- kernel-default
-
- ACPI: video: check for error while searching for backlight
device parent (bsc#1224686 CVE-2023-52693).
- commit aafdad5
- ACPI: LPIT: Avoid u32 multiplication overflow (bsc#1224627
CVE-2023-52683).
- commit 57dc5ae
- x86/kprobes: Fix optprobe optimization check with CONFIG_RETHUNK (git-fixes).
- commit 90918cd
- netfilter: nft_set: preserve kabi (bsc#1215420 CVE-2023-4244).
- commit 4994a14
- netfilter: take a reference when looking up nft_sets
(bsc#1215420 CVE-2023-4244).
- commit 3f2e165
- netfilter: Implement reference counting for nft_sets
(bsc#1215420 CVE-2023-4244).
- commit b5c850d
- Fix the warning:
* return makes pointer from integer without a cast [enabled by default] in ../drivers/infiniband/hw/mlx5/srq.c in mlx5_ib_create_srq
../drivers/infiniband/hw/mlx5/srq.c: In function 'mlx5_ib_create_srq':
../drivers/infiniband/hw/mlx5/srq.c:259:3: warning: return makes pointer from integer without a cast [enabled by default]
- commit d292fa8
- x86/kprobes: Fix kprobes instruction boudary check with CONFIG_RETHUNK (git-fixes).
- commit 29d18ef
- fbdev: savage: Handle err return when savagefb_check_var failed (bsc#1227435 CVE-2024-39475)
- commit 3cf493f
- kgdb: Move the extern declaration kgdb_has_hit_break() to generic kgdb.h (git-fixes).
- commit 4c96601
- kgdb: Add kgdb_has_hit_break function (git-fixes).
- commit 096e8f7
- x86/ioremap: Fix page aligned size calculation in __ioremap_caller() (git-fixes).
- commit 51d4d78
- blacklist.conf: Blacklist unapplicable commit
- commit 8985317
- x86/numa: Use cpumask_available instead of hardcoded NULL check (git-fixes).
- commit 53fc2d1
- x86/msr: Fix wr/rdmsr_safe_regs_on_cpu() prototypes (git-fixes).
- commit 4cbd29b
- x86/fpu: Return proper error codes from user access functions (git-fixes).
- commit 16cc345
- x86/cpu: Fix AMD erratum #1485 on Zen4-based CPUs (git-fixes).
- commit 530272a
- blacklist.conf: We don't support clang so black list related commit
- commit 0b88169
- x86/boot/e820: Fix typo in e820.c comment (git-fixes).
- commit 3e224a7
- x86/apic: Fix kernel panic when booting with intremap=off and x2apic_phys (git-fixes).
- commit f7c83aa
- x86: __memcpy_flushcache: fix wrong alignment if size > 2^32 (git-fixes).
- commit fe70714
- PM: hibernate: x86: Use crc32 instead of md5 for hibernation e820 integrity check (git-fixes).
- commit 63895f5
- can: pch_can: pch_can_rx_normal: fix use after free (bsc#1225431
CVE-2021-47520).
- commit 0efd10b
- wifi: nl80211: don't free NULL coalescing rule (bsc#1225835 CVE-2024-36941).
- commit 6927c00
- powerpc/rtas: Prevent Spectre v1 gadget construction in
sys_rtas() (bsc#1227487).
- commit 564651d
- SUNRPC: Fix loop termination condition in
gss_free_in_token_pages() (git-fixes).
- sunrpc: fix NFSACL RPC retry on soft mount (git-fixes).
- SUNRPC: Fix gss_free_in_token_pages() (git-fixes).
- nfs: Handle error of rpc_proc_register() in nfs_net_init()
(git-fixes).
- commit 823e515
- btrfs: do not BUG_ON in link_to_fixup_dir (bsc#1222005
CVE-2021-47145).
- commit fb0f08c
- soc: fsl: qbman: Use raw spinlock for cgr_lock (bsc#1224683
CVE-2024-35819).
- commit 4f6a315
- soc: fsl: qbman: Add CGR update function (bsc#1224683
CVE-2024-35819).
- commit 3b2ce3f
- soc: fsl: qbman: Add helper for sanity checking cgr ops
(bsc#1224683 CVE-2024-35819).
- commit b33b9fc
- soc: fsl: qbman: Always disable interrupts when taking cgr_lock
(bsc#1224683 CVE-2024-35819).
- commit 99e6ba5
- drm/amdgpu/debugfs: fix error code when smc register accessors are NULL (git-fixes).
- commit a2420fb
- blacklist.conf: Add c7fcb99877f9 sched/rt: Fix sysctl_sched_rr_timeslice intial value
- commit 71427f6
- blacklist.conf: Add a57415f5d1e4 sched/deadline: Fix sched_dl_global_validate()
- commit b39262b
- sched/deadline: Fix BUG_ON condition for deboosted tasks
(bsc#1227407).
- commit 58fafac
- dyndbg: fix old BUG_ON in >control parser (bsc#1224647
CVE-2024-35947).
- commit 52ffbf7
- net: tulip: de4x5: fix the problem that the array 'lp->phy'
may be out of bound (bsc#1225505 CVE-2021-47547).
- commit 605a3ba
- drm/amdgpu: Fix a null pointer access when the smc_rreg pointer is NULL (CVE-2023-52817 bsc#1225569).
- commit d2e5a64
- blacklist.conf: cd90511557fd drm/amdgpu/vkms: fix a possible null pointer dereference
- commit d0def0c
- blacklist.conf: 80285ae1ec87 drm/amdgpu: Fix potential null pointer derefernce
- commit 95c5571
- blacklist.conf: 406e8845356d drm/amd: check num of link levels when update pcie param
- commit f93c72c
- drm/amd: Fix UBSAN array-index-out-of-bounds for Polaris and Tonga (CVE-2023-52819 bsc#1225532).
- commit d196cd8
- drm/amd: Fix UBSAN array-index-out-of-bounds for SMU7 (CVE-2023-52818 bsc#1225530).
- commit d67dcd9
- blacklist.conf: 282c1d793076 drm/amdkfd: Fix shift out-of-bounds issue
- commit cc813e8
- drm/amd/display: Avoid NULL dereference of timing generator (CVE-2023-52753 bsc#1225478).
- commit f316fd9
- blacklist.conf: 31729e8c21ec drm/amd/pm: fixes a random hang in S4 for SMU v13.0.4/11
- commit 785f136
- blacklist.conf: add 2a19b28f7929866e1cec92a3619f4de9f2d20005.
- commit a4c7fa2
- drm/arm/malidp: fix a possible null pointer dereference (CVE-2024-36014 bsc#1225593).
- commit 3f35223
- llc: make llc_ui_sendmsg() more robust against bonding changes
(CVE-2024-26636 bsc#1221659).
- commit 727fec1
- llc: Drop support for ETH_P_TR_802_2 (CVE-2024-26635
bsc#1221656).
- commit 4792924
- wifi: libertas: fix some memleaks in lbs_allocate_cmd_buffer()
(bsc#1224622 CVE-2024-35828).
- commit 9f39e76
- nfc: nci: assert requested protocol is valid (bsc#1220833, CVE-2023-52507).
- commit 78bd01e
- md: fix resync softlockup when bitmap size is less than array
size (CVE-2024-38598, bsc#1226757).
- commit e578184
- dm snapshot: fix lockup in dm_exception_table_exit (bsc#1224743,
CVE-2024-35805).
- dm: call the resume method on internal suspend (bsc#1223188,
CVE-2024-26880).
- dm rq: don't queue request to blk-mq during DM suspend
(bsc#1225357, CVE-2021-47498).
- bcache: avoid oversized read request in cache missing code path
(bsc#1224965, CVE-2021-47275).
- bcache: remove bcache device self-defined readahead
(bsc#1224965, CVE-2021-47275).
- commit 0df91b9
- net/mlx5e: nullify cq->dbg pointer in mlx5_debug_cq_remove() (bsc#1225229 CVE-2021-47438)
- commit dd90392
- net/mlx5e: Fix memory leak in mlx5_core_destroy_cq() error path (bsc#1225229 CVE-2021-47438)
- commit eebb92a
- usb-storage: alauda: Check whether the media is initialized
(CVE-2024-38619 bsc#1226861).
- commit 8f69e1a
- iavf: free q_vectors before queues in iavf_disable_vf
(CVE-2021-47201 bsc#1222792).
- commit 5fa75c2
- blacklist.conf: 9cb46b31f3d0 drm/xe/xe_migrate: Cast to output precision before multiplying operands
- commit 6d5246f
- ip6_tunnel: make sure to pull inner header in __ip6_tnl_rcv()
(CVE-2024-26641 bsc#1221654).
- commit 785d6bf
- hsr: Fix uninit-value access in hsr_get_node() (bsc#1223021
CVE-2024-26863).
- net: hsr: fix placement of logical operator in a multi-line
statement (bsc#1223021).
- commit bea7af4
- ip6_tunnel: fix NEXTHDR_FRAGMENT handling in
ip6_tnl_parse_tlv_enc_lim() (CVE-2024-26633 bsc#1221647).
- commit 6bed746
- blacklist.conf: ecedd99a9369 drm/amd/display: Skip on writeback when it's not applicable
- commit 7f9ee16
- net: sock: preserve kabi for sock (bsc#1221010 CVE-2021-47103).
- commit 00f2734
- inet: fully convert sk->sk_rx_dst to RCU rules (bsc#1221010
CVE-2021-47103).
- commit 955aaf2
- Bluetooth: l2cap: fix null-ptr-deref in l2cap_chan_timeout
(bsc#1224177 CVE-2024-27399).
- commit f1f5272
- ACPI: processor_idle: Fix memory leak in
acpi_processor_power_exit() (bsc#1223043 CVE-2024-26894).
- commit 69014d4
- scsi: bnx2fc: Remove spin_lock_bh while releasing resources
after upload (bsc#1224767 CVE-2024-36919).
- scsi: lpfc: Move NPIV's transport unregistration to after
resource clean up (bsc#1225898 CVE-2024-36592).
- commit 011e140
- selinux: fix double free of cond_list on error paths
(bsc#1226699 CVE-2022-48740).
- commit c27761a
- fs/9p: fix uninitialized values during inode evict (bsc#1225815
CVE-2024-36923).
- commit fccda1c
- btrfs: fix crash on racing fsync and size-extending write into
prealloc (bsc#1227101 CVE-2024-37354).
- btrfs: add helper to truncate inode items when logging inode
(bsc#1227101 CVE-2024-37354).
- btrfs: don't set the full sync flag when truncation does not
touch extents (bsc#1227101 CVE-2024-37354).
- btrfs: fix misleading and incomplete comment of btrfs_truncate()
(bsc#1227101 CVE-2024-37354).
- btrfs: make btrfs_truncate_inode_items take btrfs_inode
(bsc#1227101 CVE-2024-37354).
- commit 25e24a4
- blacklist.conf: kABI
- commit 2c68edf
- usb: typec: tcpm: Skip hard reset when in error recovery
(git-fixes).
- commit 74f41bf
- blacklist.conf: false positive
- commit b55e7fd
- bpf, scripts: Correct GPL license name (git-fixes).
- commit d41908e
- Update
patches.suse/0006-dm-btree-remove-fix-use-after-free-in-rebalance_chil.patch
(git-fixes CVE-2021-47600 bsc#1226575).
- Update
patches.suse/PCI-pciehp-Fix-infinite-loop-in-IRQ-handler-upon-pow.patch
(git-fixes CVE-2021-47617 bsc#1226614).
- Update
patches.suse/USB-core-Fix-hang-in-usb_kill_urb-by-adding-memory-b.patch
(git-fixes CVE-2022-48760 bsc#1226712).
- Update
patches.suse/audit-improve-robustness-of-the-audit-queue-handling.patch
(bsc#1204514 CVE-2021-47603 bsc#1226577).
- Update
patches.suse/drm-vmwgfx-Fix-stale-file-descriptors-on-failed-user.patch
(CVE-2022-22942 bsc#1195065 CVE-2022-48771 bsc#1226732).
- Update patches.suse/igbvf-fix-double-free-in-igbvf_probe.patch
(git-fixes CVE-2021-47589 bsc#1226557).
- Update
patches.suse/isdn-cpai-check-ctr-cnr-to-avoid-array-index-out-of-bound.patch
(bsc#1191958 CVE-2021-43389 CVE-2021-4439 bsc#1226670).
- Update
patches.suse/net-ieee802154-ca8210-Stop-leaking-skb-s.patch
(git-fixes CVE-2022-48722 bsc#1226619).
- Update
patches.suse/netfilter-complete-validation-of-user-input.patch
(git-fixes CVE-2024-35896 bsc#1224662 CVE-2024-35962
bsc#1224583).
- Update patches.suse/phylib-fix-potential-use-after-free.patch
(bsc#1119113 FATE#326472 CVE-2022-48754 bsc#1226692).
- Update
patches.suse/ring-buffer-Fix-a-race-between-readers-and-resize-checks.patch
(bsc#1222893 CVE-2024-38601 bsc#1226876).
- Update
patches.suse/scsi-bnx2fc-Flush-destroy_work-queue-before-calling-bnx2fc_interface_put
(git-fixes CVE-2022-48758 bsc#1226708).
- Update patches.suse/scsi-bnx2fc-Make-bnx2fc_recv_frame-mp-safe
(git-fixes CVE-2022-48715 bsc#1226621).
- Update
patches.suse/scsi-libfc-Fix-potential-NULL-pointer-dereference-in-fc_lport_ptp_setup.patch
(git-fixes CVE-2023-52809 bsc#1225556).
- Update
patches.suse/scsi-qla2xxx-Fix-off-by-one-in-qla_edif_app_getstats.patch
(git-fixes CVE-2024-36025 bsc#1225704).
- Update
patches.suse/scsi-scsi_debug-Sanity-check-block-descriptor-length-in-resp_mode_select
(git-fixes CVE-2021-47576 bsc#1226537).
- Update
patches.suse/scsi-target-core-Add-TMF-to-tmr_list-handling.patch
(bsc#1223018 CVE-26845 CVE-2024-26845).
- Update
patches.suse/tipc-improve-size-validations-for-received-domain-re.patch
(bsc#1195254 CVE-2022-0435 CVE-2022-48711 bsc#1226672).
- commit c2edf0b
- tcp: do not accept ACK of bytes we never sent (CVE-2023-52881
bsc#1225611).
- commit d93d95b
- usb: port: Don't try to peer unused USB ports based on location
(git-fixes).
- commit c96b5c5
- blacklist.conf: logging only
- commit b17cfa5
- x86/tsc: Trust initial offset in architectural TSC-adjust MSRs
(bsc#1222015 bsc#1226962).
- commit c9f769c
- iommu/vt-d: Allocate local memory for page request queue
(git-fixes).
- commit 541ce64
- iommu/amd: Fix sysfs leak in iommu init (git-fixes).
- commit cdae1dd
- KVM: x86: Handle SRCU initialization failure during page track
init (CVE-2021-47407, bsc#1225306).
- commit 61b3e37
- xen/events: close evtchn after mapping cleanup (CVE-2024-26687,
bsc#1222435).
- commit c56fe01
- net/9p: fix uninit-value in p9_client_rpc() (CVE-2024-39301 bsc#1226994).
- commit 1a033be
- media: lgdt3306a: Add a check against null-pointer-def
(CVE-2022-48772 bsc#1226976).
- commit 79e986b
- fpga: manager: add owner module and take its refcount
(CVE-2024-37021 bsc#1226950).
- commit 580ed12
- fpga: region: add owner module and take its refcount
(CVE-2024-35247 bsc#1226948).
- commit 75fbd8f
- fpga: bridge: add owner module and take its refcount
(CVE-2024-36479 bsc#1226949).
- commit 410068f
- enic: Validate length of nl attributes in enic_set_vf_port
(CVE-2024-38659 bsc#1226883).
- net: fec: remove .ndo_poll_controller to avoid deadlocks
(CVE-2024-38553 bsc#1226744).
- net/mlx5e: Fix netif state handling (CVE-2024-38608
bsc#1226746).
- eth: sungem: remove .ndo_poll_controller to avoid deadlocks
(CVE-2024-38597 bsc#1226749).
- net: amd-xgbe: Fix skb data length underflow (CVE-2022-48743
bsc#1226705).
- net: systemport: Add global locking for descriptor lifecycle
(CVE-2021-47587 bsc#1226567).
- commit 6fa5a1e
- usb: xhci-plat: fix crash when suspend if remote wake enable
(CVE-2022-48761 bsc#1226701).
- commit 6918857
- virtio-blk: fix implicit overflow on virtio_max_dma_size
(bsc#1225573 CVE-2023-52762).
- commit 630807b
- btrfs: fix use-after-free after failure to create a snapshot
(bsc#1226718 CVE-2022-48733).
- commit bc8f6e2
- vfio/platform: Create persistent IRQ handlers (bsc#1222809
CVE-2024-26813).
- commit a912042
- Update to fix a compiling error,
patches.suse/raid1-fix-use-after-free-for-original-bio-in-raid1_-fcf3.patch.
- commit 4738bf0
- s390/ap: Fix crash in AP internal function modify_bitmap()
(CVE-2024-38661 bsc#1226996 git-fixes).
- commit 642fe77
- block: fix overflow in blk_ioctl_discard() (bsc#1225770
CVE-2024-36917).
- commit fb1867c
- epoll: be better about file lifetimes (bsc#1226610
CVE-2024-38580).
- commit da86de7
- KVM: allow KVM_BUG/KVM_BUG_ON to handle 64-bit cond (git-fixes).
- commit 63ce06d
- drm/nouveau: fix off by one in BIOS boundary checking (bsc#1226716 CVE-2022-48732)
- commit bed5212
- Update references tag
patches.suse/Bluetooth-Disconnect-if-E0-is-used-for-Level-4.patch
(bsc#1171988 CVE-2020-10135 bsc#1218148 CVE-2023-24023).
- commit b41c397
- mm: Avoid overflows in dirty throttling logic (bsc#1222364
CVE-2024-26720).
- commit 6f98632
- media: stk1160: fix bounds checking in stk1160_copy_video()
(CVE-2024-38621 bsc#1226895).
- commit 617f122
- dma-buf/sw-sync: don't enable IRQ from sync_print_obj()
(CVE-2024-38780 bsc#1226886).
- commit 0a1e3b6
- nvmet: fix ns enable/disable possible hang (git-fixes).
- commit 128ca3f
- ecryptfs: Fix buffer size for tag 66 packet (bsc#1226634, CVE-2024-38578).
- commit 41891c0
- stm class: Fix a double free in stm_register_device()
(CVE-2024-38627 bsc#1226857).
- commit b4ea481
- blacklist.conf: kABI
- commit 516146e
- crypto: bcm - Fix pointer arithmetic (bsc#1226637
CVE-2024-38579).
- commit be1545d
- drm/amd/display: Fix potential index out of bounds in color (bsc#1226767 CVE-2024-38552)
- commit fdaaa54
- drm/mediatek: Add 0 size check to mtk_drm_gem_obj (bsc#1226735 CVE-2024-38549)
- commit b67d29d
- drm/msm/dsi: invalid parameter check in msm_dsi_phy_enable (bsc#1226698 CVE-2022-48756)
- commit bd95a05
- net: usb: rtl8150 fix unintiatilzed variables in
rtl8150_get_link_ksettings (git-fixes).
- commit 996e5c4
- RDMA/hns: Fix UAF for cq async event (bsc#1226595 CVE-2024-38545)
- commit 68cd4b9
- RDMA/rxe: Fix seg fault in rxe_comp_queue_pkt (bsc#1226597 CVE-2024-38544)
- commit da8c605
- RDMA/mlx5: Add check for srq max_sge attribute (git-fixes)
- commit 6ee55be
- drm: vc4: Fix possible null pointer dereference (CVE-2024-38546
bsc#1226593).
- commit f5c6e94
- wifi: carl9170: add a proper sanity check for endpoints
(CVE-2024-38567 bsc#1226769).
- rpmsg: char: Fix race between the release of rpmsg_ctrldev
and cdev (CVE-2022-48759 bsc#1226711).
- commit 1d933f6
- wifi: ar5523: enable proper endpoint verification
(CVE-2024-38565 bsc#1226747).
- commit 7f113b6
- mac80211: track only QoS data frames for admission control
(CVE-2021-47602 bsc#1226554).
- commit 6d84852
- ALSA: timer: Set lower bound of start tick time (CVE-2024-38618
bsc#1226754).
- commit ea3c02c
- blacklist.conf: Add 7af443ee16976 sched/core: Require cpu_active() in select_task_rq(), for user tasks
- commit 35a10db
- bsc#1225894: Fix build warning
Fix the following build warning.
* unused-variable (i) in ../drivers/gpu/drm/amd/amdkfd/kfd_device.c in kgd2kfd_resume
../drivers/gpu/drm/amd/amdkfd/kfd_device.c: In function 'kgd2kfd_resume':
../drivers/gpu/drm/amd/amdkfd/kfd_device.c:621:11: warning: unused variable 'i' [-Wunused-variable]
- commit e16e5ba
- bsc#1225894: Fix patch references
- commit 7b4670a
- net/mlx5: Properly link new fs rules into the tree (bsc#1224588
CVE-2024-35960).
- commit 14f14ea
- net/mlx5e: fix a double-free in arfs_create_groups (bsc#1224605
CVE-2024-35835).
- commit 2cc5781
- firmware: arm_scpi: Fix string overflow in SCPI genpd driver (bsc#1226562 CVE-2021-47609)
- commit 4642449
- Fix compilation
- commit 3f5119e
- net: ena: Fix incorrect descriptor free behavior (bsc#1224677
CVE-2024-35958).
- commit 8f4768d
- bonding: stop the device in bond_setup_by_slave() (bsc#1224946
CVE-2023-52784).
- commit da74b6f
- blacklist.conf: bsc#1225555 CVE-2023-52808
patches code not present
- commit 35c5de8
- blacklist.conf: bsc#1223013 CVE-2024-26482
does not apply
- commit c785e5a
- blacklist.conf: bsc#1222879 CVE-2021-47193
breaks kABI
- commit 5ac2f95
- blacklist.conf: bsc#1225559 CVE-2023-5281
Does not apply cleanly at all, and addresses
a corner case that it knows is rare.
- commit 66930cf
- scsi: lpfc: Fix possible memory leak in lpfc_rcv_padisc()
(bsc#1224651 CVE-2024-35930).
- scsi: target: core: Add TMF to tmr_list handling (bsc#1223018
CVE-26845).
- scsi: scsi_debug: Fix out-of-bound read in resp_readcap16()
(bsc#122286 CVE-2021-47191).
- commit 3100b52
- usb: fix various gadget panics on 10gbps cabling (CVE-2021-47267
bsc#1224993).
- commit 3336e4a
- amd/amdkfd: sync all devices to wait all processes being evicted (bsc#1225872 CVE-2024-36949)
- commit aa91737
- drm/amdkfd: Rework kfd_locked handling (bsc#1225872)
- commit 030a69d
- drm/vmwgfx: Fix invalid reads in fence signaled events (bsc#1225872 CVE-2024-36960)
- commit fe8da4d
- nfsd: optimise recalculate_deny_mode() for a common case
(bsc#1217912).
- commit 90c611c
- NFSv4: Always clear the pNFS layout when handling ESTALE
(bsc#1221791).
- NFSv4: nfs_set_open_stateid must not trigger state recovery
for closed state (bsc#1221791).
- PNFS for stateid errors retry against MDS first (bsc#1221791).
- commit fcd364d
- block: prevent division by zero in blk_rq_stat_sum()
(bsc#1224661 CVE-2024-35925).
- commit 7fd346a
- ext4: fix corruption during on-line resize (bsc#1224735
CVE-2024-35807).
- commit 8431549
- fat: fix uninitialized field in nostale filehandles (git-fixes
CVE-2024-26973 bsc#1223641).
- commit 8b4f3fd
- ext4: avoid online resizing failures due to oversized flex bg
(bsc#1222080 CVE-2023-52622).
- commit a81bee5
- nfc: fix potential NULL pointer deref in nfc_genl_dump_ses_done
(CVE-2021-47518 bsc#1225372).
- commit d0fabf7
- net_sched: fix NULL deref in fifo_set_limit()
(CVE-2021-47418 bsc#1225337).
- commit 54048d4
- net: validate lwtstate->data before returning from skb_tunnel_info()
(CVE-2021-47309 bsc#1224967).
- commit 2b76537
- net: fix uninit-value in caif_seqpkt_sendmsg
(CVE-2021-47297 bsc#1224976).
- commit 39164d4
- net/sched: act_skbmod: Skip non-Ethernet packets
(CVE-2021-47293 bsc#1224978).
- commit aedefe0
- netrom: Decrease sock refcount when sock timers expire
(CVE-2021-47294 bsc#1224977).
- commit 44bce11
- ipv6: Fix infinite recursion in fib6_dump_done() (CVE-2024-35886
bsc#1224670).
- commit 5d20998
- tty: n_gsm: fix possible out-of-bounds in gsm0_receive()
(CVE-2024-36016 bsc#1225642).
- commit f5c4f31
- net: macb: fix use after free on rmmod (CVE-2021-47372
bsc#1225184).
- commit 5bb5ee7
- btrfs: use correct compare function of dirty_metadata_bytes (git-fixes)
- commit d51a7ff
- Btrfs: fix memory and mount leak in btrfs_ioctl_rm_dev_v2() (git-fixes)
- commit 4b455f0
- btrfs: fix describe_relocation when printing unknown flags (git-fixes)
- commit a147519
- btrfs: add barriers to btrfs_sync_log before log_commit_wait wakeups (git-fixes)
- commit 0487247
- btrfs: fix crash when trying to resume balance without the resume flag (git-fixes)
- commit f0fa7bc
- Btrfs: clean up resources during umount after trans is aborted (git-fixes)
- commit c78d131
- Btrfs: bail out on error during replay_dir_deletes (git-fixes)
- commit 7a8f6ce
- Btrfs: fix NULL pointer dereference in log_dir_items (git-fixes)
- commit 02cab92
- Btrfs: send, fix issuing write op when processing hole in no data mode (git-fixes)
- Refresh
patches.suse/btrfs-send-fix-incorrect-file-layout-after-hole-punching-beyond-eof.patch.
- commit f710800
- Btrfs: fix unexpected EEXIST from btrfs_get_extent (git-fixes)
- commit 82c1e6b
- btrfs: tree-check: reduce stack consumption in check_dir_item (git-fixes)
- commit 36aca35
- btrfs: fix false EIO for missing device (git-fixes)
- Refresh
patches.suse/btrfs-ensure-that-a-dup-or-raid1-block-group-has-exactly-two-stripes.patch
- commit 01544ea
- USB: serial: option: add Quectel EG912Y module support
(git-fixes).
- commit a8d3e25
- blacklist.conf: pure cleanup
- commit c59c78d
- USB: serial: option: add Quectel RM500Q R13 firmware support
(git-fixes).
- commit b3dedc2
- USB: serial: option: add Foxconn T99W265 with new baseline
(git-fixes).
- commit 51f747d
- net: usb: smsc95xx: fix changing LED_SEL bit value updated
from EEPROM (git-fixes).
- commit d6ed297
- ocfs2: fix sparse warnings (bsc#1219224).
- ocfs2: speed up chain-list searching (bsc#1219224).
- ocfs2: adjust enabling place for la window (bsc#1219224).
- ocfs2: improve write IO performance when fragmentation is high
(bsc#1219224).
- commit d862a97
- smb: client: fix use-after-free bug in
cifs_debug_data_proc_show() (bsc#1225487, CVE-2023-52752).
- commit b2bff17
- blkcg: Fix multiple bugs in blkcg_activate_policy()
(CVE-2021-47379 bsc#1225203).
- blkcg: blkcg_activate_policy() should initialize ancestors first
(CVE-2021-47379 bsc#1225203).
- commit 5e6941f
- blacklist.conf: bsc#1225047 CVE-2021-47328: breaks kABI
Also, does not apply.
- commit 55744fb
- blk-cgroup: fix UAF by grabbing blkcg lock before destroying
blkg pd (CVE-2021-47379 bsc#1225203).
- commit 26f8206
- blacklist.conf: Blacklist 618f003199c61
- commit f552be9
- atl1c: Work around the DMA RX overflow issue (CVE-2023-52834
bsc#1225599).
- commit c880bf0
- btrfs: lock the inode in shared mode before starting fiemap
(bsc#1225484 CVE-2023-52737).
- commit e4a79d3
- ext4: correct offset of gdb backup in non meta_bg group to
update_backups (bsc#1224735 CVE-2024-35807).
- commit 57ba8ce
- raid1: fix use-after-free for original bio in raid1_write_request()
(bsc#1221097, bsc#1224572, CVE-2024-35979).
- commit daf8372
- fs/9p: only translate RWX permissions for plain 9P2000
(bsc#1225866 CVE-2024-36964).
- commit 7cf061b
- media: imon: fix access to invalid resource for the second
interface (CVE-2023-52754 bsc#1225490).
- commit 0f818a4
- firewire: ohci: mask bus reset interrupts between ISR and
bottom half (CVE-2024-36950 bsc#1225895).
- commit 342de59
- pinctrl: core: delete incorrect free in pinctrl_enable()
(CVE-2024-36940 bsc#1225840).
- commit 6103cd4
- staging: rtl8192e: Fix use after free in
_rtl92e_pci_disconnect() (CVE-2021-47571 bsc#1225518).
- commit 9243acc
- media: gspca: cpia1: shift-out-of-bounds in set_flicker
(CVE-2023-52764 bsc#1225571).
- wifi: mac80211: don't return unset power in
ieee80211_get_tx_power() (CVE-2023-52832 bsc#1225577).
- commit 74cf739
- Bluetooth: qca: add missing firmware sanity checks
(CVE-2024-36880 bsc#1225722).
- commit 1f313de
- drm/msm: Fix null pointer dereference on pointer edp (bsc#1225261 CVE-2021-47445)
- commit 7365fdb
- rpm/kernel-obs-build.spec.in: Add iso9660 (bsc#1226212)
Some builds don't just create an iso9660 image, but also mount it during
build.
- commit aaee141
- llc: verify mac len before reading mac header
(CVE-2023-52843 bsc#1224951).
- commit 048fdd1
- drm/sched: Avoid data corruptions (bsc#1225140 CVE-2021-47354)
- commit 735d57e
- nfc: llcp: fix nfc_llcp_setsockopt() unsafe copies
(CVE-2024-36915 bsc#1225758).
- commit d2aa3fc
- rpm/kernel-obs-build.spec.in: Add networking modules for docker
(bsc#1226211)
docker needs more networking modules, even legacy iptable_nat and _filter.
- commit 415e132
- Bluetooth: Add more enc key size check (bsc#1218148
CVE-2023-24023).
- commit 8b7d4c7
- rtnetlink: Correct nested IFLA_VF_VLAN_LIST attribute validation
(CVE-2024-36017 bsc#1225681).
- commit eee2828
- netfilter: complete validation of user input
(git-fixes CVE-2024-35896 bsc#1224662).
- commit bd2bc6c
- tcp: fix page frag corruption on page fault
(CVE-2021-47544 bsc#1225463).
- commit 0c69f93
- netfilter: validate user input for expected length
(CVE-2024-35896 bsc#1224662).
- commit d09d89a
- Bluetooth: Normalize HCI_OP_READ_ENC_KEY_SIZE cmdcmplt
(bsc#1218148 CVE-2023-24023).
- commit be61b35
- arm64: asm-bug: Add .align 2 to the end of __BUG_ENTRY
(git-fixes).
- commit a33c0aa
- fbmon: prevent division by zero in fb_videomode_from_videomode() (bsc#1224660 CVE-2024-35922)
- commit 9990cdc
- bna: ensure the copied buf is NUL terminated (CVE-2024-36934
bsc#1225760).
- commit 5e5c793
- tipc: Change nla_policy for bearer-related names to NLA_NUL_STRING
(CVE-2023-52845 bsc#1225585).
- commit 28beea5
- blacklist.conf: Add 1971d13ffa84a "af_unix: Suppress false-positive lockdep splat for spin_lock() in __unix_gc()."
- commit 9ab8e4f
- HID: i2c-hid: remove I2C_HID_READ_PENDING flag to prevent
lock-up (bsc#1224552 CVE-2024-35997).
- commit 31522d3
- wifi: nl80211: reject iftype change with mesh ID change
(CVE-2024-27410 bsc#1224432).
- commit 18882c6
- fix compat handling of FICLONERANGE, FIDEDUPERANGE and
FS_IOC_FIEMAP (bsc#1225848).
- blacklist.conf:
- fs: make fiemap work from compat_ioctl (bsc#1225848).
- commit e6c580c
- perf/core: Bail out early if the request AUX area is out of
bound (bsc#1225602 CVE-2023-52835).
- commit 0b197bf
- powerpc/imc-pmu: Add a null pointer check in
update_events_in_group() (bsc#1224504 CVE-2023-52675).
- commit 5ed0541
- blacklist.conf: CVE-2024-35956 bsc#1224674: not applicable bsc#1225945
Quoting bsc#1225945#c11:
"So the upstream 6.5 kernel commit (1b53e51a4a8f ("btrfs: don't commit
transaction for every subvol create")
) was never backported to SLE, so that fix eb96e221937a ("btrfs: fix
unwritten extent buffer after snapshotting a new subvolume") was never
backported."
- commit 13b6119
- usb: gadget: f_fs: Fix race between aio_cancel() and AIO
request complete (CVE-2024-36894 bsc#1225749).
- commit 66229f2
- proc/vmcore: fix clearing user buffer by properly using
clear_user() (CVE-2021-47566 bsc#1225514).
- commit 4f35255
- usb: dwc2: fix possible NULL pointer dereference caused by
driver concurrency (CVE-2023-52855 bsc#1225583).
- commit 304ea43
- wicked
-
- Update to version 0.6.76
- compat-suse: warn user and create missing parent config of
infiniband children (gh#openSUSE/wicked#1027)
- client: fix origin in loaded xml-config with obsolete port
references but missing port interface config, causing a
no-carrier of master (bsc#1226125)
- ipv6: fix setup on ipv6.disable=1 kernel cmdline (bsc#1225976)
- wireless: add frequency-list in station mode (jsc#PED-8715)
- client: fix crash while hierarchy traversing due to loop in
e.g. systemd-nspawn containers (bsc#1226664)
- man: add supported bonding options to ifcfg-bonding(5) man page
(gh#openSUSE/wicked#1021)
- arputil: Document minimal interval for getopts (gh#openSUSE/wicked#1019)
- man: (re)generate man pages from md sources (gh#openSUSE/wicked#1018)
- client: warn on interface wait time reached (gh#openSUSE/wicked#1017)
- compat-suse: fix dummy type detection from ifname to not cause
conflicts with e.g. correct vlan config on dummy0.42 interfaces
(gh#openSUSE/wicked#1016)
- compat-suse: fix infiniband and infiniband child type detection
from ifname (gh#openSUSE/wicked#1015)
- Removed patches included in the source archive:
[- 0001-ifreload-pull-UP-again-on-master-lower-changes-bsc1224100.patch]
[- 0002-increase-arp-retry-attempts-on-sending-bsc1218668.patch]
- docker
-
[NOTE: This update was only ever released in SLES and Leap.]
- Update to Docker 25.0.6-ce. See upstream changelog online at
<https://docs.docker.com/engine/release-notes/25.0/#2506>
- This update includes a fix for CVE-2024-41110. bsc#1228324
- Rebase patches:
* 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
* 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
* 0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch
* 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
* 0005-SLE12-revert-apparmor-remove-version-conditionals-fr.patch
* 0006-bsc1221916-update-to-patched-buildkit-version-to-fix.patch
* 0007-bsc1214855-volume-use-AtomicWriteFile-to-save-volume.patch
- Rebase patches:
* 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
* 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
* 0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch
* 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
* 0005-SLE12-revert-apparmor-remove-version-conditionals-fr.patch
- Fix BuildKit's symlink resolution logic to correctly handle non-lexical
symlinks. Backport of <https://github.com/moby/buildkit/pull/4896> and
<https://github.com/moby/buildkit/pull/5060>. bsc#1221916
+ 0006-bsc1221916-update-to-patched-buildkit-version-to-fix.patch
- Write volume options atomically so sudden system crashes won't result in
future Docker starts failing due to empty files. Backport of
<https://github.com/moby/moby/pull/48034>. bsc#1214855
+ 0007-bsc1214855-volume-use-AtomicWriteFile-to-save-volume.patch
- _product:SLES-release
-
n/a
- _product:sle-sdk-release
-
n/a
- libxml2
-
- Security fix (CVE-2024-34459, bsc#1224282) buffer over-read in
xmlHTMLPrintFileContext in xmllint.c
* Added libxml2-CVE-2024-34459.patch
- xen
-
- bsc#1227355 - VUL-0: CVE-2024-31143: xen: double unlock in x86
guest IRQ handling (XSA-458)
xsa458.patch
- Upstream bug fixes (bsc#1027519)
6627a4ee-vRTC-UIP-set-for-longer-than-expected.patch
663a383c-libxs-open-xenbus-fds-as-O_CLOEXEC.patch
663eaa27-libxl-XenStore-error-handling-in-device-creation.patch
66450627-x86-respect-mapcache_domain_init-failing.patch
- bsc#1222453 - VUL-0: CVE-2024-2201: xen: x86: Native Branch
History Injection (XSA-456)
Corrections to the following patches
661560bd-x86-spec-ctrl-BHB-clearing-sequences.patch
661560be-x86-spec-ctrl-wire-up-native-BHI-sequences.patch
- zypper
-
- Show rpm install size before installing (bsc#1224771)
If filesystem snapshots are taken before the installation (e.g.
by snapper) no disk space is freed by removing old packages. In
this case the install size of all packages is a hint of how much
additional disk space is needed by the new packages' static
content.
- version 1.13.67
- xfsprogs
-
- xfs_copy: bail out early when superblock cannot be verified
(bsc#1227150)
- add xfs_copy-bail-out-early-when-superblock-cannot-be-ve.patch
- shadow
-
- bsc#916845 (CVE-2013-4235): Fix TOCTOU race condition
Add shadow-CVE-2013-4235.patch
- python36
-
- Add CVE-2024-4032-private-IP-addrs.patch to fix bsc#1226448
(CVE-2024-4032) rearranging definition of private v global IP
addresses.
- Add CVE-2024-0397-memrace_ssl.SSLContext_cert_store.patch
fixing bsc#1226447 (CVE-2024-0397) by removing memory race
condition in ssl.SSLContext certificate store methods.
- mozilla-nss
-
- Added nss-fips-safe-memset.patch, fixing bsc#1222811.
- Removed some dead code from nss-fips-constructor-self-tests.patch.
- Rebased nss-fips-approved-crypto-non-ec.patch on above changes.
- Added nss-fips-aes-gcm-restrict.patch, fixing bsc#1222830.
- Updated nss-fips-approved-crypto-non-ec.patch, fixing bsc#1222813,
bsc#1222814, bsc#1222821, bsc#1222822, bsc#1224118.
- Updated nss-fips-approved-crypto-non-ec.patch and
nss-fips-constructor-self-tests.patch, fixing bsc#1222807,
bsc#1222828, bsc#1222834.
- Updated nss-fips-approved-crypto-non-ec.patch, fixing bsc#1222804,
bsc#1222826, bsc#1222833, bsc#1224113, bsc#1224115, bsc#1224116.
- update to NSS 3.101.1
* bmo#1901932 - missing sqlite header.
* bmo#1901080 - GLOBALTRUST 2020: Set Distrust After for TLS and S/MIME.
- update to NSS 3.101
* bmo#1900413 - add diagnostic assertions for SFTKObject refcount.
* bmo#1899759 - freeing the slot in DeleteCertAndKey if authentication failed
* bmo#1899883 - fix formatting issues.
* bmo#1889671 - Add Firmaprofesional CA Root-A Web to NSS.
* bmo#1899593 - remove invalid acvp fuzz test vectors.
* bmo#1898830 - pad short P-384 and P-521 signatures gtests.
* bmo#1898627 - remove unused FreeBL ECC code.
* bmo#1898830 - pad short P-384 and P-521 signatures.
* bmo#1898825 - be less strict about ECDSA private key length.
* bmo#1854439 - Integrate HACL* P-521.
* bmo#1854438 - Integrate HACL* P-384.
* bmo#1898074 - memory leak in create_objects_from_handles.
* bmo#1898858 - ensure all input is consumed in a few places in mozilla::pkix
* bmo#1884444 - SMIME/CMS and PKCS #12 do not integrate with modern NSS policy
* bmo#1748105 - clean up escape handling
* bmo#1896353 - Use lib::pkix as default validator instead of the old-one
* bmo#1827444 - Need to add high level support for PQ signing.
* bmo#1548723 - Certificate Compression: changing the allocation/freeing of buffer + Improving the documentation
* bmo#1884444 - SMIME/CMS and PKCS #12 do not integrate with modern NSS policy
* bmo#1893404 - Allow for non-full length ecdsa signature when using softoken
* bmo#1830415 - Modification of .taskcluster.yml due to mozlint indent defects
* bmo#1793811 - Implement support for PBMAC1 in PKCS#12
* bmo#1897487 - disable VLA warnings for fuzz builds.
* bmo#1895032 - remove redundant AllocItem implementation.
* bmo#1893334 - add PK11_ReadDistrustAfterAttribute.
* bmo#215997 - Clang-formatting of SEC_GetMgfTypeByOidTag update
* bmo#1895012 - Set SEC_ERROR_LIBRARY_FAILURE on self-test failure
* bmo#1894572 - sftk_getParameters(): Fix fallback to default variable after error with configfile.
* bmo#1830415 - Switch to the mozillareleases/image_builder image
- Follow upstream changes in nss-fips-constructor-self-tests.patch (switch from ec_field_GFp to ec_field_plain)
- Remove part of nss-fips-zeroization.patch that got removed upstream
- update to NSS 3.100
* bmo#1893029 - merge pk11_kyberSlotList into pk11_ecSlotList for
faster Xyber operations.
* bmo#1893752 - remove ckcapi.
* bmo#1893162 - avoid a potential PK11GenericObject memory leak.
* bmo#671060 - Remove incomplete ESDH code.
* bmo#215997 - Decrypt RSA OAEP encrypted messages.
* bmo#1887996 - Fix certutil CRLDP URI code.
* bmo#1890069 - Don't set CKA_DERIVE for CKK_EC_EDWARDS private keys.
* bmo#676118 - Add ability to encrypt and decrypt CMS messages using ECDH.
* bmo#676100 - Correct Templates for key agreement in smime/cmsasn.c.
* bmo#1548723 - Moving the decodedCert allocation to NSS.
* bmo#1885404 - Allow developers to speed up repeated local execution
of NSS tests that depend on certificates.
- update to NSS 3.99
* Removing check for message len in ed25519 (bmo#1325335)
* add ed25519 to SECU_ecName2params. (bmo#1884276)
* add EdDSA wycheproof tests. (bmo#1325335)
* nss/lib layer code for EDDSA. (bmo#1325335)
* Adding EdDSA implementation. (bmo#1325335)
* Exporting Certificate Compression types (bmo#1881027)
* Updating ACVP docker to rust 1.74 (bmo#1880857)
* Updating HACL* to 0f136f28935822579c244f287e1d2a1908a7e552 (bmo#1325335)
* Add NSS_CMSRecipient_IsSupported. (bmo#1877730)
- update to NSS 3.98
* bmo#1780432 - (CVE-2023-5388) Timing attack against RSA decryption
in TLS
* bmo#1879513 - Certificate Compression: enabling the check that
the compression was advertised
* bmo#1831552 - Move Windows workers to nss-1/b-win2022-alpha
* bmo#1879945 - Remove Email trust bit from OISTE WISeKey
Global Root GC CA
* bmo#1877344 - Replace `distutils.spawn.find_executable` with
`shutil.which` within `mach` in `nss`
* bmo#1548723 - Certificate Compression: Updating nss_bogo_shim to
support Certificate compression
* bmo#1548723 - TLS Certificate Compression (RFC 8879) Implementation
* bmo#1875356 - Add valgrind annotations to freebl kyber operations
for constant-time execution tests
* bmo#1870673 - Set nssckbi version number to 2.66
* bmo#1874017 - Add Telekom Security roots
* bmo#1873095 - Add D-Trust 2022 S/MIME roots
* bmo#1865450 - Remove expired Security Communication RootCA1 root
* bmo#1876179 - move keys to a slot that supports concatenation in
PK11_ConcatSymKeys
* bmo#1876800 - remove unmaintained tls-interop tests
* bmo#1874937 - bogo: add support for the -ipv6 and -shim-id shim
flags
* bmo#1874937 - bogo: add support for the -curves shim flag and
update Kyber expectations
* bmo#1874937 - bogo: adjust expectation for a key usage bit test
* bmo#1757758 - mozpkix: add option to ignore invalid subject
alternative names
* bmo#1841029 - Fix selfserv not stripping `publicname:` from -X value
* bmo#1876390 - take ownership of ecckilla shims
* bmo#1874458 - add valgrind annotations to freebl/ec.c
* bmo#864039 - PR_INADDR_ANY needs PR_htonl before assignment to inet.ip
* bmo#1875965 - Update zlib to 1.3.1
- Use %patch -P N instead of deprecated %patchN.
- update to NSS 3.97
* bmo#1875506 - make Xyber768d00 opt-in by policy
* bmo#1871631 - add libssl support for xyber768d00
* bmo#1871630 - add PK11_ConcatSymKeys
* bmo#1775046 - add Kyber and a PKCS#11 KEM interface to softoken
* bmo#1871152 - add a FreeBL API for Kyber
* bmo#1826451 - part 2: vendor github.com/pq-crystals/kyber/commit/e0d1c6ff
* bmo#1826451 - part 1: add a script for vendoring kyber from pq-crystals repo
* bmo#1835828 - Removing the calls to RSA Blind from loader.*
* bmo#1874111 - fix worker type for level3 mac tasks
* bmo#1835828 - RSA Blind implementation
* bmo#1869642 - Remove DSA selftests
* bmo#1873296 - read KWP testvectors from JSON
* bmo#1822450 - Backed out changeset dcb174139e4f
* bmo#1822450 - Fix CKM_PBE_SHA1_DES2_EDE_CBC derivation
* bmo#1871219 - Wrap CC shell commands in gyp expansions
- update to NSS 3.96.1
* bmo#1869408 - Use pypi dependencies for MacOS worker in ./build_gyp.sh
* bmo#1830978 - p7sign: add -a hash and -u certusage (also p7verify cleanups)
* bmo#1867408 - add a defensive check for large ssl_DefSend return values
* bmo#1869378 - Add dependency to the taskcluster script for Darwin
* bmo#1869378 - Upgrade version of the MacOS worker for the CI
- add nss-allow-slow-tests-s390x.patch: "certutil dump keys with
explicit default trust flags" test needs longer than the allowed
6 seconds on s390x
- update to NSS 3.95
* bmo#1842932 - Bump builtins version number.
* bmo#1851044 - Remove Email trust bit from Autoridad de Certificacion
Firmaprofesional CIF A62634068 root cert.
* bmo#1855318 - Remove 4 DigiCert (Symantec/Verisign) Root Certificates
* bmo#1851049 - Remove 3 TrustCor Root Certificates from NSS.
* bmo#1850982 - Remove Camerfirma root certificates from NSS.
* bmo#1842935 - Remove old Autoridad de Certificacion Firmaprofesional
Certificate.
* bmo#1860670 - Add four Commscope root certificates to NSS.
* bmo#1850598 - Add TrustAsia Global Root CA G3 and G4 root certificates.
* bmo#1863605 - Include P-384 and P-521 Scalar Validation from HACL*
* bmo#1861728 - Include P-256 Scalar Validation from HACL*.
* bmo#1861265 - After the HACL 256 ECC patch, NSS incorrectly encodes
256 ECC without DER wrapping at the softoken level
* bmo#1837987 - Add means to provide library parameters to C_Initialize
* bmo#1573097 - clang format
* bmo#1854795 - add OSXSAVE and XCR0 tests to AVX2 detection.
* bmo#1858241 - Typo in ssl3_AppendHandshakeNumber
* bmo#1858241 - Introducing input check of ssl3_AppendHandshakeNumber
* bmo#1573097 - Fix Invalid casts in instance.c
- update to NSS 3.94
* bmo#1853737 - Updated code and commit ID for HACL*
* bmo#1840510 - update ACVP fuzzed test vector: refuzzed with
current NSS
* bmo#1827303 - Softoken C_ calls should use system FIPS setting
to select NSC_ or FC_ variants
* bmo#1774659 - NSS needs a database tool that can dump the low level
representation of the database
* bmo#1852179 - declare string literals using char in pkixnames_tests.cpp
* bmo#1852179 - avoid implicit conversion for ByteString
* bmo#1818766 - update rust version for acvp docker
* bmo#1852011 - Moving the init function of the mpi_ints before
clean-up in ec.c
* bmo#1615555 - P-256 ECDH and ECDSA from HACL*
* bmo#1840510 - Add ACVP test vectors to the repository
* bmo#1849077 - Stop relying on std::basic_string<uint8_t>
* bmo#1847845 - Transpose the PPC_ABI check from Makefile to gyp
- rebased patches
- added nss-fips-test.patch to fix broken test
- Update to NSS 3.93:
* bmo#1849471 - Update zlib in NSS to 1.3.
* bmo#1848183 - softoken: iterate hashUpdate calls for long inputs.
* bmo#1813401 - regenerate NameConstraints test certificates (boo#1214980).
- Rebase nss-fips-pct-pubkeys.patch.
- update to NSS 3.92
* bmo#1822935 - Set nssckbi version number to 2.62
* bmo#1833270 - Add 4 Atos TrustedRoot Root CA certificates to NSS
* bmo#1839992 - Add 4 SSL.com Root CA certificates
* bmo#1840429 - Add Sectigo E46 and R46 Root CA certificates
* bmo#1840437 - Add LAWtrust Root CA2 (4096)
* bmo#1822936 - Remove E-Tugra Certification Authority root
* bmo#1827224 - Remove Camerfirma Chambers of Commerce Root.
* bmo#1840505 - Remove Hongkong Post Root CA 1
* bmo#1842928 - Remove E-Tugra Global Root CA ECC v3 and RSA v3
* bmo#1842937 - Avoid redefining BYTE_ORDER on hppa Linux
- update to NSS 3.91
* bmo#1837431 - Implementation of the HW support check for ADX instruction
* bmo#1836925 - Removing the support of Curve25519
* bmo#1839795 - Fix comment about the addition of ticketSupportsEarlyData
* bmo#1839327 - Adding args to enable-legacy-db build
* bmo#1835357 - dbtests.sh failure in "certutil dump keys with explicit
default trust flags"
* bmo#1837617 - Initialize flags in slot structures
* bmo#1835425 - Improve the length check of RSA input to avoid heap overflow
* bmo#1829112 - Followup Fixes
* bmo#1784253 - avoid processing unexpected inputs by checking for
m_exptmod base sign
* bmo#1826652 - add a limit check on order_k to avoid infinite loop
* bmo#1834851 - Update HACL* to commit 5f6051d2
* bmo#1753026 - add SHA3 to cryptohi and softoken
* bmo#1753026 - HACL SHA3
* bmo#1836781 - Disabling ASM C25519 for all but X86_64
- removed upstreamed patch nss-fix-bmo1836925.patch
- update to NSS 3.90.3
* bmo#1901080 - GLOBALTRUST 2020: Set Distrust After for TLS and S/MIME.
* bmo#1748105 - clean up escape handling.
* bmo#1895032 - remove redundant AllocItem implementation.
* bmo#1836925 - Disable ASM support for Curve25519.
* bmo#1836781 - Disable ASM support for Curve25519 for all but X86_64.
- remove upstreamed nss-fix-bmo1836925.patch
- Adding nss-fips-bsc1223724.patch to fix startup crash of Firefox
when using FIPS-mode (bsc#1223724).
- Added "Provides: nss" so other RPMs that require 'nss' can
be installed (jira PED-6358).
- krb5
-
- Fix vulnerabilities in GSS message token handling, add patch
0016-Fix-vulnerabilities-in-GSS-message-token-handling.patch
* CVE-2024-37370, bsc#1227186
* CVE-2024-37371, bsc#1227187