- autofs
-
- autofs-5.1.3-revert-fix-argc-off-by-one-in-mount_aut.patch
Fix off-by-one error in recursive map handling. (bsc#1209653)
- avahi
-
- Add avahi-CVE-2023-1981.patch: emit error if requested service
is not found (boo#1210328 CVE-2023-1981).
- bind
-
- Security Fix:
* The overmem cleaning process has been improved, to prevent the
cache from significantly exceeding the configured
max-cache-size limit.
[bsc#1212544, CVE-2023-2828, bind-CVE-2023-2828.patch]
- cloud-init
-
- Sensitive data exposure (bsc#1210277, CVE-2023-1786)
+ Add hidesensitivedata
+ Add cloud-init-cve-2023-1786-redact-inst-data.patch
+ Do not expose sensitive data gathered from the CSP
- Add cloud-init-log-file-mode.patch (bsc#1183939)
+ Change log file creation mode to 640
- Add cloud-init-no-pwd-in-log.patch (bsc#1184758, CVE-2021-3429)
+ Do not write the generated password to the log file
- Add cloud-init-purge-cache-py-ver-change.patch
- Add cloud-init-bonding-opts.patch (bsc#1184085)
+ Write proper bonding option configuration for SLE/openSUSE
- Fix application and inclusion of
use_arroba_to_include_sudoers_directory-bsc_1181283.patchfix (bsc#1181283)
- Add use_arroba_to_include_sudoers_directory-bsc_1181283.patchfix (bsc#1181283)
- Do not include sudoers.d directory twice
- cloud-netconfig
-
- Update to version 1.7:
+ Overhaul policy routing setup (issue #19)
+ Support alias IPv4 ranges (issue #14)
+ Add support for NetworkManager (bsc#1204549)
+ Remove dependency on netconfig
+ Install into libexec directory
+ Clear stale ifcfg files for accelerated NICs (bsc#1199853)
+ More debug messages
+ Documentation update
- /etc/netconfig.d/ moved to /usr/libexec/netconfig/netconfig.d/ in
Tumbleweed, update path (poo#116221)
- cloud-regionsrv-client
-
- Update to version 10.1.1 (bsc#1210020, bsc#1210021)
+ Clean up the system if baseproduct registration fails to leave the
system in pristine state
+ Log when the registercloudguest command is invoked with --clean
- Update to version 10.1.0 (bsc#1207133, bsc#1208097, bsc#1208099)
- Removes a warning about system_token entry present in the credentials
file.
- Adds logrotate configuration for log rotation.
- containerd
-
- unversion to golang requires to always use the current default go. (bsc#1210298)
- Update to containerd v1.6.19 for Docker v23.0.2-ce. Upstream release notes:
<https://github.com/containerd/containerd/releases/tag/v1.6.19>
Includes fixes for:
- CVE-2023-25153 bsc#1208423
- CVE-2023-25173 bsc#1208426
- Re-build containerd to use updated golang-packaging. jsc#1342
- Update to containerd v1.6.16 for Docker v23.0.1-ce. Upstream release notes:
<https://github.com/containerd/containerd/releases/tag/v1.6.16>
- Update to containerd v1.6.12 to fix CVE-2022-23471 bsc#1206235. Upstream
release notes:
<https://github.com/containerd/containerd/releases/tag/v1.6.12>
- coreutils
-
- Add coreutils-chcon-skip-validation-if-selinux-disabled.patch to
avoid unnecessary failure in case SELinux is disabled.
(bsc#1212999)
- cronie
-
- Let systemd finish jobs executed by cron after it gets killed, bsc#1211066
* cron.service
- cryptsetup
-
- luksFormat: Handle system with low memory and no swap space [bsc#1211079]
* Check for physical memory available also in PBKDF benchmark.
* Try to avoid OOM killer on low-memory systems without swap.
* Use only half of detected free memory on systems without swap.
* Add patches:
- cryptsetup-Check-for-physical-memory-available-also-in-PBKDF-be.patch
- cryptsetup-Try-to-avoid-OOM-killer-on-low-memory-systems-withou.patch
- cryptsetup-Use-only-half-of-detected-free-memory-on-systems-wit.patch
- cups
-
- cups-1.7.5-CVE-2023-32324.patch fixes CVE-2023-32324
"Heap buffer overflow in cupsd"
https://github.com/OpenPrinting/cups/security/advisories/GHSA-cxc6-w2g7-69p7
bsc#1211643
- curl
-
- Security fix: [bsc#1213237, CVE-2023-32001]
* fopen race condition: libcurl can be told to save cookie,
HSTS and/or alt-svc data to files. When doing this, it
called 'stat()' followed by 'fopen()' in a way that made
it vulnerable to a TOCTOU race condition problem.
* Add curl-CVE-2023-32001.patch
- Security fixes:
* [bsc#1211230, CVE-2023-28319] use-after-free in SSH sha256
fingerprint check.
- Add curl-CVE-2023-28319.patch
* [bsc#1211231, CVE-2023-28320] siglongjmp race condition
- Add curl-CVE-2023-28320.patch
* [bsc#1211232, CVE-2023-28321] IDN wildcard matching
- Add curl-CVE-2023-28321.patch
* [bsc#1211233, CVE-2023-28322] POST-after-PUT confusion
- Add curl-CVE-2023-28322.patch
- Update to 8.0.1: [jsc#PED-2580]
* Remove the curl-mini package and associated files:
- curl-mini.changes curl-mini.spec pre_checkin.sh
* Rebase curl-use_DEFAULT_SUSE_cipher.patch
* Remove patches fixed in the update:
- curl-check-content-type.patch
- curl-fix-O_APPEND.patch
- curl-libssh-socket.patch
- curl-X509_V_FLAG_PARTIAL_CHAIN.patch
- curl-CVE-2018-0500.patch curl-CVE-2018-14618.patch
- curl-CVE-2018-16839.patch curl-CVE-2018-16840.patch
- curl-CVE-2018-16842.patch curl-CVE-2018-16890.patch
- curl-CVE-2019-3822.patch curl-CVE-2019-3823.patch
- curl-CVE-2019-5436.patch curl-CVE-2019-5481.patch
- curl-CVE-2019-5482.patch curl-CVE-2020-8177.patch
- curl-CVE-2020-8231.patch curl-CVE-2020-8284.patch
- curl-CVE-2020-8285.patch curl-CVE-2020-8286.patch
- curl-CVE-2021-22876.patch curl-CVE-2021-22876-URL-API.patch
- curl-CVE-2021-22898.patch curl-CVE-2021-22924.patch
- curl-CVE-2021-22925.patch curl-CVE-2021-22946.patch
- curl-CVE-2021-22947.patch curl-CVE-2023-27534-dynbuf.patch
- curl-CVE-2022-22576.patch curl-CVE-2022-27776.patch
- curl-CVE-2022-27781.patch curl-CVE-2022-27782.patch
- curl-CVE-2022-32206.patch curl-CVE-2022-32208.patch
- curl-CVE-2022-32221.patch curl-CVE-2022-35252.patch
- curl-CVE-2022-43552.patch curl-CVE-2023-23916.patch
- curl-CVE-2023-27533.patch curl-CVE-2023-27533-no-sscanf.patch
- curl-CVE-2023-27534.patch curl-CVE-2023-27535.patch
- curl-CVE-2023-27536.patch curl-CVE-2023-27538.patch
- Update to 8.0.1:
* Bugfixes:
- fix crash in curl_easy_cleanup
- Update to 8.0.0:
* Security fixes:
- TELNET option IAC injection [bsc#1209209, CVE-2023-27533]
- SFTP path ~ resolving discrepancy [bsc#1209210, CVE-2023-27534]
- FTP too eager connection reuse [bsc#1209211, CVE-2023-27535]
- GSS delegation too eager connection re-use [bsc#1209212, CVE-2023-27536]
- HSTS double-free [bsc#1209213, CVE-2023-27537]
- SSH connection too eager reuse still [bsc#1209214, CVE-2023-27538]
* Changes:
- build: remove support for curl_off_t < 8 bytes
* Bugfixes:
- aws_sigv4: fall back to UNSIGNED-PAYLOAD for sign_as_s3
- BINDINGS: add Fortran binding
- cf-socket: use port 80 when resolving name for local bind
- cookie: don't load cookies again when flushing
- curl_path: create the new path with dynbuf
- CURLSHOPT_SHARE.3: HSTS sharing is not thread-safe
- DYNBUF.md: note Curl_dyn_add* calls Curl_dyn_free on failure
- ftp: active mode with SSL, add the filter
- hostip: avoid sscanf and extra buffer copies
- http2: fix for http2-prior-knowledge when reusing connections
- http2: fix handling of RST and GOAWAY to recognize partial transfers
- http: don't send 100-continue for short PUT requests
- http: fix unix domain socket use in https connects
- libssh: use dynbuf instead of realloc
- ngtcp2-gnutls.yml: bump to gnutls 3.8.0
- sectransp: make read_cert() use a dynbuf when loading
- telnet: only accept option arguments in ascii
- telnet: parse telnet options without sscanf
- url: fix the SSH connection reuse check
- url: only reuse connections with same GSS delegation
- urlapi: '%' is illegal in host names
- ws: keep the socket non-blocking
* Rebase libcurl-ocloexec.patch
- Security fixes:
* [bsc#1209209, CVE-2023-27533] TELNET option IAC injection
Add curl-CVE-2023-27533-no-sscanf.patch curl-CVE-2023-27533.patch
* [bsc#1209210, CVE-2023-27534] SFTP path ~ resolving discrepancy
Add curl-CVE-2023-27534.patch curl-CVE-2023-27534-dynbuf.patch
* [bsc#1209211, CVE-2023-27535] FTP too eager connection reuse
Add curl-CVE-2023-27535.patch
* [bsc#1209212, CVE-2023-27536] GSS delegation too eager connection re-use
Add curl-CVE-2023-27536.patch
* [bsc#1209214, CVE-2023-27538] SSH connection too eager reuse still
Add curl-CVE-2023-27538.patch
- Update to 7.88.1:
* Bugfix release
- Drop upstreamed patch:
* curl-fix-uninitialized-value-in-tests.patch
- Update to 7.88.0: [bsc#1207990, CVE-2023-23914]
[bsc#1207991, CVE-2023-23915] [bsc#1207992, CVE-2023-23916]
* Security fixes:
- CVE-2023-23914: HSTS ignored on multiple requests
- CVE-2023-23915: HSTS amnesia with --parallel
- CVE-2023-23916: HTTP multi-header compression denial of service
* Changes:
- curl.h: add CURL_HTTP_VERSION_3ONLY
- share: add sharing of HSTS cache among handles
- src: add --http3-only
- tool_operate: share HSTS between handles
- urlapi: add CURLU_PUNYCODE
- writeout: add %{certs} and %{num_certs}
* Bugfixes:
- cf-socket: keep sockaddr local in the socket filters
- cfilters:Curl_conn_get_select_socks: use the first non-connected filter
- curl.h: allow up to 10M buffer size
- curl.h: mark CURLSSLBACKEND_MESALINK as deprecated
- curl/websockets.h: extend the websocket frame struct
- curl: output warning at --verbose output for debug-enabled version
- curl_free.3: fix return type of `curl_free`
- curl_log: for failf/infof and debug logging implementations
- dict: URL decode the entire path always
- docs/DEPRECATE.md: deprecate gskit
- easyoptions: fix header printing in generation script
- haxproxy: send before TLS handshake
- hsts.d: explain hsts more
- hsts: handle adding the same host name again
- HTTP/[23]: continue upload when state.drain is set
- http: decode transfer encoding first
- http_aws_sigv4: remove typecasts from HMAC_SHA256 macro
- http_proxy: do not assign data->req.p.http use local copy
- lib: connect/h2/h3 refactor
- libssh2: try sha2 algos for hostkey methods
- md4: fix build with GnuTLS + OpenSSL v1
- ngtcp2: replace removed define and stop using removed function
- noproxy: support for space-separated names is deprecated
- nss: implement data_pending method
- openldap: fix missing sasl symbols at build in specific configs
- openssl: adapt to boringssl's error code type
- openssl: don't ignore CA paths when using Windows CA store (redux)
- openssl: don't log raw record headers
- openssl: make the BIO_METHOD a local variable in the connection filter
- openssl: only use CA_BLOB if verifying peer
- openssl: remove attached easy handles from SSL instances
- openssl: store the CA after first send (ClientHello)
- setopt: use >, not >=, when checking if uarg is larger than uint-max
- smb: return error on upload without size
- socketpair: allow localhost MITM sniffers
- strdup: name it Curl_strdup
- tool_getparam: fix hiding of command line secrets
- tool_operate: fix error codes on bad URL & OOM
- tool_operate: repair --rate
- transfer: break the read loop when RECV is cleared
- typecheck: accept expressions for option/info parameters
- urlapi: avoid Curl_dyn_addf() for hex outputs
- urlapi: skip path checks if path is just "/"
- urlapi: skip the extra dedotdot alloc if no dot in path
- urldata: cease storing TLS auth type
- urldata: make 'ftp_create_missing_dirs' depend on FTP || SFTP
- urldata: make set.http200aliases conditional on HTTP being present
- urldata: move the cookefilelist to the 'set' struct
- urldata: remove unused struct fields, made more conditional
- vquic: stabilization and improvements
- vtls: fix hostname handling in filters
- vtls: manage current easy handle in nested cfilter calls
- vtls: use ALPN HTTP/1.0 when HTTP/1.0 is used
* Rebase libcurl-ocloexec.patch
* Fix regression tests: f1d09231adfc695d15995b9ef2c8c6e568c28091
- runtests: fix "uninitialized value $port"
- Add curl-fix-uninitialized-value-in-tests.patch
- Security Fix: [bsc#1207992, CVE-2023-23916]
* HTTP multi-header compression denial of service
* Add curl-CVE-2023-23916.patch
- Update to 7.87.0:
* Security fixes:
- CVE-2022-43551, bsc#1206308: another HSTS bypass via IDN
- CVE-2022-43552, bsc#1206309: HTTP Proxy deny use-after-free
* Changes
- curl: add --url-query
- CURLOPT_QUICK_EXIT: don't wait for DNS thread on exit
- lib: add CURL_WRITEFUNC_ERROR to signal write callback error
- openssl: reduce CA certificate bundle reparsing by caching
- version: add a feature names array to curl_version_info_data
* Bugfixes
- altsvc: fix rejection of negative port numbers
- aws_sigv4: consult x-%s-content-sha256 for payload hash
- aws_sigv4: fix typos in aws_sigv4.c
- base64: better alloc size
- base64: encode without using snprintf
- base64: faster base64 decoding
- build: assume assert.h is always available
- build: assume errno.h is always available
- c-hyper: CONNECT responses are not server responses
- c-hyper: fix multi-request mechanism
- CI: Change FreeBSD image from 12.3 to 12.4
- CI: LGTM.com will be shut down in December 2022
- ci: Remove zuul fuzzing job as it's superseded by CIFuzz
- cmake: check for cross-compile, not for toolchain
- CMake: fix build with `CURL_USE_GSSAPI`
- cmake: really enable warnings with clang
- cmake: set the soname on the shared library
- cmdline-opts/gen.pl: fix the linkifier
- cmdline-opts/page-footer: remove long option nroff formatting
- config-mac: define HAVE_SYS_IOCTL_H
- config-mac: fix typo: size_T -> size_t
- config-mac: remove HAVE_SYS_SELECT_H
- config-win32: fix SIZEOF_OFF_T for MSVC and old MinGW
- configure: require fork for NTLM-WB
- contributors.sh: actually use $CURLWWW instead of just setting it
- cookie: compare cookie prefixes case insensitively
- cookie: expire cookies at once when max-age is negative
- cookie: open cookie jar as a binary file
- curl-openssl.m4: do not add $prefix/include/openssl to CPPFLAGS
- curl-rustls.m4: on macOS, rustls also needs the Security framework
- curl.h: include <sys/select.h> on SerenityOS
- curl.h: name all public function parameters
- curl.h: reword comment to not use deprecated option
- curl: override the numeric locale and set "C" by force
- curl: timeout in the read callback
- curl_endian: remove Curl_write64_le from header
- curl_get_line: allow last line without newline char
- curl_path: do not add '/' if homedir ends with one
- curl_url_get.3: remove spurious backtick
- curl_url_set.3: document CURLU_DISALLOW_USER
- curl_url_set.3: fix typo
- CURLMOPT_SOCKETFUNCTION.3: clarify CURL_POLL_REMOVE
- CURLOPT_COOKIEFILE.3: advice => advise
- CURLOPT_DEBUGFUNCTION.3: do not assume nul-termination in example
- CURLOPT_DEBUGFUNCTION.3: emphasize that incoming data is "raw"
- CURLOPT_POST.3: Explain setting to 0 changes request type
- docs/curl_ws_send: Fixed typo in websocket docs
- docs/EARLY-RELEASE.md: how to determine an early release
- docs/examples: spell correction ('Retrieve')
- docs/INSTALL.md: expand on static builds
- docs/WEBSOCKET.md: explain the URL use
- docs: add missing parameters for --retry flag
- docs: add more "SEE ALSO" links to CA related pages
- docs: explain the noproxy CIDR notation support
- docs: extend the dump-header documentation
- docs: remove performance note in CURLOPT_SSL_VERIFYPEER
- examples/10-at-a-time: fix possible skipped final transfers
- examples: update descriptions
- ftp: support growing files with CURLOPT_IGNORE_CONTENT_LENGTH
- gen.pl: do not generate CURLHELP bitmask lines > 79 characters
- GHA: clarify workflows permissions, set least possible privilege
- GHA: NSS use clang instead of clang-9
- gnutls: use common gnutls init and verify code for ngtcp2
- headers: add endif comments
- HTTP-COOKIES.md: mention that http://localhost is a secure context
- HTTP-COOKIES.md: update the 6265bis link to draft-11
- http: do not send PROXY more than once
- http: fix the ::1 comparison for IPv6 localhost for cookies
- http: set 'this_is_a_follow' in the Location: logic
- http: use the IDN decoded name in HSTS checks
- hyper: classify headers as CONNECT and 1XX
- hyper: fix handling of hyper_task's when reusing the same address
- idn: remove Curl_win32_ascii_to_idn
- INSTALL: update operating systems and CPU archs
- KNOWN_BUGS: remove eight entries
- lib1560: add some basic IDN host name tests
- lib: connection filters (cfilter) addition to curl:
- lib: feature deprecation warnings in gcc >= 4.3
- lib: fix some type mismatches and remove unneeded typecasts
- lib: parse numbers with fixed known base 10
- lib: remove bad set.opt_no_body assignments
- lib: rewind BEFORE request instead of AFTER previous
- lib: sync guard for Curl_getaddrinfo_ex() definition and use
- lib: use size_t or int etc instead of longs
- libcurl-errors.3: remove duplicate word
- libssh2: return error when ssh_hostkeyfunc returns error
- limit-rate.d: see also --rate
- log2changes.pl: wrap long lines at 80 columns
- Makefile.mk: address minor issues
- Makefile.mk: improve a GNU Make hack
- Makefile.mk: portable Makefile.m32
- maketgz: set the right version in lib/libcurl.plist
- mime: relax easy/mime structures binding
- misc: Fix incorrect spelling
- misc: remove duplicated include files
- misc: typo and grammar fixes
- negtelnetserver.py: have it call its close() method
- netrc.d: provide mutext info
- netware: remove leftover traces
- noproxy: also match with adjacent comma
- noproxy: guard against empty hostnames in noproxy check
- noproxy: tailmatch like in 7.85.0 and earlier
- nroff-scan.pl: detect double highlights
- ntlm: improve comment for encrypt_des
- ntlm: silence ubsan warning about copying from null target_info pointer
- openssl/mbedtls: use %d for outputting port with failf (int)
- openssl: prefix errors with '[lib]/[version]: '
- os400: use platform socklen_t in Curl_getnameinfo_a
- page-header: grammar improvement (display transfer rate)
- proxy: refactor haproxy protocol handling as connection filter
- README.md: remove badges and xmas-tree garnish
- rtsp: fix RTSP auth
- runtests: --no-debuginfod now disables DEBUGINFOD_URLS
- runtests: do CRLF replacements per section only
- scripts/checksrc.pl: detect duplicated include files
- sendf: change Curl_read_plain to wrap Curl_recv_plain
- sendf: remove unnecessary if condition
- setup: do not require __MRC__ defined for Mac OS 9 builds
- smb/telnet: do not free the protocol struct in *_done()
- socks: fix username max size is 255 (0xFF)
- spellcheck.words: remove 'github' as an accepted word
- ssl-reqd.d: clarify that this is for upgrading connections only
- strcase: use curl_str(n)equal for case insensitive matches
- styled-output.d: this option does not work on Windows
- system.h: fix socklen_t, curl_off_t, long long for Classic Mac OS
- system.h: support 64-bit curl_off_t for NonStop 32-bit
- test1421: fix typo
- test3026: reduce runtime in legacy mingw builds
- tests/sshserver.pl: re-enable ssh-rsa while using openssh 8.8+
- tests: add authorityInfoAccess to generated certs
- tests: add HTTP/3 test case, custom location for proper nghttpx
- tls: backends use connection filters for IO, enabling HTTPS-proxy
- tool: determine the correct fopen option for -D
- tool_cfgable: free the ssl_ec_curves on exit
- tool_cfgable: make socks5_gssapi_nec a boolean
- tool_formparse: avoid clobbering on function params
- tool_getparam: make --no-get work as the opposite of --get
- tool_operate: provide better errmsg for -G with bad URL
- tool_operate: when aborting, make sure there is a non-NULL error buffer
- tool_paramhlp: free the proto strings on exit
- url: move back the IDN conversion of proxy names
- urlapi: reject more bad letters from the host name: &+()
- urldata: change port num storage to int and unsigned short
- vms: remove SIZEOF_SHORT
- vtls: fix build without proxy support
- vtls: localization of state data in filters
- WEBSOCKET.md: fix broken link
- Websocket: fixes for partial frames and buffer updates
- websockets: fix handling of partial frames
- windows: fail early with a missing windres in autotools
- windows: fix linking .rc to shared curl with autotools
- winidn: drop WANT_IDN_PROTOTYPES
- ws: if no connection is around, return error
- ws: return CURLE_NOT_BUILT_IN when websockets not built in
- x509asn1: avoid freeing unallocated pointers
- Add 1.50.0 as the minimum libnghttp2 build requirement version as
a bandaid. Curl's 7.86.0 release introduces the use of
nghttp2_option_set_no_rfc9113_leading_and_trailing_ws_validation,
introduced by nghttp2 1.50.0 release, without introducing a check
for the function/right version in their build scripts. This will
make Zypper/cURL unusable in some corner cases where users
install something that requires libcurl4 before doing a full
system upgrade, thus updating the cURL stack, but not
libnghttp2's. Background: boo#1204983, Factory mailing list
thread:
"? broken dependency in curl and/or *zyp* ?", and forums thread:
Curl-is-broken-after-an-update-which-subsequently-breaks-zypper.
- Update to 7.86.0:
* Security fixes:
- POST following PUT confusion [bsc#1204383, CVE-2022-32221]
- .netrc parser out-of-bounds access [bsc#1204384, CVE-2022-35260]
- HTTP proxy double-free [bsc#1204385, CVE-2022-42915]
- HSTS bypass via IDN [bsc#1204386, CVE-2022-42916]
* Changes:
- NPN: remove support for and use of
- Websockets: initial support
* Bugfixes:
- altsvc: reject bad port numbers
- autotools: reduce brute-force when detecting recv/send arg list
- aws_sigv4: fix header computation
- cli tool: do not use disabled protocols
- connect: change verbose IPv6 address:port to [address]:port
- connect: fix builds without AF_INET6
- connect: fix Curl_updateconninfo for TRNSPRT_UNIX
- connect: fix the wrong error message on connect failures
- content_encoding: use writer struct subclasses for different encodings
- cookie: reject cookie names or content with TAB characters
- curl/add_file_name_to_url: use the libcurl URL parser
- curl/get_url_file_name: use libcurl URL parser
- curl: warn for --ssl use, considered insecure
- docs/libcurl/symbols-in-versions: add several missing symbols
- ftp: ignore a 550 response to MDTM
- functypes: provide the recv and send arg and return types
- getparameter: return PARAM_MANUAL_REQUESTED for -M even when disabled
- header: define public API functions as extern c
- headers: reset the requests counter at transfer start
- hostip: guard PF_INET6 use
- hostip: lazily wait to figure out if IPv6 works until needed
- http, vauth: always provide Curl_allow_auth_to_host() functionality
- http2: make nghttp2 less picky about field whitespace
- http: try parsing Retry-After: as a number first
- http_proxy: restore the protocol pointer on error
- lib: add missing limits.h includes
- lib: prepare the incoming of additional protocols
- lib: sanitize conditional exclusion around MIME
- libssh: if sftp_init fails, don't get the sftp error code
- mprintf: reject two kinds of precision for the same argument
- mqtt: return error for too long topic
- netrc: compare user name case sensitively
- netrc: replace fgets with Curl_get_line
- netrc: use the URL-decoded user
- ngtcp2: fix build errors due to changes in ngtcp2 library
- noproxy: support proxies specified using cidr notation
- openssl: make certinfo available for QUIC
- resolve: make forced IPv4 resolve only use A queries
- schannel: ban server ALPN change during recv renegotiation
- schannel: don't reset recv/send function pointers on renegotiation
- schannel: when importing PFX, disable key persistence
- setopt: use the handler table for protocol name to number conversions
- setopt: when POST is set, reset the 'upload' field
- single_transfer: use the libcurl URL parser when appending query parts
- smb: replace CURL_WIN32 with WIN32
- tool: avoid generating ambiguous escaped characters in --libcurl
- tool_main: exit at once if out of file descriptors
- tool_operate: more transfer cleanup after parallel transfer fail
- tool_operate: prevent over-queuing in parallel mode
- tool_paramhelp: asserts verify maximum sizes for string loading
- tool_xattr: save the original URL, not the final redirected one
- url: a zero-length userinfo part in the URL is still a (blank) user
- url: allow non-HTTPS HSTS-matching for debug builds
- url: rename function due to name-clash in Watt-32
- url: use IDN decoded names for HSTS checks
- urlapi: detect scheme better when not guessing
- urlapi: fix parsing URL without slash with CURLU_URLENCODE
- urlapi: reject more bad characters from the host name field
* Remove patch upstream:
- connect-fix-Curl_updateconninfo-for-TRNSPRT_UNIX.patch
- Update connection info when using UNIX socket as endpoint
connect-fix-Curl_updateconninfo-for-TRNSPRT_UNIX.patch
- Change the deprecated configure option --enable-hidden-symbols
to the new --enable-symbol-hiding.
- Update to 7.85.0:
* Security fixes: [bsc#1202593, CVE-2022-35252]
- control code in cookie denial of service
* Changes:
- quic: add support via wolfSSL
- schannel: Add TLS 1.3 support
- setopt: add CURLOPT_PROTOCOLS_STR and CURLOPT_REDIR_PROTOCOLS_STR
* Bugfixes:
- asyn-thread: fix socket leak on OOM
- asyn-thread: make getaddrinfo_complete return CURLcode
- base64: base64url encoding has no padding
- configure: fix broken m4 syntax in TLS options
- configure: if asked to use TLS, fail if no TLS lib was detected
- connect: add quic connection information
- connect: set socktype/protocol correctly
- cookie: reject cookies with "control bytes"
- cookie: treat a blank domain in Set-Cookie: as non-existing
- curl: output warning when a cookie is dropped due to size
- Curl_close: call Curl_resolver_cancel to avoid memory-leak
- digest: fix memory leak, fix not quoted 'opaque'
- digest: fix missing increment of 'nc' value for auth-int
- digest: pass over leading spaces in qop values
- digest: reject broken header with session protocol but without qop
- doh: use https protocol by default
- easy_lock.h: include sched.h if available to fix build
- easy_lock.h: use __asm__ instead of asm to fix build
- easy_lock: switch to using atomic_int instead of bool
- ftp: use a correct expire ID for timer expiry
- h2h3: fix overriding the 'TE: Trailers' header
- hostip: resolve *.localhost to 127.0.0.1/::1
- HTTP3.md: update to msh3 v0.4.0
- hyper: use wakers for curl pause/resume
- lib3026: reduce the number of threads to 100
- libssh2: make atime/mtime date overflow return error
- libssh2: provide symlink name in SFTP dir listing
- multi: have curl_multi_remove_handle close CONNECT_ONLY transfer
- multi: use larger dns hash table for multi interface
- multi_wait: fix skipping to populate revents for extra_fds
- netrc: Use the password from lines without login
- ngtcp2: Fix build error due to change in nghttp3 prototypes
- ngtcp2: fix stall or busy loop on STOP_SENDING with upload data
- ngtcp2: implement cb_h3_stop_sending and cb_h3_reset_stream callbacks
- openssl: add 'CURL_BORINGSSL_VERSION' to identify BoringSSL
- openssl: add cert path in error message
- openssl: add details to "unable to set client certificate" error
- openssl: fix BoringSSL symbol conflicts with LDAP and Schannel
- select: do not return fatal error on EINTR from poll()
- sendf: fix paused header writes since after the header API
- sendf: skip storing HTTP headers if HTTP disabled
- url: really use the user provided in the url when netrc entry exists
- url: reject URLs with hostnames longer than 65535 bytes
- url: treat missing usernames in netrc as empty
- urldata: reduce size of several struct fields
- vtls: make Curl_ssl_backend() return the enum type curl_sslbackend
* Remove tests-for-32bit.patch fixed in the update
* Rebase libcurl-ocloexec.patch
- add tests-for-32bit.patch to fix testsuite on 32bit platforms
- Update to 7.84.0:
* Security fixes:
- (bsc#1200737, CVE-2022-32208): FTP-KRB bad message verification
- (bsc#1200736, CVE-2022-32207): Unpreserved file permissions
- (bsc#1200735, CVE-2022-32206): HTTP compression denial of service
- (bsc#1200734, CVE-2022-32205): Set-Cookie denial of service
* Changes:
- curl: add --rate to set max request rate per time unit
- curl: deprecate --random-file and --egd-file
- curl_version_info: add CURL_VERSION_THREADSAFE
- CURLINFO_CAPATH/CAINFO: get the default CA paths from libcurl
- lib: make curl_global_init() threadsafe when possible
- libssh2: add CURLOPT_SSH_HOSTKEYFUNCTION
- opts: deprecate RANDOM_FILE and EGDSOCKET
- socks: support unix sockets for socks proxy
* Bugfixes:
- aws-sigv4: fix potential NULL pointer arithmetic
- bindlocal: don't use a random port if port number would wrap
- c-hyper: mark status line as status for Curl_client_write()
- ci: avoid `cmake -Hpath`
- CI: bump FreeBSD 13.0 to 13.1
- ci: update github actions
- cmake: add libpsl support
- cmake: do not add libcurl.rc to the static libcurl library
- cmake: enable curl.rc for all Windows targets
- cmake: fix detecting libidn2
- cmake: support adding a suffix to the OS value
- configure: skip libidn2 detection when winidn is used
- configure: use the SED value to invoke sed
- configure: warn about rustls being experimental
- content_encoding: return error on too many compression steps
- cookie: address secure domain overlay
- cookie: apply limits
- copyright.pl: parse and use .reuse/dep5 for skips
- copyright: make repository REUSE compliant
- curl.1: add a few see also --tls-max
- curl.1: mention exit code zero too
- curl: re-enable --no-remote-name
- curl_easy_pause.3: remove explanation of progress function
- curl_getdate.3: document that some illegal dates pass through
- Curl_parsenetrc: don't access local pwbuf outside of scope
- curl_url_set.3: clarify by default using known schemes only
- CURLOPT_ALTSVC.3: document the file format
- CURLOPT_FILETIME.3: fix the protocols this works with
- CURLOPT_HTTPHEADER.3: improve comment in example
- CURLOPT_NETRC.3: document the .netrc file format
- CURLOPT_PORT.3: We discourage using this option
- CURLOPT_RANGE.3: remove ranged upload advice
- digest: added detection of more syntax error in server headers
- digest: tolerate missing "realm"
- digest: unquote realm and nonce before processing
- DISABLED: disable 1021 for hyper again
- docs/cmdline-opts: add copyright and license identifier to each file
- docs/CONTRIBUTE.md: document the 'needs-votes' concept
- docs: clarify data replacement policy for MIME API
- doh: remove UNITTEST macro definition
- examples/crawler.c: use the curl license
- examples: remove fopen.c and rtsp.c
- FAQ: Clarify Windows double quote usage
- fopen: add Curl_fopen() for better overwriting of files
- ftp: restore protocol state after http proxy CONNECT
- ftp: when failing to do a secure GSSAPI login, fail hard
- GHA/hyper: enable debug in the build
- gssapi: improve handling of errors from gss_display_status
- gssapi: initialize gss_buffer_desc strings
- headers api: remove EXPERIMENTAL tag
- http2: always debug print stream id in decimal with %u
- http2: reject overly many push-promise headers
- http: restore header folding behavior
- hyper: use 'alt-used'
- krb5: return error properly on decode errors
- lib: make more protocol specific struct fields #ifdefed
- libcurl-security.3: add "Secrets in memory"
- libcurl-security.3: document CRLF header injection
- libssh: skip the fake-close when libssh does the right thing
- links: update dead links to the curl-wiki
- log2changes: do not indent empty lines [ci skip]
- macos9: remove partial support
- Makefile.am: fix portability issues
- Makefile.m32: delete obsolete options, improve -On [ci skip]
- Makefile.m32: delete two obsolete OpenSSL options [ci skip]
- Makefile.m32: stop forcing XP target with ipv6 enabled [ci skip]
- max-time.d: clarify max-time sets max transfer time
- mprintf: ignore clang non-literal format string
- netrc: check %USERPROFILE% as well on Windows
- netrc: support quoted strings
- ngtcp2: allow curl to send larger UDP datagrams
- ngtcp2: correct use of ngtcp2 and nghttp3 signed integer types
- ngtcp2: enable Linux GSO
- ngtcp2: extend QUIC transport parameters buffer
- ngtcp2: fix alert_read_func return value
- ngtcp2: fix typo in preprocessor condition
- ngtcp2: handle error from ngtcp2_conn_submit_crypto_data
- ngtcp2: send appropriate connection close error code
- ngtcp2: support boringssl crypto backend
- ngtcp2: use helper funcs to simplify TLS handshake integration
- ntlm: provide a fixed fake host name
- projects: fix third-party SSL library build paths for Visual Studio
- quic: add Curl_quic_idle
- quiche: support ca-fallback
- rand: stop detecting /dev/urandom in cross-builds
- remote-name.d: mention --output-dir
- runtests.pl: add the --repeat parameter to the --help output
- runtests: fix skipping tests not done event-based
- runtests: skip starting the ssh server if user name is lacking
- scripts/copyright.pl: fix the exclusion to not ignore man pages
- sectransp: check for a function defined when __BLOCKS__ is undefined
- select: return error from "lethal" poll/select errors
- server/sws: support spaces in the HTTP request path
- speed-limit/time.d: mention these affect transfers in either direction
- strcase: some optimisations
- test 2081: add a valid reply for the second request
- test 675: add missing CR so the test passes when run through Privoxy
- test414: add the '--resolve' keyword
- test681: verify --no-remote-name
- tests 266, 116 and 1540: add a small write delay
- tests/data/test1501: kill ftp server after slow LIST response
- tests/getpart: fix getpartattr to work with "data" and "data2"
- tests/server/sws.c: change the HTTP writedelay unit to milliseconds
- test{440,441,493,977}: add "HTTP proxy" keywords
- tool_getparam: fix --parallel-max maximum value constraint
- tool_operate: make sure --fail-with-body works with --retry
- transfer: fix potential NULL pointer dereference
- transfer: maintain --path-as-is after redirects
- transfer: upload performance; avoid tiny send
- url: free old conn better on reuse
- url: remove redundant #ifdefs in allocate_conn()
- url: URL encode the path when extracted, if spaces were set
- urlapi: make curl_url_set(url, CURLUPART_URL, NULL, 0) clear all parts
- urlapi: support CURLU_URLENCODE for curl_url_get()
- urldata: reduce size of a few struct fields
- urldata: remove three unused booleans from struct UserDefined
- urldata: store tcp_keepidle and tcp_keepintvl as ints
- version: allow stricmp() for sorting the feature list
- vtls: make curl_global_sslset thread-safe
- wolfssh.h: removed
- wolfssl: correct the failf() message when a handle can't be made
- wolfSSL: explicitly use compatibility layer
- x509asn1: mark msnprintf return as unchecked
- Update to 7.83.1:
* Security fixes:
- (bsc#1199225, CVE-2022-30115) HSTS bypass via trailing dot
- (bsc#1199224, CVE-2022-27782) TLS and SSH connection too eager reuse
- (bsc#1199223, CVE-2022-27781) CERTINFO never-ending busy-loop
- (bsc#1199222, CVE-2022-27780) percent-encoded path separator in URL host
- (bsc#1199221, CVE-2022-27779) cookie for trailing dot TLD
- (bsc#1199220, CVE-2022-27778) removes wrong file on error
* Bugfixes:
- altsvc: fix host name matching for trailing dots
- cirrus: Update to FreeBSD 12.3
- cirrus: Use pip for Python packages on FreeBSD
- conn: fix typo 'connnection' -> 'connection' in two function names
- cookies: make bad_domain() not consider a trailing dot fine
- curl: free resource in error path
- curl: guard against size_t wraparound in no-clobber code
- CURLOPT_DOH_URL.3: mention the known bug
- CURLOPT_HSTS*FUNCTION.3: document the involved structs as well
- CURLOPT_SSH_AUTH_TYPES.3: fix the default
- data/test376: set a proper name
- GHA/mbedtls: enabled nghttp2 in the build
- gha: build msh3
- gskit: fixed bogus setsockopt calls
- gskit: remove unused function set_callback
- hsts: ignore trailing dots when comparing hosts names
- HTTP-COOKIES: add missing CURLOPT_COOKIESESSION
- http: move Curl_allow_auth_to_host()
- http_proxy/hyper: handle closed connections
- hyper: fix test 357
- Makefile: fix "make ca-firefox"
- mbedtls: bail out if rng init fails
- mbedtls: fix compile when h2-enabled
- mbedtls: fix some error messages
- misc: use "autoreconf -fi" instead of buildconf
- msh3: get msh3 version from MsH3Version
- msh3: print boolean value as text representation
- msh3: pass remote_port to MsH3ConnectionOpen
- ngtcp2: add ca-fallback support for OpenSSL backend
- nss: return error if seemingly stuck in a cert loop
- openssl: define HAVE_SSL_CTX_SET_EC_CURVES for libressl
- post_per_transfer: remove the updated file name
- sectransp: bail out if SSLSetPeerDomainName fails
- tests/server: declare variable 'reqlogfile' static
- tests: fix markdown formatting in README
- test{898,974,976}: add 'HTTP proxy' keywords
- tls: check more TLS details for connection reuse
- url: check SSH config match on connection reuse
- urlapi: address (harmless) UndefinedBehavior sanitizer warning
- urlapi: reject percent-decoding host name into separator bytes
- x509asn1: make do_pubkey handle EC public keys
- Patches rework:
* Refreshed all patches as -p1.
* Use autopatch macro.
* Renamed:
- dont-mess-with-rpmoptflags.diff -> dont-mess-with-rpmoptflags.patch
* Removed (already upstream):
- curl-fix-verifyhost.patch
- Update to 7.83.0:
* Security fixes:
- (bsc#1198766, CVE-2022-27776) Auth/cookie leak on redirect
- (bsc#1198723, CVE-2022-27775) Bad local IPv6 connection reuse
- (bsc#1198608, CVE-2022-27774) Credential leak on redirect
- (bsc#1198614, CVE-2022-22576) OAUTH2 bearer bypass in connection re-use
* Changes:
- curl: add %header{name} experimental support in -w handling
- curl: add %{header_json} experimental support in -w handling
- curl: add --no-clobber
- curl: add --remove-on-error
- header api: add curl_easy_header and curl_easy_nextheader
- msh3: add support for QUIC and HTTP/3 using msh3
* Bugfixes:
- appveyor: add Cygwin build
- appveyor: only add MSYS2 to PATH where required
- BearSSL: add CURLOPT_SSL_CIPHER_LIST support
- BearSSL: add CURLOPT_SSL_CTX_FUNCTION support
- BINDINGS.md: add Hollywood binding
- CI: Do not use buildconf. Instead, just use: autoreconf -fi
- CI: install Python package impacket to run SMB test 1451
- configure.ac: move -pthread CFLAGS setting back where it used to be
- configure: bump the copyright year range in the generated output
- conncache: include the zone id in the "bundle" hashkey
- connecache: remove duplicate connc->closure_handle check
- connect: make Curl_getconnectinfo work with conn cache from share handle
- connect: use TCP_KEEPALIVE only if TCP_KEEPIDLE is not defined
- cookie.d: clarify when cookies are sent
- cookies: improve errorhandling for reading cookiefile
- curl/system.h: update ifdef condition for MCST-LCC compiler
- curl: error out if -T and -d are used for the same URL
- curl: error out when options need features not present in libcurl
- curl: escape '?' in generated --libcurl code
- curl: fix segmentation fault for empty output file names.
- curl_easy_header: fix typos in documentation
- CURLINFO_PRIMARY_PORT.3: clarify which port this is
- CURLOPT*TLSAUTH.3: they only work with OpenSSL or GnuTLS
- CURLOPT_DISALLOW_USERNAME_IN_URL.3: use uppercase URL
- CURLOPT_PREQUOTE.3: only works for FTP file transfers, not dirs
- CURLOPT_PROGRESSFUNCTION.3: fix typo in example
- CURLOPT_UNRESTRICTED_AUTH.3: extended explanation
- CURLSHOPT_UNLOCKFUNC.3: fix the callback prototype
- docs/HYPER.md: updated to reflect current hyper build needs
- docs/opts: Mention Schannel client cert type is P12
- docs: Fix missing semicolon in example code
- docs: lots of minor language polish
- English: use American spelling consistently
- fail.d: tweak the description
- firefox-db2pem.sh: make the shell script safer
- ftp: fix error message for partial file upload
- gen.pl: change wording for mutexed options
- GHA: add openssl3 jobs moved over from zuul
- GHA: build hyper with nightly rustc
- GHA: move bearssl jobs over from zuul
- gha: move the event-based test over from Zuul
- gtls: fix build for disabled TLS-SRP
- http2: handle DONE called for the paused stream
- http2: RST the stream if we stop it on our own will
- http: avoid auth/cookie on redirects same host diff port
- http: close the stream (not connection) on time condition abort
- http: reject header contents with nul bytes
- http: return error on colon-less HTTP headers
- http: streamclose "already downloaded"
- hyper: fix status_line() return code
- hyper: fix tests 580 and 581 for hyper
- hyper: no h2c support
- infof: consistent capitalization of warning messages
- ipv4/6.d: clarify that they are about using IP addresses
- json.d: fix typo (overriden -> overridden)
- keepalive-time.d: It takes many probes to detect brokenness
- lib/warnless.[ch]: only check for WIN32 and ignore _WIN32
- lib670: avoid double check result
- lib: #ifdef on USE_HTTP2 better
- lib: fix some misuse of curlx_convert_wchar_to_UTF8
- lib: remove exclamation marks
- libssh2: compare sha256 strings case sensitively
- libssh2: make the md5 comparison fail if wrong length
- libssh: fix build with old libssh versions
- libssh: fix double close
- libssh: Improve fix for missing SSH_S_ stat macros
- libssh: unstick SFTP transfers when done event-based
- macos: set .plist version in autoconf
- mbedtls: remove 'protocols' array from backend when ALPN is not used
- mbedtls: remove server_fd from backend
- mk-ca-bundle.pl: Use stricter logic to process the certificates
- mk-ca-bundle.vbs: delete this script in favor of mk-ca-bundle.pl
- mlc_config.json: add file to ignore known troublesome URLs
- mqtt: better handling of TCP disconnect mid-message
- ngtcp2: add client certificate authentication for OpenSSL
- ngtcp2: avoid busy loop in low CWND situation
- ngtcp2: deal with sub-millisecond timeout
- ngtcp2: disconnect the QUIC connection proper
- ngtcp2: enlarge H3_SEND_SIZE
- ngtcp2: fix HTTP/3 upload stall and avoid busy loop
- ngtcp2: fix memory leak
- ngtcp2: fix QUIC_IDLE_TIMEOUT
- ngtcp2: make curl 1ms faster
- ngtcp2: remove remote_addr which is not used in a meaningful way
- ngtcp2: update to work after recent ngtcp2 updates
- ngtcp2: use token when detecting :status header field
- nonblock: restore setsockopt method to curlx_nonblock
- openssl: check SSL_get_peer_cert_chain return value
- openssl: enable CURLOPT_SSL_EC_CURVES with BoringSSL
- openssl: fix CN check error code
- options: remove mistaken space before paren in prototype
- perl: removed a double semicolon at end of line
- pop3/smtp: return *WEIRD_SERVER_REPLY when not understood
- projects/README: converted to markdown
- projects: Update VC version names for VS2017, VS2022
- rtsp: don't let CSeq error override earlier errors
- runtests: add 'bearssl' as testable feature
- runtests: make 'oldlibssh' be before 0.9.4
- schannel: remove dead code that will never run
- scripts/copyright.pl: ignore the new mlc_config.json file
- scripts: move three scripts from lib/ to scripts/
- test1135: sync with recent API updates
- test1459: disable for oldlibssh
- test375: fix line endings on Windows
- test386: Fix an incorrect test markup tag
- test718: edited slightly to return better HTTP
- tests/server/util.h: align WIN32 condition with util.c
- tests: refactor server/socksd.c to support --unix-socket
- timediff.[ch]: add curlx helper functions for timeval conversions
- tls: make mbedtls and NSS check for h2, not nghttp2
- tool and tests: force flush of all buffers at end of program
- tool_cb_hdr: Turn the Location: into a terminal hyperlink
- tool_getparam: error out on missing -K file
- tool_listhelp.c: uppercase URL
- tool_operate: fix a scan-build warning
- tool_paramhlp: use feof(3) to identify EOF correctly when using fread(3)
- transfer: redirects to other protocols or ports clear auth
- unit1620: call global_init before calling Curl_open
- url: check sasl additional parameters for connection reuse.
- vtls: provide a unified APLN-disagree string for all backends
- vtls: use a backend standard message for "ALPN: offers %s"
- vtls: use a generic "ALPN, server accepted" message
- winbuild/README.md: fixup dead link
- winbuild: Add a Visual Studio example to the README
- wolfssl: fix compiler error without IPv6
- Fix: openssl: fix CN check error code
* Add curl-fix-verifyhost.patch
- Update to 7.82.0:
* curl: add --json command line option
* curl: make it so that sensitive command line arguments do not
show as easily in the output of ps(1)
* curl_multi_socket.3: remove callback and typical usage descriptions
* ftp: provide error message for control bytes in path
* ldap: return CURLE_URL_MALFORMAT for bad URL
* lib: remove support for CURL_DOES_CONVERSIONS
* mqtt: plug some memory leaks
* multi: allow user callbacks to call curl_multi_assign
* multi: remember connection_id before returning connection to pool
* multi: set in_callback for multi interface callbacks
* netware: remove support
* ngtcp2: adapt to changed end of headers callback proto
* openldap: implement SASL authentication
* openssl: return error if TLS 1.3 is requested when not supported
* sectransp: mark a 3DES cipher as weak
* smb: pass socket for writing and reading data instead of FIRSTSOCKET
* tool_getparam: DNS options that need c-ares now fail without it
* TPF: drop support
* url: given a user in the URL, find pwd for that user in netrc
* url: keep trailing dot in host name
* urlapi: handle "redirects" smarter
* urldata: CONN_IS_PROXIED replaces bits.proxy when proxy can be disabled
* urldata: remove conn->bits.user_passwd
- update to 7.81.0:
* mime: use percent-escaping for multipart form field and file names
* asyn-ares: ares_getaddrinfo needs no happy eyeballs timer
* azure: make the "w/o HTTP/SMTP/IMAP" build disable SSL proper
* BINDINGS: add cURL client for PostgreSQL
* BINDINGS: add one from Everything curl and update a link
* checksrc: detect more kinds of NULL comparisons we avoid
* CI: build examples for additional code verification
* CI: bump job to use mbedtls 3.1.0
* cmake: don't set _USRDLL on a static Windows build
* cmake: prevent dev warning due to mismatched arg
* cmake: private identifiers use CURL_ instead of CMAKE_ prefix
* config.d: update documentation to match the path search
* configure: add -lm to configure for rustls build.
* configure: better diagnostics if hyper is built wrong
* configure: don't enable TLS when --without-* flags are used
* configure: fix runtime-lib detection on macOS
* curl.1: require "see also" for every documented option
* curl: improve error message for --head with -J
* curl_easy_cleanup.3: remove from multi handle first
* curl_easy_escape.3: call curl_easy_cleanup in example
* curl_easy_unescape.3: call curl_easy_cleanup in example
* curl_multi_init.3: fix EXAMPLE formatting
* curl_multi_perform/socket_action.3: clarify what errors mean
* curl_share_setopt.3: split out options into their own manpages
* CURLOPT_STDERR.3: does not work with libcurl as a win32 DLL
* digest: compute user:realm:pass digest w/o userhash
* docs/checksrc: Add documentation for STRERROR
* docs/cmdline-opts: do not say "protocols: all"
* docs/examples: workaround broken -Wno-pedantic-ms-format
* docs/HTTP3: describe how to setup a h3 reverse-proxy for testing
* docs/INSTALL.md: typo fix : added missing "get" verb
* docs/URL-SYNTAX.md: space is not fine in a given URL
* docs: add known bugs list to HTTP3.md
* docs: address proselint nits
* docs: consistent manpage SYNOPSIS
* docs: fix dead links, remove ECH.md
* docs: fix typo in OpenSSL 3 build instructions
* docs: Update the Reducing Size section
* example/progressfunc: remove code for old libcurls
* examples/multi-single.c: remove WAITMS()
* FAQ: typo fix : "yout" ➤ "your"
* ftp: disable warning 4706 in MSVC
* gen.pl: improve example output format
* github workflow: add wolfssl (removed from zuul)
* github/workflows: add mbedtls and mbedtls-clang (removed from zuul)
* gtls: check return code for gnutls_alpn_set_protocols
* hash: lazy-alloc the table in Curl_hash_add()
* http2:set_transfer_url() return early on OOM
* HTTP3: update quiche build instructions
* http: enable haproxy support for hyper backend
* http: Fix CURLOPT_HTTP200ALIASES
* http_proxy: don't close the socket (too early)
* insecure.d: detail its use for SFTP and SCP as well
* insecure.d: expand and clarify
* libcurl-multi.3: "SOCKS proxy handshakes" are not blocking
* libcurl-security.3: mention address and URL mitigations
* libssh2: fix error message for sha256 mismatch
* libtest: avoid "assignment within conditional expression"
* lift: ignore is a deprecated config option, use ignoreRules
* linkcheck.yml: add CI job that checks markdown links
* m4/curl-compilers: tell clang -Wno-pointer-bool-conversion
* Makefile.m32: rename -winssl option to -schannel and tidy up
* mbedTLS: add support for CURLOPT_CAINFO_BLOB
* mbedtls: fix CURLOPT_SSLCERT_BLOB
* mbedtls: fix private member designations for v3.1.0
* misc: remove unused doh flags when CURL_DISABLE_DOH is defined
* misc: s/e-mail/email
* multi: cleanup the socket hash when destroying it
* multi: handle errors returned from socket/timer callbacks
* multi: shut down CONNECT in Curl_detach_connnection
* netrc.d: edit the .netrc example to look nicer
* ngtcp2: verify the server cert on connect (quictls)
* ngtcp2: verify the server certificate for the gnutls case
* nss:set_cipher don't clobber the cipher list
* openldap: implement STARTTLS
* openldap: process search query response messages one by one
* openldap: several minor improvements
* openldap: simplify ldif generation code
* openssl: check the return value of BIO_new()
* openssl: define HAVE_OPENSSL_VERSION for OpenSSL 1.1.0+
* openssl: remove `RSA_METHOD_FLAG_NO_CHECK` handling if unavailable
* openssl: remove usage of deprecated `SSL_get_peer_certificate`
* openssl: use non-deprecated API to read key parameters
* page-footer: add a mention of how to report bugs to the man page
* page-footer: document more environment variables
* request.d: refer to 'method' rather than 'command'
* retry-all-errors.d: make the example complete
* runtests: make the SSH library a testable feature
* rustls: read of zero bytes might be okay
* rustls: remove comment about checking handshaking
* rustls: remove incorrect EOF check
* sha256/md5: return errors when init fails
* socks5: use appropriate ATYP for numerical IP address host names
* test1156: enable for hyper
* test1156: fixup the stdout check for Windows
* test1525: tweaked for hyper
* test1526: enable for hyper
* test1527: enable for hyper
* test1528: enable for hyper
* test1554: adjust for hyper
* test1556: adjust for hyper
* test302[12]: run only with the libssh2 backend
* test661: enable for hyper
* tests/CI.md: add more information on CI environments
* tests/data/test302[12]: fix MSYS2 path conversion of hostpubsha256
* tftp: mark protocol as not possible to do over CONNECT
* tool_findfile: updated search for a file in the homedir
* tool_operate: only set SSH related libcurl options for SSH URLs
* tool_operate: warn if too many output arguments were found
* url.c: fix the SIGPIPE comment for Curl_close
* url: check ssl_config when re-use proxy connection
* url: reduce ssl backend count for CURL_DISABLE_PROXY builds
* urlapi: accept port number zero
* urlapi: if possible, shorten given numerical IPv6 addresses
* urlapi: provide more detailed return codes
* urlapi: reject short file URLs
* version_win32: Check build number and platform id
* vtls/rustls: adapt to the updated rustls_version proto
* writeout: fix %{http_version} for HTTP/3
* x509asn1: return early on errors
* zuul.d: update rustls-ffi to version 0.8.2
* zuul: fix quiche build pointing to wrong Cargo
- Update to 7.80.0:
* Changes:
- CURLOPT_MAXLIFETIME_CONN: maximum allowed lifetime for conn reuse
- CURLOPT_PREREQFUNCTION: add new callback
- libssh2: add SHA256 fingerprint support
- urlapi: add curl_url_strerror()
* Bugfixes:
- aws-sigv4: make signature work when post data is binary
- c-hyper: don't abort CONNECT responses early when auth-in-progress
- c-hyper: make CURLOPT_SUPPRESS_CONNECT_HEADERS work
- cmake: add CURL_ENABLE_SSL option
- cmake: with OpenSSL, define OPENSSL_SUPPRESS_DEPRECATED
- configure.ac: replace krb5-config with pkg-config
- configure: when hyper is selected, deselect nghttp2
- curl-confopts.m4: remove --enable/disable-hidden-symbols
- curl-openssl.m4: modify library order for openssl linking
- curl_ntlm_core: use OpenSSL only if DES is available
- Curl_updateconninfo: store addresses for QUIC connections too
- ftp: make the MKD retry to retry once per directory
- http: fix Basic auth with empty name field in URL
- http: reject HTTP response codes < 100
- http: remove assert that breaks hyper
- http: set content length earlier
- imap: display quota information
- libssh2: Get the version at runtime if possible
- md5: fix compilation with OpenSSL 3.0 API
- ngtcp2: advertise h3 as well as h3-29
- ngtcp2: compile with the latest nghttp3
- ngtcp2: use latest QUIC TLS RFC9001
- NTLM: use DES_set_key_unchecked with OpenSSL
- openssl: if verifypeer is not requested, skip the CA loading
- openssl: with OpenSSL 1.1.0+ a failed RAND_status means goaway
- schannel: fix memory leak due to failed SSL connection
- sendf: accept zero-length data in Curl_client_write()
- sha256: use high-level EVP interface for OpenSSL
- sws: fix memory leak on exit
- tool_operate: a failed etag save now only fails that transfer
- url: check the return value of curl_url()
- url: set "k->size" -1 at start of request
- urlapi: skip a strlen(), pass in zero
- urlapi: URL decode percent-encoded host names
- vtls: Fix a memory leak if an SSL session cannot be added to the cache
- wolfssl: use for SHA256, MD4, MD5, and setting DES odd parity
* Use --with-openssl configure option, --with-ssl is now deprecated
- Update to 7.79.1:
* Bugfixes:
- Curl_http2_setup: don't change connection data on repeat invokes
- curl_multi_fdset: make FD_SET() not operate on sockets out of range
- dist: provide lib/.checksrc in the tarball
- FAQ: add GOPHERS + curl works on data, not files
- hsts: CURLSTS_FAIL from hsts read callback should fail transfer
- hsts: handle unlimited expiry
- http: fix the broken >3 digit response code detection
- strerror: use sys_errlist instead of strerror on Windows
- test1184: disable: https://github.com/curl/curl/issues/7725
- tests/sshserver.pl: make it work with openssh-8.7p1
- Temporarily disable flaky test 1184
* See https://github.com/curl/curl/issues/7725
- Update to 7.79.0: [bsc#1190213, CVE-2021-22945]
[bsc#1190373, CVE-2021-22946] [bsc#1190374, CVE-2021-22947]
* Changes:
- bearssl: support CURLOPT_CAINFO_BLOB
- http: consider cookies over localhost to be secure
- secure transport: support CURLINFO_CERTINFO
* Bugfixes:
- CVE-2021-22945: clear the leftovers pointer when sending succeeds
- CVE-2021-22946: do not ignore --ssl-reqd
- CVE-2021-22947: reject STARTTLS server response pipelining
- auth: do not append zero-terminator to authorisation id in kerberos
- auth: properly handle byte order in kerberos security message
- auth: use sasl authzid option in kerberos
- auth: we do not support a security layer after kerberos authentication
- c-hyper: deal with Expect: 100-continue combined with POSTFIELDS
- c-hyper: handle HTTP/1.1 => HTTP/1.0 downgrade on reused connection
- c-hyper: initial step for 100-continue support
- c-hyper: initial support for "dumping" 1xx HTTP responses
- curl-openssl.m4: show correct output for OpenSSL v3
- docs/MQTT: update state of username/password support
- docs: the security list is reached at security at curl.se now
- getparameter: fix the --local-port number parser
- hostip: Make Curl_ipv6works function independent of getaddrinfo
- http_proxy: fix the User-Agent inclusion in CONNECT
- http_proxy: fix user-agent and custom headers for CONNECT with hyper
- http_proxy: only wait for writable socket while sending request
- mailing lists: move from cool.haxx.se to lists.haxx.se
- mbedtls: avoid using a large buffer on the stack
- mbedTLS: initial 3.0.0 support
- ngtcp2: remove the acked_crypto_offset struct field init
- ngtcp2: replace deprecated functions with nghttp3_conn_shutdown_stream_read
- ngtcp2: reset the outstanding send buffer again when drained
- ngtcp2: rework the return value handling of ngtcp2_conn_writev_stream
- ngtcp2: stop buffering crypto data
- ngtcp2: utilize crypto API functions to simplify
- openssl: when creating a new context, there cannot be an old one
- scripts: invoke interpreters through /usr/bin/env
- tests/runtests.pl: cleanup copy&paste mistakes and unused code
- tests: be explicit about using 'python3' instead of 'python'
- tool/tests: fix potential year 2038 issues
- tool_operate: Fix --fail-early with parallel transfers
- x509asn1: fix heap over-read when parsing x509 certificates
* Rebase libcurl-ocloexec.patch
- Update to 7.78.0:
[bsc#1188217, CVE-2021-22922][bsc#1188218, CVE-2021-22923]
[bsc#1188219, CVE-2021-22924][bsc#1188220, CVE-2021-22925]
* Changes:
- curl_url_set: reject spaces in URLs w/o CURLU_ALLOW_SPACE
- CURLE_SETOPT_OPTION_SYNTAX: new error name for wrong setopt syntax
- hostip: make 'localhost' return fixed values
- mbedtls: add support for cert and key blob options
- metalink: remove all support for it
- mqtt: add support for username and password
* Bugfixes:
- ares: always store IPv6 addresses first
- c-hyper: abort CONNECT response reading early on non 2xx responses
- c-hyper: add support for transfer-encoding in the request
- c-hyper: bail on too long response headers
- c-hyper: clear NTLM auth buffer when request is issued
- c-hyper: fix NTLM on closed connection tested with test159
- conncache: lowercase the hash key for better match
- curl_multibyte: Remove local encoding fallbacks
- Curl_ntlm_core_mk_nt_hash: fix OOM in error path
- Curl_ssl_getsessionid: fail if no session cache exists
- easy: during upkeep, attach Curl_easy to connections in the cache
- gnutls: set the preferred TLS versions in correct order
- hsts: ignore numerical IP address hosts
- HSTS: not experimental anymore
- http2: init recvbuf struct for pushed streams
- http: fix crash in rate-limited upload
- http: make the haproxy support work with unix domain sockets
- http_proxy: deal with non-200 CONNECT response with Hyper
- lib: don't compare fd to FD_SETSIZE when using poll
- lib: fix compiler warnings with CURL_DISABLE_NETRC
- lib: fix type of len passed to *printf's %*s
- lib: more %u for port and int for %*s fixes
- lib: use %u instead of %ld for port number printf
- libssh2: limit time a disconnect can take to 1 second
- mqtt: detect illegal and too large file size
- msnprintf: return number of printed characters excluding null byte
- multi: add scan-build-6 work-around in curl_multi_fdset
- multi: alter transfer timeout ordering
- multi: do not switch off connect_only flag when closing
- multi: fix crash in curl_multi_wait / curl_multi_poll
- ngtcp2: disable TLSv1.3 compatible mode when using GnuTLS
- openssl: avoid static variable for seed flag
- openssl: don't remove session id entry in disassociate
- socketpair: fix potential hangs
- socks4: scan for the IPv4 address in resolve results
- ssl: read pending close notify alert before closing the connection
- telnet: fix option parser to not send uninitialized contents
- TLS: prevent shutdown loops to get stuck
- vtls: exit addsessionid if no cache is inited
- vtls: fix connection reuse checks for issuer cert and case sensitivity
- Update to 7.77.0: [bsc#1186114, CVE-2021-22898]
[bsc#1186115, bsc#1185579, CVE-2021-22901]
* Security fixes:
- CVE-2021-22297: schannel cipher selection surprise
- CVE-2021-22298: TELNET stack contents disclosure
- CVE-2021-22901: TLS session caching disaster
* Changes:
- configure: make the TLS library choice(s) explicit
- curl: ignore options asking for SSLv2 or SSLv3
- hsts: enable by default
- SSL: support in-memory CA certs for some backends
- vtls: refuse setting any SSL version
* Bugfixes:
- configure: provide --with-openssl, deprecate --with-ssl
- cookie: CURLOPT_COOKIEFILE set to NULL switches off cookies
- curl: include libmetalink version in --version output
- data_pending: check only SECONDARY socket for FTP(S) transfers
- gnutls: don't allow TLS 1.3 for versions that don't support it
- gnutls: make setting only the MAX TLS allowed version work
- http2: fix resource leaks in set_transfer_url() and push_promise()
- http: limit the initial send amount to used upload buffer size
- rustls: only return CURLE_AGAIN when TLS session is fully drained
- rustls: use ALPN
- schannel: Disable auto credentials; add an option to enable it
- schannel: Support strong crypto option
- sectransp: allow cipher name to be specified
- sockfilt: avoid getting stuck waiting for writable socket
- update to 7.76.1:
- ngtcp2: Use ALPN h3-29 for now
- TODO: remove 18.22 --fail-with-body
- Update to 7.76.0
* Security fixes:
- [bsc#1183933, CVE-2021-22876]: strip credentials from the
auto-referer header field
- [bsc#1183934, CVE-2021-22890]: add 'isproxy' argument to
Curl_ssl_get/addsessionid()
* Changes:
- cookies: Support multiple -b parameters
- curl: add --fail-with-body
- doh: add options to disable ssl verification
- http: add support to read and store the referrer header
- sasl: support SCRAM-SHA-1 and SCRAM-SHA-256 via libgsasl
- vtls: initial implementation of rustls backend
* Bugfixes:
- CVE-2021-22876: strip credentials from the auto-referer header field
- CVE-2021-22890: add 'isproxy' argument to Curl_ssl_get/addsessionid()
- c-hyper: support automatic content-encoding
- configure: only add OpenSSL paths if they are defined
- configure: provide Largefile feature for curl-config
- curl: set CURLOPT_NEW_FILE_PERMS if requested
- doh: Fix sharing user's resolve list with DOH handles
- doh: Inherit CURLOPT_STDERR from user's easy handle
- dynbuf: bump the max HTTP request to 1MB
- ftp: add 'list_only' to the transfer state struct
- ftp: add 'prefer_ascii' to the transfer state struct
- ftp: allow SIZE to fail when doing (resumed) upload
- ftp: avoid SIZE when asking for a TYPE A file
- ftp: fix memory leak in ftp_done
- ftp: never set data->set.ftp_append outside setopt
- gnutls: assume nettle crypto support
- http2: don't set KEEP_SEND when there's no more data to be sent
- http2: fail if connection terminated without END_STREAM
- http: do not add a referrer header with empty value
- http: strip default port from URL sent to proxy
- http: use credentials from transfer, not connection
- lib: remove 'conn->data' completely
- multi: close the connection when h2=>h1 downgrading
- multi: do once-per-transfer inits in before_perform in DID state
- multi: rename the multi transfer states
- multi: update pending list when removing handle
- ngtcp2: adapt to the new recv_datagram callback
- ngtcp2: clarify calculation precedence
- ngtcp2: sync with recent API updates
- openssl: adapt to v3's new const for a few API calls
- openssl: ensure to check SSL_CTX_set_alpn_protos return values
- openssl: remove get_ssl_version_txt in favor of SSL_get_version
- parse_proxy: fix a memory leak in the OOM path
- url: fix memory leak if OOM in the HSTS handling
- url: fix possible use-after-free in default protocol
- urldata: don't touch data->set.httpversion at run-time
- urldata: merge "struct DynamicStatic" into "struct UrlState"
- urldata: remove the 'rtspversion' field
- urldata: remove the _ORIG suffix from string names
- wolfssl: don't store a NULL sessionid
- Harden build, enable full RELRO
- Never allow undefined symbols anywhere.
- Update to 7.75.0
* Changes:
- curl: add --create-file-mode [mode]
- curl: add new variables to --write-out
- dns: extend CURLOPT_RESOLVE syntax for adding non-permanent entries
- gopher: implement secure gopher protocol
- http: add Hyper as new optional HTTP backend
- http: introduce AWS HTTP v4 Signature support
* Bugfixes:
- cmake: Add an option to disable libidn2
- cmake: enable gophers correctly in curl-config
- cmake: expose CURL_DISABLE_OPENSSL_AUTO_LOAD_CONFIG
- digest_sspi: Show InitializeSecurityContext errors in verbose mode
- getinfo: build with disabled HTTP support
- http: get CURLOPT_REQUEST_TARGET working with a HTTP proxy
- http_proxy: Fix CONNECT chunked encoding race condition
- httpauth: make multi-request auth work with custom port
- lib: pass in 'struct Curl_easy *' to most functions
- lib: remove Curl_ prefix from many static functions
- lib: save a bit of space with some structure packing
- libssh: avoid plain free() of libssh-memory
- mime: make sure setting MIMEPOST to NULL resets properly
- multi_runsingle: bail out early on data->conn == NULL
- ngtcp2: Fix http3 upload stall
- ngtcp2: Fix stack buffer overflow
- openssl: lowercase the hostname before using it for SNI
- socks: use the download buffer instead
- speedcheck: exclude paused transfers
- tool_writeout: fix the -w time output units
- url: if IDNA conversion fails, fallback to Transitional
- Refresh libcurl-ocloexec.patch
- Enable zstd and brotli support
- Update to 7.74.0
* Changes:
- hsts: add experimental support for Strict-Transport-Security
* Bugfixes:
- Inferior OCSP verification [bsc#1179593, CVE-2020-8286]
- FTP wildcard stack overflow [bsc#1179399, CVE-2020-8285]
- trusting FTP PASV responses [bsc#1179398, CVE-2020-8284]
- Revert "multi: implement wait using winsock events"
- openssl: free mem_buf in error path
- ntlm: avoid malloc(0) on zero length user and domain
- ngtcp2: use the minimal version of QUIC supported by ngtcp2
- ngtcp2: advertise h3 ALPN unconditionally
- file: avoid duplicated code sequence
- openssl: guard against OOM on context creation
- docs: document the 8MB input string limit for curl_easy_escape
and curl_easy_setopt()
- hsts: add read/write callbacks
- hsts: add support for Strict-Transport-Security
- alt-svc: enable by default
- checksrc: warn on empty line before open brace
- connect: repair build without ipv6 availability
- curl.se: new home
- ftp: retry getpeername for FTP with TCP_FASTOPEN
- gnutls: fix memory leaks (certfields memory wasn't released)
- http: pass correct header size to debug callback for chunked post
- libssh2: fix transport over HTTPS proxy
- openssl: guard against OOM on context creation
- openssl: use OPENSSL_init_ssl() with >= 1.1.0
- Revert "multi: implement wait using winsock events"
- socks: check for DNS entries with the right port number
- tool_operate: --retry for HTTP 408 responses too
- tool_operate: bail out proper on errors during parallel transfers
- urlapi: don't accept blank port number field without scheme
- urlapi: URL encode a '+' in the query part
- vquic/ngtcp2.h: define local_addr as sockaddr_storage
- Update check section:
* runtests now supports dynamically base64 encoded sections in tests
* Replace env interpreter for perl and python3
- Remove curl-use_OPENSSL_config.patch since the OpenSSL initialization
has been updated to use OPENSSL_init_ssl() with >= 1.1.0
- Update patches to fix compiling warnings:
* curl-disabled-redirect-protocol-message.patch
* libcurl-ocloexec.patch
- Enable test 1165
- Update to 7.73.0
* Changes:
- curl: add --output-dir
- curl: support XDG_CONFIG_HOME to find .curlrc
- curl: update --help with categories
- curl_easy_option_*: new API for meta-data about easy options
- CURLE_PROXY: new error code
- mqtt: enable by default
- sftp: add new quote commands 'atime' and 'mtime'
- ssh: add the option CURLKHSTAT_FINE_REPLACE
- tls: add CURLOPT_SSL_EC_CURVES and --curves
* Bugfixes:
- base64: also build for smtp, pop3 and imap
- cleanups: avoid curl_ on local variables
- configure: let --enable-debug set -Wenum-conversion with gcc >= 10
- conn: check for connection being dead before reuse
- curl: in retry output don't call all problems "transient"
- curl: make checkpasswd, file2memory, file2string and
glob_match_url use dynbuf
- curl: retry delays in parallel mode no longer sleeps blocking
- curl: use curlx_dynbuf for realloc when loading config files
- curl:parallel_transfers: make sure retry readds the transfer
- curl_get_line: build only if cookies or alt-svc are enabled
- Curl_pgrsTime - return new time to avoid timeout integer overflow
- Curl_send: return error when pre_receive_plain can't malloc
- dynbuf: make sure Curl_dyn_tail() zero terminates
- etag: save and use the full received contents
- ftp: a 550 response to SIZE returns CURLE_REMOTE_FILE_NOT_FOUND
- ftp: avoid risk of reading uninitialized integers
- ftp: get rid of the PPSENDF macro
- ftp: make a 552 response return CURLE_REMOTE_DISK_FULL
- ftp: separate FTPS from FTP over "HTTPS proxy"
- HTTP/3: update to OpenSSL_1_1_1g-quic-draft-29
- http: consolidate nghttp2_session_mem_recv() call paths
- http_proxy: do not count proxy headers in the header bytecount
- http_proxy: do not crash with HTTPS_PROXY and NO_PROXY set
- imap: make imap_send use dynbuf for the send buffer management
- imap: set cselect_bits to CURL_CSELECT_IN initially
- lib1560: verify "redirect" to double-slash leading URL
- lib: make Curl_gethostname accept a const pointer
- libssh2: handle the SSH protocols done over HTTPS proxy
- libssh2: pass on the error from ssh_force_knownhost_key_type
- memdebug: remove 9 year old unused debug function
- multi: expand pre-check for socket readiness
- ngtcp2: adapt to new NGTCP2_PROTO_VER_MAX define
- ngtcp2: adapt to the new pkt_info arguments
- openssl: avoid error conditions when importing native CA
- openssl: consider ALERT_CERTIFICATE_EXPIRED a failed verification
- parsedate: tune the date to epoch conversion
- pause: only trigger a reread if the unpause sticks
- pingpong: use a dynbuf for the *_pp_sendf() function
- runtests: allow creating files without newlines
- runtests: allow generating a binary sequence from hex
- runtests: clear pid variables when failing to start a server
- schannel: fix memory leak when using get_cert_location
- schannel: return CURLE_PEER_FAILED_VERIFICATION for untrusted root
- sectransp: make it build with --disable-proxy
- select.h: make socket validation macros test for INVALID_SOCKET
- select: align poll emulation to return all relevant events
- select: fix poll-based check not detecting connect failure
- select: simplify return code handling for poll and select
- setopt: if the buffer exists, refuse the new BUFFERSIZE
- setopt: return CURLE_BAD_FUNCTION_ARGUMENT on bad argument
- socketpair: allow CURL_DISABLE_SOCKETPAIR
- sockfilt: handle FD_CLOSE winsock event on write socket
- symbian: drop support
- tests: remove pipelining tests
- tls: fix SRP detection by using the proper #ifdefs
- tls: provide the CApath verbose log on its own line
- tool_setopt: escape binary data to hex, not octal
- url: use blank credentials when using proxy w/o username and password
- urlapi: use more Curl_safefree
- vtls: deduplicate client certificates in ssl_config_data
- Update to 7.72.0 [bsc#1175109, CVE-2020-8231]
* Changes:
- content_encoding: add zstd decoding support
- CURL_PUSH_ERROROUT: allow the push callback to fail the parent stream
- CURLINFO_EFFECTIVE_METHOD: added
* Bugfixes:
- CVE-2020-8231: libcurl: wrong connect-only connection
- curl-config: ignore REQUIRE_LIB_DEPS in --libs output
- curl: improve the existing file check with -J
- curl_multi_setopt: fix compiler warning "result is always false"
- curl_version_info.3: CURL_VERSION_KERBEROS4 is deprecated
- docs: Add video link to docs/CONTRIBUTE.md
- docs: clarify MAX_SEND/RECV_SPEED functionality
- ftp: don't do ssl_shutdown instead of ssl_close
- ftpserver: don't verify SMTP MAIL FROM names
- getinfo: reset retry-after value in initinfo
- gnutls: repair the build with 'CURL_DISABLE_PROXY'
- gtls: survive not being able to get name/issuer
- h2: repair trailer handling
- http2: close the http2 connection when no more requests may be sent
- http2: fix nghttp2_strerror -> nghttp2_http2_strerror in debug messages
- libssh2: s/ssherr/sftperr/
- mprintf: Fix dollar string handling
- mprintf: Fix stack overflows
- multi_remove_handle: close unused connect-only connections
- ngtcp2: adapt to error code rename
- ngtcp2: adjust to recent sockaddr updates
- ngtcp2: update to modified qlog callback prototype
- ntlm: free target_info before (re-)malloc
- page-header: provide protocol details in the curl.1 man page
- quiche: handle calling disconnect twice
- setopt: unset NOBODY switches to GET if still HEAD
- smtp_parse_address: handle blank input string properly
- socks: use size_t for size variable
- tls-max.d: this option is only for TLS-using connections
- tlsv1.3.d: only for TLS-using connections
- tool_getparam: make --krb option work again
- transfer: fix data_pending for builds with both h2 and h3 enabled
- transfer: fix memory-leak with CURLOPT_CURLU in a duped handle
- transfer: move retrycount from connect struct to easy handle
- url: fix CURLU and location following
- Update to 7.71.1
* Bugfixes:
- Curl_inet_ntop: always check the return code
- CURLOPT_READFUNCTION.3: provide the upload data size up front
- escape: make the URL decode able to reject only %00-bytes
- escape: zero length input should return a zero length output
- examples/multithread.c: call curl_global_cleanup()
- http2: set the correct URL in pushed transfers
- http: fix proxy auth with blank password
- mbedtls: fix build with disabled proxy support
- ngtcp2: sync with current master
- Revert "multi: implement wait using winsock events"
- sendf: improve the message on client write errors
- terminology: call them null-terminated strings
- tool_cb_hdr: Fix etag warning output and return code
- url: allow user + password to contain "control codes" for HTTP(S)
- vtls: compare cert blob when finding a connection to reuse
- Update to 7.71.0 [bsc#1173026, CVE-2020-8169][bsc#1173027, CVE-2020-8177]
* Changes:
- CURLOPT_SSL_OPTIONS: optional use of Windows' CA store (with openssl)
- setopt: add CURLOPT_PROXY_ISSUERCERT(_BLOB) for coherency
- setopt: support certificate options in memory with struct curl_blob
- tool: Add option --retry-all-errors to retry on any error
* Bugfixes:
- *_sspi: fix bad uses of CURLE_NOT_BUILT_IN
- altsvc: bump to h3-29
- altsvc: fix 'dsthost' may be used uninitialized in this function
- altsvc: fix parser for lines ending with CRLF
- altsvc: remove the num field from the altsvc struct
- asyn-*: remove support for never-used NULL entry pointers
- azure: use matrix strategy to avoid configuration redundancy
- build: disable more code/data when built without proxy support
- buildconf: remove -print from the find command that removes files
- checksrc: enhance the ASTERISKSPACE and update code accordingly
- cirrus: disable SFTP and SCP tests
- CMake: add ENABLE_ALT_SVC option
- CMake: add HTTP/3 support (ngtcp2+nghttp3, quiche)
- CMake: add libssh build support
- configure: fix pthread check with static boringssl
- configure: for wolfSSL, check for the DES func needed for NTLM
- configure: only strip first -L from LDFLAGS
- configure: repair the check if argv can be written to
- configure: the wolfssh backend does not provide SCP
- connect: improve happy eyeballs handling
- connect: make happy eyeballs work for QUIC (again)
- curl: remove -J "informational" written on stdout
- Curl_addrinfo: use one malloc instead of three
- dynbuf: introduce internal generic dynamic buffer functions
- easy: fix dangling pointer on easy_perform fail
- examples/ephiperfifo: turn off interval when setting timerfd
- examples/http2-down/upload: add error checks
- FILEFORMAT: add more features that tests can depend on
- FILEFORMAT: describe verify/stderr
- ftp: make domore_getsock() return the secondary socket properly
- ftp: mark return-ignoring calls to Curl_GetFTPResponse with (void)
- ftp: shut down the secondary connection properly when SSL is used
- GnuTLS: Backend support for CURLINFO_SSL_VERIFYRESULT
- hostip: make Curl_printable_address not return anything
- http2: keep trying to send pending frames after req.upload_done
- http2: simplify and clean up trailer handling
- http: move header storage to Curl_easy from connectdata
- libssh2: improved error output for wrong quote syntax
- libssh2: keep sftp errors as 'unsigned long'
- libssh2: set the expected total size in SCP upload init
- multi: add defensive check on data->multi->num_alive
- multi: implement wait using winsock events
- ngtcp2: cleanup memory when failing to connect
- ngtcp2: fix build with current ngtcp2 master implementing draft 28
- ngtcp2: fix happy eyeballs quic connect crash
- ngtcp2: introduce qlog support
- ngtcp2: never call fprintf() in lib code in release version
- ngtcp2: update with recent API changes
- ntlm: enable NTLM support with wolfSSL
- OpenSSL: have CURLOPT_CRLFILE imply CURLSSLOPT_NO_PARTIALCHAIN
- openssl: set FLAG_TRUSTED_FIRST unconditionally
- projects: Add crypt32.lib to dependencies for all OpenSSL configs
- quiche: clean up memory properly when failing to connect
- quiche: enable qlog output
- quiche: update SSLKEYLOGFILE support
- Revert "ssh: ignore timeouts during disconnect"
- select: fix overflow protection in Curl_socket_check
- sendf: make failf() use the mvsnprintf() return code
- server/sws: fix asan warning on use of uninitialized variable
- server/util: fix logmsg format using curl_off_t argument
- sha256: fixed potentially uninitialized variable
- share: do not set the share flag if something fails
- sockfilt: make select_ws stop waiting on exit signal event
- socks: detect connection close during handshake
- socks: fix expected length of SOCKS5 reply
- socks: remove unreachable breaks in socks.c and mime.c
- source cleanup: remove all custom typedef structs
- timeouts: change millisecond timeouts to timediff_t from time_t
- timeouts: move ms timeouts to timediff_t from int and long
- tool_cfgable: free login_options at exit
- tool_getparam: -i is not OK if -J is used
- tool_getparam: fix memory leak in parse_args
- tool_operate: fixed potentially uninitialized variables
- tool_paramhlp: fixed potentially uninitialized strtol() variable
- transfer: close connection after excess data has been read
- typecheck-gcc.h: CURLINFO_PRIVATE does not need a 'char *'
- unit1604.c: fix implicit conv from 'SANITIZEcode' to 'CURLcode'
- url: accept "any length" credentials for proxy auth
- url: alloc the download buffer at transfer start
- url: make the updated credentials URL-encoded in the URL
- url: reject too long input when parsing credentials
- url: sort the protocol schemes in rough popularity order
- urlapi: accept :: as a valid IPv6 address
- urldata: leave the HTTP method untouched in the set.* struct
- urlglob: treat literal IPv6 addresses with zone IDs as a host name
- user-agent.d: spell out what happens given a blank argument
- vauth/cleartext: fix theoretical integer overflow
- version.d: expanded and alpha-sorted
- vtls: Extract and simplify key log file handling from OpenSSL
- wolfssl: add SSLKEYLOGFILE support
- wording: avoid blacklist/whitelist stereotypes
- write-out.d: added "response_code"
- Change with-gssapi configure parameter: krb5 is changing location
in the future: ask krb5-config about the correct prefix values.
- Update to 7.70.0
* Changes:
- curl: add --ssl-revoke-best-effort to allow a "best effort" revocation check
- mqtt: add new experimental protocol
- schannel: add "best effort" revocation check option: CURLSSLOPT_REVOKE_BEST_EFFORT
- writeout: support to generate JSON output with '%{json}'
* Bugfixes:
- gnutls: Don't skip really long certificate fields
- gnutls: ensure TLS 1.3 when SRP isn't requested
- lib: never define CURL_CA_BUNDLE with a getenv
- libcurl-multi.3: added missing full stop
- libssh: avoid options override by configuration files
- libssh: Use new ECDSA key types to check known hosts
- tons of other fixes
- Update to 7.69.1
* Bugfixes:
- ares: store dns parameters for duphandle
- cirrus-ci: disable the FreeBSD 13 builds
- curl_share_setopt.3: Note sharing cookies doesn't enable the engine
- lib1564: reduce number of mid-wait wakeup calls
- libssh: Fix matching user-specified MD5 hex key
- MANUAL: update a dict-using command line
- mime: do not perform more than one read in a row
- mime: fix the binary encoder to handle large data properly
- mime: latch last read callback status
- multi: skip EINTR check on wakeup socket if it was closed
- pause: bail out on bad input
- pause: force a connection recheck after unpausing (take 2)
- pause: return early for calls that don't change pause state
- runtests.1: rephrase how to specify what tests to run
- runtests: fix missing use of exe_ext helper function
- seek: fix fall back for missing ftruncate on Windows
- sftp: fix segfault regression introduced by #4747 in 7.69.0
- sha256: Added SecureTransport implementation
- sha256: Added WinCrypt implementation
- socks4: fix host resolve regression
- socks5: host name resolv regression fix
- tests/server: fix missing use of exe_ext helper function
- tests: fix static ip:port instead of dynamic values being used
- tests: make sleeping portable by avoiding select
- unit1612: fix the inclusion and compilation of the HMAC unit test
- urldata: remove the 'stream_was_rewound' connectdata struct member
- version: make curl_version* thread-safe without using global context
- ignore_runtests_failure.patch: remove, no longer needed
- Update to 7.69.0
* Changes:
- polarssl: removed
- smtp: add CURLOPT_MAIL_RCPT_ALLLOWFAILS and --mail-rcpt-allowfails
- wolfSSH: new SSH backend
* Bugfixes:
- altsvc: improved header parser
- altsvc: keep a copy of the file name to survive handle reset
- altsvc: make saving the cache an atomic operation
- altsvc: use h3-27
- azure: disable brotli on the macos debug-builds
- build: remove all HAVE_OPENSSL_ENGINE_H defines
- cleanup: fix several comment typos
- cleanup: fix typos and wording in docs and comments
- cmake: add support for CMAKE_LTO option
- cmake: clean up and improve build procedures
- cmake: Show HTTPS-proxy in the features output
- cmake: use check_symbol_exists also for inet_pton
- configure.ac: fix comments about --with-quiche
- configure: disable metalink if mbedTLS is specified
- configure: disable metalink support for incompatible SSL/TLS
- conn: do not reuse connection if SOCKS proxy credentials differ
- conncache: removed unused Curl_conncache_bundle_size()
- connect: remove some spurious infof() calls
- connection reuse: respect the max_concurrent_streams limits
- cookie: check __Secure- and __Host- case sensitively
- cookies: make saving atomic with a rename
- create-dirs.d: mention the mode
- curl: avoid using strlen for testing if a string is empty
- curl: error on --alt-svc use w/o support
- curl: let -D merge headers in one file again
- curl: make #0 not output the full URL
- curl: make the -# spaceship bar not wrap the line
- curl: remove 'config' field from OutStruct
- curl:progressbarinit: ignore column width from terminals < 20
- curl_escape.3: add a link to curl_free
- curl_getenv.3: fix the memory handling description
- curl_global_init: assume the EINTR bit by default
- curl_global_init: move the IPv6 works status bool to multi handle
- CURLINFO_COOKIELIST.3: Fix example
- CURLOPT_ALTSVC_CTRL.3: fix the DEFAULT wording
- CURLOPT_PROXY_SSL_OPTIONS.3: Sync with CURLOPT_SSL_OPTIONS.3
- CURLOPT_REDIR_PROTOCOLS.3: update the DEFAULT section
- data.d: remove "Multiple files can also be specified"
- digest: do not quote algorithm in HTTP authorisation
- docs/HTTP3: add --enable-alt-svc to curl's configure
- docs/HTTP3: update the OpenSSL branch to use for ngtcp2
- docs: fix typo on CURLINFO_RETRY_AFTER
- easy: remove dead code
- form.d: fix two minor typos
- ftp: convert 'sock_accepted' to a plain boolean
- ftp: remove superfluous checking for crlf in user or pwd
- ftp: shrink temp buffers used for PORT
- github: Instructions to post "uname -a" on Unix systems in issues
- GnuTLS: always send client cert
- gtls: fixed compilation when using GnuTLS < 3.5.0
- hostip: move code to resolve IP address literals to 'Curl_resolv'
- HTTP-COOKIES: describe the cookie file format
- HTTP-COOKIES: mention that a trailing newline is required
- http2: make pausing/unpausing set/clear local stream window
- http2: now requires nghttp2 >= 1.12.0
- http: added 417 response treatment
- http: increase EXPECT_100_THRESHOLD to 1Mb
- http: mark POSTs with no body as "upload done" from the start
- http: move "oauth_bearer" from connectdata to Curl_easy
- include: remove non-curl prefixed defines
- KNOWN_BUGS: Multiple methods in a single WWW-Authenticate: header
- libssh2: add support for forcing a hostkey type
- libssh2: fix variable type
- libssh: improve known hosts handling
- llist: removed unused Curl_llist_move()
- location.d: the method change is from POST to GET only
- md4: fixed compilation issues when using GNU TLS gcrypt
- md4: use init/update/final functions in Secure Transport
- md5: added implementation for mbedTLS
- mk-ca-bundle: add support for CKA_NSS_SERVER_DISTRUST_AFTER
- multi: change curl_multi_wait/poll to error on negative timeout
- multi: fix outdated comment
- multi: if Curl_readwrite sets 'comeback' use expire, not loop
- multi_done: if multiplexed, make conn->data point to another transfer
- multi_wait: stop loop when sread() returns zero
- ngtcp2: add error code for QUIC connection errors
- ngtcp2: fixed to only use AF_INET6 when ENABLE_IPV6
- ngtcp2: update to git master and its draft-25 support
- ntlm: removed the dependency on the TLS libraries when using MD5
- ntlm_wb: use Curl_socketpair() for greater portability
- oauth2-bearer.d: works for HTTP too
- openssl: make CURLINFO_CERTINFO not truncate x509v3 fields
- openssl: remove redundant assignment
- os400: fixed the build
- pause: force-drain the transfer on unpause
- quiche: update to draft-25
- README: mention that the docs is in docs/
- runtests: make random seed fixed for a month
- runtests: restore the command log
- schannel_verify: Fix alt names manual verify for UNICODE builds
- sha256: use crypto implementations when available
- singleuse.pl: support new API functions, fix curl_dbg_ handling
- smtp: support the SMTPUTF8 extension
- smtp: support UTF-8 based host names in MAIL FROM
- SOCKS: make the connect phase non-blocking
- strcase: turn Curl_raw_tolower into static
- strerror: increase STRERROR_LEN 128 -> 256
- test1323: added missing 'unit test' feature requirement
- tests: add a unit test for MD4 digest generation
- tests: add a unit test for SHA256 digest generation
- tests: add a unit test for the HMAC hash generation
- tests: deduce the tool name from the test case for unit tests
- tests: fix Python 3 compatibility of smbserver.py
- tool_dirhie: allow directory traversal during creation
- tool_homedir: change GetEnv() to use libcurl's curl_getenv()
- url: include the failure reason when curl_win32_idn_to_ascii() fails
- urlapi: guess scheme properly with credentials given
- urldata: do string enums without #ifdefs for build scripts
- vtls: refactor Curl_multissl_version to make the code clearer
- Refresh patches:
* curl-secure-getenv.patch
* libcurl-ocloexec.patch
- Eliminate curl-mini: The reason for this to exist was that cmake
pulled in curl into too many places, causing build cycles. A new
cmake-mini was generated, eliminating that need.
- Update to 7.68.0
* Changes:
- TLS: add BearSSL vtls implementation
- XFERINFOFUNCTION: support CURL_PROGRESSFUNC_CONTINUE
- curl: add --etag-compare and --etag-save
- curl: add --parallel-immediate
- multi: add curl_multi_wakeup()
- openssl: CURLSSLOPT_NO_PARTIALCHAIN can disable partial cert chains
* Bugfixes:
- CVE-2019-15601: file: on Windows, refuse paths that start with /
- Azure Pipelines: add several builds
- CMake: add support for building with the NSS vtls backend
- CURL-DISABLE: initial docs for the CURL_DISABLE_* defines
- CURLOPT_HEADERFUNCTION.3: Document that size is always 1
- CURLOPT_QUOTE.3: fix typos
- CURLOPT_READFUNCTION.3: fix the example
- CURLOPT_URL.3: "curl supports SMB version 1 (only)"
- CURLOPT_VERBOSE.3: see also ERRORBUFFER
- HISTORY: added cmake, HTTP/3 and parallel downloads with curl
- HISTORY: the SMB(S) support landed in 2014
- INSTALL.md: provide Android build instructions
- KNOWN_BUGS: Connection information when using TCP Fast Open
- KNOWN_BUGS: LDAP on Windows doesn't work correctly
- KNOWN_BUGS: TLS session cache doesn't work with TFO
- OPENSOCKETFUNCTION.3: correct the purpose description
- TrackMemory tests: always remove CR before LF
- altsvc: bump to h3-24
- altsvc: make the save function ignore NULL filenames
- build: Disable Visual Studio warning "conditional expression is constant"
- build: fix for CURL_DISABLE_DOH
- checksrc.bat: Add a check for vquic and vssh directories
- checksrc: repair the copyrightyear check
- cirrus-ci: enable clang sanitizers on freebsd 13
- cirrus: Drop the FreeBSD 10.4 build
- config-win32: cpu-machine-OS for Windows on ARM
- configure: avoid unportable `==' test(1) operator
- configure: enable IPv6 support without `getaddrinfo`
- configure: fix typo in help text
- conncache: CONNECT_ONLY connections assumed always in-use
- conncache: fix multi-thread use of shared connection cache
- copyrights: fix copyright year range
- create_conn: prefer multiplexing to using new connections
- curl -w: handle a blank input file correctly
- curl.h: add two missing defines for "pre ISO C" compilers
- curl/parseconfig: fix mem-leak
- curl/parseconfig: use curl_free() to free memory allocated by libcurl
- curl: cleanup multi handle on failure
- curl: fix --upload-file . hangs if delay in STDIN
- curl: fix -T globbing
- curl: improved cleanup in upload error path
- curl: make a few char pointers point to const char instead
- curl: properly free mimepost data
- curl: show better error message when no homedir is found
- curl: show error for --http3 if libcurl lacks support
- curl_setup_once: consistently use WHILE_FALSE in macros
- define: remove HAVE_ENGINE_LOAD_BUILTIN_ENGINES, not used anymore
- docs: Change 'experiemental' to 'experimental'
- docs: TLS SRP doesn't work with TLS 1.3
- docs: fix several typos
- docs: mention CURL_MAX_INPUT_LENGTH restrictions
- doh: improved both encoding and decoding
- doh: make it behave when built without proxy support
- examples/postinmemory.c: Call curl_global_cleanup always
- examples/url2file.c: corrected erroneous comment
- examples: add multi-poll.c
- global_init: undo the "intialized" bump in case of failure
- hostip: suppress compiler warning
- http_ntlm: Remove duplicate NSS initialisation
- lib: Move lib/ssh.h -> lib/vssh/ssh.h
- lib: fix compiler warnings with `CURL_DISABLE_VERBOSE_STRINGS`
- lib: fix warnings found when porting to NuttX
- lib: remove ASSIGNWITHINCONDITION exceptions, use our code style
- lib: remove erroneous +x file permission on some c files
- libssh2: add support for ECDSA and ed25519 knownhost keys
- multi.h: remove INITIAL_MAX_CONCURRENT_STREAMS from public header
- multi: free sockhash on OOM
- multi_poll: avoid busy-loop when called without easy handles attached
- ngtcp2: Support the latest update key callback type
- ngtcp2: fix thread-safety bug in error-handling
- ngtcp2: free used resources on disconnect
- ngtcp2: handle key updates as ngtcp2 master branch tells us
- ngtcp2: increase QUIC window size when data is consumed
- ngtcp2: use overflow buffer for extra HTTP/3 data
- ntlm: USE_WIN32_CRYPTO check removed to get USE_NTLM2SESSION set
- ntlm_wb: fix double-free in OOM
- openssl: Revert to less sensitivity for SYSCALL errors
- openssl: improve error message for SYSCALL during connect
- openssl: prevent recursive function calls from ctx callbacks
- openssl: retrieve reported LibreSSL version at runtime
- openssl: set X509_V_FLAG_PARTIAL_CHAIN by default
- parsedate: offer a getdate_capped() alternative
- pause: avoid updating socket if done was already called
- projects: Fix Visual Studio projects SSH builds
- projects: Fix Visual Studio wolfSSL configurations
- quiche: reject HTTP/3 headers in the wrong order
- remove_handle: clear expire timers after multi_done()
- runtests: --repeat=[num] to repeat tests
- runtests: introduce --shallow to reduce huge torture tests
- schannel: fix --tls-max for when min is --tlsv1 or default
- setopt: Fix ALPN / NPN user option when built without HTTP2
- strerror: Add Curl_winapi_strerror for Win API specific errors
- strerror: Fix an error looking up some Windows error strings
- strerror: Fix compiler warning "empty expression"
- system.h: fix for MCST lcc compiler
- test/sws: search for "Testno:" header unconditionally if no testno
- test1175: verify symbols-in-versions and libcurl-errors.3 in sync
- test1270: a basic -w redirect_url test
- test1456: remove the use of a fixed local port number
- test1558: use double slash after file:
- test1560: require IPv6 for IPv6 aware URL parsing
- tests/lib1557: fix mem-leak in OOM
- tests/lib1559: fix mem-leak in OOM
- tests/lib1591: free memory properly on OOM, in the trailers callback
- tests/unit1607: fix mem-leak in OOM
- tests/unit1609: fix mem-leak in OOM
- tests/unit1620: fix bad free in OOM
- tests: Change NTLM tests to require SSL
- tests: Fix bounce requests with truncated writes
- tests: fix build with `CURL_DISABLE_DOH`
- tests: fix permissions of ssh keys in WSL
- tests: make it possible to set executable extensions
- tests: make sure checksrc runs on header files too
- tests: set LC_ALL=en_US.UTF-8 instead of blank in several tests
- tests: use DoH feature for DoH tests
- tests: use rn for log messages in WSL
- tool_operate: fix mem leak when failed config parse
- travis: Fix error detection
- travis: abandon coveralls, it is not reliable
- travis: build ngtcp2 with --enable-lib-only
- travis: export the CC/CXX variables when set
- vtls: make BearSSL possible to set with CURL_SSL_BACKEND
- winbuild: Define CARES_STATICLIB when WITH_CARES=static
- winbuild: Document CURL_STATICLIB requirement for static libcurl
- Remove curl-expire-clear.patch
- Fix segfault in zypper ref: [bsc#1156481]
* remove_handle: clear expire timers after multi_done()
* Add patch curl-expire-clear.patch
- Update spec file with spec-cleaner
- Update to 7.67.0
* Changes:
- curl: added --no-progress-meter
- setopt: CURLMOPT_MAX_CONCURRENT_STREAMS is new
- urlapi: CURLU_NO_AUTHORITY allows empty authority/host part
* Bugfixes:
- BINDINGS: five new bindings added
- CURLOPT_TIMEOUT.3: Clarify transfer timeout time includes queue time
- CURLOPT_TIMEOUT.3: remove the mention of "minutes"
- ESNI: initial build/setup support
- FTP: FTPFILE_NOCWD: avoid redundant CWDs
- FTP: allow "rubbish" prepended to the SIZE response
- FTP: remove trailing slash from path for LIST/MLSD
- FTP: skip CWD to entry dir when target is absolute
- FTP: url-decode path before evaluation
- HTTP3.md: move -p for mkdir, remove -j for make
- HTTP3: fix invalid use of sendto for connected UDP socket
- HTTP3: fix prefix parameter for ngtcp2 build
- HTTP3: show an --alt-svc using example too
- INSTALL: add missing space for configure commands
- INSTALL: add vcpkg installation instructions
- altsvc: accept quoted ma and persist values
- altsvc: both backends run h3-23 now
- appveyor: Add MSVC ARM64 build
- appveyor: Use two parallel compilation on appveyor with CMake
- appveyor: add --disable-proxy autotools build
- appveyor: publish artifacts on appveyor
- appveyor: upgrade VS2017 to VS2019
- asyn-thread: make use of Curl_socketpair() where available
- asyn-thread: s/AF_LOCAL/AF_UNIX for Solaris
- build: Remove unused HAVE_LIBSSL and HAVE_LIBCRYPTO defines
- checksrc: fix uninitialized variable warning
- chunked-encoding: stop hiding the CURLE_BAD_CONTENT_ENCODING error
- cirrus: Switch the FreeBSD 11.x build to 11.3 and add a 13.0 build
- cirrus: switch off blackhole status on the freebsd CI machines
- cleanups: 21 various PVS-Studio warnings
- configure: only say ipv6 enabled when the variable is set
- configure: remove all cyassl references
- conn-reuse: requests wanting NTLM can reuse non-NTLM connections
- connect: return CURLE_OPERATION_TIMEDOUT for errno == ETIMEDOUT
- connect: silence sign-compare warning
- cookie: avoid harmless use after free
- cookie: pass in the correct cookie amount to qsort()
- cookies: change argument type for Curl_flush_cookies
- cookies: using a share with cookies shouldn't enable the cookie engine
- copyrights: update copyright notices to 2019
- curl: create easy handles on-demand and not ahead of time
- curl: ensure HTTP 429 triggers --retry
- curl: exit the create_transfers loop on errors
- curl: fix memory leaked by parse_metalink()
- curl: load large files with -d @ much faster
- docs/HTTP3: fix `--with-ssl` ngtcp2 configure flag
- docs: added multi-event.c example
- docs: disambiguate CURLUPART_HOST is for host name (ie no port)
- docs: note on failed handles not being counted by curl_multi_perform
- doh: allow only http and https in debug mode
- doh: avoid truncating DNS QTYPE to lower octet
- doh: clean up dangling DOH memory on easy close
- doh: fix (harmless) buffer overrun
- doh: fix undefined behaviour and open up for gcc and clang optimization
- doh: return early if there is no time left
- examples/sslbackend: fix -Wchar-subscripts warning
- gnutls: make gnutls_bye() not wait for response on shutdown
- http2: expire a timeout at end of stream
- http2: prevent dup'ed handles to send dummy PRIORITY frames
- http2: relax verification of :authority in push promise requests
- http2_recv: a closed stream trumps pause state
- http: lowercase headernames for HTTP/2 and HTTP/3
- ldap: Stop using wide char version of ldap_err2string
- ldap: fix OOM error on missing query string
- mbedtls: add error message for cert validity starting in the future
- mime: when disabled, avoid C99 macro
- ngtcp2: adapt to API change
- ngtcp2: compile with latest ngtcp2 + nghttp3 draft-23
- ngtcp2: remove fprintf() calls
- openssl: close_notify on the FTP data connection doesn't mean closure
- openssl: use strerror on SSL_ERROR_SYSCALL
- os400: getpeername() and getsockname() return ebcdic AF_UNIX sockaddr
- parsedate: fix date parsing disabled builds
- quiche: don't close connection at end of stream
- quiche: persist connection details (fixes -I with --http3)
- quiche: set 'drain' when returning without having drained the queues
- quiche: update HTTP/3 config creation to new API
- redirect: handle redirects to absolute URLs containing spaces
- runtests: get textaware info from curl instead of perl
- schannel: reverse the order of certinfo insertions
- schannel_verify: Fix concurrent openings of CA file
- security: silence conversion warning
- setopt: handle ALTSVC set to NULL
- setopt: make it easier to add new enum values
- setopt: store CURLOPT_RTSP_SERVER_CSEQ correctly
- smb: check for full size message before reading message details
- smbserver: fix Python 3 compatibility
- socks: Fix destination host shown on SOCKS5 error
- test1162: disable MSYS2's POSIX path conversion
- test1591: fix spelling of http feature
- tests: add 'connect to non-listen' keywords
- tests: fix narrowing conversion warnings
- tests: fix the test 3001 cert failures
- tests: make tests succeed when using --disable-proxy
- tests: use %FILE_PWD for file:// URLs
- tests: use port 2 instead of 60000 for a safer non-listening port
- tool_operate: Fix retry sleep time shown to user when Retry-After
- url: Curl_free_request_state() should also free doh handles
- url: don't set appconnect time for non-ssl/non-ssh connections
- url: fix the NULL hostname compiler warning
- url: normalize CURLINFO_EFFECTIVE_URL
- url: only reuse TLS connections with matching pinning
- urlapi: avoid index underflow for short ipv6 hostnames
- urlapi: fix URL encoding when setting a full URL
- urlapi: question mark within fragment is still fragment
- urldata: use 'bool' for the bit type on MSVC compilers
- vtls: fix narrowing conversion warnings
- Update to 7.66.0 [bsc#1149496, CVE-2019-5482][bsc#1149495, CVE-2019-5481]
* Changes:
- CURLINFO_RETRY_AFTER: parse the Retry-After header value
- HTTP3: initial (experimental still not working) support
- curl: --sasl-authzid added to support CURLOPT_SASL_AUTHZID from the tool
- curl: support parallel transfers with -Z
- curl_multi_poll: a sister to curl_multi_wait() that waits more
- sasl: Implement SASL authorisation identity via CURLOPT_SASL_AUTHZID
* Bugfixes:
- CVE-2019-5481: FTP-KRB double-free
- CVE-2019-5482: TFTP small blocksize heap buffer overflow
- CMake: remove needless newlines at end of gss variables
- CMake: use platform dependent name for dlopen() library
- CURLINFO docs: mention that in redirects times are added
- CURLOPT_ALTSVC.3: use a "" file name to not load from a file
- CURLOPT_ALTSVC_CTRL.3: remove CURLALTSVC_ALTUSED
- CURLOPT_HEADERFUNCTION.3: clarify
- CURLOPT_HTTP_VERSION: setting this to 3 forces HTTP/3 use directly
- CURLOPT_READFUNCTION.3: provide inline example
- CURLOPT_SSL_VERIFYHOST: treat the value 1 as 2
- Curl_addr2string: take an addrlen argument too
- Curl_fillreadbuffer: avoid double-free trailer buf on error
- HTTP: use chunked Transfer-Encoding for HTTP_POST if size unknown
- alt-svc: add protocol version selection masking
- alt-svc: fix removal of expired cache entry
- alt-svc: make it use h3-22 with ngtcp2 as well
- alt-svc: more liberal ALPN name parsing
- alt-svc: send Alt-Used: in redirected requests
- alt-svc: with quiche, use the quiche h3 alpn string
- asyn-thread: create a socketpair to wait on
- cleanup: move functions out of url.c and make them static
- cleanup: remove the 'numsocks' argument used in many places
- configure: avoid undefined check_for_ca_bundle
- curl.h: add CURL_HTTP_VERSION_3 to the version enum
- curl: cap the maximum allowed values for retry time arguments
- curl: handle a libcurl build without netrc support
- curl: make use of CURLINFO_RETRY_AFTER when retrying
- curl: use CURLINFO_PROTOCOL to check for HTTP(s)
- curl_global_init_mem.3: mention it was added in 7.12.0
- curl_version: bump string buffer size to 250
- curl_version_info.3: mentioned ALTSVC and HTTP3
- curl_version_info: offer quic (and h3) library info
- curl_version_info: provide nghttp2 details
- defines: avoid underscore-prefixed defines
- docs/ALTSVC: remove what works and the experimental explanation
- docs/EXPERIMENTAL: explain what it means and what's experimental now
- docs/MANUAL.md: converted to markdown from plain text
- docs/examples/curlx: fix errors
- docs: s/curl_debug/curl_dbg_debug in comments and docs
- easy: resize receive buffer on easy handle reset
- examples: Avoid reserved names in hiperfifo examples
- examples: add http3.c, altsvc.c and http3-present.c
- http09: disable HTTP/0.9 by default in both tool and library
- http2: when marked for closure and wanted to close == OK
- http2_recv: trigger another read when the last data is returned
- http: fix use of credentials from URL when using HTTP proxy
- http_negotiate: improve handling of gss_init_sec_context() failures
- md4: Use our own MD4 when no crypto libraries are available
- multi: call detach_connection before Curl_disconnect
- nss: use TLSv1.3 as default if supported
- openssl: build warning free with boringssl
- openssl: use SSL_CTX_set__proto_version() when available
- plan9: add support for running on Plan 9
- progress: reset download/uploaded counter between transfers
- readwrite_data: repair setting the TIMER_STARTTRANSFER stamp
- scp: fix directory name length used in memcpy
- smb: init *msg to NULL in smb_send_and_recv()
- smtp: check for and bail out on too short EHLO response
- source: remove names from source comments
- spnego_sspi: add typecast to fix build warning
- src/makefile: fix uncompressed hugehelp.c generation
- ssh-libssh: do not specify O_APPEND when not in append mode
- ssh: move code into vssh for SSH backends
- sspi: fix memory leaks
- tests: Replace outdated test case numbering documentation
- tftp: return error when packet is too small for options
- timediff: make it 64 bit (if possible) even with 32 bit time_t
- travis: reduce number of torture tests in 'coverage'
- url: make use of new HTTP version if alt-svc has one
- urlapi: verify the IPv6 numerical address
- urldata: avoid 'generic', use dedicated pointers
- vauth: Use CURLE_AUTH_ERROR for auth function errors
- Update to 7.65.3
* progress: make the progress meter appear again
- Update to 7.65.2
* Bugfixes:
- CIPHERS.md: Explain Schannel error SEC_E_ALGORITHM_MISMATCH
- CMake: Fix finding Brotli on case-sensitive file systems
- CURLOPT_RANGE.3: Caution against using it for HTTP PUT
- CURLOPT_SEEKDATA.3: fix variable name
- bindlocal: detect and avoid IP version mismatches in bind()
- build: fix Codacy warnings
- c-ares: honor port numbers in CURLOPT_DNS_SERVERS
- config-os400: add getpeername and getsockname defines
- configure: --disable-progress-meter
- configure: fix --disable-code-coverage
- configure: more --disable switches to toggle off individual features
- configure: remove CURL_DISABLE_TLS_SRP
- conn_maxage: move the check to prune_dead_connections()
- curl: skip CURLOPT_PROXY_CAPATH for disabled-proxy builds
- docs: Explain behavior change in --tlsv1. options since 7.54
- docs: Fix links to OpenSSL docs
- docs: fix string suggesting HTTP/2 is not the default
- headers: Remove no longer exported functions
- http2: call done_sending on end of upload
- http2: don't call stream-close on already closed streams
- http2: remove CURL_DISABLE_TYPECHECK define
- http: allow overriding timecond with custom header
- http: clarify header buffer size calculation
- krb5: fix compiler warning
- lib: Use UTF-8 encoding in comments
- libcurl: Restrict redirect schemes to HTTP, HTTPS, FTP and FTPS
- multi: enable multiplexing by default (again)
- multi: fix the transfer hashes in the socket hash entries
- multi: make sure 'data' can be present in several sockhash entries
- netrc: Return the correct error code when out of memory
- nss: don't set unused parameter
- nss: inspect returnvalue of token check
- nss: only cache valid CRL entries
- openssl: define HAVE_SSL_GET_SHUTDOWN based on version number
- openssl: disable engine if OPENSSL_NO_UI_CONSOLE is defined
- openssl: fix pubkey/signature algorithm detection in certinfo
- os400: make vsetopt() non-static as Curl_vsetopt() for os400 support
- quote.d: asterisk prefix works for SFTP as well
- runtests: keep logfiles around by default
- runtests: report single test time + total duration
- test1165: verify that CURL_DISABLE_ symbols are in sync
- test1521: adapt to SLISTPOINT
- test1523: test CURLOPT_LOW_SPEED_LIMIT
- test153: fix content-length to avoid occasional hang
- test188/189: fix Content-Length
- tests: have runtests figure out disabled features
- tests: support non-localhost HOSTIP for dict/smb servers
- tests: update fixed IP for hostip/clientip split
- tool_cb_prg: Fix integer overflow in progress bar
- typecheck: CURLOPT_CONNECT_TO takes an slist too
- typecheck: add 3 missing strings and a callback data pointer
- unit1654: cleanup on memory failure
- unpause: trigger a timeout for event-based transfers
- url: Fix CURLOPT_MAXAGE_CONN time comparison
- Rebased patch curl-use_OPENSSL_config.patch
- Disable newly added failing test1165
- Update to 7.65.1
* Bugfixes:
- CURLOPT_LOW_SPEED_* repaired
- NTLM: reset proxy "multipass" state when CONNECT request is done
- PolarSSL: deprecate support step 1. Removed from configure
- cmake: check for if_nametoindex()
- cmake: support CMAKE_OSX_ARCHITECTURES when detecting SIZEOF variables
- conncache: Remove the DEBUGASSERT on length check
- conncache: make "bundles" per host name when doing proxy tunnels
- curl_share_setopt.3: improve wording
- dump-header.d: spell out that no headers == empty file
- example/http2-download: fix format specifier
- examples: cleanups and compiler warning fixes
- http2: Stop drain from being permanently set
- http: don't parse body-related headers in bodyless responses
- md4: build correctly with openssl without MD4
- md4: include the mbedtls config.h to get the MD4 info
- multi: track users of a socket better
- nss: allow to specify TLS 1.3 ciphers if supported by NSS
- parse_proxy: make sure portptr is initialized
- parse_proxy: use the IPv6 zone id if given
- sectransp: handle errSSLPeerAuthCompleted from SSLRead()
- singlesocket: use separate variable for inner loop
- ssl: Update outdated "openssl-only" comments for supported backends
- tests: add HAProxy keywords
- tests: make test 1420 and 1406 work with rtsp-disabled libcurl
- tls13-docs: mention it is only for OpenSSL >= 1.1.1
- tool_setopt: for builds with disabled-proxy, skip all proxy setopts()
- url: fix bad feature-disable #ifdef
- url: use correct port in ConnectionExists()
- Update to 7.65.0 [bsc#1135176, CVE-2019-5435][bsc#1135170, CVE-2019-5436]
* Changes:
- CURLOPT_DNS_USE_GLOBAL_CACHE: removed
- CURLOPT_MAXAGE_CONN: set the maximum allowed age for conn reuse
- pipelining: removed
* Bugfixes:
- CVE-2019-5435: Integer overflows in curl_url_set
- CVE-2019-5436: tftp: use the current blksize for recvfrom()
- --config: clarify that initial : and = might need quoting
- CURLMOPT_TIMERFUNCTION.3: warn about the recursive risk
- CURLOPT_ADDRESS_SCOPE: fix range check and more
- CURLOPT_CHUNK_BGN_FUNCTION.3: document the struct and time value
- CURLOPT_READFUNCTION.3: see also CURLOPT_UPLOAD_BUFFERSIZE
- CURL_MAX_INPUT_LENGTH: largest acceptable string input size
- Curl_disconnect: treat all CONNECT_ONLY connections as "dead"
- OS400/ccsidcurl: replace use of Curl_vsetopt
- OpenSSL: Report -fips in version if OpenSSL is built with FIPS
- WRITEFUNCTION: add missing set_in_callback around callback
- altsvc: Fix building with cookies disabled
- auth: Rename the various authentication clean up functions
- base64: build conditionally if there are users
- cmake: avoid linking executable for some tests with cmake 3.6+
- cmake: clear CMAKE_REQUIRED_LIBRARIES after each use
- cmake: set SSL_BACKENDS
- configure: avoid unportable '==' test(1) operator
- configure: error out if OpenSSL wasn't detected when asked for
- configure: fix default location for fish completions
- cookie: Guard against possible NULL ptr deref
- curl: make code work with protocol-disabled libcurl
- curl: report error for "--no-" on non-boolean options
- curlver.h: use parenthesis in CURL_VERSION_BITS macro
- docs/INSTALL: fix broken link
- doh: acknowledge CURL_DISABLE_DOH
- doh: disable DOH for the cases it doesn't work
- examples: remove unused variables
- ftplistparser: fix LGTM alert "Empty block without comment"
- hostip: acknowledge CURL_DISABLE_SHUFFLE_DNS
- http: Ignore HTTP/2 prior knowledge setting for HTTP proxies
- http: acknowledge CURL_DISABLE_HTTP_AUTH
- http: mark bundle as not for multiuse on < HTTP/2 response
- http_digest: Don't expose functions when HTTP and Crypto Auth are disabled
- http_negotiate: do not treat failure of gss_init_sec_context() as fatal
- http_ntlm: Corrected the name of the include guard
- http_ntlm_wb: Handle auth for only a single request
- http_ntlm_wb: Return the correct error on receiving an empty auth message
- lib509: add missing include for strdup
- lib557: initialize variables
- mbedtls: enable use of EC keys
- mime: acknowledge CURL_DISABLE_MIME
- multi: improved HTTP_1_1_REQUIRED handling
- netrc: acknowledge CURL_DISABLE_NETRC
- nss: allow fifos and character devices for certificates
- nss: provide more specific error messages on failed init
- ntlm: Fix misaligned function comments for Curl_auth_ntlm_cleanup
- ntlm: Support the NT response in the type-3 when OpenSSL doesn't include MD4
- openssl: mark connection for close on TLS close_notify
- openvms: Remove pre-processor for SecureTransport
- parse_proxy: use the URL parser API
- parsedate: disabled on CURL_DISABLE_PARSEDATE
- pingpong: disable more when no pingpong protocols are enabled
- polarssl_threadlock: remove conditionally unused code
- progress: acknowledge CURL_DISABLE_PROGRESS_METER
- proxy: acknowledge DISABLE_PROXY more
- resolve: apply Happy Eyeballs philosophy to parallel c-ares queries
- revert "multi: support verbose conncache closure handle"
- sasl: Don't send authcid as authzid for the PLAIN mechanism as per RFC 4616
- sasl: only enable if there's a protocol enabled using it
- singleipconnect: show port in the verbose "Trying ..." message
- socks5: user name and passwords must be shorter than 256
- socks: fix error message
- socksd: new SOCKS 4+5 server for tests
- spnego_gssapi: fix return code on gss_init_sec_context() failure
- ssh-libssh: remove unused variable
- ssh: define USE_SSH if SSH is enabled (any backend)
- ssh: move variable declaration to where it's used
- test1002: correct the name
- test2100: Fix typos in test description
- tests: Run global cleanup at end of tests
- tests: make Impacket (SMB server) Python 3 compatible
- tool_cb_wrt: fix bad-function-cast warning
- tool_formparse: remove redundant assignment
- tool_help: Warn if curl and libcurl versions do not match
- tool_help: include for strcasecmp
- url: always clone the CURLOPT_CURLU handle
- url: convert the zone id from an IPv6 URL to correct scope id
- urlapi: add CURLUPART_ZONEID to set and get
- urlapi: increase supported scheme length to 40 bytes
- urlapi: require a non-zero host name length when parsing URL
- urlapi: stricter CURLUPART_PORT parsing
- urlapi: strip off zone id from numerical IPv6 addresses
- urlapi: urlencode characters above 0x7f correctly
- vauth/cleartext: update the PLAIN login to match RFC 4616
- vauth/oauth2: Fix OAUTHBEARER token generation
- vauth: Fix incorrect function description for Curl_auth_user_contains_domain
- vtls: fix potential ssl_buffer stack overflow
- wildcard: disable from build when FTP isn't present
- xattr: skip unittest on unsupported platforms
- Install curl.fish completions file from curl rather than from the fish package
- update to version 7.64.1
* Changes:
- alt-svc: experimental support added
- configure: add --with-amissl
* Bugfixes:
- AppVeyor: switch VS 2015 builds to VS 2017 image
- CURLU: fix NULL dereference when used over proxy
- Curl_easy: remove req.maxfd - never used!
- Curl_resolv: fix a gcc -Werror=maybe-uninitialized warning
- DoH: inherit some SSL options from user's easy handle
- Secure Transport: no more "darwinssl"
- Secure Transport: tvOS 11 is required for ALPN support
- cirrus: Added FreeBSD builds using Cirrus CI
- cleanup: make local functions static
- cli tool: do not use mime.h private structures
- cmdline-opts/proxytunnel.d: the option tunnels all protocols
- configure: add additional libraries to check for LDAP support
- configure: remove the unused fdopen macro
- configure: show features as well in the final summary
- conncache: use conn->data to know if a transfer owns it
- connection: never reuse CONNECT_ONLY connections
- connection_check: restore original conn->data after the check
- connection_check: set ->data to the transfer doing the check
- cookie: Add support for cookie prefixes
- cookies: dotless names can set cookies again
- cookies: fix NULL dereference if flushing cookies with no CookieInfo set
- curl.1: --user and --proxy-user are hidden from ps output
- curl.1: mark the argument to --cookie as
- curl.h: use __has_declspec_attribute for shared builds
- curl: display --version features sorted alphabetically
- curl: fix FreeBSD compiler warning in the --xattr code
- curl: remove MANUAL from -M output
- curl_easy_duphandle.3: clarify that a duped handle has no shares
- curl_multi_remove_handle.3: use at any time, just not from within callbacks
- curl_url.3: this API is not experimental anymore
- dns: release sharelock as soon as possible
- docs: update max-redirs.d phrasing
- examples/10-at-a-time.c: improve readability and simplify
- examples/cacertinmem.c: use multiple certificates for loading CA-chain
- examples/crawler: Fix the Accept-Encoding setting
- examples/ephiperfifo.c: various fixes
- examples/externalsocket: add missing close socket calls
- examples/http2-download: cleaned up
- examples/http2-serverpush: add some sensible error checks
- examples/http2-upload: cleaned up
- examples/httpcustomheader: Value stored to 'res' is never read
- examples/postinmemory: Potential leak of memory pointed to by 'chunk.memory'
- examples/sftpuploadresume: Value stored to 'result' is never read
- examples: only include
- examples: remove recursive calls to curl_multi_socket_action
- examples: remove superfluous null-pointer checks
- file: fix "Checking if unsigned variable 'readcount' is less than zero."
- fnmatch: disable if FTP is disabled
- gnutls: remove call to deprecated gnutls_compression_get_name
- gopher: remove check for path == NULL
- gssapi: fix deprecated header warnings
- hostip: make create_hostcache_id avoid alloc + free
- http2: multi_connchanged() moved from multi.c, only used for h2
- http2: verify :authority in push promise requests
- http: make adding a blank header thread-safe
- http: send payload when (proxy) authentication is done
- http: set state.infilesize when sending multipart formposts
- makefile: make checksrc and hugefile commands "silent"
- mbedtls: make it build even if MBEDTLS_VERSION_C isn't set
- mbedtls: release sessionid resources on error
- memdebug: log pointer before freeing its data
- memdebug: make debug-specific functions use curl_dbg_ prefix
- mime: put the boundary buffer into the curl_mime struct
- multi: call multi_done on connect timeouts, fixes CURLINFO_TOTAL_TIME
- multi: remove verbose "Expire in" ... messages
- multi: removed unused code for request retries
- multi: support verbose conncache closure handle
- negotiate: fix for HTTP POST with Negotiate
- openssl: add support for TLS ASYNC state
- openssl: if cert type is ENG and no key specified, key is ENG too
- pretransfer: don't strlen() POSTFIELDS set for GET requests
- rand: Fix a mismatch between comments in source and header
- runtests: detect "schannel" as an alias for "winssl"
- schannel: be quiet - remove verbose output
- schannel: close TLS before removing conn from cache
- schannel: support CALG_ECDH_EPHEM algorithm
- scripts/completion.pl: also generate fish completion file
- singlesocket: fix the 'sincebefore' placement
- source: fix two 'nread' may be used uninitialized warnings
- ssh: fix Condition '!status' is always true
- ssh: loop the state machine if not done and not blocking
- strerror: make the strerror function use local buffers
- test578: make it read data from the correct test
- tests: Fixed XML validation errors in some test files
- tests: add stderr comparison to the test suite
- tests: fix multiple may be used uninitialized warnings
- threaded-resolver: shutdown the resolver thread without error message
- tool_cb_wrt: fix writing to Windows null device NUL
- tool_getpass: termios.h is present on AmigaOS 3, but no tcgetattr/tcsetattr
- tool_operate: build on AmigaOS
- tool_operate: fix typecheck warning
- transfer.c: do not compute length of undefined hex buffer
- travis: add build using gnutls
- travis: add scan-build
- travis: bump the used wolfSSL version to 4.0.0
- travis: enable valgrind for the iconv tests
- travis: use updated compiler versions: clang 7 and gcc 8
- unit1307: require FTP support
- unit1651: survive curl_easy_init() fails
- url/idnconvert: remove scan for <= 32 ascii values
- url: change conn shutdown order to ensure SOCKETFUNCTION callbacks
- urlapi: reduce variable scope, remove unreachable 'break'
- urldata: convert bools to bitfields and move to end
- urldata: simplify bytecounters
- urlglob: Argument with 'nonnull' attribute passed null
- version.c: silent scan-build even when librtmp is not enabled
- vtls: rename some of the SSL functions
- wolfssl: stop custom-adding curves
- x509asn1: "Dereference of null pointer"
- x509asn1: cleanup and unify code layout
- zsh.pl: escape ':' character
- zsh.pl: update regex to better match curl -h output
- Dropped patches fixed upstream:
* 0001-connection_check-set-data-to-the-transfer-doing-the-.patch
* 0002-connection_check-restore-original-conn-data-after-th.patch
* curl-singlesocket-sincebefore-placement.patch
- Fix variable placement that wasn't properly reset within a loop
missing to notify sockets. [bsc#1129083, bsc#1129470]
* Added curl-singlesocket-sincebefore-placement.patch
- Add patches to fix use-after-free (boo#1127849):
* 0001-connection_check-set-data-to-the-transfer-doing-the-.patch
* 0002-connection_check-restore-original-conn-data-after-th.patch
- BuildRequire libcurl4-mini for !bootstrap to avoid build cycles
due to cmake pulling libcurl4
- update to version 7.64.0
[bsc#1123371, CVE-2018-16890][bsc#1123377, CVE-2019-3822]
[bsc#1123378, CVE-2019-3823]
* Changes:
- cookies: leave secure cookies alone
- hostip: support wildcard hosts
- http: Implement trailing headers for chunked transfers
- http: added options for allowing HTTP/0.9 responses
- timeval: Use high resolution timestamps on Windows
* Bugfixes:
- CVE-2018-16890: NTLM type-2 out-of-bounds buffer read
- CVE-2019-3822: NTLMv2 type-3 header stack buffer overflow
- CVE-2019-3823: SMTP end-of-response out-of-bounds read
- FAQ: remove mention of sourceforge for github
- OS400: handle memory error in list conversion
- OS400: upgrade ILE/RPG binding.
- README: add codacy code quality badge
- Revert http_negotiate: do not close connection
- THANKS: added several missing names from year <= 2000
- build: make 'tidy' target work for metalink builds
- cmake: added checks for variadic macros
- cmake: updated check for HAVE_POLL_FINE to match autotools
- cmake: use lowercase for function name like the rest of the code
- configure: detect xlclang separately from clang
- configure: fix recv/send/select detection on Android
- configure: rewrite --enable-code-coverage
- conncache_unlock: avoid indirection by changing input argument type
- cookie: fix comment typo
- cookies: allow secure override when done over HTTPS
- cookies: extend domain checks to non psl builds
- cookies: skip custom cookies when redirecting cross-site
- curl --xattr: strip credentials from any URL that is stored
- curl -J: refuse to append to the destination file
- curl/urlapi.h: include "curl.h" first
- curl_multi_remove_handle() don't block terminating c-ares requests
- darwinssl: accept setting max-tls with default min-tls
- disconnect: separate connections and easy handles better
- disconnect: set conn->data for protocol disconnect
- docs/version.d: mention MultiSSL
- docs: fix the --tls-max description
- docs: use $(INSTALL_DATA) to install man page
- docs: use meaningless port number in CURLOPT_LOCALPORT example
- gopher: always include the entire gopher-path in request
- http2: clear pause stream id if it gets closed
- if2ip: remove unused function Curl_if_is_interface_name
- libssh: do not let libssh create socket
- libssh: enable CURLOPT_SSH_KNOWNHOSTS and CURLOPT_SSH_KEYFUNCTION for libssh
- libssh: free sftp_canonicalize_path() data correctly
- libtest/stub_gssapi: use "real" snprintf
- mbedtls: use VERIFYHOST
- multi: multiplexing improvements
- multi: set the EXPIRE_*TIMEOUT timers at TIMER_STARTSINGLE time
- ntlm: fix NTLMv2 compliance
- ntlm_sspi: add support for channel binding
- openssl: adapt to 3.0.0, OpenSSL_version_num() is deprecated
- openssl: fix the SSL_get_tlsext_status_ocsp_resp call
- openvms: fix OpenSSL discovery on VAX
- openvms: fix typos in documentation
- os400: add a missing closing bracket
- os400: fix extra parameter syntax error
- pingpong: change default response timeout to 120 seconds
- pingpong: ignore regular timeout in disconnect phase
- printf: fix format specifiers
- runtests.pl: Fix perl call to include srcdir
- schannel: fix compiler warning
- schannel: preserve original certificate path parameter
- schannel: stop calling it "winssl"
- sigpipe: if mbedTLS is used, ignore SIGPIPE
- smb: fix incorrect path in request if connection reused
- ssh: log the libssh2 error message when ssh session startup fails
- test1558: verify CURLINFO_PROTOCOL on file:// transfer
- test1561: improve test name
- test1653: make it survive torture tests
- tests: allow tests to pass by 2037-02-12
- tests: move objnames-* from lib into tests
- timediff: fix math for unsigned time_t
- timeval: Disable MSVC Analyzer GetTickCount warning
- tool_cb_prg: avoid integer overflow
- travis: added cmake build for osx
- urlapi: Fix port parsing of eol colon
- urlapi: distinguish possibly empty query
- urlapi: fix parsing ipv6 with zone index
- urldata: rename easy_conn to just conn
- winbuild: conditionally use /DZLIB_WINAPI
- wolfssl: fix memory-leak in threaded use
- spnego_sspi: add support for channel binding
- Fix wrong summary, curl is at version 7, not 4.
- Provide libcurl4 = %version in the mini library package
- Update to version 7.63.0
Changes:
* curl: add %{stderr} and %{stdout} for --write-out
* curl: add undocumented option --dump-module-paths for w32
* setopt: add CURLOPT_CURLU
Bugfixes:
* (lib)curl.rc: fixup for minor bugs
* CURLINFO_REDIRECT_URL: extract the Location: header field unvalidated
* CURLOPT_HEADERFUNCTION.3: match 'nitems' name in synopsis/desc
* CURLOPT_WRITEFUNCTION.3: spell out that it gets called many times
* Curl_follow: accept non-supported schemes for "fake" redirects
* KNOWN_BUGS: add --proxy-any connection issue
* NTLM: Remove redundant ifdef USE_OPENSSL
* NTLM: force the connection to HTTP/1.1
* OS400: add URL API ccsid wrappers and sync ILE/RPG bindings
* SECURITY-PROCESS: bountygraph shuts down again
* TODO: Have the URL API offer IDN decoding
* ares: remove fd from multi fd set when ares is about to close the fd
* axtls: removed
* checksrc: add COPYRIGHTYEAR check
* cmake: fix MIT/Heimdal Kerberos detection
* configure: include all libraries in ssl-libs fetch
* configure: show CFLAGS, LDFLAGS etc in summary
* connect: fix building for recent versions of Minix
* cookies: create the cookiejar even if no cookies to save
* cookies: expire "Max-Age=0" immediately
* curl: --local-port range was not "including"
* curl: fix --local-port integer overflow
* curl: fix memory leak reading --writeout from file
* curl: fixed UTF-8 in current console code page (Win)
* curl_easy_perform: fix timeout handling
* curl_global_sslset(): id == -1 is not necessarily an error
* curl_multibyte: fix a malloc overcalculation
* curle: move deprecated error code to ifndef block
* docs: curl_formadd field and file names are now escaped
* docs: escape "\n" codes
* doh: fix memory leak in OOM situation
* doh: make it work for h2-disabled builds too
* examples/ephiperfifo: report error when epoll_ctl fails
* ftp: avoid unsigned int overflows in FTP listing parser
* host names: allow trailing dot in name resolve, then strip it
* http2: Upon HTTP_1_1_REQUIRED, retry the request with HTTP/1.1
* http: don't set CURLINFO_CONDITION_UNMET for http status code 204
* http: fix HTTP Digest auth to include query in URI
* http_negotiate: do not close connection until negotiation is completed
* impacket: add LICENSE
* infof: clearly indicate truncation
* ldap: fix LDAP URL parsing regressions
* libcurl: stop reading from paused transfers
* mprintf: avoid unsigned integer overflow warning
* netrc: don't ignore the login name specified with "--user"
* nss: Fall back to latest supported SSL version
* nss: Fix compatibility with nss versions 3.14 to 3.15
* nss: fix fallthrough comment to fix picky compiler warning
* nss: remove version selecting dead code
* nss: set default max-tls to 1.3/1.2
* openssl: Remove SSLEAY leftovers
* openssl: do not log excess "TLS app data" lines for TLS 1.3
* openssl: do not use file BIOs if not requested
* openssl: fix unused variable compiler warning with old openssl
* openssl: support session resume with TLS 1.3
* openvms: fix example name
* os400: Add curl_easy_conn_upkeep() to ILE/RPG binding
* os400: add CURLOPT_CURLU to ILE/RPG binding
* os400: fix return type of curl_easy_pause() in ILE/RPG binding
* packages: remove old leftover files and dirs
* pop3: only do APOP with a valid timestamp
* runtests: use the local curl for verifying
* schannel: be consistent in Schannel capitalization
* schannel: better CURLOPT_CERTINFO support
* schannel: use Curl_prefix for global private symbols
* snprintf: renamed and now we only use msnprintf()
* ssl: fix compilation with OpenSSL 0.9.7
* ssl: replace all internal uses of CURLE_SSL_CACERT
* symbols-in-versions: add missing CURLU_symbols
* test328: verify Content-Encoding: none
* tests: disable SO_EXCLUSIVEADDRUSE for stunnel/Win
* tests: drop http_pipe.py script no longer used
* tool_cb_wrt: Silence function cast compiler warning
* tool_doswin: Fix uninitialized field warning
* travis: build with clang sanitizers
* travis: remove curl before a normal build
* url: a short host name + port is not a scheme
* url: fix IPv6 numeral address parser
* urlapi: only skip encoding the first '=' with APPENDQUERY set
- refreshed curl-disabled-redirect-protocol-message.patch
- Update to version 7.62.0
Changes:
* multiplex: enable by default
* url: default to CURL_HTTP_VERSION_2TLS if built h2-enabled
* setopt: add CURLOPT_DOH_URL
* curl: --doh-url added
* setopt: add CURLOPT_UPLOAD_BUFFERSIZE: set upload buffer size
* imap: change from "FETCH" to "UID FETCH"
* configure: add option to disable automatic OpenSSL config loading
* upkeep: add a connection upkeep API: curl_easy_upkeep()
* URL-API: added five new functions
* vtls: MesaLink is a new TLS backend
Bugfixes:
* CVE-2018-16839: SASL password overflow via integer overflow [bsc#1112758]
* CVE-2018-16840: use-after-free in handle close [bsc#1113029]
* CVE-2018-16842: warning message out-of-buffer read [bsc#1113660]
* CURLOPT_DNS_USE_GLOBAL_CACHE: deprecated
* Curl_dedotdotify(): always nul terminate returned string
* Curl_follow: Always free the passed new URL
* Curl_http2_done: fix memleak in error path
* Curl_retry_request: fix memory leak
* Curl_saferealloc: Fixed typo in docblock
* FILE: fix CURLOPT_NOBODY and CURLOPT_HEADER output
* GnuTLS: TLS 1.3 support
* SECURITY-PROCESS: mention the bountygraph program
* VS projects: add USE_IPV6:
* certs: generate tests certs with sha256 digest algorithm
* checksrc: enable strict mode and warnings
* checksrc: handle zero scoped ignore commands
* cmake: Backport to work with CMake 3.0 again
* cmake: Improve config installation
* cmake: add support for transitive ZLIB target
* cmake: disable -Wpedantic-ms-format
* cmake: don't require OpenSSL if USE_OPENSSL=OFF
* cmake: fixed path used in generation of docs/tests
* cmake: remove unused *SOCKLEN_T variables
* cmake: suppress MSVC warning C4127 for libtest
* cmake: test and set missed defines during configuration
* config: Remove unused SIZEOF_VOIDP
* configure: force-use -lpthreads on HPUX
* configure: remove CURL_CONFIGURE_CURL_SOCKLEN_T
* configure: s/AC_RUN_IFELSE/CURL_RUN_IFELSE
* cookies: Remove redundant expired check
* cookies: fix leak when writing cookies to file
* curl-config.in: remove dependency on bc
* curl.1: --ipv6 mutexes ipv4 (fixed typo)
* curl: update the documentation of --tlsv1.0
* curl_multi_wait: call getsock before figuring out timeout
* curl_ntlm_wb: check aprintf() return codes
* data-binary.d: clarify default content-type is x-www-form-urlencoded
* docs/CIPHERS: Mention the options used to set TLS 1.3 ciphers
* docs/CIPHERS: fix the TLS 1.3 cipher names
* docs/CIPHERS: mention the colon separation for OpenSSL
* docs/examples: URL updates
* docs: add "see also" links for SSL options
* example/asiohiper: insert warning comment about its status
* example/htmltidy: fix include paths of tidy libraries
* examples/http2-pushinmemory: receive HTTP/2 pushed files in memory
* examples/parseurl.c: show off the URL API
* examples: Fix memory leaks from realloc errors
* examples: do not wait when no transfers are running
* ftp: include command in Curl_ftpsend sendbuffer
* gskit: make sure to terminate version string
* gtls: Values stored to but never read
* hostip: fix check on Curl_shuffle_addr return value
* http2: fix memory leaks on error-path
* http: fix memleak in rewind error path
* krb5: fix memory leak in krb_auth
* memory: add missing curl_printf header
* memory: ensure to check allocation results
* multi: Fix error handling in the SENDPROTOCONNECT state
* multi: fix memory leak in content encoding related error path
* multi: make the closure handle "inherit" CURLOPT_NOSIGNAL
* netrc: free temporary strings if memory allocation fails
* nss: try to connect even if libnssckbi.so fails to load
* ntlm_wb: Fix memory leaks in ntlm_wb_response
* ntlm_wb: bail out if the response gets overly large
* openssl: assume engine support in 0.9.8 or later
* openssl: enable TLS 1.3 post-handshake auth
* openssl: fix gcc8 warning
* openssl: load built-in engines too
* openssl: make 'done' a proper boolean
* openssl: output the correct cipher list on TLS 1.3 error
* openssl: return CURLE_PEER_FAILED_VERIFICATION on failure to parse issuer
* openssl: show "proper" version number for libressl builds
* pipelining: deprecated
* rand: add comment to skip a clang-tidy false positive
* rtmp: fix for compiling with lwIP
* runtests: ignore disabled even when ranges are given
* schannel: unified error code handling
* sendf: Fix whitespace in infof/failf concatenation
* ssh: free the session on init failures
* ssl: deprecate CURLE_SSL_CACERT in favour of a unified error code
* system.h: use proper setting with Sun C++ as well
* test1299: use single quotes around asterisk
* test1452: mark as flaky
* test1651: unit test Curl_extract_certinfo()
* test320: strip out more HTML when comparing
* tests/negtelnetserver.py: fix Python2-ism in neg TELNET server
* tests: add unit tests for url.c
* tool_cb_hdr: handle failure of rename()
* travis: add a "make tidy" build that runs clang-tidy
* travis: add build for "configure --disable-verbose"
* travis: bump the Secure Transport build to use xcode
* travis: make distcheck scan for BOM markers
* unit1300: fix stack-use-after-scope AddressSanitizer warning
* urldata: Fix "connecting" comment
* urlglob: improve error message on bad globs
* vtls: fix ssl version "or later" behavior change for many backends
* x509asn1: Fix SAN IP address verification
* x509asn1: always check return code from getASN1Element()
* x509asn1: return CURLE_PEER_FAILED_VERIFICATION on failure to parse cert
* x509asn1: suppress left shift on signed value
- Rebased patches after update:
* curl-disabled-redirect-protocol-message.patch
* curl-use_OPENSSL_config.patch
- Update to version 7.61.1
Bugfixes:
* CVE-2018-14618: NTLM password overflow via integer overflow (bsc#1106019)
* CURLINFO_SIZE_UPLOAD: fix missing counter update
* CURLOPT_ACCEPT_ENCODING.3: list them comma-separated
* CURLOPT_SSL_CTX_FUNCTION.3: might cause accidental connection reuse
* Curl_getoff_all_pipelines: improved for multiplexed
* DEPRECATE: remove release date from 7.62.0
* HTTP: Don't attempt to needlessly decompress redirect body
* INTERNALS: require GnuTLS >= 2.11.3
* README.md: add LGTM.com code quality grade for C/C++
* SSLCERTS: improve the openssl command line
* Silence GCC 8 cast-function-type warnings
* ares: check for NULL in completed-callback
* asyn-thread: Remove unused macro
* auth: only pick CURLAUTH_BEARER if we *have* a Bearer token
* auth: pick Bearer authentication whenever a token is available
* cmake: CMake config files are defining CURL_STATICLIB for static builds
* cmake: Respect BUILD_SHARED_LIBS
* cmake: Update scripts to use consistent style
* cmake: bumped minimum version to 3.4
* cmake: link curl to the OpenSSL targets instead of lib absolute paths
* configure: conditionally enable pedantic-errors
* configure: fix for -lpthread detection with OpenSSL and pkg-config
* conn: remove the boolean 'inuse' field
* content_encoding: accept up to 4 unknown trailer bytes after raw deflate data
* cookie tests: treat files as text
* cookies: support creation-time attribute for cookies
* curl: Fix segfault when -H @headerfile is empty
* curl: add http code 408 to transient list for --retry
* curl: fix time-of-check, time-of-use race in dir creation
* curl: use Content-Disposition before the "URL end" for -OJ
* curl: warn the user if a given file name looks like an option
* curl_threads: silence bad-function-cast warning
* darwinssl: add support for ALPN negotiation
* docs/CURLOPT_URL: fix indentation
* docs/CURLOPT_WRITEFUNCTION: size is always 1
* docs/SECURITY-PROCESS: mention bounty, drop pre-notify
* docs/examples: add hiperfifo example using linux epoll/timerfd
* docs: add disallow-username-in-url.d and haproxy-protocol.d to dist
* docs: clarify NO_PROXY env variable functionality
* docs: improved the manual pages of some callbacks
* docs: mention NULL is fine input to several functions
* formdata: Remove unused macro HTTPPOST_CONTENTTYPE_DEFAULT
* gopher: Do not translate `?' to `%09'
* header output: switch off all styles, not just unbold
* hostip: fix unused variable warning
* http2: Use correct format identifier for stream_id
* http2: abort the send_callback if not setup yet
* http2: avoid set_stream_user_data() before stream is assigned
* http2: check nghttp2_session_set_stream_user_data return code
* http2: clear the drain counter in Curl_http2_done
* http2: make sure to send after RST_STREAM
* http2: separate easy handle from connections better
* http: fix for tiny "HTTP/0.9" response
* http_proxy: Remove unused macro SELECT_TIMEOUT
* lib/Makefile: only do symbol hiding if told to
* lib1502: fix memory leak in torture test
* lib1522: fix curl_easy_setopt argument type
* libcurl-thread.3: expand somewhat on the NO_SIGNAL motivation
* mime: check Curl_rand_hex's return code
* multi: always do the COMPLETED procedure/state
* openssl: assume engine support in 1.0.0 or later
* openssl: fix debug messages
* projects: Improve Windows perl detection in batch scripts
* retry: return error if rewind was necessary but didn't happen
* reuse_conn(): memory leak - free old_conn->options
* schannel: client certificate store opening fix
* schannel: enable CALG_TLS1PRF for w32api >= 5.1
* schannel: fix MinGW compile break
* sftp: don't send post-quote sequence when retrying a connection
* smb: fix memory leak on early failure
* smb: fix memory-leak in URL parse error path
* smb_getsock: always wait for write socket too
* ssh-libssh: fix infinite connect loop on invalid private key
* ssh-libssh: reduce excessive verbose output about pubkey auth
* ssh-libssh: use FALLTHROUGH to silence gcc8
* ssl: set engine implicitly when a PKCS#11 URI is provided
* sws: handle EINTR when calling select()
* system_win32: fix version checking
* telnet: Remove unused macros TELOPTS and TELCMDS
* test1143: disable MSYS2's POSIX path conversion
* test1148: disable if decimal separator is not point
* test1307: (fnmatch testing) disabled
* test1422: add required file feature
* test1531: Add timeout
* test1540: Remove unused macro TEST_HANG_TIMEOUT
* test214: disable MSYS2's POSIX path conversion for URL
* test320: treat curl320.out file as binary
* tests/http_pipe.py: Use /usr/bin/env to find python
* tests: Don't use Windows path %PWD for SSH tests
* tests: fixes for Windows line endings
* tool_operate: Fix setting proxy TLS 1.3 ciphers
* travis: build darwinssl on macos 10.12 to fix linker errors
* travis: execute "set -eo pipefail" for coverage build
* travis: run a 'make checksrc' too
* travis: update to GCC-8
* travis: verify that man pages can be regenerated
* upload: allocate upload buffer on-demand
* upload: change default UPLOAD_BUFSIZE to 64KB
* urldata: remove unused pipe_broke struct field
* vtls: reinstantiate engine on duplicated handles
* windows: implement send buffer tuning
* wolfSSL/CyaSSL: Fix memory leak in Curl_cyassl_random
- Remove patch included upstream:
* curl-switch-off-all-styles.patch
- Added curl-switch-off-all-styles.patch: Fix output of wrong escape sequences,
which might mess up the terminal (bsc#1105624)
- Update to version 7.61.0
[bsc#1099793, CVE-2018-0500]
Changes:
* getinfo: add microsecond precise timers for seven intervals
* curl: show headers in bold, switch off with --no-styled-output
* httpauth: add support for Bearer tokens
* Add CURLOPT_TLS13_CIPHERS and CURLOPT_PROXY_TLS13_CIPHERS
* curl: --tls13-ciphers and --proxy-tls13-ciphers
* Add CURLOPT_DISALLOW_USERNAME_IN_URL
* curl: --disallow-username-in-url
Bugfixes:
* CVE-2018-0500: smtp: fix SMTP send buffer overflow
* schannel: disable client cert option if APIs not available
* schannel: disable manual verify if APIs not available
* tests/libtest/Makefile: Do not unconditionally add gcc-specific flags
* openssl: acknowledge --tls-max for default version too
* stub_gssapi: fix 'unused parameter' warnings
* examples/progressfunc: make it build on both new and old libcurls
* docs: mention it is HA Proxy protocol "version 1"
* curl_fnmatch: only allow two asterisks for matching
* docs: clarify CURLOPT_HTTPGET
* configure: replace a AC_TRY_RUN with CURL_RUN_IFELSE
* configure: do compile-time SIZEOF checks instead of run-time
* checksrc: make sure sizeof() is used *with* parentheses
* CURLOPT_ACCEPT_ENCODING.3: add brotli and clarify a bit
* schannel: make CAinfo parsing resilient to CR/LF
* tftp: make sure error is zero terminated before printfing it
* http resume: skip body if http code 416 (range error) is ignored
* configure: add basic test of --with-ssl prefix
* cmake: set -d postfix for debug builds
* multi: provide a socket to wait for in Curl_protocol_getsock
* content_encoding: handle zlib versions too old for Z_BLOCK
* winbuild: only delete OUTFILE if it exists
* winbuild: In MakefileBuild.vc fix typo DISTDIR->DIRDIST
* schannel: add failf calls for client certificate failures
* cmake: Fix the test for fsetxattr and strerror_r
* curl.1: Fix cmdline-opts reference errors
* cmdline-opts/gen.pl: warn if mutexes: or see-also: list non-existing options
* cmake: check for getpwuid_r
* configure: fix ssh2 linking when built with a static mbedtls
* psl: use latest psl and refresh it periodically
* fnmatch: insist on escaped bracket to match
* KNOWN_BUGS: restore text regarding #2101
* INSTALL: LDFLAGS=-Wl,-R/usr/local/ssl/lib
* configure: override AR_FLAGS to silence warning
* os400: implement mime api EBCDIC wrappers
* curl.rc: embed manifest for correct Windows version detection
* strictness: correct {infof, failf} format specifiers
* tests: update .gitignore for libtests
* configure: check for declaration of getpwuid_r
* fnmatch: use the system one if available
* CURLOPT_RESOLVE: always purge old entry first
* multi: remove a potentially bad DEBUGF()
* curl_addrinfo: use same #ifdef conditions in source as header
* build: remove the Borland specific makefiles
* axTLS: not considered fit for use
* cmdline-opts/cert-type.d: mention "p12" as a recognized type
* system.h: add support for IBM xlc C compiler
* tests/libtest: Add lib1521 to nodist_SOURCES
* mk-ca-bundle.pl: leave certificate name untouched
* boringssl + schannel: undef X509_NAME in lib/schannel.h
* openssl: assume engine support in 1.0.1 or later
* cppcheck: fix warnings
* test 46: make test pass after year 2025
* schannel: support selecting ciphers
* Curl_debug: remove dead printhost code
* test 1455: unflakified
* Curl_init_do: handle NULL connection pointer passed in
* progress: remove a set of unused defines
* mk-ca-bundle.pl: make -u delete certdata.txt if found not changed
* GOVERNANCE.md: explains how this project is run
* configure: use pkg-config for c-ares detection
* configure: enhance ability to build with static openssl
* maketgz: fix sed issues on OSX
* multi: fix memory leak when stopped during name resolve
* CURLOPT_INTERFACE.3: interface names not supported on Windows
* url: fix dangling conn->data pointer
* cmake: allow multiple SSL backends
* system.h: fix for gcc on 32 bit OpenServer
* ConnectionExists: make sure conn->data is set when "taking" a connection
* multi: fix crash due to dangling entry in connect-pending list
* CURLOPT_SSL_VERIFYPEER.3: Add performance note
* netrc: use a larger buffer to support longer passwords
* url: check Curl_conncache_add_conn return code
* configure: Add dependent libraries after crypto
* easy_perform: faster local name resolves by using *multi_timeout()
* getnameinfo: not used, removed all configure checks
* travis: add a build using the synchronous name resolver
* CURLINFO_TLS_SSL_PTR.3: improve the example
* openssl: allow TLS 1.3 by default
* openssl: make the requested TLS version the *minimum* wanted
* openssl: Remove some dead code
* telnet: fix clang warnings
* DEPRECATE: new doc describing planned item removals
* example/crawler.c: simple crawler based on libxml2
* libssh: goto DISCONNECT state on error, not SESSION_FREE
* CMake: Remove unused functions
* darwinssl: allow High Sierra users to build the code using GCC
* scripts: include _curl as part of CLEANFILES
* examples: fix -Wformat warnings
* curl_setup: include <winerror.h> before <windows.h>
* schannel: make more cipher options conditional
* CMake: remove redundant and old end-of-block syntax
* post303.d: clarify that this is an RFC violation
- refreshed libcurl-ocloexec.patch
- dbus-1
-
- Sometimes unprivileged users were able to crash dbus-daemon
(CVE-2023-34969, bsc#1212126)
* fix-upstream-CVE-2023-34969.patch
- dbus-1-x11
-
- Sometimes unprivileged users were able to crash dbus-daemon
(CVE-2023-34969, bsc#1212126)
* fix-upstream-CVE-2023-34969.patch
- dmidecode
-
4 dependencies from upstream to be able to apply one more fix:
- util-dont-leak-a-file-descriptor-in-read_file.patch: If memory
allocation fails, we should close the file descriptor before
returning the error.
- util-let-callers-pass-an-offset-to-read_file.patch: Make the
read_file() function more versatile.
- dmidecode-fix-reading-from-smbios-3-dump-files.patch: Use the
sysfs code path when reading from a dump file, as the
requirements are similar.
- util-dont-close-the-same-file-descriptor-twice.patch: Close file
descriptor once and only once on error
Fix a potential regression:
- use-read_file-to-read-from-dump.patch: Fix an old harmless bug
which would prevent root from using the --from-dump option since
the latest security fixes (bsc#1210418).
Security fixes (CVE-2023-30630)
- dmidecode-split-table-fetching-from-decoding.patch: dmidecode:
Clean up function dmi_table so that it does only one thing
(bsc#1210418).
- dmidecode-write-the-whole-dump-file-at-once.patch: When option
--dump-bin is used, write the whole dump file at once, instead of
opening and closing the file separately for the table and then
for the entry point (bsc#1210418).
- dmidecode-do-not-let-dump-bin-overwrite-an-existing-file.patch:
Make sure that the file passed to option --dump-bin does not
already exist (bsc#1210418).
- ensure-dev-mem-is-a-character-device-file.patch: Add a safety
check on the type of the mem device file we are asked to read
from, if we are root (bsc#1210418).
4 dependencies from upstream to be able to apply the above fixes:
- avoid-sigbus-on-mmap-failure.patch: Prevent a crash when reading
non-existent portion of memory device file.
- fix-error-paths-in-mem_chunk.patch: Prevent a memory and file
descriptor leak.
- dmidecode-add-support-for-3-digit-versions.patch: Support
3-digit SMBIOS specification version comparison.
- dmidecode-only-scan-dev-mem-for-entry-point-on-x86.patch: Don't
attempt to read from /dev/mem on non-x86 systems.
6 recommended fixes from upstream:
- dmidecode-fortify-entry-point-length-checks.patch: Ensure that
the SMBIOS entry point is long enough to include all the fields
we need.
- dmidecode-fix-the-alignment-of-type-25-name.patch: Drop a stray
tabulation before the name of DMI record type 25.
- dmidecode-print-type-33-name-unconditionally.patch: Display the
name of DMI record type 33 even if we can't decode it.
- dmidecode-validate-structure-completeness-before-decoding.patch:
Ensure that the whole DMI structure fits in the announced table
length before performing any action on it.
- dmidecode-avoid-oob-read-on-invalid-entry-point-length.patch:
Don't let the entry point checksum verification run beyond the
end of the buffer holding it.
- dmioem-decode-hpe-uefi-type-219-misc-features.patch: Check the
correct bits to report UEFI support.
- docker
-
- update to 20.10.23-ce.
* see upstream changelog at https://docs.docker.com/engine/release-notes/#201023
- drop kubic flavor as kubic is EOL. this removes:
kubelet.env docker-kubic-service.conf 0003-PRIVATE-REGISTRY-add-private-registry-mirror-support.patch
- Update to Docker 20.10.21-ce. See upstream changelog online at
<https://docs.docker.com/engine/release-notes/#201021>. bsc#1206065
bsc#1205375 CVE-2022-36109
- Rebase patches:
* 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
* 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
* 0003-PRIVATE-REGISTRY-add-private-registry-mirror-support.patch
* 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
* 0005-bsc1183855-btrfs-Do-not-disable-quota-on-cleanup.patch
* 0006-bsc1193930-vendor-update-golang.org-x-crypto.patch
* 0007-bsc1200022-fifo.Close-prevent-possible-panic-if-fifo.patch
- The PRIVATE-REGISTRY patch will now output a warning if it is being used (in
preparation for removing the feature). This feature was never meant to be
used by users directly (and is only available in the -kubic/CaaSP version of
the package anyway) and thus should not affect any users.
- Fix wrong After: in docker.service, fixes bsc#1188447
- dracut
-
- fix(dracut): do not read /proc/modules to get the host modules (bsc#1210910)
* add 0634-fix-dracut-do-not-read-proc-modules-to-get-the-host-.patch
- fix handling of omit_dracutmodules parameter (bsc#1208929)
* add 0633-fix-dracut.sh-omission-is-an-addition-to-other-omiss.patch
- fonts-config
-
- get the homedir from getpwuid when no $ENV{"HOME"} set
- added patches
fix bsc#1210700
+ fonts-config-homedir-getpwuid.patch
- gcc12
-
- Update to GCC 12.3 release, 0c61aa720e62f1baf0bfd178e283, git1204
* includes regression bug fixes
- Add gcc12-testsuite-fixes.patch to pick testsuite related fixes
from the branch after the release.
- Speed up builds with --enable-link-serialization.
- Update to gcc-12 branch head, 193f7e62815b4089dfaed4c2bd3, git749
- Don't rely on %usrmerged, set it based on standard %suse_version
- Update to gcc-12 branch head, e4b5fec75aa8d0d01f6e042ec28, git696
* remove gcc12-fifo-jobserver-support.patch which is now
included upstream
- avoid trailing backslashes at the end of post install scripts
- Update to gcc-12 branch head, 0aaef83351473e8f4eb774f8f99, git537
- Update embedded newlib to version 4.2.0
* includes newlib-4.1.0-aligned_alloc.patch
- add gcc12-riscv-inline-atomics.patch,
gcc12-riscv-pthread.patch: handle subword size inline atomics
(needed by several openSUSE packages)
- glib2
-
- Update glib2-fix-normal-form-handling-in-gvariant.patch:
Backported from upstream to fix regression on s390x.
(bsc#1210135, glgo#GNOME/glib!2978)
- Add glib2-fix-normal-form-handling-in-gvariant.patch: Backported
from upstream to fix normal form handling in GVariant.
(CVE-2023-24593, CVE-2023-25180, bsc#1209714, bsc#1209713,
glgo#GNOME/glib!3125)
- grub2
-
- Fix error grub_file_filters not found in Azure virtual machine (bsc#1182012)
* 0001-Workaround-volatile-efi-boot-variable.patch
- Fix unknown filesystem error on disks with 4096 sector size (bsc#1207064)
(bsc#1209234)
* 0001-grub-core-modify-sector-by-sysfs-as-disk-sector.patch
- Fix installation over serial console ends up in infinite boot loop
(bsc#1187810) (bsc#1209667) (bsc#1209372)
* 0001-Fix-infinite-boot-loop-on-headless-system-in-qemu.patch
- Fix aarch64 kiwi image's file not found due to '/@' prepended to path in
btrfs filesystem. (bsc#1209165)
* grub2-btrfs-05-grub2-mkconfig.patch
- Make grub.cfg invariant to efi and legacy platforms (bsc#1205200)
- Removed patch linuxefi
* grub2-secureboot-provide-linuxefi-config.patch
* grub2-secureboot-use-linuxefi-on-uefi-in-os-prober.patch
* grub2-secureboot-use-linuxefi-on-uefi.patch
- Rediff
* grub2-btrfs-05-grub2-mkconfig.patch
* grub2-efi-xen-cmdline.patch
* grub2-s390x-05-grub2-mkconfig.patch
* grub2-suse-remove-linux-root-param.patch
- Make linuxefi default command as linux (bsc#1176134) (bsc#1202838)
* 0001-Fix-symbols-appearing-in-several-modules-in-linux.patch
* 0002-linux-fixup.patch
* 0003-cmdline-Provide-cmdline-functions-as-module.patch
* 0004-efi-linux-provide-linux-command.patch
- kernel-default
-
- ceph: fix use-after-free bug for inodes when flushing capsnaps
(bsc#1212938).
- commit e731236
- blacklist.conf: gcc 12 issue
- commit 612c29c
- blacklist.conf: cosmetic fix to suppress a compiler warning
- commit f46848d
- fs: ocfs2: fix a possible null-pointer dereference in
ocfs2_write_end_nolock() (git-fixes).
- commit ea30d59
- fs: ocfs2: fix a possible null-pointer dereference in
ocfs2_info_scan_inode_alloc() (git-fixes).
- commit 4a538d4
- ocfs2: fix non-auto defrag path not working issue (git-fixes).
- commit 28a9871
- ocfs2: fix defrag path triggering jbd2 ASSERT (git-fixes).
- commit 190f99a
- ocfs2: fix memory leak in ocfs2_stack_glue_init() (git-fixes).
- commit ac6dbde
- ocfs2: clear dinode links count in case of error (git-fixes).
- commit f1a97d4
- ocfs2: fix BUG when iput after ocfs2_mknod fails (git-fixes).
- commit e11f180
- ocfs2: dlmfs: fix error handling of user_dlm_destroy_lock
(git-fixes).
- commit 70db5f3
- ocfs2: fix a NULL pointer dereference when call
ocfs2_update_inode_fsync_trans() (git-fixes).
- commit f3e26c1
- ocfs2: call journal flush to mark journal as empty after
journal recovery when mount (git-fixes).
- commit d5a28a3
- ocfs2: clear zero in unaligned direct IO (git-fixes).
- commit 4189b4d
- ocfs2: wait for recovering done after direct unlock request
(git-fixes).
- commit b3e22bb
- ocfs2: remove set but not used variable 'last_hash' (git-fixes).
- commit d403713
- ocfs2: fix a panic problem caused by o2cb_ctl (git-fixes).
- commit b701b96
- ocfs2: don't clear bh uptodate for block read (git-fixes).
- commit 30ca2be
- ocfs2: clear journal dirty flag after shutdown journal
(git-fixes).
- commit ccfe523
- ocfs2: fix panic due to unrecovered local alloc (git-fixes).
- commit 007a17f
- ocfs2: fix potential use after free (git-fixes).
- commit 49406d3
- ocfs2: fix deadlock caused by ocfs2_defrag_extent() (git-fixes).
- commit f258e7d
- ocfs2: fix clusters leak in ocfs2_defrag_extent() (git-fixes).
- commit 01bc1d8
- ocfs2: don't put and assigning null to bh allocated outside
(git-fixes).
- commit 760bd24
- fs/ocfs2/dlm/dlmdebug.c: fix a sleep-in-atomic-context bug in
dlm_print_one_mle() (git-fixes).
- commit 01c2b72
- ocfs2: take inode cluster lock before moving reflinked inode
from orphan dir (git-fixes).
- commit 7e1768a
- ocfs2/dlm: don't handle migrate lockres if already in shutdown
(git-fixes).
- commit 04cf6d0
- ipvlan:Fix out-of-bounds caused by unclear skb->cb (bsc#1212842
CVE-2023-3090).
- commit bd94484
- btrfs: unset reloc control if transaction commit fails in
prepare_to_relocate() (bsc#1212051 CVE-2023-3111).
- commit 6726801
- kprobes: Fix to handle forcibly unoptimized kprobes on
freeing_list (git-fixes).
- commit 35c8c33
- kprobes: Fix check for probe enabled in kill_kprobe()
(git-fixes).
- commit a744c64
- HID: intel_ish-hid: Add check for ishtp_dma_tx_map (git-fixes
bsc#1212606 CVE-2023-3358).
- commit 448bfe3
- igb: fix nvm.ops.read() error handling (git-fixes).
- bnxt_en: Query default VLAN before VNIC setup on a VF
(git-fixes).
- igb: fix bit_shift to be in [1..8] range (git-fixes).
- ixgbe: Enable setting RSS table to default values (git-fixes).
- ixgbe: Allow flow hash to be set via ethtool (git-fixes).
- bnxt_en: Fix typo in PCI id to device description string mapping
(git-fixes).
- igbvf: Regard vf reset nack as success (git-fixes).
- intel/igbvf: free irq on the error path in igbvf_request_msix()
(git-fixes).
- igb: Enable SR-IOV after reinit (git-fixes).
- bnxt_en: Fix mqprio and XDP ring checking logic (git-fixes).
- ixgbe: fix pci device refcount leak (git-fixes).
- igb: Initialize mailbox message for VF reset (git-fixes).
- igb: Allocate MSI-X vector when testing (git-fixes).
- bnxt_en: Remove debugfs when pci_register_driver failed
(git-fixes).
- bnxt_en: fix potentially incorrect return value for
ndo_rx_flow_steer (git-fixes).
- ixgbe: stop resetting SYSTIME in ixgbe_ptp_start_cyclecounter
(git-fixes).
- bnxt_en: fix NQ resource accounting during vf creation on
57500 chips (git-fixes).
- igb: Add lock to avoid data race (git-fixes).
- ixgbe: Add locking to prevent panic when setting sriov_numvfs
to zero (git-fixes).
- bnxt_en: reclaim max resources if sriov enable fails
(git-fixes).
- igb: Make DMA faster when CPU is active on the PCIe link
(git-fixes).
- ixgbe: fix unexpected VLAN Rx in promisc mode on VF (git-fixes).
- ixgbe: fix bcast packets Rx on VF after promisc removal
(git-fixes).
- igb: skip phy status check where unavailable (git-fixes).
- dim: initialize all struct fields (bsc#1174852).
- ixgbe: ensure IPsec VF<->PF compatibility (git-fixes).
- igc: Fix BUG: scheduling while atomic (git-fixes).
- igc: Fix infinite loop in release_swfw_sync (git-fixes).
- ixgbe: don't reserve excessive XDP_PACKET_HEADROOM on XSK Rx
to skb (git-fixes).
- igc: igc_write_phy_reg_gpy: drop premature return (git-fixes).
- igc: igc_read_phy_reg_gpy: drop premature return (git-fixes).
- ixgbe: set X550 MDIO speed before talking to PHY (git-fixes).
- igbvf: fix double free in `igbvf_probe` (git-fixes).
- igb: fix netpoll exit with traffic (git-fixes).
- commit 34bf378
- powerpc/iommu: Limit number of TCEs to 512 for H_STUFF_TCE hcall
(bsc#1212701).
- commit 207c27c
- blacklist.conf: Add 3f5f766d5f7f powerpc64/bpf: Limit 'ldbrx' to processors compliant with ISA v2.06
- commit 1a3b374
- sched/core: Use smp_mb() in wake_woken_function() (git-fixes)
- commit 5df8049
- sched/fair: Fix util_avg of new tasks for asymmetric systems (git-fixes)
- commit 828ccf7
- net: ks8851: Dequeue RX packets explicitly (git-fixes).
- commit fe5ef52
- net: dev: Use unsigned integer as an argument to left-shift
(git-fixes).
- commit 0bf77d3
- net: set static variable an initial value in atl2_probe()
(git-fixes).
- commit 08dc41f
- net: thunderx: make CFG_DONE message to run through generic
send-ack sequence (git-fixes).
- commit dbc5a3f
- net: marvell: mvneta: fix DMA debug warning (git-fixes).
- commit c48f8b1
- l2tp: hold reference on tunnels printed in l2tp/tunnels debugfs
file (git-fixes).
- commit b182fac
- l2tp: hold reference on tunnels printed in pppol2tp proc file
(git-fixes).
- commit 1f7ac1f
- l2tp: hold reference on tunnels in netlink dumps (git-fixes).
- commit 9be2a0f
- ipv4: fix uninit-value in ip_route_output_key_hash_rcu()
(git-fixes).
- Refresh
patches.suse/ipv4-Return-ENETUNREACH-if-we-can-t-create-route-but.patch.
- commit ea68726
- netlabel: If PF_INET6, check sk_buff ip header version
(git-fixes).
- commit 058c41d
- blacklist.conf: renaming device
- commit 9dfee21
- blacklist.conf: cleanup; another dead reference
- commit 735761f
- blacklist.conf: kABI breakage; does not fix any bug
- commit 1276dc0
- usb: core: hub: disable autosuspend for TI TUSB8041 (git-fixes).
- commit 539dc8d
- put quirk_disable_autosuspend into a hole (git-fixes).
- commit d42a632
- USB: hub: Fix the broken detection of USB3 device in SMSC hub
(git-fixes).
- blacklist.conf: patch itself is useless, but needed as infrastructure
- commit f4a7f78
- USB: serial: option: add Quectel EM05-G (CS) modem (git-fixes).
- commit d8d554b
- netfilter: x_tables: add and use xt_check_proc_name (git-fixes).
- commit a579604
- blacklist.conf: update blacklist
- commit 1b6a52d
- s390/dasd: Use correct lock while counting channel queue length
(LTC#202775 bsc#1212443).
- commit c2ba548
- binfmt_elf: Take the mmap lock when walking the VMA list
(bsc#1209039 CVE-2023-1249).
- commit 6550df3
- relayfs: fix out-of-bounds access in relay_file_read
(bsc#1212502 CVE-2023-3268).
- kernel/relay.c: fix read_pos error when multiple readers
(bsc#1212502 CVE-2023-3268).
- commit f9dadc6
- bluetooth: Perform careful capability checks in hci_sock_ioctl()
(bsc#1210533 CVE-2023-2002).
- commit cb9bcb2
- media: dm1105: Fix use after free bug in dm1105_remove due to
race condition (bsc#1212501 CVE-2023-35824).
- commit a511fea
- x86/kprobes: Fix arch_check_optimized_kprobe check within
optimized_kprobe range (git-fixes).
- commit 261c02b
- e1000e: Disable TSO on i219-LM card to increase speed
(git-fixes).
- e1000e: Fix TX dispatch condition (git-fixes).
- net/mlx4: Check retval of mlx4_bitmap_init (git-fixes).
- net/mlx4_en: Fix wrong return value on ioctl EEPROM query
failure (git-fixes).
- e1000e: Fix possible overflow in LTR decoding (git-fixes).
- e1000e: Correct NVM checksum verification flow (git-fixes).
- net/mlx4_en: Fix an use-after-free bug in
mlx4_en_try_alloc_resources() (git-fixes).
- net/mlx4_en: Don't allow aRFS for encapsulated packets
(git-fixes).
- net/mlx4_en: Resolve bad operstate value (git-fixes).
- mlx5: count all link events (git-fixes).
- commit 084d4cc
- x86/kprobes: Fix __recover_optprobed_insn check optimizing logic
(git-fixes).
- commit 9ede6f6
- kprobes: Fix to check probe enabled before
disarm_kprobe_ftrace() (git-fixes).
- commit 0f174b4
- blacklist.conf: Add not needed kprobes fixes
- commit 9c2f070
- kprobes: Fix optimize_kprobe()/unoptimize_kprobe() cancellation
logic (git-fixes).
- commit 36f829b
- coda: fix build using bare-metal toolchain (git-fixes).
- commit 2df3146
- coda: add error handling for fget (git-fixes).
- commit c092001
- uapi linux/coda_psdev.h: move upc_req definition from uapi to
kernel side headers (git-fixes).
- commit 074a075
- coda: pass the host file in vma->vm_file on mmap (git-fixes).
- commit 728d4d8
- revert "squashfs: harden sanity check in
squashfs_read_xattr_id_table" (git-fixes).
- commit fc7c6f6
- hfs/hfsplus: avoid WARN_ON() for sanity check, use proper
error handling (git-fixes).
- commit e8ee0dd
- affs: initialize fsdata in affs_truncate() (git-fixes).
- commit f9e83d6
- fs/affs: release old buffer head on error path (git-fixes).
- commit b0b572b
- fs/ufs: avoid potential u32 multiplication overflow (git-fixes).
- commit a84c265
- fs/adfs: super: fix use-after-free bug (git-fixes).
- commit 02200da
- Drop a buggy dvb-core fix patch (bsc#1205758)
Also the kabi workaround is dropped, too
- commit 34f0c8e
- README.BRANCH: Add Miroslav Franc as a co-maintainer
- commit e545474
- README.BRANCH: Update the maintainer list
- commit 65a6ad8
- blacklist.conf: removes exported symbol
- commit 39cf0dc
- blacklist.conf: add git-fix not needed
- commit 50851fb
- kprobes: Prohibit probes in gate area (git-fixes).
- commit 4a73d55
- kprobes: don't call disarm_kprobe() for disabled kprobes
(git-fixes).
- commit 5cbfb40
- kprobes: Forbid probing on trampoline and BPF code areas
(git-fixes).
- commit 667fe1b
- samples/kretprobes: Fix return value if register_kretprobe()
failed (git-fixes).
- commit 5b1b600
- kprobes: Do not use local variable when creating debugfs file
(git-fixes).
- commit 7286e91
- usb: xhci: add XHCI_SPURIOUS_SUCCESS to ASM1042 despite being
a V0.96 controller.
- commit b40a0f8
- USB: serial: qcserial: add new usb-id for Dell branded EM7455
(git-fixes).
- commit ab28954
- kretprobe: Avoid re-registration of the same kretprobe earlier
(git-fixes).
- commit c2cc176
- USB: add RESET_RESUME quirk for NVIDIA Jetson devices in RCM
(git-fixes).
- commit 3561afe
- blacklist.conf: relevant only for kernel development
- commit 99f403c
- blacklist.conf: relevant only for kernel development
- commit 9c92369
- blacklist.conf: build fix irrelevant for us
- commit b9a3ab1
- blacklist.conf: build fix irrelevant for us
- commit 2f6b7fd
- blacklist.conf: only for kernel development
- commit cf47010
- blacklist.conf: relevant only for kernel development
- commit 1370701
- blacklist.conf: relevant only for kernel development
- commit f1f85a4
- blacklist.conf: unneeded build fix
- commit c531cca
- blacklist.conf: relevant only for kbuild irrelevant in the build system
- commit 1faed4b
- kprobes: fix kill kprobe which has been marked as gone
(git-fixes).
- commit 77940f3
- kprobes: Fix NULL pointer dereference at kprobe_ftrace_handler
(git-fixes).
- commit f08285c
- kprobes: Fix to protect kick_kprobe_optimizer() by kprobe_mutex
(git-fixes).
- commit 64b09f1
- kprobes: Set unoptimized flag after unoptimizing code
(git-fixes).
- commit e2d065d
- kprobes: Prohibit probing on BUG() and WARN() address
(git-fixes).
- commit 0a4ad8b
- kprobes: Fix error check when reusing optimized probes
(git-fixes).
- commit 11aecb3
- kprobes: Remove pointless BUG_ON() from reuse_unused_kprobe()
(git-fixes).
- Refresh
patches.suse/kprobes-Return-error-if-we-fail-to-reuse-kprobe-inst.patch.
- commit 1fb5f11
- kprobes: Don't call BUG_ON() if there is a kprobe in use on
free list (git-fixes).
- commit e0562e5
- kprobes: Use synchronize_rcu_tasks() for optprobe with
CONFIG_PREEMPT=y (git-fixes).
- commit 32c4978
- blacklist.conf: Add more powerpc unsupported platform paths
- commit 80240fd
- s390/dasd: fix no record found for raw_track_access (git-fixes
bsc#1212266).
- commit 9377e38
- blacklist.conf: just a cleanup, potential dead reference won't break anything
- commit ae3248a
- scsi: lpfc: Fix ioremap issues in lpfc_sli4_pci_mem_setup()
(git-fixes).
- scsi: megaraid: Fix mega_cmd_done() CMDID_INT_CMDS (git-fixes).
- scsi: core: Improve scsi_vpd_inquiry() checks (git-fixes).
- scsi: megaraid_sas: Fix crash after a double completion
(git-fixes).
- scsi: megaraid_sas: Fix fw_crash_buffer_show() (git-fixes).
- scsi: scsi_dh_alua: Fix memleak for 'qdata' in alua_activate()
(git-fixes).
- scsi: core: Add BLIST_SKIP_VPD_PAGES for SKhynix H28U74301AMR
(git-fixes).
- scsi: mpt3sas: Fix NULL pointer access in
mpt3sas_transport_port_add() (git-fixes).
- scsi: core: Remove the /proc/scsi/${proc_name} directory earlier
(git-fixes).
- scsi: ipr: Work around fortify-string warning (git-fixes).
- scsi: ses: Don't attach if enclosure has no components
(git-fixes).
- scsi: ses: Fix slab-out-of-bounds in ses_intf_remove()
(git-fixes).
- scsi: ses: Fix possible desc_ptr out-of-bounds accesses
(git-fixes).
- scsi: ses: Fix possible addl_desc_ptr out-of-bounds accesses
(git-fixes).
- scsi: ses: Fix slab-out-of-bounds in
ses_enclosure_data_process() (git-fixes).
- scsi: aic94xx: Add missing check for dma_map_single()
(git-fixes).
- scsi: mpt3sas: Fix a memory leak (git-fixes).
- scsi: libsas: Remove useless dev_list delete in
sas_ex_discover_end_dev() (git-fixes).
- commit 9bcdcf3
- s390/kasan: avoid vdso instrumentation (git-fixes bsc#1212244).
- commit e08fb9a
- CDC-NCM: avoid overflow in sanity checking (git-fixes).
- commit c5a973e
- net: fec: fix rare tx timeout (git-fixes).
- commit 8adec9a
- net: macb: Clean 64b dma addresses if they are not detected
(git-fixes).
- commit 889275f
- scsi: zfcp: assert that the ERP lock is held when tracing a
recovery trigger (git-fixes bsc#1212240).
- commit eb171ad
- openvswitch: fix linking without CONFIG_NF_CONNTRACK_LABELS
(git-fixes).
- commit 444e066
- net: fix warning in af_unix (git-fixes).
- commit a389e79
- blacklist.conf: blacklist MDIO_BCM_UNIMAC
- commit 62fb3cf
- s390/smsgiucv: disable SMSG on module unload (git-fixes
bsc#1212236).
- commit 1cef259
- net: usb: qmi_wwan: Set DTR quirk for BroadMobi BM818
(git-fixes).
- commit e119b8c
- net: cdc_ncm: Deal with too low values of dwNtbOutMaxSize
(git-fixes).
- commit cb1afd9
- xfrm: Refuse to insert 32 bit userspace socket policies on 64
bit systems (git-fixes).
- commit 413544a
- net: cdc_ncm: remove set but not used variable 'ctx'
(git-fixes).
- commit 0867b66
- blacklist.conf: update blacklist
- commit 7a1167e
- net/usb/drivers: Remove useless hrtimer_active check
(git-fixes).
- commit 5dc6e54
- fs: sysv: Fix sysv_nblocks() returns wrong value (git-fixes).
- commit d94e079
- s390/ctcm: Fix return type of ctc{mp,}m_tx() (git-fixes
bsc#1212185).
- commit 4d63d84
- fbcon: Check font dimension limits (CVE-2023-3161 bsc#1212154).
- commit 481687d
- s390/netiucv: Fix return type of netiucv_tx() (git-fixes
bsc#1212175).
- commit 8055c39
- s390/lcs: Fix return type of lcs_start_xmit() (git-fixes
bsc#1212173).
- commit bb085e1
- Move setting %%build_html to config.sh
- commit 647b21a
- s390/kprobes: fix irq mask clobbering on kprobe reenter from
post_handler (git-fixes bsc#1212170).
- commit 21760dd
- xfs: fix rm_offset flag handling in rmap keys (git-fixes).
- commit 09f5a59
- Squashfs: fix handling and sanity checking of xattr_ids count
(git-fixes).
- commit 78ee867
- squashfs: harden sanity check in squashfs_read_xattr_id_table
(git-fixes).
- commit 006d643
- fs: hfsplus: fix UAF issue in hfsplus_put_super (git-fixes).
- commit 4693a49
- hfs: fix missing hfs_bnode_get() in __hfs_bnode_create
(git-fixes).
- commit 6189e17
- hfsplus: fix bug causing custom uid and gid being unable to
be assigned with mount (git-fixes).
- commit 3226ad8
- s390/kprobes: fix current_kprobe never cleared after kprobes
reenter (git-fixes bsc#1212167).
- commit 94cf46f
- hfs: Fix OOB Write in hfs_asc2mac (git-fixes).
- commit 5986c8d
- hfs: fix OOB Read in __hfs_brec_find (git-fixes).
- commit f70b4c6
- hfs/hfsplus: use WARN_ON for sanity check (git-fixes).
- commit 1caaab9
- hfs: add lock nesting notation to hfs_find_init (git-fixes).
- commit 37dff28
- hfs: fix high memory mapping in hfs_bnode_read (git-fixes).
- commit ae9031e
- hfs: add missing clean-up in hfs_fill_super (git-fixes).
- commit cc1fbe6
- hfsplus: fix crash and filesystem corruption when deleting files
(git-fixes).
- commit 3526c58
- fs/hfs/extent.c: fix array out of bounds read of array extent
(git-fixes).
- commit 5ff3c8a
- hfs: update timestamp on truncate() (git-fixes).
- commit f4e5f42
- hfsplus: update timestamps on truncate() (git-fixes).
- commit 5f7a4bc
- hfs: fix return value of hfs_get_block() (git-fixes).
- commit aa4ce83
- hfsplus: fix return value of hfsplus_get_block() (git-fixes).
- commit 1500cd0
- hfs: prevent btree data loss on ENOSPC (git-fixes).
- commit b6da074
- hfsplus: prevent btree data loss on ENOSPC (git-fixes).
- commit efe705c
- hfs: fix BUG on bnode parent update (git-fixes).
- commit e3129f2
- hfsplus: fix BUG on bnode parent update (git-fixes).
- commit ecc193f
- sysv: use BUILD_BUG_ON instead of runtime check (git-fixes).
- commit 33448c7
- reiserfs: Add security prefix to xattr name in
reiserfs_security_write() (git-fixes).
- commit 381baa2
- reiserfs: Add missing calls to reiserfs_security_free()
(git-fixes).
- commit 894cdec
- reiserfs: check directory items on read from disk (git-fixes).
- commit c73d26d
- reiserfs: add check for root_inode in reiserfs_fill_super
(git-fixes).
- commit 0112af8
- reiserfs: add check for invalid 1st journal block (git-fixes).
- commit 9fe53c4
- reiserfs: only call unlock_new_inode() if I_NEW (git-fixes).
- commit fdc0c7c
- reiserfs: Fix memory leak in reiserfs_parse_options()
(git-fixes).
- commit eda67ce
- reiserfs: prevent NULL pointer dereference in
reiserfs_insert_item() (git-fixes).
- commit 922f823
- reiserfs: propagate errors from fill_with_dentries() properly
(git-fixes).
- commit 529b15f
- reiserfs: change j_timestamp type to time64_t (git-fixes).
- commit 982e84f
- memstick: r592: Fix UAF bug in r592_remove due to race condition
(CVE-2023-3141 bsc#1212129 bsc#1211449).
- commit 77b88e9
- firewire: fix potential uaf in outbound_phy_packet_callback()
(CVE-2023-3159 bsc#1212128).
- commit f62d406
- s390/dasd: fix hanging blockdevice after request requeue
(git-fixes bsc#1212165).
- commit 2203987
- s390/qdio: fix do_sqbs() inline assembly constraint (git-fixes
bsc#1212164).
- commit e732a7c
- Fix missing top level chapter numbers on SLE12 SP5 (bsc#1212158).
- commit 7ebcbd5
- Refresh
patches.suse/0001-mm-mempolicy-make-mbind-return-EIO-when-MPOL_MF_STRI.patch.
fix the second instance of incorrect MPOL_MF_STRICT check.
- commit 47debde
- PCI: Add PCI_EXP_DEVCTL_PAYLOAD_* macros (git-fixes).
- commit dd4da3b
- Refresh
patches.suse/ipmi-fix-initialization-when-workqueue-allocation-fa.patch.
Delete also the out: label. Upstream still has users for that label.
Unlike we.
Fixes:
drivers/char/ipmi/ipmi_msghandler.c:5366:1: error: label ‘out’ defined but not used
- commit 05b72bb
- wcn36xx: Fix max channels retrieval (gcc-warning-fixes).
Fixes:
drivers/net/wireless/ath/wcn36xx/smd.c: In function ‘wcn36xx_smd_update_channel_list’:
./include/linux/kernel.h:785:12: error: large integer implicitly truncated to unsigned type
- commit 6bbb096
- Refresh
patches.suse/btrfs-remove-nr_async_submits-and-async_submit_draining.patch.
Fix compiler warning:
fs/btrfs/disk-io.c:815:6: error: unused variable ‘limit’
The upstream patch removes 'limit' too, so follow that up.
- commit 45d33ba
- Refresh
patches.suse/0001-memcg-kmem-further-deprecate-kmem.limit_in_bytes.patch.
Drop memcg_update_kmem_limit() as it is unused now and the compiler
complains:
mm/memcontrol.c:2972:12: error: ‘memcg_update_kmem_limit’ defined but not used
This is done in the upstream patch too.
- commit 660e644
- Move setting %%split_optional to config.sh
- commit 8b0828d
- Refresh
patches.suse/0001-mm-mempolicy-make-mbind-return-EIO-when-MPOL_MF_STRI.patch.
Fix the MPOL_MF_STRICT condition (noticed by Jiri Slaby)
- commit b6b86f2
- Move setting %%supported_modules_check to config.sh
- commit 494d3df
- PCI: pciehp: Clear cmd_busy bit in polling mode (git-fixes).
- PCI: aardvark: Clear all MSIs at setup (git-fixes).
- PCI: pciehp: Fix infinite loop in IRQ handler upon power fault
(git-fixes).
- PCI/MSI: Fix pci_irq_vector()/pci_irq_get_affinity()
(git-fixes).
- PCI/MSI: Clear PCI_MSIX_FLAGS_MASKALL on error (git-fixes).
- PCI/MSI: Mask MSI-X vectors only on success (git-fixes).
- PCI/MSI: Destroy sysfs before freeing entries (git-fixes).
- PCI: aardvark: Read all 16-bits from PCIE_MSI_PAYLOAD_REG
(git-fixes).
- PCI: aardvark: Fix return value of MSI domain .alloc() method
(git-fixes).
- PCI: aardvark: Do not unmask unused interrupts (git-fixes).
- PCI: aardvark: Do not clear status bits of masked interrupts
(git-fixes).
- commit fd8f739
- rpm/kernel-docs.spec.in: pass PYTHON=python3 to fix build error (bsc#1160435)
- commit 799f050
- PCI: aardvark: Replace custom macros by standard
linux/pci_regs.h macros (git-fixes).
- Refresh
patches.suse/PCI-aardvark-Fix-PCIe-Max-Payload-Size-setting.patch.
- blacklist.conf: remove it from there
While it's a cleanup, it's a prerequisite for the following patches.
- commit 4ef2916
- blacklist.conf: add some PCI git-fixes
- commit dcca97f
- rpm/kernel-binary.spec.in: Fix compatibility with newer rpm
- commit 334fb4d
- net: hisilicon: Fix "Trying to free already-free IRQ"
(git-fixes).
- commit 997c2f2
- qed: Add cleanup in qed_slowpath_start() (git-fixes).
- commit 912dd32
- net: myri10ge: fix memory leaks (git-fixes).
- commit 47340d2
- cxgb4: fix a memory leak bug (git-fixes).
- commit 3c000ae
- net: cxgb3_main: Fix a resource leak in a error path in
'init_one()' (git-fixes).
- commit e158810
- net/ethernet/qlogic/qed: force the string buffer NULL-terminated
(git-fixes).
- commit 4ba9e6b
- qed: RDMA - Fix the hw_ver returned in device attributes
(git-fixes).
- commit 410eb8e
- blacklist.conf: update blacklist
- commit 2c3f74d
- ixgbe: Check DDM existence in transceiver before access
(git-fixes).
- commit 510e134
- net: axienet: Fix race condition causing TX hang (git-fixes).
- commit e7cf2ee
- bnx2x: Check if transceiver implements DDM before access
(git-fixes).
- commit c586a4b
- sched/rt: pick_next_rt_entity(): check list_entry (bsc#1208600 CVE-2023-1077)
- commit 6b28935
- Also include kernel-docs build requirements for ALP
- commit 114d088
- Move the kernel-binary conflicts out of the spec file.
This list of conflicting packages varies per release.
To reduce merge conflicts move the list out of the spec file.
- commit 4d81125
- Avoid unsupported tar parameter on SLE12
- commit 2b8c97b
- usb: xhci: rework grace period logic (git-fixes).
- commit 0d7b2a3
- xhci: Add grace period after xHC start to prevent premature
runtime suspend (git-fixes).
- commit 7c3b440
- Move obsolete KMP list into a separate file.
The list of obsoleted KMPs varies per release, move it out of the spec
file.
- commit 016bc55
- Trim obsolete KMP list.
SLE11 is out of support, we do not need to handle upgrading from SLE11
SP1.
- commit 08819bb
- powerpc/64s/radix: Fix soft dirty tracking (bsc#1065729).
- commit ad0e3ea
- Generalize kernel-doc build requirements.
- commit 23b058f
- kernel-binary: Add back kernel-default-base guarded by option
Add configsh option for splitting off kernel-default-base, and for
not signing the kernel on non-efi
- commit 8ad6a28
- gve: Remove the code of clearing PBA bit (bsc#1211519).
- gve: Secure enough bytes in the first TX desc for all TCP pkts
(bsc#1211519).
- gve: Cache link_speed value from device (bsc#1211519).
- gve: Handle alternate miss completions (bsc#1211519).
- gve: Adding a new AdminQ command to verify driver (bsc#1211519).
- gve: Fix error return code in gve_prefill_rx_pages()
(bsc#1211519).
- gve: Reduce alloc and copy costs in the GQ rx path
(bsc#1211519).
- gve: Fix GFP flags when allocing pages (bsc#1211519).
- google/gve:fix repeated words in comments (bsc#1211519).
- gve: Fix spelling mistake "droping" -> "dropping" (bsc#1211519).
- gve: enhance no queue page list detection (bsc#1211519).
- commit cda49a1
- usb: idmouse: fix an uninit-value in idmouse_open (git-fixes).
- commit e7f1d31
- net: stmmac: don't log oversized frames (git-fixes).
- commit 02a1ae5
- net: stmmac: fix dropping of multi-descriptor RX frames
(git-fixes).
- commit 0c5e8a5
- bonding: show full hw address in sysfs for slave entries
(git-fixes).
- commit 4640084
- net: ibm: fix possible object reference leak (git-fixes).
- commit 2cab0bb
- net: hns: Fix wrong read accesses via Clause 45 MDIO protocol
(git-fixes).
- commit 1cfa1c0
- net: altera_tse: fix msgdma_tx_completion on non-zero fill_level
case (git-fixes).
- commit 82bd47b
- sfc: suppress duplicate nvmem partition types in
efx_ef10_mtd_probe (git-fixes).
- commit 17c6719
- net: altera_tse: fix connect_local_phy error path (git-fixes).
- commit da2fa27
- blacklist.conf: add FSL_UCC_HDLC
- commit cbbd4dd
- net/mlx4_core: Fix return codes of unsupported operations
(git-fixes).
- commit b2c5ba8
- vrf: mark skb for multicast or link-local as enslaved to VRF
(git-fixes).
- commit 9630bdb
- net: dsa: bcm_sf2: Turn on PHY to allow successful registration
(git-fixes).
- commit 00680d2
- net: netxen: fix a missing check and an uninitialized use
(git-fixes).
- commit 76249f8
- net: hisilicon: remove unexpected free_netdev (git-fixes).
- commit fc72200
- net: amd: add missing of_node_put() (git-fixes).
- commit 72cfaff
- blacklist.conf: add faraday network driver
- commit 8453351
- net: faraday: fix return type of ndo_start_xmit function
(git-fixes).
- commit 079382e
- net: smsc: fix return type of ndo_start_xmit function
(git-fixes).
- commit 56bd9aa
- net: micrel: fix return type of ndo_start_xmit function
(git-fixes).
- commit 96160a1
- net: sun: fix return type of ndo_start_xmit function
(git-fixes).
- commit 59f94b5
- net: broadcom: fix return type of ndo_start_xmit function
(git-fixes).
- commit 77fb78e
- net: xilinx: fix return type of ndo_start_xmit function
(git-fixes).
- commit 80ef560
- net: toshiba: fix return type of ndo_start_xmit function
(git-fixes).
- commit dbdb0d6
- net: hns3: fix return type of ndo_start_xmit function
(git-fixes).
- commit 5ba4bbc
- net: qla3xxx: Remove overflowing shift statement (git-fixes).
- commit 7055766
- blacklist.conf: update blacklist
- commit 804cac4
- blacklist.conf: Add 4ef0c5c6b5ba kernel/sched: Fix sched_fork() access an invalid sched_task_group
- commit 5d65c2b
- cifs: prevent infinite recursion in CIFSGetDFSRefer()
(bsc#1190317).
- commit 8982556
- netfilter: ebtables: convert BUG_ONs to WARN_ONs (git-fixes).
- commit 5f3d85f
- netfilter: ipt_CLUSTERIP: put config instead of freeing it
(git-fixes).
- commit 87f8afc
- netfilter: ipt_CLUSTERIP: put config struct if we can't
increment ct refcount (git-fixes).
- commit e675512
- net/tcp/illinois: replace broken algorithm reference link
(git-fixes).
- commit 1264c76
- sit: fix IFLA_MTU ignored on NEWLINK (git-fixes).
- commit 05e5b1a
- ip6_tunnel: fix IFLA_MTU ignored on NEWLINK (git-fixes).
- commit 678863c
- RDS: IB: Fix null pointer issue (git-fixes).
- commit 85f4095
- l2tp: remove l2specific_len dependency in l2tp_core (git-fixes).
- Refresh
patches.suse/l2tp-fix-reading-optional-fields-of-L2TPv3.patch.
- commit 80db1e0
- l2tp: remove configurable payload offset (git-fixes).
- Refresh
patches.suse/l2tp-reject-creation-of-non-PPP-sessions-on-L2TPv2-t.patch.
- commit e4e115d
- rds; Reset rs->rs_bound_addr in rds_add_bound() failure path
(git-fixes).
- commit 2b478a1
- net: xfrm: allow clearing socket xfrm policies (git-fixes).
- commit cb50bb2
- sctp: avoid flushing unsent queue when doing asoc reset
(git-fixes).
- commit 271642c
- blacklist: add nvme fabrics git-fixes
The whole nvme fabrics part is missing fundamental changes which will
not be backported. Don't bother to port git-fixes for this part.
- commit f524f37
- blacklist.conf: update blacklist
- commit ec49bac
- blacklist.conf: add net/caif
- commit 7907ff7
- nvme-pci: fix a NULL pointer dereference in
nvme_alloc_admin_tags (git-fixes).
- nvme-pci: avoid the deepest sleep state on Kingston A2000 SSDs
(git-fixes).
- nvme: free sq/cq dbbuf pointers when dbbuf set fails
(git-fixes).
- nvme: refine the Qemu Identify CNS quirk (git-fixes).
- nvme: Fix u32 overflow in the number of namespace list
calculation (git-fixes).
- nvme: remove the ifdef around nvme_nvm_ioctl (git-fixes).
- nvme-pci: unquiesce admin queue on shutdown (git-fixes).
- nvme-pci: use the same attributes when freeing
host_mem_desc_bufs (git-fixes).
- commit f8a43a3
- Drivers: hv: vmbus: Optimize vmbus_on_event (bsc#1211622).
- scsi: storvsc: Parameterize number hardware queues
(bsc#1211622).
- commit f58838c
- scsi: qla2xxx: Replace all non-returning strlcpy() with
strscpy() (bsc#1211960).
- scsi: qla2xxx: Update version to 10.02.08.300-k (bsc#1211960).
- scsi: qla2xxx: Wait for io return on terminate rport
(bsc#1211960).
- scsi: qla2xxx: Fix mem access after free (bsc#1211960).
- scsi: qla2xxx: Fix hang in task management (bsc#1211960).
- scsi: qla2xxx: Fix task management cmd fail due to unavailable
resource (bsc#1211960).
- scsi: qla2xxx: Fix task management cmd failure (bsc#1211960).
- scsi: qla2xxx: Multi-que support for TMF (bsc#1211960).
- scsi: qla2xxx: Declare SCSI host template const (bsc#1211960).
- scsi: qla2xxx: Refer directly to the qla2xxx_driver_template
(bsc#1211960).
- scsi: qla2xxx: Remove default fabric ops callouts (bsc#1211960).
- scsi: qla2xxx: Drop redundant pci_enable_pcie_error_reporting()
(bsc#1211960).
- commit 875f923
- kcm: Check if sk_user_data already set in kcm_attach
(git-fixes).
- Refresh patches.suse/kcm-lock-lower-socket-in-kcm_attach.patch.
- commit 796ddfc
- ip6_tunnel: allow ip6gre dev mtu to be set below 1280
(git-fixes).
- Refresh
patches.suse/ip6_tunnel-remove-magic-mtu-value-0xFFF8.patch.
- commit 9359f96
- xfrm: Fix stack-out-of-bounds with misconfigured transport
mode policies (git-fixes).
- commit a397dd8
- sctp: fix the issue that a __u16 variable may overflow in
sctp_ulpq_renege (git-fixes).
- Refresh
patches.suse/sctp-implement-memory-accounting-on-rx-path.patch.
- commit dfdadd9
- fix kcm_clone() (git-fixes).
- Refresh
patches.suse/kcm-Fix-use-after-free-caused-by-clonned-sockets.patch.
- commit ff3266d
- blacklist.conf: update blacklist
- commit 6559dbc
- usrmerge: Compatibility with earlier rpm (boo#1211796)
- commit 2191d32
- Fix usrmerge error (boo#1211796)
- commit da84579
- s390/uaccess: add missing earlyclobber annotations to __clear_user()
(LTC#202116 bsc#1209857 git-fixes).
- commit 466ebf1
- media: radio-shark: Add endpoint checks (git-fixes).
- commit 645a65c
- USB: sisusbvga: Add endpoint checks (git-fixes).
- commit 0086804
- USB: core: Add routines for endpoint checks in old drivers
(git-fixes).
- commit 9b3a4b6
- mac80211: drop multicast fragments (git-fixes).
- Refresh patches.kabi/cfg80211-kabi-workaround.patch.
- Refresh
patches.suse/mac80211-add-fragment-cache-to-sta_info.patch.
- commit dcf3ad7
- mac80211: choose first enabled channel for monitor (git-fixes).
- commit 9005ef1
- mac80211: pause TX while changing interface type (git-fixes).
- commit 2e9a9ca
- IB/mlx5: Fix initializing CQ fragments buffer (git-fixes)
- commit ab52722
- RDMA/core: Don't access cm_id after its destruction (git-fixes)
- commit 3e6a35e
- mac80211: fix fast-rx encryption check (git-fixes).
- commit 6dc3740
- blacklist.conf: breaks kABI in a pretty unfixable way
- commit f0b7d32
- RDMa/mthca: Work around -Wenum-conversion warning (git-fixes)
- commit 4ec5513
- RDMA/bnxt_re: Restrict the max_gids to 256 (git-fixes)
- commit 45f80d9
- RDMA/hns: Bugfix for querying qkey (git-fixes)
- commit 916464c
- RDMA/mlx5: Block delay drop to unprivileged users (git-fixes)
- commit b67e136
- IB/rdmavt: Add __init/__exit annotations to module init/exit funcs (git-fixes)
- commit aef401f
- RDMA/usnic: fix set-but-not-unused variable 'flags' warning (git-fixes)
- commit 410f136
- RDMA/mlx4: Prevent shift wrapping in set_user_sq_size() (git-fixes)
- commit 08b691c
- IB/hfi1: Assign npages earlier (git-fixes)
- commit 94a7a3d
- RDMA/srp: Move large values to a new enum for gcc13 (git-fixes)
- commit 21e4838
- RDMA/hfi1: Prevent panic when SDMA is disabled (git-fixes)
- commit 69d046f
- RDMA/cma: Fix rdma_resolve_route() memory leak (git-fixes)
- commit ebc12ea
- RDMA/cxgb4: Fix missing error code in create_qp() (git-fixes)
- commit 16a901d
- RDMA/rxe: Fix error type of mmap_offset (git-fixes)
- commit 78c6be8
- RDMA/iw_cgxb4: Fix an error handling path in 'c4iw_connect()' (git-fixes)
- commit a8ed0c1
- RDMA/i40iw: Fix potential use after free (git-fixes)
- commit 078387e
- IB/iser: bound protection_sg size by data_sg size (git-fixes)
- commit c6057ed
- IB/mlx4: Fix memory leaks (git-fixes)
- commit 93dc3d9
- ipoib: correcly show a VF hardware address (git-fixes)
- commit b86fe95
- IB/mlx4: Increase the timeout for CM cache (git-fixes)
- commit bd695fb
- IB/usnic: Fix potential deadlock (git-fixes)
- commit 7517110
- RDMA/srp: Propagate ib_post_send() failures to the SCSI mid-layer (git-fixes)
- commit ce8a13e
- mlx4: Use snprintf instead of complicated strcpy (git-fixes)
- commit 8357ea9
- rxe: IB_WR_REG_MR does not capture MR's iova field (git-fixes)
- commit 737703b
- RDMA/cma: Do not change route.addr.src_addr.ss_family (git-fixes)
- commit 0f21ca2
- Update References
patches.suse/x86-speculation-restore-speculation-related-msrs-during-s3-resume.patch
(bsc#1198400 bsc#1209779 CVE-2023-1637).
- commit 8e47860
- smb3: fix problem remounting a share after shutdown
(bsc#1190317).
- commit faae71e
- seccomp: Set PF_SUPERPRIV when checking capability (git-fixes
bsc#1211816).
- commit f8e3006
- dm ioctl: fix nested locking in table_clear() to remove deadlock
concern (bsc#1210806, CVE-2023-2269).
- commit e962c83
- tcp: Fix data races around icsk->icsk_af_ops (bsc#1204405
CVE-2022-3566).
- commit 75b4182
- blacklist.conf: Add 9fc9e278a5c0 panic: Introduce warn_limit
- commit 43ad239
- blacklist.conf: Add 659c0ce1cb9e kernel/sys.c: fix and improve control flow in __sys_setres[ug]id()
- commit 28b437a
- Remove usrmerge compatibility symlink in buildroot (boo#1211796)
Besides Makefile depmod.sh needs to be patched to prefix /lib/modules.
Requires corresponding patch to kmod.
- commit b8e00c5
- ceph: force updating the msg pointer in non-split case
(bsc#1211801).
- commit ebc5c5b
- cifs_atomic_open(): fix double-put on late allocation failure
(bsc#1190317).
- commit 9b4a498
- CIFS: Spelling s/EACCESS/EACCES/ (bsc#1190317).
- Refresh
patches.suse/cifs-remove-various-function-description-warnings.patch.
- commit 154e2e3
- smb3: fix temporary data corruption in collapse range
(bsc#1190317).
- commit 48c460b
- smb3: fix temporary data corruption in insert range
(bsc#1190317).
- commit 6225020
- blacklist.conf: Append 'Revert "fbcon: don't lose the console font across generic->chip driver switch"'
- commit 0b0664b
- fbcon: Check font dimension limits (bsc#1154048)
Changes:
* rename drivers/video/fbdev/core to drivers/video/console
- commit 2e6300a
- fbdev: uvesafb: Fixes an error handling path in uvesafb_probe() (bsc#1154048)
- commit 7a7fe7f
- backlight: lm3630a: Fix return code of .update_status() callback (bsc#1129770)
- commit 65a9461
- blacklist.conf: Append 'fbdev: udlfb: Fix endpoint check'
- commit c71f23c
- blacklist.conf: Append 'fbdev: arcfb: Fix error handling in arcfb_probe()'
- commit 3b8befa
- blacklist.conf: Append 'fbdev: au1200fb: Fix potential divide by zero'
- commit 99bcf68
- blacklist.conf: Append 'fbdev: lxfb: Fix potential divide by zero'
- commit 29ac883
- blacklist.conf: Append 'fbdev: intelfb: Fix potential divide by zero'
- commit c54aef0
- blacklist.conf: Append 'fbdev: nvidia: Fix potential divide by zero'
- commit 0180fb8
- blacklist.conf: Append 'fbdev: stifb: Provide valid pixelclock and add fb_check_var() checks'
- commit 7424f1a
- blacklist.conf: Append 'fbdev: tgafb: Fix potential divide by zero'
- commit 3dfd2f8
- blacklist.conf: Append 'fbdev: omapfb: cleanup inconsistent indentation'
- commit e6f26fa
- blacklist.conf: Append 'fbdev: vermilion: decrease reference count in error path'
- commit bfe058e
- blacklist.conf: Append 'fbdev: via: Fix error in via_core_init()'
- commit 47cb95a
- blacklist.conf: Append 'fbdev: pm2fb: fix missing pci_disable_device()'
- commit 5d257c9
- blacklist.conf: Append 'fbdev: ssd1307fb: Drop optional dependency'
- commit 6cbf42c
- blacklist.conf: Append 'fbdev: cyber2000fb: fix missing pci_disable_device()'
- commit 06f0770
- blacklist.conf: Append 'fbdev: smscufx: Fix several use-after-free bugs'
- commit 62a32ff
- blacklist.conf: Append 'parisc: fbdev/stifb: Align graphics memory size to 4MB'
- commit 22da2c5
- blacklist.conf: Append 'fbdev: smscufx: Fix use-after-free in ufx_ops_open()'
- commit 02b683d
- blacklist.conf: Append 'fbdev: chipsfb: Add missing pci_disable_device() in chipsfb_pci_init()'
- commit 489652a
- blacklist.conf: Append 'video: fbdev: i740fb: Check the argument of i740_calc_vclk()'
- commit c7b03dd
- blacklist.conf: Append 'video: fbdev: pxa3xx-gcu: Fix integer overflow in pxa3xx_gcu_write'
- commit ccb235b
- blacklist.conf: Append 'video: fbdev: pxa3xx-gcu: release the resources correctly in pxa3xx_gcu_probe/remove()'
- commit 9dffdbd
- blacklist.conf: Append 'video: fbdev: sm712fb: Fix crash in smtcfb_write()'
- commit d1847f5
- blacklist.conf: Append 'video: fbdev: omapfb: panel-tpo-td043mtea1: Use sysfs_emit() instead of snprintf()'
- commit ac6af46
- blacklist.conf: Append 'video: fbdev: omapfb: panel-dsi-cm: Use sysfs_emit() instead of snprintf()'
- commit 5a2e2fe
- blacklist.conf: Append 'video: fbdev: omapfb: acx565akm: replace snprintf with sysfs_emit'
- commit 9966c33
- blacklist.conf: Append 'video: fbdev: cirrusfb: check pixclock to avoid divide by zero'
- commit 9b4a739
- blacklist.conf: Append 'video: fbdev: w100fb: Reset global state'
- commit 8c331fe
- blacklist.conf: Append 'video: fbdev: nvidiafb: Use strscpy() to prevent buffer overflow'
- commit e521feb
- blacklist.conf: Append 'video: fbdev: riva: Error out if 'pixclock' equals zero'
- commit cd1778b
- blacklist.conf: Append 'video: fbdev: kyro: Error out if 'pixclock' equals zero'
- commit e680120
- blacklist.conf: Append 'video: fbdev: asiliantfb: Error out if 'pixclock' equals zero'
- commit 4eef362
- blacklist.conf: Append 'video: fbdev: kyro: fix a DoS bug by restricting user input'
- commit 4dfa6f9
- cifs: fix confusing debug message (bsc#1190317).
- commit 5e1a930
- cifs: Fix uninitialized memory read for smb311 posix symlink
create (bsc#1190317).
- Refresh
patches.suse/cifs-Fix-uninitialized-memory-reads-for-oparms-mode.patch.
- commit 853e32c
- cifs: fix DFS traversal oops without CONFIG_CIFS_DFS_UPCALL
(bsc#1190317).
- commit 4ae057c
- cifs: sanitize paths in cifs_update_super_prepath (bsc#1190317).
- commit 17664dd
- cifs: fix pcchunk length type in smb2_copychunk_range
(bsc#1190317).
- commit 2a739a8
- HID: asus: use spinlock to safely schedule workers (bsc#1208604
CVE-2023-1079).
- commit 95bf045
- HID: asus: use spinlock to protect concurrent accesses
(bsc#1208604 CVE-2023-1079).
- commit d755874
- blacklist.conf: changes behavior in user space
- commit 8e76d7a
- blacklist.conf: breaks existing user space
- commit 8a0f9f8
- git_sort: tests: add repositories with autorefresh
Without autorefresh containers are not rebuildable when cached
- commit 1dc067a
- KVM: x86: emulator: update the emulation mode after CR0 write
(git-fixes).
- commit 45c60e8
- KVM: x86: emulator: introduce emulator_recalc_and_set_mode
(git-fixes).
- commit cd1c312
- KVM: x86: emulator: em_sysexit should update ctxt->mode
(git-fixes).
- commit e33b7a7
- KVM: x86: fix incorrect comparison in trace event (git-fixes).
- commit e7c7c64
- x86/kvm: Don't call kvm_spurious_fault() from .fixup
(git-fixes).
- commit 2994486
- x86: kvm: avoid constant-conversion warning (git-fixes).
- commit 785e3c9
- KVM: x86: avoid misreporting level-triggered irqs as
edge-triggered in tracing (git-fixes).
- commit 3a2f7bf
- ring-buffer: Sync IRQ works before buffer destruction
(git-fixes).
- commit 7f66fa1
- ring-buffer: Ensure proper resetting of atomic variables in
ring_buffer_reset_online_cpus (git-fixes).
- commit 05b01b4
- f2fs: Fix f2fs_truncate_partial_nodes ftrace event (git-fixes).
- commit c9aec28
- KVM: nSVM: clear events pending from svm_complete_interrupts()
when exiting to L1 (git-fixes).
- commit dea3e13
- KVM: x86: svm: report MSR_IA32_MCG_EXT_CTL as unsupported
(git-fixes).
- commit e8ac19f
- x86/kvm/vmx: fix old-style function declaration (git-fixes).
- commit 60914fa
- KVM: x86: fix empty-body warnings (git-fixes).
- commit 1ff0909
- kvm: mmu: Don't read PDPTEs when paging is not enabled
(git-fixes).
- commit 0c9e6c3
- KVM: x86: Update the exit_qualification access bits while
walking an address (git-fixes).
- commit fb42639
- kernel-source: Remove unused macro variant_symbols
- commit 915ac72
- ipv6: sr: fix out-of-bounds read when setting HMAC data
(bsc#1211592).
- commit b97c30d
- Move upstreamed media fixes into sorted section
- commit 488e428
- media: dvb_net: kABI workaround (CVE-2022-45886 bsc#1205760).
- media: dvb_frontend: kABI workaround (CVE-2022-45885
bsc#1205758).
- commit df5f28a
- media: ttusb-dec: fix memory leak in ttusb_dec_exit_dvb()
(CVE-2022-45887 bsc#1205762).
- media: dvb-core: Fix use-after-free due to race condition at
dvb_ca_en50221 (CVE-2022-45919 bsc#1205803).
- media: dvb-core: Fix use-after-free due to race at
dvb_register_device() (CVE-2022-45884 bsc#1205756).
- media: dvb-core: Fix use-after-free due on race condition at
dvb_net (CVE-2022-45886 bsc#1205760).
- media: dvb-core: Fix kernel WARNING for blocking operation in
wait_event*() (CVE-2023-31084 bsc#1210783).
- media: dvb-core: Fix use-after-free on race condition at
dvb_frontend (CVE-2022-45885 bsc#1205758).
- media: dvbdev: fix error logic at dvb_register_device()
(CVE-2022-45884 bsc#1205756).
- media: dvbdev: Fix memleak in dvb_register_device
(CVE-2022-45884 bsc#1205756).
- media: media/dvb: Use kmemdup rather than duplicating its
implementation (CVE-2022-45884 bsc#1205756).
- commit f7cc9c8
- net: sched: sch_qfq: prevent slab-out-of-bounds in
qfq_activate_agg (bsc#1210940 CVE-2023-31436).
- commit a507e94
- i2c: xgene-slimpro: Fix out-of-bounds bug in
xgene_slimpro_i2c_xfer() (bsc#1210715 CVE-2023-2194).
- commit 3e58c3b
- net/iucv: Fix size of interrupt data (bsc#1211466).
- commit f3fc622
- blacklist.conf: update blacklist
- commit 6d6d566
- net: emac: fix fixed-link setup for the RTL8363SB switch (git-fixes).
- commit 9681063
- stmmac: fix valid numbers of unicast filter entries (git-fixes).
- commit ef24a07
- net: qca_spi: Fix log level if probe fails (git-fixes).
- commit 3f5bdc7
- net: davinci_emac: match the mdio device against its compatible if possible (git-fixes).
- commit bd607b2
- net: dsa: qca8k: Add support for QCA8334 switch (git-fixes).
- commit 7151502
- net: ethernet: ti: cpsw-phy-sel: check bus_find_device()
ret value (git-fixes).
- commit faf163d
- blacklist.conf: update blacklist
- commit ee5c63d
- blacklist.conf: update blacklist
- commit cb25c3b
- net: dsa: b53: Add BCM5389 support (git-fixes).
- commit 97f949b
- net: mvneta: fix enable of all initialized RXQs (git-fixes).
- commit c3670b0
- net: dsa: mt7530: fix module autoloading for OF platform drivers
(git-fixes).
- commit 5aa0e3c
- sunvnet: does not support GSO for sctp (git-fixes).
- commit 2c2cd3a
- net: qcom/emac: Use proper free methods during TX (git-fixes).
- commit 9e71f84
- net: Extra '_get' in declaration of
arch_get_platform_mac_address (git-fixes).
- commit a07f7ac
- net: arc_emac: fix arc_emac_rx() error paths (git-fixes).
- commit 055ed24
- net: mediatek: setup proper state for disabled GMAC on the
default (git-fixes).
- commit d4884c0
- blacklist.conf: update blacklist
- commit 3d40ef3
- bugzilla-create: take bugzilla email from BUGZILLA_ACCOUNT_EMAIL env var
Some people have emails in bugzilla that are completely different than
emails they use in git and providing one with -e option is tedious.
Make bugzilla-create more flexible by providing a third option that
sits between command line option and git-config automation.
- commit 3ebbd64
- sctp: fix erroneous inc of snmp SctpFragUsrMsgs (git-fixes).
- commit 1e6b878
- net: propagate dev_get_valid_name return code (git-fixes).
- commit 6c7e15c
- blacklist.conf: update blacklist
- commit 0b29eb6
- scripts: Update bugzilla-create self-docs
For new REST API.
- commit 375eae1
- bugzilla-create: always end email with @suse.com
- commit 795cb91
- s390/kasan: fix early pgm check handler execution (git-fixes
bsc#1211360).
- s390: ctcm: fix ctcm_new_device error return code (git-fixes
bsc#1211361).
- s390/pci: fix sleeping in atomic during hotplug (git-fixes
bsc#1211364).
- s390/sysinfo: add missing #ifdef CONFIG_PROC_FS (git-fixes
bsc#1211366).
- s390/extmem: fix gcc 8 stringop-overflow warning (git-fixes
bsc#1211363).
- s390/scm_blk: correct numa_node in scm_blk_dev_setup (git-fixes
bsc#1211365).
- s390/dasd: correct numa_node in dasd_alloc_queue (git-fixes
bsc#1211362).
- commit eaf6fde
- netrom: Fix use-after-free caused by accept on already
connected socket (bsc#1211186 CVE-2023-32269).
- commit 5091773
- net: tls: fix possible race condition between
do_tls_getsockopt_conf() and do_tls_setsockopt_conf()
(bsc#1209366 CVE-2023-28466).
- commit 6a60b30
- ACPI: processor: Fix evaluating _PDC method when running as
Xen dom0 (git-fixes).
- commit dc522b8
- xen/netback: use same error messages for same errors
(git-fixes).
- commit 4db5f86
- xen/netback: don't do grant copy across page boundary
(git-fixes).
- commit 1db009c
- Refresh patches.suse/arm64-Discard-.note.GNU-stack-section.patch.
Add note about required followups for the upstream version.
- commit 22f581b
- powerpc/rtas: use memmove for potentially overlapping buffer
copy (bsc#1065729).
- powerpc: Don't try to copy PPR for task with NULL pt_regs
(bsc#1065729).
- powerpc: Squash lines for simple wrapper functions
(bsc#1065729).
- commit 5b5254d
- blacklist.conf: workqueue: Cosmetic change. Not worth backporting (bsc#1211275)
- commit 75d9c4f
- ipv6: Reinject IPv6 packets if IPsec policy matches after SNAT
(git-fixes).
- commit 45358c3
- sctp: make use of pre-calculated len (git-fixes).
- commit 917a7de
- ipv6: icmp6: Allow icmp messages to be looped back (git-fixes).
- commit b8c6b46
- ipv4: ipv4_default_advmss() should use route mtu (git-fixes).
- commit b90f190
- net: ipv6: send NS for DAD when link operationally up
(git-fixes).
- commit 068ddeb
- blacklist.conf: update blacklist
- commit a62f4ec
- workqueue: Print backtraces from CPUs with hung CPU bound
workqueues (bsc#1211044).
- commit 9009e7b
- workqueue: Warn when a rescuer could not be created
(bsc#1211044).
- commit 729d6a5
- blacklist.conf: update blacklist
- commit 6f9c349
- blacklist.conf: update blacklist
- commit b77ff03
- workqueue: Interrupted create_worker() is not a repeated event
(bsc#1211044).
- commit 19f4343
- workqueue: Warn when a new worker could not be created
(bsc#1211044).
- commit 6849328
- workqueue: Fix hung time report of worker pools (bsc#1211044).
- commit 6603859
- blacklist.conf: dependencies cannot be met
- commit 719ca49
- wcn36xx: ensure pairing of init_scan/finish_scan and
start_scan/end_scan (git-fixes).
- commit 087dd65
- wcn36xx: Ensure finish scan is not requested before start scan
(git-fixes).
- commit caae985
- blacklist.conf: add one pci git-fixes
- commit 855c141
- wcn36xx: Specify ieee80211_rx_status.nss (git-fixes).
- commit 012d160
- wcn36xx: Fix warning due to bad rate_idx (git-fixes).
- commit a518de1
- wcn36xx: Disable bmps when encryption is disabled (git-fixes).
- commit ebc2371
- wcn36xx: Fix software-driven scan (git-fix).
- Refresh
patches.suse/wcn36xx-Channel-list-update-before-hardware-scan.patch.
- Refresh
patches.suse/wcn36xx-Move-hal_buf-allocation-to-devm_kmalloc-in-p.patch.
- commit 15a8b93
- wcn36xx: Use sequence number allocated by mac80211 (git-fixes).
- commit bb661ed
- wcn36xx: Fix TX data path (git-fixes).
- commit b77eb82
- wcn36xx: Increase number of TX retries (git-fixes).
- commit 97a8d22
- wcn36xx: Fix multiple AMPDU sessions support (git-fixes).
- commit 63b0807
- wcn36xx: Add ieee80211 rx status rate information (git-fixes).
- commit 4b6a254
- wcn36xx: fix spelling mistake "to" -> "too" (git-fixes).
- commit 7e6ee67
- wcn36xx: disable HW_CONNECTION_MONITOR (git-fixes).
- commit 4d8f867
- wcn36xx: fix typo (git-fixes).
- commit b5b95ed
- wcn36xx: remove unecessary return (git-fixes).
- commit 0eb75a5
- wcn36xx: use dma_zalloc_coherent instead of allocator/memset
(git-fixes).
- commit bbbad4b
- wcn36xx: Use kmemdup instead of duplicating it in
wcn36xx_smd_process_ptt_msg_rsp (git-fixes).
- commit aa805c7
- wcn36xx: Channel list update before hardware scan (git-fixes).
- commit fcf8c32
- wcn36xx: Add ability for wcn36xx_smd_dump_cmd_req to pass
two's complement (git-fixes).
- commit 39c25cd
- mwl8k: Fix a double Free in mwl8k_probe_hw (git-fixes).
- commit 9de04e1
- adm8211: fix error return code in adm8211_probe() (git-fixes).
- commit 8910841
- Documentation: Document sysfs interfaces purr, spurr, idle_purr,
idle_spurr (PED-3947 bsc#1210544 ltc#202303).
- powerpc/sysfs: Show idle_purr and idle_spurr for every CPU
(PED-3947 bsc#1210544 ltc#202303).
- powerpc/pseries: Account for SPURR ticks on idle CPUs (PED-3947
bsc#1210544 ltc#202303).
- powerpc/idle: Store PURR snapshot in a per-cpu global variable
(PED-3947 bsc#1210544 ltc#202303).
- powerpc: Move idle_loop_prolog()/epilog() functions to header
file (PED-3947 bsc#1210544 ltc#202303).
- cpuidle/powernv: avoid double irq enable coming out of idle
(PED-3947 bsc#1210544 ltc#202303).
- cpuidle: powerpc: no memory barrier after break from idle
(PED-3947 bsc#1210544 ltc#202303).
- cpuidle: powerpc: read mostly for common globals (PED-3947
bsc#1210544 ltc#202303).
- Refresh patches.suse/cpuidle-powernv-Fix-promotion-from-snooze-if-next-st.patch
- cpuidle: powerpc: cpuidle set polling before enabling irqs
(PED-3947 bsc#1210544 ltc#202303).
- Refresh patches.suse/cpuidle-powernv-Fix-promotion-from-snooze-if-next-st.patch
- commit 964f26b
- rpm/constraints.in: Increase disk size constraint for riscv64 to 52GB
- commit 1c1a4cd
- usb: early: xhci-dbc: Fix a potential out-of-bound memory access
(git-fixes).
- commit ad8060e
- fotg210-udc: Add missing completion handler (git-fixes).
- commit 3c809e3
- blacklist.conf: kABI
- commit dcd54c2
- usb: dwc3: Fix race between dwc3_set_mode and __dwc3_set_mode
(git-fixes).
- commit 9ea489a
- platform/x86: dell-smbios-wmi: Add missing kfree in error-exit
from run_smbios_call (git-fixes).
- commit bc58d39
- platform/x86: dell-smbios-wmi: Fix oops on rmmod dell_smbios
(git-fixes).
- commit 96326a4
- platform/x86: alienware-wmi: fix kfree on potentially
uninitialized pointer (git-fixes).
- commit 52b26a2
- platform/x86: alienware-wmi: fix format string overflow warning
(git-fixes).
- commit 9e6baf6
- platform/x86: alienware-wmi: constify attribute_group structures
(git-fixes).
- commit 804cedf
- platform/x86: alienware-wmi: Adjust instance of
wmi_evaluate_method calls to 0 (git-fixes).
- commit 17d45d2
- platform/x86: dell-laptop: fix rfkill functionality.
- commit 04ebc44
- wifi: brcmfmac: slab-out-of-bounds read in
brcmf_get_assoc_ies() (bsc#1209287 CVE-2023-1380).
- commit 07a41fa
- Remove obsolete rpm spec constructs
defattr does not need to be specified anymore
buildroot does not need to be specified anymore
- commit c963185
- kernel-spec-macros: Fix up obsolete_rebuilds_subpackage to generate
obsoletes correctly (boo#1172073 bsc#1191731).
rpm only supports full length release, no provides
- commit c9b5bc4
- ext4: add EXT4_INODE_HAS_XATTR_SPACE macro in xattr.h
(bsc#1206878).
- commit 40e694d
- ext4: fix use-after-free in ext4_xattr_set_entry (bsc#1206878
bsc#1211105 CVE-2023-2513).
- commit a52726d
- git_sort: tests: Fix run_all.sh logic
- commit e9649f1
- kernel-binary: install expoline.o (boo#1210791 bsc#1211089)
- commit d6c8c20
- net: qcom/emac: Fix use after free bug in emac_remove due to
race condition (bsc#1211037 CVE-2023-2483).
- commit 6c7d167
- usb: chipidea: fix missing goto in `ci_hdrc_probe` (git-fixes).
- commit 8371d59
- USB: dwc3: fix runtime pm imbalance on unbind (git-fixes).
- commit 3c78b91
- USB: dwc3: fix runtime pm imbalance on probe errors (git-fixes).
- commit 07dd465
- cifs: return ENOENT for DFS lookup_cache_entry() (bsc#1190317).
- Refresh
patches.suse/cifs-handle-cache-lookup-errors-different-than-ENOENT.patch.
- Refresh
patches.suse/cifs-split-out-ses-and-tcon-retrieval-from-mount_get_conns-.patch.
- commit f050536
- PCI: aardvark: Fix PCIe Max Payload Size setting (git-fixes).
- PCI: Mark Atheros QCA6174 to avoid bus reset (git-fixes).
- PCI: xilinx-nwl: Enable the clock through CCF (git-fixes).
- PCI: aardvark: Fix masking and unmasking legacy INTx interrupts
(git-fixes).
- PCI: aardvark: Configure PCIe resources from 'ranges' DT
property (git-fixes).
- PCI: aardvark: Increase polling delay to 1.5s while waiting
for PIO response (git-fixes).
- PCI: aardvark: Fix checking for PIO status (git-fixes).
- PCI: Add ACS quirks for Cavium multi-function devices
(git-fixes).
- PCI: Return ~0 data on pciconfig_read() CAP_SYS_ADMIN failure
(git-fixes).
- PCI: Restrict ASMedia ASM1062 SATA Max Payload Size Supported
(git-fixes).
- PCI: Call Max Payload Size-related fixup quirks early
(git-fixes).
- commit 4ba05a4
- ipmi: fix SSIF not responding under certain cond (git-fixes).
- commit fd75dd9
- blacklist.conf: add one char git-fixes
- commit e967264
- wifi: ath5k: fix an off by one check in
ath5k_eeprom_read_freq_list() (git-fixes).
- commit e7e4a01
- xfs: verify buffer contents when we skip log replay (bsc#1210498
CVE-2023-2124).
- commit d228bcf
- kcm: Only allow TCP sockets to be attached to a KCM mux
(git-fixes).
- Refresh patches.suse/kcm-lock-lower-socket-in-kcm_attach.patch.
- commit 1c38f1b
- xhci: hide include of iommu.h (git-fixes).
- commit d4a90d2
- xhci: also avoid the XHCI_ZERO_64B_REGS quirk with a passthrough
iommu (git-fixes).
- commit 25aa1f6
- struct ci_hdrc: hide new member at end (git-fixes).
- commit 10801c8
- usb: chipidea: core: fix possible concurrent when switch role
(git-fixes).
- commit b7e0f07
- x86/irq: Ensure PI wakeup handler is unregistered before module unload (git-fixes).
- commit 1ba0504
- x86/fpu: Prevent FPU state corruption (git-fixes).
- commit 7902778
- x86/mce/inject: Avoid out-of-bounds write when setting flags (git-fixes).
- commit 7747d1d
- x86/tools/relocs: Fix non-POSIX regexp (git-fixes).
- commit bf7956d
- crypto: x86/ghash - fix unaligned access in ghash_setkey() (git-fixes).
- commit b2c2637
- x86/boot: Avoid using Intel mnemonics in AT&T syntax asm (git-fixes).
- commit 01320b7
- x86/virt: Mark flags and memory as clobbered by VMXOFF (git-fixes).
- commit 128b31b
- x86/virt: Eat faults on VMXOFF in reboot flows (git-fixes).
- commit d5a2713
- x86/tools: Fix objdump version check again (git-fixes).
- commit 2fac6b7
- x86/kprobes: Restore BTF if the single-stepping is cancelled (git-fixes).
- commit 675ef6d
- x86/kprobes: Fix to check non boostable prefixes correctly (git-fixes).
- commit 7707216
- blacklist.conf: Add a patch for kconfig option we don't have
- commit 133510f
- x86/bugs: Enable STIBP for IBPB mitigated RETBleed (git-fixes).
- commit 08350f2
- blacklist.conf: add nvme git-fixes
- commit 763e434
- nvme-pci: don't WARN_ON in nvme_reset_work if ctrl.state is
not RESETTING (git-fixes).
- commit 289f082
- x86/bugs: Add Cannon lake to RETBleed affected CPU list (git-fixes).
- commit 765cf23
- keys: Fix linking a duplicate key to a keyring's assoc_array
(bsc#1207088).
- commit fd3a7e5
- keys: Hoist locking out of __key_link_begin() (bsc#1207088).
- commit 9d4b000
- keys: Change keyring_serialise_link_sem to a mutex (bsc#1207088).
- commit d0f80a2
- scsi: qla2xxx: Fix memory leak in qla2x00_probe_one()
(git-fixes).
- scsi: qla2xxx: Perform lockless command completion in abort path
(git-fixes).
- commit 9283be1
- kabi/severities: ignore KABI for NVMe, except nvme-fc (bsc#1174777)
Exported symbols under drivers/nvme/host/ are only used by the
nvme subsystem itself, except for the nvme-fc symbols.
- commit c973bd8
- blacklist.conf: add nvme git-fixes
The nvme fabric part is not really supported in sle12 and touching this
code with proper a lot of testing has a high chance of regressions.
The nvme core bits are also very dangerous to update without introducing
regression because sle12 is still using mixed single queue and
multiqueue block layers infrastructures. All these fixes are addressing
issues reported against multiqueue only setups
- commit 039b5e1
- blacklist.conf: irrelevant in all our configs
- commit 21e8e20
- blacklist.conf: irrelevant in all our configs
- commit 5d97024
- blacklist.conf: irrelevant in all our configs
- commit ed95b61
- blacklist.conf: cleanup
- commit 2328a0e
- blacklist.conf: kABI
- commit 5ede269
- blacklist.conf: irrelevant with the compiler options of SLE12
- commit 09fdb2d
- blacklist.conf: architecture not supported in SLE12
- commit 0f802d0
- blacklist.conf: alters behavior in a way that could cause regression
- commit 9198a95
- blacklist.conf: cosmetic
- commit 8c47024
- audit: improve audit queue handling when "audit=1" on cmdline
(bsc#1209969).
- commit 05326be
- MyBS: exclude openSUSE:Factory i586
It's present, but not built. People are supposed to add:
OBS_PROJECT_LEGACYX86=openSUSE:Factory:LegacyX86
to rpm/config.sh now.
- commit 9c22fe0
- xirc2ps_cs: Fix use after free bug in xirc2ps_detach
(bsc#1209871 CVE-2023-1670).
- commit cab17d2
- nvme-pci: fix doorbell buffer value endianness (git-fixes).
- nvme: retain split access workaround for capability reads
(git-fixes).
- commit 664dfaa
- cgroup/cpuset: Wake up cpuset_attach_wq tasks in
cpuset_cancel_attach() (bsc#1210827).
- commit c9ac567
- xfrm: policy: use hlist rcu variants on insert (git-fixes).
- commit 8f58d09
- blacklist.conf: update blacklist
- commit 94895b2
- powerpc/papr_scm: Update the NUMA distance table for the
target node (bsc#1209999 ltc#202140 bsc#1142685 ltc#179509
FATE#327775 git-fixes).
- powerpc/pseries: Consolidate different NUMA distance update
code paths (bsc#1209999 ltc#202140 bsc#1142685 ltc#179509
FATE#327775 git-fixes).
- powerpc/pseries: Rename TYPE1_AFFINITY to FORM1_AFFINITY
(bsc#1209999 ltc#202140 bsc#1142685 ltc#179509 FATE#327775
git-fixes).
- powerpc/pseries: rename min_common_depth to primary_domain_index
(bsc#1209999 ltc#202140 bsc#1142685 ltc#179509 FATE#327775
git-fixes).
- powerpc/numa: Consider the max NUMA node for migratable LPAR
(bsc#1209999 ltc#202140 bsc#1190544 ltc#194520 bsc#1142685 ltc#179509 FATE#327775
git-fixes).
- powerpc/numa: Detect support for coregroup (bsc#1209999
ltc#202140 bsc#1142685 ltc#179509 FATE#327775 git-fixes).
- powerpc/numa: Restrict possible nodes based on platform
(bsc#1209999 ltc#202140 bsc#1142685 ltc#179509 FATE#327775
git-fixes).
- powerpc/numa: Limit possible nodes to within num_possible_nodes
(bsc#1209999 ltc#202140 bsc#1142685 ltc#179509 FATE#327775
git-fixes).
- commit 2690e67
- cred: allow get_cred() and put_cred() to be given NULL
(bsc#1209887).
- commit b20510e
- scsi: iscsi_tcp: Fix UAF during login when accessing the shost
ipaddress (bsc#1210647 CVE-2023-2162).
- commit eba27cd
- drivers: net: lmc: fix case value for target abort error
(git-fixes).
- commit 9328eea
- net: axienet: Fix double deregister of mdio (git-fixes).
- commit ceccbaf
- net: prevent ISA drivers from building on PPC32 (git-fixes).
- commit 1665091
- blacklist.conf: update blacklist
- commit c7d12aa
- RDMA/core: Refactor rdma_bind_addr (bsc#1210629 CVE-2023-2176)
- commit 39d6889
- RDMA/cma: Ensure rdma_addr_cancel() happens before issuing more requests (bsc#1210629 CVE-2023-2176)
- commit e746751
- RDMA/cma: Do not change route.addr.src_addr outside state checks (bsc#1210629 CVE-2023-2176)
- commit 8101e86
- RDMA/cma: Make the locking for automatic state transition more clear (bsc#1210629 CVE-2023-2176)
- commit b3ddeab
- blacklist.conf: add !CONFIG_SYSFS entry
- commit ea663e2
- l2tp: reject creation of non-PPP sessions on L2TPv2 tunnels
(git-fixes).
- commit a6de55d
- l2tp: clean up stale tunnel or session in pppol2tp_connect's
error path (git-fixes).
- commit ac0c4ce
- l2tp: fix pseudo-wire type for sessions created by
pppol2tp_connect() (git-fixes).
- commit 3cea0f6
- netfilter: nft_set_rbtree: fix parameter of
__nft_rbtree_lookup() (git-fixes).
- commit d139e7b
- netfilter: x_tables: Add note about how to free percpu counters
(git-fixes).
- commit 370ae8e
- net: core: dst: Add kernel-doc for 'net' parameter (git-fixes).
- commit f4bb4ad
- net: core: dst_cache_set_ip6: Rename 'addr' parameter to
'saddr' for consistency (git-fixes).
- commit d4c9c59
- x86/boot/compressed: Disable relocation relaxation (git-fixes).
- Refresh patches.suse/x86-Use-return-thunk-in-asm-code.patch.
- kretprobe: Prevent triggering kretprobe from within
kprobe_flush_task (git-fixes).
- x86/speculation/mds: Mark mds_user_clear_cpu_buffers()
__always_inline (git-fixes).
- x86_64: Fix jiffies ODR violation (git-fixes).
- x86/mm: Stop printing BRK addresses (git-fixes).
- bpf, x86: Fix encoding for lower 8-bit registers in BPF_STX
BPF_B (git-fixes).
- x86: Don't let pgprot_modify() change the page encryption bit
(git-fixes).
- x86/pkeys: Add check for pkey "overflow" (git-fixes).
- commit e67532f
- watchdog: pcwd_usb: Fix attempting to access uninitialized
memory (git-fixes).
- commit d040be6
- powercap: fix possible name leak in powercap_register_zone()
(git-fixes).
- commit 31ce59d
- usb: storage: Add check for kcalloc (git-fixes).
- commit 610895c
- usb: typec: Check for ops->exit instead of ops->enter in
altmode_exit (git-fixes).
- commit b4c0f7a
- blacklist.conf: add some x86 git-fixes
- commit decff2c
- blacklist.conf: cleanup
- commit b4c83c2
- usb: dwc3: gadget: Don't set IMI for no_interrupt (git-fixes).
- commit 7500ab7
- ath10k: Fix missing frame timestamp for beacon/probe-resp
(git-fixes).
- commit b6a1dea
- x86/speculation: Allow enabling STIBP with legacy IBRS
(bsc#1210506 CVE-2023-1998).
- commit 82dbdfe
- cifs: fix negotiate context parsing (bsc#1210301).
- commit e970e4b
- blacklist.conf: not needed; added also the commit introducing the regression
on the blacklist to stay on the safe side
- commit 39430c3
- blacklist.conf: not worth the risk
- commit 581559c
- blacklist.conf: printk: cosmetic problem; wrong value shown in log
- commit 68309f1
- printk: Give error on attempt to set log buffer length to over
2G (bsc#1210534).
- commit 416f599
- tuntap: fix dividing by zero in ebpf queue selection
(git-fixes).
- commit c7fc31c
- net: phy: realtek: Use the dummy stubs for MMD register access
for rtl8211b (git-fixes).
- commit 8197f03
- blacklist.conf: update blacklist
- commit 1eb047f
- iwlwifi: Fix -EIO error code that is never returned (git-fixes).
- commit e2a6440
- iwlwifi: pcie: gen2: fix locking when "HW not ready"
(git-fixes).
- commit a192018
- iwlwifi: pcie: fix locking when "HW not ready" (git-fixes).
- commit 34a2104
- blacklist.conf: upstream error
- commit 82a830a
- iwlwifi: pcie: reschedule in long-running memory reads
(git-fixes).
- commit e6380b0
- blacklist.conf: cleanup for specific compiler
- commit 0396363
- iwlwifi: fw: make pos static in iwl_sar_get_ewrd_table() loop
(git-fixes).
- commit c845c94
- blacklist.conf: feature and optimization, not a fix
- commit 9a8bf0b
- blacklist.conf: kABI
- commit 7b6dc5b
- ath10k: fix memory overwrite of the WoWLAN wakeup packet pattern
(git-fixes).
- commit a5c8a19
- ath10k: fix division by zero in send path (git-fixes).
- commit 995d86c
- ath10k: fix control-message timeout (git-fixes).
- commit 49a6469
- ath10k: add missing error return code in ath10k_pci_probe()
(git-fixes).
- commit 40313d2
- ath10k: Fix error handling in case of CE pipe init failure
(git-fixes).
- commit 29f18be
- struct wmi_svc_avail_ev_arg: new member to end (git-fixes).
- commit ace4238
- ath10k: Fix the parsing error in service available event
(git-fixes).
- commit 83c5772
- power: supply: da9150: Fix use after free bug in
da9150_charger_remove due to race condition (CVE-2023-30772
bsc#1210329).
- commit a67542a
- k-m-s: Drop Linux 2.6 support
- commit 22b2304
- Remove obsolete KMP obsoletes (bsc#1210469).
- commit 7f325c6
- git_sort: tests: Use correct SLE15 base container
- commit 698573d
- wq: handle VM suspension in stall detection (bsc#1210466).
- commit b6661b9
- git_sort: tests: Move docker files into one directory
Also accept build parameters like -q or --no-cache in run_all.sh
- commit 5b075af
- blacklist.conf: workqueue: Non-trivial reasoning why the change is correct.
Fixing a corner case.
- commit 5637e05
- workqueue: Fix missing kfree(rescuer) in destroy_workqueue()
(bsc#1210460).
- commit 3c2ae43
- workqueue: Fix spurious sanity check failures in
destroy_workqueue() (bsc#1210460).
- blacklist.conf: Remove the commit from the blacklist.
- commit dcf3af1
- cachefiles: Drop superfluous readpages aops NULL check
(bsc#1210430).
- cachefiles: Handle readpage error correctly (bsc#1210430).
- cachefiles: Fix race between read_waiter and read_copier
involving op->to_do (bsc#1210430).
- fscache, cachefiles: remove redundant variable 'cache'
(bsc#1210430).
- cachefiles: Fix page leak in cachefiles_read_backing_file
while vmscan is active (bsc#1210430).
- commit 08d094b
- blacklist.conf: cachefiles fix not applicable to 12SP5
- commit 76c59ea
- hwmon: (xgene) Fix use after free bug in xgene_hwmon_remove
due to race condition (CVE-2023-1855 bsc#1210202).
- commit 8e7b0ea
- Bluetooth: btsdio: fix use after free bug in btsdio_remove
due to unfinished work (CVE-2023-1989 bsc#1210336).
- commit 636a7de
- nfc: st-nci: Fix use after free bug in ndlc_remove due to race
condition (git-fixes bsc#1210337 CVE-2023-1990).
- commit 6ec02e1
- intel_pmc_ipc: restore ability to call functions with irq
enabled (git-fixes).
- commit 8b76237
- Refresh
patches.suse/platform-x86-intel_pmc_ipc-Use-spin_lock-to-protect-.patch.
Added additional commit ID
- commit 32b5de9
- platform/x86: intel_pmc_ipc: Use spin_lock to protect GCR
updates (git-fixes).
- commit 6fd8245
- platform/x86: intel_pmc_ipc: Use devm_* calls in driver probe
function (git-fixes).
- commit 66a8daf
- blacklist.conf: irrelevant in our configs
- commit 77369a1
- s390/percpu: add READ_ONCE() to arch_this_cpu_to_op_simple()
(git-fixes).
- commit 1101ba6
- net: usb: qmi_wwan: add Telit 0x1080 composition (git-fixes).
- commit cc9a7d7
- Refresh
patches.suse/net-usb-cdc_mbim-avoid-altsetting-toggling-for-Telit.patch.
Added additional ID
- commit ec0740e
- blacklist.conf: Add 6a2cbc58d6c9 seq_buf: Make trace_seq_putmem_hex() support data longer than 8
- commit 3b72881
- usb: dwc3: core: fix kernel panic when do reboot (git-fixes).
- commit e2fbf46
- usb/ohci-platform: Fix a warning when hibernating (git-fixes).
- commit f004188
- blacklist.conf: not a fix
- commit 579db14
- blacklist.conf: hardware this is relevant for not supported in SLE12
- commit 9c1574c
- usb: host: ohci-pxa27x: Fix and & vs | typo (git-fixes).
- commit 8a04e90
- blacklist.conf: update blacklist
- commit 960fe5e
- sctp: return error if the asoc has been peeled off in
sctp_wait_for_sndbuf (git-fixes).
- Refresh
patches.suse/sctp-implement-memory-accounting-on-tx-path.patch.
- commit ec9bf28
- sctp: use the right sk after waking up from wait_buf sleep
(git-fixes).
- Refresh
patches.suse/sctp-implement-memory-accounting-on-tx-path.patch.
- commit 09b20fd
- sctp: do not free asoc when it is already dead in sctp_sendmsg
(git-fixes).
- Refresh
patches.suse/sctp-implement-memory-accounting-on-tx-path.patch.
- commit 064e118
- net/ncsi: Don't return error on normal response (git-fixes).
- commit 0448b7b
- blacklist.conf: update blacklist
- commit dd82a70
- scripts/tar-up.sh: Exclude directories and files left over from conflict
resolution when copying rpm/
Directories are not used by obs, there is no point copying them.
Files resulting from conflict resolution needlessly add noise, they
should not be included in the package.
- commit 079558f
- run_oldconfig.sh: Set VANILLA_ONLY with vanilla source variant.
VANILLA_ONLY is no longer set in config.sh, instead variant is set to
vanilla. Make run_oldconfig.sh reflect that.
- commit 0b52d46
- blacklist.conf: add an intrusive ftrace refinement
- commit 1b629dd
- ftrace: Mark get_lock_parent_ip() __always_inline (git-fixes).
- commit f82808a
- ring-buffer: Fix race while reader and writer are on the same
page (git-fixes).
- commit 68f2c8a
- Update
patches.suse/NFSD-Protect-against-send-buffer-overflow-in-NFSv2-R.patch
(bsc#1205128 CVE-2022-43945 bsc#1210124).
- Update
patches.suse/NFSD-Protect-against-send-buffer-overflow-in-NFSv3-R.patch
(bsc#1205128 CVE-2022-43945 bsc#1210124).
- Update
patches.suse/NFSD-Protect-against-send-buffer-overflow-in-NFSv3-Rdir.patch
(bsc#1205128 CVE-2022-43945 bsc#1210124).
Fix a performance bug introduced by the backports bsc#1210124
- commit 98fde8e
- btrfs: fix race between quota disable and quota assign ioctls
(CVE-2023-1611 bsc#1209687).
- commit 5262625
- Define kernel-vanilla as source variant
The vanilla_only macro is overloaded. It is used for determining if
there should be two kernel sources built as well as for the purpose of
determining if vanilla kernel should be used for kernel-obs-build.
While the former can be determined at build time the latter needs to be
baked into the spec file template. Separate the two while also making
the latter more generic.
$build_dtbs is enabled on every single rt and azure branch since 15.3
when the setting was introduced, gate on the new $obs_build_variant
setting as well.
- commit 36ba909
- timekeeping: Prevent 32bit truncation in (git-fixes)
- commit b5eceb5
- ntp: Limit TAI-UTC offset (git-fixes)
- commit cb87f16
- x86/decoder: Add TEST opcode to Group3-2 (git-fixes).
- x86/sysfb: Fix check for bad VRAM size (git-fixes).
- x86/mm: Use the correct function type for native_set_fixmap()
(git-fixes).
- x86/ioapic: Prevent inconsistent state when moving an interrupt
(git-fixes).
- x86/mce: Lower throttling MCE messages' priority to warning
(git-fixes).
- x86/apic: Soft disable APIC before initializing it (git-fixes).
- x86/reboot: Always use NMI fallback when shutdown via reboot
vector IPI fails (git-fixes).
- uprobes/x86: Fix detection of 32-bit user mode (git-fixes).
- x86/apic: Fix arch_dynirq_lower_bound() bug for DT enabled
machines (git-fixes).
- x86/apic: Handle missing global clockevent gracefully (git-fixes
bsc#1142926).
- x86/lib/cpu: Address missing prototypes warning (git-fixes).
- x86, boot: Remove multiple copy of static function
sanitize_boot_params() (git-fixes).
- commit 439b087
- blacklist.conf: add some x86 git-fixes
- commit 048281c
- netlink: limit recursion depth in policy validation
(CVE-2020-36691 bsc#1209613).
- commit 519d73a
- scsi: qla2xxx: Synchronize the IOCB count to be in order
(bsc#1209292 bsc#1209684 bsc#1209556).
- commit 18dd273
- net: usb: lan78xx: Limit packet length to skb->len (git-fixes).
- commit 58a7e43
- net: usb: smsc95xx: Limit packet length to skb->len (git-fixes).
- commit 4061009
- net: usb: smsc75xx: Move packet length check to prevent kernel
panic in skb_pull (git-fixes).
- commit 904473f
- rpm/constraints.in: increase the disk size for armv6/7 to 24GB
It grows and the build fails recently on SLE15-SP4/5.
- commit 41ac816
- NFSv4: Fix hangs when recovering open state after a server reboot (git-fixes).
[iivanov] Fix Patch-mainline to v6.3-rc5
- commit f23280a
- rpm/check-for-config-changes: add TOOLCHAIN_NEEDS_* to IGNORED_CONFIGS_RE
This new form was added in commit e89c2e815e76 ("riscv: Handle
zicsr/zifencei issues between clang and binutils").
- commit 234baea
- cifs: Fix smb2_set_path_size() (bsc#1190317).
- commit 298a4d8
- cifs: Move the in_send statistic to __smb_send_rqst()
(bsc#1190317).
- commit c1a3dcd
- cifs: prevent data race in cifs_reconnect_tcon() (bsc#1190317).
- commit 46ad6ef
- update internal module version number for cifs.ko (bsc#1190317).
- commit 0d92429
- cifs: reuse cifs_match_ipaddr for comparison of dstaddr too
(bsc#1190317).
- commit 29571bf
- cifs: match even the scope id for ipv6 addresses (bsc#1190317).
- commit ffb4742
- cifs: Fix lost destroy smbd connection when MR allocate failed
(bsc#1190317).
- commit 8c42642
- cifs: get rid of dns resolve worker (bsc#1190317).
- commit 1597aa3
- cifs: Fix warning and UAF when destroy the MR list
(bsc#1190317).
- commit 57628d2
- cifs: Convert struct fealist away from 1-element array
(bsc#1190317).
- commit 450af82
- cifs: fix mount on old smb servers (bsc#1190317).
- commit b608d71
- cifs: Fix uninitialized memory reads for oparms.mode
(bsc#1190317).
- commit 4430e40
- cifs: remove unneeded 2bytes of padding from smb2 tree connect
(bsc#1190317).
- commit 3db0a6b
- cifs: Fix uninitialized memory read in smb3_qfs_tcon()
(bsc#1190317).
- commit 7fd60d0
- cifs: don't try to use rdma offload on encrypted connections
(bsc#1190317).
- commit b75ae7e
- cifs: split out smb3_use_rdma_offload() helper (bsc#1190317).
- commit 4ec903f
- cifs: introduce cifs_io_parms in smb2_async_writev()
(bsc#1190317).
- commit 9060955
- cifs: get rid of unneeded conditional in cifs_get_num_sgs()
(bsc#1190317).
- commit b970b4a
- cifs: prevent data race in smb2_reconnect() (bsc#1190317).
- commit e153e6f
- cifs: fix indentation in make menuconfig options (bsc#1190317).
- commit e3f6c21
- cifs: update Kconfig description (bsc#1190317).
- commit d50d5ca
- cifs: Get rid of unneeded conditional in the smb2_get_aead_req()
(bsc#1190317).
- commit 46dc317
- cifs: print last update time for interface list (bsc#1190317).
- commit aaab89f
- cifs: Replace zero-length arrays with flexible-array members
(bsc#1190317).
- commit 86e6cd6
- cifs: Use kstrtobool() instead of strtobool() (bsc#1190317).
- commit 103e49e
- cifs: Fix use-after-free in rdata->read_into_pages()
(bsc#1190317).
- commit 0bb36b3
- cifs: Fix oops due to uncleared server->smbd_conn in reconnect
(bsc#1190317).
- commit 7c17011
- cifs: do not include page data when checking signature
(bsc#1190317).
- commit 68b5c43
- cifs: fix return of uninitialized rc in
dfs_cache_update_tgthint() (bsc#1190317).
- commit aef9873
- cifs: handle cache lookup errors different than -ENOENT
(bsc#1190317).
- commit b259488
- cifs: remove duplicate code in __refresh_tcon() (bsc#1190317).
- commit 078424b
- cifs: don't take exclusive lock for updating target hints
(bsc#1190317).
- commit 0ba4f09
- cifs: avoid re-lookups in dfs_cache_find() (bsc#1190317).
- commit db9d0ac
- cifs: fix potential deadlock in cache_refresh_path()
(bsc#1190317).
- commit 8b47c8a
- cifs: fix potential memory leaks in session setup (bsc#1190317).
- commit 9d070b1
- cifs: fix double free on failed kerberos auth (bsc#1190317).
- commit e2bec13
- cifs: remove redundant assignment to the variable match
(bsc#1190317).
- commit 77ccb0d
- seq_buf: Fix overflow in seq_buf_putmem_hex() (bsc#1209549
CVE-2023-28772).
- commit 6692c8c
- x86/apic: Add name to irq chip (bsc#1206010).
- commit 89bba1e
- ipv4: route: fix inet_rtm_getroute induced crash (git-fixes).
- commit e25c3f6
- blacklist.conf: update blacklist
- commit ae3ef0f
- blacklist.conf: update blacklist
- commit 3e5530d
- x86/apic: Deinline x2apic functions (bsc#1181001 jsc#ECO-3191).
- x86/x2apic: Mark set_x2apic_phys_mode() as __init (bsc#1181001
jsc#ECO-3191).
- Refresh
patches.kabi/kABI-Fix-kABI-for-extended-APIC-ID-support.patch.
- Refresh
patches.suse/x86-msi-Force-affinity-setup-before-startup.patch.
Update to upstream patches.
Two easy cleanups added for simpler backports.
- commit 2c2baeb
- PCI: hv: Add a per-bus mutex state_lock (bsc#1207001).
- Revert "PCI: hv: Fix a timing issue which causes kdump to fail
occasionally" (bsc#1207001).
- PCI: hv: Remove the useless hv_pcichild_state from struct
hv_pci_dev (bsc#1207001).
- PCI: hv: Fix a race condition in hv_irq_unmask() that can
cause panic (bsc#1207001).
- PCI: hv: fix a race condition bug in hv_pci_query_relations()
(bsc#1207001).
- commit e9cf69b
- x86/ioapic: Force affinity setup before startup (bsc#1193231).
- blacklist.conf: remove it from there as the prerequisites were
backported already
- commit 67a8716
- cifs: protect access of TCP_Server_Info::{dstaddr,hostname}
(bsc#1190317).
- commit f930e6e
- cifs: fix race in assemble_neg_contexts() (bsc#1190317).
- commit ea7fbbe
- cifs: ignore ipc reconnect failures during dfs failover
(bsc#1190317).
- commit afdee33
- cifs: update internal module number (bsc#1190317).
- commit 7b8d7fd
- cifs: split out ses and tcon retrieval from mount_get_conns()
(bsc#1190317).
- commit 15a2a87
- cifs: set resolved ip in sockaddr (bsc#1190317).
- commit d330759
- powerpc/btext: add missing of_node_put (bsc#1065729).
- commit 0e57c99
- kvm: initialize all of the kvm_debugregs structure before
sending it to userspace (bsc#1209532 CVE-2023-1513).
- commit 27afda9
- powerpc/xics: fix refcount leak in icp_opal_init()
(bsc#1065729).
- commit f9aeabf
- powerpc/powernv/ioda: Skip unallocated resources when mapping
to PE (bsc#1065729).
- commit 12e8c49
- powerpc/rtas: ensure 4KB alignment for rtas_data_buf
(bsc#1065729).
- powerpc/pseries/lparcfg: add missing RTAS retry status handling
(bsc#1065729).
- powerpc/pseries/lpar: add missing RTAS retry status handling
(bsc#1109158 ltc#169177 git-fixes).
- commit 4d6673f
- Input: atmel_mxt_ts - fix double free in mxt_read_info_block
(git-fixes).
- commit bd0fc95
- sbitmap: Avoid lockups when waker gets preempted (bsc#1209118).
- commit 32c7f24
- blacklist.conf: driver not in SLE12
- commit 3fbe4df
- blacklist.conf: driver not present in SLE12
- commit dad4545
- s390/vfio-ap: fix memory leak in vfio_ap device driver
(git-fixes).
- commit 0efdc1f
- Bluetooth: Fix double free in hci_conn_cleanup (bsc#1209052
CVE-2023-28464).
- commit ee49c52
- cifs: set correct ipc status after initial tree connect
(bsc#1190317).
- commit 37864d2
- cifs: set correct tcon status after initial tree connect
(bsc#1190317).
- commit 1a028fa
- cifs: Remove duplicated include in cifsglob.h (bsc#1190317).
- commit a1d08d1
- cifs: fix oops during encryption (bsc#1190317).
- commit f574daf
- cifs: fix missing display of three mount options (bsc#1190317).
- commit 93d0b09
- cifs: fix various whitespace errors in headers (bsc#1190317).
- commit bea92d2
- cifs: minor cleanup of some headers (bsc#1190317).
- commit eb82a98
- RDMA/core: Don't infoleak GRH fields (bsc#1209778 CVE-2021-3923)
- commit 007f267
- cifs: skip alloc when request has no pages (bsc#1190317).
- commit 10815ee
- cifs: remove ->writepage (bsc#1190317).
- commit 2c2004f
- cifs: stop using generic_writepages (bsc#1190317).
- commit 000147c
- cifs: add check for returning value of SMB2_set_info_init
(bsc#1190317).
- commit cba1815
- cifs: Fix wrong return value checking when GETFLAGS
(bsc#1190317).
- commit 3e78b62
- cifs: add check for returning value of SMB2_close_init
(bsc#1190317).
- commit 46060ff
- cifs: Fix connections leak when tlink setup failed
(bsc#1190317).
- commit 8cec257
- tipc: fix NULL deref in tipc_link_xmit() (bsc#1209289
CVE-2023-1390).
- commit 91c876a
- bs-upload-kernel: Do not skip post-build-checks
- commit 5443633
- Update
patches.suse/net-sched-atm-dont-intepret-cls-results-when-asked-t.patch
(bsc#1207036 CVE-2023-23454 bsc#1207125 CVE-2023-23455).
- Update
patches.suse/net-sched-cbq-dont-intepret-cls-results-when-asked-t.patch
(bsc#1207036 CVE-2023-23454 bsc#1207125 CVE-2023-23455).
- commit 03cf48f
- timers: Clear timer_base::must_forward_clk with (bsc#1207890)
- commit 665e881
- arm64/cpufeature: Fix field sign for DIT hwcap detection (git-fixes)
- commit d6d271d
- arm64: cmpxchg_double*: hazard against entire exchange variable (git-fixes)
- commit a0c51f7
- net/sched: tcindex: update imperfect hash filters respecting
rcu (CVE-2023-1281 bsc#1209634).
- rcu: Upgrade rcu_swap_protected() to rcu_replace_pointer()
(CVE-2023-1281 bsc#1209634).
- commit 79d6cb4
- crypto: arm64 - Fix unused variable compilation warnings of (git-fixes)
- commit 3f3dfdc
- arm64: fix oops in concurrently setting insn_emulation sysctls (git-fixes)
- commit 11f2537
- arm64: Do not forget syscall when starting a new thread. (git-fixes)
- commit 27dfefa
- arm64: Mark __stack_chk_guard as __ro_after_init (git-fixes)
- commit 551a661
- arm64/vdso: Discard .note.gnu.property sections in vDSO (git-fixes)
- commit b2f00e4
- blacklist.conf: ("arm64: alternatives: Move length validation in alternative_{insn,")
- commit 750c32b
- KVM: arm64: Hide system instruction access to Trace registers (git-fixes)
- commit 2e3ed1c
- arm64: psci: Avoid printing in cpu_psci_cpu_die() (git-fixes)
- commit 66c3a8b
- blacklist.conf: ("arm64: Change .weak to SYM_FUNC_START_WEAK_PI for")
- commit add4723
- arm64/mm: return cpu_all_mask when node is NUMA_NO_NODE (git-fixes)
- commit 65bd4cc
- arm64/alternatives: move length validation inside the subsection (git-fixes)
- commit d2aefa8
- arm64: Use test_tsk_thread_flag() for checking TIF_SINGLESTEP (git-fixes)
- commit 2354853
- arm64/alternatives: don't patch up internal branches (git-fixes)
- commit 259ff6d
- arm64/alternatives: use subsections for replacement sequences (git-fixes)
- commit 206be22
- arm64/cpufeature: Drop TraceFilt feature exposure from ID_DFR0 register (git-fixes)
Refresh patches.suse/arm64-cpufeature-Allow-different-PMU-versions-in-ID_DFR0_EL1.patch
- commit a0b4d86
- blacklist.conf: ("arm64: cpufeature: Relax checks for AArch32 support at EL[0-2]")
- commit 99d129d
- blacklist.conf: ("arm64: Delete the space separator in __emit_inst")
- commit e989773
- blacklist.conf: ("arm64: fix alternatives with LLVM's integrated assembler")
- commit eabb21e
- Revert "arm64: dts: juno: add dma-ranges property" (git-fixes)
- commit 472652a
- arm64: psci: Reduce the waiting time for cpu_psci_cpu_kill() (git-fixes)
- commit 126253f
- blacklist.conf: ("arm64: fix unreachable code issue with cmpxchg")
- commit 27e2384
- arm64: kpti: ensure patched kernel text is fetched from PoU (git-fixes)
- commit ed14da7
- arm64/mm: fix variable 'pud' set but not used (git-fixes)
- commit bb80a31
- arm64: unwind: Prohibit probing on return_address() (git-fixes)
- commit 84859a4
- blacklist.conf: ("arm64/efi: Mark __efistub_stext_offset as an absolute symbol")
- commit 7448304
- arm64: Fix compiler warning from pte_unmap() with (git-fixes)
- commit f112362
- arm64: cpu_ops: fix a leaked reference by adding missing of_node_put (git-fixes)
- commit 80aa069
- arm64: kprobe: make page to RO mode when allocate it (git-fixes)
- commit 0375ba2
- cifs: fix use-after-free caused by invalid pointer `hostname`
(bsc#1190317).
- commit a20d808
- cifs: Fix pages leak when writedata alloc failed in
cifs_write_from_iter() (bsc#1190317).
- commit f847274
- cifs: Fix pages array leak when writedata alloc failed in
cifs_writedata_alloc() (bsc#1190317).
- commit d37ea58
- cifs: use stub posix acl handlers (bsc#1190317).
- commit ee8407b
- cifs: update internal module number (bsc#1190317).
- commit 7ab3edc
- cifs: Fix memory leak when build ntlmssp negotiate blob failed
(bsc#1190317).
- commit 98ff997
- cifs: fix memory leaks in session setup (bsc#1190317).
- commit c763ca5
- cifs: Fix xid leak in cifs_flock() (bsc#1190317).
- commit dacf024
- cifs: Fix xid leak in cifs_copy_file_range() (bsc#1190317).
- commit 3de8885
- cifs: Fix xid leak in cifs_create() (bsc#1190317).
- commit 705ac59
- smb3: improve SMB3 change notification support (bsc#1190317).
- commit fde51a0
- cifs: lease key is uninitialized in two additional functions
when smb1 (bsc#1190317).
- commit 2f04807
- cifs: lease key is uninitialized in smb1 paths (bsc#1190317).
- commit ff35bdf
- smb3: must initialize two ACL struct fields to zero
(bsc#1190317).
- commit 0955f83
- cifs: fix double-fault crash during ntlmssp (bsc#1190317).
- commit 9254cdc
- cifs: use ALIGN() and round_up() macros (bsc#1190317).
- Refresh patches.suse/cifs-fix-negotiate-context-parsing.patch.
- commit 53d873a
- cifs: prevent copying past input buffer boundaries
(bsc#1190317).
- commit 62868f6
- smb3: fix oops in calculating shash_setkey (bsc#1190317).
- commit 5afee83
- cifs: secmech: use shash_desc directly, remove sdesc
(bsc#1190317).
- commit 55bc867
- cifs: remove initialization value (bsc#1190317).
- commit 8fe3a94
- smb3: rename encryption/decryption TFMs (bsc#1190317).
- commit 87d5689
- usb: typec: altmodes/displayport: Fix probe pin assign check
(git-fixes).
- commit 5ce7845
- scsi: lpfc: Return DID_TRANSPORT_DISRUPTED instead of
DID_REQUEUE (bsc#1199837).
- commit 2f806c6
- USB: misc: iowarrior: fix up header size for
USB_DEVICE_ID_CODEMERCS_IOW100 (git-fixes).
- commit 198956a
- Fix formatting of client smbdirect RDMA logging (bsc#1190317).
- commit 51fd618
- Handle variable number of SGEs in client smbdirect send
(bsc#1190317).
- commit 6d2118f
- Reduce client smbdirect max receive segment size (bsc#1190317).
- commit 92e56ee
- Decrease the number of SMB3 smbdirect client SGEs (bsc#1190317).
- commit 7f2c69f
- cifs: Fix the error length of VALIDATE_NEGOTIATE_INFO message
(bsc#1190317).
- commit 29e7c59
- cifs: destage dirty pages before re-reading them for cache=none
(bsc#1190317).
- commit 70d82b6
- cifs: return correct error in ->calc_signature() (bsc#1190317).
- commit b8c45e4
- cifs: misc: fix spelling typo in comment (bsc#1190317).
- commit 4f07bbc
- cifs: avoid use of global locks for high contention data
(bsc#1190317).
- Refresh
patches.suse/cifs-add-missing-spinlock-around-tcon-refcount.patch.
- Refresh patches.suse/cifs-remove-useless-DeleteMidQEntry-.patch.
Context adjustment.
- commit be7ee22
- cifs: add missing spinlock around tcon refcount (bsc#1190317).
- commit 0886941
- cifs: always initialize struct msghdr smb_msg completely
(bsc#1190317).
- commit bc42256
- cifs: don't send down the destination address to sendmsg for
a SOCK_STREAM (bsc#1190317).
- commit 4cd0dc6
- cifs: revalidate mapping when doing direct writes (bsc#1190317).
- commit fdcc906
- cifs: fix small mempool leak in SMB2_negotiate() (bsc#1190317).
- commit eb1b54c
- cifs: Add helper function to check smb1+ server (bsc#1190317).
- commit 260556f
- cifs: Use help macro to get the mid header size (bsc#1190317).
- commit 11dd1d2
- cifs: skip extra NULL byte in filenames (bsc#1190317).
- commit d9c1046
- cifs: Use help macro to get the header preamble size
(bsc#1190317).
- commit 1c1c393
- netlink: prevent potential spectre v1 gadgets (bsc#1209547
CVE-2017-5753).
- commit 179a403
- ppc64le: HWPOISON_INJECT=m (bsc#1209572).
- commit 9bc607c
- tracing/hwlat: Replace sched_setaffinity with
set_cpus_allowed_ptr (git-fixes).
- commit 10ecebb
- ring-buffer: remove obsolete comment for free_buffer_page()
(git-fixes).
- commit fb36562
- ftrace: Fix invalid address access in lookup_rec() when index
is 0 (git-fixes).
- commit 2107853
- blacklist.conf: add not-relevant tracing fixes
- commit 89e5ff0
- net: usb: smsc75xx: Limit packet length to skb->len (git-fixes).
- commit 59b5ef4
- tracing: Add NULL checks for buffer in
ring_buffer_free_read_page() (git-fixes).
- commit 4ba90d9
- blacklist.conf: might break certifications
- commit bd7ab11
- blacklist.conf: kABI
- commit c99b186
- blacklist.conf: irrelevant in our configs
- commit e0f4fc3
- blacklist.conf: kABI
- commit 9748c72
- blacklist.conf: kABI
- commit abd6f40
- blacklist.conf: blacklist Documentation because we
will not update the documentation package in SLE12 anyway
- commit b4fe007
- Refresh
patches.suse/scsi-qla2xxx-Add-option-to-disable-FC2-Target-suppor.patch.
- commit 37fbfe8
- xen-netfront: Fix NULL sring after live migration (git-fixes).
- commit 739342e
- xen/netfront: stop tx queues during live migration (git-fixes).
- commit ac8b9c0
- xen-netfront: fix potential deadlock in xennet_remove()
(git-fixes).
- Refresh
patches.suse/xen-netfront-force-data-bouncing-when-backend-is-unt.patch.
- commit 9294dd7
- xen/netfront: fix waiting for xenbus state change (git-fixes).
- commit fe29b44
- xen-netfront: wait xenbus state change when load module manually
(git-fixes).
- commit 0c71330
- xen-netfront: Update features after registering netdev
(git-fixes).
- commit c77bad3
- xen-netfront: Fix mismatched rtnl_unlock (git-fixes).
- commit db4108c
- xen-netfront: Fix race between device setup and open
(git-fixes).
- Refresh
patches.suse/xen-netfront-don-t-trust-the-backend-response-data-b.patch.
- commit a087822
- blacklist.conf: add 9e6246518592 ("xen/netback: don't call kfree_skb() under spin_lock_irqsave()")
- commit cae7fc6
- blacklist.conf: add 7dfa764e0223 ("xen/netback: fix build warning")
- commit 31b3ee5
- blacklist.conf: add 5834e72eda0b ("xen/netback: do some code cleanup")
- commit 6487e56
- x86/xen: Fix memory leak in xen_init_lock_cpu() (git-fixes).
- commit 4ce0c85
- x86/xen: Fix memory leak in xen_smp_intr_init{_pv}()
(git-fixes).
- commit 36249b4
- xen/platform-pci: add missing free_irq() in error path
(git-fixes).
- commit dd25a55
- xen-netfront: enable device after manual module load
(git-fixes).
- commit 6ce0b56
- blacklist.conf: add ce6f7d087e2b ("Input: xen-kbdfront - fix multi-touch XenStore node's locations")
- commit 9866d94
- blacklist.conf: added 02a0d9216d4da ("Input: xen-kbdfront - do not advertise multi-touch pressure support")
- commit 4d70cca
- x86/paravirt: Fix callee-saved function ELF sizes (git-fixes).
- Refresh
patches.suse/x86-prepare-inline-asm-for-straight-line-speculation.patch.
- commit be50a99
- SUNRPC: Fix a server shutdown leak (git-fixes).
- commit b391b37
- Revert "mei: me: enable asynchronous probing" (bsc#1208048,
bsc#1209126).
- commit 9a95c7f
- cifs: fix open leaks in open_cached_dir() (bsc#1209342).
- commit 6fa5ff4
- media: dvb-usb: az6027: fix null-ptr-deref in az6027_i2c_xfer()
(bsc#1209291 CVE-2023-28328).
- commit 0a0d765
- rpm/group-source-files.pl: Fix output difference when / is in location
While previous attempt to fix group-source-files.pl in 6d651362c38
"rpm/group-source-files.pl: Deal with {pre,post}fixed / in location"
breaks the infinite loop, it does not properly address the issue. Having
prefixed and/or postfixed forward slash still results in different
output.
This commit changes the script to use the Perl core module File::Spec
for proper path manipulation to give consistent output.
- commit 4161bf9
- Bluetooth: btusb: Add VID:PID 13d3:3529 for Realtek RTL8821CE
(git-fixes).
- commit a77868e
- Bluetooth: btusb: don't call kfree_skb() under
spin_lock_irqsave() (git-fixes).
- commit 0b2e609
- blacklist.conf: false positive
- commit 7dfc594
- ima: Fix function name error in comment (git-fixes).
- commit 889bacc
- kfifo: fix ternary sign extension bugs (git-fixes).
- commit efc9af2
- blacklist.conf: irrelevant in our configurations
- commit fcaf3c0
- blacklist.conf: kABI
- commit 5f50816
- blacklist.conf: changes exported defaults
- commit 6e19056
- PM: hibernate: flush swap writer after marking (git-fixes).
- commit d5d514d
- blacklist.conf: false positive
- commit bcee6d7
- blacklist.conf: kABI
- commit ee8665f
- blacklist.conf: false positive
- commit 38a7585
- kgdb: Drop malformed kernel doc comment (git-fixes).
- commit 16f0840
- blacklist.conf: kABI
- commit 836cdb8
- dt-bindings: reset: meson8b: fix duplicate reset IDs
(git-fixes).
- commit 758f2cb
- timers/sched_clock: Prevent generic sched_clock wrap caused
by tick_freeze() (git-fixes).
- commit c1996c6
- blacklist.conf: irrelevant documentation
- commit 14b48ad
- blacklist.conf: false positive
- commit 24553f6
- usb: dwc3: gadget: Stop processing more requests on IMI
(git-fixes).
- commit 1e1ba8c
- Update patches.suse/net_sched-add-__rcu-annotation-to-netdev-qdisc.patch.
- fix a mistake in the CVE-2023-0590 / bsc#1207795 backport
- commit 005c9da
- Require suse-kernel-rpm-scriptlets at all times.
The kernel packages call scriptlets for each stage, add the dependency
to make it clear to libzypp that the scriptlets are required.
There is no special dependency for posttrans, these scriptlets run when
transactions are resolved. The plain dependency has to be used to
support posttrans.
- commit 56c4dbe
- Replace mkinitrd dependency with dracut (bsc#1202353).
Also update mkinitrd references in documentation and comments.
- commit e356c9b
- prlimit: do_prlimit needs to have a speculation check
(bsc#1209256 CVE-2017-5753).
- commit fca254e
- rpm/kernel-obs-build.spec.in: Remove SLE11 cruft
- commit 871eeb4
- usb: dwc3: exynos: Fix remove() function (git-fixes).
- commit 1162027
- usb: chipidea: fix deadlock in ci_otg_del_timer (git-fixes).
- commit c85689a
- blacklist.conf: duplicate
- commit 9a30402
- blacklist.conf: false positive
- commit 6886a4a
- NET: usb: qmi_wwan: Adding support for Cinterion MV31
(git-fixes).
- commit 64d8c67
- Update
patches.suse/l2tp-fix-race-in-pppol2tp_release-with-session-objec.patch
(bsc#1076830 bsc#1208850 CVE-2022-20567).
- commit 47065bb
- tap: tap_open(): correctly initialize socket uid (CVE-2023-1076
bsc#1208599).
- tun: tun_chr_open(): correctly initialize socket uid
(CVE-2023-1076 bsc#1208599).
- net: add sock_init_data_uid() (CVE-2023-1076 bsc#1208599).
- netfilter: nf_tables: fix null deref due to zeroed list head
(CVE-2023-1095 bsc#1208777).
- commit c4928a4
- Delete
patches.suse/livepatch-define-a-macro-for-new-api-identification.patch.
This definition was used by kgraft codestreams (SLE12-SP3), but the
livepatch support for such codestreams has ended.
- commit 4fbaecf
- Do not sign the vanilla kernel (bsc#1209008).
- commit cee4d89
- PCI: PM: Avoid forcing PCI_D0 for wakeup reasons inconsistently
(git-fixes).
- PCI: Use pci_update_current_state() in pci_enable_device_flags()
(git-fixes).
- PCI/MSI: Skip masking MSI-X on Xen PV (git-fixes).
- PCI/MSI: Enforce MSI entry updates to be visible (git-fixes).
- PCI/MSI: Enforce that MSI-X table entry is masked for update
(git-fixes).
- PCI/MSI: Mask all unused MSI-X entries (git-fixes).
- PCI: aardvark: Fix checking for PIO Non-posted Request
(git-fixes).
- PCI: aardvark: Fix kernel panic during PIO transfer (git-fixes).
- PCI: xgene-msi: Fix race in installing chained irq handler
(git-fixes).
- PCI: qcom: Use PHY_REFCLK_USE_PAD only for ipq8064 (git-fixes).
- PCI/PM: Avoid using device_may_wakeup() for runtime PM
(git-fixes).
- Refresh
patches.suse/0002-PCI-PM-Use-the-NEVER_SKIP-driver-flag.patch.
- commit 7a5a840
- media: platform: ti: Add missing check for devm_regulator_get
(git-fixes).
- commit 38e97d5
- media: coda: Add check for kmalloc (git-fixes).
- commit 95a83e8
- media: coda: Add check for dcoda_iram_alloc (git-fixes).
- commit da6b661
- rpm/group-source-files.pl: Deal with {pre,post}fixed / in location
When the source file location provided with -L is either prefixed or
postfixed with forward slash, the script gets stuck in an infinite loop
inside calc_dirs() where $path is an empty string.
user@localhost:/tmp> perl "$HOME/group-source-files.pl" -D devel.files -N nondevel.files -L /usr/src/linux-5.14.21-150500.41/
...
path = /usr/src/linux-5.14.21-150500.41/Documentation/Kconfig
path = /usr/src/linux-5.14.21-150500.41/Documentation
path = /usr/src/linux-5.14.21-150500.41
path = /usr/src
path = /usr
path =
path =
path =
... # Stuck in an infinite loop
This works around the issue by breaking out of the loop once path is an
empty string. For a proper fix we'd want something that is
filesystem-aware, but this workaround should be enough for the rare
occasion that this script is run manually.
Link: http://mailman.suse.de/mlarch/SuSE/kernel/2023/kernel.2023.03/msg00024.html
- commit 6d65136
- vxlan: changelink: Fix handling of default remotes (git-fixes).
- commit 353bf78
- vxlan: Fix error path in __vxlan_dev_create() (git-fixes).
- commit 4d54675
- net: aquantia: fix RSS table and key sizes (git-fixes).
- commit 3b040c8
- bonding: fix 802.3ad state sent to partner when unbinding slave
(git-fixes).
- commit 45191af
- vlan: Fix vlan insertion for packets without ethernet header
(git-fixes).
- commit 95ac5e1
- vlan: Fix out of order vlan headers with reorder header off
(git-fixes).
- commit 59cf369
- media: rc: Fix use-after-free bugs caused by ene_tx_irqsim()
(CVE-2023-1118 bsc#1208837).
- commit e793953
- xfrm: Copy policy family in clone_policy (git-fixes).
- commit 9d47068
- netfilter: ipvs: Fix inappropriate output of procfs (git-fixes).
- commit 8eff166
- netfilter: xt_connlimit: don't store address in the conn nodes
(git-fixes).
- commit b335237
- icmp: don't fail on fragment reassembly time exceeded
(git-fixes).
- commit ba8013a
- scsi: qla2xxx: Add option to disable FC2 Target support
(bsc#1198438 bsc#1206103).
- Delete
patches.suse/revert-scsi-qla2xxx-Changes-to-support-FCP2-Target.patch.
- commit 6206180
- PCI: Unify ACS quirk desired vs provided checking (git-fixes).
- PCI: Make ACS quirk implementations more uniform (git-fixes).
- commit 6452eb0
- KABI FIX FOR: NFS: Pass error information to the pgio error
cleanup routine (git-fixes).
- commit 00c859b
- KABI FIX FOR - SUNRPC: Fix priority queue fairness (git-fixes).
- commit 91b67c9
- README.BRANCH: Adding myself to the maintainer list
- commit 8fc11b2
- kernel-module-subpackage: Fix expansion with -b parameter (bsc#1208179).
When -b is specified the script is prefixed with KMP_NEEDS_MKINITRD=1
which sets the variable for a simple command.
However, the script is no longer a simple command. Export the variable
instead.
- commit 152a069
- ocfs2: Fix data corruption after failed write (bsc#1208542).
- commit c0b9b40
- kabi/severities: add l2tp local symbols
- commit 63a39ae
- l2tp: Serialize access to sk_user_data with sk_callback_lock
(bsc#1205711 CVE-2022-4129).
- commit ef8f012
- l2tp: fix race in duplicate tunnel detection (bsc#1205711
CVE-2022-4129).
- commit 6a8247c
- l2tp: fix races in tunnel creation (bsc#1205711 CVE-2022-4129).
- commit 4e92c0b
- Refresh
patches.suse/sctp-fail-if-no-bound-addresses-can-be-used-for-a-gi.patch.
- commit d76f4ba
- nfsd: fix race to check ls_layouts (git-fixes).
- pNFS/filelayout: Fix coalescing test for single DS (git-fixes).
- SUNRPC: ensure the matching upcall is in-flight upon downcall
(git-fixes).
- nfsd: fix handling of readdir in v4root vs. mount upcall timeout
(git-fixes).
- nfsd: under NFSv4.1, fix double svc_xprt_put on rpc_create
failure (git-fixes).
- nfs: Fix nfsi->nrequests count error on nfs_inode_remove_request
(git-fixes).
- NFS: Pass error information to the pgio error cleanup routine
(git-fixes).
- SUNRPC: Fix priority queue fairness (git-fixes).
- commit 24274be
- blacklist.conf: updates
- commit 79d0f01
- scripts/sequence-patch.sh: remove obsolete egrep
Avoids a warning and prepares for ultimate removal - boo#1203092
- commit 7a787f7
- PCI: aardvark: Don't touch PCIe registers if no card connected
(git-fixes).
- PCI: aardvark: Indicate error in 'val' when config read fails
(git-fixes).
- PCI: aardvark: Improve link training (git-fixes).
- PCI: aardvark: Don't blindly enable ASPM L0s and don't write
to read-only register (git-fixes).
- PCI: aardvark: Train link immediately after enabling training
(git-fixes).
- PCI: Add ACS quirk for Intel Root Complex Integrated Endpoints
(git-fixes).
- PCI: Avoid FLR for AMD Starship USB 3.0 (git-fixes).
- PCI: Avoid FLR for AMD Matisse HD Audio & USB 3.0 (git-fixes).
- PCI: endpoint: Fix for concurrent memory allocation in OB
address region (git-fixes).
- kabi: PCI: endpoint: Fix for concurrent memory allocation in
OB address region (git-fixes).
- PCI: endpoint: Cast the page number to phys_addr_t (git-fixes).
- PCI: aardvark: Remove PCIe outbound window configuration
(git-fixes).
- PCI: aardvark: Introduce an advk_pcie_valid_device() helper
(git-fixes).
- commit 36c0f12
- PCI: aardvark: Don't rely on jiffies while holding spinlock
(git-fixes).
- PCI: aardvark: Wait for endpoint to be ready before training
link (git-fixes).
- PCI/PM: Always return devices to D0 when thawing (git-fixes).
- PCI: tegra: Fix OF node reference leak (git-fixes).
- commit d6e8f39
- applicom: Fix PCI device refcount leak in applicom_init()
(git-fixes).
- PCI: Add ACS quirk for iProc PAXB (git-fixes).
- Refresh
patches.suse/PCI-Add-ACS-quirk-for-Amazon-Annapurna-Labs-root-por.patch.
- Refresh
patches.suse/PCI-Add-ACS-quirk-for-Broadcom-BCM57414-NIC.patch.
- PCI: PM: Avoid skipping bus-level PM on platforms without ACPI
(git-fixes).
- PCI: aardvark: Fix a leaked reference by adding missing
of_node_put() (git-fixes).
- commit 5dd1a12
- blacklist.conf: powerpc math emulation is not used
- commit 7904b57
- blacklist.conf: 8e1278444446 powerpc/32: Fix overread/overwrite of thread_struct via ptrace
- commit 1292ac8
- powerpc/fscr: Enable interrupts earlier before calling
get_user() (bsc#1065729).
- Refresh patches.suse/powerpc-add-interrupt_cond_local_irq_enable-helper.patch
- powerpc/powernv: Fix build error in opal-imc.c when NUMA=n
(bsc#1065729).
- commit 9101ec0
- powerpc/eeh: Fix use-after-release of EEH driver (bsc#1065729).
- powerpc/powernv: IMC fix out of bounds memory access at shutdown
(bsc#1065729).
- commit f7b6c1a
- blacklist.conf: Add oops_limit accretion disk
- commit 26414f9
- blacklist.conf: fda31c50292a signal: avoid double atomic counter increments for user accounting
- commit ad47077
- blacklist.conf: Add 11e31f608b49 watchdog/softlockup: Enforce that timestamp is valid on boot
- commit 312b206
- ipmi: fix initialization when workqueue allocation fails
(git-fixes).
- commit 62cff13
- ipmi: msghandler: Make symbol 'remove_work_wq' static
(git-fixes).
- commit f48a444
- blacklist.conf: Add 0e48f51cbbfb Revert "libata, freezer: avoid block device removal while system is frozen"
- commit 3b5d052
- net/ethernet/freescale: rework quiesce/activate for ucc_geth (git-fixes).
- commit 354903d
- net: bmac: Fix read of MAC address from ROM (git-fixes).
- commit f260cf5
- net: qed*: Reduce RX and TX default ring count when running inside kdump kernel (git-fixes).
- commit b08ffb4
- Refresh patches.suse/af_unix-fix-races-in-sk_peer_pid-and-sk_peer_cred-ac.patch.
- commit e51ef45
- Revert "af_unix: fix races in sk_peer_pid and sk_peer_cred accesses"
This reverts commit e49e1b0f7e662d5b071015f05ead8185cb31f049
since it breaks the kernel.
- commit f1351a4
- Revert "sock.h: hide new member (bsc#1194535 CVE-2021-4203)."
This reverts commit 3cef23f4011eda051233a2e9572ae1d789313f41
since it breaks the kernel
- commit f66a3cf
- SUNRPC: make lockless test safe (bsc#1207201).
- commit 155aec2
- sock.h: hide new member (bsc#1194535 CVE-2021-4203).
- commit 3cef23f
- af_unix: fix races in sk_peer_pid and sk_peer_cred accesses
(bsc#1194535 CVE-2021-4203).
- commit e49e1b0
- sock.h: hide new member (bsc#1194535 CVE-2021-4203).
- commit ec6bedc
- af_unix: fix races in sk_peer_pid and sk_peer_cred accesses
(bsc#1194535 CVE-2021-4203).
- commit b12b939
- Refresh
patches.suse/sctp-fail-if-no-bound-addresses-can-be-used-for-a-gi.patch.
- commit b1becb2
- net: mpls: fix stale pointer if allocation fails during device
rename (bsc#1208700 CVE-2023-26545).
- commit d61392c
- blacklist.conf: add few PCI patches
- commit 52e540a
- ARM: 8702/1: head-common.S: Clear lr before jumping to start_kernel() (git-fixes)
- commit 0e2e532
- x86/mm: Randomize per-cpu entry area (bsc#1207845
CVE-2023-0597).
- refresh patches.suse/x86-cpu_entry_area-Map-also-trace_idt_table.patch.
- commit 6cab2a4
- block: bio-integrity: Copy flags when bio_integrity_payload
is cloned (bsc#1208541).
- commit 1c1919f
- scsi: qla2xxx: Remove the unused variable wwn (bsc#1208570).
- scsi: qla2xxx: Simplify if condition evaluation (bsc#1208570).
- scsi: qla2xxx: Use a variable for repeated mem_size computation
(bsc#1208570).
- scsi: qla2xxx: Make qla_trim_buf() and __qla_adjust_buf()
static (bsc#1208570).
- scsi: qla2xxx: Fix printk() format string (bsc#1208570).
- scsi: qla2xxx: Update version to 10.02.08.200-k (bsc#1208570).
- scsi: qla2xxx: Select qpair depending on which CPU post_cmd()
gets called (bsc#1208570).
- scsi: qla2xxx: edif: Fix clang warning (bsc#1208570).
- scsi: qla2xxx: edif: Reduce memory usage during low I/O
(bsc#1208570).
- scsi: qla2xxx: edif: Fix stall session after app start
(bsc#1208570).
- scsi: qla2xxx: edif: Fix performance dip due to lock contention
(bsc#1208570).
- scsi: qla2xxx: Relocate/rename vp map (bsc#1208570).
- scsi: qla2xxx: Remove dead code (GNN ID) (bsc#1208570).
- scsi: qla2xxx: Remove dead code (GPNID) (bsc#1208570).
- scsi: qla2xxx: Remove dead code (bsc#1208570).
- scsi: qla2xxx: Update version to 10.02.08.100-k (bsc#1208570).
- scsi: qla2xxx: Fix IOCB resource check warning (bsc#1208570).
- scsi: qla2xxx: Remove increment of interface err cnt
(bsc#1208570).
- scsi: qla2xxx: Fix erroneous link down (bsc#1208570).
- scsi: qla2xxx: Remove unintended flag clearing (bsc#1208570).
- scsi: qla2xxx: Fix stalled login (bsc#1208570).
- scsi: qla2xxx: Fix exchange oversubscription for management
commands (bsc#1208570).
- scsi: qla2xxx: Fix exchange oversubscription (bsc#1208570).
- scsi: qla2xxx: Fix DMA-API call trace on NVMe LS requests
(bsc#1208570).
- scsi: qla2xxx: Fix link failure in NPIV environment
(bsc#1208570).
- scsi: qla2xxx: Check if port is online before sending ELS
(bsc#1208570).
- commit 649e0ec
- git_sort: tests: do not disable package repository GPG check
This adds the Kernel repository key and enables GPG check for package
installation inside containers.
- commit b2615b2
- git_sort: tests: Adjust to new net repository location
- commit de2dc43
- git_sort: tests: Fix tests failing on SLE15
Use the correct base image, pygit2 is not found by python otherwise.
- commit 1088359
- git_sort: tests: exit on error
- commit 767bb07
- blacklist.conf: feature not a fix
- commit 1443bd3
- blacklist.conf: feature not a fix
- commit ee1e977
- ipmi: fix memleak when unload ipmi driver (git-fixes).
- commit d05158b
- blacklist.conf: cosmetic fix
- commit 4b9f79b
- ipmi: fix use after free in _ipmi_destroy_user() (git-fixes).
- commit 2d46d95
- git_sort: tests: Use 15.4, 15.3 is EOL
- commit 3624818
- git_sort: tests: Kernel:tools does not have Leap repos, use SLE
- commit 46626b0
- scripts/renamepatches: Fix grep warning
grep: warning: stray \ before /
- commit 20e6e67
- scripts/renamepatches: Exclude search in irrelevant files
Especially large files in kabi/ can be simply avoided on slow devices
(or NFS).
- commit 9e1b932
- ipmi: Fix UAF when uninstall ipmi_si and ipmi_msghandler module
(git-fixes).
- commit 4c304c0
- ipmi: Move remove_work to dedicated workqueue (git-fixes).
- commit 7662fa0
- net: dsa: mv88e6xxx: Allow dsa and cpu ports in multiple vlans
(git-fixes).
- commit ae05a84
- blacklist.conf: add blacklist
- commit d1dd69b
- blacklist.conf: update blacklist
- commit 8b2622c
- blacklist.conf: update blacklist
- commit 50d7ebf
- blacklist.conf: update blacklist
- commit a32c2b4
- blacklist.conf: update blacklist
- commit 941a0ae
- blacklist.conf: update blacklist
- commit ac031d8
- x86/power: Fix 'nosmt' vs hibernation triple fault during resume
(git-fixes).
- Refresh
patches.suse/cpu-smt-create-and-export-cpu_smt_possible.patch.
- commit 3ddadd1
- x86/stacktrace: Prevent infinite loop in arch_stack_walk_user()
(git-fixes).
- x86/build: Add 'set -e' to mkcapflags.sh to delete broken
capflags.c (git-fixes).
- x86/atomic: Fix smp_mb__{before,after}_atomic() (git-fixes).
- x86/PCI: Fix PCI IRQ routing table memory leak (git-fixes).
- x86/mm: Remove in_nmi() warning from 64-bit implementation of
vmalloc_fault() (git-fixes).
- x86/irq/64: Limit IST stack overflow check to #DB stack
(git-fixes).
- x86/uaccess, signal: Fix AC=1 bloat (git-fixes).
- x86/ia32: Fix ia32_restore_sigcontext() AC leak (git-fixes).
- commit 4fdbd92
- blacklist.conf: add some x86 commits
- commit 89c0d93
- scripts/renamepatches: Optimize search
Use bash hashmap instead of grepping list file.
sample:
5.0s -> 2.5s
Composed result with previous commit on SLE15-SP4->SLE15-SP5:
original
Executed in 207.82 secs fish external
usr time 263.64 secs 459.00 micros 263.64 secs
sys time 60.61 secs 185.00 micros 60.61 secs
optimized
Executed in 65.73 secs fish external
usr time 49.16 secs 639.00 micros 49.16 secs
sys time 18.52 secs 0.00 micros 18.52 secs
- commit 68e276c
- scripts/renamepatches: Optimize forks
Use single awk instead of multiple utilities.
sample:
6.4s -> 5.0s
- commit c44b590
- blacklist.conf: kABI
- commit 6c2dd7a
- blacklist.conf: false positive from stable
- commit 4cb1a8d
- net: allwinner: Fix use correct return type for ndo_start_xmit()
(git-fixes).
- commit a06fb6c
- gtp: set NLM_F_MULTI flag in gtp_genl_dump_pdp() (git-fixes).
- commit 8e95e4e
- net: systemport: suppress warnings on failed Rx SKB allocations
(git-fixes).
- commit 34c447d
- net: bcmgenet: suppress warnings on failed Rx SKB allocations
(git-fixes).
- commit e3d888b
- net/mlx5e: Set of completion request bit should not clear
other adjacent bits (git-fixes).
- commit 1fccfde
- net: stmmac: Fix sub-second increment (git-fixes).
- commit 7bcb4c9
- blacklist.conf: regression due to missing feature in boot loader
- commit d40e68d
- xhci: Don't show warning for reinit on known broken suspend
(git-fixes).
- commit 60f17f0
- USB: serial: console: move mutex_unlock() before
usb_serial_put() (git-fixes).
- commit e9ada32
- USB: serial: ch341: fix disabled rx timer on older devices
(git-fixes).
- commit 1f1a3d6
- usb: dwc3: fix PHY disable sequence (git-fixes).
- commit f44e5ac
- usb: ohci-nxp: Fix refcount leak in ohci_hcd_nxp_probe
(git-fixes).
- commit c8ee3cd
- usb: host: Fix refcount leak in ehci_hcd_ppc_of_probe
(git-fixes).
- commit d5892e7
- usb: dwc3: gadget: Fix event pending check (git-fixes).
- commit 3dadb30
- usb: musb: fix MUSB_QUIRK_B_DISCONNECT_99 handling (git-fixes).
- commit 9a54c12
- blacklist.conf: remove duplicated entry
- commit 09dbb7d
- Update SUSE Root certificate file
Pull the root certificate from a later bundle where it is correctly
marked as CA certificate. Without this the certificate won't be added
into CA bundle.
- commit b2e67d7
- prlimit: do_prlimit needs to have a speculation check
(git-fixes).
- signal handling: don't use BUG_ON() for debugging (git-fixes).
- panic: unset panic_on_warn inside panic() (git-fixes).
- ptrace: make ptrace() fail if the tracee changed its pid
unexpectedly (git-fixes).
- don't dump the threads that had been already exiting when zapped
(git-fixes).
- kernel/sys.c: avoid copying possible padding bytes in
copy_to_user (git-fixes).
- commit b9bfdd9
- kbuild: clear LDFLAGS in the top Makefile (bsc#1203200).
- Refresh patches.suse/supported-flag.
- commit d60d0fc
- blacklist.conf: add couple CORE patches
- commit 40318d8
- net: usb: qmi_wwan: add Quectel RM520N (git-fixes).
- commit 381f355
- net: usb: cdc_mbim: avoid altsetting toggling for Telit FN990
(git-fixes).
- commit 4a8728c
- net: usb: qmi_wwan: Add support for Dell DW5829e (git-fixes).
- commit 7a53afd
- net: usb: cdc_mbim: avoid altsetting toggling for Telit LN920
(git-fixes).
- commit 4eade98
- net: usb: lan78xx: don't modify phy_device state concurrently
(git-fixes).
- commit 6ef7677
- blacklist.conf: add a cleanup to disable -Wmaybe-uninitialized
- commit 5840861
- blacklist.conf: duplicate
- commit 59bea49
- blacklist.conf: add a mips-only specific revert
- commit 2cf8eeb
- net/usb: kalmia: Don't pass act_len in usb_bulk_msg error path
(git-fixes).
- commit 4e09bf9
- blacklist.conf: add a not-strictly needed fw-loading fix
- commit 229946b
- net: USB: Fix wrong-direction WARNING in plusb.c (git-fixes).
- commit 4cc9e19
- net: usb: sr9700: Handle negative len (git-fixes).
- commit e4e2a28
- usb: rndis_host: Secure rndis_query check against int overflow
(CVE-2023-23559 bsc#1207051).
- commit e207be8
- xfs: Fix unreferenced object reported by kmemleak in
xfs_sysfs_init() (git-fixes).
- commit 8137300
- xfs: fix realtime bitmap/summary file truncation when growing
rt volume (git-fixes).
- commit e4116fa
- xfs: make sure the rt allocator doesn't run off the end
(git-fixes).
- commit 6e43199
- xfs: initialize the shortform attr header padding entry
(git-fixes).
- commit 362da99
- xfs: Fix UBSAN null-ptr-deref in xfs_sysfs_init (git-fixes).
- commit 80c6365
- xfs: fix partially uninitialized structure in
xfs_reflink_remap_extent (git-fixes).
- commit 9049b82
- xfs: fix mount failure crash on invalid iclog memory access
(git-fixes).
- commit 1d08499
- xfs: fix attr leaf header freemap.size underflow (git-fixes).
- commit 1653047
- xfs: Fix bulkstat compat ioctls on x32 userspace (git-fixes).
- commit ab6f871
- xfs: require both realtime inodes to mount (git-fixes).
- commit 2e5ec52
- xfs: fix use-after-free race in xfs_buf_rele (git-fixes).
- commit fcdc154
- xfs: fix leaks on corruption errors in xfs_bmap.c (git-fixes).
- commit 2114c43
- drm/vmwgfx: Avoid NULL-ptr deref in vmw_cmd_dx_define_query() (bsc#1203331 CVE-2022-38096)
- commit e1a86c1
- blacklist.conf: Blacklist the patch below
- Delete
patches.suse/ext4-don-t-BUG-if-someone-dirty-pages-without-asking.patch
to replace it with a better alternative we have in other branches
- commit d1f6219
- x86/mce: Fix -Wmissing-prototypes warnings (git-fixes).
- Refresh
patches.suse/x86-mce-amd-edac-mce_amd-add-new-mp5-nbio-and-pcie-smca-bank-types.patch.
- commit 04b9b60
- cpu/hotplug: Fix "SMT disabled by BIOS" detection for KVM
(git-fixes).
- kABI: cpu/hotplug: reexport cpu_smt_control (kabi).
- Refresh
patches.suse/cpu-smt-create-and-export-cpu_smt_possible.patch.
- commit 450f659
- x86/hpet: Prevent potential NULL pointer dereference
(git-fixes).
- x86/mm: Don't leak kernel addresses (git-fixes).
- x86/MCE/AMD: Carve out the MC4_MISC thresholding quirk
(git-fixes).
- x86/MCE/AMD: Turn off MC4_MISC thresholding on all family 0x15
models (git-fixes).
- x86/kexec: Don't setup EFI info if EFI runtime is not enabled
(git-fixes).
- x86/fpu: Add might_fault() to user_insn() (git-fixes).
- commit 5915eb8
- x86/speculation: Remove SPECTRE_V2_IBRS in enum
spectre_v2_mitigation (bsc#1068032 CVE-2017-5754).
- Refresh
patches.suse/x86-retpoline-remove-minimal-retpoline-support.patch.
- Refresh
patches.suse/x86-speculation-Add-spectre_v2-ibrs-option-to-support-Kern.patch.
- Refresh
patches.suse/x86-speculation-add-eibrs-retpoline-options.patch.
- Refresh
patches.suse/x86-speculation-rename-retpoline_amd-to-retpoline_lfence.patch.
- Refresh
patches.suse/x86-speculation-support-enhanced-ibrs-on-future-cpus.patch.
Make IBRS patches closer to upstream.
- commit 4cf6d38
- x86/speculation: Add support for STIBP always-on preferred mode
(git-fixes).
- x86/speculation: Change misspelled STIPB to STIBP (git-fixes).
- Refresh
patches.suse/x86-speculation-Add-spectre_v2-ibrs-option-to-support-Kern.patch.
- Refresh
patches.suse/x86-speculation-add-eibrs-retpoline-options.patch.
- Refresh
patches.suse/x86-speculation-allow-ibpb-to-be-conditionally-enabled-on-cpus-with-always-on-stibp.patch.
- Refresh
patches.suse/x86-speculation-avoid-force-disabling-ibpb-based-on-stibp-and-enhanced-ibrs.patch.
- Refresh
patches.suse/x86-speculation-merge-one-test-in-spectre_v2_user_select_mitigation.patch.
- Refresh
patches.suse/x86-speculation-pr_spec_force_disable-enforcement-for-indirect-branches.patch.
Update STIBP patches to be closer to upstream.
- commit 1ef4c9a
- drm/vmwgfx: Validate the box size for the snooped cursor (bsc#1203332 CVE-2022-36280)
- commit 9894e8b
- x86/earlyprintk: Add a force option for pciserial device
(git-fixes).
- x86/mce-inject: Reset injection struct after injection
(git-fixes).
- kprobes, x86/ptrace.h: Make regs_get_kernel_stack_nth() not
fault on bad stack (git-fixes).
- x86/mce/mce-inject: Preset the MCE injection struct (git-fixes).
- commit f94b2cc
- blk-mq: fix possible memleak when register 'hctx' failed
(git-fixes).
- md/raid1: stop mdx_raid1 thread when raid1 array run failed
(git-fixes).
- md: fix a crash in mempool_free (git-fixes).
- nbd: Fix NULL pointer in flush_workqueue (git-fixes).
- commit e68f2dc
- blacklist.conf: add non-backport git-fixes commit
- commit b53530a
- x86: boot: Fix EFI stub alignment (git-fixes).
- commit 35efa28
- x86/bugs: Move the l1tf function and define pr_fmt properly
(git-fixes).
- Refresh
patches.suse/0001-x86-litf-Introduce-vmx-status-variable.patch.
- Refresh
patches.suse/0007-x86-kvm-Allow-runtime-control-of-L1D-flush.patch.
- Refresh
patches.suse/0010-x86-bugs-kvm-Introduce-boot-time-control-of-L1TF-mit.patch.
- Refresh
patches.suse/x86-speculation-mds-add-mitigation-control-for-mds.patch.
- Refresh
patches.suse/x86-speculation-reorder-the-spec_v2-code.patch.
- Refresh
patches.suse/x86-speculation-support-mitigations-cmdline-option.patch.
- commit 1843a69
- Refresh patches.suse/x86-l1tf-06-add-sysfs-report.patch.
- Refresh
patches.suse/0001-x86-litf-Introduce-vmx-status-variable.patch.
- Refresh
patches.suse/0010-x86-bugs-kvm-Introduce-boot-time-control-of-L1TF-mit.patch.
Update to upstream version (X86_FEATURE_L1TF_PTEINV).
- commit 89f9e4a
- blacklist.conf: Add 86989c41b5ea signal: Always ignore SIGKILL and SIGSTOP sent to the global init
- commit bed9df8
- scripts/osc_wrapper: Assign spec with *.spec file when building
Commit 270fc6884c5b ("scripts/osc_wrapper: Pass more options to osc"),
decided that only the last argument of osc_wrapper can be the spec file.
But on commit 30f26fbbe86c ("scripts/osc_wrapper: Accept --ibs | --obs
as the first parameter"), it swaps the order of arguments, leaving
--ibs/--obs as the last ones.
This creates a problem when running osc_wrapper with --ibs
kernel-default.spec, since it'll add the specfile in osc_args, and
letting spec variable empty. Later on, if spec is empty, the find_spec
function is called, setting the spec automatically. The end result is
messy:
$ ./scripts/osc_wrapper --ibs kernel-source/kernel-default.spec
osc -A https://api.suse.de build --no-service --local-package --alternative-project=Devel:Kernel:SLE15-SP4 + kernel-source/kernel-default.spec + <some other options here...> + --define klp_symbols 1 standard kernel-source/kernel-default.spec
The osc command contains two spec definitions, which is wrong. The first
one is wrongly assumed to be an argument to be used for osc or
osc_wrapper.
The fix is to respect the argument of *.spec and assign it to spec
variable, and let other options to be handled by the code that is
currently present.
- commit 86d0aae
- blacklist.conf: Add 4a7ba45b1a43 memcg: fix possible use-after-free in memcg_write_event_control()
- commit a63545b
- blacklist.conf: Add a4055888629b mm/memcg: warning on !memcg after readahead page charged
- commit df06b7b
- blacklist.conf: Add 9a137153fc87 mm/memcg: fix device private memcg accounting
- commit 633912b
- blacklist.conf: Add d477f8c202d1 cpuset: restore sanity to cpuset_cpus_allowed_fallback()
- commit 53f3608
- arm64: kaslr: Reserve size of ARM64_MEMSTART_ALIGN in linear region (git-fixes)
- commit 5ab30ad
- net: mana: Fix IRQ name - add PCI and queue number
(bsc#1207875).
- commit b36fcf8
- x86/asm: Add instruction suffixes to bitops (git-fixes).
- x86/entry/64: Add instruction suffix (git-fixes).
- kprobes, x86/alternatives: Use text_mutex to protect
smp_alt_modules (git-fixes).
- x86/asm: Remove unnecessary \n\t in front of CC_SET() from
asm templates (git-fixes).
- blacklist.conf: remove it from there
- commit 42cc16d
- blacklist.conf: add some x86 commits
- commit 9547ab1
- x86/bugs: Flush IBP in ib_prctl_set() (bsc#1207773
CVE-2023-0045).
- commit 18b587b
- tracing: Make sure trace_printk() can output as soon as it
can be used (git-fixes).
- commit 15c6ed8
- tracing: Fix infinite loop in tracing_read_pipe on overflowed
print_trace_line (git-fixes).
- commit 720bed5
- jbd2: use the correct print format (git-fixes).
- commit 022b5a0
- tracing: Avoid adding tracer option before update_tracer_options
(git-fixes).
- commit 3c24529
- tracing: Fix sleeping function called from invalid context on
RT kernel (git-fixes).
- commit f5a6b6f
- tracing: incorrect isolate_mote_t cast in mm_vmscan_lru_isolate
(git-fixes).
- commit d9419a4
- tracing: Ensure trace buffer is at least 4096 bytes large
(git-fixes).
- commit 73dee6a
- tracing: Fix tp_printk option related with
tp_printk_stop_on_boot (git-fixes).
- commit 9ae70c5
- tracing: Fix a kmemleak false positive in tracing_map
(git-fixes).
- commit 146abd5
- scsi: target: core: Add CONTROL field for trace events
(git-fixes).
- commit 5f4b9f3
- blacklist.conf: add not-relevant tracing fixes
- commit 6dbf1ea
- blacklist.conf: add qcom one thanks to present workaround
- commit 56b5e15
- Refresh
patches.suse/PCI-ACPI-Allow-D3-only-if-Root-Port-can-signal-and-w.patch.
Avoid compiler warning:
drivers/pci/pci-acpi.c: In function ‘acpi_pci_bridge_d3’:
drivers/pci/pci-acpi.c:549:5: warning: unused variable ‘val’ [-Wunused-variable]
u8 val;
^~~
- commit 94c9b34
- PCI/sysfs: Fix double free in error path (git-fixes).
- PCI: Check for alloc failure in pci_request_irq() (git-fixes).
- PCI: Fix pci_device_is_present() for VFs by checking PF
(git-fixes).
- PCI: Sanitise firmware BAR assignments behind a PCI-PCI bridge
(git-fixes).
- PCI: Fix used_buses calculation in pci_scan_child_bus_extend()
(git-fixes).
- PCI/ASPM: Correct LTR_L1.2_THRESHOLD computation (git-fixes).
- PCI/ASPM: Declare threshold_ns as u32, not u64 (git-fixes).
- commit 1a1e3cb
- blacklist.conf: Add guards
- d6810d730022 ("memcg, THP, swap: make mem_cgroup_swapout() support THP")
- 00f3ca2c2d66 ("mm: memcontrol: per-lruvec stats infrastructure")
- 1f4aace60b0e ("fs/seq_file.c: simplify seq_file iteration code and interface")
- commit fd302dd
- virtio_console: eliminate anonymous module_init & module_exit
(git-fixes).
- virtio_console: break out of buf poll on remove (git-fixes).
- commit 04f33be
- Update
patches.kabi/usb.h-struct-usb_device-hide-new-member.patch
(bsc#1206664 CVE-2022-4662).
- Update
patches.suse/USB-core-Prevent-nested-device-reset-calls.patch
(bsc#1206664 CVE-2022-4662).
- commit 3097f42
- net: sched: fix race condition in qdisc_graft() (CVE-2023-0590
bsc#1207795).
- net_sched: add __rcu annotation to netdev->qdisc (CVE-2023-0590
bsc#1207795).
- commit 880415e
- blacklist.conf: 8219d31effa7 powerpc/lib/sstep: Fix build errors with newer binutils
Always building for at least POWER8
- commit 224de10
- blacklist.conf: Add fb5bf31722d0 fork: fix some -Wmissing-prototypes warnings
- commit dcf40c8
- blacklist.conf: Add 22839869f21a signal: Introduce COMPAT_SIGMINSTKSZ for use in compat_sys_sigaltstack
- commit 4599dd7
- blacklist.conf: Add db8dd9697238 cgroup-v1: cgroup_pidlist_next should update position index
- commit 6b34bd8
- memcg: remove memcg_cgroup::id from IDR on
mem_cgroup_css_alloc() failure (bsc#1208108).
- commit f958549
- blacklist.conf: Remove spurious whitespace
- commit 79063d5
- blacklist.conf: Add d08afa149acf mm, memcg: fix mem_cgroup_swapout() for THPs
- commit 0c330fd
- blacklist.conf: Add 4eaf431f6f71 memcg: fix per_node_info cleanup
- commit fb05fe9
- blacklist.conf: Add more unsupported ppc architecture paths
- commit e6a4392
- blacklist.conf: PCI bus numbering fixes for unsupported architectures
- commit 507eeac
- Update patches.suse/lightnvm-remove-lightnvm-implemenation.patch
(bsc#1191881 bsc#1201420 CVE-2022-2991).
- commit 125ae88
- blacklist.conf: not a fix, but a cleanup
- commit 6c62aaf
- blacklist.conf: cosmetic
- commit 89c1ac7
- blacklist.conf: feature, not a fix
- commit 7abc364
- blacklist.conf: false positive
- commit 89c7fc0
- scsi: hpsa: Fix allocation size for scsi_host_alloc()
(git-fixes).
- scsi: snic: Fix possible UAF in snic_tgt_create() (git-fixes).
- scsi: fcoe: Fix transport not deattached when fcoe_if_init()
fails (git-fixes).
- scsi: ipr: Fix WARNING in ipr_init() (git-fixes).
- scsi: scsi_debug: Fix possible name leak in
sdebug_add_host_helper() (git-fixes).
- scsi: fcoe: Fix possible name leak when device_register()
fails (git-fixes).
- scsi: hpsa: Fix possible memory leak in hpsa_add_sas_device()
(git-fixes).
- scsi: hpsa: Fix error handling in hpsa_add_sas_host()
(git-fixes).
- scsi: mpt3sas: Fix possible resource leaks in
mpt3sas_transport_port_add() (git-fixes).
- scsi: hpsa: Fix possible memory leak in hpsa_init_one()
(git-fixes).
- scsi: scsi_debug: Fix a warning in resp_write_scat()
(git-fixes).
- drbd: destroy workqueue when drbd device was freed (git-fixes).
- drbd: use after free in drbd_create_device() (git-fixes).
- drbd: remove usage of list iterator variable after loop
(git-fixes).
- drbd: fix potential silent data corruption (git-fixes).
- Revert "scsi: core: run queue if SCSI device queue isn't ready
and queue is idle" (git-fixes).
- drbd: dynamically allocate shash descriptor (git-fixes).
- drbd: Change drbd_request_detach_interruptible's return type
to int (git-fixes).
- drbd: fix print_st_err()'s prototype to match the definition
(git-fixes).
- drbd: do not block when adjusting "disk-options" while IO is
frozen (git-fixes).
- drbd: reject attach of unsuitable uuids even if connected
(git-fixes).
- drbd: ignore "all zero" peer volume sizes in handshake
(git-fixes).
- commit 0a624a5
- blacklist.conf: Add powerpc inapplicable fixes.
- commit 7e5ff14
- blacklist.conf: Add more unsupported architecture paths
- commit a9d28f3
- blacklist.conf: Giving up on memtrace on 4.12 kernel
It's hopelessly outdated. It may work for some uses but definitely
cannot be fixed to work reliably. It's only available on powernv, anyway.
- commit 52370b2
- Refresh
patches.suse/sctp-fail-if-no-bound-addresses-can-be-used-for-a-gi.patch.
- commit 850359a
- blacklist.conf: remove git-fix commit
Added before but now the context appears present.
- commit ca7ebf0
- Refresh
patches.suse/sctp-fail-if-no-bound-addresses-can-be-used-for-a-gi.patch.
Since it is not upstream.
- commit 71b544b
- scsi: smartpqi: use processor ID for hwqueue for non-mq case.
- commit f7c419d
- Revert "scsi: smartpqi: set force_blk_mq=1.(bsc#1205397)"
This reverts commit 10f3936c627ef942dd3b1e94d001f74978249b48.
- commit 08dc3b9
- module: Don't wait for GOING modules (bsc#1196058, bsc#1186449,
bsc#1204356, bsc#1204662).
- commit 4f27069
- sctp: fail if no bound addresses can be used for a given scope
(bsc#1206677).
- commit 297ccbe
- Input: iforce - wake up after clearing IFORCE_XMIT_RUNNING flag
(git-fixes).
Heavily modified, as prerequisites for taking it as is would
utterly ruin kABI
- commit f6a5968
- iforce: restore old iforce_dump_packet (git-fixes).
- commit 4231d1c
- Input: iforce - reformat the packet dump output (git-fixes).
- commit dc68ca6
- Input: i8042 - Add quirk for Fujitsu Lifebook T725 (git-fixes).
- commit 234f459
- blacklist.conf: designed to break kABI
- commit 8b4ffca
- parisc: Fix HP SDC hpa address output (git-fixes).
- commit 810aa94
- parisc: Fix serio address output (git-fixes).
- commit 0f57ebf
- Input: do not use WARN() in input_alloc_absinfo() (git-fixes).
- commit 84da185
- Input: replace hard coded string with __func__ in pr_err()
(git-fixes).
- commit cda312b
- Input: convert autorepeat timer to use timer_setup()
(git-fixes).
- commit cbdf2f3
- Input: switch to using sizeof(*type) when allocating memory
(git-fixes).
- commit 8f71a2f
- Input: use seq_puts() in input_devices_seq_show() (git-fixes).
- commit 1b69f50
- Input: use seq_putc() in input_seq_print_bitmap() (git-fixes).
- commit f2b9cd4
- blacklist.conf: blacklist drivers/input/touchscreen/stmfts.c
Support for this driver has been added in v4.13 with
78bcac7b2ae1e4f6e96c68ff353c140669ea231c, which we have
not taken in SLE12. Silence the scripts.
- commit 86c295f
- struct dwc3: move new members to the end (git-fixes).
- commit 09b2302
- usb: dwc3: core: Fix ULPI PHYs and prevent phy_get/ulpi_init
during suspend/resume (git-fixes).
- Refresh
patches.suse/usb-dwc3-Disable-phy-suspend-after-power-on-reset.patch.
- commit d6a4fb0
- usb: dwc3: core: Call dwc3_core_get_phy() before initializing
phys (git-fixes).
- commit f2e20db
- usb: dwc3: core: initialize ULPI before trying to get the PHY
(git-fixes).
- commit ca7dae7
- README: remove copy of config and update the text (bsc#1191924)
* the config is copied by sequence_patch.
* it makes no sense to copy a file called "default" to the build tree
anyway.
* update the text, so that prerequisites are pre-installed.
- commit aef2a28
- scripts/python-bugzilla: Apply SUSE Bugzilla URL
- commit 4e69d74
- scripts: Reduce repetitions of Bugzilla URL
Just use the DEFAULT_BZ as vendored with python-bugzilla.
(rpm/config.sh usually specifies BUGZILLA_SERVER but it has been ignored
so far, don't deviate from that).
- commit eb1f26e
- scripts/python-bugzilla: Apply SUSE patches to python-bugzilla
- commit 029c1e9
- scripts: Update scripts/bugzilla
Raw copy from [1] a7c324041175a4157823bc2332a046cc2a54d105.
To access the REST API add
[apibugzilla.suse.com]
api_key = your_api_key
to ~/.bugzillarc
[1] https://github.com/python-bugzilla/python-bugzilla
- commit ccf7f1d
- usb: dwc3: Disable phy suspend after power-on reset (git-fixes).
- commit ba1784c
- tracing/cfi: Fix cmp_entries_* functions signature mismatch
(git-fixes).
- commit 6fe5958
- tracing: Fix stack trace event size (git-fixes).
- commit 6ddfce9
- ftrace: Fix updating FTRACE_FL_TRAMP (git-fixes).
- commit f3f9c2c
- tracing: Use address-of operator on section symbols (git-fixes).
- commit ff93892
- trigger_next should increase position index (git-fixes).
- commit 6f1b4bf
- ftrace: fpid_next() should increase position index (git-fixes).
- commit c8a082f
- tracing: Set kernel_stack's caller size properly (git-fixes).
- commit b0151c0
- tracing: Adding NULL checks for trace_array descriptor pointer
(git-fixes).
- commit 08a9d55
- ftrace: Enable trampoline when rec count returns back to one
(git-fixes).
- Refresh
patches.suse/ftrace-Do-not-blindly-read-the-ip-address-in-ftrace_bug.patch.
- Refresh
patches.suse/ftrace-Fix-char-print-issue-in-print_ip_ins.patch.
- commit c714737
- ftrace: Fix NULL pointer dereference in
free_ftrace_func_mapper() (git-fixes).
- commit 5646431
- blacklist.conf: add not-relevant ftrace fixes
- commit 5961e96
- blacklist.conf: add a kdb fix which breaks kABI
- commit 7191d79
- blacklist.conf: add a kbuild compiler options cleanup
- commit 5e6755f
- blacklist.conf: add not-relevant fixes for the switch_sched event
- commit ebfa63d
- blacklist.conf: Add upstream config paths.
- commit 55c391f
- xen-netfront: Fix hang on device removal (bsc#1206698).
- commit 619f87d
- HID: check empty report_list in hid_validate_values()
(git-fixes, bsc#1206784).
- commit 0c3e451
- HID: betop: fix slab-out-of-bounds Write in betop_probe
(git-fixes, bsc#1207186).
- commit 29e41ae
- HID: betop: check shape of output reports (git-fixes,
bsc#1207186).
- commit b716c1e
- git_sort: add usb-linus branch for gregkh/usb
- commit ea34985
- audit: ensure userspace is penalized the same as the kernel
when under pressure (bsc#1204514).
- commit 424bf73
- ALSA: pcm: Move rwsem lock inside snd_ctl_elem_read to prevent
UAF (CVE-2023-0266 bsc#1207134).
- commit 55a788e
- audit: improve robustness of the audit queue handling
(bsc#1204514).
- commit 6afddf3
- blacklist.conf: Add memcg unusable fixes
- Add c3cc39118c36 mm: memcontrol: fix NR_WRITEBACK leak in memcg and system stats
- Add e27be240df53 mm: memcg: make sure memory.events is uptodate when waking pollers
- Add c892fd82cc06 mm: memcg: add __GFP_NOWARN in __memcg_schedule_kmem_cache_create()
- Add 0b3d6e6f2dd0 mm: writeback: use exact memcg dirty counts
- commit 6350151
- dm thin: Use last transaction's pmd->root when commit failed
(git-fixes).
- dm thin: resume even if in FAIL mode (git-fixes).
- dm cache: set needs_check flag after aborting metadata
(git-fixes).
- dm cache: Fix ABBA deadlock between shrink_slab and
dm_cache_metadata_abort (git-fixes).
- dm thin: Fix ABBA deadlock between shrink_slab and
dm_pool_abort_metadata (git-fixes).
- dm cache: Fix UAF in destroy() (git-fixes).
- dm thin: Fix UAF in run_timer_softirq() (git-fixes).
- blktrace: Fix output non-blktrace event when blk_classic option
enabled (git-fixes).
- dm ioctl: fix misbehavior if list_versions races with module
loading (git-fixes).
- md/raid5: Wait for MD_SB_CHANGE_PENDING in raid5d (git-fixes).
- nbd: Fix hung when signal interrupts nbd_start_device_ioctl()
(git-fixes).
- sbitmap: Avoid leaving waitqueue in invalid state in
__sbq_wake_up() (git-fixes).
- drivers:md:fix a potential use-after-free bug (git-fixes).
- nbd: fix io hung while disconnecting device (git-fixes).
- nbd: fix race between nbd_alloc_config() and module removal
(git-fixes).
- nbd: call genl_unregister_family() first in nbd_cleanup()
(git-fixes).
- md: protect md_unregister_thread from reentrancy (git-fixes).
- block, bfq: protect 'bfqd->queued' by 'bfqd->lock' (git-fixes).
- dm ioctl: prevent potential spectre v1 gadget (git-fixes).
- loop: use sysfs_emit() in the sysfs xxx show() (git-fixes).
- dm space map common: add bounds check to sm_ll_lookup_bitmap()
(git-fixes).
- dm btree: add a defensive bounds check to insert_at()
(git-fixes).
- floppy: Add max size check for user space request (git-fixes).
- blk-cgroup: fix missing put device in error path from
blkg_conf_pref() (git-fixes).
- blk-throttle: fix UAF by deleteing timer in blk_throtl_exit()
(git-fixes).
- cryptoloop: add a deprecation warning (git-fixes).
- virtio-blk: Fix memory leak among suspend/resume procedure
(git-fixes).
- dm space maps: don't reset space map allocation cursor when
committing (git-fixes).
- block: only update parent bi_status when bio fail (git-fixes).
- dm verity: skip verity work if I/O error when system is shutting
down (git-fixes).
- dm table: Remove BUG_ON(in_interrupt()) (git-fixes).
- Revert "dm cache: fix arm link errors with inline" (git-fixes).
- nbd: fix a block_device refcount leak in nbd_release
(git-fixes).
- blk-cgroup: Pre-allocate tree node on blkg_conf_prep
(git-fixes).
- blk-cgroup: Fix memleak on error path (git-fixes).
- nbd: make the config put is called before the notifying the
waiter (git-fixes).
- blk-mq: insert request not through ->queue_rq into sw/scheduler
queue (git-fixes).
- bcache: fix super block seq numbers comparision in
register_cache_set() (git-fixes).
- blktrace: ensure our debugfs dir exists (git-fixes).
- blktrace: break out of blktrace setup on concurrent calls
(git-fixes).
- blktrace: fix endianness for blk_log_remap() (git-fixes).
- blktrace: fix endianness in get_pdu_int() (git-fixes).
- blktrace: use errno instead of bi_status (git-fixes).
- block/bio-integrity: don't free 'buf' if
bio_integrity_add_page() failed (git-fixes).
- dm zoned: return NULL if dmz_get_zone_for_reclaim() fails to
find a zone (git-fixes).
- ps3disk: use the default segment boundary (git-fixes).
- null_blk: fix spurious IO errors after failed past-wp access
(git-fixes).
- Revert "blkdev: check for valid request queue before issuing
flush" (git-fixes).
- block: Fix use-after-free issue accessing struct io_cq
(git-fixes).
- null_blk: Handle null_add_dev() failures properly (git-fixes).
- block, bfq: fix overwrite of bfq_group pointer in
bfq_find_set_group() (git-fixes).
- dm bio record: save/restore bi_end_io and bi_integrity
(git-fixes).
- brd: check and limit max_part par (git-fixes).
- nbd: add a flush_workqueue in nbd_start_device (git-fixes).
- compat_ioctl: block: handle BLKGETZONESZ/BLKGETNRZONES
(git-fixes).
- block: fix memleak when __blk_rq_map_user_iov() is failed
(git-fixes).
- nbd: fix shutdown and recv work deadlock v2 (git-fixes).
- nbd:fix memory leak in nbd_get_socket() (git-fixes).
- rsxx: add missed destroy_workqueue calls in remove (git-fixes).
- nbd: verify socket is supported during setup (git-fixes).
- nbd: handle racing with error'ed out commands (git-fixes).
- nbd: fix possible sysfs duplicate warning (git-fixes).
- commit 13f6ec9
- nbd: fix max number of supported devs (git-fixes).
- Refresh for the above change,
patches.suse/0006-nbd-don-t-update-block-size-after-device-is-started.patch.
- commit 0c94304
- nbd: add missing config put (git-fixes).
- loop: Add LOOP_SET_DIRECT_IO to compat ioctl (git-fixes).
- block/bio-integrity: fix a memory leak bug (git-fixes).
- nbd: fix crash when the blksize is zero (git-fixes).
- dm verity: use message limit for data block corruption message
(git-fixes).
- blk-mq: move cancel of requeue_work into blk_mq_release
(git-fixes).
- block: sed-opal: fix IOC_OPAL_ENABLE_DISABLE_MBR (git-fixes).
- block, bfq: increase idling for weight-raised queues
(git-fixes).
- dm thin: add sanity checks to thin-pool and external snapshot
creation (git-fixes).
- zram: fix double free backing device (git-fixes).
- dm flakey: Properly corrupt multi-page bios (git-fixes).
- dm crypt: use u64 instead of sector_t to store iv_offset
(git-fixes).
- dm kcopyd: Fix bug causing workqueue stalls (git-fixes).
- sunvdc: Do not spin in an infinite loop when vio_ldc_send()
returns EAGAIN (git-fixes).
- dm raid: avoid bitmap with raid4/5/6 journal device (git-fixes).
- amiflop: clean up on errors during setup (git-fixes).
- swim: fix cleanup on setup error (git-fixes).
- drivers/block/zram/zram_drv.c: fix bug storing backing_dev
(git-fixes).
- nbd: handle unexpected replies better (git-fixes).
- nbd: don't requeue the same request twice (git-fixes).
- nbd: Add the nbd NBD_DISCONNECT_ON_CLOSE config flag
(git-fixes).
- commit 687c872
- block: add a lower-level bio_add_page interface (git-fixes).
- Refresh for the above change,
patches.suse/block-remove-bvec_to_phys.patch.
- commit 1c0212c
- dm: Use kzalloc for all structs with embedded biosets/mempools
(git-fixes).
- block/swim: Select appropriate drive on device open (git-fixes).
- block/swim: Fix IO error at end of medium (git-fixes).
- block/swim: Check drive type (git-fixes).
- block/swim: Rename macros to avoid inconsistent inverted logic
(git-fixes).
- block/swim: Don't log an error message for an invalid ioctl
(git-fixes).
- m68k/mac: Don't remap SWIM MMIO region (git-fixes).
- commit 7216c12
- blacklist.conf: Add hung task detector optimizations
- Add 401c636a0eeb kernel/hung_task.c: show all hung tasks before panic
- Add a1c6ca3c6de7 kernel: hung_task.c: disable on suspend
- Add 168e06f7937d kernel/hung_task.c: force console verbose before panic
- Add 304ae42739b1 kernel/hung_task.c: break RCU locks based on jiffies
- commit 106657e
- blacklist.conf: Add de5b55c1d4e3 stop_machine: Use raw spinlocks
- commit 70e34be
- net: sched: disallow noqueue for qdisc classes (bsc#1207237
CVE-2022-47929).
- commit a70de61
- blacklist.conf: remove the following commits which will be
backported as git-fixes,
- f01b411f41f91fc3196eae4317cf8b4d872830a6
- 35d2835d2ac41dc0b3e3469f8e2b08ce9709ace8
- commit f91ec99
- blacklist.conf: add git-fixes commits which won't be backported
- commit b06014b
- blacklist.conf: Blacklist 307af6c87937
- commit c4d1659
- mbcache: add functions to delete entry if unused (bsc#1198971).
- commit e12f310
- mbcache: don't reclaim used entries (bsc#1198971).
- commit f6dfab7
- Update tags
patches.suse/ext4-Fix-check-for-block-being-out-of-directory-size.patch.
- commit b091c25
- rpm/mkspec-dtb: add riscv64 dtb-renesas subpackage
- commit 6020754
- blacklist.conf: Blacklist c915fb80eaa6
- commit 4862158
- blacklist.conf: Blacklist 7159a986b420
- commit 8b03a93
- udf: Fix a slab-out-of-bounds write bug in udf_find_entry()
(bsc#1206649).
- commit ef0b25b
- udf_get_extendedattr() had no boundary checks (bsc#1206648).
- commit 903c6ab
- udf: Check LVID earlier (bsc#1207108).
- commit 015783c
- udf: Fix NULL pointer dereference in udf_symlink function
(bsc#1206646).
- commit a391f82
- udf: fix silent AED tagLocation corruption (bsc#1206645).
- commit 1573f9a
- udf: Limit sparing table size (bsc#1206643).
- commit 458f745
- udf: Avoid accessing uninitialized data on failed inode read
(bsc#1206642).
- commit ae4803c
- udf: Fix free space reporting for metadata and virtual
partitions (bsc#1206641).
- commit a21c3d0
- udf: Fix BUG on corrupted inode (bsc#1207107).
- commit 142aae1
- quota: Check next/prev free block number after reading from
quota file (bsc#1206640).
- commit 1fd21c3
- blacklist.conf: Blacklist dd5532a4994b
- commit 1a95452
- blacklist.conf: Blacklist 10f04d40a9fa
- commit 9db6570
- blacklist.conf: Blacklist 6fcbcec9cfc7
- commit a38aa89
- quota: Lock s_umount in exclusive mode for Q_XQUOTA{ON,OFF}
quotactls (bsc#1207104).
- commit 9272ca4
- mm/filemap.c: clear page error before actual read (bsc#1206635).
- commit 9135482
- blacklist.conf: Blacklist 28ce50f8d96e
- commit 4884298
- isofs: reject hardware sector size > 2048 bytes (bsc#1207103).
- commit e46cdb2
- sbitmap: fix lockup while swapping (bsc#1206602).
- commit 6127981
- sbitmap: Avoid leaving waitqueue in invalid state in
__sbq_wake_up() (git-fixes).
- commit 8e6d6a5
- block, bfq: protect 'bfqd->queued' by 'bfqd->lock'
(bsc#1207102).
- commit 7338cee
- block, bfq: fix overwrite of bfq_group pointer in
bfq_find_set_group() (bsc#1175995,jsc#SLE-15608).
- commit d71d0e3
- blacklist.conf: Blacklist 5c099c4fdc43
- commit 665ce36
- ext4: fix undefined behavior in bit shift for
ext4_check_flag_values (bsc#1206890).
- commit 7faea59
- ext4: fix use-after-free in ext4_ext_shift_extents
(bsc#1206888).
- commit 0eea07e
- ext4: fix warning in 'ext4_da_release_space' (bsc#1206887).
- commit 7a14dda
- blacklist.conf: Blacklist d1052d236edd
- commit 0c9fa3b
- ext4: make ext4_lazyinit_thread freezable (bsc#1206885).
- commit bc2f14a
- ext4: fix null-ptr-deref in ext4_write_info (bsc#1206884).
- commit 9a43afd
- ext4: avoid crash when inline data creation follows DIO write
(bsc#1206883).
- commit b5cdb98
- ext4: continue to expand file system when the target size
doesn't reach (bsc#1206882).
- commit 49d324e
- blacklist.conf: Blacklist 613c5a85898d
- commit 54c3380
- ext4: avoid resizing to a partial cluster size (bsc#1206880).
- commit b7ada6c
- ext4: fix race when reusing xattr blocks (bsc#1198971).
- commit c7f8ba9
- ext4: unindent codeblock in ext4_xattr_block_set()
(bsc#1198971).
- commit cd983c4
- blacklist.conf: Blacklist 6bc0d63dad7f
- commit eaa9493
- blacklist.conf: Blacklist b24e77ef1c6d
- commit 7e9aa45
- ext4: recover csum seed of tmp_inode after migrating to extents
(bsc#1202713).
- commit 2f31cd1
- ext4: correct the misjudgment in ext4_iget_extra_inode
(bsc#1206878).
- commit 84de60f
- ext4: correct max_inline_xattr_value_size computing
(bsc#1206878).
- commit 65f415c
- ext4: fix use-after-free in ext4_xattr_set_entry (bsc#1206878).
- commit 3e25d04
- ext4: add EXT4_INODE_HAS_XATTR_SPACE macro in xattr.h
(bsc#1206878).
- commit cc87a22
- ext4: fix extent status tree race in writeback error recovery
path (bsc#1206877).
- commit ede473e
- ext4: update s_overhead_clusters in the superblock during an
on-line resize (bsc#1206876).
- commit 4f9eee6
- ext4: add reserved GDT blocks check (bsc#1202712).
- commit 22a4adc
- ext4: don't BUG if someone dirty pages without asking ext4 first
(bsc#1207097).
- blacklist.conf: Blacklist ea_inode related commits
- commit 9502092
- blacklist.conf: Blacklist 5dccdc5a1916
- commit 4f5adf1
- blacklist.conf: Blacklist b5776e7524af
- commit f1a0a1a
- ext4: Detect already used quota file early (bsc#1206873).
- commit 87720a2
- blacklist.conf: Blacklist 11215630aada
- commit eb3396e
- blacklist.conf: Blacklist 8418897f1bf8
- commit 16639ef
- blacklist.conf: Blacklist 907ea529fc4c
- commit 6a4fc32
- blacklist.conf: Blacklist a17a9d935dc4
- commit a76a169
- ext4: use matching invalidatepage in ext4_writepage
(bsc#1206858).
- commit aba337c
- blacklist.conf: Blacklist c96e2b8564ad
- commit 49f777f
- ext4: fix a data race at inode->i_disksize (bsc#1206855).
- commit 1cd40a2
- blacklist.conf: Blacklist f629afe3369e
- commit 2a1b322
- blacklist.conf: Blacklist 64d4ce892383
- commit ab3ecba
- blacklist.conf: Blacklist 65db869c754e
- commit bd9d268
- blacklist.conf: Blacklist 8c380ab4b7b5
- commit 6d50017
- ext4: prohibit fstrim in norecovery mode (bsc#1207094).
- commit 968ac45
- blacklist.conf: Blacklist 6c7328400e04
- commit 192eee8
- blacklist.conf: Blacklist ddccb6dbe780
- commit b7b4229
- ext4: clear mmp sequence number when remounting read-only
(bsc#1207093).
- commit 7957fbf
- ext4: fix argument checking in EXT4_IOC_MOVE_EXT (bsc#1207092).
- commit 9556f87
- blacklist.conf: Blacklist couple of commits
- commit d7f2f6c
- rpm/kernel-binary.spec.in: Add Enhances and Supplements tags to in-tree KMPs
This makes in-tree KMPs more consistent with externally built KMPs and
silences several rpmlint warnings.
- commit 02b7735
- rpm/check-for-config-changes: add OBJTOOL and FTRACE_MCOUNT_USE_*
Dummy gcc pretends to support -mrecord-mcount option but actual gcc on
ppc64le does not. Therefore ppc64le builds of 6.2-rc1 and later in OBS
enable FTRACE_MCOUNT_USE_OBJTOOL and OBJTOOL config options, resulting in
check failure.
As we already have FTRACE_MCOUNT_USE_CC and FTRACE_MCOUNT_USE_RECORDMCOUNT
in the exception list, replace them with a general pattern. And add OBJTOOL
as well.
- commit 887416f
- Add Tegra repository to git_sort.
- commit a3bc12e
- ext4: Fixup pages without buffers (bsc#1205495).
- commit 707f425
- Add support for enabling livepatching related packages on -RT (jsc#PED-1706)
- commit 9d41244
- scripts/git_sort/git_sort.py: Add arm-soc for-next tree.
- commit e5f5f10
- rpm/check-for-config-changes: add TOOLCHAIN_HAS_* to IGNORED_CONFIGS_RE
This new form was added in commit b8c86872d1dc (riscv: fix detection of
toolchain Zicbom support).
- commit e9f2ba6
- Add suse-kernel-rpm-scriptlets to kmp buildreqs (boo#1205149)
- commit 888e01e
- rpm/check-for-config-changes: loosen pattern for AS_HAS_*
This is needed to handle CONFIG_AS_HAS_NON_CONST_LEB128.
- commit bdc0bf7
- arm64: Discard .note.GNU-stack section (bsc#1203693 bsc#1209798).
- commit cab7952
- Revert "constraints: increase disk space for all architectures"
(bsc#1203693).
This reverts commit 43a9011f904bc7328d38dc340f5e71aecb6b19ca.
- commit 3d33373
- constraints: increase disk space for all architectures
References: bsc#1203693
aarch64 is already suffering. SLE15-SP5 x86_64 stats show that it is
very close to the limit.
- commit 43a9011
- scripts/CKC: don't output from shopt
shopt outputs the status of the flag, so that git grep looks like:
git grep -qi 'nocasematch off
^References:.*bsc#1202195' remotes/origin/SLE15-SP2-RT -- 'patches.*'
I don't know how it can work (it does -- maybe thanks to ^), but it's
not definitely OK.
So make shopt in term2regex() quiet.
- commit 9ca71fb
- scripts/CKC: store local branches with $USER prefix
So that on shared machines, it can be overwritten when expires.
- commit 1dae151
- scripts/CKC: speed up the git-grep
Search only in patches.*. I.e. skip especially all those large kabi
files.
The speedup is significant:
real 1m28,309s
to:
real 0m57,260s
- commit 2ea817a
- scripts/CKC: simplify print_branch
AFAIU, it's simply:
printf "%-23s"
- commit ec10bb9
- scripts/CKC: test accepts only =, not ==
And put $1 into "" too.
- commit acae7f9
- scripts/CKC: Don't use empty branches file
Don't use it and don't write neither.
- commit 311b204
- scripts/python/suse_git/header.py: Catch the use of "Not yet, submitted"
Also add a test case for it.
For submitted patches, you should use "Patch-mainline: Submitted"
rather than "Not yet, submitted". Enforce this in check-patchhdr so
that such mistakes are caught earlier.
- commit 475b64b
- scripts/CKC: Search also CVE and generic references
Sometimes it's useful to check that references exist, not the commit
itself.
- commit c34e0ed
- scripts/CKC: Make checker more specific
- commit 5cdb9a3
- scripts/CKC: Make checker script download branches.conf
Requires curl, downloads and caches the branches.conf file.
- commit e7c8885
- scripts/CKC: Modify check-kernel-commit to parse branches.conf
Thus we can use the same source of truth.
- commit 0c2b4b3
- scripts: Add helper script to search commit presence in kernel-source
The helper can have various uses. Checking for CVE patches is one of the
existing use cases.
This version of the script relies on file with branches to check.
It will be modified to be interoperable with branches.conf.
- commit 809939e
- x86: link vdso and boot with -z noexecstack --no-warn-rwx-segments
(bsc#1203200).
- Makefile: link with -z noexecstack --no-warn-rwx-segments
(bsc#1203200).
- commit 7e1d602
- git_sort: update netfilter repositories
The official URL of netfilter repositories (nf and nf-next) was changed by
mainline commit 1f6339e034d5 ("MAINTAINERS: netfilter: update git links")
and the old repositories (with "pablo") have not been updated since
May 2022.
- commit 33c6a43
- Update patch reference for libata fix (bsc#1118212).
- commit 16b85ae
- rpm/kernel-binary.spec.in: Fix missing kernel-preempt-devel and KMP Provides (bsc#1199046)
- commit 84d7ba8
- scripts/wd-functions.sh: fix get_branch_name() in worktree
Instead of using a hard-coded path for the git directory, use git
rev-parse with --git-dir flag, introduced since 0.99.7, to find the git
directory so branch name can be correctly detected while in git
worktrees.
- commit 283838a
- rpm/kernel-binary.spec.in: Add Provides of kernel-preempt (jsc#SLE-18857)
For smooth migration with the former kernel-preempt user, kernel-default
provides kernel-preempt now when CONFIG_PREEMPT_DYNAMIC is defined.
- commit d292a81
- libata: add horkage for ASMedia 1092 (git-fixes).
- commit 1ec1df0
- commit 8592674
- commit f575c68
- commit 2717fab
- krb5
-
- Fix prefix reported by krb5-config, libraries and headers are not
installed under /usr/lib/mit prefix. (bsc#1211411);
- Update logrotate script, call systemd to reload the services
instead of init-scripts; (bsc#1206152);
- libX11
-
- U_InitExt.c-Add-bounds-checks-for-extension-request-ev.patch
* Buffer overflows in InitExt.c (boo#1212102, CVE-2023-3138)
- U_Don-t-try-to-destroy-NULL-condition-variables.patch
* fixes regression introduced with security update for
CVE-2022-3555 (bsc#1204425, bsc#1208881)
- libcap
-
- Fixed integer overflow or wraparound in libcap/cap_alloc.c:_libcap_strdup()
(bsc#1211419 / CVE-2023-2603) CVE-2023-2603.patch
- libseccomp
-
- Speed up database handling when handling lots of rules like in docker
(bsc#1209407)
Added backported patches:
- 01-21b98d85e8bfdb701a5f9afd54ff5175af910a45.patch
- 02-19af04da86e9a4168a443f3563fc7aec8839edf0.patch
- libxml2
-
- Security update:
* [CVE-2023-29469, bsc#1210412] Hashing of empty dict strings
isn't deterministic
- Added patch libxml2-CVE-2023-29469.patch
* [CVE-2023-28484, bsc#1210411] NULL dereference in
xmlSchemaFixupComplexType
- Added patch libxml2-CVE-2023-28484-1.patch
- Added patch libxml2-CVE-2023-28484-2.patch
- libxslt
-
- Security Fix: [bsc#1208574, CVE-2021-30560]
* Use after free in Blink XSLT
* Add libxslt-CVE-2021-30560.patch
- libzypp
-
- curl: Trim user agent and custom header strings (bsc#1212187)
HTTP/2 RFC 9113 forbids fields ending with a space. Violation
results in curl error: 92: HTTP/2 PROTOCOL_ERROR.
- version 16.22.8 (0)
- zypp.conf: Introduce 'download.connect_timeout' [60 sec.]
(bsc#1208329)
Maximum time in seconds that you allow the connection phase to
the server to take. This only limits the connection phase, it has
no impact once it has connected. (see also CURLOPT_CONNECTTIMEOUT)
- version 16.22.7 (0)
- Removing a PTF without enabled repos should always fail
(bsc#1203248)
Without enabled repos, the dependent PTF-packages would be
removed (not replaced!) as well. To remove a PTF "zypper install
-- -PTF" or a dedicated "zypper removeptf PTF" should be used.
This will update the installed PTF packages to their latest
version.
- version 16.22.6 (0)
- lifecycle-data-sle-module-toolchain
-
- Added expiration data for GCC 11 yearly update for the Toolchain/Development modules.
(jsc#PM-3603, jsc#PED-2029)
- lvm2
-
- LVM volume groups are not being cleaned up after kiwi image build (bsc#1142550)
+ bug-1142550_02-LVM-vg-are-not-being-cleaned-up-after-kiwi-image-build.patch
- mozilla-nspr
-
- update to version 4.35
* fixes for building with clang
* use the number of online processors for the
PR_GetNumberOfProcessors() API on some platforms
* fix build on mips+musl libc
* Add support for the LoongArch 64-bit architecture
- mozilla-nss
-
- update to NSS 3.90
* bmo#1623338 - ride along: remove a duplicated doc page
* bmo#1623338 - remove a reference to IRC
* bmo#1831983 - clang-format lib/freebl/stubs.c
* bmo#1831983 - Add a constant time select function
* bmo#1774657 - Updating an old dbm with lots of certs with keys to sql results in a database that is slow to access.
* bmo#1830973 - output early build errors by default
* bmo#1804505 - Update the technical constraints for KamuSM
* bmo#1822921 - Add BJCA Global Root CA1 and CA2 root certificates
* bmo#1790763 - Enable default UBSan Checks
* bmo#1786018 - Add explicit handling of zero length records
* bmo#1829391 - Tidy up DTLS ACK Error Handling Path
* bmo#1786018 - Refactor zero length record tests
* bmo#1829112 - Fix compiler warning via correct assert
* bmo#1755267 - run linux tests on nss-t/t-linux-xlarge-gcp
* bmo#1806496 - In FIPS mode, nss should reject RSASSA-PSS salt lengths larger than the output size of the hash function used, or provide an indicator
* bmo#1784163 - Fix reading raw negative numbers
* bmo#1748237 - Repairing unreachable code in clang built with gyp
* bmo#1783647 - Integrate Vale Curve25519
* bmo#1799468 - Removing unused flags for Hacl*
* bmo#1748237 - Adding a better error message
* bmo#1727555 - Update HACL* till 51a72a953a4ee6f91e63b2816ae5c4e62edf35d6
* bmo#1782980 - Fall back to the softokn when writing certificate trust
* bmo#1806010 - FIPS-104-3 requires we restart post programmatically
* bmo#1826650 - cmd/ecperf: fix dangling pointer warning on gcc 13
* bmo#1818766 - Update ACVP dockerfile for compatibility with debian package changes
* bmo#1815796 - Add a CI task for tracking ECCKiila code status, update whitespace in ECCKiila files
* bmo#1819958 - Removed deprecated sprintf function and replaced with snprintf
* bmo#1822076 - fix rst warnings in nss doc
* bmo#1821997 - Fix incorrect pygment style
* bmo#1821292 - Change GYP directive to apply across platforms
* Add libsmime3 abi-check exception for NSS_CMSSignerInfo_GetDigestAlgTag
- Add nss-fix-bmo1836925.patch to fix build-errors
- Merge the libfreebl3-hmac and libsoftokn3-hmac packages
into the respective libraries. (bsc#1185116)
- update to NSS 3.89.1
* bmo#1804505 - Update the technical constraints for KamuSM.
* bmo#1822921 - Add BJCA Global Root CA1 and CA2 root certificates.
- update to NSS 3.89
* bmo#1820834 - revert freebl/softoken RSA_MIN_MODULUS_BITS increase
* bmo#1820175 - PR_STATIC_ASSERT is cursed
* bmo#1767883 - Need to add policy control to keys lengths for signatures
* bmo#1820175 - Fix unreachable code warning in fuzz builds
* bmo#1820175 - Fix various compiler warnings in NSS
* bmo#1820175 - Enable various compiler warnings for clang builds
* bmo#1815136 - set PORT error after sftk_HMACCmp failure
* bmo#1767883 - Need to add policy control to keys lengths for signatures
* bmo#1804662 - remove data length assertion in sec_PKCS7Decrypt
* bmo#1804660 - Make high tag number assertion failure an error
* bmo#1817513 - CKM_SHA384_KEY_DERIVATION correction maximum key
length from 284 to 384
* bmo#1815167 - Tolerate certificate_authorities xtn in ClientHello
* bmo#1789436 - Fix build failure on Windows
* bmo#1811337 - migrate Win 2012 tasks to Azure
* bmo#1810702 - fix title length in doc
* bmo#1570615 - Add interop tests for HRR and PSK to GREASE suite
* bmo#1570615 - Add presence/absence tests for TLS GREASE
* bmo#1804688 - Correct addition of GREASE value to ALPN xtn
* bmo#1789436 - CH extension permutation
* bmo#1570615 - TLS GREASE (RFC8701)
* bmo#1804640 - improve handling of unknown PKCS#12 safe bag types
* bmo#1815870 - use a different treeherder symbol for each docker
image build task
* bmo#1815868 - pin an older version of the ubuntu:18.04 and
20.04 docker images
* bmo#1810702 - remove nested table in rst doc
* bmo#1815246 - Export NSS_CMSSignerInfo_GetDigestAlgTag
* bmo#1812671 - build failure while implicitly casting SECStatus
to PRUInt32
- update to NSS 3.88.1
* bmo#1804640 - improve handling of unknown PKCS#12 safe bag types
- update to NSS 3.88
* bmo#1815870 - use a different treeherder symbol for each docker
image build task
* bmo#1815868 - pin an older version of the ubuntu:18.04 and
20.04 docker images
* bmo#1810702 - remove nested table in rst doc
* bmo#1815246 - Export NSS_CMSSignerInfo_GetDigestAlgTag.
* bmo#1812671 - build failure while implicitly casting SECStatus
to PRUInt32
* bmo#1212915 - Add check for ClientHello SID max length
* bmo#1771100 - Added EarlyData ALPN test support to BoGo shim
* bmo#1790357 - ECH client - Discard resumption TLS < 1.3
Session(IDs|Tickets) if ECH configs are setup
* bmo#1714245 - On HRR skip PSK incompatible with negotiated
ciphersuites hash algorithm
* bmo#1789410 - ECH client: Send ech_required alert on server
negotiating TLS 1.2. Fixed misleading Gtest,
enabled corresponding BoGo test
* bmo#1771100 - Added Bogo ECH rejection test support
* bmo#1771100 - Added ECH 0Rtt support to BoGo shim
* bmo#1747957 - RSA OAEP Wycheproof JSON
* bmo#1747957 - RSA decrypt Wycheproof JSON
* bmo#1747957 - ECDSA Wycheproof JSON
* bmo#1747957 - ECDH Wycheproof JSON
* bmo#1747957 - PKCS#1v1.5 wycheproof json
* bmo#1747957 - Use X25519 wycheproof json
* bmo#1766767 - Move scripts to python3
* bmo#1809627 - Properly link FuzzingEngine for oss-fuzz.
* bmo#1805907 - Extending RSA-PSS bltest test coverage
(Adding SHA-256 and SHA-384)
* bmo#1804091 - NSS needs to move off of DSA for integrity checks
* bmo#1805815 - Add initial testing with ACVP vector sets using
acvp-rust
* bmo#1806369 - Don't clone libFuzzer, rely on clang instead
- update to NSS 3.87
* bmo#1803226 - NULL password encoding incorrect
* bmo#1804071 - Fix rng stub signature for fuzzing builds
* bmo#1803595 - Updating the compiler parsing for build
* bmo#1749030 - Modification of supported compilers
* bmo#1774654 - tstclnt crashes when accessing gnutls server
without a user cert in the database.
* bmo#1751707 - Add configuration option to enable source-based
coverage sanitizer
* bmo#1751705 - Update ECCKiila generated files.
* bmo#1730353 - Add support for the LoongArch 64-bit architecture
* bmo#1798823 - add checks for zero-length RSA modulus to avoid
memory errors and failed assertions later
* bmo#1798823 - Additional zero-length RSA modulus checks
- Remove nss-fix-bmo1774654.patch which is now upstream
- update to NSS 3.86
* bmo#1803190 - conscious language removal in NSS
* bmo#1794506 - Set nssckbi version number to 2.60
* bmo#1803453 - Set CKA_NSS_SERVER_DISTRUST_AFTER and
CKA_NSS_EMAIL_DISTRUST_AFTER for 3
TrustCor Root Certificates
* bmo#1799038 - Remove Staat der Nederlanden EV Root CA from NSS
* bmo#1797559 - Remove EC-ACC root cert from NSS
* bmo#1794507 - Remove SwissSign Platinum CA - G2 from NSS
* bmo#1794495 - Remove Network Solutions Certificate Authority
* bmo#1802331 - compress docker image artifact with zstd
* bmo#1799315 - Migrate nss from AWS to GCP
* bmo#1800989 - Enable static builds in the CI
* bmo#1765759 - Removing SAW docker from the NSS build system
* bmo#1783231 - Initialising variables in the rsa blinding code
* bmo#320582 - Implementation of the double-signing of the message
for ECDSA
* bmo#1783231 - Adding exponent blinding for RSA.
- update to NSS 3.85
* bmo#1792821 - Modification of the primes.c and dhe-params.c in
order to have better looking tables
* bmo#1796815 - Update zlib in NSS to 1.2.13
* bmo#1796504 - Skip building modutil and shlibsign when building
in Firefox
* bmo#1796504 - Use __STDC_VERSION__ rather than __STDC__ as a guard
* bmo#1796407 - Fix -Wunused-but-set-variable warning from clang 15
* bmo#1796308 - Fix -Wtautological-constant-out-of-range-compare
and -Wtype-limits warnings
* bmo#1796281 - Followup: add missing stdint.h include
* bmo#1796281 - Fix -Wint-to-void-pointer-cast warnings
* bmo#1796280 - Fix -Wunused-{function,variable,but-set-variable}
warnings on Windows
* bmo#1796079 - Fix -Wstring-conversion warnings
* bmo#1796075 - Fix -Wempty-body warnings
* bmo#1795242 - Fix unused-but-set-parameter warning
* bmo#1795241 - Fix unreachable-code warnings
* bmo#1795222 - Mark _nss_version_c unused on clang-cl
* bmo#1795668 - Remove redundant variable definitions in lowhashtest
* Add note about python executable to build instructions.
- update to NSS 3.84
* bmo#1791699 - Bump minimum NSPR version to 4.35
* bmo#1792103 - Add a flag to disable building libnssckbi.
- update to NSS 3.83
* bmo#1788875 - Remove set-but-unused variables from
SEC_PKCS12DecoderValidateBags
* bmo#1563221 - remove older oses that are unused part3/ BeOS
* bmo#1563221 - remove older unix support in NSS part 3 Irix
* bmo#1563221 - remove support for older unix in NSS part 2 DGUX
* bmo#1563221 - remove support for older unix in NSS part 1 OSF
* bmo#1778413 - Set nssckbi version number to 2.58
* bmo#1785297 - Add two SECOM root certificates to NSS
* bmo#1787075 - Add two DigitalSign root certificates to NSS
* bmo#1778412 - Remove Camerfirma Global Chambersign Root from NSS
* bmo#1771100 - Added bug reference and description to disabled
UnsolicitedServerNameAck bogo ECH test
* bmo#1779361 - Removed skipping of ECH on equality of private and
public server name
* bmo#1779357 - Added comment and bug reference to
ECHRandomHRRExtension bogo test
* bmo#1779370 - Added Bogo shim client HRR test support. Fixed
overwriting of CHInner.random on HRR
* bmo#1779234 - Added check for server only sending ECH extension
with retry configs in EncryptedExtensions and if not
accepting ECH. Changed config setting behavior to
skip configs with unsupported mandatory extensions
instead of failing
* bmo#1771100 - Added ECH client support to BoGo shim. Changed
CHInner creation to skip TLS 1.2 only extensions to
comply with BoGo
* bmo#1771100 - Added ECH server support to BoGo shim. Fixed NSS ECH
server accept_confirmation bugs
* bmo#1771100 - Update BoGo tests to recent BoringSSL version
* bmo#1785846 - Bump minimum NSPR version to 4.34.1
- update to NSS 3.82
* bmo#1330271 - check for null template in sec_asn1{d,e}_push_state
* bmo#1735925 - QuickDER: Forbid NULL tags with non-zero length
* bmo#1784724 - Initialize local variables in
TlsConnectTestBase::ConnectAndCheckCipherSuite
* bmo#1784191 - Cast the result of GetProcAddress
* bmo#1681099 - pk11wrap: Tighten certificate lookup based on
PKCS #11 URI.
- update to NSS 3.81
* bmo#1762831 - Enable aarch64 hardware crypto support on OpenBSD
* bmo#1775359 - make NSS_SecureMemcmp 0/1 valued
* bmo#1779285 - Add no_application_protocol alert handler and
test client error code is set
* bmo#1777672 - Gracefully handle null nickname in
CERT_GetCertNicknameWithValidity
* required for Firefox 104
- raised NSPR requirement to 4.34.1
- changing some Requires from (pre) to generic as (pre) is not
sufficient (boo#1202118)
- update to NSS 3.80
* bmo#1774720 - Fix SEC_ERROR_ALGORITHM_MISMATCH entry in SECerrs.h.
* bmo#1617956 - Add support for asynchronous client auth hooks.
* bmo#1497537 - nss-policy-check: make unknown keyword check optional.
* bmo#1765383 - GatherBuffer: Reduced plaintext buffer allocations
by allocating it on initialization. Replaced
redundant code with assert. Debug builds: Added
buffer freeing/allocation for each record.
* bmo#1773022 - Mark 3.79 as an ESR release.
* bmo#1764206 - Bump nssckbi version number for June.
* bmo#1759815 - Remove Hellenic Academic 2011 Root.
* bmo#1770267 - Add E-Tugra Roots.
* bmo#1768970 - Add Certainly Roots.
* bmo#1764392 - Add DigitCert Roots.
* bmo#1759794 - Protect SFTKSlot needLogin with slotLock.
* bmo#1366464 - Compare signature and signatureAlgorithm fields in
legacy certificate verifier.
* bmo#1771497 - Uninitialized value in cert_VerifyCertChainOld.
* bmo#1771495 - Unchecked return code in sec_DecodeSigAlg.
* bmo#1771498 - Uninitialized value in cert_ComputeCertType.
* bmo#1760998 - Avoid data race on primary password change.
* bmo#1769063 - Replace ppc64 dcbzl intrinisic.
* bmo#1771036 - Allow LDFLAGS override in makefile builds.
- Update nss-fips-approved-crypto-non-ec.patch (bsc#1208999) with
fixes to PBKDF2 parameter validation.
- Update nss-fips-approved-crypto-non-ec.patch (bsc#1208999) to
validate extra PBKDF2 parameters according to FIPS 140-3.
- Update nss-fips-approved-crypto-non-ec.patch (bsc#1191546) to
update session->lastOpWasFIPS before destroying the key after
derivation in the CKM_TLS12_KEY_AND_MAC_DERIVE,
CKM_NSS_TLS_KEY_AND_MAC_DERIVE_SHA256,
CKM_TLS_KEY_AND_MAC_DERIVE and CKM_SSL3_KEY_AND_MAC_DERIVE cases.
- Update nss-fips-pct-pubkeys.patch (bsc#1207209) to remove some
excess code.
- Update nss-fips-approved-crypto-non-ec.patch (bsc#1191546).
- Add nss-fips-pct-pubkeys.patch (bsc#1207209) for pairwise consistency
checks. Thanks to Martin for the DHKey parts.
- Add manpages to mozilla-nss-tools (bsc#1208242)
- update to NSS 3.79.4 (bsc#1208138)
* Bug 1804640 - improve handling of unknown PKCS#12 safe bag types.
(CVE-2023-0767)
- ncurses
-
- Modify patch ncurses-6.1.dif
* Secure writing terminfo entries by setfs[gu]id in s[gu]id
(boo#1210434, CVE-2023-29491)
* Reading is done since 2000/01/17
- nfs-utils
-
- 0206-gssd-Fix-inner-loop-variable-reuse.patch
Fix for previous patch
(bsc#1210136)
- 0205-nfsd.man-fix-typo-in-section-on-scope.patch
bsc#1209859
- 0204-Don-t-assume-the-machine-account-will-be-in-upp.patch
Be more flexible with case of machine account name
(bsc#1207245)
- 0203-modprobe-avoid-error-messages-if-sbin-sysctl-fail.patch
Avoid modprobe errors when sysctl is not installed.
(bsc#1200710 bsc#1207022 bsc#1206781)
- ntp
-
- Update to 4.2.8p17:
* Fix some regressions of 4.2.8p16
- Update to 4.2.8p16:
* [Sec 3808] Assertion failure in ntpq on malformed RT-11 date
* [Sec 3807], bsc#1210390, CVE-2023-26555:
praecis_parse() in the Palisade refclock driver has a
hypothetical input buffer overflow.
* [Sec 3767] An OOB KoD RATE value triggers an assertion when
debug is enabled.
* Obsoletes: ntp-CVE-2023-26551.patch, ntp-sntp-dst.patch,
ntp-ENOBUFS.patch
* Multiple bug fixes and improvements. For details, see:
/usr/share/doc/packages/ntp/ChangeLog
http://www.ntp.org/support/securitynotice/4_2_8-series-changelog/
- Follow upstream's suggestion to build with debugging disabled:
https://www.ntp.org/support/securitynotice/ntpbug3767/
- bsc#1210386: out-of-bounds writes in mstolfp()
* CVE-2023-26551, CVE-2023-26552, CVE-2023-26553, CVE-2023-26554
* Add ntp-CVE-2023-26551.patch
- openldap2
-
- bsc#1211795 - CVE-2023-2953 - Null pointer deref in ber_memalloc_x
* 0227-ITS-9904-ldif_open_url-check-for-ber_strdup-failure.patch
- openssh
-
- Add openssh-CVE-2023-38408-PKCS11-execution.patch, Abort if
requested to load a PKCS#11 provider that isn't a PKCS#11
provider (bsc#1213504,CVE-2023-38408)
- openssl-1_0_0
-
- Security fix: [bsc#1213487, CVE-2023-3446]
* Fix DH_check() excessive time with over sized modulus.
* The function DH_check() performs various checks on DH parameters.
One of those checks confirms that the modulus ("p" parameter) is
not too large. Trying to use a very large modulus is slow and
OpenSSL will not normally use a modulus which is over 10,000 bits
in length.
However the DH_check() function checks numerous aspects of the
key or parameters that have been supplied. Some of those checks
use the supplied modulus value even if it has already been found
to be too large.
A new limit has been added to DH_check of 32,768 bits. Supplying
a key/parameters with a modulus over this size will simply cause
DH_check() to fail.
* Add openssl-CVE-2023-3446.patch
- Security Fix: [bsc#1207534, CVE-2022-4304]
* Reworked the Fix for the Timing Oracle in RSA Decryption
The previous fix for this timing side channel turned out to cause
a severe 2-3x performance regression in the typical use case
compared to 1.1.1s.
* Reworked openssl-CVE-2022-4304.patch
* Refreshed openssl-CVE-2023-0286.patch
- Security Fix: [CVE-2023-2650, bsc#1211430]
* Possible DoS translating ASN.1 object identifiers
* Add openssl-CVE-2023-2650.patch
- Security Fix: [CVE-2023-0465, bsc#1209878]
* Invalid certificate policies in leaf certificates are silently ignored
* Add openssl-CVE-2023-0465.patch
- Security Fix: [CVE-2023-0466, bsc#1209873]
* Certificate policy check not enabled
* Add openssl-CVE-2023-0466.patch
- Security Fix: [CVE-2023-0464, bsc#1209624]
* Excessive Resource Usage Verifying X.509 Policy Constraints
* Add openssl-CVE-2023-0464.patch
- Fix DH key generation in FIPS mode, add support for constant BN for
DH parameters [bsc#1202062]
* Add patch: openssl-fips_fix_DH_key_generation.patch
- Security Fix: [bsc#1207533, CVE-2023-0286]
* Fix X.400 address type confusion in X.509 GENERAL_NAME_cmp
for x400Address
* Add openssl-CVE-2023-0286.patch
- Security Fix: [bsc#1207536, CVE-2023-0215]
* Use-after-free following BIO_new_NDEF()
* Add patches:
- openssl-CVE-2023-0215-1of4.patch
- openssl-CVE-2023-0215-2of4.patch
- openssl-CVE-2023-0215-3of4.patch
- openssl-CVE-2023-0215-4of4.patch
- openssl-Groundwork-for-a-perl-based-testing-framework.patch
- openssl-Add-recipes-for-the-larger-protocols.patch
- Security Fix: [bsc#1207534, CVE-2022-4304]
* Timing Oracle in RSA Decryption
* Add openssl-CVE-2022-4304.patch
- Update further expiring certificates that affect tests [bsc#1201627]
* Add openssl-Update-further-expiring-certificates.patch
- openssl-1_1
-
- Don't pass zero length input to EVP_Cipher because assembler
optimized AES cannot handle zero size. [bsc#1213517]
* Add openssl-dont-pass-zero-length-input-to-EVP_Cipher.patch
- Security fix: [bsc#1213487, CVE-2023-3446]
* Fix DH_check() excessive time with over sized modulus.
* The function DH_check() performs various checks on DH parameters.
One of those checks confirms that the modulus ("p" parameter) is
not too large. Trying to use a very large modulus is slow and
OpenSSL will not normally use a modulus which is over 10,000 bits
in length.
However the DH_check() function checks numerous aspects of the
key or parameters that have been supplied. Some of those checks
use the supplied modulus value even if it has already been found
to be too large.
A new limit has been added to DH_check of 32,768 bits. Supplying
a key/parameters with a modulus over this size will simply cause
DH_check() to fail.
* Add openssl-CVE-2023-3446.patch openssl-CVE-2023-3446-test.patch
- Security Fix: [bsc#1207534, CVE-2022-4304]
* Reworked the Fix for the Timing Oracle in RSA Decryption
The previous fix for this timing side channel turned out to cause
a severe 2-3x performance regression in the typical use case
compared to 1.1.1s.
* Add openssl-CVE-2022-4304.patch
* Removed patches:
- openssl-CVE-2022-4304-1of2.patch
- openssl-CVE-2022-4304-2of2.patch
* Refreshed openssl-CVE-2023-0286.patch
- Update further expiring certificates that affect tests [bsc#1201627]
* Add openssl-Update-further-expiring-certificates.patch
- Security Fix: [CVE-2023-2650, bsc#1211430]
* Possible DoS translating ASN.1 object identifiers
* Add openssl-CVE-2023-2650.patch
- Security Fix: [CVE-2023-0465, bsc#1209878]
* Invalid certificate policies in leaf certificates are silently ignored
* Add openssl-CVE-2023-0465.patch
- Security Fix: [CVE-2023-0466, bsc#1209873]
* Certificate policy check not enabled
* Add openssl-CVE-2023-0466.patch
- Security Fix: [CVE-2023-0464, bsc#1209624]
* Excessive Resource Usage Verifying X.509 Policy Constraints
* Add openssl-CVE-2023-0464.patch
- Security Fix: [bsc#1207533, CVE-2023-0286]
* Fix X.400 address type confusion in X.509 GENERAL_NAME_cmp
for x400Address
* Add openssl-CVE-2023-0286.patch
- Security Fix: [bsc#1207536, CVE-2023-0215]
* Use-after-free following BIO_new_NDEF()
* Add patches:
- openssl-CVE-2023-0215-1of4.patch
- openssl-CVE-2023-0215-2of4.patch
- openssl-CVE-2023-0215-3of4.patch
- openssl-CVE-2023-0215-4of4.patch
- Security Fix: [bsc#1207538, CVE-2022-4450]
* Double free after calling PEM_read_bio_ex()
* Add patches:
- openssl-CVE-2022-4450-1of2.patch
- openssl-CVE-2022-4450-2of2.patch
- Security Fix: [bsc#1207534, CVE-2022-4304]
* Timing Oracle in RSA Decryption
* Add patches:
- openssl-CVE-2022-4304-1of2.patch
- openssl-CVE-2022-4304-2of2.patch
- perl
-
- enable TLS cert verification in CPAN [bnc#1210999] [CVE-2023-31484]
new patch: perl-cpan_verify_cert.diff
- perl-Bootloader
-
- merge gh#openSUSE/perl-bootloader#152
- use signed grub EFI binary when updating grub in default EFI
location (bsc#1210799)
- check whether grub2-install supports --suse-force-signed option
- 0.944
- merge gh#openSUSE/perl-bootloader#147
- UEFI: update also default location, if it is controlled by SUSE
(bsc#1210799, bsc#1201399)
- 0.943
- merge gh#openSUSE/perl-bootloader#142
- use fw_platform_size to distinguish between 32 bit and 64 bit
UEFI platforms (bsc#1208003)
- 0.942
- merge gh#openSUSE/perl-bootloader#141
- systemd-boot: easier initial setup
- 0.941
- merge gh#openSUSE/perl-bootloader#140
- add basic support for systemd-boot
- 0.940
- merge gh#openSUSE/perl-bootloader#139
- fix sysconfig parsing (bsc#1198828)
- 0.939
- merge gh#openSUSE/perl-bootloader#138
- grub2/install: reset error code when passing through recover code
(bsc#1198197)
- 0.938
- merge gh#openSUSE/perl-bootloader#137
- grub2 install: Support secure boot on powerpc (bsc#1192764
jsc#SLE-18271).
- 0.937
- merge gh#openSUSE/perl-bootloader#136
- report error if config file could not be updated (bsc#1188768)
- 0.936
- merge gh#openSUSE/perl-bootloader#135
- fix typo in update-bootloader
- 0.935
- merge gh#openSUSE/perl-bootloader#134
- install with --removable if efivars are not writable
(bsc#1182749, bsc#1174111, bsc#1184160)
- fix whitespace
- 0.934
- merge gh#openSUSE/perl-bootloader#133
- use shim on aarch64 (jsc#SLE-15823, jsc#SLE-15020)
- 0.933
- merge gh#openSUSE/perl-bootloader#131
- grub2 install: honor UPDATE_NVRAM in /etc/sysconfig/bootloader
(bsc#1157550 jsc#SLE-11500).
- 0.932
- merge gh#openSUSE/perl-bootloader#129
- Check tpm.mod in the new grub2 directory (bsc#1174320)
- 0.931
- merge gh#openSUSE/perl-bootloader#130
- Throw less warnings about fstab
- 0.930
- merge gh#openSUSE/perl-bootloader#128
- Do not warn about missing SECURE_BOOT sysconfig
- 0.929
- merge gh#openSUSE/perl-bootloader#127
- use correct target name on aarch64 (bsc#1172293)
- 0.928
- merge gh#openSUSE/perl-bootloader#126
- always install EFI fallback boot for aarch64 (bsc#1167015)
- 0.927
- merge gh#openSUSE/perl-bootloader#123
- Accept sysconfig values without quotes
- 0.926
- merge gh#openSUSE/perl-bootloader#122
- Replace --suse-signed-grub by --suse-force-signed to follow
update from boo#1136601
- 0.925
- merge gh#openSUSE/perl-bootloader#121
- Fix secureboot on aarch64 (boo#1136601)
- [RFC] Fix secureboot on aarch64 (boo#1136601)
- 0.924
- permissions
-
* mariadb: settings for new auth_pam_tool (bsc#1160285)
- Update to version 20170707:
- python
-
- Fix the application of the python-2.7.17-switch-off-failing-SSL-tests.patch.
- python-2.7.5-multilib.patch: Update for riscv64
- Don't fail if _ctypes or dl extension was not built
- The condition around libnsl-devel BuildRequires is NOT
switching off NIS support on SLE < 15, support for NIS used to
be in the glibc itself. Partial revert of sr#1061583.
- Add PygmentsBridge-trime_doctest_flags.patch to allow build of
the documentation even with the current Sphinx. (SUSE-ONLY
PATCH, DO NOT SEND UPSTREAM!)
- Enable --with-system-ffi for non-standard architectures.
- SLE-12 builds nis.so as well.
- Add CVE-2023-24329-blank-URL-bypass.patch (CVE-2023-24329,
bsc#1208471) blocklists bypass via the urllib.parse component
when supplying a URL that starts with blank characters
- Disable NIS for new products, it's deprecated and gets removed
- Add skip_unverified_test.patch because apparently switching off
SSL verification doesn't work on older SLE.
- Restore python-2.7.9-sles-disable-verification-by-default.patch
for SLE-12.
- python-base
-
- Fix the application of the python-2.7.17-switch-off-failing-SSL-tests.patch.
- python-2.7.5-multilib.patch: Update for riscv64
- Don't fail if _ctypes or dl extension was not built
- The condition around libnsl-devel BuildRequires is NOT
switching off NIS support on SLE < 15, support for NIS used to
be in the glibc itself. Partial revert of sr#1061583.
- Add PygmentsBridge-trime_doctest_flags.patch to allow build of
the documentation even with the current Sphinx. (SUSE-ONLY
PATCH, DO NOT SEND UPSTREAM!)
- Enable --with-system-ffi for non-standard architectures.
- SLE-12 builds nis.so as well.
- Add CVE-2023-24329-blank-URL-bypass.patch (CVE-2023-24329,
bsc#1208471) blocklists bypass via the urllib.parse component
when supplying a URL that starts with blank characters
- Disable NIS for new products, it's deprecated and gets removed
- Add skip_unverified_test.patch because apparently switching off
SSL verification doesn't work on older SLE.
- Restore python-2.7.9-sles-disable-verification-by-default.patch
for SLE-12.
- python-cffi
-
- Add require-writable.patch to support the optional argument
"require_writable" in "from_buffer" method, that's used by the
python-cryptography security fix gh#pyca/cryptography@9fbf84efc861
(bsc#1208036, CVE-2023-23931)
The upstream patch can be found here:
https://foss.heptapod.net/pypy/cffi/-/commit/c5c4d32c3e3ec0fbaabc4b9890fd17c9c58407d2
- python-cryptography
-
- Add patch CVE-2023-23931-dont-allow-update-into.patch (bsc#1208036, CVE-2023-23931)
* Don't allow update_into to mutate immutable objects
- python-requests
-
- Add CVE-2023-32681.patch to fix unintended leak of
Proxy-Authorization header (CVE-2023-32681, bsc#1211674)
Upstream commit: gh#psf/requests@74ea7cf7a6a2
- python-rsa
-
- Add cve_2020-25658.patch (CVE-2020-25658 bsc#1178676)
+ Reduce timing sensitivity on decryption for false ciphers
- python3
-
- Add bpo-44434-libgcc_s-for-pthread_cancel.patch
which eliminates unnecessary and dangerous calls to
PyThread_exit_thread() (bsc#1203355).
- Add CVE-2023-24329-blank-URL-bypass.patch (CVE-2023-24329,
bsc#1208471) blocklists bypass via the urllib.parse component
when supplying a URL that starts with blank characters
- Add CVE-2022-40899-ReDos-cookiejar.patch to fix ReDoS in http.cookiejar
(gh#python/cpython#17157, bsc#1206673, CVE-2022-40899)
- python3-base
-
- Add bpo-44434-libgcc_s-for-pthread_cancel.patch
which eliminates unnecessary and dangerous calls to
PyThread_exit_thread() (bsc#1203355).
- Add CVE-2023-24329-blank-URL-bypass.patch (CVE-2023-24329,
bsc#1208471) blocklists bypass via the urllib.parse component
when supplying a URL that starts with blank characters
- python3-requests
-
- Add CVE-2023-32681.patch to fix unintended leak of
Proxy-Authorization header (CVE-2023-32681, bsc#1211674)
Upstream commit: gh#psf/requests@74ea7cf7a6a2
- python36
-
- Add 99366-patch.dict-can-decorate-async.patch fixing
gh#python/cpython#98086 (backport from Python 3.10 patch in
gh#python/cpython!99366), fixing bsc#1211158.
- Add CVE-2007-4559-filter-tarfile_extractall.patch to fix
CVE-2007-4559 (bsc#1203750) by adding the filter for
tarfile.extractall (PEP 706).
- Use python3 modules to build the documentation.
- Add bpo-44434-libgcc_s-for-pthread_cancel.patch
which eliminates unnecessary and dangerous calls to
PyThread_exit_thread() (bsc#1203355).
- Add CVE-2023-24329-blank-URL-bypass.patch (CVE-2023-24329,
bsc#1208471) blocklists bypass via the urllib.parse component
when supplying a URL that starts with blank characters
- Add bpo27321-email-no-replace-header.patch to stop
email.generator.py from replacing a non-existent header
(bsc#1208443, gh#python/cpython#71508).
- Add bsc1188607-pythreadstate_clear-decref.patch to fix crash in
the garbage collection (bsc#1188607).
- Add CVE-2022-45061-DoS-by-IDNA-decode.patch to avoid
CVE-2022-45061 (bsc#1205244) allowing DoS by IDNA decoding
extremely long domain names.
- runc
-
- Update to runc v1.1.5. Upstream changelog is available from
<https://github.com/opencontainers/runc/releases/tag/v1.1.5>.
Includes fixes for the following CVEs:
- CVE-2023-25809 bsc#1209884
- CVE-2023-27561 bsc#1208962
- CVE-2023-28642 bsc#1209888
* Fix the inability to use `/dev/null` when inside a container.
* Fix changing the ownership of host's `/dev/null` caused by fd redirection
(a regression in 1.1.1). bsc#1168481
* Fix rare runc exec/enter unshare error on older kernels.
* nsexec: Check for errors in `write_log()`.
- Drop version-specific Go requirement.
- samba
-
- secure channel faulty since Windows 10/11 update 07/2023;
(bso#15418); (bsc#1213384).
- CVE-2022-2127: lm_resp_len not checked properly in
winbindd_pam_auth_crap_send; (bso#15072); (bsc#1213174).
- CVE-2023-34966: Samba Spotlight mdssvc RPC Request Infinite
Loop Denial-of-Service Vulnerability; (bso#15340); (bsc#1213173).
- CVE-2023-34967: Samba Spotlight mdssvc RPC Request Type
Confusion Denial-of-Service Vulnerability; (bso#15341); (bsc#1213172).
- CVE-2023-34968: Spotlight server-side Share Path Disclosure;
(bso#15388); (bsc#1213171).
- CVE-2023-0922: Samba AD DC admin tool samba-tool sends passwords
in cleartext; (bso#15315); (bsc#1209481).
- Prevent use after free of messaging_ctdb_fde_ev structs;
(bso#15293); (bsc#1207416).
- shadow
-
- bsc#1210507 (CVE-2023-29383):
Check for control characters
- Add shadow-CVE-2023-29383.patch
- shim
-
- add CVE number against bsc#
+ (bsc#1198458, CVE-2022-28737)
- Update shim to 15.7-150300.4.11.1 from SLE15-SP3
+ Version: 15.7, "Thu Mar 17 2023"
+ Update the SLE signatures
+ Include the fixes for bsc#1205588, bsc#1202120, bsc#1201066,
bsc#1198458, bsc#1198101, bsc#1193315, bsc#1193282
- sudo
-
- Fix CVE-2023-28486, sudo does not escape control characters in
log messages, (CVE-2023-28486, bsc#1209362)
* Add sudo-CVE-2023-28486.patch
- Fix CVE-2023-28487, sudo does not escape control characters in
sudoreplay output (CVE-2023-28487, bsc#1209361)
- sudo-dont-enable-read-after-pty_finish.patch
* bsc#1203201
* Do not re-enable the reader when flushing the buffers as part
of pty_finish().
* While sudo-observe-SIGCHLD patch applied earlier prevents a
race condition from happening, this fixes a related buffer hang.
- Added sudo-fix_NULL_deref_RunAs.patch
* bsc#1206483
* Fix a situation where "sudo -U otheruser -l" would dereference
a NULL pointer.
- supportutils
-
- Removed iSCSI passwords CVE-2022-45154 (bsc#1207598)
- Fixed missing status detail for apparmor (bsc#1196933)
- Corrected invalid argument list in docker.txt (bsc#1206608)
- Changed _sanitize_file to include lio_setup.sh (bsc#1206350)
- supportutils-plugin-suse-public-cloud
-
- Update to version 1.0.7 (bsc#1209026)
+ Include information about the cached registration data
+ Collect the data that is sent to the update infrastructure during
registration
- systemd
-
- Import commit 95ad6444b8d4c9cbd6c745ba9b4463264109ee11
acb6da7b4a pager: make pager secure when under euid is changed or explicitly requested
7c8bbe16a2 pager: set $LESSSECURE whenever we invoke a pager (bsc#1208958 CVE-2023-26604)
e931881112 core: if the start command vanishes during runtime don't hit an assert (bsc#1206985)
- tar
-
* bsc1202436-1.patch
* bsc1202436-2.patch
- Fix CVE-2022-48303, tar has a one-byte out-of-bounds read that
results in use of uninitialized memory for a conditional jump
(CVE-2022-48303, bsc#1207753)
* fix-CVE-2022-48303.patch
- Fix hang when unpacking test tarball, bsc#1202436
- tcl
-
- [bsc#1206623], tcl-string-compare.patch:
Fix [string compare -length] on big endian and improve
[string equal] on little endian.
- timezone
-
- timezone update 2023c:
* Revert changes made in 2023b
- timezone update 2023b:
* Lebanon delays the start of DST this year.
- timezone update 2023a:
* Egypt now uses DST again, from April through October.
* This year Morocco springs forward April 23, not April 30.
* Palestine delays the start of DST this year.
* Much of Greenland still uses DST from 2024 on.
* America/Yellowknife now links to America/Edmonton.
* tzselect can now use current time to help infer timezone.
* The code now defaults to C99 or later.
- Refresh tzdata-china.diff
- util-linux
-
- Add upstream patch fix-lib-internal-cache-size.patch
bsc#1210164, gh#util-linux/util-linux@2fa4168c8bc9
- util-linux-systemd
-
- Add upstream patch fix-lib-internal-cache-size.patch
bsc#1210164, gh#util-linux/util-linux@2fa4168c8bc9
- vim
-
- Updated to version 9.0 with patch level 1386, fixes the following security problems
* Fixing bsc#1207780 - (CVE-2023-0512) VUL-0: CVE-2023-0512: vim: Divide By Zero in GitHub repository vim/vim prior to 9.0.1247
* Fixing bsc#1208957 - (CVE-2023-1175) VUL-0: CVE-2023-1175: vim: Incorrect Calculation of Buffer Size
* Fixing bsc#1208959 - (CVE-2023-1170) VUL-0: CVE-2023-1170: vim: Heap-based Buffer Overflow in vim prior to 9.0.1376
* Fixing bsc#1208828 - (CVE-2023-1127) VUL-1: CVE-2023-1127: vim: divide by zero in scrolldown()
- for the complete list of changes see
https://github.com/vim/vim/compare/v9.0.1234...v9.0.1386
- wicked
-
- ifconfig: fix arp notify loop (boo#1212806) and burst sending
[+ 0001-fix_arp_notify_loop_and_burst_sending.patch]
- update to version 0.6.73
- spec: cleanup artefacts and fix some rpmlint warnings
- arp: allow verify/notify counter and interval configuration
- arp: handle ENOBUFS sending errors (bsc#1203300)
- extensions: improve environment variable handling
- firmware: refactor firmware extension definition
- firmware: enable, disable and revert cli commands
- code cleanup: fix memory leaks, add array/list utils
- wireless: Ignore WIRELESS_EAP_AUTH within TLS (bsc#1211026)
- cleanup /var/run leftovers in extension scripts (bsc#1194557)
- json: output formatting improvements and Unicode support
- bond: workaround 6.1 kernel enslave regression (boo#1206674)
- update to version 0.6.72
- client: add `wicked firmware extensions|interfaces|enable|disable`
command to improve `ibft`,`nbft`,`redfish` firmware extension and
interface handling.
- client: improve error handling in netif firmware discovery
extension execution and extension definition overrides in
the wicked-config.
- nanny: fix use-after-free in debug mode (bsc#1206447)
- spec: replace transitional `%usrmerged` macro with regular
version check (boo#1206798)
- client: improve to show `no-carrier` in ifstatus output
- linux: cleanup inclusions and update uapi header to 6.0
- ethtool: link mode nwords cleanup and new advertise mode names
- update to version 0.6.71
- dhcp: enable raw-ip support for wwan-qmi interfaces (jsc#PED-90)
- schema: fix the ip rule to-selector to handle network prefixes
- spec: Add /etc/sysconfig/network to file list, no longer in the
default list of a cleaned up filesystem package on tumbleweed
(https://github.com/openSUSE/wicked/pull/939).
- xen
-
- bsc#1209017 - VUL-0: CVE-2022-42332: xen: x86 shadow plus
log-dirty mode use-after-free (XSA-427)
xsa427.patch
- bsc#1209018 - VUL-0: CVE-2022-42333,CVE-2022-42334: xen: x86/HVM
pinned cache attributes mis-handling (XSA-428)
xsa428-1.patch
xsa428-2.patch
- bsc#1209019 - VUL-0: CVE-2022-42331: xen: x86: speculative
vulnerability in 32bit SYSCALL path (XSA-429)
xsa429.patch
- bsc#1205209 - VUL-0: CVE-2022-23824: xen: x86: Multiple
speculative security issues (XSA-422)
xsa422-01.patch
xsa422-02.patch
- yast2-packager
-
- Do not fail when the installation URL contains a space
(bsc#1201816)
- 3.3.5
- yast2-transfer
-
- Fixed TFTP download, truncate the target file to avoid garbage
at the end of the file when saving to an already existing file
(bsc#1208754)
- 3.1.4
- zlib
-
- Fix deflateBound() before deflateInit(), bsc#1210593
bsc1210593.patch
- Add DFLTCC support for using inflate() with a small window,
fixes bsc#1206513
* bsc1206513.patch
- zypper
-
- Add expert (allow-*) options to all installer commands
(bsc#428822)
- version 1.13.64
- Provide "removeptf" command (bsc#1203249)
A remove command which prefers replacing dependant packages to
removing them as well.
A PTF is typically removed as soon as the fix it provides is
applied to the latest official update of the dependant packages.
But you don't want the dependant packages to be removed together
with the PTF, which is what the remove command would do. The
removeptf command however will aim to replace the dependant
packages by their official update versions.
- BuildRequires: libzypp-devel >= 16.22.6.
- version 1.13.63