apparmor
- apparmor-profiles-samba4.15.diff: Update samba profiles for
  samba 4.15 (jsc#SLE-23330);
autofs
- autofs-5.1.6-fix-quoted-string-length-calc-in-expand.patch
  Fix problem with quote handling
  (bsc#1181715)
- 0005-autofs-5.1.4-fix-incorrect-locking-in-sss-lookup.patch
  Fix locking problem that causes deadlock when sss used.
  (bsc#1196485)
- 0004-autofs-5.1.3-add-port-parameter-to-rpc_ping.patch
  Suppress portmap calls when port explicitly given
  (bsc#1195697)
bash
- Add bsc1197674.patch to fix memory leak in array asignment (bsc#1197674)
bind
- When using forwarders, bogus NS records supplied by, or via, those
  forwarders may be cached and used by named if it needs to recurse
  for any reason, causing it to obtain and pass on potentially
  incorrect answers.
  [CVE-2021-25220, bsc#1197135, bind-9.11.37-0001-CVE-2021-25220.patch]
ca-certificates
- Require p11-kit-tools > 0.23.1 as older versions don't support
  pem-directory-hash (bsc#1196443, boo#1196812)
- p11-kit 0.23.1 supports pem-directory-hash. Add patch
  0001-p11-kit-0.23.1-supports-pem-directory-hash-now.patch
  (jsc#SLE-23330)
cifs-utils
- CVE-2022-27239: mount.cifs: fix length check for ip option
  parsing; (bsc#1197216) (bso#15025); CVE-2022-27239.
  * add 0016-CVE-2022-27239-mount.cifs-fix-length-check-for-ip-op.patch
cloud-regionsrv-client
- Update to version 10.0.3 (bsc#1198389)
  - Descend into the extension tree even if top level module is recommended
  - Cache license state for AHB support to detect type switch
  - Properly clean suse.com credentials when switching from SCC to update
    infrastructure
  - New log message to indicate base product registration success
- Update to version 10.0.2
  + Fix name of logfile in error message
  + Fix variable scoping to properly detect registration error
  + Cleanup any artifacts on registration failure
  + Fix latent bug with /etc/hosts population
  + Do not throw error when attemting to unregister a system that is not
    registered
  + Skip extension registration if the extension is recommended by the
    baseproduct as it gets automatically installed
- Update to version 10.0.1 (bsc#1197113)
  + Provide status feedback on registration, success or failure
  + Log warning message if data provider is configured but no data
    can be retrieved
- Update -addon-azure to 1.0.3 follow up fix for (bsc#1195414, bsc#1195564)
  + The repo enablement timer cannot depend on guestregister.service
- Update -addon-azure to 1.0.2 (bsc#1196305)
  + The is-registered() function expects a string of the update server FQDN.
    The regionsrv-enabler-azure passed an Object of type SMT. Fix the call
    in regionsrv-enabler-azure.
- Update -plugin-azure to 2.0.0 (bsc#1196146)
  + Lower case the region hint to reduce issues with Azure region name
    case inconsistencies
- Update to version 10.0.0 (bsc#1195414, bsc#1195564)
  + Refactor removes check_registration() function in utils implementation
  + Only start the registration service for PAYG images
  - addon-azure sub-package to version 1.0.1
- Follow up changes to (jsc#PCT-130, bsc#1182026)
  + Fix executable name for AHB service/timer
  + Update manpage for BYOS instance registration
coreutils
- Add coreutils-du-fts-xfs-noleaf.patch to remove problematic
  special leaf optimization cases for XFS that can lead to du
  crashes.  (bsc#1190354)
cyrus-sasl
-  CVE-2022-24407: cyrus-sasl: SQL injection in sql_auxprop_store
  in plugins/sql.c (bsc#1196036)
  o add upstream patch:
    0001-CVE-2022-24407-Escape-password-for-SQL-insert-update.patch
cyrus-sasl-saslauthd
-  CVE-2022-24407: cyrus-sasl: SQL injection in sql_auxprop_store
  in plugins/sql.c (bsc#1196036)
  o add upstream patch:
    0001-CVE-2022-24407-Escape-password-for-SQL-insert-update.patch
expat
- Security fixes:
  * (CVE-2022-25236, bsc#1196784) [>=2.4.5] Fix to CVE-2022-25236
    breaks biboumi, ClairMeta, jxmlease, libwbxml,
    openleadr-python, rnv, xmltodict
  - Added expat-CVE-2022-25236-relax-fix.patch
- Security fixes:
  * (CVE-2022-25236, bsc#1196025) Expat before 2.4.5 allows
    attackers to insert namespace-separator characters into
    namespace URIs
  - Added expat-CVE-2022-25236.patch
  * (CVE-2022-25235, bsc#1196026) xmltok_impl.c in Expat before
    2.4.5 does not check whether a UTF-8 character is valid in a
    certain context.
  - Added expat-CVE-2022-25235.patch
  * (CVE-2022-25313, bsc#1196168) Stack exhaustion in
    build_model() via uncontrolled recursion
  - Added expat-CVE-2022-25313.patch
  - The fix upstream introduced a regression that was later
    amended in 2.4.6 version
    + Added expat-CVE-2022-25313-fix-regression.patch
  * (CVE-2022-25314, bsc#1196169) Integer overflow in copyString
  - Added expat-CVE-2022-25314-before.patch
  - Added expat-CVE-2022-25314.patch
  * (CVE-2022-25315, bsc#1196171) Integer overflow in storeRawNames
  - Added expat-CVE-2022-25315.patch
- Security fix (CVE-2022-23852, bsc#1195054)
  * Expat (aka libexpat) before 2.4.4 has a signed integer overflow
    in XML_GetBuffer, for configurations with a nonzero
    XML_CONTEXT_BYTES
  * Add tests for CVE-2022-23852.
  * Added expat-CVE-2022-23852.patch
- Security fix (CVE-2022-23990, bsc#1195217)
  * Fix unsigned integer overflow in function doProlog triggered
    by large content in element type declarations when there is
    an element declaration handler present (from a prior call to
    XML_SetElementDeclHandler).
  * Add expat-CVE-2022-23990.patch
  * Added expat-CVE-2022-22827.patch
gcc11
- Add a list of Obsoletes to libstdc++6-pp-gcc11 so updates from
  packages provided by older GCC work.  Add a requires from that
  package to the corresponding libstc++6 package to keep those
  at the same version.  [bsc#1196107]
- Add gcc11-D-dependence-fix.patch to fix memory corruption when
  creating dependences with the D language frontend.
- Sync cross.spec.in to avoid trying to build cross-aarch64-gcc1-bootstrap
  on aarch64 which is unresolvable.
- Add gcc11-PIE, similar to gcc-PIE but affecting gcc11 [bsc#1195628]
- Put libstdc++6-pp Requires on the shared library and drop
  to Recommends.
glib2
- Add glib2-CVE-2021-3800.patch: Fix a flaw due to random charset
  alias, pkexec can leak content from files owned by privileged
  users to unprivileged ones under the right condition (bsc#1191489,
  glgo#GNOME/glib!1369)
glibc
- clnt-create-unix-overflow.patch: Buffer overflow in sunrpc clnt_create
  for "/unix"/ (CVE-2022-23219, bsc#1194768, BZ #22542)
- svcunix-create-overflow.patch: Buffer overflow in sunrpc svcunix_create
  (CVE-2022-23218, bsc#1194770, BZ #28768)
- getcwd-erange.patch: getcwd: Set errno to ERANGE for size == 1
  (CVE-2021-3999, bsc#1194640, BZ #28769)
- hton-identity.patch: Make endian-conversion macros always return correct
  types (bsc#1193478, BZ #16458)
- dl-sort-maps.patch, dlopen-filter-object.patch: Allow dlopen of filter
  object to work (bsc#1192620, BZ #16272)
- cancelable-syscall-stack-align.patch: x86: fix stack alignment in
  cancelable syscall stub (bsc#1191835)
gzip
- Fix escaping of malicious filenames (CVE-2022-1271 bsc#1198062)
  * bsc1198062.patch
kdump
- Update kdump-add-watchdog-modules.patch
  Fix return code when no watchdog sysfs entry is found (bsc#1197069)
kernel-default
- drm: drm_file struct kABI compatibility workaround
  (bsc#1197914).
- commit 2eabdd0
- drm: use the lookup lock in drm_is_current_master (bsc#1197914).
- drm: protect drm_master pointers in drm_lease.c (bsc#1197914).
- drm: serialize drm_file.master with a new spinlock
  (bsc#1197914).
- drm: add a locked version of drm_is_current_master
  (bsc#1197914).
- commit 4b9807b
- xhci: Fresco FL1100 controller should not have BROKEN_MSI
  quirk set (git-fixes).
- commit f63fa75
- blacklist.conf: add unwanted patches
- commit 712ff34
- NFSv4/pNFS: Fix another issue with a list iterator pointing
  to the head (git-fixes).
- NFSv4.1: don't retry BIND_CONN_TO_SESSION on session error
  (git-fixes).
- NFS: Return valid errors from nfs2/3_decode_dirent()
  (git-fixes).
- commit e694ae1
- netfilter: nf_tables: initialize registers in nft_do_chain()
  (CVE-2022-1016 bsc#1197227).
- commit 4726ea9
- llc: fix netdevice reference leaks in llc_ui_bind() (git-fixes).
- commit caaa7d4
- can: mcba_usb: mcba_usb_start_xmit(): fix double dev_kfree_skb
  in error path (CVE-2022-28389 bsc#1198033).
- can: usb_8dev: usb_8dev_start_xmit(): fix double dev_kfree_skb()
  in error path (CVE-2022-28388 bsc#1198032).
- can: ems_usb: ems_usb_start_xmit(): fix double dev_kfree_skb()
  in error path (CVE-2022-28390 bsc#1198031).
- commit 2396928
- USB: storage: ums-realtek: fix error code in rts51x_read_mem()
  (git-fixes).
- commit 2ef8c04
- usb: ftdi-elan: fix memory leak on device disconnect
  (git-fixes).
- commit 94d2b0f
- net: asix: add proper error handling of usb read errors
  (git-fixes).
- commit af5488d
- tcp: add some entropy in __inet_hash_connect() (bsc#1180153).
- tcp: change source port randomizarion at connect() time
  (bsc#1180153).
- commit 20b0855
- blacklist.conf: requires USB PD 3.0, which cannot be backported
  without breaking kABI
- commit ba8f1e1
- blacklist.conf: no support for gadget mode in SLE12
- commit 8c19cdb
- USB: chipidea: fix interrupt deadlock (git-fixes).
- commit 1257abd
- blacklist.conf: no support for gadget mode in SLE12
- commit 1e01d6f
- xhci: Enable trust tx length quirk for Fresco FL11 USB
  controller (git-fixes).
- commit add0990
- blacklist.conf: dropped in upstream for causing regressions
- commit 5dddec4
- usb: host: xhci-rcar: Don't reload firmware after the completion
  (git-fixes).
- commit 7040ffb
- RDMA/ib_srp: Fix a deadlock (git-fixes)
- commit 7755b1f
- RDMA/mlx4: Don't continue event handler after memory allocation failure (git-fixes)
- commit fd24776
- RDMA/cxgb4: Set queue pair state when being queried (git-fixes)
- commit 92c7602
- RDMA/cma: Let cma_resolve_ib_dev() continue search even after empty entry (git-fixes)
- commit 51ac825
- RDMA/core: Let ib_find_gid() continue search even after empty entry (git-fixes)
- commit ae1d448
- RDMA/hns: Validate the pkey index (git-fixes)
- commit 1e9657a
- RDMA/bnxt_re: Scan the whole bitmap when checking if "/disabling RCFW with pending cmd-bit"/ (git-fixes)
- commit 71c6212
- RDMA/core: Don't infoleak GRH fields (git-fixes)
- commit 196723f
- IB/hfi1: Fix leak of rcvhdrtail_dummy_kvaddr (git-fixes)
- commit 3c73374
- IB/hfi1: Insure use of smp_processor_id() is preempt disabled (git-fixes)
- commit 24be347
- IB/hfi1: Correct guard on eager buffer deallocation (git-fixes)
- commit 499f820
- RDMA/qedr: Fix NULL deref for query_qp on the GSI QP (git-fixes)
- commit 0d4e0bf
- RDMA/mlx4: Return missed an error if device doesn't support steering (git-fixes)
- commit 5065e25
- RDMA/rxe: Fix wrong port_cap_flags (git-fixes)
- commit 2330d6f
- IB/qib: Protect from buffer overflow in struct qib_user_sdma_pkt fields (git-fixes)
- commit 2759c92
- RDMA/cma: Ensure rdma_addr_cancel() happens before issuing more requests (git-fixes)
- commit 278e4d8
- RDMA/iwcm: Release resources if iw_cm module initialization fails (git-fixes)
- commit 5f34a1e
- IB/hfi1: Adjust pkey entry in index 0 (git-fixes)
- commit 94af39e
- IB/hfi1: Fix possible null-pointer dereference in _extend_sdma_tx_descs() (git-fixes)
- commit d416851
- RDMA/rxe: Don't overwrite errno from ib_umem_get() (git-fixes)
- commit 3c295ae
- RDMA/rxe: Fix extra copy in prepare_ack_packet (git-fixes)
- commit 8740201
- RDMA/rxe: Fix over copying in get_srq_wqe (git-fixes)
- commit e55d18b
- RDMA/rxe: Fix redundant call to ip_send_check (git-fixes)
- commit be2aac9
- RDMA/rxe: Fix failure during driver load (git-fixes)
- commit 9ddaf27
- RDMA/cxgb4: check for ipv6 address properly while destroying listener (git-fixes)
- commit ea675f7
- xprtrdma: fix incorrect header size calculations (CVE-2022-0812
  bsc#1196639).
- commit 19d5b1d
- SUNRPC: Fix transport accounting when caller specifies an
  rpc_xprt (bsc#1197531).
- commit 3d20b7c
- RDMA/rxe: Handle skb_clone() failure in rxe_recv.c (git-fixes)
- refresh: patches.suse/RDMA-rxe-Fix-coding-error-in-rxe_rcv_mcast_pkt.patch
- commit c27a191
- team: protect features update by RCU to avoid deadlock
  (git-fixes).
- commit 273ca16
- net: dsa: bcm_sf2: put device node before return (git-fixes).
- commit fe0fcce
- can: dev: can_restart: fix use after free bug (git-fixes).
- commit 8d5e03e
- netxen_nic: fix MSI/MSI-x interrupts (git-fixes).
- commit 3738b7d
- qed: select CONFIG_CRC32 (git-fixes).
- commit 139caca
- net: hdlc_ppp: Fix issues when mod_timer is called while timer
  is running (git-fixes).
- commit 989e97f
- net: hns: fix return value check in __lb_other_process()
  (git-fixes).
- commit 09b093d
- net: ethernet: ti: cpts: fix ethtool output when no ptp_clock
  registered (git-fixes).
- commit 70082f4
- net: ethernet: Fix memleak in ethoc_probe (git-fixes).
- commit f2a5b3d
- virtio_net: Fix recursive call to cpus_read_lock() (git-fixes).
- commit 8d27bf9
- mdio: fix mdio-thunder.c dependency & build error (git-fixes).
- commit 6f0f27e
- net: arc_emac: Fix memleak in arc_mdio_probe (git-fixes).
- commit c7c12d2
- RDMA/rxe: Return CQE error if invalid lkey was supplied (git-fixes)
- commit 5ebe135
- RDMA/rxe: Clear all QP fields if creation failed (git-fixes)
- commit 05011fb
- RDMA/bnxt_re: Fix a double free in bnxt_qplib_alloc_res (git-fixes)
- commit e7c9b71
- RDMA/i40iw: Fix error unwinding when i40iw_hmc_sd_one fails (git-fixes)
- commit aad24e1
- RDMA/cxgb4: add missing qpid increment (git-fixes)
- commit ff35c65
- RDMA/bnxt_re: Fix error return code in bnxt_qplib_cq_process_terminal() (git-fixes)
- commit c2452c6
- scsi: lpfc: Fix locking for lpfc_sli_iocbq_lookup()
  (bsc#1197675).
- scsi: lpfc: Fix broken SLI4 abort path (bsc#1197675).
- scsi: lpfc: Update lpfc version to 14.2.0.1 (bsc#1197675).
- scsi: lpfc: Fix queue failures when recovering from PCI parity
  error (bsc#1197675 bsc#1196478).
- scsi: lpfc: Fix unload hang after back to back PCI EEH faults
  (bsc#1197675 bsc#1196478).
- scsi: lpfc: Improve PCI EEH Error and Recovery Handling
  (bsc#1197675 bsc#1196478).
- commit 3bf2bb3
- IB/hfi1: Fix error return code in parse_platform_config() (git-fixes)
- commit 8e874b0
- IB/hfi1: Use kzalloc() for mmu_rb_handler allocation (git-fixes)
- commit 2bfb6d5
- RDMA/addr: Be strict with gid size (git-fixes)
- commit d7c9ddd
- RDMA/cxgb4: Fix adapter LE hash errors while destroying ipv6 listening server (git-fixes)
- commit dc1337b
- RDMA/rxe: Fix missing kconfig dependency on CRYPTO (git-fixes)
- commit 5a0643a
- RDMA/rxe: Correct skb on loopback path (git-fixes)
- commit 419d931
- RDMA/rxe: Fix coding error in rxe_rcv_mcast_pkt (git-fixes)
- commit 96de427
- blacklist: add PA Semi network device
- commit f501a2d
- RDMA/rxe: Fix skb lifetime in rxe_rcv_mcast_pkt() (git-fixes)
- commit 30def20
- RDMA/rxe: Fix coding error in rxe_recv.c (git-fixes)
- commit 8eddda6
- IB/umad: Return EPOLLERR in case of when device disassociated (git-fixes)
- commit 898c3b0
- IB/umad: Return EIO in case of when device disassociated (git-fixes)
- commit 70dbcce
- RDMA/cxgb4: Fix the reported max_recv_sge value (git-fixes)
- commit c42eafd
- RDMA/usnic: Fix memleak in find_free_vf_and_create_qp_grp (git-fixes)
- commit 456446f
- RDMA/uverbs: Tidy input validation of ib_uverbs_rereg_mr() (git-fixes)
- commit 3376669
- RDMA/cxgb4: Validate the number of CQEs (git-fixes)
- commit 560601e
- RDMA/mlx5: Fix corruption of reg_pages in mlx5_ib_rereg_user_mr() (git-fixes)
- commit 7514626
- RDMA/rxe: Compute PSN windows correctly (git-fixes)
- commit 2491fe3
- RDMA/bnxt_re: Set queue pair state when being queried (git-fixes)
- commit 26639c3
- RDMA/cm: Fix an attempt to use non-valid pointer when cleaning timewait (git-fixes)
- commit 9810a14
- IB/hfi1: Fix another case where pq is left on waitlist (git-fixes)
- commit 75af824
- printk: disable optimistic spin during panic (bsc#1197894).
- commit ce52f1e
- printk: Add panic_in_progress helper (bsc#1197894).
- commit d27056a
- blacklist.conf: printk: cosmetic problem
- commit 0450572
- blacklist.conf: Blacklist 480d42dc001bb
- commit 32cb203
- ext4: update i_disksize if direct write past ondisk size
  (bsc#1197806).
- commit 5f6c0ad
- ext4: check for out-of-order index extents in
  ext4_valid_extent_entries() (bsc#1194163 bsc#1196339).
- commit 2453de4
- ext4: check for inconsistent extents between index and leaf
  block (bsc#1194163 bsc#1196339).
- commit de4a86f
- ext4: prevent partial update of the extent blocks (bsc#1194163
  bsc#1196339).
- commit c09bc65
- scsi: lpfc: Copyright updates for 14.2.0.0 patches
  (bsc#1197675).
- scsi: lpfc: Update lpfc version to 14.2.0.0 (bsc#1197675).
- scsi: lpfc: SLI path split: Refactor BSG paths (bsc#1197675).
- scsi: lpfc: SLI path split: Refactor Abort paths (bsc#1197675).
- scsi: lpfc: SLI path split: Refactor SCSI paths (bsc#1197675).
- scsi: lpfc: SLI path split: Refactor CT paths (bsc#1197675).
- scsi: lpfc: SLI path split: Refactor misc ELS paths
  (bsc#1197675).
- scsi: lpfc: SLI path split: Refactor FDISC paths (bsc#1197675).
- scsi: lpfc: SLI path split: Refactor LS_RJT paths (bsc#1197675).
- scsi: lpfc: SLI path split: Refactor LS_ACC paths (bsc#1197675).
- scsi: lpfc: SLI path split: Refactor the RSCN/SCR/RDF/EDC/FARPR
  paths (bsc#1197675).
- scsi: lpfc: SLI path split: Refactor PLOGI/PRLI/ADISC/LOGO paths
  (bsc#1197675).
- scsi: lpfc: SLI path split: Refactor base ELS paths and the
  FLOGI path (bsc#1197675).
- scsi: lpfc: SLI path split: Introduce lpfc_prep_wqe
  (bsc#1197675).
- scsi: lpfc: SLI path split: Refactor fast and slow paths to
  native SLI4 (bsc#1197675).
- scsi: lpfc: SLI path split: Refactor lpfc_iocbq (bsc#1197675).
- scsi: lpfc: Use kcalloc() (bsc#1197675).
- scsi: lpfc: Fix typos in comments (bsc#1197675).
- scsi: lpfc: Remove failing soft_wwn support (bsc#1197675).
- scsi: lpfc: Use rport as argument for lpfc_chk_tgt_mapped()
  (bsc#1197675).
- scsi: lpfc: Use rport as argument for lpfc_send_taskmgmt()
  (bsc#1197675).
- scsi: lpfc: Use fc_block_rport() (bsc#1197675).
- scsi: lpfc: Drop lpfc_no_handler() (bsc#1197675).
- scsi: lpfc: Kill lpfc_bus_reset_handler() (bsc#1197675).
- scsi: lpfc: Remove redundant flush_workqueue() call
  (bsc#1197675).
- scsi: lpfc: Reduce log messages seen after firmware download
  (bsc#1197675).
- scsi: lpfc: Remove NVMe support if kernel has NVME_FC disabled
  (bsc#1197675).
- commit f0a6320
- ext4: make sure quota gets properly shutdown on error
  (bsc#1195480).
- commit 8ee1d16
- blacklist.conf: Blacklist 86399ea07109
- commit 9143f54
- isofs: Fix out of bound access for corrupted isofs image
  (bsc#1194591).
- commit 415784e
- quota: correct error number in free_dqentry() (bsc#1194590).
- commit 52c49c9
- mm: bdi: initialize bdi_min_ratio when bdi is unregistered
  (bsc#1197763).
- commit c769015
- block: fix ioprio_get(IOPRIO_WHO_PGRP) vs setuid(2)
  (bsc#1194586).
- commit abe8d21
- blacklist.conf: Blacklist 35e4c6c1a2fc
- commit d4946a1
- block: bfq: fix bfq_set_next_ioprio_data() (bsc#1191451).
- commit 81d1afe
- ocfs2: mount fails with buffer overflow in strlen (bsc#1197760).
- commit b56665a
- ocfs2: remove ocfs2_is_o2cb_active() (bsc#1197758).
- commit dc084e8
- ext4: fix error handling in ext4_restore_inline_data()
  (bsc#1197757).
- commit e94b650
- ext4: don't use the orphan list when migrating an inode
  (bsc#1197756).
- commit a5f5139
- ext4: fix an use-after-free issue about data=journal writeback
  mode (bsc#1195482).
- commit 6c8da82
- ext4: Fix BUG_ON in ext4_bread when write quota data
  (bsc#1197755).
- commit 6d6702e
- ext4: fix lazy initialization next schedule time computation
  in more granular unit (bsc#1194580).
- commit 08e8e02
- ext4: add check to prevent attempting to resize an fs with
  sparse_super2 (bsc#1197754).
- commit 1f40962
- ALSA: pcm: Fix potential AB/BA lock with buffer_mutex and
  mmap_lock (CVE-2022-1048 bsc#1197331).
- Refresh
  patches.kabi/ALSA-kABI-workaround-for-snd_pcm_runtime-changes.patch.
- commit e4d0718
- ALSA: pcm: Fix potential AB/BA lock with buffer_mutex and
  mmap_lock (CVE-2022-1048 bsc#1197331).
- Refresh
  patches.kabi/ALSA-kABI-workaround-for-snd_pcm_runtime-changes.patch.
- commit 62bc950
- RDMA/mlx5: Fix potential race between destroy and CQE poll (git-fixes)
- commit 2be5062
- RDMA/qib: Remove superfluous fallthrough statements (git-fixes)
- commit 5f65d5b
- RDMA/hns: Add a check for current state before modifying QP (git-fixes)
- commit 0cbb5fa
- RDMA/hns: Optimize hns_roce_modify_qp function (git-fixes)
- commit 903fd47
- RDMA/ucma: Fix locking for ctx->events_reported (git-fixes)
- commit a622b5d
- RDMA/rxe: Fix panic when calling kmem_cache_create() (git-fixes)
- commit cade790
- RDMA/rxe: Remove rxe_link_layer() (git-fixes)
- commit 0f4ef23
- IB/sa: Resolv use-after-free in ib_nl_make_request() (git-fixes)
- commit fad610b
- RDMA/uverbs: Fix create WQ to use the given user handle (git-fixes)
- commit ab81ef4
- RDMA/mlx5: Fix udata response upon SRQ creation (git-fixes)
- commit 3fe7f63
- IB/hfi1: Ensure pq is not left on waitlist (git-fixes)
- commit db7c85c
- IB/hfi1: Acquire lock to release TID entries when user file is closed (git-fixes)
- commit 895ac06
- IB/core: Fix ODP get user pages flow (git-fixes)
- commit 77723db
- RDMA/mlx5: Put live in the correct place for ODP MRs (git-fixes)
- commit 342fe6e
- RDMA/mlx5: Do not allow rereg of a ODP MR (git-fixes)
- commit 51ff5e8
- RDMA/odp: Lift umem_mutex out of ib_umem_odp_unmap_dma_pages() (git-fixes)
- commit 7dc4fbf
- RDMA/hns: Prevent undefined behavior in hns_roce_set_user_sq_size() (git-fixes)
- commit 4ff7384
- Metadata update
- commit 8705efc
- scsi: qla2xxx: Fix typos in comments (bsc#1197661).
- scsi: qla2xxx: Update version to 10.02.07.400-k (bsc#1197661).
- scsi: qla2xxx: Increase max limit of ql2xnvme_queues
  (bsc#1197661).
- scsi: qla2xxx: Use correct feature type field during RFF_ID
  processing (bsc#1197661).
- scsi: qla2xxx: Fix stuck session of PRLI reject (bsc#1197661).
- scsi: qla2xxx: Reduce false trigger to login (bsc#1197661).
- scsi: qla2xxx: Fix laggy FC remote port session recovery
  (bsc#1197661).
- scsi: qla2xxx: Fix hang due to session stuck (bsc#1197661).
- scsi: qla2xxx: Fix N2N inconsistent PLOGI (bsc#1197661).
- scsi: qla2xxx: Fix crash during module load unload test
  (bsc#1197661).
- scsi: qla2xxx: Fix missed DMA unmap for NVMe ls requests
  (bsc#1197661).
- scsi: qla2xxx: Fix loss of NVMe namespaces after driver reload
  test (bsc#1197661).
- scsi: qla2xxx: Fix disk failure to rediscover (bsc#1197661).
- scsi: qla2xxx: Fix incorrect reporting of task management
  failure (bsc#1197661).
- scsi: qla2xxx: Use named initializers for q_dev_state
  (bsc#1197661).
- scsi: qla2xxx: Use named initializers for port_state_str
  (bsc#1197661).
- scsi: qla2xxx: Stop using the SCSI pointer (bsc#1197661).
- commit 96344da
- series: Resort and update meta data
  Update meta data:
  - patches.suse/net-ibmvnic-Cleanup-workaround-doing-an-EOI-after-pa.patch
  - patches.suse/powerpc-add-link-stack-flush-mitigation-status-in-de.patch
  - patches.suse/powerpc-pseries-read-the-lpar-name-from-the-firmware.patch
  - patches.suse/rpadlpar_io-Add-MODULE_DESCRIPTION-entries-to-kernel.patch
  - patches.suse/scsi-qla2xxx-Add-devids-and-conditionals-for-28xx.patch
  - patches.suse/scsi-qla2xxx-Add-ql2xnvme_queues-module-param-to-con.patch
  - patches.suse/scsi-qla2xxx-Add-qla2x00_async_done-for-async-routin.patch
  - patches.suse/scsi-qla2xxx-Add-retry-for-exec-firmware.patch
  - patches.suse/scsi-qla2xxx-Check-for-firmware-dump-already-collect.patch
  - patches.suse/scsi-qla2xxx-Fix-T10-PI-tag-escape-and-IP-guard-opti.patch
  - patches.suse/scsi-qla2xxx-Fix-device-reconnect-in-loop-topology.patch
  - patches.suse/scsi-qla2xxx-Fix-premature-hw-access-after-PCI-error.patch
  - patches.suse/scsi-qla2xxx-Fix-scheduling-while-atomic.patch
  - patches.suse/scsi-qla2xxx-Fix-stuck-session-in-gpdb.patch
  - patches.suse/scsi-qla2xxx-Fix-warning-for-missing-error-code.patch
  - patches.suse/scsi-qla2xxx-Fix-warning-message-due-to-adisc-being-.patch
  - patches.suse/scsi-qla2xxx-Fix-wrong-FDMI-data-for-64G-adapter.patch
  - patches.suse/scsi-qla2xxx-Implement-ref-count-for-SRB.patch
  - patches.suse/scsi-qla2xxx-Refactor-asynchronous-command-initializ.patch
  - patches.suse/scsi-qla2xxx-Remove-unused-qla_sess_op_cmd_list-from.patch
  - patches.suse/scsi-qla2xxx-Suppress-a-kernel-complaint-in-qla_crea.patch
  - patches.suse/scsi-qla2xxx-Update-version-to-10.02.07.300-k.patch
  - patches.suse/scsi-qla2xxx-edif-Fix-clang-warning.patch
- commit 7e552c7
- net: ena: remove extra words from comments (bsc#1197099
  jsc#SLE-24125).
- Refresh
  patches.suse/net-ena-Fix-error-handling-when-calculating-max-IO-q.patch.
- commit b072f83
- net: ena: Extract recurring driver reset code into a function
  (bsc#1197099 jsc#SLE-24125).
- net: ena: Change the name of bad_csum variable (bsc#1197099
  jsc#SLE-24125).
- net: ena: Add debug prints for invalid req_id resets
  (bsc#1197099 jsc#SLE-24125).
- net: ena: Remove ena_calc_queue_size_ctx struct (bsc#1197099
  jsc#SLE-24125).
- net: ena: Move reset completion print to the reset function
  (bsc#1197099 jsc#SLE-24125).
- net: ena: Remove redundant return code check (bsc#1197099
  jsc#SLE-24125).
- net: ena: Change ENI stats support check to use capabilities
  field (bsc#1197099 jsc#SLE-24125).
- net: ena: Add capabilities field with support for ENI stats
  capability (bsc#1197099 jsc#SLE-24125).
- net: ena: Change return value of ena_calc_io_queue_size()
  to void (bsc#1197099 jsc#SLE-24125).
- net: ena: Fix wrong rx request id by resetting device
  (bsc#1197099 jsc#SLE-24125).
- ena: Remove rcu_read_lock() around XDP program invocation
  (bsc#1197099 jsc#SLE-24125).
- net: ena: make symbol 'ena_alloc_map_page' static (bsc#1197099
  jsc#SLE-24125).
- net: ena: re-organize code to improve readability (bsc#1197099
  jsc#SLE-24125).
- net: ena: Use dev_alloc() in RX buffer allocation (bsc#1197099
  jsc#SLE-24125).
- net: ena: aggregate doorbell common operations into a function
  (bsc#1197099 jsc#SLE-24125).
- net: ena: Remove module param and change message severity
  (bsc#1197099 jsc#SLE-24125).
- net: ena: add jiffies of last napi call to stats (bsc#1197099
  jsc#SLE-24125).
- net: ena: use build_skb() in RX path (bsc#1197099
  jsc#SLE-24125).
- net: ena: Improve error logging in driver (bsc#1197099
  jsc#SLE-24125).
- net: ena: Remove unused code (bsc#1197099 jsc#SLE-24125).
- net: ena: optimize data access in fast-path code (bsc#1197099
  jsc#SLE-24125).
- net: ena: fix DMA mapping function issues in XDP (bsc#1197099
  jsc#SLE-24125).
- net: ena: fix inaccurate print type (bsc#1197099 jsc#SLE-24125).
- ethernet: amazon: ena: A typo fix in the file ena_com.h
  (bsc#1197099 jsc#SLE-24125).
- net: ena: Update XDP verdict upon failure (bsc#1197099
  jsc#SLE-24125).
- net: ena: introduce ndo_xdp_xmit() function for XDP_REDIRECT
  (bsc#1197099 jsc#SLE-24125).
- net: ena: use xdp_return_frame() to free xdp frames (bsc#1197099
  jsc#SLE-24125).
- net: ena: introduce XDP redirect implementation (bsc#1197099
  jsc#SLE-24125).
- net: ena: use xdp_frame in XDP TX flow (bsc#1197099
  jsc#SLE-24125).
- net: ena: aggregate stats increase into a function (bsc#1197099
  jsc#SLE-24125).
- net: ena: fix coding style nits (bsc#1197099 jsc#SLE-24125).
- net: ena: store values in their appropriate variables types
  (bsc#1197099 jsc#SLE-24125).
- net: ena: add device distinct log prefix to files (bsc#1197099
  jsc#SLE-24125).
- net: ena: use constant value for net_device allocation
  (bsc#1197099 jsc#SLE-24125).
- ena_netdev: use generic power management (bsc#1197099
  jsc#SLE-24125).
- commit d3d7690
- net: ena: Use pci_sriov_configure_simple() to enable VFs
  (bsc#1197099 jsc#SLE-24125).
- Refresh
  patches.suse/net-ena-add-pci-shutdown-handler-to-allow-safe-kexec.patch.
- commit 2f8ef82
- powerpc/pseries: Fix use after free in remove_phb_dynamic()
  (bsc#1065729).
- powerpc/tm: Fix more userspace r13 corruption (bsc#1065729).
- powerpc/pseries: Fix use after free in remove_phb_dynamic()
  (bsc#1065729).
- powerpc/tm: Fix more userspace r13 corruption (bsc#1065729).
- powerpc/xive: fix return value of __setup handler (bsc#1065729).
- powerpc/sysdev: fix incorrect use to determine if list is empty
  (bsc#1065729).
- commit 39f1df9
- Update CVE tags in
  patches.suse/ext4-fix-kernel-infoleak-via-ext4_extent_header.patch
  (bsc#1189562 bsc#1196761 CVE-2022-0850).
- commit 3b2491d
- Update patches.suse/sr9700-sanity-check-for-packet-length.patch
  (bsc#1196836 CVE-2022-26966).
  fixed typo in References
- commit e04f4f1
- mm/rmap: always do TTU_IGNORE_ACCESS (bsc#1184207).
- commit 9103b34
- mm: drop NULL return check of pte_offset_map_lock()
  (bsc#1184207).
- commit 28f5b86
- xen/gntdev: update to new mmu_notifier semantic (bsc#1184207).
- commit 72e8a4d
- mm/rmap: update to new mmu_notifier semantic v2 (bsc#1184207).
- Refresh
  patches.suse/0001-mm-migration-fix-migration-of-huge-PMD-shared-pages.patch
- commit d9279be
- dax: update to new mmu_notifier semantic (bsc#1184207).
- Refresh
  patches.suse/fs-dax.c-release-PMD-lock-even-when-there-is-no-PMD-.patch
- commit da7fdba
- esp: Fix possible buffer overflow in ESP transformation
  (bsc#1197131 CVE-2022-0886).
- commit d9e58bc
- Refresh patches.suse/xfrm-fix-mtu-regression.patch.
- commit 0ee241b
- series.conf: sort our patches to the sections
- commit 452d7dc
- quota: check block number when reading the block in quota  file
  (bsc#1197366 CVE-2021-45868).
- commit b7d9616
- ALSA: kABI workaround for snd_pcm_runtime changes (CVE-2022-1048
  bsc#1197331).
- Refresh patches.kabi/ALSA-pcm-oss-rw_ref-kabi-fix.patch.
- commit f284bec
- Fixing a series_sort.py issue for a patch
  The patch: blk-mq-move-_blk_mq_update_nr_hw_queues-synchronize_rcu-call
  was placed at the end of the sorted section by series_insert.py at
  one time, but now series_sort.py is complaining. So move this patch
  to later in series.conf, outside of the sorted section, making
  series_sort.py happy.
- commit a65cae5
- ALSA: kABI workaround for snd_pcm_runtime changes (CVE-2022-1048
  bsc#1197331).
- commit 0e8ef03
- ALSA: pcm: Fix races among concurrent prealloc proc writes
  (CVE-2022-1048 bsc#1197331).
- ALSA: pcm: Fix races among concurrent prepare and
  hw_params/hw_free calls (CVE-2022-1048 bsc#1197331).
- ALSA: pcm: Fix races among concurrent read/write and buffer
  changes (CVE-2022-1048 bsc#1197331).
- ALSA: pcm: Fix races among concurrent hw_params and hw_free
  calls (CVE-2022-1048 bsc#1197331).
- commit 6f93797
- ALSA: pcm: Fix races among concurrent prealloc proc writes
  (CVE-2022-1048 bsc#1197331).
- ALSA: pcm: Fix races among concurrent prepare and
  hw_params/hw_free calls (CVE-2022-1048 bsc#1197331).
- ALSA: pcm: Fix races among concurrent read/write and buffer
  changes (CVE-2022-1048 bsc#1197331).
- ALSA: pcm: Fix races among concurrent hw_params and hw_free
  calls (CVE-2022-1048 bsc#1197331).
- commit 0f72275
- blacklist.conf: mark 647d41d3952d
  647d41d3952d ("/crypto: vmx - add missing dependencies"/) is a corner case
  fix needed only if people recompile kernel with CRYPTO_DEV_VMX_ENCRYPT=y
  (we build it as module).
  While useful for SLE15-SP4 (and thus backported there) for old branches
  is not needed.
- commit 8ab3ed6
- powercap: intel_rapl: add support for Sapphire Rapids
  (jsc#SLE-15288, jsc#ECO-2990).
- commit 11d4e14
- Refresh patches.suse/powerpc-64-Interrupts-save-PPR-on-stack-rather-than-.patch.
- commit cf0d212
- NFS: Do not report writeback errors in nfs_getattr()
  (git-fixes).
- NFSD: Clamp WRITE offsets (git-fixes).
- NFS: Fix initialisation of nfs_client cl_flags field
  (git-fixes).
- NFS: Avoid duplicate uncached readdir calls on eof (git-fixes).
- NFS: Don't skip directory entries when doing uncached readdir
  (git-fixes).
- nfsd: nfsd4_setclientid_confirm mistakenly expires confirmed
  client (git-fixes).
- commit fa47801
- macros.kernel-source: Fix conditional expansion.
  Fixes: bb95fef3cf19 ("/rpm: Use bash for %() expansion (jsc#SLE-18234)."/)
- commit 7e857f7
- x86/speculation: Warn about Spectre v2 LFENCE mitigation
  (bsc#1114648).
- Refresh
  patches.suse/x86-speculation-warn-about-eibrs-lfence-unprivileged-ebpf-smt.patch.
- commit f6e58c8
- rpm: Use bash for %() expansion (jsc#SLE-18234).
  Since 15.4 alternatives for /bin/sh are provided by packages
  <something>-sh. While the interpreter for the build script can be
  selected the interpreter for %() cannot.
  The kernel spec files use bashisms in %().
  While this could technically be fixed there is more serious underlying
  problem: neither bash nor any of the alternatives are 100% POSIX
  compliant nor bug-free.
  It is not my intent to maintain bug compatibility with any number of
  shells for shell scripts embedded in the kernel spec file. The spec file
  syntax is not documented so embedding the shell script in it causes some
  unspecified transformation to be applied to it. That means that
  ultimately any changes must be tested by building the kernel, n times if
  n shells are supported.
  To reduce maintenance effort require that bash is used for kernel build
  always.
- commit bb95fef
- x86/speculation: Warn about eIBRS + LFENCE + Unprivileged eBPF +
  SMT (bsc#1114648).
- commit 660df0a
- Sort in upstreamed BHB patches
- Refresh
  patches.suse/documentation-hw-vuln-update-spectre-doc.patch.
- Refresh
  patches.suse/x86-speculation-add-eibrs-retpoline-options.patch.
- Refresh
  patches.suse/x86-speculation-include-unprivileged-ebpf-status-in-spectre-v2-mitigation-reporting.patch.
- Refresh
  patches.suse/x86-speculation-rename-retpoline_amd-to-retpoline_lfence.patch.
- Refresh
  patches.suse/x86-speculation-use-generic-retpoline-by-default-on-amd.patch.
- commit 9848ad0
- net: bcmgenet: Fix a resource leak in an error handling path
  in the probe functin (git-fixes).
- commit 1def50c
- gtp: fix an use-before-init in gtp_newlink() (git-fixes).
- commit 2c87118
- net: hdlc_raw_eth: Clear the IFF_TX_SKB_SHARING flag after
  calling ether_setup (git-fixes).
- commit c80c336
- net: hdlc: In hdlc_rcv, check to make sure dev is an HDLC device
  (git-fixes).
- commit df21fd7
- net: usb: ax88179_178a: Fix out-of-bounds accesses in RX fixup
  (bsc#1196018).
- commit 95d7e2c
- net: usb: ax88179_178a: fix packet alignment padding
  (bsc#1196018).
- commit 065384f
- ax88179_178a: Merge memcpy + le32_to_cpus to get_unaligned_le32
  (bsc#1196018).
- commit f59903f
- net: marvell: Fix OF_MDIO config check (git-fixes).
- commit 1100da4
- net: dp83867: Fix OF_MDIO config check (git-fixes).
- commit 7fae20e
- net: fec: only check queue 0 if RXF_0/TXF_0 interrupt is set
  (git-fixes).
- commit 4b13398
- blacklist.conf: update blacklist
- commit 7d99dbc
- Update patches.suse/sr9700-sanity-check-for-packet-length.patch
  (bac#1196836 CVE-2022-26966).
  added CVE number
- commit 7e940d6
- rpm: Run external scriptlets on uninstall only when available
  (bsc#1196514 bsc#1196114 bsc#1196942).
  When dependency cycles are encountered package dependencies may not be
  fulfilled during zypper transaction at the time scriptlets are run.
  This is a problem for kernel scriptlets provided by suse-module-tools
  when migrating to a SLE release that provides these scriptlets only as
  part of LTSS. The suse-module-tools that provides kernel scriptlets may
  be removed early causing migration to fail.
- commit ab8dd2d
- net: mcs7830: handle usb read errors properly (git-fixes).
- commit 5eb1cb7
- asix: fix wrong return value in asix_check_host_enable()
  (git-fixes).
- commit 2139099
- asix: fix uninit-value in asix_mdio_read() (git-fixes).
- commit 34bb081
- net: asix: fix uninit value bugs (git-fixes).
- commit b735ffe
- net: usb: asix: add error handling for asix_mdio_* functions
  (git-fixes).
- asix: Fix small memory leak in ax88772_unbind() (git-fixes).
- commit 3c90156
- asix: Add rx->ax_skb = NULL after usbnet_skb_return()
  (git-fixes).
- commit b6ab4c2
- asix: Ensure asix_rx_fixup_info members are all reset
  (git-fixes).
- commit fede28c
- rpm: SC2006: Use $(...) notation instead of legacy backticked `...`.
- commit f0d0e90
- blacklist.conf: no gadget mode in SLE12
- commit abfa68a
- blacklist.conf:no gadget mode in SLE12
- commit b3d353a
- blacklist.conf: no gadget mode in SLE12
- commit db43c6c
- blacklist.conf: no gadget mode in SLE12
- commit fa6eb39
- blacklist.conf: no gadget mode in SLE12
- commit 2afa423
- blacklist.conf: no gadget mode in SLE12
- commit 67d7fc0
- blacklist.conf: no gadget mode in SLE12
- commit f043672
- blacklist.conf: mere cleanup
- commit 4e07fa1
- blacklist.conf: no gadget mode in SLE12
- commit a29721c
- blacklist.conf: no gadget mode in SLE12
- commit 2ce0821
- blacklist.conf: no gadget mode in SLE12
- commit d6d1cd7
- s390/bpf: Perform r1 range checking before accessing
  jit->seen_reg (git-fixes).
- s390/disassembler: increase ebpf disasm buffer size (git-fixes).
- commit d545d38
- Refresh
  patches.suse/s390-bpf-fix-64-bit-subtraction-of-the-0x80000000-constant.patch.
- Refresh
  patches.suse/s390-bpf-fix-optimizing-out-zero-extensions.patch.
- commit af985c2
- powerpc/64: Fix kernel stack 16-byte alignment (bsc#1196999
  ltc#196609S git-fixes).
- commit ec2e873
- rpm/kernel-source.spec.in: call fdupes per subpackage
  It is a waste of time to do a global fdupes when we have
  subpackages.
- commit 1da8439
- blacklist.conf: documentation
- commit 098451f
- powerpc/64: Interrupts save PPR on stack rather than
  thread_struct (bsc#1196999 ltc#196609).
- commit 916a84f
- net: sched: use Qdisc rcu API instead of relying on rtnl lock
  (bsc#1196973 CVE-2021-39713).
- net: sched: add helper function to take reference to Qdisc
  (bsc#1196973 CVE-2021-39713).
- net: sched: extend Qdisc with rcu (bsc#1196973 CVE-2021-39713).
- net: sched: rename qdisc_destroy() to qdisc_put() (bsc#1196973
  CVE-2021-39713).
- net: core: netlink: add helper refcount dec and lock function
  (bsc#1196973 CVE-2021-39713).
- commit a22ecb0
- powerpc/pseries: new lparcfg key/value pair:
  partition_affinity_score (jec#SLE-23780).
- powerpc/perf: consolidate GPCI hcall structs into asm/hvcall.h
  (jec#SLE-23780).
- commit 0380630
- EDAC: Fix calculation of returned address and next offset in
  edac_align_ptr() (bsc#1114648).
- commit 1c2d844
- xen/netfront: react properly to failing
  gnttab_end_foreign_access_ref() (bsc#1196488, XSA-396,
  CVE-2022-23042).
- commit 2b38f30
- xen/gnttab: fix gnttab_end_foreign_access() without page
  specified (bsc#1196488, XSA-396, CVE-2022-23041).
- commit 7149843
- xen/9p: use alloc/free_pages_exact() (bsc#1196488, XSA-396,
  CVE-2022-23041).
- commit a920e1c
- xen/usb: don't use gnttab_end_foreign_access() in
  xenhcd_gnttab_done() (bsc#1196488, XSA-396).
- commit e8ca175
- xen/gntalloc: don't use gnttab_query_foreign_access()
  (bsc#1196488, XSA-396, CVE-2022-23039).
- commit 02e08de
- xen/scsifront: don't use gnttab_query_foreign_access() for
  mapped status (bsc#1196488, XSA-396, CVE-2022-23038).
- commit 78fd62a
- xen/netfront: don't use gnttab_query_foreign_access() for
  mapped status (bsc#1196488, XSA-396, CVE-2022-23037).
- commit 335a138
- xen/blkfront: don't use gnttab_query_foreign_access() for
  mapped status (bsc#1196488, XSA-396, CVE-2022-23036).
- commit 69cc608
- xen/grant-table: add gnttab_try_end_foreign_access()
  (bsc#1196488, XSA-396, CVE-2022-23036, CVE-2022-23038).
- commit d8d4a06
- xen/xenbus: don't let xenbus_grant_ring() remove grants in
  error case (bsc#1196488, XSA-396, CVE-2022-23040).
- commit 9eb0e70
- genirq: Use rcu in kstat_irqs_usr() (bsc#1193738).
- commit d69c48c
- rpm/arch-symbols,guards,*driver: Replace Novell with SUSE.
- commit 174a64f
- usb: host: xen-hcd: add missing unlock in error path
  (git-fixes).
- commit af60176
- Refresh
  patches.suse/0002-usb-Introduce-Xen-pvUSB-frontend-xen-hcd.patch.
- commit ee8e3fd
- Refresh
  patches.suse/0001-usb-Add-Xen-pvUSB-protocol-description.patch.
- commit 29bb7f5
- rpm/kernel-docs.spec.in: use %%license for license declarations
  Limited to SLE15+ to avoid compatibility nightmares.
- commit 73d560e
- rpm/*.spec.in: Use https:// urls
- commit 77b5f8e
- blacklist.conf: 279eb8575fda EDAC/altera: Fix deferred probing
- commit 3db1890
- cgroup: Use open-time cgroup namespace for process migration
  perm checks (bsc#1196723).
- commit 131e183
- blacklist.conf: irrelevant in our config
- commit 5ffcec1
- blacklist.conf: not relevant in our gcc release
- commit ac8e2bf
- blacklist.conf: cleanup, not a bug fix
- commit 4b4434c
- blacklist.conf: kABI
- commit 11711a3
- cgroup: Allocate cgroup_file_ctx for kernfs_open_file->priv
  (bsc#1196723).
- commit d139e59
- blacklist.conf: Add 05c7b7a92cc8 cgroup/cpuset: Fix a race between cpuset_attach() and cpu hotplug
- commit 0579a6b
- USB: serial: option: add Telit LE910R1 compositions (git-fixes).
- commit f41229c
- USB: serial: option: add support for DW5829e (git-fixes).
- commit e61b0c3
- xhci: Prevent futile URB re-submissions due to incorrect return
  value (git-fixes).
- commit c1a4d75
- xhci: re-initialize the HC during resume if HCE was set
  (git-fixes).
- USB: serial: cp210x: add CPI Bulk Coin Recycler id (git-fixes).
- commit 29c9fd0
- USB: serial: ftdi_sio: add support for Brainboxes US-159/235/320
  (git-fixes).
- commit 89dd984
- USB: serial: option: add ZTE MF286D modem (git-fixes).
- commit a4f92c1
- USB: core: Fix hang in usb_kill_urb by adding memory barriers
  (git-fixes).
- commit ed7961f
- usb-storage: Add unusual-devs entry for VL817 USB-SATA bridge
  (git-fixes).
- commit b0172f2
- SUNRPC: avoid race between mod_timer() and del_timer_sync()
  (bnc#1195403).
- commit a8e4854
- Metadata update
- commit 4d7c2c2
- USB: serial: ch341: add support for GW Instek USB2.0-Serial
  devices (git-fixes).
- commit f982b68
- USB: zaurus: support another broken Zaurus (git-fixes).
- commit 78a0f67
- tracing: Fix return value of __setup handlers (git-fixes).
- commit 298142b
- sr9700: sanity check for packet length (bsc#1196836).
- commit 7ac3395
- nfc: st21nfca: Fix potential buffer overflows in EVT_TRANSACTION
  (CVE-2022-26490 bsc#1196830).
- commit 47ae8c5
- Metadata update
- commit c85ca56
- arm64: Use the clearbhb instruction in mitigations (bsc#1191580
  CVE-2022-0001 CVE-2022-000 CVE-2022-23960).
- arm64: add ID_AA64ISAR2_EL1 sys register (bsc#1191580
  CVE-2022-0001 CVE-2022-000 CVE-2022-23960).
- KVM: arm64: Allow SMCCC_ARCH_WORKAROUND_3 to be discovered
  and migrated (bsc#1191580 CVE-2022-0001 CVE-2022-000
  CVE-2022-23960).
- commit 48f8f30
- arm64: Mitigate spectre style branch history side channels
  (bsc#1191580 CVE-2022-0001 CVE-2022-000 CVE-2022-23960).
- Update config files.
- commit ab2e377
- KVM: arm64: Add templates for BHB mitigation sequences
  (bsc#1191580 CVE-2022-0001 CVE-2022-000 CVE-2022-23960).
- arm64: Add Cortex-X2 CPU part definition (bsc#1191580
  CVE-2022-0001 CVE-2022-000 CVE-2022-23960).
- arm64: Add Neoverse-N2, Cortex-A710 CPU part definition
  (bsc#1191580 CVE-2022-0001 CVE-2022-000 CVE-2022-23960).
- arm64: Add part number for Arm Cortex-A77 (bsc#1191580
  CVE-2022-0001 CVE-2022-000 CVE-2022-23960).
- arm64: proton-pack: Report Spectre-BHB vulnerabilities as
  part of Spectre-v2 (bsc#1191580 CVE-2022-0001 CVE-2022-000
  CVE-2022-23960).
- arm64: Add percpu vectors for EL1 (bsc#1191580 CVE-2022-0001
  CVE-2022-000 CVE-2022-23960).
- arm64: entry: Add macro for reading symbol addresses from
  the trampoline (bsc#1191580 CVE-2022-0001 CVE-2022-000
  CVE-2022-23960).
- arm64: entry: Add vectors that have the bhb mitigation sequences
  (bsc#1191580 CVE-2022-0001 CVE-2022-000 CVE-2022-23960).
- arm64: entry: Add non-kpti __bp_harden_el1_vectors for
  mitigations (bsc#1191580 CVE-2022-0001 CVE-2022-000
  CVE-2022-23960).
- arm64: entry: Allow the trampoline text to occupy multiple pages
  (bsc#1191580 CVE-2022-0001 CVE-2022-000 CVE-2022-23960).
- arm64: entry: Make the kpti trampoline's kpti sequence optional
  (bsc#1191580 CVE-2022-0001 CVE-2022-000 CVE-2022-23960).
- arm64: entry: Move trampoline macros out of ifdef'd section
  (bsc#1191580 CVE-2022-0001 CVE-2022-000 CVE-2022-23960).
- arm64: entry: Don't assume tramp_vectors is the start of the
  vectors (bsc#1191580 CVE-2022-0001 CVE-2022-000 CVE-2022-23960).
- arm64: entry: Allow tramp_alias to access symbols after
  the 4K boundary (bsc#1191580 CVE-2022-0001 CVE-2022-000
  CVE-2022-23960).
- arm64: entry: Move the trampoline data page before the text page
  (bsc#1191580 CVE-2022-0001 CVE-2022-000 CVE-2022-23960).
- arm64: entry: Free up another register on kpti's tramp_exit path
  (bsc#1191580 CVE-2022-0001 CVE-2022-000 CVE-2022-23960).
- arm64: entry: Make the trampoline cleanup optional (bsc#1191580
  CVE-2022-0001 CVE-2022-000 CVE-2022-23960).
- arm64: entry.S: Add ventry overflow sanity checks (bsc#1191580
  CVE-2022-0001 CVE-2022-000 CVE-2022-23960).
- commit c5f724a
- Update patch reference for iov security fix (CVE-2022-0847 bsc#1196584)
- commit 43f0d0b
- cgroup-v1: Correct privileges check in release_agent writes
  (bsc#1196723).
- commit f1913e7
- Refresh
  patches.suse/ibmvnic-schedule-failover-only-if-vioctl-fails.patch.
- commit 940b1e8
- Update patches.suse/ibmvnic-don-t-stop-queue-in-xmit.patch
  (bsc#1192273 ltc#194629 bsc#1191428 ltc#193985).
- commit 85dfe8e
- net/mlx5e: Fix page DMA map/unmap attributes (bsc#1196468).
- commit d80ea6a
- kernel-binary.spec: Also exclude the kernel signing key from devel package.
  There is a check in OBS that fails when it is included. Also the key is
  not reproducible.
  Fixes: bb988d4625a3 ("/kernel-binary: Do not include sourcedir in certificate path."/)
- commit 68fa069
- rpm/check-for-config-changes: Ignore PAHOLE_VERSION.
- commit 88ba5ec
- lib/iov_iter: initialize "/flags"/ in new pipe_buffer
  (bsc#1196584).
- commit 589ad87
- x86/speculation: Use generic retpoline by default on AMD
  (bsc#1191580 CVE-2022-0001 CVE-2022-0002).
- commit 2229053
- ibmvnic: Update driver return codes (bsc#1196516 ltc#196391).
- commit 6184b3b
- ibmvnic: Allow queueing resets during probe (bsc#1196516
  ltc#196391).
- ibmvnic: clear fop when retrying probe (bsc#1196516 ltc#196391).
- ibmvnic: init init_done_rc earlier (bsc#1196516 ltc#196391).
- ibmvnic: register netdev after init of adapter (bsc#1196516
  ltc#196391).
- ibmvnic: complete init_done on transport events (bsc#1196516
  ltc#196391).
- ibmvnic: define flush_reset_queue helper (bsc#1196516
  ltc#196391).
- ibmvnic: initialize rc before completing wait (bsc#1196516
  ltc#196391).
- ibmvnic: free reset-work-item when flushing (bsc#1196516
  ltc#196391).
- commit 5dd4d04
- tracing: Have traceon and traceoff trigger honor the instance
  (git-fixes).
- commit a93e3c2
- tracing: Dump stacktrace trigger to the corresponding instance
  (git-fixes).
- commit f5d1861
- x86/speculation: Include unprivileged eBPF status in Spectre v2
  mitigation reporting (bsc#1191580 CVE-2022-0001 CVE-2022-0002).
- Refresh
  patches.suse/x86-speculation-add-special-register-buffer-data-sampling-srbds-mitigation.patch.
- commit 902686b
- Documentation/hw-vuln: Update spectre doc (bsc#1191580
  CVE-2022-0001 CVE-2022-0002).
- Refresh
  patches.suse/0001-x86-speculation-Add-basic-IBRS-support-infrastructur.patch.
- commit 6c7745b
- SUNRPC: change locking for xs_swap_enable/disable (bsc#1196367).
- commit 74b1736
- x86/speculation: Add eIBRS + Retpoline options (bsc#1191580
  CVE-2022-0001 CVE-2022-0002).
- Refresh
  patches.suse/0001-x86-speculation-Add-basic-IBRS-support-infrastructur.patch.
- Refresh patches.suse/IBRS-forbid-shooting-in-foot.patch.
- commit 45191e7
- s390/hypfs: include z/VM guests with access control group set
  (bsc#1195638 LTC#196354).
- s390/cpumf: Support for CPU Measurement Sampling Facility LS
  bit (bsc#1195080 LTC#196090).
- s390/cpumf: Support for CPU Measurement Facility CSVN 7
  (bsc#1195080 LTC#196090).
- commit 6490f46
- scsi: zfcp: Fix failed recovery on gone remote port with
  non-NPIV FCP devices (bsc#1195377 LTC#196245).
- commit 53028f3
- crypto: af_alg - get_page upon reassignment to TX SGL
  (bsc#1195840).
- commit f9977fb
- x86/speculation: Rename RETPOLINE_AMD to RETPOLINE_LFENCE
  (bsc#1191580 CVE-2022-0001 CVE-2022-0002).
- Refresh
  patches.suse/0001-x86-speculation-Add-basic-IBRS-support-infrastructur.patch.
- commit 9f1d160
- ibmvnic: schedule failover only if vioctl fails (bsc#1196400
  ltc#195815).
- commit ec1fbc9
- Refresh
  patches.suse/0001-x86-speculation-Add-basic-IBRS-support-infrastructur.patch.
- Delete patches.suse/do-not-default-to-ibrs-on-skl.patch.
  Remove a statement which cancels itself out with the following patch
  which removes it anyway.
- commit d8a59c7
- x86,bugs: Unconditionally allow spectre_v2=retpoline,amd
  (bsc#1191580 CVE-2022-0001 CVE-2022-0002).
- commit bf75cfa
- udf: Restore i_lenAlloc when inode expansion fails (bsc#1196079
  CVE-2022-0617).
- commit 2533a5b
- udf: Fix NULL ptr deref when converting from inline format
  (bsc#1196079 CVE-2022-0617).
- commit 87d491f
- x86/speculation: Merge one test in
  spectre_v2_user_select_mitigation() (bsc#1191580 CVE-2022-0001
  CVE-2022-0002).
- commit c1dcbbf
- cpu/SMT: create and export cpu_smt_possible() (bsc#1191580
  CVE-2022-0001 CVE-2022-0002).
- commit 2f54b88
- kabi: Hide changes to s390/AP structures (jsc#SLE-20809).
- s390/AP: support new dynamic AP bus size limit (jsc#SLE-20809).
- s390/ap: rework crypto config info and default domain code
  (jsc#SLE-20809).
- commit 8315837
- Refresh sorted patches
- commit edafc9f
- Update patch reference for vfs fix (CVE-2022-0644 bsc#1196155)
- commit 4656612
- net/ibmvnic: Cleanup workaround doing an EOI after partition
  migration (bsc#1089644 ltc#166495 ltc#165544 git-fixes).
- commit a49ae38
- NFSv4.x: by default serialize open/close operations (bsc#1114893 bsc#1195934).
  Make this work-around optional
- commit 188b38c
- blacklist.conf: added two duplicates
- commit c74dc0a
- powerpc/pseries: read the lpar name from the firmware
  (bsc#1187716 ltc#193451).
- commit 6691bc3
- Refresh patches.suse/rpadlpar_io-Add-MODULE_DESCRIPTION-entries-to-kernel.patch
- commit b8f15d4
- powerpc: add link stack flush mitigation status in debugfs
  (bsc#1157038 bsc#1157923 ltc#182612 git-fixes).
- powerpc/64s: Fix debugfs_simple_attr.cocci warnings (bsc#1157038
  bsc#1157923 ltc#182612 git-fixes).
- commit d196896
- scsi: lpfc: Fix pt2pt NVMe PRLI reject LOGO loop (bsc#1189126).
- commit 1808416
- scsi: qla2xxx: Remove unused qla_sess_op_cmd_list from
  scsi_qla_host_t (bsc#1195823).
- scsi: qla2xxx: Add qla2x00_async_done() for async routines
  (bsc#1195823).
- scsi: qla2xxx: Update version to 10.02.07.300-k (bsc#1195823).
- scsi: qla2xxx: Check for firmware dump already collected
  (bsc#1195823).
- scsi: qla2xxx: Add devids and conditionals for 28xx
  (bsc#1195823).
- scsi: qla2xxx: Suppress a kernel complaint in qla_create_qpair()
  (bsc#1195823).
- scsi: qla2xxx: Fix T10 PI tag escape and IP guard options for
  28XX adapters (bsc#1195823).
- scsi: qla2xxx: edif: Fix clang warning (bsc#1195823).
- scsi: qla2xxx: Fix warning for missing error code (bsc#1195823).
- scsi: qla2xxx: Fix device reconnect in loop topology
  (bsc#1195823).
- scsi: qla2xxx: Add ql2xnvme_queues module param to configure
  number of NVMe queues (bsc#1195823).
- scsi: qla2xxx: Fix wrong FDMI data for 64G adapter
  (bsc#1195823).
- scsi: qla2xxx: Add retry for exec firmware (bsc#1195823).
- scsi: qla2xxx: Fix scheduling while atomic (bsc#1195823).
- scsi: qla2xxx: Fix premature hw access after PCI error
  (bsc#1195823).
- scsi: qla2xxx: Fix warning message due to adisc being flushed
  (bsc#1195823).
- scsi: qla2xxx: Fix stuck session in gpdb (bsc#1195823).
- scsi: qla2xxx: Implement ref count for SRB (bsc#1195823).
- scsi: qla2xxx: Refactor asynchronous command initialization
  (bsc#1195823).
- scsi: qla2xxx: Update version to 10.02.07.200-k (bsc#1195823).
- scsi: qla2xxx: edif: Fix inconsistent check of db_flags
  (bsc#1195823).
- scsi: qla2xxx: edif: Reduce connection thrash (bsc#1195823).
- scsi: qla2xxx: edif: Tweak trace message (bsc#1195823).
- scsi: qla2xxx: edif: Replace list_for_each_safe with
  list_for_each_entry_safe (bsc#1195823).
- scsi: qla2xxx: Remove a declaration (bsc#1195823).
- scsi: qla2xxx: Fix unmap of already freed sgl (bsc#1195823).
- scsi: qla2xxx: Return -ENOMEM if kzalloc() fails (bsc#1195823).
- commit 94d7f50
- Bluetooth: bfusb: fix division by zero in send path (git-fixes).
- commit 615915b
- gve: Recording rx queue before sending to napi (bsc#1191655).
- ixgbevf: Require large buffers for build_skb on 82599VF
  (bsc#1101674 FATE#325150 FATE#325151).
- IB/rdmavt: Validate remote_addr during loopback atomic tests
  (bsc#1114685 FATE#325854).
- gve: fix the wrong AdminQ buffer queue index check
  (bsc#1191655).
- gve: Fix GFP flags when allocing pages (bsc#1191655).
- i40e: Increase delay to 1 s after global EMP reset (bsc#1101816
  FATE#325147 FATE#325149).
- phylib: fix potential use-after-free (bsc#1119113 FATE#326472).
- gve: Add consumed counts to ethtool stats (bsc#1191655).
- gve: Implement suspend/resume/shutdown (bsc#1191655).
- gve: Add optional metadata descriptor type GVE_TXD_MTD
  (bsc#1191655).
- gve: remove memory barrier around seqno (bsc#1191655).
- gve: Update gve_free_queue_page_list signature (bsc#1191655).
- gve: Move the irq db indexes out of the ntfy block struct
  (bsc#1191655).
- gve: Correct order of processing device options (bsc#1191655).
- iavf: Fix limit of total number of queues to active queues of VF
  (bsc#1111981 FATE#326312 FATE#326313).
- i40e: Fix for displaying message regarding NVM version
  (jsc#SLE-4797).
- net: ena: Fix error handling when calculating max IO queues
  number (bsc#1174852).
- net: ena: Fix undefined state when tx request id is out of
  bounds (bsc#1174852).
- igb: Fix removal of unicast MAC filters of VFs (bsc#1117495).
- ice: ignore dropped packets during init (bsc#1118661
  FATE#325277).
- i40e: Fix pre-set max number of queues for VF (bsc#1111981
  FATE#326312 FATE#326313).
- gve: fix for null pointer dereference (bsc#1191655).
- net: marvell: mvpp2: Fix the computation of shared CPUs
  (bsc#1119113 FATE#326472).
- RDMA/netlink: Add __maybe_unused to static inline in C file
  (bsc#1046306 FATE#322942).
- i40e: Fix display error code in dmesg (bsc#1109837 bsc#1111981
  FATE#326312).
- i40e: Fix creation of first queue by omitting it if is not
  power of two (bsc#1101816 FATE#325147 FATE#325149).
- i40e: Fix ping is lost after configuring ADq on VF
  (bsc#1094978).
- i40e: Fix changing previously set num_queue_pairs for PFs
  (bsc#1094978).
- i40e: Fix correct max_pkt_size on VF RX queue (bsc#1101816
  FATE#325147 FATE#325149).
- iavf: prevent accidental free of filter structure (bsc#1111981
  FATE#326312 FATE#326313).
- cxgb4: fix eeprom len when diagnostics not implemented
  (bsc#1097585 bsc#1097586 bsc#1097587 bsc#1097588 bsc#1097583
  bsc#1097584).
- gve: fix unmatched u64_stats_update_end() (bsc#1191655).
- RDMA/bnxt_re: Fix query SRQ failure (bsc#1050244 FATE#322915).
- net: phylink: avoid mvneta warning when setting pause parameters
  (bsc#1119113 FATE#326472).
- gve: Add a jumbo-frame device option (bsc#1191655).
- gve: Implement packet continuation for RX (bsc#1191655).
- gve: Add RX context (bsc#1191655).
- gve: Track RX buffer allocation failures (bsc#1191655).
- gve: Allow pageflips on larger pages (bsc#1191655).
- gve: Add netif_set_xps_queue call (bsc#1191655).
- gve: Do lazy cleanup in TX path (bsc#1191655).
- gve: Add rx buffer pagecnt bias (bsc#1191655).
- gve: Switch to use napi_complete_done (bsc#1191655).
- gve: Use kvcalloc() instead of kvzalloc() (bsc#1191655).
- gve: DQO: avoid unused variable warnings (bsc#1191655).
- ice: Delete always true check of PF pointer (bsc#1118661
  FATE#325277).
- net: Prevent infinite while loop in skb_tx_hash() (bsc#1109837).
- RDMA/mlx5: Set user priority for DCT (bsc#1103991 FATE#326007).
- e1000e: Fix packet loss on Tiger Lake and later (bsc#1158533).
- mqprio: Correct stats in mqprio_dump_class_stats()
  (bsc#1109837).
- platform/mellanox: mlxreg-io: Fix argument base in kstrtou32()
  call (bsc#1112374).
- i40e: Fix freeing of uninitialized misc IRQ vector (bsc#1101816
  FATE#325147 FATE#325149).
- gve: report 64bit tx_bytes counter from
  gve_handle_report_stats() (bsc#1191655).
- gve: fix gve_get_stats() (bsc#1191655).
- gve: Properly handle errors in gve_assign_qpl (bsc#1191655).
- gve: Avoid freeing NULL pointer (bsc#1191655).
- gve: Correct available tx qpl check (bsc#1191655).
- qed: rdma - don't wait for resources under hw error recovery
  flow (bsc#1136460 jsc#SLE-4691 bsc#1136461 jsc#SLE-4692).
- qed: Handle management FW error (git-fixes).
- commit 287122e
- blacklist.conf: logging only
- commit d52bed3
- PCI: Add function 1 DMA alias quirk for Marvell 88SE9125 SATA
  controller (git-fixes).
- commit 99c4459
- net: usb: pegasus: Do not drop long Ethernet frames (git-fixes).
- commit f3b4a43
- rndis_host: support Hytera digital radios (git-fixes).
- commit 409a861
- blacklist.conf: optimization, not a bug fix
- commit 8686052
- powerpc/pseries/ddw: Revert "/Extend upper limit for huge DMA
  window for persistent memory"/ (bsc#1195995 ltc#196394).
- commit af87ae6
- f2fs: fix to do sanity check on inode type during garbage
  collection (CVE-2021-44879 bsc#1195987).
- commit e8b60dc
- Update
  patches.suse/0001-PCI-hv-Use-expected-affinity-when-unmasking-IRQ.patch
  (bsc#1185973, bsc#1195536).
- commit b3ac9c4
- tipc: improve size validations for received domain records
  (bsc#1195254, CVE-2022-0435).
- commit daaae48
- yam: fix a memory leak in yam_siocdevprivate() (CVE-2022-24959
  bsc#1195897).
- commit 2b51111
- EDAC/xgene: Fix deferred probing (bsc#1114648).
- commit cfd65af
- RDMA/hns: Encapsulate some lines for setting sq size in user mode (git-fixes)
- commit c6447b9
- Update patches.suse/0001-mmc-moxart_remove-Fix-UAF.patch
  (bsc#1194516 CVE-2022-0487).
- commit b3ff0d9
- sunrpc/auth_gss: support timeout on gss upcalls (bsc#1193857).
- commit 69bbdfa
- kernel-binary: Do not include sourcedir in certificate path.
  The certs macro runs before build directory is set up so it creates the
  aggregate of supplied certificates in the source directory.
  Using this file directly as the certificate in kernel config works but
  embeds the source directory path in the kernel config.
  To avoid this symlink the certificate to the build directory and use
  relative path to refer to it.
  Also fabricate a certificate in the same location in build directory
  when none is provided.
- commit bb988d4
- constraints: Also adjust disk requirement for x86 and s390.
- commit 9719db0
- constraints: Increase disk space for aarch64
- commit 09c2882
- fuse: annotate lock in fuse_reverse_inval_entry() (bsc#1195795).
- commit 60fd4d3
- ext4: avoid trim error on fs with small groups (bsc#1191271).
- commit 00cdce0
- scsi: bnx2fc: Flush destroy_work queue before calling
  bnx2fc_interface_put() (git-fixes).
- scsi: nsp_cs: Check of ioremap return value (git-fixes).
- scsi: qedf: Fix potential dereference of NULL pointer
  (git-fixes).
- scsi: ufs: Fix race conditions related to driver data
  (git-fixes).
- scsi: lpfc: Terminate string in lpfc_debugfs_nvmeio_trc_write()
  (git-fixes).
- scsi: scsi_debug: Sanity check block descriptor length in
  resp_mode_select() (git-fixes).
- commit 4931645
- Added git-fix commmit to blacklist: too pervasive
- commit eaa0f49
- cgroup-v1: Require capabilities to set release_agent
  (bsc#1195543 CVE-2022-0492).
- commit 25a96a7
- NFSv4: Handle case where the lookup of a directory fails
  (bsc#1195612 CVE-2022-24448).
- commit fe40712
- usb: common: ulpi: Fix crash in ulpi_match() (git-fixes).
- commit f38a194
- usb: typec: tcpm: Do not disconnect while receiving VBUS off
  (git-fixes).
- commit 5916f0b
- NFSv4: nfs_atomic_open() can race when looking up a non-regular
  file (git-fixes).
- NFSv4: Handle case where the lookup of a directory fails
  (git-fixes).
- nfsd: fix use-after-free due to delegation race (git-fixes).
- NFSv42: Fix pagecache invalidation after COPY/CLONE (git-fixes).
- NFSv42: Don't fail clone() unless the OP_CLONE operation failed
  (git-fixes).
- commit ecc4580
- blacklist.conf: add unneeded commit
- commit 8b757b2
- blacklist.conf: irrelevant in our kernel config
- commit b5c4448
- blacklist.conf: this is an optimization, not a fix
- commit a07f81d
- blacklist.conf: for a compiler option we don't use
- commit 8631da6
- Update
  patches.suse/net-tipc-validate-domain-record-count-on-input.patch
  (bsc#1195254 CVE-2022-0435).
- commit 0369cb6
- net: allow retransmitting a TCP packet if original is still
  in queue (bsc#1188605 bsc#1187428).
- commit 8ae7229
- kernel-obs-build: include 9p (boo#1195353)
  To be able to share files between host and the qemu vm of the build
  script, the 9p and 9p_virtio kernel modules need to be included in
  the initrd of kernel-obs-build.
- commit 0cfe67a
- Update patch reference for BT fix (CVE-2021-3564 bsc#1186207)
- commit ea7857c
- Bluetooth: fix the erroneous flush_work() order (git-fixes).
- commit 9b1f0b0
- Update patch reference for BT fix (CVE-2021-3564 bsc#1186207)
- commit b2df5e2
- Update patch reference for vgacon patch (CVE-2020-28097 bsc#1187723 jsc#SLE-23486)
- commit 8272c66
- net: tipc: validate domain record count on input (bsc#1195254).
- commit eff4836
- s390/pci: move pseudo-MMIO to prevent MIO overlap (bsc#1194965).
- commit 3996412
- ucsi_ccg: Check DEV_INT bit only when starting CCG4 (git-fixes).
- commit afd5597
- crypto: qat - fix undetected PFVF timeout in ACK loop
  (git-fixes).
- commit 22ebc8e
- s390/cio: make ccw_device_dma_* more robust (bsc#1193242).
- commit 8bea447
- kABI fixup after adding vcpu_idx to struct kvm_cpu
  (bsc#1190973).
- KVM: remember position in kvm->vcpus array (bsc#1190973).
- commit 768c666
- KVM: s390: index kvm->arch.idle_mask by vcpu_idx (bsc#1190973).
- commit 67bbbe2
- IB/qib: Use struct_size() helper (git-fixes)
- commit bf41f9c
- phonet: refcount leak in pep_sock_accep (bsc#1193867,
  CVE-2021-45095).
- commit 413134f
- xfrm: fix MTU regression (bsc#1185377, bsc#1194048).
- Delete
  patches.suse/xfrm-xfrm_state_mtu-should-return-at-least-1280-for-.patch.
  which caused a regression (bsc#1194048).
- Replace with an alternative fix for bsc#1185377
- commit 3800186
- Refresh
  patches.suse/ibmvnic-Allow-extra-failures-before-disabling.patch.
- Refresh patches.suse/ibmvnic-don-t-spin-in-tasklet.patch.
- Refresh patches.suse/ibmvnic-init-running_cap_crqs-early.patch.
- Refresh
  patches.suse/ibmvnic-remove-unused-wait_capability.patch.
- commit d68e92d
- ext4: set csum seed in tmp inode while migrating to extents
  (bsc#1195272).
- commit 294d77e
- nvme: add 'iopolicy' module parameter (bsc#1177599 bsc#1193096).
  Refresh:
  - patches.kabi/kabi-nvme-multipath-fix-iopolicy.patch.
  - patches.suse/nvme-multipath-disable-native-NVMe-multipath-per-def.patch.
- commit f17ae54
- drm/vmwgfx: Fix stale file descriptors on failed usercopy
  (CVE-2022-22942 bsc#1195065).
- commit 136a4b2
- s390/pci: add s390_iommu_aperture kernel parameter
  (bsc#1193234).
- virtio: write back F_VERSION_1 before validate (bsc#1193235).
- commit a307e0d
- bpf: Verifer, adjust_scalar_min_max_vals to always call
  update_reg_bounds() (bsc#1194227).
- commit c098fc7
- scsi: ufs: Correct the LUN used in eh_device_reset_handler()
  callback (bsc#1193864 CVE-2021-39657).
- commit 39c5f8e
- net: mana: Add RX fencing (bsc#1193507).
- net: mana: Add XDP support (bsc#1193507).
- hv_netvsc: Set needed_headroom according to VF (bsc#1193507).
- net, xdp: Introduce xdp_prepare_buff utility routine
  (bsc#1193507).
- net, xdp: Introduce xdp_init_buff utility routine (bsc#1193507).
- commit c70ed8e
- usb: gadget: configfs: Fix use-after-free issue with udc_name
  (bsc#1193861 CVE-2021-39648).
- commit 9ec119b
- fget: clarify and improve __fget_files() implementation
  (bsc#1193727).
- commit 3ce5a50
- ibmvnic: remove unused ->wait_capability (bsc#1195073
  ltc#195713).
- ibmvnic: don't spin in tasklet (bsc#1195073 ltc#195713).
- ibmvnic: init ->running_cap_crqs early (bsc#1195073 ltc#195713).
- ibmvnic: Allow extra failures before disabling (bsc#1195073
  ltc#195713).
- commit 3d370d2
- tee: handle lookup of shm with reference count 0 (bsc#1193767
  CVE-2021-44733).
- commit 10b0db6
- kernel-binary.spec.in: Move 20-kernel-default-extra.conf to the correctr
  directory (bsc#1195051).
- commit c80b5de
- drm/i915: Flush TLBs before releasing backing store
  (CVE-2022-0330 bsc#1194880).
- commit 20f1914
- drm/i915: Flush TLBs before releasing backing store
  (CVE-2022-0330 bsc#1194880).
- commit bd11976
- kabi/severities: Add a kabi exception for drivers/tee/tee
  According to the partner modules database, the structs of this driver
  are not used by anything external so make a kABI exception for them.
  Do that on purpose so that any external module using this fails to load
  instead of causing a potential memory corruption due to a kabi
  workaround which would use the same offset but for a different thing:
  - struct dma_buf *dmabuf;
  +	refcount_t refcount;
  See upstream commit
  dfd0743f1d9e ("/tee: handle lookup of shm with reference count 0"/)
- commit ac7feb6
- sctp: account stream padding length for reconf chunk
  (bsc#1194985 CVE-2022-0322).
- commit f5ee3ee
- of: Fix cpu node iterator to not ignore disabled cpu nodes
  (bsc#1065729).
- commit d8d9d32
- Refresh
  patches.suse/qla2xxx-synchronize-rport-dev_loss_tmo-setting.patch.
- Refresh
  patches.suse/scsi-lpfc-Add-additional-debugfs-support-for-CMF.patch.
- Refresh
  patches.suse/scsi-lpfc-Adjust-CMF-total-bytes-and-rxmonitor.patch.
- Refresh patches.suse/scsi-lpfc-Cap-CMF-read-bytes-to-MBPI.patch.
- Refresh
  patches.suse/scsi-lpfc-Change-return-code-on-I-Os-received-during.patch.
- Refresh
  patches.suse/scsi-lpfc-Fix-NPIV-port-deletion-crash.patch.
- Refresh
  patches.suse/scsi-lpfc-Fix-leaked-lpfc_dmabuf-mbox-allocations-wi.patch.
- Refresh
  patches.suse/scsi-lpfc-Fix-lpfc_force_rscn-ndlp-kref-imbalance.patch.
- Refresh
  patches.suse/scsi-lpfc-Trigger-SLI4-firmware-dump-before-doing-dr.patch.
- Refresh
  patches.suse/scsi-lpfc-Update-lpfc-version-to-14.0.0.4.patch.
- commit f21e440
- vfs: check fd has read access in kernel_read_file_from_fd() (bsc#1194888).
- commit b248150
- kernel-binary.spec: Do not use the default certificate path (bsc#1194943).
  Using the the default path is broken since Linux 5.17
- commit 68b36f0
- powerpc/pseries/mobility: ignore ibm, platform-facilities
  updates (bsc#1065729).
- commit 965bacc
- powerpc/traps: do not enable irqs in _exception (bsc#1065729).
- powerpc: add interrupt_cond_local_irq_enable helper
  (bsc#1065729).
- commit 4a386a2
- blacklist.conf: Add a2308836880b powerpc: Fix arch_stack_walk() to have
  running function as first entry
  The stacktrace interface in this kernel version does not provide the
  parameters used to implement the fix.
- commit 21795fd
- blacklist.conf: Add 79ca6f74dae0 tpm: fix Atmel TPM crash caused by too frequent queries
  Breaks kABI, there is no report of this problem affecting users, likely
  broken old TPM firmware.
- commit 8a8da53
- tpm: Check for integer overflow in tpm2_map_response_body()
  (bsc#1082555).
- commit efacd25
- tpm: add request_locality before write TPM_INT_ENABLE
  (bsc#1082555).
- commit 8057fac
- moxart: fix potential use-after-free on remove path
  (bsc#1194516).
- commit 5a3dfcb
- memstick: rtsx_usb_ms: fix UAF (bsc#1194516).
- commit 9692e25
- livepatch: Avoid CPU hogging with cond_resched (bsc#1071995).
- commit e59d06e
- of: add node name compare helper functions (bsc#1065729).
- commit 5ef3ecd
- of: Fix property name in of_node_get_device_type (bsc#1065729).
- of: Add device_type access helper functions (bsc#1065729).
- commit fd75973
- of: Add cpu node iterator for_each_of_cpu_node() (bsc#1065729).
- commit e0452f1
- powerpc/prom_init: Fix improper check of prom_getprop()
  (bsc#1065729).
- commit 1a169ee
- powerpc/pseries/cpuhp: delete add/remove_by_count code
  (bsc#1065729).
- powerpc/pseries/cpuhp: cache node corrections (bsc#1065729).
- commit ab66a06
- powerpc/perf: Fix data source encodings for L2.1 and L3.1
  accesses (bsc#1065729).
- commit 532dbbd
- tpm: fix potential NULL pointer access in tpm_del_char_device
  (bsc#1184209 ltc#190917 git-fixes bsc#1193660 ltc#195634).
- commit c218b13
- tracing/kprobes: 'nmissed' not showed correctly for kretprobe
  (git-fixes).
- commit 38d905a
- blacklist.conf: 77360f9bbc7e ("/tracing: Add test for user space strings when filtering on string pointers"/)
  The code in question was heavily modified by 80765597bc58 ("/tracing:
  Rewrite filter logic to be simpler and faster"/) which is not present in
  SLE12-SP5. The reproducer does not work and the logic is different, so
  the existing code seems to be safe.
- commit 4313ee6
- blacklist.conf: 3e2a56e6f639 ("/tracing: Have syscall trace events use trace_event_buffer_lock_reserve()"/)
  Optimization only.
- commit 856add1
- mm/hwpoison: do not lock page again when me_huge_page()
  successfully recovers (bsc#1194814).
- commit 5a48d23
- nfs: don't dirty kernel pages read by direct-io (bsc#1194410).
- commit 80f1a10
- select: Fix indefinitely sleeping task in
  poll_schedule_timeout() (bsc#1194027).
- commit 1e8594d
- x86/platform/uv: Add more to secondary CPU kdump info
  (bsc#1194493).
- commit 303a333
- blacklist.conf: f28439db470c ("/tracing: Tag trace_percpu_buffer as a percpu pointer"/)
  It fixes a sparse warning only.
- commit c384e17
- tracing: Fix check for trace_percpu_buffer validity in
  get_trace_buf() (git-fixes).
- commit 1ad63e6
- tcp: Export tcp_{sendpage,sendmsg}_locked() for ipv6 (bsc#1194541).
- commit f9177fa
- cgroup: Use open-time credentials for process migraton perm
  checks (bsc#1194302 CVE-2021-4197).
- commit b76ad03
- NFC: add NCI_UNREG flag to eliminate the race (CVE-2021-4202
  bsc#1194529).
- NFC: reorder the logic in nfc_{un,}register_device
  (CVE-2021-4202 bsc#1194529).
- NFC: reorganize the functions in nci_request (CVE-2021-4202
  bsc#1194529).
- commit 68b4b42
- Update patches.suse/tcp-fix-a-race-in-inet_diag_dump_icsk.patch
  (networking-stable-19_01_04 bsc#1186222).
  Fix bsc#1186222 by using proper atomic helper.
- commit bd29e90
- fget: check that the fd still exists after getting a ref to it
  (bsc#1193727 CVE-2021-4083).
- commit 5441599
- kprobes: Limit max data_size of the kretprobe instances
  (bsc#1193669).
- commit 3600b27
- btrfs: unlock newly allocated extent buffer after error (bsc#1194001, CVE-2021-4149).
- commit 0a8af05
- netdevsim: Zero-initialize memory for new map's value in
  function nsim_bpf_map_alloc (bsc#1193927 CVE-2021-4135).
- commit 1d46c55
- USB: serial: option: add Telit FN990 compositions (git-fixes).
- commit 20a8f2b
- usb: core: config: fix validation of wMaxPacketValue entries
  (git-fixes).
- commit 650dbdc
- blacklist.conf: Add 7ee285395b21 cgroup: Make rebind_subsystems() disable v2 controllers all at once
- commit 1412cd9
- net: usb: lan78xx: add Allied Telesis AT29M2-AF (git-fixes).
- commit 8f95759
- net: cdc_ncm: Allow for dwNtbOutMaxSize to be unset or zero
  (git-fixes).
- commit 7655e21
- blacklist.conf: cosmetics for clang
- commit a46466a
- usbnet: fix error return code in usbnet_probe() (git-fixes).
- commit a1b9e9d
- usbnet: sanity check for maxpacket (git-fixes).
- commit 97566d2
- fix rpm build warning
  tumbleweed rpm is adding these warnings to the log:
  It's not recommended to have unversioned Obsoletes: Obsoletes:      microcode_ctl
- commit 3ba8941
- build initrd without systemd
  This reduces the size of the initrd by over 25%, which
  improves startup time of the virtual machine by 0.5-0.6s on
  very fast machines, more on slower ones.
- commit ef4c569
- kernel-obs-build: remove duplicated/unused parameters
  lbs=0 - this parameters is just giving "/unused parameter"/ and it looks
  like I can not find any version that implemented this.
  rd.driver.pre=binfmt_misc is not needed when setup_obs is used, it
  alread loads the kernel module.
  quiet and panic=1 will now be also always added by OBS, so we don't have
  to set it here anymore.
- commit 972c692
- nvme: return BLK_STS_TRANSPORT unless DNR for
  NVME_SC_NS_NOT_READY (bsc#1163405).
- commit a71cfce
- Revert "/- rpm/*build: use buildroot macro instead of env variable"/
  buildroot macro is not being expanded inside a shell script. go
  back to the environment variable usage. This reverts parts of
  commit e2f60269b9330d7225b2547e057ef0859ccec155.
- commit fe85f96
- kernel-obs-build: include the preferred kernel parameters
  Currently the Open Build Service hardcodes the kernel boot parameters
  globally. Recently functionality was added to control the parameters
  by the kernel-obs-build package, so make use of that. parameters here
  will overwrite what is used by OBS otherwise.
- commit a631240
- kernel-obs-build: inform build service about virtio-serial
  Inform the build worker code that this kernel supports virtio-serial,
  which improves performance and relability of logging.
- commit 301a3a7
- rpm/*.spec.in: use buildroot macro instead of env variable
  The RPM_BUILD_ROOT variable is considered deprecated over
  a buildroot macro. future proof the spec files.
- commit e2f6026
- SUNRPC: Optimise transport balancing code (bnc#1192729).
- SUNRPC: Fix initialisation of struct rpc_xprt_switch
  (bnc#1192729).
- SUNRPC: Skip zero-refcount transports (bnc#1192729).
- SUNRPC: Replace division by multiplication in calculation of
  queue length (bnc#1192729).
- SUNRPC: Add basic load balancing to the transport switch - kabi fix.
  (bnc#1192729).
- commit 54dcd98
- SUNRPC: Add basic load balancing to the transport switch.
  (bnc#1192729)
- commit 6b24397
- Revert "/net: sched: disable TCQ_F_NOLOCK for pfifo_fast (bsc#1183405)"/
  This reverts commit 1c59b584ef0cc166f6f5c9f8ed6f47e2e811e1c0.
  With the backport of the upstream fix for bsc#1183405 race, this workaround
  is no longer needed.
- commit 0bfd1f2
- kabi: mask new member "/empty"/ of struct Qdisc (bsc#1183405).
- kabi: revert drop of Qdisc::atomic_qlen (bsc#1183405).
- net: sched: add barrier to ensure correct ordering for lockless
  qdisc (bsc#1183405).
- net: sched: avoid unnecessary seqcount operation for lockless
  qdisc (bsc#1183405).
- net: sched: fix tx action reschedule issue with stopped queue
  (bsc#1183405).
- net: sched: fix tx action rescheduling issue during deactivation
  (bsc#1183405).
- net: sched: fix packet stuck problem for lockless qdisc
  (bsc#1183405).
- net: sched: replaced invalid qdisc tree flush helper in
  qdisc_replace (bsc#1183405).
- net: sch_generic: aviod concurrent reset and enqueue op for
  lockless qdisc (bsc#1183405).
- net_sched: get rid of unnecessary dev_qdisc_reset()
  (bsc#1183405).
- net_sched: avoid resetting active qdisc for multiple times
  (bsc#1183405).
- net_sched: use qdisc_reset() in qdisc_destroy() (bsc#1183405).
- Revert "/net: dev: introduce support for sch BYPASS for lockless
  qdisc"/ (bsc#1183405).
- net/sched: annotate lockless accesses to qdisc->empty
  (bsc#1183405).
- net: sched: Avoid using yield() in a busy waiting loop
  (bsc#1183405).
- net/sched: fix race between deactivation and dequeue for NOLOCK
  qdisc (bsc#1183405).
- net/sched: pfifo_fast: fix wrong dereference in
  pfifo_fast_enqueue (bsc#1183405).
- net/sched: pfifo_fast: fix wrong dereference when qdisc is reset
  (bsc#1183405).
- Revert: "/net: sched: put back q.qlen into a single location"/
  (bsc#1183405).
- net: sched: when clearing NOLOCK, clear TCQ_F_CPUSTATS, too
  (bsc#1183405).
- net: sched: always do stats accounting according to
  TCQ_F_CPUSTATS (bsc#1183405).
- net: sched: prefer qdisc_is_empty() over direct qlen access
  (bsc#1183405).
- net: caif: avoid using qdisc_qlen() (bsc#1183405).
- net: dev: introduce support for sch BYPASS for lockless qdisc
  (bsc#1183405).
- net: sched: add empty status flag for NOLOCK qdisc
  (bsc#1183405).
- commit 53153a5
- rpm/kernel-obs-build.spec.in: move to zstd for the initrd
  Newer distros have capability to decompress zstd, which
  provides a 2-5% better compression ratio at very similar
  cpu overhead. Plus this tests the zstd codepaths now as well.
- commit 3d53a5b
libnettle
- Update to version 3.1: (jsc#SLE-23330)
  * SONAME bumps libnettle5, libhogweed3
  * Rebased patches:
  - CVE-2015-8805.patch
  - libnettle-CVE-2021-20305.patch
  - libnettle-CVE-2021-3580.patch
  - nettle-CVE-2016-6489.patch
libpwquality
- Replace %make_build with "/make -O %{?_smp_mflags}"/ for pre-SLE15
  builds.
  [jsc#SLE-22490, libpwquality.spec]
- update to 1.4.4
  * e11f2bd Fix regression with enabling cracklib check
  * 02e6728 Use make macros in rpm spec file
  * xxxxxxx Translated using Weblate (Polish, Turkish, Ukrainian)
- update to 1.4.3
  * 1213d33 Update translation files
  * a951fbe Add --disable-cracklib-check configure parameter
  * 6a8845b fixup static compilation
  * 92c6066 python: Add missing getters/setters for newly added settings
  * bfef79d Add usersubstr check
  * 09a2e65 pam_pwquality: Add debug message for the local_users_only option
  * a6f7705 Fix some gcc warnings
  * 8c8a260 pwmake: Properly validate the bits parameter.
  * 7be4797 we use Fedora Weblate now
  * xxxxxxx Translated using Weblate (Azerbaijani, Bulgarian,
    Chinese (Simplified), Czech, French, Friulian, Hungarian, Italian,
    Japanese, Norwegian Bokmål, Persian, Russian, Spanish, Turkish)
- update to 1.4.2:
  * Fix regression in handling retry, enforce_for_root, and
    local_users_only options introduced with the previous
    release.
- Register with pam-config in %post(un)
- Add baselibs.conf
- Update to version 1.4.1:
  + Minor bugfix update of the library.
- Drop libpwquality-pythons.patch: Fixed upstream. Following this,
  drop autoconf, automake and libtool BuildRequires and autoreconf
  call.
- Use modern macros.
- Do not recommend lang package. The lang package already has a
  supplements.
- Modernize spec-file by calling spec-cleaner
- Update RPM groups and summaries.
- Switch url to https://github.com/libpwquality/libpwquality/
- Update to release 1.4.0:
  * Fix possible buffer overflow with data from /dev/urandom
    in pwquality_generate().
  * Do not try to check presence of too short username in password.
    (thanks to Nikos Mavrogiannopoulos)
  * Make the user name check optional (via usercheck option).
  * Add an 'enforcing' option to make the checks to be warning-only
    in PAM.
  * The difok = 0 setting will disable all old password similarity
    checks except new and old passwords being identical.
  * Updated translations from Zanata.
- Add patch libpwquality-pythons.patch to avoid duping pythondir
- Make python3 default and enable py2 only when needed
- Build python3 version of bindings as well
libsolv
- fix memory leaks in SWIG generated code
- fix misparsing of '&' in attributes with libxml2
- try to keep packages from a cycle close togther in the
  transaction order [bsc#1189622]
- fix split provides not working if the update includes a
  forbidden vendor change [bsc#1195485]
- fix segfault on conflict resolution when using bindings
- do not replace noarch problem rules with arch dependent ones
  in problem reporting
- fix and simplify pool_vendor2mask implementation
- bump version to 0.6.39
libtirpc
- fix memory leak in client protocol version 2 code (bsc#1193805)
  - update: 0001-rpcb_clnt.c-config-to-try-protocolversion-2-first.patch
libxml2
- Security fix: [bsc#1196490, CVE-2022-23308]
  * Use-after-free of ID and IDREF attributes.
- Add libxml2-CVE-2022-23308.patch
libzypp
- Hint on ptf resolver conflicts (bsc#1194848)
- Fix package signature check (bsc#184501)
  Pay attention that header and payload are secured by a valid
  signature and report more detailed which signature is missing.
- Set ZYPP_RPM_DEBUG=1 to capture verbose rpm command output.
- version 16.22.4 (0)
mozilla-nss
- Mozilla NSS 3.68.3 (bsc#1197903)
  This release improves the stability of NSS when used in a multi-threaded
  environment. In particular, it fixes memory safety violations that
  can occur when PKCS#11 tokens are removed while in use (CVE-2022-1097).
  We presume that with enough effort these memory safety violations are exploitable.
  * Remove token member from NSSSlot struct (bmo#1756271).
  * Hold tokensLock through nssToken_GetSlot calls in nssTrustDomain_GetActiveSlots
    (bmo#1755555).
  * Check return value of PK11Slot_GetNSSToken (bmo#1370866).
nfs-utils
- Add 0200-mountd-Initialize-logging-early.patch
  If an error or warning message is produced before
  closeall() is called, mountd gets confused and doesn't work.
  (bsc#1194661)
- 0191-mount-don-t-bind-a-socket-needlessly.patch
  Don't bind() a non-priv socket immediately before connecting,
  as this wastes port numbers.
  (bsc#1187922)
openldap2
- bsc#1193296 - Resolve double free in sssvlv overlay
  * 0223-ITS-8592-Fix-double-free-in-sssvlv-overlay.patch
openssl-1_0_0
- Security Fix: [bsc#1196249]
  * Allow CRYPTO_THREADID_set_callback to be called with NULL parameter
  * Add openssl-CRYPTO_THREADID_set_callback.patch
- Security Fix: [bsc#1196877, CVE-2022-0778]
  * Infinite loop in BN_mod_sqrt() reachable when parsing certificates
  * Add openssl-CVE-2022-0778.patch
p11-kit
- call update-ca-certificates in post to make sure certs are regenerated even
  if ca-certificates was installed before p11-kit for whatever reason
  (bsc#1196443)
- make sure p11-kit components have matching versions (boo#1196812)
- Update to 0.23.2; (jsc#SLE-23330);
  * Fix forking issues with libffi
  * Fix various crashes in corner cases
  * Updated translations
  * Build fixes
- Make building more verbose
- Enable tests
- Small spec file cleanup with spec-cleaner
- Fix multiple integer overflows in rpc code (bsc#1180064
  CVE-2020-29361):
  * 0001-common-Use-reallocarray-instead-of-realloc-as-approp.patch
  * 0001-Check-for-arithmetic-overflows-before-allocating.patch
  * 0001-Follow-up-to-arithmetic-overflow-fix.patch
- Rebased patches:
  * 0001-Fix-a-typo-in-x-cetrificate-value-see-also-https-bug.patch
  * 0001-Support-loading-new-NSS-attribute-CKA_NSS_MOZILLA_CA.patch
- Drop patches fixed in the update:
  * 0001-trust-Allow-BEGIN-PUBLIC-KEY-PEM-blocks-in-.p11-kit-.patch
  * 0001-trust-allow-to-also-add-openssl-style-hashes-to-pem-d.diff
  * trust-Fix-segfaults-in-expand_homedir-when-pw_dir-NULL.patch
- Add support for CKA_NSS_{SERVER,EMAIL}_DISTRUST_AFTER (bsc#1187993,
  0001-trust-Support-CKA_NSS_-SERVER-EMAIL-_DISTRUST_AFTER.patch)
- add bcond to spec file to enable debug easily
- Also build documentation (boo#1013125)
- Use %license instead of %doc [bsc#1082318]
- 32-bit compatibility fixes:
  * Add PKCS11 module to p11-kit-32bit (bsc#996047#c39)
  * Add p11-kit-nss-trust-32bit NSS module
  * Fix potential bi-arch issue with private binaries
    (fdo#98817, p11-kit-biarch.patch)
patterns-sles
- downgrade requires of libopenssl-1_1-hmac to avoid explicit pulling
  in perhaps unwanted openssl 1.1.1 (bsc#1196307)
polkit
- CVE-2021-4115: fixed a denial of service via file descriptor leak (bsc#1195542)
  added CVE-2021-4115.patch
psmisc
  * Determine the namespace of a process only once to speed
    up the parsing of fdinfo (bsc#1194172).
- Change patch 0001-Use-mountinfo-to-be-able-to-use-the-mount-identity.patch
python
- python-2.7.9-sles-disable-verification-by-default.patch: removed,
  was no longer been used (default was "/enabled"/ since a while).
- Update bundled pip wheel to the latest SLE version patched
  against bsc#1186819 (CVE-2021-3572).
- Recover again proper value of %python2_package_prefix
  (bsc#1175619).
- BuildRequire rpm-build-python: The provider to inject python(abi)
  has been moved there. rpm-build pulls rpm-build-python
  automatically in when building anything against python3-base, but
  this implies that the initial build of python3-base does not
  trigger the automatic installation.
- Older SLE versions should use old OpenSSL.
- Add CVE-2022-0391-urllib_parse-newline-parsing.patch
  (bsc#1195396, CVE-2022-0391, bpo#43882) sanitizing URLs
  containing ASCII newline and tabs in urlparse.
- Add CVE-2021-4189-ftplib-trust-PASV-resp.patch (bsc#1194146,
  bpo#43285, CVE-2021-4189, gh#python/cpython#24838) make ftplib
  not trust the PASV response.
- build against openssl 1.1.x (incompatible with openssl 3.0x)
  for now.
- on sle12, python2 modules will still be called python-xxxx until EOL,
  for newer SLE versions they will be python2-xxxx
- BuildRequire rpm-build-python: The provider to inject python(abi)
  has been moved there. rpm-build pulls rpm-build-python
  automatically in when building anything against python3-base, but
  this implies that the initial build of python3-base does not
  trigger the automatic installation.
python-base
- python-2.7.9-sles-disable-verification-by-default.patch: removed,
  was no longer been used (default was "/enabled"/ since a while).
- Update bundled pip wheel to the latest SLE version patched
  against bsc#1186819 (CVE-2021-3572).
- Recover again proper value of %python2_package_prefix
  (bsc#1175619).
- BuildRequire rpm-build-python: The provider to inject python(abi)
  has been moved there. rpm-build pulls rpm-build-python
  automatically in when building anything against python3-base, but
  this implies that the initial build of python3-base does not
  trigger the automatic installation.
- Older SLE versions should use old OpenSSL.
- Add CVE-2022-0391-urllib_parse-newline-parsing.patch
  (bsc#1195396, CVE-2022-0391, bpo#43882) sanitizing URLs
  containing ASCII newline and tabs in urlparse.
- Add CVE-2021-4189-ftplib-trust-PASV-resp.patch (bsc#1194146,
  bpo#43285, CVE-2021-4189, gh#python/cpython#24838) make ftplib
  not trust the PASV response.
- build against openssl 1.1.x (incompatible with openssl 3.0x)
  for now.
- on sle12, python2 modules will still be called python-xxxx until EOL,
  for newer SLE versions they will be python2-xxxx
- BuildRequire rpm-build-python: The provider to inject python(abi)
  has been moved there. rpm-build pulls rpm-build-python
  automatically in when building anything against python3-base, but
  this implies that the initial build of python3-base does not
  trigger the automatic installation.
python3
- Update bundled pip wheel to the latest SLE version patched
  against bsc#1186819 (CVE-2021-3572).
- Add CVE-2022-0391-urllib_parse-newline-parsing.patch
  (bsc#1195396, CVE-2022-0391, bpo#43882) sanitizing URLs
  containing ASCII newline and tabs in urlparse.
- Add CVE-2021-4189-ftplib-trust-PASV-resp.patch (bsc#1194146,
  bpo#43285, CVE-2021-4189, gh#python/cpython#24838) make ftplib
  not trust the PASV response.
python3-base
- Update bundled pip wheel to the latest SLE version patched
  against bsc#1186819 (CVE-2021-3572).
- Add CVE-2022-0391-urllib_parse-newline-parsing.patch
  (bsc#1195396, CVE-2022-0391, bpo#43882) sanitizing URLs
  containing ASCII newline and tabs in urlparse.
- Add CVE-2021-4189-ftplib-trust-PASV-resp.patch (bsc#1194146,
  bpo#43285, CVE-2021-4189, gh#python/cpython#24838) make ftplib
  not trust the PASV response.
release-notes-sles
- 12.5.20220202 (tracked in bsc#933411)
- Added kernel parameter change (bsc#1195107)
- Added note about deprecating XFS V4 (jsc#SLE-22661)
- Updated note about unixODBC drivers in production (jsc#SLE-20553)
salt
- Clear network interfaces cache on grains request (bsc#1196050)
- Handle old qemu-img not supporting -U parameter (bsc#1195221)
- Added:
  * clear-network-interface-cache-when-grains-are-reques.patch
  * handle-old-qemu-img-not-supporting-u-parameter-bsc-1.patch
- Renamed:
  * patch_for_cve_bsc1197417.patch -> fix-multiple-security-issues-bsc-1197417.patch
- Restrict "/state.orchestrate_single"/ to pass a pillar value if it exists (bsc#1194632)
- Added:
  * fix-state.orchestrate_single-to-not-pass-pillar-none.patch
- Fix sparse disk errors on Python 2 (virt module)
- Added:
  * python2-adjustments-for-virt-module.patch
- Fix multiple security fixes (bsc#1197417)
  * Sign authentication replies to prevent MiTM (CVE-2020-22935)
  * Sign pillar data to prevent MiTM attacks. (CVE-2022-22934)
  * Prevent job and fileserver replays (CVE-2022-22936)
  * Fixed targeting bug, especially visible when using syndic and user auth. (CVE-2022-22941)
- Added:
  * patch_for_cve_bsc1197417.patch
- Fix inspector module export function (bsc#1097531)
- Wipe NOTIFY_SOCKET from env in cmdmod (bsc#1193357)
- Fix possible traceback on ip6_interface grain (bsc#1193565)
- Don't check for cached pillar errors on state.apply (bsc#1190781)
- Added:
  * vendor-stateresult.patch
  * fix-possible-traceback-on-ip6_interface-grain-bsc-11.patch
  * state.apply-don-t-check-for-cached-pillar-errors.patch
  * wipe-notify_socket-from-env-in-cmdmod-bsc-1193357-30.patch
  * fix-inspector-module-export-function-bsc-1097531-478.patch
- Simplify "/transactional_update"/ module to not use SSH wrapper and allow more flexible execution
- Add "/--no-return-event"/ option to salt-call to prevent sending return event back to master.
- Make "/state.highstate"/ to acts on concurrent flag.
- Added:
  * refactor-and-improvements-for-transactional-updates-.patch
samba
- Fix ntlm authentications with "/winbind use default domain = yes"/;
  (bso#13126); (bsc#1173429); (bsc#1196308).
- Update spec file to do not provide nor require the bundled talloc,
  tdb, tevent and ldb libraries; (bsc#1195510);
- CVE-2021-44141: Information leak via symlinks of existance of
  files or directories outside of the exported share; (bso#14911);
  (bsc#1193690);
- CVE-2021-44142: Out-of-bounds heap read/write vulnerability
  in VFS module vfs_fruit allows code execution; (bso#14914);
  (bsc#1194859);
- CVE-2022-0336: Samba AD users with permission to write to an
  account can impersonate arbitrary services; (bso#14950);
  (bsc#1195048);
- Update to version 4.15.4; (jsc#SLE-23330);
  + CVE-2021-43566: Symlink race error can allow directory creation
    outside of the exported share; (bso#13979); (bsc#1139519);
  + CVE-2021-20316: Symlink race error can allow metadata read and
    modify outside of the exported share; (bso#14842); (bsc#1191227);
- Build samba with embedded talloc, pytalloc, pytalloc-util, tdb,
  pytdb, tevent, pytevent, ldb, pyldb and pyldb-util libraries.
  The tdb and ldb tools are installed in /usr/lib[64]/samba/bin and
  their manpages in /usr/lib[64]/samba/man
- Update to 4.15.4
  * Duplicate SMB file_ids leading to Windows client cache
    poisoning; (bso#14928);
  * Failed to parse NTLMv2_RESPONSE length 95 - Buffer Size Error -
    NT_STATUS_BUFFER_TOO_SMALL; (bso#14932);
  * kill_tcp_connections does not work; (bso#14934);
  * Can't connect to Windows shares not requiring authentication
    using KDE/Gnome; (bso#14935);
  * smbclient -L doesn't set "/client max protocol"/ to NT1 before
    calling the "/Reconnecting with SMB1 for workgroup listing"/
    path; (bso#14939);
  * Cross device copy of the crossrename module always fails;
    (bso#14940);
  * symlinkat function from VFS cap module always fails with an
    error; (bso#14941);
  * Fix possible fsp pointer deference; (bso#14942);
  * Missing pop_sec_ctx() in error path inside close_directory();
    (bso#14944);
  * "/smbd --build-options"/ no longer works without an smb.conf file;
    (bso#14945);
- Use pkgconfig(krb5) as dependency for the -devel package: allow
  OBS to pick the right flavor of krb5-devel (full vs mini).
- Do not require the 'krb5' symbol by samba-client-libs: this
  package has an automatic dependency due to linkage on
  libgssapi_krb5.so.2. Automatic deps are always better.
- Do not require the 'krb5' symbol from samba-libs: samba-libs
  requires samba-client-libs, which in turn requires krb5
  libraries. Samba-libs itself has no need for krb5 (but get it
  indirectly anyway).
- Reorganize libs packages. Split samba-libs into samba-client-libs,
  samba-libs, samba-winbind-libs and samba-ad-dc-libs, merging samba
  public libraries depending on internal samba libraries into these
  packages as there were dependency problems everytime one of these
  public libraries changed its version (bsc#1192684). The devel
  packages are merged into samba-devel.
- Rename package samba-core-devel to samba-devel
- Add python-rpm-macros to build requirements
- Update the symlink create by samba-dsdb-modules to private samba
  ldb modules following libldb2 changes from /usr/lib64/ldb/samba to
  /usr/lib64/ldb2/modules/ldb/samba
sudo
- Add support in the LDAP filter for negated users, patch taken
  from upstream (jsc#20068)
  * Adds sudo-feature-negated-LDAP-users.patch
- Restrict use of sudo -U other -l to people who have permission
  to run commands as that user (bsc#1181703, jsc#SLE-22569)
  * feature-upstream-restrict-sudo-U-other-l.patch
supportutils-plugin-suse-public-cloud
- Update to version 1.0.6 (bsc#1195095, bsc#1195096)
  + Include cloud-init logs whenever they are present
  + Update the packages we track in AWS, Azure, and Google
  + Include the ecs logs for AWS ECS instances
suse-build-key
- extended expiry of SUSE PTF key, move it to suse_ptf_key_old.asc
- added new SUSE PTF key with RSA2048 bit as suse_ptf_key.asc (bsc#1196494)
- extended expiry of SUSE SLES11 key (bsc#1194845)
- added SUSE Contaner signing key in PEM format for use e.g. by cosign.
- SUSE security key replaced with 2022 edition (E-Mail usage only). (bsc#1196495)
- removed old security key.
systemd
- Import commit d2bcac88a6f3e540774efcd9ab12672da12cf3fe
  7076cc48ad core: make sure we always free the list of changes
  1d69ad935b Install: correctly report symlink creations
  0ea76851fb core: make sure we generate a nicer error when a linked unit is attempted to be enabled
  8c4d1006cc install: unify checking whether operations may be applied to a unit file in a new function
  f072dc87b0 install: fix errno handling
  ca63895cec systemctl: Allow 'edit' and 'cat' on unloaded units
  f535ae8ee3 Don't open /var journals in volatile mode when runtime_journal==NULL
  d6c79be377 udev: 60-persistent-storage-tape.rules: handle duplicate device ID (bsc#1195529)
  c6274db870 man: tweak description of auto/noauto (bsc#1191502)
- Import commit 81e1235110a58f78e4e7514b45a2897ceddadf88
  8348b7f7ea systemd-coredump: allow setting external core size to infinity (bsc#1195899 jsc#SLE-23869 jsc#SLE-23871)
  d827639164 systemctl: exit with 1 if no unit files found (bsc#1193841)
  99d0949499 umount: show correct error message
  16f9b8a5fa core/umount: fix unitialized fields in MountPoint in dm_list_get()
  8f7b39e250 umount: Add more asserts and remove some unused arguments
  6858714b68 umount: Fix memory leak
  4a83c21fb1 mount-util: fix fd_is_mount_point() when both the parent and directory are network fs (bsc#1190984)
  dbf8419fdb busctl: add a timestamp to the output of the busctl monitor command (bsc#1180225 jsc#SLE-21861)
tcl
- New version 8.6.12:
  * (bug)[d43f96] [string trim*] broken for Emoji
  * (bug)[22324b] [string reverse] broken for Emoji
  * (bug)[1dab71,7c64aa] BRE broken by uninitialized value use
  * (bug)[8419c5] Unix tty channels tolerate EINTR
  * ** POTENTIAL INCOMPATIBILITY ***
  * (bug)[4c591f] [string compare] EIAS violation
  * (bug)[266494] [concat foo [list #]] EIAS violation
  * (bug)[24b918] Save IO buffers from modern optimizers
  * (new) support for POSIX error EILSEQ
  * (bug)[688fcc] segfault during traced delete of alias
  * (bug)[ccc448] segfault in ensemble rewrite machinery
  * (new) Update to Unicode-14
  * (bug)[a8579d] failed proc argument spec processing
  * Obsoletes tcl-aa4a13c15516da45.patch
- Bump %itclver and ensure it stays in sync.
- bsc#1185662: Move tcl.macros /usr/lib/rpm/macros.d .
- https://core.tcl-lang.org/thread/tktview?name=98ae20f0f5:
  Add tcl-aa4a13c15516da45.patch to disable lto for the stubs
  libraries.
- tclConfig.sh: Fix path names and avoid braces in TCL_PACKAGE_PATH
- Set TCL_LIBRARY at configure time for better consistency.
- New version: 8.6.11:
  * Add tcltest::(Setup|Eval|Cleanup|)Test
  * Update to Unicode-13
  * Add 3 libtommath functions to stub table
  * Many more bug fixes
- Potentially incompatible changes:
  * (bug)[ffeb20] [binary decode base64] ignore invalid chars
  * (bug)[b8e82d] some -maxlen values break uuencode round trip
  * (bug)[085913] Tcl_DStringAppendElement # quoting precision
  * (bug)[81242a] revised documentation for Tcl_UtfAtIndex()
  * (bug)[ed2980] Tcl_UtfToUniChar reads > TCL_UTF_MAX bytes
  * (bug)[a1bd37] [clock scan] new ISO format (clock-34.(19-24))
  * (bug)[501974] [clock scan] +time zone (clock-34.(53-68))
  * (new) force -eofchar 032 when evaluating library scripts
  * (new)[48898a] improve error message consistency
  * (new) revised case of module names
- Add a manpage symlink for tclsh8.6.
- Fix build with RPM 4.16: error: bare words are no longer
  supported, please use "/..."/:  lib64 == lib64.
- New version: 8.6.10:
  * (bug)[7a9dc5] [file normalize ~/~foo] segfault
  * (bug)[3cf3a9] variable 'timezone' deprecated in vc2017
  * (bug)[cc1e91] [list [list {*}[set a "/ "/]]] regression
    obsoletes tcl-expand-regression.patch.
  * (bug)[e3f481] tests var-1.2[01]
  * (new) Update to Unicode 12.0
  * (new)[TIP 527] New command [timerate]
  * (bug)[39fed4] [package require] memory validity
  * (new) New command tcl::unsupported::corotype
  * (bug) memlink when namespace deletion kills linked var
  * (new) README file converted to README.md in Markdown
  * (bug)[8b9854] [info level 0] regression with ensembles
  * (bug)[6bdadf] crash multi-arg write-traced [lappend]
  * (bug)[f8a33c] crash Tcl_Exit before init
  * (bug)[fa6bf3] Bytecode fails epoch recovery at numLevel=0
  * (bug)[fec0c1] C stack overflow compiling bytecode
  * tzdata updated to Olson's tzdata2019c
  * (bug)[16768d] Fix [info hostname] on NetBSD
  * (new) libtommath updated to release 1.2.0
  * (bug)[bcd100] bad fs cache when system encoding changes
  * (bug)[135804] segfault in [next] after destroy
  * (bug)[13657a] application/json us text, not binary
- binary-40.3 is expected to fail on riscv64 which does not support NaN
  propagation
- Use FAT LTO objects in order to provide proper static
  library (boo#1138797).
- Fix a regression in the handling of denormalized empty lists
  (tcl-expand-regression.patch, tcl#cc1e91552c).
- New version: 8.6.9:
  * NR-enable [package require]
  * (bug)[9fd5c6] crash in object deletion, test oo-11.5
  * (bug)[3c32a3] crash deleting object with class mixed in
  * (platform) stop using -lieee, removed from glibc-2.27
    (bsc#1179615, bsc#1181840).
  * (bug)[8e6a9a] bad binary [string match], test string-11.55
  * (bug)[1873ea] repair multi-thread std channel init
  * (bug)[db36fa] broken bytecode for index values
  * (bug) broken compiled [string replace], test string-14.19
  * (bug) [string trim*] engine crashed on invalid UTF
  * (bug) missing trace in compiled [array set], test var-20.11
  * (bug)[46a241] crash in unset array with search, var-13.[23]
  * (bug)[27b682] race made [file delete] raise "/no such file"/
  * (bug)[925643] 32/64 cleanup of filesystem DIR operations
  * (bug) leaks in TclSetEnv and env cache
  * (bug)[3592747] [yieldto] dying namespace, tailcall-14.1
  * (bug)[270f78] race in [file mkdir]
  * (bug)[3f7af0] [file delete] raised "/permission denied"/
  * (bug)[d051b7] overflow crash in [format]
  * revised quoting of [exec] args in generated command line
  * HTTP Keep-Alive with pipelined requests
  * (new)[TIP 505] [lreplace] accepts all out of range indices
  * (bug) Prevent crash from NULL keyName in the registry package
  * Update tcltest package for Travis support
  * (bug)[35a8f1] overlong string length of some lists
  * (bug)[00d04c] Repair [binary encode base64]
- handle s390 like s390x (bnc#1085480)
- Version 8.6.8:
  * [array names -regexp] supports backrefs
  * Fix gcc build failures due to #pragma placement
  * (bug)[b50fb2] exec redir append stdout and stderr to file
  * (bug)[2a9465] http state 100 continue handling broken
  * (bug)[0e4d88] replace command, delete trace kills namespace
  * (bug)[1a5655] [info * methods] includes mixins
  * (bug)[fc1409] segfault in method cloning, oo-15.15
  * (bug)[3298012] Stop crash when hash tables overflow 32 bits
  * (bug)[5d6de6] Close failing case of [package prefer stable]
  * (bug)[4f6a1e] Crash when ensemble map and list are same
  * (bug)[ce3a21] file normalize failure when tail is empty
  * (new)[TIP 477] nmake build system reform
  * (bug)[586e71] EvalObjv exception handling at level #0
- adapt check section for rpm-4.14.0
- Add more tests in Whitelist as bypass boo#1072657
  identified following tests failed on PowerPC
  interp-34.9 interp-34.13 http-3.25 timer-2.1 thread-20.9
- Whitelist known-failing tests. Further investigation needed.
tcpdump
- Security fix: [bsc#1195825, CVE-2018-16301]
  * Fix segfault when handling large files
  * Add tcpdump-CVE-2018-16301.patch
timezone
- timezone update 2022a (bsc#1177460):
  * Palestine will spring forward on 2022-03-27, not -03-26*
  * zdump -v now outputs better failure indications
  * Bug fixes for code that reads corrupted TZif data
util-linux
- Apply a simple work-around for root owning of
  /var/lib/libuuid/clock.txt (bsc#1194642#c66).
- Extend cache in uuid_generate_time_generic() (bsc#1194642#c51,
  util-linux-libuuid-extend-cache.patch).
- Warn if uuidd lock state is not usable (bsc#1194642,
  util-linux-uuidd-check-lock-state.patch).
- Fix "/su -s"/ bash completion
  (bsc#1172427, util-linux-bash-completion-su-chsh-l.patch).
util-linux-systemd
- Apply a simple work-around for root owning of
  /var/lib/libuuid/clock.txt (bsc#1194642#c66).
- Extend cache in uuid_generate_time_generic() (bsc#1194642#c51,
  util-linux-libuuid-extend-cache.patch).
- Warn if uuidd lock state is not usable (bsc#1194642,
  util-linux-uuidd-check-lock-state.patch).
- Fix "/su -s"/ bash completion
  (bsc#1172427, util-linux-bash-completion-su-chsh-l.patch).
wicked
- fsm: fix device rename via yast (bsc#1194392)
  Reset worker config instead to reject a NULL/empty config
  xml node -- introduced in wicked 0.6.67 by commit c2a0385.
  [+ 0001-fsm-fix-device-rename-via-yast-bsc-1194392.patch]
- version 0.6.68
- sysctl: process sysctl.d directories as in sysctl --system
- sysctl: fix sysctl values for loopback device (bsc#1181163, bsc#1178357)
- dhcp4: add option to set route pref-src to dhcp IP (bsc#1192353)
- cleanup: warnings, time calculations and dhcp fixes (bsc#1188019)
- wireless: reconnect on unexpected wpa_supplicant restart (bsc#1183495)
- tuntap: avoid sysfs attr read error (bsc#1192311)
- ifstatus: fix warning of unexpected interface flag combination (bsc#1192164)
- dbus: config files in /usr shouldn't be marked as config in spec
- version 0.6.67
- dbus: install bus config in /usr (bsc#1183407,jsc#SLE-9750)
- logging: log reaped sub-process command and as debug, not error
- ifstatus: Don't show link as "/up"/ without RUNNING flag set
- firewalld: Make the zone assignment permanent (boo#1189560)
- fsm: cleanup and improve ifconfig and ifpolicy access utils
- dbus: cleanup the dbus-service.h file and unused property makros
- cleanup: applied code-spell run typo corrections
- dracut: initial fixes and improved option handling (boo#1182227)
- version 0.6.66
- wireless: migrate to wpa-supplicant v1 DBus interface (bsc#1156920)
  - support multiple networks configurations per interface
  - show connection status and scan-results (bsc#1160654)
  - corrected eap-tls,ttls cetificate handling and open vs. shared
    wep,open,psk,eap-tls,ttls,peap parsing from ifcfg (bsc#1057592)
  - cleanups and several other improvements, see changes
  - updated man ifcfg-wireless manual pages
- nanny: fix identify node owner exit condition
- schema: several xml-schema and dbus/property improvements
- utils: format/parse bitmap to array and string alternatives
- client: expose ethtool --get-permanent-address option
- removed sle15-sp3 patches included in the master sources (bsc#1181812)
  [- 0001-dhcp4-discover-on-reboot-timeout-after-start-delay.1181812.patch]
  [- 0002-dhcp6-request-nis-options-on-sle15-by-default.1181812.patch]
- dhcp4: discover on reboot timeout after start-delay (bsc#1181812)
  [+ 0001-dhcp4-discover-on-reboot-timeout-after-start-delay.1181812.patch]
- dhcp6: request nis options on sle15 by default (bsc#1181812)
  [+ 0002-dhcp6-request-nis-options-on-sle15-by-default.1181812.patch]
- version 0.6.65
- ifconfig: differentiate if to re-trigger dad on address updates (bsc#1177215)
- client: parse sysctl files in the correct order (bsc#1181186)
- ifup: fix for set up with unenslave from unconfigured master (boo#954329)
- rpm: prepare for new builds using usrmerged rpm macro (boo#1029961)
- rpm: Let wicked-service also provide service(network)
- cleanup: remove obsolete use-nanny=false (gh#openSUSE/wicked#815)
- dbus: add variant container, generic object-path and uint32 array macros
xen
- bsc#1196915 - VUL-0: CVE-2022-0001, CVE-2022-0002,CVE-2021-26401:
  xen: BHB speculation issues (XSA-398)
  xsa398-1.patch
  xsa398-2.patch
  xsa398-3.patch
  xsa398-4.patch
  xsa398-5.patch
  xsa398-6.patch
- bsc#1193447 - Slow execution of hvmloader+ovmf when VM contains
  an sriov device
  61bc429f-revert-hvmloader-PA-range-should-be-UC.patch
- bsc#1194576 - VUL-0: CVE-2022-23033: xen: arm:
  guest_physmap_remove_page not removing the p2m mappings (XSA-393)
  xsa393.patch
- bsc#1194581 - VUL-0: CVE-2022-23034: xen: a PV guest could DoS
  Xen while unmapping a grant (XSA-394)
  xsa394.patch
- bsc#1194588 - VUL-0: CVE-2022-23035: xen: insufficient cleanup of
  passed-through device IRQs (XSA-395)
  xsa395.patch
- Upstream bug fixes (bsc#1027519)
  619b7ac9-harden-assign_pages.patch (Replaces xsa385.patch)
  - Drop xsa385.patch
  619b8cb0-x86-PoD-misaligned-GFNs.patch (Replaces xsa388-1.patch)
  - Drop xsa388-1.patch
  619b8cb1-x86-PoD-intermediate-page-orders.patch (Replaces xsa388-2.patch)
  - Drop xsa388-2.patch
  619b8cb2-x86-P2M-set-partial-success.patch (Replaces xsa389.patch)
  - Drop xsa389.patch
  61d5687a-x86-spec-ctrl-opt_srb_lock-default.patch
xz
- Fix ZDI-CAN-16587 Fix escaping of malicious filenames
  (ZDI-CAN-16587 bsc#1198062 CVE-2022-1271)
  * bsc1198062.patch
yast2-samba-client
- With latest versions of samba (>=4.15.0) calling 'net ads lookup'
  with '-U%' fails; (boo#1193533).
- yast-samba-client fails to join if /etc/samba/smb.conf or
  /etc/krb5.conf don't exist; (bsc#1089938)
- Do not stop nmbd while nmbstatus is running, it is not necessary
  anymore; (bsc#1158916);
- 3.1.23
zlib
- CVE-2018-25032: Fix memory corruption on deflate, bsc#1197459
  * bsc1197459.patch
zsh
- Added CVE-2019-20044.patch: fixes insecure dropping of privileges when
  unsetting PRIVILEGED option (CVE-2019-20044 bsc#1163882)
- Add CVE-2018-1100.patch: it fixes buffer overflow in utils.c:checkmailpath()
  can lead to local arbitrary code execution (CVE-2018-1100 bsc#1089030)
- Added CVE-2021-45444.patch: fixes a vulnerability in prompt expansion which
  could be exploited through e.g.  VCS_Info to execute arbitrary shell
  commands (CVE-2021-45444 bsc#1196435)