issue where processor stop was being called twice
- from version 3.0.1390.0
  + Added config option to delete orchestration folder
  + Added snapcraft packaging config
  + Added workaround for aws:runDocument status bug
  + Added improved handling of file closure
  + Added support for go mod and updated build to use go 1.16.4
  + Fixed bug parsing vpce s3 urls
  + Refactored use of agent identity in agent cli
  + Updated check if agent is running as windows service
  + Updated handling of session cancellation to still send output to client side
  + Updated interactive session exit code logic to match non-interactive mode
  + Updated vendor dependencies
- Update directory path for GOPATH
- Update to version 3.0.1295.0
  + Added configurable custom identity and identity consumption order
  + Added cross-account domain join
  + Added cleanup for older versions of updater artifacts
  + Added a workaround for MacOS kernel bug that sometimes kept RunCommand from launching
  + Added a workaround for log file contention on Windows
  + Added synchronization to RunCommand service stop
  + Changed hibernation log level
  + MacOS executables are now signed
  + Removed delay in non-interactive session type
audit-secondary
- Fix unhandled ECONNREFUSED with LDAP environments (bsc#1196645)
  * add libaudit-fix-unhandled-ECONNREFUSED-from-getpwnam-25.patch
bind
- Security Fixes:
  * Previously, there was no limit to the number of database lookups
  performed while processing large delegations, which could be abused
  to severely impact the performance of named running as a recursive
  resolver. This has been fixed.
  [bsc#1203614, CVE-2022-2795, bind-CVE-2022-2795.patch]
  * A memory leak was fixed that could be externally triggered in the
  DNSSEC verification code for the ECDSA algorithm.
  [bsc#1203619, CVE-2022-38177, bind-CVE-2022-38177.patch]
  * Memory leaks were fixed that could be externally triggered in the
  DNSSEC verification code for the EdDSA algorithm.
  [bsc#1203620, CVE-2022-38178, bind-CVE-2022-38178.patch]
binutils
- Add binutils-revert-rela.diff to revert back to old behaviour
  of not ignoring the in-section content of to be relocated
  fields on x86-64, even though that's a RELA architecture.
  Compatibility with buggy object files generated by old tools.
  [bsc#1198422]
ca-certificates-mozilla
- Updated to 2.56 state of Mozilla SSL root CAs (bsc#1202868)
  Added:
  - Certainly Root E1
  - Certainly Root R1
  - DigiCert SMIME ECC P384 Root G5
  - DigiCert SMIME RSA4096 Root G5
  - DigiCert TLS ECC P384 Root G5
  - DigiCert TLS RSA4096 Root G5
  - E-Tugra Global Root CA ECC v3
  - E-Tugra Global Root CA RSA v3
  Removed:
  - Hellenic Academic and Research Institutions RootCA 2011
- Updated to 2.54 state of Mozilla SSL root CAs (bsc#1199079)
  Added:
  - Autoridad de Certificacion Firmaprofesional CIF A62634068
  - D-TRUST BR Root CA 1 2020
  - D-TRUST EV Root CA 1 2020
  - GlobalSign ECC Root CA R4
  - GTS Root R1
  - GTS Root R2
  - GTS Root R3
  - GTS Root R4
  - HiPKI Root CA - G1
  - ISRG Root X2
  - Telia Root CA v2
  - vTrus ECC Root CA
  - vTrus Root CA
  Removed:
  - Cybertrust Global Root
  - DST Root CA X3
  - DigiNotar PKIoverheid CA Organisatie - G2
  - GlobalSign ECC Root CA R4
  - GlobalSign Root CA R2
  - GTS Root R1
  - GTS Root R2
  - GTS Root R3
  - GTS Root R4
- updated to 2.50 state of the Mozilla NSS Certificate store (bsc#1188006)
- Added CAs:
  + HARICA Client ECC Root CA 2021
  + HARICA Client RSA Root CA 2021
  + HARICA TLS ECC Root CA 2021
  + HARICA TLS RSA Root CA 2021
  + TunTrust Root CA
- Updated to 2.46 state of the Mozilla NSS Certificate store (bsc#1181994)
- Added new root CAs:
  - NAVER Global Root Certification Authority
- Removed old root CA:
  - GeoTrust Global CA
  - GeoTrust Primary Certification Authority
  - GeoTrust Primary Certification Authority - G3
  - GeoTrust Universal CA
  - GeoTrust Universal CA 2
  - thawte Primary Root CA
  - thawte Primary Root CA - G2
  - thawte Primary Root CA - G3
  - VeriSign Class 3 Public Primary Certification Authority - G4
  - VeriSign Class 3 Public Primary Certification Authority - G5
cifs-utils
- CVE-2022-29869: mount.cifs: fix verbose messages on option parsing
  (bsc#1198976, CVE-2022-29869)
  * add cifs-utils-CVE-2022-29869.patch
cloud-regionsrv-client
- Follow up fix to 10.0.4 (bsc#1202706)
  - While the source code was updated to support SLE Micro the spec file
    was not updated for the new locations of the cache and the certs.
    Update the spec file to be consistent with the code implementation.
- Update to version 10.0.5 (bsc#1201612)
  - Handle exception when trying to deregister a system from the server
- Update to version 10.0.4 (bsc#1199668)
  - Store the update server certs in the /etc path instead of /usr to
    accommodate read only setup of SLE-Micro
cronie
- Allow to define the logger info and warning priority, fixes
  jsc#SLE-24577
  * run-crons
  * sysconfig.cron
curl
- Security Fix: [bsc#1204383, CVE-2022-32221]
  * POST following PUT confusion
  * Add curl-CVE-2022-32221.patch
- Security fix: [bsc#1202593, CVE-2022-35252]
  * Control codes in cookie denial of service
  * Add curl-CVE-2022-35252.patch
- Security fix: [bsc#1200735, CVE-2022-32206]
  * HTTP compression denial of service
  * Add curl-CVE-2022-32206.patch
- Security fix: [bsc#1200737, CVE-2022-32208]
  * FTP-KRB bad message verification
  * Add curl-CVE-2022-32208.patch
- Security fix: [bsc#1199224, CVE-2022-27782]
  * TLS and SSH connection too eager reuse
  * Add curl-CVE-2022-27782.patch
- Security fix: [bsc#1199223, CVE-2022-27781]
  * CERTINFO never-ending busy-loop
  * Add curl-CVE-2022-27781.patch
dbus-1
- Fix a potential crash that could be triggered by an invalid signature.
  (CVE-2022-42010, bsc#1204111)
  * fix-upstream-CVE-2022-42010.patch
- Fix an out of bounds read caused by a fixed length array (CVE-2022-42011,
  bsc#1204112)
  * fix-upstream-CVE-2022-42011.patch
- A message in non-native endianness with out-of-band Unix file descriptors
  would cause a use-after-free and possible memory corruption (CVE-2022-42012,
  bsc#1204113)
  * fix-upstream-CVE-2022-42012.patch
- Disable asserts (bsc#1087072)
- Refreshed patches
  * dbus-do-autolaunch.patch
  * increase-backlog.patch
  * fix-upstream-timeout-reset-2.patch
  * fix-upstream-CVE-2020-12049_2.patch
dbus-1-x11
- Fix a potential crash that could be triggered by an invalid signature.
  (CVE-2022-42010, bsc#1204111)
  * fix-upstream-CVE-2022-42010.patch
- Fix an out of bounds read caused by a fixed length array (CVE-2022-42011,
  bsc#1204112)
  * fix-upstream-CVE-2022-42011.patch
- A message in non-native endianness with out-of-band Unix file descriptors
  would cause a use-after-free and possible memory corruption (CVE-2022-42012,
  bsc#1204113)
  * fix-upstream-CVE-2022-42012.patch
- Disable asserts (bsc#1087072)
- Refreshed patches
  * dbus-do-autolaunch.patch
  * increase-backlog.patch
  * fix-upstream-timeout-reset-2.patch
  * fix-upstream-CVE-2020-12049_2.patch
dhcp
- bsc#1198657: properly handle DHCRELAY(6)_OPTIONS.
dracut
- Fix vrev so package gets properly updated when coming from older products
  eg. SLE-12.3
expat
- Security fix:
  * (CVE-2022-43680, bsc#1204708) use-after free caused by overeager
    destruction of a shared DTD in XML_ExternalEntityParserCreate in
    out-of-memory situations
  - Added patch expat-CVE-2022-43680.patch
- Security fix:
  * (CVE-2022-40674, bsc#1203438) use-after-free in the doContent
    function in xmlparse.c
  - Added patch expat-CVE-2022-40674.patch
gcc11
- Update to the GCC 11.3.0 release.
  * includes SLS hardening backport on x86_64.  [bsc#1195283]
- Update to gcc-11 branch head (691af15031e00227ba6d5935c), git1635
  * includes gcc11-pr104931.patch
  * includes fix for Firefox ICE  [gcc#105256]
- Add provides/conflicts to glibc crosses since only one GCC version
  for the same target can be installed at the same time.
- Add provides/conflicts to libgccjit.
- Update to gcc-11 branch head (6a1150d1524aeda3381b21717), git1406
  * includes change to adjust gnats idea of the target, fixing
    the build of gprbuild.  [bsc#1196861]
- Add gcc11-pr104931.patch to fix miscompile of embedded premake
  in 0ad on i586.  [bsc#1197065]
- drop armv5tel, merge arm and armv6hl
- use --with-cpu rather than specifying --with-arch/--with-tune
  to Recommends.
- Remove sys/rseq.h from include-fixed
- Update to gcc-11 branch head (d4a1d3c4b377f1d4acb), git1173
  * Fix D memory corruption in -M output.
  * Fix ICE in is_this_parameter with coroutines.  [boo#1193659]
- Enable the cross compilers also on i586
- Enable some cross compilers also in rings
- Remove cross compilers for i386 target
- Update to gcc-11 branch head (7510c23c1ec53aa4a62705f03), git1018
  * fixes issue with debug dumping together with -o /dev/null
  * fixes libgccjit issue showing up in emacs build  [boo#1192951]
- Package mwaitintrin.h
- Remove spurious exit from change_spec.
- Enable the full cross compiler, cross-aarch64-gcc11 and
  cross-riscv64-gcc11 now provide a fully hosted C (and C++)
  cross compiler, not just a freestanding one.  I.e. with a cross
  glibc.  They don't yet support the sanitizer libraries.
  Part of [jsc#OBS-124].
glib2
- Add glib2-CVE-2021-28153.patch: fix CREATE_REPLACE_DESTINATION
  with symlinks (boo#1183533 glgo#GNOME/glib#2325 CVE-2021-28153).
gpg2
- Security fix [CVE-2022-34903, bsc#1201225]
  - Vulnerable to status injection
  - Added patch gnupg-CVE-2022-34903.patch
grub2
- fs/xfs: add bigtime incompat feature support (bsc#1203387)
  * grub2-fs-xfs-Add-bigtime-incompat-feature-support.patch
- Security fixes and hardenings for boothole 3 / boothole 2022 (bsc#1198581)
  * 0001-video-Remove-trailing-whitespaces.patch
  * 0002-video-readers-jpeg-Test-for-an-invalid-next-marker-r.patch
  * 0003-video-readers-jpeg-Catch-files-with-unsupported-quan.patch
  * 0004-video-readers-jpeg-Catch-OOB-reads-writes-in-grub_jp.patch
  * 0005-video-readers-jpeg-Don-t-decode-data-before-start-of.patch
  * 0006-misc-Format-string-for-grub_error-should-be-a-litera.patch
  * 0007-loader-efi-chainloader-Simplify-the-loader-state.patch
  * 0008-commands-boot-Add-API-to-pass-context-to-loader.patch
- Fix CVE-2022-28736 (bsc#1198496)
  * 0009-loader-efi-chainloader-Use-grub_loader_set_ex.patch
  * 0010-kern-file-Do-not-leak-device_name-on-error-in-grub_f.patch
  * 0011-video-readers-png-Abort-sooner-if-a-read-operation-f.patch
  * 0012-video-readers-png-Refuse-to-handle-multiple-image-he.patch
- Fix CVE-2021-3695 (bsc#1191184)
  * 0013-video-readers-png-Drop-greyscale-support-to-fix-heap.patch
- Fix CVE-2021-3696 (bsc#1191185)
  * 0014-video-readers-png-Avoid-heap-OOB-R-W-inserting-huff-.patch
  * 0015-video-readers-png-Sanity-check-some-huffman-codes.patch
  * 0016-video-readers-jpeg-Abort-sooner-if-a-read-operation-.patch
  * 0017-video-readers-jpeg-Do-not-reallocate-a-given-huff-ta.patch
  * 0018-video-readers-jpeg-Refuse-to-handle-multiple-start-o.patch
- Fix CVE-2021-3697 (bsc#1191186)
  * 0019-video-readers-jpeg-Block-int-underflow-wild-pointer-.patch
  * 0020-normal-charset-Fix-array-out-of-bounds-formatting-un.patch
- Fix CVE-2022-28733 (bsc#1198460)
  * 0021-net-ip-Do-IP-fragment-maths-safely.patch
  * 0022-net-netbuff-Block-overly-large-netbuff-allocs.patch
  * 0023-net-dns-Fix-double-free-addresses-on-corrupt-DNS-res.patch
  * 0024-net-dns-Don-t-read-past-the-end-of-the-string-we-re-.patch
  * 0025-net-tftp-Prevent-a-UAF-and-double-free-from-a-failed.patch
  * 0026-net-tftp-Avoid-a-trivial-UAF.patch
  * 0027-net-http-Do-not-tear-down-socket-if-it-s-already-bee.patch
- Fix CVE-2022-28734 (bsc#1198493)
  * 0028-net-http-Fix-OOB-write-for-split-http-headers.patch
- Fix CVE-2022-28734 (bsc#1198493)
  * 0029-net-http-Error-out-on-headers-with-LF-without-CR.patch
  * 0030-fs-btrfs-Fix-several-fuzz-issues-with-invalid-dir-it.patch
  * 0031-fs-btrfs-Fix-more-ASAN-and-SEGV-issues-found-with-fu.patch
  * 0032-fs-btrfs-Fix-more-fuzz-issues-related-to-chunks.patch
  * 0033-Use-grub_loader_set_ex-for-secureboot-chainloader.patch
- Update SBAT security contact (boo#1193282)
- Bump grub's SBAT generation to 2
- Use boot disks in OpenFirmware, fixing regression caused by
  0001-ieee1275-implement-FCP-methods-for-WWPN-and-LUNs.patch, when
  the root LV is completely in the boot LUN (bsc#1197948)
  * 0001-ofdisk-improve-boot-time-by-lookup-boot-disk-first.patch
icu
- Backport icu-CVE-2020-21913.patch: backport commit 727505bdd
  from upstream, use LocalMemory for cmd to prevent use after free
  (bsc#1193951 CVE-2020-21913).
json-c
- Added CVE-2020-12762.patch (bsc#1171479, CVE-2020-12762)
- Added gcc7-fix.patch
- Update to upstream release 0.12.1
- Removed upstream fixed json-c-0.12-unused_variable_size.patch
- Added fix-set-but-not-used.patch
- json-c 0.12
  Fixes for security issues contained in this release have been
  previously patched into this package, but listed for completeness:
  * Address security issues:
  * CVE-2013-6371: hash collision denial of service
  * CVE-2013-6370: buffer overflow if size_t is larger than int
- Further changes:
  * Avoid potential overflow in json_object_get_double
  * Eliminate the mc_abort() function and MC_ABORT macro.
  * Make the json_tokener_errors array local.  It has been deprecated for
    a while, and json_tokener_error_desc() should be used instead.
  * change the floating point output format to %.17g so values with
    more than 6 digits show up in the output.
  * Remove the old libjson.so name compatibility support.  The library is
    only created as libjson-c.so now and headers are only installed
    into the ${prefix}/json-c directory.
  * When supported by the linker, add the -Bsymbolic-functions flag.
  * Make strict mode more strict:
  * number must not start with 0
  * no single-quote strings
  * no comments
  * trailing char not allowed
  * only allow lowercase literals
  * Added a json_object_new_double_s() convenience function to allow
    an exact string representation of a double to be specified when
    creating the object and use it in json_tokener_parse_ex() so
    a re-serialized object more exactly matches the input.
  * Add support for NaN and Infinity
- packaging changes:
  * json-c-hash-dos-and-overflow-random-seed-4e.patch is upstream
  * Move from json-c-lfs.patch which removed warning errors and
    autoconf call to json-c-0.12-unused_variable_size.patch from
    upstream which fixes the warning
  * except for SLE 11 where autoreconf call is required
  * add licence file to main package
kernel-default
- net: mana: Add rmb after checking owner bits (git-fixes).
- commit cf3a26a
- net: mana: Add the Linux MANA PF driver (bug#1201309, jsc#PED-529).
- commit a1ccfcd
- media: dvb-core: Fix UAF due to refcount races at releasing
  (CVE-2022-41218 bsc#1202960).
- commit 231362a
- media: em28xx: initialize refcount before kref_get
  (CVE-2022-3239 bsc#1203552).
- commit 477c587
- x86/bugs: Reenable retbleed=off
  While for older kernels the return thunks are statically built in and
  cannot be dynamically patched out, retbleed=off should still be possible
  to do so that the mitigation can still be disabled on Intel who don't
  use the return thunks but IBRS.
- Update
  patches.suse/x86-bugs-Add-AMD-retbleed-boot-parameter.patch
  (bsc#1199657 CVE-2022-29900 CVE-2022-29901 bsc#1203271).
- Update patches.suse/x86-bugs-Enable-STIBP-for-JMP2RET.patch
  (bsc#1199657 CVE-2022-29900 CVE-2022-29901 bsc#1203271).
- commit e2cf3a6
- Refresh
  patches.suse/netfilter-nf_conntrack_irc-Fix-forged-IP-logic.patch.
- commit a2eaeb6
- dm verity: set DM_TARGET_IMMUTABLE feature flag (CVE-2022-2503,
  bsc#1202677).
- commit b644c0f
- mm: Force TLB flush for PFNMAP mappings before unlink_file_vma()
  (CVE-2022-39188, bsc#1203107).
- commit 7df6276
- netfilter: nf_conntrack_irc: Tighten matching on DCC message
  (CVE-2022-2663 bsc#1202097).
- netfilter: nf_conntrack_irc: Fix forged IP logic (CVE-2022-2663
  bsc#1202097).
- commit 7253cd6
- Update
  patches.suse/x86-speculation-Add-RSB-VM-Exit-protections.patch.
- Update
  patches.suse/x86-speculation-change-fill_return_buffer-to-work-with-objtool.patch.
  Add missing objtool annotations from upstream commits to fix bsc#1202396.
- commit 04338d1
- objtool: Track original function across branches (bsc#1202396).
- Refresh
  patches.suse/objtool-clean-instruction-state-before-each-function-validation.patch.
- Refresh
  patches.suse/objtool-make-bp-scratch-register-warning-more-robust.patch.
- commit c9a2efe
- objtool: Don't use ignore flag for fake jumps (bsc#1202396).
- Refresh patches.suse/objtool-add-is_static_jump-helper.patch.
- commit d008d3c
- objtool: Add --backtrace support (bsc#1202396).
- Refresh
  patches.suse/objtool-clean-instruction-state-before-each-function-validation.patch.
- commit 923b23e
- objtool: Set insn->func for alternatives (bsc#1202396).
- Refresh patches.suse/objtool-add-is_static_jump-helper.patch.
- Refresh
  patches.suse/objtool-add-relocation-check-for-alternative-sections.patch.
- commit 881bd07
- mm/rmap: Fix anon_vma->degree ambiguity leading to double-reuse
  (git-fixes, bsc#1203098).
  kABI: Fix kABI after "mm/rmap: Fix anon_vma->degree ambiguity
  leading to double-reuse" (git-fixes, bsc#1203098).
- commit 9b79372
- mm/rmap.c: don't reuse anon_vma if we just want a copy
  (git-fixes, bsc#1203098).
- commit d3fffdb
- objtool: Allow no-op CFI ops in alternatives (bsc#1202396).
- commit 28f1746
- objtool: Add support for intra-function calls (bsc#1202396).
- commit 93bc738
- objtool: Remove INSN_STACK (bsc#1202396).
- commit 6e91884
- objtool: Make handle_insn_ops() unconditional (bsc#1202396).
- commit 53607e4
- objtool: Rework allocating stack_ops on decode (bsc#1202396).
- commit 63057c7
- objtool: Fix ORC vs alternatives (bsc#1202396).
- commit 7738c2e
- objtool: Uniquely identify alternative instruction groups
  (bsc#1202396).
- commit 67086e3
- objtool: Remove check preventing branches within alternative
  (bsc#1202396).
- commit 139d41d
- objtool: Fix !CFI insn_state propagation (bsc#1202396).
- commit 56f9880
- objtool: Rename struct cfi_state (bsc#1202396).
- commit b354131
- objtool: Support multiple stack_op per instruction
  (bsc#1202396).
- commit 48c54a4
- objtool: Support conditional retpolines (bsc#1202396).
- commit 65f3866
- objtool: Convert insn type to enum (bsc#1202396).
- commit b962b87
- objtool: Rename elf_open() to prevent conflict with libelf
  from elftoolchain (bsc#1202396).
- commit 7bee2f3
- objtool: Use Elf_Scn typedef instead of assuming struct name
  (bsc#1202396).
- commit 882e170
- rpm/kernel-source.spec.in: simplify finding of broken symlinks
  "find -xtype l" will report them, so use that to make the search a bit
  faster (without using shell).
- commit 13bbc51
- mkspec: eliminate @NOSOURCE@ macro
  This should be always used with @SOURCES@, just include the content
  there.
- commit 403d89f
- kernel-source: include the kernel signature file
  We assume that the upstream tarball is used for released kernels.
  Then we can also include the signature file and keyring in the
  kernel-source src.rpm.
  Because of mkspec code limitation exclude the signature and keyring from
  binary packages always - mkspec does not parse spec conditionals.
- commit e76c4ca
- kernel-binary: move @NOSOURCE@ to @SOURCES@ as in other packages
- commit 4b42fb2
- dtb: Do not include sources in src.rpm - refer to kernel-source
  Same as other kernel binary packages there is no need to carry duplicate
  sources in dtb packages.
- commit 1bd288c
- objtool: Fix sibling call detection (bsc#1202396).
- commit 07f4371
- objtool: Rewrite alt->skip_orig (bsc#1202396).
- commit 5c9e381
- af_key: Do not call xfrm_probe_algs in parallel (bsc#1202898
  CVE-2022-3028).
- commit e68eb5b
- Update patch reference for net rds fix (CVE-2022-21385 bsc#1202897)
- commit c9ac9a2
- Update patch reference for net rds fix (CVE-2022-21385 bsc#1202897)
- commit d995183
- cifs: fix error paths in cifs_tree_connect() (bsc#1177440).
- commit cf9a74a
- cifs: report error instead of invalid when revalidating a
  dentry fails (bsc#1177440).
- commit a3f2294
- Backport causes crashes on all arches so revert the patch until
  I find the root cause
- commit 83c44b2
- check sk_peer_cred pointer before put_cred() call
- commit 78087f4
- tpm: fix reference counting for struct tpm_chip (CVE-2022-2977
  bsc#1202672).
- commit 743f12e
- net: handle kABI change in struct sock (bsc#1194535
  CVE-2021-4203).
- commit c37013b
- Drop the unused function after porting on 4.12
- commit a8cf8a3
- fuse: handle kABI change in struct sock (bsc#1194535
  CVE-2021-4203).
- commit cb0be42
- af_unix: fix races in sk_peer_pid and sk_peer_cred accesses
  (bsc#1194535 CVE-2021-4203).
- commit cfbed38
- cifs: fix uninitialized pointer in error case in
  dfs_cache_get_tgt_share (bsc#1188944).
- commit adb8007
- cifs: skip trailing separators of prefix paths (bsc#1188944).
- commit bb8e115
- net_sched: cls_route: disallow handle of 0 (bsc#1202393).
- net_sched: cls_route: remove from list when handle is 0
  (CVE-2022-2588 bsc#1202096).
- commit 05c19f7
- lightnvm: Remove lightnvm implementation (bsc#1191881 bsc#1201420
  ZDI-CAN-17325).
- commit 30cd9be
- ext4: make sure ext4_append() always allocates new block
  (bsc#1198577 CVE-2022-1184).
- commit bc8c541
- ext4: check if directory block is within i_size (bsc#1198577
  CVE-2022-1184).
- commit b9efa04
- ext4: Fix check for block being out of directory size
  (bsc#1198577 CVE-2022-1184).
- commit be40637
- rpm/kernel-binary.spec.in: move vdso to a separate package (bsc#1202385)
  We do the move only on 15.5+.
- commit 9c7ade3
- rpm/kernel-binary.spec.in: simplify find for usrmerged
  The type test and print line are the same for both cases. The usrmerged
  case only ignores more, so refactor it to make it more obvious.
- commit 583c9be
- xfrm: xfrm_policy: fix a possible double xfrm_pols_put()
  in xfrm_bundle_lookup() (bsc#1201948 CVE-2022-36879).
- commit 6a240fe
- net/packet: fix slab-out-of-bounds access in packet_recvmsg()
  (CVE-2022-20368 bsc#1202346).
- commit bcc8988
- media: v4l2-mem2mem: Apply DST_QUEUE_OFF_BASE on MMAP buffers
  across ioctls (bsc#1202347 CVE-2022-20369).
- commit 0cf8c8f
- x86/speculation: Add LFENCE to RSB fill sequence (bsc#1201726
  CVE-2022-26373).
- commit b4f64d8
- x86/speculation: Add RSB VM Exit protections (bsc#1201726
  CVE-2022-26373).
- commit 679800f
- x86/speculation: Fill RSB on vmexit for IBRS (bsc#1201726
  CVE-2022-26373).
- commit 1a1bc6e
- x86/speculation: Change FILL_RETURN_BUFFER to work with objtool
  (bsc#1201726 CVE-2022-26373).
- commit 2e32661
- openvswitch: fix OOB access in reserve_sfa_size() (CVE-2022-2639
  bsc#1202154).
- commit 0d36370
- ipv4: avoid using shared IP generator for connected sockets
  (CVE-2020-36516 bsc#1196616).
- ipv4: tcp: send zero IPID in SYNACK messages (CVE-2020-36516
  bsc#1196616).
- commit df5e606
- Fix parsing of rpm/macros.kernel-source on SLE12 (bsc#1201019).
- commit 9816878
- cifs: use the expiry output of dns_query to schedule next
  resolution (bsc#1201926).
- commit 9e72b3d
- cifs: fix potential use-after-free in cifs_echo_request()
  (bsc#1201926).
- commit 63d5cc7
- cifs: fix memory leak of smb3_fs_context_dup::server_hostname
  (bsc#1201926).
- commit 696ce53
- cifs: To match file servers, make sure the server hostname
  matches (bsc#1201926).
- commit 265867f
- KVM: emulate: do not adjust size of fastop and setcc subroutines
  (bsc#1201930).
- commit f527a88
- kvm/emulate: Fix SETcc emulation function offsets with SLS
  (bsc#1201930).
- commit 30c285c
- netfilter: nf_queue: do not allow packet truncation below
  transport header offset (bsc#1201940 CVE-2022-36946).
- commit 06aa700
- cifs: set a minimum of 120s for next dns resolution
  (bsc#1201926).
- commit 40bb64c
- cifs: On cifs_reconnect, resolve the hostname again
  (bsc#1201926).
- commit a466ab8
- cifs: Simplify reconnect code when dfs upcall is enabled
  (bsc#1201926).
- commit 9d203d0
- kABI workaround for including mm.h in fs/sysfs/file.c
  (bsc#1200598 CVE-2022-20166).
- commit fe1fe6b
- mm: and drivers core: Convert hugetlb_report_node_meminfo to
  sysfs_emit (bsc#1200598 CVE-2022-20166).
- commit 3d23964
- drivers core: Miscellaneous changes for sysfs_emit (bsc#1200598
  CVE-2022-20166).
- commit c8e2e5b
- drivers core: Remove strcat uses around sysfs_emit and neaten
  (bsc#1200598 CVE-2022-20166).
- commit 5cd9512
- drivers core: Use sysfs_emit and sysfs_emit_at for show(device *...)
  functions (bsc#1200598 CVE-2022-20166).
- commit 7554520
- x86/entry: Remove skip_r11rcx (bsc#1199657 CVE-2022-29900
  CVE-2022-29901).
- Refresh
  patches.suse/x86-entry-add-kernel-ibrs-implementation.patch.
- commit b1071b3
- sysfs: Add sysfs_emit and sysfs_emit_at to format sysfs output
  (bsc#1200598 CVE-2022-20166).
- commit c5a70d7
- x86/kexec: Disable RET on kexec (bsc#1199657 CVE-2022-29900
  CVE-2022-29901).
- commit 191d646
- x86/bugs: Do not enable IBPB-on-entry when IBPB is not supported
  (bsc#1199657 CVE-2022-29900 CVE-2022-29901).
- commit 5c77536
- x86/cpu/amd: Enumerate BTC_NO (bsc#1199657 CVE-2022-29900
  CVE-2022-29901).
- Refresh
  patches.suse/sched-topology-Improve-load-balancing-on-AMD-EPYC.patch.
- commit 8397b0e
- x86/common: Stamp out the stepping madness (bsc#1199657
  CVE-2022-29900 CVE-2022-29901).
- commit be4f5a3
- x86/speculation: Remove x86_spec_ctrl_mask (bsc#1199657
  CVE-2022-29900 CVE-2022-29901).
- commit 95c7c85
- x86/speculation: Use cached host SPEC_CTRL value for guest
  entry/exit (bsc#1199657 CVE-2022-29900 CVE-2022-29901).
- commit e0da5e4
- x86/speculation: Fix SPEC_CTRL write on SMT state change
  (bsc#1199657 CVE-2022-29900 CVE-2022-29901).
- commit be2020e
- x86/speculation: Fix firmware entry SPEC_CTRL handling
  (bsc#1199657 CVE-2022-29900 CVE-2022-29901).
- commit f577c84
- x86/cpu/amd: Add Spectral Chicken (bsc#1199657 CVE-2022-29900
  CVE-2022-29901).
- commit 169cc5b
- x86/bugs: Do IBPB fallback check only once (bsc#1199657
  CVE-2022-29900 CVE-2022-29901).
- commit 25a7fe5
- x86/bugs: Add retbleed=ibpb (bsc#1199657 CVE-2022-29900
  CVE-2022-29901).
- commit bba8676
- intel_idle: Disable IBRS during long idle (bsc#1199657
  CVE-2022-29900 CVE-2022-29901).
- commit 8791bc4
- x86/bugs: Report Intel retbleed vulnerability (bsc#1199657
  CVE-2022-29900 CVE-2022-29901).
- commit 031a8ba
- x86/bugs: Split spectre_v2_select_mitigation() and
  spectre_v2_user_select_mitigation() (bsc#1199657 CVE-2022-29900
  CVE-2022-29901).
- commit a8a6605
- Re-backport an upstream commit
  Backport
  fdf82a7856b3 ("x86/speculation: Protect against userspace-userspace spectreRSB")
  properly in order to get rid of the now-unused is_skylake_era() symbol.
- Refresh
  patches.suse/x86-intel-aggregate-big-core-client-naming.patch.
- Refresh
  patches.suse/x86-intel-aggregate-big-core-mobile-naming.patch.
- Refresh
  patches.suse/x86-speculation-add-eibrs-retpoline-options.patch.
- Refresh
  patches.suse/x86-speculation-enable-cross-hyperthread-spectre-v2-stibp-mitigation.patch.
- Refresh
  patches.suse/x86-speculation-reorder-the-spec_v2-code.patch.
- commit ecf8345
- x86/speculation: Add spectre_v2=ibrs option to support Kernel
  IBRS (bsc#1199657 CVE-2022-29900 CVE-2022-29901).
- commit c458857
- x86/bugs: Optimize SPEC_CTRL MSR writes (bsc#1199657
  CVE-2022-29900 CVE-2022-29901).
- commit ef21bc9
- x86/entry: Add kernel IBRS implementation (bsc#1199657
  CVE-2022-29900 CVE-2022-29901).
- commit c195904
- x86/bugs: Keep a per-CPU IA32_SPEC_CTRL value (bsc#1199657
  CVE-2022-29900 CVE-2022-29901).
- commit 38fd246
- x86/bugs: Enable STIBP for JMP2RET (bsc#1199657 CVE-2022-29900
  CVE-2022-29901).
- commit 8246682
- x86/bugs: Add AMD retbleed= boot parameter (bsc#1199657
  CVE-2022-29900 CVE-2022-29901).
- Update config files.
- commit 3a343bc
- x86/bugs: Report AMD retbleed vulnerability (bsc#1199657
  CVE-2022-29900 CVE-2022-29901).
- commit fd68631
- x86: Add magic AMD return-thunk (bsc#1199657 CVE-2022-29900
  CVE-2022-29901).
- commit 407dacc
- x86: Use return-thunk in asm code (bsc#1199657 CVE-2022-29900
  CVE-2022-29901).
- commit fe1b3c3
- x86/sev: Avoid using __x86_return_thunk (bsc#1199657
  CVE-2022-29900 CVE-2022-29901).
- commit acfc9e6
- x86/vsyscall_emu/64: Don't use RET in vsyscall emulation
  (bsc#1199657 CVE-2022-29900 CVE-2022-29901).
- commit 9f9f050
- x86/kvm: Fix SETcc emulation for return thunks (bsc#1199657
  CVE-2022-29900 CVE-2022-29901).
- commit 5ea2bf6
- x86: Undo return-thunk damage (bsc#1199657 CVE-2022-29900
  CVE-2022-29901).
- commit ce6827b
- x86/retpoline: Use -mfunction-return (bsc#1199657 CVE-2022-29900
  CVE-2022-29901).
- commit 01c7d45
- x86/cpufeatures: Move RETPOLINE flags to word 11 (bsc#1199657
  CVE-2022-29900 CVE-2022-29901).
- commit 19e5ab2
- x86: Add straight-line-speculation mitigation (bsc#1201050
  CVE-2021-26341).
- Update config files.
- Refresh
  patches.suse/x86-speculation-rename-retpoline_amd-to-retpoline_lfence.patch.
- commit fe797ea
- Sort in CPU vuln fixes
  And remove the homegrown IBRS functionality - will be replaced by the
  upstream one.
- Refresh
  patches.suse/0001-x86-entry-64-compat-Fix-stack-switching-for-XEN-PV.patch.
- Refresh
  patches.suse/KVM-x86-speculation-Disable-Fill-buffer-clear-within-guests.patch.
- Refresh
  patches.suse/documentation-hw-vuln-update-spectre-doc.patch.
- Refresh
  patches.suse/x86-bugs-Group-MDS-TAA-Processor-MMIO-Stale-Data-mitigations.patch.
- Refresh
  patches.suse/x86-cpu-add-a-steppings-field-to-struct-x86_cpu_id.patch.
- Refresh
  patches.suse/x86-cpu-add-table-argument-to-cpu_matches.patch.
- Refresh
  patches.suse/x86-speculation-Add-a-common-function-for-MD_CLEAR-mitigation-update.patch.
- Refresh
  patches.suse/x86-speculation-add-eibrs-retpoline-options.patch.
- Refresh
  patches.suse/x86-speculation-add-special-register-buffer-data-sampling-srbds-mitigation.patch.
- Refresh
  patches.suse/x86-speculation-add-srbds-vulnerability-and-mitigation-documentation.patch.
- Refresh
  patches.suse/x86-speculation-include-unprivileged-ebpf-status-in-spectre-v2-mitigation-reporting.patch.
- Refresh
  patches.suse/x86-speculation-mmio-Add-mitigation-for-Processor-MMIO-Stale-Data.patch.
- Refresh
  patches.suse/x86-speculation-mmio-Add-sysfs-reporting-for-Processor-MMIO-Stale-Data.patch.
- Refresh
  patches.suse/x86-speculation-mmio-Enable-CPU-Fill-buffer-clearing-on-idle.patch.
- Refresh
  patches.suse/x86-speculation-mmio-Enumerate-Processor-MMIO-Stale-Data-bug.patch.
- Refresh
  patches.suse/x86-speculation-mmio-Reuse-SRBDS-mitigation-for-SBDS.patch.
- Refresh
  patches.suse/x86-speculation-rename-retpoline_amd-to-retpoline_lfence.patch.
- Refresh
  patches.suse/x86-speculation-restore-speculation-related-msrs-during-s3-resume.patch.
- Refresh
  patches.suse/x86-speculation-srbds-Update-SRBDS-mitigation-selection.patch.
- Refresh
  patches.suse/x86-speculation-use-generic-retpoline-by-default-on-amd.patch.
- Delete
  patches.suse/0001-x86-speculation-Add-basic-IBRS-support-infrastructur.patch.
- Delete
  patches.suse/0002-x86-speculation-Add-inlines-to-control-Indirect-Bran.patch.
- Delete
  patches.suse/0003-x86-idle-Control-Indirect-Branch-Speculation-in-idle.patch.
- Delete
  patches.suse/0004-x86-enter-Create-macros-to-restrict-unrestrict-Indir.patch.
- Delete
  patches.suse/0005-x86-enter-Use-IBRS-on-syscall-and-interrupts.patch.
- Delete patches.suse/IBRS-forbid-shooting-in-foot.patch.
- commit 44b7026
- CVE Mitigation for CVE-2022-29900 and CVE-2022-29901
  (bsc#1199657 CVE-2022-29900 CVE-2022-29901).
- commit 1ca4472
- x86: Prepare inline-asm for straight-line-speculation
  (bsc#1201050 CVE-2021-26341).
- commit 6c064d3
- x86: Prepare asm files for straight-line-speculation
  (bsc#1201050 CVE-2021-26341).
- commit b57e26a
- x86/lib/atomic64_386_32: Rename things (bsc#1201050
  CVE-2021-26341).
- commit 010d7d0
- vt: vt_ioctl: fix race in VT_RESIZEX (bsc#1200910
  CVE-2020-36558).
- commit 3c76a1f
- vt: vt_ioctl: fix VT_DISALLOCATE freeing in-use virtual console
  (bsc#1201429 CVE-2020-36557).
- commit f15e18d
- kernel-obs-build: include qemu_fw_cfg (boo#1201705)
- commit e2263d4
- vt: drop old FONT ioctls (bsc#1201636 CVE-2021-33656).
- commit 704434f
- Refresh patches.suse/fbcon-Prevent-that-screen-size-is-smaller-than-font-.patch
  Fix the build error due to missing is_console_locked()
- commit 39e2064
- fbmem: Check virtual screen sizes in fb_set_var()
  (CVE-2021-33655 bsc#1201635).
- fbcon: Prevent that screen size is smaller than font size
  (CVE-2021-33655 bsc#1201635).
- fbcon: Disallow setting font bigger than screen size
  (CVE-2021-33655 bsc#1201635).
- commit c1a0922
- rpm/kernel-binary.spec.in: Require dwarves >= 1.22 on SLE15-SP3 or newer
  Dwarves 1.22 or newer is required to build kernels with BTF information
  embedded in modules.
- commit ee19e9d
- pty: do tty_flip_buffer_push without port->lock in pty_write
  (bsc#1198829 CVE-2022-1462).
- commit c0b9f34
- tty: use new tty_insert_flip_string_and_push_buffer() in
  pty_write() (bsc#1198829 CVE-2022-1462).
- tty: extract tty_flip_buffer_commit() from
  tty_flip_buffer_push() (bsc#1198829 CVE-2022-1462).
- commit 1b70eb4
- net: Rename and export copy_skb_header (bsc#1200762,
  CVE-2022-33741, XSA-403).
- commit 5e3ad99
- net: rose: fix UAF bugs caused by timer handler (CVE-2022-2318
  bsc#1201251).
- commit 6ad5c1f
- xen/netfront: force data bouncing when backend is untrusted
  (bsc#1200762, CVE-2022-33741, XSA-403).
- commit 459e62a
- xen/netfront: fix leaking data in shared pages (bsc#1200762,
  CVE-2022-33740, XSA-403).
- commit b225a00
- xen/blkfront: force data bouncing when backend is untrusted
  (bsc#1200762, CVE-2022-33742, XSA-403).
- commit 8bcc9cd
- xen/blkfront: fix leaking data in shared pages (bsc#1200762,
  CVE-2022-26365, XSA-403).
- commit f3412de
- Refresh
  patches.suse/msft-hv-2588-PCI-hv-Do-not-set-PCI_COMMAND_MEMORY-to-reduce-VM-bo.patch.
  Fix a build warning.
- commit 88f1e54
- sctp: handle kABI change in struct sctp_endpoint (CVE-2022-20154
  bsc#1200599).
- commit c46afe6
- sctp: use call_rcu to free endpoint (CVE-2022-20154 bsc#1200599).
- commit 3cb182d
- rpm/check-for-config-changes: ignore GCC12/CC_NO_ARRAY_BOUNDS
  Upstream commit f0be87c42cbd (gcc-12: disable '-Warray-bounds'
  universally for now) added two new compiler-dependent configs:
  * CC_NO_ARRAY_BOUNDS
  * GCC12_NO_ARRAY_BOUNDS
  Ignore them -- they are unset by dummy tools (they depend on gcc version
  == 12), but set as needed during real compilation.
- commit a14607c
- ath9k: fix use-after-free in ath9k_hif_usb_rx_cb (CVE-2022-1679
  bsc#1199487).
- commit 2c5abda
- exec: Force single empty string when argv is empty
  (bsc#1200571).
- commit 4ee3bdd
- HID: holtek: fix mouse probing (CVE-2022-20132 bsc#1200619).
- HID: add USB_HID dependancy to hid-prodikeys (CVE-2022-20132
  bsc#1200619).
- HID: add USB_HID dependancy to hid-chicony (CVE-2022-20132
  bsc#1200619).
- HID: add USB_HID dependancy on some USB HID drivers
  (CVE-2022-20132 bsc#1200619).
- HID: check for valid USB device for many HID drivers
  (CVE-2022-20132 bsc#1200619).
- HID: add hid_is_usb() function to make it simpler for USB
  detection (CVE-2022-20132 bsc#1200619).
- HID: introduce hid_is_using_ll_driver (CVE-2022-20132
  bsc#1200619).
- commit fb86cdd
- igmp: Add ip_mc_list lock in ip_check_mc_rcu (bsc#1200604
  CVE-2022-20141).
- commit 5040a6d
- certs: Add EFI_CERT_X509_GUID support for dbx entries
  (bsc#1177282 CVE-2020-26541).
- Update config files.
- commit 2e7bde8
- kernel-binary.spec: check s390x vmlinux location
  As a side effect of mainline commit edd4a8667355 ("s390/boot: get rid of
  startup archive"), vmlinux on s390x moved from "compressed" subdirectory
  directly into arch/s390/boot. As the specfile is shared among branches,
  check both locations and let objcopy use one that exists.
- commit cd15543
- Add missing recommends of kernel-install-tools to kernel-source-vanilla (bsc#1200442)
- commit 93b1375
- floppy: disable FDRAWCMD by default (bsc#1198866 CVE-2022-1836).
- Update config files.
- commit 9af4e3a
- add mainline tag for a pci-hyperv change
- commit dd0f473
- btrfs: tree-checker: fix incorrect printk format (bsc#1200249).
- commit 996513e
- NFC: netlink: fix sleep in atomic bug when firmware download
  timeout (CVE-2022-1975 bsc#1200143).
- commit a8211d8
- nfc: replace improper check device_is_registered() in netlink
  related functions (CVE-2022-1974 bsc#1200144).
- commit d539b18
- KVM: x86/speculation: Disable Fill buffer clear within guests
  (bsc#1199650 CVE-2022-21166 CVE-2022-21127 CVE-2022-21123
  CVE-2022-21125 CVE-2022-21180).
- x86/bugs: Group MDS, TAA & Processor MMIO Stale Data mitigations
  (bsc#1199650 CVE-2022-21166 CVE-2022-21127 CVE-2022-21123
  CVE-2022-21125 CVE-2022-21180).
- x86/speculation: Add a common function for MD_CLEAR mitigation
  update (bsc#1199650 CVE-2022-21166 CVE-2022-21127 CVE-2022-21123
  CVE-2022-21125 CVE-2022-21180).
- x86/speculation/mmio: Add mitigation for Processor MMIO Stale
  Data (bsc#1199650 CVE-2022-21166 CVE-2022-21127 CVE-2022-21123
  CVE-2022-21125 CVE-2022-21180).
- x86/speculation/mmio: Add sysfs reporting for Processor
  MMIO Stale Data (bsc#1199650 CVE-2022-21166 CVE-2022-21127
  CVE-2022-21123 CVE-2022-21125 CVE-2022-21180).
- x86/speculation/mmio: Enable CPU Fill buffer clearing on idle
  (bsc#1199650 CVE-2022-21166 CVE-2022-21127 CVE-2022-21123
  CVE-2022-21125 CVE-2022-21180).
- x86/speculation/mmio: Enumerate Processor MMIO Stale Data bug
  (bsc#1199650 CVE-2022-21166 CVE-2022-21127 CVE-2022-21123
  CVE-2022-21125 CVE-2022-21180).
- x86/speculation/mmio: Reuse SRBDS mitigation for SBDS
  (bsc#1199650 CVE-2022-21166 CVE-2022-21127 CVE-2022-21123
  CVE-2022-21125 CVE-2022-21180).
- x86/speculation/srbds: Update SRBDS mitigation selection
  (bsc#1199650 CVE-2022-21166 CVE-2022-21127 CVE-2022-21123
  CVE-2022-21125 CVE-2022-21180).
- Refresh
  patches.suse/powerpc-64s-flush-L1D-after-user-accesses.patch.
- Refresh
  patches.suse/powerpc-64s-flush-L1D-on-kernel-entry.patch.
- commit 96526da
- btrfs: extent-tree: kill the BUG_ON() in
  insert_inline_extent_backref() (CVE-2019-19377 bsc#1158266).
- commit 7762823
- btrfs: extent-tree: kill BUG_ON() in __btrfs_free_extent()
  (CVE-2019-19377 bsc#1158266).
- commit fa0dbe1
- kernel-binary.spec: Support radio selection for debuginfo.
  To disable debuginfo on 5.18 kernel a radio selection needs to be
  switched to a different selection. This requires disabling the currently
  active option and selecting NONE as debuginfo type.
- commit 43b5dd3
- perf: Fix sys_perf_event_open() race against self
  (CVE-2022-1729, bsc#1199507).
- commit fc77f1c
- ext4: avoid cycles in directory h-tree (bsc#1198577
  CVE-2022-1184).
- commit ec51c1b
- ext4: verify dir block before splitting it (bsc#1198577
  CVE-2022-1184).
- commit 97bfb10
- debug: Lock down kgdb (bsc#1199426 CVE-2022-21499).
- debug: Lock down kgdb (bsc#1199426).
- commit 1cd17a0
- Add dtb-starfive
- commit 85335b1
- Update patch reference for ACPI fix (CVE-2017-13695 bsc#1055710)
- commit e74f546
- floppy: use a statically allocated error counter (bsc#1199063
  CVE-2022-1652).
- commit 7173277
- nfc: nfcmrvl: main: reorder destructive operations in
  nfcmrvl_nci_unregister_dev to avoid bugs (CVE-2022-1734
  bsc#1199605).
- commit d9ccce0
- btrfs: relocation: Only remove reloc rb_trees if reloc control
  has been initialized (bsc#1199399).
- commit d95d9f9
- bpf: fix panic due to oob in bpf_prog_test_run_skb (bsc#1197219,
  CVE-2021-39711).
- commit 51bae76
- ptrace: Check PTRACE_O_SUSPEND_SECCOMP permission on
  PTRACE_SEIZE (CVE-2022-30594 bsc#1199505 bsc#1198413).
- commit 26d8e0b
- btrfs: relocation: Only remove reloc rb_trees if reloc control
  has been initialized (bsc#1199399).
- commit adb6d28
- NFSv4: nfs_atomic_open() can race when looking up a non-regular
  file (bsc#1195612 CVE-2022-24448).
- commit dd7b1a9
- PCI: hv: Do not set PCI_COMMAND_MEMORY to reduce VM boot time (bsc#1199314).
- commit 07098d3
- Fix kernel-vanilla build issue
  Fix:
  [  315s]   CC [M]  fs/fat/namei_vfat.o
  [  315s]   CC      kernel/elfcore.o
  [  315s] ../scripts/Makefile.build:302: recipe for target 'kernel/elfcore.o' failed
  [  315s] Cannot find symbol for section 1: .text.
  [  315s] kernel/elfcore.o: failed
  [  315s] make[3]: *** [kernel/elfcore.o] Error 1
  due to toolchain updates and the patch missing in the vanilla flavor. So
  move it there.
- commit 23d6a8f
- rpm/kernel-obs-build.spec.in: Also depend on dracut-systemd (bsc#1195775)
- commit 5d4e32c
- ixgbevf: add disable link state (bsc#1196426 CVE-2021-33061).
- ixgbe: add improvement for MDD response functionality
  (bsc#1196426 CVE-2021-33061).
- ixgbe: add the ability for the PF to disable VF link state
  (bsc#1196426 CVE-2021-33061).
- commit 7ca9841
- net: mana: Remove unnecessary check of cqe_type in
  mana_process_rx_cqe() (bsc#1195651).
- net: mana: Add handling of CQE_RX_TRUNCATED (bsc#1195651).
- commit a27cea8
- net: mana: Reuse XDP dropped page (bsc#1195651).
- commit c707c23
- net: mana: Add counter for XDP_TX (bsc#1195651).
- commit 9e62047
- net: mana: Add counter for packet dropped by XDP (bsc#1195651).
- commit e3af7bf
- net: mana: Use struct_size() helper in
  mana_gd_create_dma_region() (bsc#1195651).
- commit 2c30991
- net/x25: Fix null-ptr-deref caused by x25_disconnect
  (CVE-2022-1516 bsc#1199012).
- commit 70361a9
- ovl: fix missing negative dentry check in ovl_rename()
  (CVE-2021-20321 bsc#1191647).
- commit 3e23b63
- scsi: scsi_dh_alua: Avoid crash during alua_bus_detach()
  (bsc#1028340 bsc#1198825).
- commit 5e96c61
- net-sysfs: call dev_hold if kobject_init_and_add success
  (CVE-2019-20811 bsc#1172456).
- commit 5de8a61
- pahole 1.22 required for full BTF features.
  also recommend pahole for kernel-source to make the kernel buildable
  with standard config
- commit 364f54b
- Update
  patches.suse/net-usb-ax88179_178a-Fix-out-of-bounds-accesses-in-R.patch
  (bsc#1196018 CVE-2022-28748).
- commit 25ea790
- Update
  patches.suse/floppy-Do-not-copy-a-kernel-pointer-to-user-memory-i.patch
  (bsc#1051510 bsc#1084513 CVE-2018-7755).
- commit 371ca37
- use jobs not processors in the constraints
  jobs is the number of vcpus available to the build, while processors
  is the total processor count of the machine the VM is running on.
- commit a6e141d
- drm/vgem: Close use-after-free race in vgem_gem_create (CVE-2022-1419 bsc#1198742)
- commit c2b5f0e
- isdn: cpai: check ctr->cnr to avoid array index out of bound
  (bsc#1191958 CVE-2021-43389).
- commit 6296574
- nfc: fix NULL ptr dereference in llcp_sock_getname() after
  failed connect (CVE-2021-38208 bsc#1187055).
- commit 54aed86
- powerpc/pseries: Fix use after free in remove_phb_dynamic()
  (bsc#1065729 bsc#1198660 ltc#197803).
- commit 534ea7f
- af_key: add __GFP_ZERO flag for compose_sadb_supported in
  function pfkey_register (CVE-2022-1353 bsc#1198516).
- commit ffb367f
- Update
  patches.suse/x86-pm-save-the-msr-validity-status-at-context-setup.patch
  (bsc#1198400).
- Update
  patches.suse/x86-speculation-restore-speculation-related-msrs-during-s3-resume.patch
  (bsc#1198400).
- commit b81f481
- drm/ttm/nouveau: don't call tt destroy callback on alloc failure
  (CVE-2021-20292 bsc#1183723).
- commit f1a5fa2
- x86/speculation: Restore speculation related MSRs during S3
  resume (bsc#1114648).
- commit 46f1ca5
- fuse: handle kABI change in struct fuse_req (bsc#1197343
  CVE-2022-1011).
- fuse: fix pipe buffer lifetime for direct_io (bsc#1197343
  CVE-2022-1011).
- commit e67cd7e
- x86/pm: Save the MSR validity status at context setup
  (bsc#1114648).
- commit 87c5893
- livepatch: Don't block removal of patches that are safe to
  unload (bsc#1071995).
- commit 2e90af6
- Refresh
  patches.suse/net-sched-use-Qdisc-rcu-API-instead-of-relying-on-rt.patch.
  Fix misplaced qdisc_put()
- commit 883b3be
- linux/dim: Move implementation to .c files (bsc#1197099
  jsc#SLE-24124).
- commit 03d416d
- net: ena: Select DIMLIB for ENA_ETHERNET (bsc#1197099
  jsc#SLE-24124).
- Update config files.
- commit fbae1a9
- net: ena: Change the name of bad_csum variable (bsc#1197099
  jsc#SLE-24124).
- net: ena: Remove ena_calc_queue_size_ctx struct (bsc#1197099
  jsc#SLE-24124).
- net: ena: Move reset completion print to the reset function
  (bsc#1197099 jsc#SLE-24124).
- net: ena: Remove redundant return code check (bsc#1197099
  jsc#SLE-24124).
- net: ena: Change ENI stats support check to use capabilities
  field (bsc#1197099 jsc#SLE-24124).
- net: ena: Add capabilities field with support for ENI stats
  capability (bsc#1197099 jsc#SLE-24124).
- net: ena: Change return value of ena_calc_io_queue_size()
  to void (bsc#1197099 jsc#SLE-24124).
- net: ena: Fix error handling when calculating max IO queues
  number (bsc#1197099 jsc#SLE-24124).
- net: ena: Fix wrong rx request id by resetting device
  (bsc#1197099 jsc#SLE-24124).
- net: ena: make symbol 'ena_alloc_map_page' static (bsc#1197099
  jsc#SLE-24124).
- net: ena: re-organize code to improve readability (bsc#1197099
  jsc#SLE-24124).
- net: ena: Use dev_alloc() in RX buffer allocation (bsc#1197099
  jsc#SLE-24124).
- net: ena: Remove module param and change message severity
  (bsc#1197099 jsc#SLE-24124).
- net: ena: add jiffies of last napi call to stats (bsc#1197099
  jsc#SLE-24124).
- net: ena: Improve error logging in driver (bsc#1197099
  jsc#SLE-24124).
- net: ena: Remove unused code (bsc#1197099 jsc#SLE-24124).
- net: ena: remove extra words from comments (bsc#1197099
  jsc#SLE-24124).
- net: ena: fix inaccurate print type (bsc#1197099 jsc#SLE-24124).
- ethernet: amazon: ena: A typo fix in the file ena_com.h
  (bsc#1197099 jsc#SLE-24124).
- net: ena: aggregate stats increase into a function (bsc#1197099
  jsc#SLE-24124).
- net: ena: fix coding style nits (bsc#1197099 jsc#SLE-24124).
- net: ena: store values in their appropriate variables types
  (bsc#1197099 jsc#SLE-24124).
- net: ena: add device distinct log prefix to files (bsc#1197099
  jsc#SLE-24124).
- net: ena: use constant value for net_device allocation
  (bsc#1197099 jsc#SLE-24124).
- net: ena: fix packet's addresses for rx_offset feature
  (bsc#1197099 jsc#SLE-24124).
- net: ena: set initial DMA width to avoid intel iommu issue
  (bsc#1197099 jsc#SLE-24124).
- net: ena: handle bad request id in ena_netdev (bsc#1197099
  jsc#SLE-24124).
- net: ena: Fix all static chekers' warnings (bsc#1197099
  jsc#SLE-24124).
- net: ena: Change RSS related macros and variables names
  (bsc#1197099 jsc#SLE-24124).
- net: ena: Remove redundant print of placement policy
  (bsc#1197099 jsc#SLE-24124).
- net: ena: Capitalize all log strings and improve code
  readability (bsc#1197099 jsc#SLE-24124).
- net: ena: Change log message to netif/dev function (bsc#1197099
  jsc#SLE-24124).
- net: ena: Change license into format to SPDX in all files
  (bsc#1197099 jsc#SLE-24124).
- net: ena: ethtool: Add new device statistics (bsc#1197099
  jsc#SLE-24124).
- net: ena: ethtool: convert stat_offset to 64 bit resolution
  (bsc#1197099 jsc#SLE-24124).
- net: ena: Make missed_tx stat incremental (bsc#1197099
  jsc#SLE-24124).
- net: ena: Prevent reset after device destruction (bsc#1197099
  jsc#SLE-24124).
- net: ena: support new LLQ acceleration mode (bsc#1197099
  jsc#SLE-24124).
- net: ena: move llq configuration from ena_probe to
  ena_device_init() (bsc#1197099 jsc#SLE-24124).
- net: ena: enable support of rss hash key and function changes
  (bsc#1197099 jsc#SLE-24124).
- net: ena: add support for traffic mirroring (bsc#1197099
  jsc#SLE-24124).
- net: ena: cosmetic: change ena_com_stats_admin stats to u64
  (bsc#1197099 jsc#SLE-24124).
- net: ena: add reserved PCI device ID (bsc#1197099
  jsc#SLE-24124).
- net: ena: avoid unnecessary rearming of interrupt vector when
  busy-polling (bsc#1197099 jsc#SLE-24124).
- net: ena: Fix using plain integer as NULL pointer in
  ena_init_napi_in_range (bsc#1197099 jsc#SLE-24124).
- net: ena: reduce driver load time (bsc#1197099 jsc#SLE-24124).
- net: ena: cosmetic: minor code changes (bsc#1197099
  jsc#SLE-24124).
- net: ena: cosmetic: fix spacing issues (bsc#1197099
  jsc#SLE-24124).
- net: ena: cosmetic: code reorderings (bsc#1197099
  jsc#SLE-24124).
- net: ena: cosmetic: remove unnecessary code (bsc#1197099
  jsc#SLE-24124).
- net: ena: cosmetic: fix line break issues (bsc#1197099
  jsc#SLE-24124).
- net: ena: cosmetic: fix spelling and grammar mistakes in
  comments (bsc#1197099 jsc#SLE-24124).
- net: ena: cosmetic: set queue sizes to u32 for consistency
  (bsc#1197099 jsc#SLE-24124).
- net: ena: cosmetic: rename
  ena_update_tx/rx_rings_intr_moderation() (bsc#1197099
  jsc#SLE-24124).
- net: ena: simplify ena_com_update_intr_delay_resolution()
  (bsc#1197099 jsc#SLE-24124).
- net: ena: fix ena_com_comp_status_to_errno() return value
  (bsc#1197099 jsc#SLE-24124).
- net: ena: use explicit variable size for clarity (bsc#1197099
  jsc#SLE-24124).
- net: ena: rename ena_com_free_desc to make API more uniform
  (bsc#1197099 jsc#SLE-24124).
- net: ena: add support for the rx offset feature (bsc#1197099
  jsc#SLE-24124).
- net: ena: cosmetic: extract code to ena_indirection_table_set()
  (bsc#1197099 jsc#SLE-24124).
- net: ena: cosmetic: remove unnecessary spaces and tabs in
  ena_com.h macros (bsc#1197099 jsc#SLE-24124).
- net: ena: use SHUTDOWN as reset reason when closing interface
  (bsc#1197099 jsc#SLE-24124).
- net: ena: drop superfluous prototype (bsc#1197099
  jsc#SLE-24124).
- net: ena: add support for reporting of packet drops (bsc#1197099
  jsc#SLE-24124).
- net: ena: add unmask interrupts statistics to ethtool
  (bsc#1197099 jsc#SLE-24124).
- net: ena: remove code that does nothing (bsc#1197099
  jsc#SLE-24124).
- net: ena: changes to RSS hash key allocation (bsc#1197099
  jsc#SLE-24124).
- net: ena: change default RSS hash function to Toeplitz
  (bsc#1197099 jsc#SLE-24124).
- net: ena: allow setting the hash function without changing
  the key (bsc#1197099 jsc#SLE-24124).
- net: ena: fix error returning in ena_com_get_hash_function()
  (bsc#1197099 jsc#SLE-24124).
- net: ena: avoid unnecessary admin command when RSS function
  set fails (bsc#1197099 jsc#SLE-24124).
- net/ena: Fix build warning in ena_xdp_set() (bsc#1197099
  jsc#SLE-24124).
- net: ena: ethtool: clean up minor indentation issue (bsc#1197099
  jsc#SLE-24124).
- net: ena: ethtool: remove redundant non-zero check on rc
  (bsc#1197099 jsc#SLE-24124).
- net: ena: remove set but not used variable 'hash_key'
  (bsc#1197099 jsc#SLE-24124).
- net: ena: fix continuous keep-alive resets (bsc#1197099
  jsc#SLE-24124).
- net: ena: avoid memory access violation by validating req_id
  properly (bsc#1197099 jsc#SLE-24124).
- net: ena: fix request of incorrect number of IRQ vectors
  (bsc#1197099 jsc#SLE-24124).
- net: ena: fix incorrect setting of the number of msix vectors
  (bsc#1197099 jsc#SLE-24124).
- net: ena: ena-com.c: prevent NULL pointer dereference
  (bsc#1197099 jsc#SLE-24124).
- net: ena: ethtool: use correct value for crc32 hash (bsc#1197099
  jsc#SLE-24124).
- net: ena: make ena rxfh support ETH_RSS_HASH_NO_CHANGE
  (bsc#1197099 jsc#SLE-24124).
- net: ena: fix corruption of dev_idx_to_host_tbl (bsc#1197099
  jsc#SLE-24124).
- net: ena: fix incorrectly saving queue numbers when setting
  RSS indirection table (bsc#1197099 jsc#SLE-24124).
- net: ena: rss: store hash function as values and not bits
  (bsc#1197099 jsc#SLE-24124).
- net: ena: rss: fix failure to get indirection table (bsc#1197099
  jsc#SLE-24124).
- net: ena: rss: do not allocate key when not supported
  (bsc#1197099 jsc#SLE-24124).
- net: ena: fix incorrect default RSS key (bsc#1197099
  jsc#SLE-24124).
- net: ena: add missing ethtool TX timestamping indication
  (bsc#1197099 jsc#SLE-24124).
- net: ena: fix uses of round_jiffies() (bsc#1197099
  jsc#SLE-24124).
- net: ena: fix potential crash when rxfh key is NULL (bsc#1197099
  jsc#SLE-24124).
- net: ena: Add first_interrupt field to napi struct (bsc#1197099
  jsc#SLE-24124).
- net: ena: fix issues in setting interrupt moderation params
  in ethtool (bsc#1197099 jsc#SLE-24124).
- net: ena: fix default tx interrupt moderation interval
  (bsc#1197099 jsc#SLE-24124).
- net: ena: ethtool: support set_channels callback (bsc#1197099
  jsc#SLE-24124).
- net: ena: remove redundant print of number of queues
  (bsc#1197099 jsc#SLE-24124).
- net: ena: make ethtool -l show correct max number of queues
  (bsc#1197099 jsc#SLE-24124).
- net: ena: ethtool: get_channels: use combined only (bsc#1197099
  jsc#SLE-24124).
- net: ena: multiple queue creation related cleanups (bsc#1197099
  jsc#SLE-24124).
- net: ena: change num_queues to num_io_queues for clarity and
  consistency (bsc#1197099 jsc#SLE-24124).
- net: update net_dim documentation after rename (bsc#1197099
  jsc#SLE-24124).
- net: ena: clean up indentation issue (bsc#1197099
  jsc#SLE-24124).
- lib: dimlib: fix help text typos (bsc#1197099 jsc#SLE-24124).
- dimlib: make DIMLIB a hidden symbol (bsc#1197099 jsc#SLE-24124).
- net: ena: don't wake up tx queue when down (bsc#1197099
  jsc#SLE-24124).
- net: ena: fix incorrect update of intr_delay_resolution
  (bsc#1197099 jsc#SLE-24124).
- net: ena: fix retrieval of nonadaptive interrupt moderation
  intervals (bsc#1197099 jsc#SLE-24124).
- net: ena: fix update of interrupt moderation register
  (bsc#1197099 jsc#SLE-24124).
- net: ena: remove all old adaptive rx interrupt moderation code
  from ena_com (bsc#1197099 jsc#SLE-24124).
- net: ena: remove ena_restore_ethtool_params() and relevant
  fields (bsc#1197099 jsc#SLE-24124).
- net: ena: remove old adaptive interrupt moderation code from
  ena_netdev (bsc#1197099 jsc#SLE-24124).
- net: ena: remove code duplication
  in ena_com_update_nonadaptive_moderation_interval _*()
  (bsc#1197099 jsc#SLE-24124).
- net: ena: enable the interrupt_moderation in
  driver_supported_features (bsc#1197099 jsc#SLE-24124).
- net: ena: reimplement set/get_coalesce() (bsc#1197099
  jsc#SLE-24124).
- net: ena: switch to dim algorithm for rx adaptive interrupt
  moderation (bsc#1197099 jsc#SLE-24124).
- net: ena: add intr_moder_rx_interval to struct ena_com_dev
  and use it (bsc#1197099 jsc#SLE-24124).
- lib/dim: Fix -Wunused-const-variable warnings (bsc#1197099
  jsc#SLE-24124).
- linux/dim: Fix overflow in dim calculation (bsc#1197099
  jsc#SLE-24124).
- linux/dim: Implement RDMA adaptive moderation (DIM) (bsc#1197099
  jsc#SLE-24124).
- linux/dim: Add completions count to dim_sample (bsc#1197099
  jsc#SLE-24124).
- linux/dim: Rename externally used net_dim members (bsc#1197099
  jsc#SLE-24124).
- linux/dim: Rename net_dim_sample() to net_dim_update_sample()
  (bsc#1197099 jsc#SLE-24124).
- linux/dim: Rename externally exposed macros (bsc#1197099
  jsc#SLE-24124).
- linux/dim: Remove "net" prefix from internal DIM members
  (bsc#1197099 jsc#SLE-24124).
- linux/dim: Move logic to dim.h (bsc#1197099 jsc#SLE-24124).
- Documentation/networking: Add net DIM documentation (bsc#1197099
  jsc#SLE-24124).
- MAINTAINERS: add entry for Dynamic Interrupt Moderation
  (bsc#1197099 jsc#SLE-24124).
- commit 051ce5b
- rpm/constraints.in: skip SLOW_DISK workers for kernel-source
- commit e84694f
- rpm/*.spec.in: remove backtick usage
- commit 87ca1fb
- rpm/kernel-obs-build.spec.in: add systemd-initrd and terminfo dracut module (bsc#1195775)
- commit d9a821b
- rpm/kernel-obs-build.spec.in: use default dracut modules (bsc#1195926,
  bsc#1198484)
  Let's iron out the reduced initrd optimisation in Tumbleweed.
  Build full blown dracut initrd with systemd for SLE15 SP4.
- commit ea76821
- Add dtb-microchip
- commit c797107
- pNFS/flexfiles: fix incorrect size check in decode_nfs_fh()
  (git-fixes CVE-2021-4157 bnc#1194013).
- commit 957ab2c
- rpm/kernel-source.spec.in: temporary workaround for a build failure
  Upstream c6x architecture removal left a dangling link behind which
  triggers openSUSE post-build check in kernel-source, failing
  kernel-source build.
  A fix deleting the dangling link has been submitted but it did not make
  it into 5.12-rc1. Unfortunately we cannot add it as a patch as patch
  utility does not handle symlink removal. Add a temporary band-aid which
  deletes all dangling symlinks after unpacking the kernel source tarball.
  [jslaby] It's not that temporary as we are dragging this for quite some
  time in master. The reason is that this can happen any time again, so
  let's have this in packaging instead.
- commit 52a1ad7
- powerpc/pseries: extract host bridge from pci_bus prior to
  bus removal (bsc#1182171 ltc#190900 bsc#1198660 ltc#197803).
- commit b12aafe
- powerpc/pci: Fix broken INTx configuration via OF (bsc#1172145
  ltc#184630 bsc#1200770 ltc#198666).
- powerpc/pci: Use of_irq_parse_and_map_pci() helper (bsc#1172145
  ltc#184630 bsc#1200770 ltc#198666).
- commit 0d4a2e4
- powerpc/pci: Remove LSI mappings on device teardown (bsc#1172145
  ltc#184630 bsc#1200770 ltc#198666).
- commit ab4cfbd
keyutils
- Apply default TTL to DNS records from getaddrinfo() (upstream):
  * dns-Apply-a-default-TTL-to-records-obtained-from-get.patch
less
- Fix Startup terminal initialization, bsc#1200738
  * bsc1200738.patch
libcroco
- Add libcroco-CVE-2020-12825.patch: limit recursion in block and
  any productions (boo#1171685 CVE-2020-12825).
libfastjson
- update to 0.99.8:
  * make build under gcc7 with strict settings (warning==error)
  * bugfix: constant key names not properly handled
  * fix potentially invalid return value of fjson_object_iter_begin
  * fix small potential memory leak in json_tokener
- update to 0.99.7:
  * add option for case-insensitive comparisons
  * Remove userdata and custom-serialization functions
- update to 0.99.6:
  * fixes for platforms other than GNU/Linux
- update to 0.99.5:
  * fix floating point representation when fractional part is missing
  * m4: fix detection of atomics
  * add fjson_object_dump() and fjson_object_write() functions
libgcrypt
- FIPS: Auto-initialize drbg if needed. [bsc#1200095]
  * Add a _gcry_drbg_init() to _gcry_drbg_randomize() and to
    _gcry_drbg_add_bytes() to fix a crash in FIPS mode.
  * Add libgcrypt-FIPS-Autoinitialize-drbg-if-needed.patch
libksba
- Security fix: [bsc#1204357, CVE-2022-3515]
  * Detect a possible overflow directly in the TLV parser.
  * Add libksba-CVE-2022-3515.patch
libnl-1_1
- Fix elevation of privilege vulnerability (bsc#1020123, CVE-2017-0386).
  Add: libnl-1_1-fix-elevation-of-privilege-vulnerability.patch
libnl3
- Fix elevation of privilege vulnerability (bsc#1020123, CVE-2017-0386).
  Add: libnl3-fix-elevation-of-privilege-vulnerability.patch
libtasn1
- Add libtasn1-CVE-2021-46848.patch: Fixed off-by-one array size check
  that affects asn1_encode_simple_der (CVE-2021-46848, bsc#1204690).
libtirpc
- fix CVE-2021-46828: libtirpc: DoS vulnerability with lots of
  connections (bsc#1201680)
  - backport 0001-Fix-DoS-vulnerability-in-libtirpc.patch
- exclude ipv6 addresses in client protocol 2 code (bsc#1200800)
  - update 0001-rpcb_clnt.c-config-to-try-protocolversion-2-first.patch
- fix memory leak in params.r_addr assignment (bsc#1198752)
  - add 0001-fix-parms.r_addr-memory-leak.patch
libxml2
- Security fixes:
  * [CVE-2022-40303, bsc#1204366] Fix integer overflows with
    XML_PARSE_HUGE
    + Added patch libxml2-CVE-2022-40303.patch
  * [CVE-2022-40304, bsc#1204367] Fix dict corruption caused by
    entity reference cycles
    + Added patch libxml2-CVE-2022-40304.patch
- Security fix: [bsc#1201978, CVE-2016-3709]
  * Cross-site scripting vulnerability after commit 960f0e2
  * Add libxml2-CVE-2016-3709.patch
- Security fix: [bsc#1069689, CVE-2017-16932]
  * parser.c in libxml2 before 2.9.5 does not prevent infinite
    recursion in parameter entities.
  * Add libxml2-CVE-2017-16932.patch
- Sync and fix changelog entries between libxml2 and
  python-libxml2.
- Security fix: [bsc#1199132, CVE-2022-29824]
  * Integer overflow leading to out-of-bounds write in buf.c
    (xmlBuf*) and tree.c (xmlBuffer*)
  * Add libxml2-CVE-2022-29824.patch
  * Add libxml2-CVE-2022-23308.patch
  * Add libxml2-CVE-2021-3541.patch
- Version update to 2.9.7 release:
  * Bug Fixes:
    + xmlcatalog: restore ability to query system catalog easily
    + Fix comparison of nodesets to strings
  * Improvements:
    + Add Makefile rules to rebuild HTML man pages
    + Remove generated file python/setup.py from version control
    + Fix mixed decls and code in timsort.h
    + Rework handling of return values in thread tests
    + Fix unused variable warnings in testrecurse
    + Fix -Wimplicit-fallthrough warnings
    + Upgrade timsort.h to latest revision
    + Fix a couple of warnings in dict.c and threads.c
    + Fix unused variable warnings in nanohttp.c
    + Don't include winsock2.h in xmllint.c
    + Use __linux__ macro in generated code
  * Portability:
    + Add declaration for DllMain
    + Fix preprocessor conditional in threads.h
    + Fix macro redefinition warning
    + many Windows specific improvements
  * Documentation:
    + xmlcatalog: refresh man page wrt. querying system catalog easily
- Includes bug fixes from 2.9.6:
  * Fix XPath stack frame logic
  * Report undefined XPath variable error message
  * Fix regression with librsvg
  * Handle more invalid entity values in recovery mode
  * Fix structured validation errors
  * Fix memory leak in LZMA decompressor
  * Set memory limit for LZMA decompression
  * Handle illegal entity values in recovery mode
  * Fix debug dump of streaming XPath expressions
  * Fix memory leak in nanoftp
  * Fix memory leaks in SAX1 parser
- Drop libxml2-bug787941.patch
  * upstreamed in 3157cf4e53c03bc3da604472c015c63141907db8
- Update package summaries and RPM groups. Trim descriptions for
  size on secondary subpackages. Replace install call by a
  commonly-used macro.
- Add patch to fix TW integration:
  * libxml2-bug787941.patch
- Version update to 2.9.5 release:
  * Merged all the previous cve fixes that were patched in
  * Few small tweaks
- Remove merged patches:
  * libxml2-CVE-2016-4658.patch
  * libxml2-CVE-2017-0663.patch
  * libxml2-CVE-2017-5969.patch
  * libxml2-CVE-2017-9047.patch
  * libxml2-CVE-2017-9048.patch
  * libxml2-CVE-2017-9049.patch
  * libxml2-2.9.4-fix_attribute_decoding.patch
- Added libxml2-CVE-2016-4658.patch: Disallow namespace nodes in
  XPointer ranges. Namespace nodes must be copied to avoid
  use-after-free errors. But they don't necessarily have a physical
  representation in a document, so simply disallow them in XPointer
  ranges [bsc#1005544] [CVE-2016-4658]
- Remove obsolete patches libxml2-2.9.1-CVE-2016-3627.patch,
  0001-Add-missing-increments-of-recursion-depth-counter-to.patch,
  and libxml2-2.9.3-bogus_UTF-8_encoding_error.patch.
- add libxml2-2.9.3-bogus_UTF-8_encoding_error.patch to fix XML
  push parser that fails with bogus UTF-8 encoding error when
  multi-byte character in large CDATA section is split across
  buffer [bnc#962796]
- temporarily reverting libxml2-CVE-2014-0191.patch until there is a fix
  that doesn't break other applications
- buildignore python to avoid build cycle
- fix version
- renamed to python-libxml2 to follow python naming expectations
- do not require python but let rpm figure it out
- buildrequire python-xml to fix build
libyajl
- add libyajl-CVE-2022-24795.patch (CVE-2022-24795, bsc#1198405)
logrotate
- Security fix: (bsc#1192449) related to (bsc#1191281, CVE-2021-3864)
  * enforce stricter parsing to avoid CVE-2021-3864
  * Added patch logrotate-enforce-stricter-parsing-and-extra-tests.patch
- Fix "logrotate emits unintended warning: keyword size not properly
  separated, found 0x3d" (bsc#1200278, bsc#1200802):
  * Added patch logrotate-dont_warn_on_size=_syntax.patch
mozilla-nspr
- update to version 4.34
  * add an API that returns a preferred loopback IP on hosts that
    have two IP stacks available.
- update to 4.33:
  * fixes to build system and export of private symbols
mozilla-nss
- update to NSS 3.79.1 (bsc#1202645)
  * bmo#1366464 - compare signature and signatureAlgorithm fields in legacy certificate verifier.
  * bmo#1771498 - Uninitialized value in cert_ComputeCertType.
  * bmo#1759794 - protect SFTKSlot needLogin with slotLock.
  * bmo#1760998 - avoid data race on primary password change.
  * bmo#1330271 - check for null template in sec_asn1{d,e}_push_state.
- Update nss-fips-approved-crypto-non-ec.patch to unapprove the
  rest of the DSA ciphers, keeping signature verification only
  (bsc#1201298).
- Update nss-fips-constructor-self-tests.patch to fix compiler
  warning.
- Update nss-fips-constructor-self-tests.patch to add on-demand
  integrity tests through sftk_FIPSRepeatIntegrityCheck()
  (bsc#1198980).
- Update nss-fips-approved-crypto-non-ec.patch to mark algorithms
  as approved/non-approved according to security policy
  (bsc#1191546, bsc#1201298).
- Update nss-fips-approved-crypto-non-ec.patch to remove hard
  disabling of unapproved algorithms. This requirement is now
  fulfilled by the service level indicator (bsc#1200325).
- Remove nss-fips-tls-allow-md5-prf.patch, since we no longer need
  the workaround in FIPS mode (bsc#1200325).
- Remove nss-fips-tests-skip.patch. This is no longer needed since
  we removed the code to short-circuit broken hashes and moved to
  using the SLI.
- Remove upstreamed patches:
  * nss-fips-version-indicators.patch
  * nss-fips-tests-pin-paypalee-cert.patch
- update to NSS 3.79
  - bmo#205717 - Use PK11_GetSlotInfo instead of raw C_GetSlotInfo calls.
  - bmo#1766907 - Update mercurial in clang-format docker image.
  - bmo#1454072 - Use of uninitialized pointer in lg_init after alloc fail.
  - bmo#1769295 - selfserv and tstclnt should use PR_GetPrefLoopbackAddrInfo.
  - bmo#1753315 - Add SECMOD_LockedModuleHasRemovableSlots.
  - bmo#1387919 - Fix secasn1d parsing of indefinite SEQUENCE inside indefinite GROUP.
  - bmo#1765753 - Added RFC8422 compliant TLS <= 1.2 undefined/compressed ECPointFormat extension alerts.
  - bmo#1765753 - TLS 1.3 Server: Send protocol_version alert on unsupported ClientHello.legacy_version.
  - bmo#1764788 - Correct invalid record inner and outer content type alerts.
  - bmo#1757075 - NSS does not properly import or export pkcs12 files with large passwords and pkcs5v2 encoding.
  - bmo#1766978 - improve error handling after nssCKFWInstance_CreateObjectHandle.
  - bmo#1767590 - Initialize pointers passed to NSS_CMSDigestContext_FinishMultiple.
  - bmo#1769302 - NSS 3.79 should depend on NSPR 4.34
- update to NSS 3.78.1
  * bmo#1767590 - Initialize pointers passed to
    NSS_CMSDigestContext_FinishMultiple
- update to NSS 3.78
  * bmo#1755264 - Added TLS 1.3 zero-length inner plaintext checks and tests, zero-length record/fragment handling tests.
  * bmo#1294978 - Reworked overlong record size checks and added TLS1.3 specific boundaries.
  * bmo#1763120 - Add ECH Grease Support to tstclnt
  * bmo#1765003 - Add a strict variant of moz::pkix::CheckCertHostname.
  * bmo#1166338 - Change SSL_REUSE_SERVER_ECDHE_KEY default to false.
  * bmo#1760813 - Make SEC_PKCS12EnableCipher succeed
  * bmo#1762489 - Update zlib in NSS to 1.2.12.
- update to NSS 3.77
  * Bug 1762244 - resolve mpitests build failure on Windows.
  * bmo#1761779 - Fix link to TLS page on wireshark wiki
  * bmo#1754890 - Add two D-TRUST 2020 root certificates.
  * bmo#1751298 - Add Telia Root CA v2 root certificate.
  * bmo#1751305 - Remove expired explicitly distrusted certificates
    from certdata.txt.
  * bmo#1005084 - support specific RSA-PSS parameters in mozilla::pkix
  * bmo#1753535 - Remove obsolete stateEnd check in SEC_ASN1DecoderUpdate.
  * bmo#1756271 - Remove token member from NSSSlot struct.
  * bmo#1602379 - Provide secure variants of mpp_pprime and mpp_make_prime.
  * bmo#1757279 - Support UTF-8 library path in the module spec string.
  * bmo#1396616 - Update nssUTF8_Length to RFC 3629 and fix buffer overrun.
  * bmo#1760827 - Add a CI Target for gcc-11.
  * bmo#1760828 - Change to makefiles for gcc-4.8.
  * bmo#1741688 - Update googletest to 1.11.0
  * bmo#1759525 - Add SetTls13GreaseEchSize to experimental API.
  * bmo#1755264 - TLS 1.3 Illegal legacy_version handling/alerts.
  * bmo#1755904 - Fix calculation of ECH HRR Transcript.
  * bmo#1758741 - Allow ld path to be set as environment variable.
  * bmo#1760653 - Ensure we don't read uninitialized memory in ssl gtests.
  * bmo#1758478 - Fix DataBuffer Move Assignment.
  * bmo#1552254 - internal_error alert on Certificate Request with
    sha1+ecdsa in TLS 1.3
  * bmo#1755092 - rework signature verification in mozilla::pkix
- Require nss-util in nss.pc and subsequently remove -lnssutil3
- update to NSS 3.76.1
  NSS 3.76.1
  * bmo#1756271 - Remove token member from NSSSlot struct.
  NSS 3.76
  * bmo#1755555 - Hold tokensLock through nssToken_GetSlot calls in
    nssTrustDomain_GetActiveSlots.
  * bmo#1370866 - Check return value of PK11Slot_GetNSSToken.
  * bmo#1747957 - Use Wycheproof JSON for RSASSA-PSS
  * bmo#1679803 - Add SHA256 fingerprint comments to old
    certdata.txt entries.
  * bmo#1753505 - Avoid truncating files in nss-release-helper.py.
  * bmo#1751157 - Throw illegal_parameter alert for illegal extensions
    in handshake message.
- Add nss-util pkgconfig and config files (copied from RH/Fedora)
- update to NSS 3.75
  * bmo#1749030 - This patch adds gcc-9 and gcc-10 to the CI.
  * bmo#1749794 - Make DottedOIDToCode.py compatible with python3.
  * bmo#1749475 - Avoid undefined shift in SSL_CERT_IS while fuzzing.
  * bmo#1748386 - Remove redundant key type check.
  * bmo#1749869 - Update ABI expectations to match ECH changes.
  * bmo#1748386 - Enable CKM_CHACHA20.
  * bmo#1747327 - check return on NSS_NoDB_Init and NSS_Shutdown.
  * bmo#1747310 - real move assignment operator.
  * bmo#1748245 - Run ECDSA test vectors from bltest as part of the CI tests.
  * bmo#1743302 - Add ECDSA test vectors to the bltest command line tool.
  * bmo#1747772 - Allow to build using clang's integrated assembler.
  * bmo#1321398 - Allow to override python for the build.
  * bmo#1747317 - test HKDF output rather than input.
  * bmo#1747316 - Use ASSERT macros to end failed tests early.
  * bmo#1747310 - move assignment operator for DataBuffer.
  * bmo#1712879 - Add test cases for ECH compression and unexpected
    extensions in SH.
  * bmo#1725938 - Update tests for ECH-13.
  * bmo#1725938 - Tidy up error handling.
  * bmo#1728281 - Add tests for ECH HRR Changes.
  * bmo#1728281 - Server only sends GREASE HRR extension if enabled
    by preference.
  * bmo#1725938 - Update generation of the Associated Data for ECH-13.
  * bmo#1712879 - When ECH is accepted, reject extensions which were
    only advertised in the Outer Client Hello.
  * bmo#1712879 - Allow for compressed, non-contiguous, extensions.
  * bmo#1712879 - Scramble the PSK extension in CHOuter.
  * bmo#1712647 - Split custom extension handling for ECH.
  * bmo#1728281 - Add ECH-13 HRR Handling.
  * bmo#1677181 - Client side ECH padding.
  * bmo#1725938 - Stricter ClientHelloInner Decompression.
  * bmo#1725938 - Remove ECH_inner extension, use new enum format.
  * bmo#1725938 - Update the version number for ECH-13 and adjust
    the ECHConfig size.
- update to NSS 3.74
  * bmo#966856 - mozilla::pkix: support SHA-2 hashes in CertIDs in
    OCSP responses
  * bmo#1553612 - Ensure clients offer consistent ciphersuites after HRR
  * bmo#1721426 - NSS does not properly restrict server keys based on policy
  * bmo#1733003 - Set nssckbi version number to 2.54
  * bmo#1735407 - Replace Google Trust Services LLC (GTS) R4 root certificate
  * bmo#1735407 - Replace Google Trust Services LLC (GTS) R3 root certificate
  * bmo#1735407 - Replace Google Trust Services LLC (GTS) R2 root certificate
  * bmo#1735407 - Replace Google Trust Services LLC (GTS) R1 root certificate
  * bmo#1735407 - Replace GlobalSign ECC Root CA R4
  * bmo#1733560 - Remove Expired Root Certificates - DST Root CA X3
  * bmo#1740807 - Remove Expiring Cybertrust Global Root and GlobalSign root
    certificates
  * bmo#1741930 - Add renewed Autoridad de Certificacion Firmaprofesional
    CIF A62634068 root certificate
  * bmo#1740095 - Add iTrusChina ECC root certificate
  * bmo#1740095 - Add iTrusChina RSA root certificate
  * bmo#1738805 - Add ISRG Root X2 root certificate
  * bmo#1733012 - Add Chunghwa Telecom's HiPKI Root CA - G1 root certificate
  * bmo#1738028 - Avoid a clang 13 unused variable warning in opt build
  * bmo#1735028 - Check for missing signedData field
  * bmo#1737470 - Ensure DER encoded signatures are within size limits
- enable key logging option (boo#1195040)
- update to NSS 3.73.1:
  * Add SHA-2 support to mozilla::pkix's OCSP implementation
- update to NSS 3.73
  * bmo#1735028 - check for missing signedData field.
  * bmo#1737470 - Ensure DER encoded signatures are within size limits.
  * bmo#1729550 - NSS needs FIPS 140-3 version indicators.
  * bmo#1692132 - pkix_CacheCert_Lookup doesn't return cached certs
  * bmo#1738600 - sunset Coverity from NSS
  MFSA 2021-51 (bsc#1193170)
  * CVE-2021-43527 (bmo#1737470)
    Memory corruption via DER-encoded DSA and RSA-PSS signatures
- update to NSS 3.72
  * Remove newline at the end of coreconf.dep
  * bmo#1731911 - Fix nsinstall parallel failure.
  * bmo#1729930 - Increase KDF cache size to mitigate perf
    regression in about:logins
- update to NSS 3.71
  * bmo#1717716 - Set nssckbi version number to 2.52.
  * bmo#1667000 - Respect server requirements of tlsfuzzer/test-tls13-signature-algorithms.py
  * bmo#1373716 - Import of PKCS#12 files with Camellia encryption is not supported
  * bmo#1717707 - Add HARICA Client ECC Root CA 2021.
  * bmo#1717707 - Add HARICA Client RSA Root CA 2021.
  * bmo#1717707 - Add HARICA TLS ECC Root CA 2021.
  * bmo#1717707 - Add HARICA TLS RSA Root CA 2021.
  * bmo#1728394 - Add TunTrust Root CA certificate to NSS.
- update to NSS 3.70
  * bmo#1726022 - Update test case to verify fix.
  * bmo#1714579 - Explicitly disable downgrade check in TlsConnectStreamTls13.EchOuterWith12Max
  * bmo#1714579 - Explicitly disable downgrade check in TlsConnectTest.DisableFalseStartOnFallback
  * bmo#1681975 - Avoid using a lookup table in nssb64d.
  * bmo#1724629 - Use HW accelerated SHA2 on AArch64 Big Endian.
  * bmo#1714579 - Change default value of enableHelloDowngradeCheck to true.
  * bmo#1726022 - Cache additional PBE entries.
  * bmo#1709750 - Read HPKE vectors from official JSON.
- Update to NSS 3.69.1
  * bmo#1722613 (Backout) - Disable DTLS 1.0 and 1.1 by default
  * bmo#1720226 (Backout) - integrity checks in key4.db not happening
    on private components with AES_CBC
  NSS 3.69
  * bmo#1722613 - Disable DTLS 1.0 and 1.1 by default (backed out again)
  * bmo#1720226 - integrity checks in key4.db not happening on private
    components with AES_CBC (backed out again)
  * bmo#1720235 - SSL handling of signature algorithms ignores
    environmental invalid algorithms.
  * bmo#1721476 - sqlite 3.34 changed its open semantics, causing
    nss failures.
    (removed obsolete nss-btrfs-sqlite.patch)
  * bmo#1720230 - Gtest update changed the gtest reports, losing gtest
    details in all.sh reports.
  * bmo#1720228 - NSS incorrectly accepting 1536 bit DH primes in FIPS mode
  * bmo#1720232 - SQLite calls could timeout in starvation situations.
  * bmo#1720225 - Coverity/cpp scanner errors found in nss 3.67
  * bmo#1709817 - Import the NSS documentation from MDN in nss/doc.
  * bmo#1720227 - NSS using a tempdir to measure sql performance not active
- add nss-fips-stricter-dh.patch
- updated existing patches with latest SLE
- Update nss-fips-constructor-self-tests.patch to scan
  LD_LIBRARY_PATH for external libraries to be checksummed.
- Run test suite at build time, and make it pass (bsc#1198486).
  Based on work by Marcus Meissner.
- Add nss-fips-tests-skip.patch to skip algorithms that are hard
  disabled in FIPS mode.
- Add nss-fips-tests-pin-paypalee-cert.patch to prevent expired
  PayPalEE cert from failing the tests.
- Add nss-fips-tests-enable-fips.patch, which enables FIPS during
  test certificate creation and disables the library checksum
  validation during same.
- Update nss-fips-constructor-self-tests.patch to allow
  checksumming to be disabled, but only if we entered FIPS mode
  due to NSS_FIPS being set, not if it came from /proc.
- Add nss-fips-pbkdf-kat-compliance.patch (bsc#1192079). This
  makes the PBKDF known answer test compliant with NIST SP800-132.
- Update FIPS validation string to version-release format.
- Update nss-fips-approved-crypto-non-ec.patch to remove XCBC MAC
  from list of FIPS approved algorithms.
- Enable NSS_ENABLE_FIPS_INDICATORS and set NSS_FIPS_MODULE_ID
  for build.
- Update nss-fips-approved-crypto-non-ec.patch to claim 3DES
  unapproved in FIPS mode (bsc#1192080).
- Update nss-fips-constructor-self-tests.patch to allow testing
  of unapproved algorithms (bsc#1192228).
- Add nss-fips-version-indicators.patch (bmo#1729550, bsc#1192086).
  This adds FIPS version indicators.
- Add nss-fips-180-3-csp-clearing.patch (bmo#1697303, bsc#1192087).
  Most of the relevant changes are already upstream since NSS 3.60.
- Mozilla NSS 3.68.4 (bsc#1200027)
  * Initialize pointers passed to NSS_CMSDigestContext_FinishMultiple.
    (bmo#1767590)
ncurses
- Add patch ncurses-bnc1198627.patch
  * Fix bsc#1198627: CVE-2022-29458: ncurses: segfaulting OOB read
openldap2
- bsc#1198341 - Prevent memory reuse which may lead to instability
  * 0226-Change-malloc-to-use-calloc-to-prevent-memory-reuse-.patch
- bsc#1199240 - CVE-2022-29155 - Resolve sql injection in back-sql
  * 0225-ITS-9815-slapd-sql-escape-filter-values.patch
- bsc#1198383 - Resolve issue with SASL init
  * 0224-ITS-8648-init-SASL-library-in-global-init.patch
openssl-1_0_0
- Added openssl-1_0_0-Fix-file-operations-in-c_rehash.patch
  * bsc#1200550
  * CVE-2022-2068
  * Fixed more shell code injection issues in c_rehash
- Fixed error in openssl-CVE-2022-1292.patch resulting in misnamed
  variable.
- Security fix: [bsc#1199166, CVE-2022-1292]
  * Added: openssl-CVE-2022-1292.patch
  * properly sanitise shell metacharacters in c_rehash script.
patterns-sles
- downgrade requires of libopenssl-1_1-hmac to avoid explicit pulling
  in perhaps unwanted openssl 1.1.1 (bsc#1196307)
pcre
- Added pcre-8.45-bsc1199232-unicode-property-matching.patch
  * bsc#1199232
  * CVE-2022-1586
  * Fixes unicode property matching issue
python
- Add patch CVE-2021-28861-double-slash-path.patch:
  * BaseHTTPServer: Fix an open redirection vulnerability in the HTTP server
    when a URI path starts with //. (bsc#1202624, CVE-2021-28861)
- Add CVE-2015-20107-mailcap-unsafe-filenames.patch to avoid
  CVE-2015-20107 (bsc#1198511, gh#python/cpython#68966), the
  command injection in the mailcap module.
python-M2Crypto
- Add CVE-2020-25657-Bleichenbacher-attack.patch (CVE-2020-25657,
  bsc#1178829), which mitigates the Bleichenbacher timing attacks
  in the RSA decryption API.
- Add python-M2Crypto.keyring to verify GPG signature of tarball.
python-PyJWT
- Add CVE-2022-29217-non-blocked-pubkeys.patch fixing
  CVE-2022-29217 (bsc#1199756), which disallows use of blocked
  pubkeys (heavily modified from upstream).
python-base
- Add patch CVE-2021-28861-double-slash-path.patch:
  * BaseHTTPServer: Fix an open redirection vulnerability in the HTTP server
    when a URI path starts with //. (bsc#1202624, CVE-2021-28861)
- Add CVE-2015-20107-mailcap-unsafe-filenames.patch to avoid
  CVE-2015-20107 (bsc#1198511, gh#python/cpython#68966), the
  command injection in the mailcap module.
python3
- Add patch CVE-2021-28861-double-slash-path.patch:
  * http.server: Fix an open redirection vulnerability in the HTTP server
    when a URI path starts with //. (bsc#1202624, CVE-2021-28861)
- Add CVE-2015-20107-mailcap-unsafe-filenames.patch to avoid
  CVE-2015-20107 (bsc#1198511, gh#python/cpython#68966), the
  command injection in the mailcap module.
- Add bpo-46623-skip-zlib-s390x.patch skipping two failing tests
  on s390x.
- drop PYTHONSTARTUP hooks that cause spurious startup errors
  (bsc#1070738, bsc#1199441), as the relevant feature (REPL
  history) is now built into Python itself.
python3-base
- Add patch CVE-2021-28861-double-slash-path.patch:
  * http.server: Fix an open redirection vulnerability in the HTTP server
    when a URI path starts with //. (bsc#1202624, CVE-2021-28861)
- Add CVE-2015-20107-mailcap-unsafe-filenames.patch to avoid
  CVE-2015-20107 (bsc#1198511, gh#python/cpython#68966), the
  command injection in the mailcap module.
- Add bpo-46623-skip-zlib-s390x.patch skipping two failing tests
  on s390x.
- drop PYTHONSTARTUP hooks that cause spurious startup errors
  (bsc#1070738, bsc#1199441), as the relevant feature (REPL
  history) is now built into Python itself.
python3-lxml
- Add patch CVE-2020-27783.patch to fix CVE-2020-27783 mXSS due to the use of
  improper parser
  Fix bsc#1179534
rsync
- Add support for --trust-sender parameter (patch by Jie Gong in
  bsc#1202970). (related to CVE-2022-29154, bsc#1201840)
  * Added patch rsync-CVE-2022-29154-trust-sender-1.patch
  * Added patch rsync-CVE-2022-29154-trust-sender-2.patch
- Apply "rsync-CVE-2022-29154.patch" to fix a security vulnerability
  in the do_server_recv() function. [bsc#1201840, CVE-2022-29154]
- Run rsync's regression test suite as part of the build.
rsyslog
- (CVE-2022-24903) fix potential heap buffer overflow in modules for TCP
  syslog reception (bsc#1199061)
  * add CVE-2022-24903.patch
salt
- Fix state.apply in test mode with file state module
  on user/group checking (bsc#1202167)
- Added:
  * fix-state.apply-in-test-mode-with-file-state-module-.patch
- Make zypperpkg retry if RPM lock is temporarily unavailable (bsc#1200596)
- Added:
  * retry-if-rpm-lock-is-temporarily-unavailable-547-551.patch
- Add support for gpgautoimport in zypperpkg module
- Fix salt.states.file.managed() for follow_symlinks=True and test=True (bsc#1199372)
- Added:
  * fix-salt.states.file.managed-for-follow_symlinks-tru.patch
  * add-support-for-gpgautoimport-to-refresh_db-in-the-z.patch
- Add support for name, pkgs and diff_attr parameters to upgrade
  function for zypper and yum (bsc#1198489)
- Added:
  * add-support-for-name-pkgs-and-diff_attr-parameters-t.patch
- Unify logic on using multiple requisites and add onfail_all (bsc#1198738)
- Normalize package names once with pkg.installed/removed using yum (bsc#1195895)
- Added:
  * normalize-package-names-once-with-pkg.installed-remo.patch
  * unify-logic-on-using-multiple-requisites-and-add-onf.patch
- Fix handling of a sign-in response by a syndic node (bsc#1199906)
- Added:
  * fix-handling-of-a-sign-in-response-by-a-syndic-node-.patch
- Remove redundant overrides causing confusing DEBUG logging (bsc#1189501)
- Added:
  * remove-redundand-overrides-causing-confusing-debug-l.patch
- Fix PAM auth issue due to missing check for PAM_ACCT_MGM return value (CVE-2022-22967) (bsc#1200566)
- Added:
  * fix-for-cve-2022-22967-bsc-1200566.patch
samba
- CVE-2022-32742: SMB1 code does not correctly verify SMB1write,
  SMB1write_and_close, SMB1write_and_unlock lengths; (bso#15085);
  (bsc#1201496).
sqlite3
- update to 3.39.3:
  * Use a statement journal on DML statement affecting two or more
    database rows if the statement makes use of a SQL function
    that might abort.
  * Use a mutex to protect the PRAGMA temp_store_directory and
    PRAGMA data_store_directory statements, even though they are
    decremented and documented as not being threadsafe.
- update to 3.39.2:
  * Fix a performance regression in the query planner associated
    with rearranging the order of FROM clause terms in the
    presence of a LEFT JOIN.
  * Apply fixes for CVE-2022-35737, Chromium bugs 1343348 and
    1345947, forum post 3607259d3c, and other minor problems
    discovered by internal testing. [boo#1201783]
- update to 3.39.1:
  * Fix an incorrect result from a query that uses a view that
    contains a compound SELECT in which only one arm contains a
    RIGHT JOIN and where the view is not the first FROM clause term
    of the query that contains the view
  * Fix a long-standing problem with ALTER TABLE RENAME that can
    only arise if the sqlite3_limit(SQLITE_LIMIT_SQL_LENGTH) is set
    to a very small value.
  * Fix a long-standing problem in FTS3 that can only arise when
    compiled with the SQLITE_ENABLE_FTS3_PARENTHESIS compile-time
    option.
  * Fix the initial-prefix optimization for the REGEXP extension so
    that it works correctly even if the prefix contains characters
    that require a 3-byte UTF8 encoding.
  * Enhance the sqlite_stmt virtual table so that it buffers all of
    its output.
- update to 3.39.0:
  * Add (long overdue) support for RIGHT and FULL OUTER JOIN
  * Add new binary comparison operators IS NOT DISTINCT FROM and
    IS DISTINCT FROM that are equivalent to IS and IS NOT,
    respectively, for compatibility with PostgreSQL and SQL standards
  * Add a new return code (value "3") from the sqlite3_vtab_distinct()
    interface that indicates a query that has both DISTINCT and
    ORDER BY clauses
  * Added the sqlite3_db_name() interface
  * The unix os interface resolves all symbolic links in database
    filenames to create a canonical name for the database before
    the file is opened
  * Defer materializing views until the materialization is actually
    needed, thus avoiding unnecessary work if the materialization
    turns out to never be used
  * The HAVING clause of a SELECT statement is now allowed on any
    aggregate query, even queries that do not have a GROUP BY
    clause
  * Many microoptimizations collectively reduce CPU cycles by about
    2.3%.
- drop sqlite-src-3380100-atof1.patch, included upstream
- add sqlite-src-3390000-func7-pg-181.patch to skip float precision
  related test failures on 32 bit
- update to 3.38.5:
  * Fix a blunder in the CLI of the 3.38.4 release
- includes changes from 3.38.4:
  * fix a byte-code problem in the Bloom filter pull-down
    optimization added by release 3.38.0 in which an error in the
    byte code causes the byte code engine to enter an infinite loop
    when the pull-down optimization encounters a NULL key
- update to 3.38.3:
  * Fix a case of the query planner being overly aggressive with
    optimizing automatic-index and Bloom-filter construction,
    using inappropriate ON clause terms to restrict the size of the
    automatic-index or Bloom filter, and resulting in missing rows
    in the output.
  * Other minor patches. See the timeline for details.
- update to 3.38.2:
  * Fix a problem with the Bloom filter optimization that might
    cause an incorrect answer when doing a LEFT JOIN with a WHERE
    clause constraint that says that one of the columns on the
    right table of the LEFT JOIN is NULL.
  * Other minor patches.
- Remove obsolete configure flags
- Package the Tcl bindings here again so that we only ship one copy
  of SQLite (bsc#1195773).
- update to 3.38.1:
  * Fix problems with the new Bloom filter optimization that might
    cause some obscure queries to get an incorrect answer.
  * Fix the localtime modifier of the date and time functions so
    that it preserves fractional seconds.
  * Fix the sqlite_offset SQL function so that it works correctly
    even in corner cases such as when the argument is a virtual
    column or the column of a view.
  * Fix row value IN operator constraints on virtual tables so that
    they work correctly even if the virtual table implementation
    relies on bytecode to filter rows that do not satisfy the
    constraint.
  * Other minor fixes to assert() statements, test cases, and
    documentation. See the source code timeline for details.
- add upstream patch to run atof1 tests only on x86_64
  sqlite-src-3380100-atof1.patch
- update to 3.38.0
  * Add the -> and ->> operators for easier processing of JSON
  * The JSON functions are now built-ins
  * Enhancements to date and time functions
  * Rename the printf() SQL function to format() for better
    compatibility, with alias for backwards compatibility.
  * Add the sqlite3_error_offset() interface for helping localize
    an SQL error to a specific character in the input SQL text
  * Enhance the interface to virtual tables
  * CLI columnar output modes are enhanced to correctly handle tabs
    and newlines embedded in text, and add options like "--wrap N",
    "--wordwrap on", and "--quote" to the columnar output modes.
  * Query planner enhancements using a Bloom filter to speed up
    large analytic queries, and a balanced merge tree to evaluate
    UNION or UNION ALL compound SELECT statements that have an
    ORDER BY clause.
  * The ALTER TABLE statement is changed to silently ignore
    entries in the sqlite_schema table that do not parse when
    PRAGMA writable_schema=ON
- update to 3.37.2:
  * Fix a bug introduced in version 3.35.0 (2021-03-12) that can
    cause database corruption if a SAVEPOINT is rolled back while
    in PRAGMA temp_store=MEMORY mode, and other changes are made,
    and then the outer transaction commits
  * Fix a long-standing problem with ON DELETE CASCADE and ON
    UPDATE CASCADE in which a cache of the bytecode used to
    implement the cascading change was not being reset following a
    local DDL change
- update to 3.37.1:
  * Fix a bug introduced by the UPSERT enhancements of version
    3.35.0 that can cause incorrect byte-code to be generated for
    some obscure but valid SQL, possibly resulting in a NULL-
    pointer dereference.
  * Fix an OOB read that can occur in FTS5 when reading corrupt
    database files.
  * Improved robustness of the --safe option in the CLI.
  * Other minor fixes to assert() statements and test cases.
- SQLite3 3.37.0:
  * STRICT tables provide a prescriptive style of data type
    management, for developers who prefer that kind of thing.
  * When adding columns that contain a CHECK constraint or a
    generated column containing a NOT NULL constraint, the
    ALTER TABLE ADD COLUMN now checks new constraints against
    preexisting rows in the database and will only proceed if no
    constraints are violated.
  * Added the PRAGMA table_list statement.
  * Add the .connection command, allowing the CLI to keep multiple
    database connections open at the same time.
  * Add the --safe command-line option that disables dot-commands
    and SQL statements that might cause side-effects that extend
    beyond the single database file named on the command-line.
  * CLI: Performance improvements when reading SQL statements that
    span many lines.
  * Added the sqlite3_autovacuum_pages() interface.
  * The sqlite3_deserialize() does not and has never worked
    for the TEMP database. That limitation is now noted in the
    documentation.
  * The query planner now omits ORDER BY clauses on subqueries and
    views if removing those clauses does not change the semantics
    of the query.
  * The generate_series table-valued function extension is modified
    so that the first parameter ("START") is now required. This is
    done as a way to demonstrate how to write table-valued
    functions with required parameters. The legacy behavior is
    available using the -DZERO_ARGUMENT_GENERATE_SERIES
    compile-time option.
  * Added new sqlite3_changes64() and sqlite3_total_changes64()
    interfaces.
  * Added the SQLITE_OPEN_EXRESCODE flag option to sqlite3_open_v2().
  * Use less memory to hold the database schema.
  * bsc#1189802, CVE-2021-36690: Fix an issue with the SQLite Expert
    extension when a column has no collating sequence.
sudo
- Modified sudo-sudoers.patch
  * bsc#1177578
  * Removed redundant and confusing 'secure_path' settings in
    sudo-sudoers file.
systemd-presets-branding-SLE
- Enable suseconnect-keepalive.timer for SUSEConnect (jsc#SLE-23312)
telnet
- Fix CVE-2022-39028, NULL pointer dereference in telnetd
  (CVE-2022-39028, bsc#1203759)
  CVE-2022-39028.patch
timezone
- Update to reflect new Chile DST change, bsc#1202310
  * bsc1202310.patch
unzip
- Fix CVE-2022-0530, SIGSEGV during the conversion of a UTF-8 string
  to a local string (CVE-2022-0530, bsc#1196177)
  * CVE-2022-0530.patch
- Fix CVE-2022-0529, Heap out-of-bound writes and reads during
  conversion of wide string to local string (CVE-2022-0529, bsc#1196180)
  * CVE-2022-0529.patch
update-alternatives
util-linux
- mesg: use only stat() to get the current terminal status
  (bsc#1200842, util-linux-mesg-use-only-stat.patch).
- agetty: Resolve tty name even if stdin is specified (bsc#1197178,
  util-linux-agetty-resolve-tty-if-stdin-is-specified.patch).
- libmount: When moving a mount point, update all sub mount entries
  in utab (bsc#1198731,
  util-linux-libmount-moving-mount-point-sub-mounts.patch,
  util-linux-libmount-fix-and-improve-utab-on-ms_move.patch).
util-linux-systemd
- mesg: use only stat() to get the current terminal status
  (bsc#1200842, util-linux-mesg-use-only-stat.patch).
- agetty: Resolve tty name even if stdin is specified (bsc#1197178,
  util-linux-agetty-resolve-tty-if-stdin-is-specified.patch).
- libmount: When moving a mount point, update all sub mount entries
  in utab (bsc#1198731,
  util-linux-libmount-moving-mount-point-sub-mounts.patch,
  util-linux-libmount-fix-and-improve-utab-on-ms_move.patch).
which
- https urls, added signature (but did not find the public key)
- Use %license instead of %doc [bsc#1082318]
- Move installinfo scriptlet to preun so it won't fail
- Cleanup spec file with spec-cleaner
- Correct usage of info scriptlets
- GNU which 2.21:
  * Upgraded code from bash to version 4.3 (now uses eaccess).
  * Fixed a bug related to getgroups / sysconfig that caused Which
    not to see more than 64 groups for a single user
  * Build system maintenance.
- Update project and source URL to GNU project
xen
- bsc#1200549 VUL-0: CVE-2022-21123,CVE-2022-21125,CVE-2022-21166:
  xen: x86: MMIO Stale Data vulnerabilities (XSA-404)
  xsa404-1.patch
  xsa404-2.patch
  xsa404-3.patch
- bsc#1201469 - VUL-0: CVE-2022-23816,CVE-2022-23825,CVE-2022-29900:
  xen: retbleed - arbitrary speculative code execution with return
  instructions (XSA-407)
  xsa407-0a.patch
  xsa407-0b.patch
  xsa407-0c.patch
  xsa407-0d.patch
  xsa407-0e.patch
  xsa407-0f.patch
  xsa407-0g.patch
  xsa407-0h.patch
  xsa407-0i.patch
  xsa407-0j.patch
  xsa407-0k.patch
  xsa407-0l.patch
  xsa407-0m.patch
  xsa407-1.patch
  xsa407-2.patch
  xsa407-3.patch
  xsa407-4.patch
  xsa407-5.patch
  xsa407-6.patch
  xsa407-7.patch
  xsa407-8.patch
- bsc#1201394 - VUL-0: CVE-2022-33745: xen: insufficient TLB flush
  for x86 PV guests in shadow mode (XSA-408)
  xsa408.patch
- bsc#1199965 - VUL-0: CVE-2022-26362: xen: Race condition in
  typeref acquisition (XSA-401)
  xsa401-1.patch
  xsa401-2.patch
- bsc#1199966 - VUL-0: CVE-2022-26363,CVE-2022-26364: xen:
  Insufficient care with non-coherent mappings (XSA-402)
  xsa402-0.patch
  xsa402-1.patch
  xsa402-2.patch
  xsa402-3.patch
  xsa402-4.patch
  xsa402-5.patch
xfsprogs
- mkfs: validate extent size hint parameters (bsc#1138247)
  - add xfsprogs-xfs-move-inode-extent-size-hint-validation-to-libxfs.patch
  - add xfsprogs-xfs_repair-use-libxfs-extsize-cowextsize-validation-.patch
  - add xfsprogs-mkfs-validate-extent-size-hint-parameters.patch
- xfs_repair: Fix root inode's parent when it's bogus for sf directory
  (bsc#1138227)
  - add xfsprogs-xfs_repair-Fix-root-inode-s-parent-when-it-s-bogus-f.patch
zlib
- Fix heap-based buffer over-read or buffer overflow in inflate via
  large gzip header extra field (bsc#1202175, CVE-2022-37434,
  CVE-2022-37434-extra-header-1.patch,
  CVE-2022-37434-extra-header-2.patch).
zypper
- Return ZYPPER_EXIT_INF_RPM_SCRIPT_FAILED (107) also if %posttrans
  script failed. Requires ZYPPER_ON_CODE12_RETURN_107=1 being set
  in the environment (bsc#1198139)
- version 1.13.62
- info: Fix SEGV with not installed PTFs (bsc#1196317)
- version 1.13.61