suse-sles-12-sp5-v20250408-hvm-ssd-x86_64 Package Source Changes

python

- Update CVE-2024-11168-validation-IPv6-addrs.patch
  according modifications by the Debian
  developers (Sylvain Beucler <beuc@debian.org>,
  gh#python/cpython#103848#issuecomment-2708135083).

python36

- Update CVE-2024-11168-validation-IPv6-addrs.patch
  according to the Debian version
  (gh#python/cpython#103848#issuecomment-2708135083).

libzypp

- Do not double encode URL strings passed on the commandline
  (bsc#1237587)
  URLs passed on the commandline must have their special chars
  encoded already. We just want to check and encode forgotten
  unsafe chars like a blank. A '%' however must not be encoded
  again.
- version 16.22.16 (0)

grub2

- Fix zfs.mo not found message when booting on legacy BIOS (bsc#1237865)
  * 0001-autofs-Ignore-zfs-not-found.patch

amazon-ssm-agent

- Add patch to fix proxy bypass using IPv6 zone IDs in golang.org/x/net
  * CVE-2025-22870.patch (bsc#1238702, CVE-2025-22870)

pam

- pam_unix/passverify: (get_account_info) [!HELPER_COMPILE]: Always return
  PAM_UNIX_RUN_HELPER instead of trying to obtain the shadow password file
  entry.
  [passverify-always-run-the-helper-to-obtain-shadow-pwd.patch, bsc#1232234,
  CVE-2024-10041]
- Do not reject the user with a hash assuming it's non-empty.
  [pam_unix-allow-empty-passwords-with-non-empty-hashes.patch]

python-base

- Update CVE-2024-11168-validation-IPv6-addrs.patch
  according modifications by the Debian
  developers (Sylvain Beucler <beuc@debian.org>,
  gh#python/cpython#103848#issuecomment-2708135083).

pciutils

- Update to pciutils 3.5.6 from SLE-15 [jsc#PED-4587].
  The following patches are obsolete in the newer version:
  * add-decoding-of-vendor-specific-vpd-fields.patch
  * pciutils-3.1.7-fix-memory-leak-in-get_cache_name.patch
  * pciutils-3.5.1-add-support-for-32-bit-pci-domains.patch
  * pciutils-lspci-Correct-Root-Capabilities-CRS-Software-Visibil.patch
  * show-gen4-speed-properly.patch

- Add "pciutils-Add-PCIe-5.0-data-rate-32-GT-s-support.patch" and
  "pciutils-Add-PCIe-6.0-data-rate-64-GT-s-support.patch" to fix
  LnkCap speed recognition in lspci for multi PCIe ports such as
  the ML110 Gen11. [bsc#1192862]

- Fix lspci outputs few of the VPD data fields are displayed as unknown (bsc#1170554, ltc#185587).
  Added:
  * pciutils-VPD-When-printing-item-IDs-escape-non-ASCII-characte.patch
  * pciutils-VPD-Cleanup.patch
  * pciutils-Add-decoding-of-vendor-specific-VPD-fields.patch

_product:sle-sdk-release

n/a

python3

- Update CVE-2024-11168-validation-IPv6-addrs.patch
  according to the Debian version
  (gh#python/cpython#103848#issuecomment-2708135083).

apparmor

- Update profile usr.lib.dovecot.auth and add dovecot-unix_chkpwd.diff
  to allow dovecot-auth to execute unix_chkpwd, and add a profile for
  unix_chkpwd. This is needed for PAM with CVE-2024-10041 (bsc#1234452)

vim

- Introduce patch to fix bsc#1235751 (regression).
  * vim-9.1.1134-revert-putty-terminal-colors.patch
- Update to 9.1.1176. Changes:
  * 9.1.1176: wrong indent when expanding multiple lines
  * 9.1.1175: inconsistent behaviour with exclusive selection and motion commands
  * 9.1.1174: tests: Test_complete_cmdline() may fail
  * 9.1.1173: filetype: ABNF files are not detected
  * 9.1.1172: [security]: overflow with 'nostartofline' and Ex command in tag file
  * 9.1.1171: tests: wrong arguments passed to assert_equal()
  * 9.1.1170: wildmenu highlighting in popup can be improved
  * 9.1.1169: using global variable for get_insert()/get_lambda_name()
  * 9.1.1168: wrong flags passed down to nextwild()
  * 9.1.1167: mark '] wrong after copying text object
  * 9.1.1166: command-line auto-completion hard with wildmenu
  * 9.1.1165: diff: regression with multi-file diff blocks
  * 9.1.1164: [security]: code execution with tar.vim and special crafted tar files
  * 9.1.1163: $MYVIMDIR is set too late
  * 9.1.1162: completion popup not cleared in cmdline
  * 9.1.1161: preinsert requires bot "menu" and "menuone" to be set
  * 9.1.1160: Ctrl-Y does not work well with "preinsert" when completing items
  * 9.1.1159: $MYVIMDIR may not always be set
  * 9.1.1158: :verbose set has wrong file name with :compiler!
  * 9.1.1157: command completion wrong for input()
  * 9.1.1156: tests: No test for what patch 9.1.1152 fixes
  * 9.1.1155: Mode message not cleared after :silent message
  * 9.1.1154: Vim9: not able to use autoload class accross scripts
  * 9.1.1153: build error on Haiku
  * 9.1.1152: Patch v9.1.1151 causes problems
  * 9.1.1151: too many strlen() calls in getchar.c
  * 9.1.1150: :hi completion may complete to wrong value
  * 9.1.1149: Unix Makefile does not support Brazilian lang for the installer
  * 9.1.1148: Vim9: finding imported scripts can be further improved
  * 9.1.1147: preview-window does not scroll correctly
  * 9.1.1146: Vim9: wrong context being used when evaluating class member
  * 9.1.1145: multi-line completion has wrong indentation for last line
  * 9.1.1144: no way to create raw strings from a blob
  * 9.1.1143: illegal memory access when putting a register
  * 9.1.1142: tests: test_startup fails if $HOME/$XDG_CONFIG_HOME is defined
  * 9.1.1141: Misplaced comment in readfile()
  * 9.1.1140: filetype: m17ndb files are not detected
  * 9.1.1139: [fifo] is not displayed when editing a fifo
  * 9.1.1138: cmdline completion for :hi is too simplistic
  * 9.1.1137: ins_str() is inefficient by calling STRLEN()
  * 9.1.1136: Match highlighting marks a buffer region as changed
  * 9.1.1135: 'suffixesadd' doesn't work with multiple items
  * 9.1.1134: filetype: Guile init file not recognized
  * 9.1.1133: filetype: xkb files not recognized everywhere
  * 9.1.1132: Mark positions wrong after triggering multiline completion
  * 9.1.1131: potential out-of-memory issue in search.c
  * 9.1.1130: 'listchars' "precedes" is not drawn on Tabs.
  * 9.1.1129: missing out-of-memory test in buf_write()
  * 9.1.1128: patch 9.1.1119 caused a regression with imports
  * 9.1.1127: preinsert text is not cleaned up correctly
  * 9.1.1126: patch 9.1.1121 used a wrong way to handle enter
  * 9.1.1125: cannot loop through pum menu with multiline items
  * 9.1.1124: No test for 'listchars' "precedes" with double-width char
  * 9.1.1123: popup hi groups not falling back to defaults
  * 9.1.1122: too many strlen() calls in findfile.c
  * 9.1.1121: Enter does not insert newline with "noselect"
  * 9.1.1120: tests: Test_registers fails
  * 9.1.1119: Vim9: Not able to use an autoloaded class from another autoloaded script
  * 9.1.1118: tests: test_termcodes fails
  * 9.1.1117: there are a few minor style issues
  * 9.1.1116: Vim9: super not supported in lambda expressions
  * 9.1.1115: [security]: use-after-free in str_to_reg()
  * 9.1.1114: enabling termguicolors automatically confuses users
  * 9.1.1113: tests: Test_terminal_builtin_without_gui waits 2 seconds
  * 9.1.1112: Inconsistencies in get_next_or_prev_match()
  * 9.1.1111: Vim9: variable not found in transitive import
  * 9.1.1110: Vim tests are slow and flaky
  * 9.1.1109: cmdexpand.c hard to read
  * 9.1.1108: 'smoothscroll' gets stuck with 'listchars' "eol"
  * 9.1.1107: cannot loop through completion menu with fuzzy
  * 9.1.1106: tests: Test_log_nonexistent() causes asan failure
  * 9.1.1105: Vim9: no support for protected new() method
  * 9.1.1104: CI: using Ubuntu 22.04 Github runners
  * 9.1.1103: if_perl: still some compile errors with Perl 5.38
  * 9.1.1102: tests: Test_WinScrolled_Resized_eiw() uses wrong filename

docker

- Don't use the new container-selinux conditional requires on SLE-12, as the
  RPM version there doesn't support it. Arguably the change itself is a bit
  suspect but we can fix that later. bsc#1237367

- Add backport for golang.org/x/oauth2 CVE-2025-22868 fix. bsc#1239185
  + 0006-CVE-2025-22868-vendor-jws-split-token-into-fixed-num.patch
- Add backport for golang.org/x/crypto CVE-2025-22869 fix. bsc#1239322
  + 0007-CVE-2025-22869-vendor-ssh-limit-the-size-of-the-inte.patch
- Refresh patches:
  * 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
  * 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
  * 0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch
  * 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
  * 0005-SLE12-revert-apparmor-remove-version-conditionals-fr.patch

- Make container-selinux requirement conditional on selinux-policy
  (bsc#1237367)

- Update to Docker 27.5.1-ce. See upstream changelog online at
  <https://docs.docker.com/engine/release-notes/27/#2741> bsc#1237335
- Rebase patches:
  * 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
  * 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
  * 0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch
  * 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
  * 0005-SLE12-revert-apparmor-remove-version-conditionals-fr.patch
  * cli-0001-docs-include-required-tools-in-source-tree.patch
- Update to docker-buildx 0.20.1. See upstream changelog online at
  <https://github.com/docker/buildx/releases/tag/v0.20.1>

- Update to Docker 27.4.1-ce. See upstream changelog online at
  <https://docs.docker.com/engine/release-notes/27/#2741>
- Rebase patches:
  * 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
  * 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
  * 0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch
  * 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
  * 0005-SLE12-revert-apparmor-remove-version-conditionals-fr.patch
  * cli-0001-docs-include-required-tools-in-source-tree.patch

- Update to docker-buildx 0.19.3. See upstream changelog online at
  <https://github.com/docker/buildx/releases/tag/v0.19.3>

- Update to Docker 27.4.0-ce. See upstream changelog online at
  <https://docs.docker.com/engine/release-notes/27/#274>
- Rebase patches:
  * 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
  * 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
  * 0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch
  * 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
  * 0005-SLE12-revert-apparmor-remove-version-conditionals-fr.patch
  * cli-0001-docs-include-required-tools-in-source-tree.patch
- Remove upstreamed patches:
  - 0006-bsc1221916-update-to-patched-buildkit-version-to-fix.patch
  - 0007-bsc1214855-volume-use-AtomicWriteFile-to-save-volume.patch

freetype2

- Added patch:
  * CVE-2025-27363.patch
    + fixes bsc#1239465, CVE-2025-27363: out-of-bounds write when
    attempting to parse font subglyph structures related to
    TrueType GX and variable font files

rsync

- Fix bsc#1237187 - rsync daemon mode after protocol bump
  * Add greeting line with available digests
  * Add rsync-fix-daemon-proto-32.patch

- Bump protocl version to 32 - make it easier to show server is patched.
  * Add rsync-protocol-version-32.patch