SUSEConnect
- Update to 0.3.29
- replace env ruby path with native ruby path during build phase
cloud-init
- Update cloud-init-write-routes.patch (bsc#1180176)
  + Follow up to previous changes. Fix order of operations
    error to make gateway comparison between subnet configuration and
    route configuration valuable rather than self-comparing.
- Add cloud-init-sle12-compat.patch (jsc#PM-2335)
  - Python 3.4 compatibility in setup.py
  - Disable some tests for mock version compatibility
containerd
- Update to containerd v1.3.9, which is needed for Docker v19.03.14-ce and
  fixes CVE-2020-15257. bsc#1178969 bsc#1180243
- Update to containerd v1.3.7, which is required for Docker 19.03.13-ce.
  boo#1176708 bsc#1177598 CVE-2020-15157
- Refresh patches:
  * 0001-makefile-remove-emoji.patch
- Use Go 1.13 for build.
  bsc#1153367 bsc#1157330
cups
- cups-2.2.7-CVE-2020-10001.patch fixes CVE-2020-10001
  access to uninitialized buffer in ipp.c (bsc#1180520)
- cups-2.2.7-CVE-2019-8842.patch fixes CVE-2019-8842 (bsc#1170671)
  the ippReadIO function may under-read an extension field
docker
[NOTE: This update was only ever released in SLES and Leap.]
- Update Docker to 19.03.15-ce. See upstream changelog in the packaged
  /usr/share/doc/packages/docker/CHANGELOG.md. This update includes fixes for
  bsc#1181732 (CVE-2021-21284) and bsc#1181730 (CVE-2021-21285).
- Rebase patches:
  * bsc1073877-0001-apparmor-clobber-docker-default-profile-on-start.patch
- Only apply the boo#1178801 libnetwork patch to handle firewalld on openSUSE.
  It appears that SLES doesn't like the patch. bsc#1180401
- Re-apply secrets fix for bsc#1065609 which appears to have been lost after it
  was fixed.
  * secrets-0001-daemon-allow-directory-creation-in-run-secrets.patch
  * secrets-0002-SUSE-implement-SUSE-container-secrets.patch
- Add Conflicts and Provides for kubic flavour of docker-fish-completion.
- Update to Docker 19.03.14-ce. See upstream changelog in the packaged
  /usr/share/doc/packages/docker/CHANGELOG.md. CVE-2020-15257 bsc#1180243
  https://github.com/docker/docker-ce/releases/tag/v19.03.14
- Enable fish-completion
- Add a patch which makes Docker compatible with firewalld with
  nftables backend. Backport of https://github.com/moby/libnetwork/pull/2548
  (boo#1178801, SLE-16460)
  * boo1178801-0001-Add-docker-interfaces-to-firewalld-docker-zone.patch
- Update to Docker 19.03.13-ce. See upstream changelog in the packaged
  /usr/share/doc/packages/docker/CHANGELOG.md. bsc#1176708
- Fixes for %_libexecdir changing to /usr/libexec (bsc#1174075)
- Emergency fix: %requires_eq does not work with provide symbols,
  only effective package names. Convert back to regular Requires.
- Update to Docker 19.03.12-ce. See upstream changelog in the packaged
  /usr/share/doc/packages/docker/CHANGELOG.md.
- Use Go 1.13 instead of Go 1.14 because Go 1.14 can cause all sorts of
  spurious errors due to Go returning -EINTR from I/O syscalls much more often
  (due to Go 1.14's pre-emptive goroutine support).
  - bsc1172377-0001-unexport-testcase.Cleanup-to-fix-Go-1.14.patch
- Add BuildRequires for all -git dependencies so that we catch missing
  dependencies much more quickly.
  /usr/share/doc/packages/docker/CHANGELOG.md. bsc#1158590 bsc#1157330
docker-runc
- Switch to Go 1.13 for build.
gmp
- adjusted to be the same license as in factory (bsc#1180603)
- correct license statement (library itself is not GPL-3.0)
golang-github-docker-libnetwork
[NOTE: This update was only ever released in SLES and Leap.]
- Only apply the boo#1178801 libnetwork patch to handle firewalld on openSUSE.
  It appears that SLES doesn't like the patch. bsc#1180401
- Update to libnetwork 55e924b8a842, which is required for Docker 19.03.14-ce.
  bsc#1180243
- Add patch which makes libnetwork compatible with firewalld with
  nftables backend. Backport of https://github.com/moby/libnetwork/pull/2548
  (boo#1178801, SLE-16460)
  * boo1178801-0001-Add-docker-interfaces-to-firewalld-docker-zone.patch
- Update to libnetwork 026aabaa6598, which is required for Docker 19.03.12-ce.
groff
- Add 0001-make-package-build-reproducible.patch
    0002-Implement-SOURCE_DATE_EPOCH-for-reproducible-builds.patch
  to make corosync build reproducibly (bsc#1180276)
gzip
- Enable DFLTCC compression for s390x for levels 1-6 (i.e. to make
  it used by default) by adding -DDFLTCC_LEVEL_MASK=0x7e to CFLAGS.
  [jsc#SLE-13775]
- refresh gzip-1.10-ibm_dfltcc_support.patch to fix three data
  corruption issues [bsc#1145276] [jsc#SLE-5818] [jsc#SLE-8914]
- add gzip-1.10-ibm_dfltcc_support.patch [jsc#SLE-5818] [jsc#SLE-8914]
  * it adds support for DFLTCC (hardware-accelerated deflation)
    for s390x arch
  * enable it via "--enable-dfltcc" option
- gzip 1.10:
  * Compressed gzip output no longer contains the current time as
    a timestamp when the input is not a regular file.  Instead, the
    output contains a null (zero) timestamp.  This makes gzip's
    behavior more reproducible when used as part of a pipeline.
  * A use of uninitialized memory on some malformed inputs has been
    fixed.
  * A few theoretical race conditions in signal handlers have been
    fixed.
- drop upstreamed patches:
  * gnulib-libio.patch
  * gzip-1.8-deprecate_netstat.patch
- gnulib-libio.patch: Update gnulib for libio.h removal
kernel-default
- Fix a bug in rawmidi UAF fix patch (bsc#1179601, CVE-2020-27786)
  Refresh patches.suse/ALSA-rawmidi-Fix-racy-buffer-resize-under-concurrent.patch
- commit ce80dfa
- nbd: freeze the queue while we're adding connections
  (bsc#1181504 CVE-2021-3348).
- nbd: Fix memory leak in nbd_add_socket (bsc#1181504).
- commit 447797a
- kABI: Fix kABI for extended APIC-ID support (bsc#1181001,
  jsc#ECO-3191).
- x86/kvm: Add KVM_FEATURE_MSI_EXT_DEST_ID (bsc#1181001,
  jsc#ECO-3191).
- x86/apic: Support 15 bits of APIC ID in IOAPIC/MSI where
  available (bsc#1181001, jsc#ECO-3191).
- x86/ioapic: Handle Extended Destination ID field in RTE
  (bsc#1181001, jsc#ECO-3191).
- x86/msi: Only use high bits of MSI address for DMAR unit
  (bsc#1181001, jsc#ECO-3191).
- x86/apic: Fix x2apic enablement without interrupt remapping
  (bsc#1181001, jsc#ECO-3191).
- x86/kvm: Reserve KVM_FEATURE_MSI_EXT_DEST_ID (bsc#1181001,
  jsc#ECO-3191).
- iommu/vt-d: Don't dereference iommu_device if IOMMU_API is
  not built (bsc#1181001, jsc#ECO-3191).
- iommu/vt-d: Gracefully handle DMAR units with no supported address widths (bsc#1181001, jsc#ECO-3191).
- commit ae9e787
- Move futex fixes into the sorted section (bsc#1181349 CVE-2021-3347)
- commit c34c9df
- Update patch References tags for futex fixes (bsc#1181349 CVE-2021-3347)
- commit afd051d
- Refresh patches.suse/4.4.136-002-powerpc-64s-Clear-PCR-on-boot.patch
  Also clear PCR on POWER9 and in dt_cpu_ftrs.
- commit 56daabf
- futex: Fix incorrect should_fail_futex() handling (bsc#1181349).
- commit 0ba69a9
- futex: Handle faults correctly for PI futexes (bsc#1181349
  bsc#1149032).
- futex: Simplify fixup_pi_state_owner() (bsc#1181349
  bsc#1149032).
- futex: Use pi_state_update_owner() in put_pi_state()
  (bsc#1181349 bsc#1149032).
- rtmutex: Remove unused argument from rt_mutex_proxy_unlock()
  (bsc#1181349 bsc#1149032).
- futex: Provide and use pi_state_update_owner() (bsc#1181349
  bsc#1149032).
- futex: Replace pointless printk in fixup_owner() (bsc#1181349
  bsc#1149032).
- futex: Ensure the correct return value from futex_lock_pi()
  (bsc#1181349 bsc#1149032).
- futex: Don't enable IRQs unconditionally in put_pi_state()
  (bsc#1149032).
- locking/futex: Allow low-level atomic operations to return
  -EAGAIN (bsc#1149032).
- commit 058c695
- netfilter: ctnetlink: add a range check for l3/l4 protonum
  (CVE-2020-25211 bsc#1176395).
- commit 92230c0
- Update
  patches.suse/0001-xen-events-add-a-proper-barrier-to-2-level-uevent-un.patch
  (CVE-2020-27673 XSA-332 bsc#1177411).
- Update
  patches.suse/0002-xen-events-fix-race-in-evtchn_fifo_unmask.patch
  (CVE-2020-27673 XSA-332 bsc#1177411).
- Update
  patches.suse/0003-xen-events-add-a-new-late-EOI-evtchn-framework.patch
  (CVE-2020-27673 XSA-332 bsc#1177411).
- Update
  patches.suse/0004-xen-blkback-use-lateeoi-irq-binding.patch
  (CVE-2020-27673 XSA-332 bsc#1177411).
- Update
  patches.suse/0005-xen-netback-use-lateeoi-irq-binding.patch
  (CVE-2020-27673 XSA-332 bsc#1177411).
- Update
  patches.suse/0006-xen-scsiback-use-lateeoi-irq-binding.patch
  (CVE-2020-27673 XSA-332 bsc#1177411).
- Update
  patches.suse/0008-xen-pciback-use-lateeoi-irq-binding.patch
  (CVE-2020-27673 XSA-332 bsc#1177411).
- Update
  patches.suse/0009-xen-events-switch-user-event-channels-to-lateeoi-mod.patch
  (CVE-2020-27673 XSA-332 bsc#1177411).
- Update
  patches.suse/0010-xen-events-use-a-common-cpu-hotplug-hook-for-event-c.patch
  (CVE-2020-27673 XSA-332 bsc#1177411).
- Update
  patches.suse/0011-xen-events-defer-eoi-in-case-of-excessive-number-of-.patch
  (CVE-2020-27673 XSA-332 bsc#1177411).
- Update
  patches.suse/0012-xen-events-block-rogue-events-for-some-time.patch
  (CVE-2020-27673 XSA-332 bsc#1177411).
- Update
  patches.suse/XEN-uses-irqdesc-irq_data_common-handler_data-to-sto.patch
  (CVE-2020-27673 XSA-332 bsc#1065600).
- Update
  patches.suse/xen-events-avoid-removing-an-event-channel-while-han.patch
  (CVE-2020-27675 XSA-331 bsc#1177410).
- Update
  patches.suse/xen-events-don-t-use-chip_data-for-legacy-IRQs.patch
  (CVE-2020-27673 XSA-332 bsc#1065600).
- Added CVE numbers for above patches.
- commit 77fc141
- scsi: iscsi: Fix a potential deadlock in the timeout handler
  (bsc#1178272).
- commit 05ab404
- Refresh
  patches.suse/IB-hfi1-Ensure-correct-mm-is-used-at-all-times.patch.
  Fixed backport (removed one line too much, d'oh).
- commit 6dc4356
- IB/hfi1: Ensure correct mm is used at all times (bsc#1179878
  CVE-2020-27835).
- commit 39a2b87
- xen: support having only one event pending per watch
  (bsc#1179508 XSA-349 CVE-2020-29568).
- commit d884e81
- xen: revert Allow watches discard events before queueing
  (bsc#1179508 XSA-349 CVE-2020-29568).
- commit 2a4a8da
- xen: revert Add 'will_handle' callback support in
  xenbus_watch_path() (bsc#1179508 XSA-349 CVE-2020-29568).
- commit 6baf8b8
- xen: revert Support will_handle watch callback (bsc#1179508
  XSA-349 CVE-2020-29568).
- commit 3918801
- xen: revert Count pending messages for each watch (bsc#1179508
  XSA-349 CVE-2020-29568).
- commit 9d30f4d
- xen: revert Disallow pending watch messages (bsc#1179508
  XSA-349 CVE-2020-29568).
- commit d039881
- xen-blkback: set ring->xenblkd to NULL after kthread_stop()
  (bsc#1179509 XSA-350 CVE-2020-29569).
- commit 1aab73c
- xenbus/xenbus_backend: Disallow pending watch messages
  (bsc#1179508 XSA-349 CVE-2020-29568).
- commit 0cdf358
- xen/xenbus: Count pending messages for each watch (bsc#1179508
  XSA-349 CVE-2020-29568).
- commit a14bb56
- xen/xenbus/xen_bus_type: Support will_handle watch callback
  (bsc#1179508 XSA-349 CVE-2020-29568).
- commit 33a4600
- xen/xenbus: Add 'will_handle' callback support in
  xenbus_watch_path() (bsc#1179508 XSA-349 CVE-2020-29568).
- commit 5ef1497
- xen/xenbus: Allow watches discard events before queueing
  (bsc#1179508 XSA-349 CVE-2020-29568).
- commit 6f7a44e
- Drop the previous drm/nouveau fix that turned out to be superfluous (CVE-2020-25639 bsc#1176846)
- commit 001c6e5
- Move upstreamed vgacon patch into sorted section
- commit 73d2a02
- drm: bail out of nouveau_channel_new if channel init fails
  (CVE-2020-25639 bsc#1176846).
- commit 55debf7
- target: fix XCOPY NAA identifier lookup (CVE-2020-28374,
  bsc#1178372).
- commit 2765e76
- mwifiex: Fix possible buffer overflows in
  mwifiex_cmd_802_11_ad_hoc_start (CVE-2020-36158 bsc#1180559).
- commit a833298
- s390/dasd: fix hanging device offline processing (bsc#1144912).
- commit deefa7f
- Move upstreamed bt fixes into sorted section
- commit adeed42
- Refresh patches.suse/powerpc-rtas-fix-typo-of-ibm-open-errinjct-in-rtas-f.patch
  Refresh to upstream version.
- commit 76e9945
- blacklist.conf: added CVE affecting only SP1+
- commit a6af6c8
- blacklist.conf: added CVE-2020-10781 to blacklist, as only SP1+ affected
  false positive in the checking script
- commit e4b1fa4
- Update
  patches.suse/media-tw5864-Fix-possible-NULL-pointer-dereference-i.patch
  (bsc#1051510 CVE-2019-20806).
  Added CVE number, which was missing
- commit ac232ce
- tracing: Fix race in trace_open and buffer resize call
  (CVE-2020-27825 bsc#1179960).
- commit 8b99744
- ring-buffer: speed up buffer resets by avoiding synchronize_rcu
  for each CPU (CVE-2020-27825 bsc#1179960).
- commit 0d53945
- ring-buffer: Make resize disable per cpu buffer instead of
  total buffer (CVE-2020-27825 bsc#1179960).
- commit 39cee5c
- fix regression in "epoll: Keep a reference on files added to the check list" (bsc#1180031, git-fixes).
- commit d9c444f
- do_epoll_ctl(): clean the failure exits up a bit
  (bsc#1180031,CVE-2020-0466).
- epoll: Keep a reference on files added to the check list
  (bsc#1180031).
- commit e792e5d
- cfg80211: add missing policy for NL80211_ATTR_STATUS_CODE
  (CVE-2020-27068 bsc#1180086).
- commit 886ad61
- HID: Fix slab-out-of-bounds read in hid_field_extract
  (bsc#1180052).
- commit 5b124d9
- HID: core: Sanitize event code and type when mapping input
  (CVE-2020-0465 bsc#1180029).
- commit ebf9f0e
- audit: fix error handling in audit_data_to_entry()
  (CVE-2020-0444 bsc#1180027).
- commit f2e7691
- tty: Fix ->session locking (bsc#1179745 CVE-2020-29660).
- tty: Fix ->pgrp locking in tiocspgrp() (bsc#1179745
  CVE-2020-29661).
- commit a59c61c
- x86/traps: Simplify pagefault tracing logic (bsc#1179895).
- Refresh
  patches.suse/10-x86-xen-get-rid-of-paravirt-op-adjust_exception_frame.patch.
- commit 1fd13a5
- x86/tracing: Introduce a static key for exception tracing
  (bsc#1179895).
- commit bf5beaa
- powerpc/rtas: fix typo of ibm,open-errinjct in rtas filter
  (CVE-2020-27777 bsc#1179107 bsc#1179887 ltc#190092).
- commit 153fdda
- net/x25: prevent a couple of overflows (bsc#1178590).
- commit 3f48ad3
- media: xirlink_cit: add missing descriptor sanity checks
  (bsc#1168952 CVE-2020-11668).
- commit e978e80
- Update
  patches.suse/sched-fair-Don-t-free-p-numa_faults-with-concurrent-.patch
  (bsc#1144920, bsc#1179663, CVE-2019-20934).
- commit fad2215
- kABI workaround for snd_rawmidi buffer_ref field addition
  (CVE-2020-27786 bsc#1179601).
- commit 0e8d69d
- ALSA: rawmidi: Fix racy buffer resize under concurrent accesses
  (CVE-2020-27786 bsc#1179601).
- commit 3c00a93
- Delete patches.suse/fs-select.c-batch-user-writes-in-do_sys_poll.patch.
  (CVE-2020-4788 bsc#1179419).
  Patch causes DLM regression. Drop for now.
- commit a422074
- Add missing RESTORE_CTR (CVE-2020-4788 bsc#1177666).
- Refresh patches.suse/powerpc-64s-Convert-slb_miss_common-to-use-RFI_TO_US.patch.
- Refresh patches.suse/powerpc-64s-Set-assembler-machine-type-to-POWER4.patch.
  patches.suse/powerpc-64s-SLB-miss-already-has-CTR-saved-for-reloc.patch
  adds RESTORE_CTR to the SLB miss handler so
  patches.suse/powerpc-64s-Convert-slb_miss_common-to-use-RFI_TO_US.patch
  must now copy it in the other fork of the exit code as well.
- commit a382dc2
- romfs: fix uninitialized memory leak in romfs_dev_read()
  (CVE-2020-29371 bsc#1179429).
- commit c4cfc72
- block: Fix use-after-free in blkdev_get() (bsc#1173834
  bsc#1179141 CVE-2020-15436).
- commit 0475fee
- blk-mq: make sure that line break can be printed (bsc#1163840
  bsc#1179071).
- commit 8510786
- kABI: powerpc: Add back __clear_user (CVE-2020-4788
  bsc#1177666).
- commit 9ab0140
- kABI: powerpc: avoid including pgtable.h in kup.h (CVE-2020-4788
  bsc#1177666).
- commit 81cd22b
- make 'user_access_begin()' do 'access_ok()' (CVE-2020-4788 bsc#1177666).
- Delete patches.suse/drm-i915-CVE-2018-20669-access-check.patch.
- commit ffc3685
- serial: 8250: fix null-ptr-deref in serial8250_start_tx()
  (CVE-2020-15437 bsc#1179140).
- commit 76da61e
- powerpc/64s: SLB miss already has CTR saved for relocatable kernel
  (CVE-2020-4788 bsc#1177666).
- Refresh patches.suse/powerpc-64s-Set-assembler-machine-type-to-POWER4.patch.
- commit 741f364
- powerpc/64: Add CONFIG_PPC_BARRIER_NOSPEC (CVE-2020-4788 bsc#1177666).
- Refresh patches.suse/powerpc-64-Call-setup_barrier_nospec-from-setup_arch.patch
- Refresh patches.suse/powerpc-pmem-Update-ppc64-to-use-the-new-barrier-ins.patch.
- Update config files.
- commit b0085a7
- powerpc/rtas: Restrict RTAS requests from userspace
  (CVE-2020-27777 bsc#1179107).
- Update config files.
- commit 3ed445b
- vt: Disable KD_FONT_OP_COPY (CVE-2020-28974 bsc#1178589).
- commit d9af9e6
- powerpc/64s: flush L1D after user accesses (CVE-2020-4788
  bsc#1177666).
- Refresh patches.kabi/kABI-powerpc-avoid-including-pgtable.h-in-kup.h.patch.
- powerpc/uaccess: Evaluate macro arguments once, before user
  access is allowed (CVE-2020-4788 bsc#1177666).
- powerpc: Fix __clear_user() with KUAP enabled (CVE-2020-4788
  bsc#1177666).
- powerpc: Implement user_access_begin and friends (CVE-2020-4788
  bsc#1177666).
- powerpc: Add a framework for user access tracking (CVE-2020-4788
  bsc#1177666).
- powerpc/64s: flush L1D on kernel entry (CVE-2020-4788
  bsc#1177666).
- powerpc/64s: move some exception handlers out of line
  (CVE-2020-4788 bsc#1177666).
- powerpc/64s: Define MASKABLE_RELON_EXCEPTION_PSERIES_OOL
  (CVE-2020-4788 bsc#1177666).
- powerpc/64s: Rename slb_miss_realmode() to slb_miss_common()
  (CVE-2020-4788 bsc#1177666).
- powerpc/64s: Use BRANCH_TO_COMMON() for slb_miss_realmode
  (CVE-2020-4788 bsc#1177666).
- commit f7d6c42
- fs/select.c: batch user writes in do_sys_poll (CVE-2020-4788
  bsc#1177666).
- commit 011abbd
- Fonts: Replace discarded const qualifier (CVE-2020-28915
  bsc#1178886).
- fbcon: Fix global-out-of-bounds read in fbcon_get_font()
  (CVE-2020-28915 bsc#1178886).
- Fonts: Support FONT_EXTRA_WORDS macros for built-in fonts
  (CVE-2020-28915 bsc#1178886).
- fbdev, newport_con: Move FONT_EXTRA_WORDS macros into
  linux/font.h (CVE-2020-28915 bsc#1178886).
- commit 8016c83
- Input: sunkbd - avoid use-after-free in teardown paths
  (CVE-2020-25669 bsc#1178182).
- commit e6736dd
- Refresh
  patches.suse/0002-x86-speculation-Enable-Spectre-v1-swapgs-mitigations.patch.
- commit 896b402
- blk-mq: avoid sysfs buffer overflow with too many CPU cores
  (bsc#1163840 bsc#1179071).
- commit ecf4289
keyutils
- adjust the library license to be LGPL-2.1+ only (the tools are GPL2+,
  the library is just LGPL-2.1+) (bsc#1180603)
libidn2
- The library is actually dual licensed, GPL-2.0-or-later or LGPL-3.0-or-later,
  match factory licenses (bsc#1180138)
libselinux
- In selinux-ready
  * Removed check for selinux-policy package as we don't ship one
    (bsc#1136845)
  * Add check that restorecond is installed and enabled
- Set License: to correct value (bsc#1135710 bsc#1180603)
libxml2
- Avoid quadratic checking of identity-constraints: [bsc#1178823]
  * key/unique/keyref schema attributes currently use quadratic loops
    to check their various constraints (that keys are unique and that
    keyrefs refer to existing keys).
  * This fix uses a hash table to avoid the quadratic behaviour.
- Add libxml2-Avoid-quadratic-checking-of-identity-constraints.patch
openldap2
- bsc#1178909 CVE-2020-25709 CVE-2020-25710 - Resolves two issues
    where openldap would crash due to malformed inputs.
  * patch: 0209-ITS-9383-remove-assert-in-certificateListValidate.patch
  * patch: 0210-ITS-9384-remove-assert-in-obsolete-csnNormalize23.patch
- bsc#1179503 - fix proxy retry binds to a remote server
  * patch: 0208-ITS-9400-back-ldap-fix-retry-binds.patch
openssh
- Add openssh-bsc1148566-scp-handle-quotes-while-checking-filenames-from-serv.patch,
  openssh-bsc1148566-scp-show-filename-match-patterns-in-verbose-mode.patch
  (bsc#1148566). Fixes a class of false alarms due to filename
  validation. Patches by Josef Cejka <jcejka@suse.com>.
- Add openssh-CVE-2020-14145-information-leak.patch
  (CVE-2020-14145, bsc#1173513). This partially mitigates a
  potential information leak during host key exchange that could
  be exploited by a man-in-the-middle attacker.
pam
- Create macros.pam with definition of %_pamdir so packages which
  are commonly shared between Factory and SLE can use this macro
  [pam.spec]
python
- Add CVE-2021-3177-buf_ovrfl_PyCArg_repr.patch fixing
  bsc#1181126 (CVE-2021-3177) buffer overflow in PyCArg_repr in
  _ctypes/callproc.c, which may lead to remote code execution.
- Provide the newest setuptools wheel (bsc#1176262,
  CVE-2019-20916) in their correct form (bsc#1180686).
python-base
- Add CVE-2021-3177-buf_ovrfl_PyCArg_repr.patch fixing
  bsc#1181126 (CVE-2021-3177) buffer overflow in PyCArg_repr in
  _ctypes/callproc.c, which may lead to remote code execution.
- Provide the newest setuptools wheel (bsc#1176262,
  CVE-2019-20916) in their correct form (bsc#1180686).
python-jsonschema
python-urllib3
- Add CVE-2020-26116-CRLF-injection.patch which raises ValueError
  if method contains control characters and thus prevents CRLF
  injection into URLs (bsc#1177211, bpo#39603, CVE-2020-26116,
  gh#urllib3/urllib3#1800).
- Skip test for RECENT_DATE. It is a test purely for developers.
  To maintain reproducibility, keep upstream's possibly outdated
  RECENT_DATE in the source code. (bsc#1181571)
python3
- readd --with-fpectl (bsc#1180377)
- Adjust sphinx-update-removed-function.patch
- (bsc#1179630) Update sphinx-update-removed-function.patch to
  work with all versions of Sphinx (not binding the Python
  documentation build to the latest version of Sphinx). Updated
  version mentioned on gh#python/cpython#13236.
- Add CVE-2020-27619-no-eval-http-content.patch fixing
  CVE-2020-27619 (bsc#1178009), where Lib/test/multibytecodec_support
  calls eval() on content retrieved via HTTP.
- Add patch sphinx-update-removed-function.patch to no longer call
  a now removed function (gh#python/cpython#13236). As
  a consequence, no longer pin Sphinx version.
- Pin Sphinx version to fix doc subpackage
- Change setuptools and pip version numbers according to new wheels
- Add ignore_pip_deprec_warn.patch to switch off persistently
  failing test.
- Handful of changes to make python36 compatible with SLE15 and SLE12
  (jsc#ECO-2799, jsc#SLE-13738)
- Rebase bpo23395-PyErr_SetInterrupt-signal.patch
- Fix build with RPM 4.16: error: bare words are no longer
  supported, please use "...": x86 == ppc.
- Fix installing .desktop file
- Buildrequire timezone only for general flavor. It's used in this
  flavor for the test suite.
- Add faulthandler_stack_overflow_on_GCC10.patch to make build
  working even with GCC10 (bpo#38965).
- Just cleanup and reordering items to synchronize with python38
- Format with spec-cleaner
- riscv64-support.patch: bpo-33377: add triplets for mips-r6 and riscv
  (#6655)
- riscv64-ctypes.patch: bpo-35847: RISC-V needs CTYPES_PASS_BY_REF_HACK
  (GH-11694)
- Update list of tests to exclude under qemu linux-user
- Update the python keyring
- Correct libpython name
- Drop patches which are not mentioned in spec:
  * CVE-2019-5010-null-defer-x509-cert-DOS.patch
  * F00102-lib64.patch
  * F00251-change-user-install-location.patch
  * OBS_dev-shm.patch
  * SUSE-FEDORA-multilib.patch
  * bpo-31046_ensurepip_honours_prefix.patch
  * bpo34022-stop_hash-based_invalidation_w_SOURCE_DATE_EPOCH.patch
  * bpo36302-sort-module-sources.patch
  * bpo40784-Fix-sqlite3-deterministic-test.patch
  * bsc1167501-invalid-alignment.patch
  * python3-imp-returntype.patch
- Working around missing python-packaging dependency in
  python-Sphinx (bsc#1174571) is not necessary anymore.
- Update to 3.6.12 (bsc#1179193)
  * Ensure python3.dll is loaded from correct locations when Python is embedded
  * The __hash__() methods of ipaddress.IPv4Interface and ipaddress.IPv6Interface
    incorrectly generated constant hash values of 32 and 128 respectively. This
    resulted in always causing hash collisions. The fix uses hash() to generate
    hash values for the tuple of (address, mask length, network address).
  * Prevent http header injection by rejecting control characters in
    http.client.putrequest(…).
  * Unpickling invalid NEWOBJ_EX opcode with the C implementation raises now
    UnpicklingError instead of crashing.
  * Avoid infinite loop when reading specially crafted TAR files using the tarfile
    module
- Drop merged fixtures:
  * CVE-2020-14422-ipaddress-hash-collision.patch
  * CVE-2019-20907_tarfile-inf-loop.patch
  * recursion.tar
- This release also fixes CVE-2020-26116 (bsc#1177211) and CVE-2019-20907 (bsc#1174091).
- Make library names internally consistent
- Disable profile optimizations as they deadlock in test_faulthandler
- Disable lto as it causes mess and works with 3.7 onwards only
- Sync the test disablements from the python3 in sle15
- Update to 3.6.11:
  - bpo-39073: Disallow CR or LF in email.headerregistry. Address
    arguments to guard against header injection attacks.
  - bpo-38576 (bsc#1155094): Disallow control characters in
    hostnames in http.client, addressing CVE-2019-18348. Such
    potentially malicious header injection URLs now cause
    an InvalidURL to be raised.
  - bpo-39503: CVE-2020-8492: The AbstractBasicAuthHandler class
    of the urllib.request module uses an inefficient regular
    expression which can be exploited by an attacker to cause
    a denial of service. Fix the regex to prevent the
    catastrophic backtracking. Vulnerability reported by Ben
    Caller and Matt Schwager.
  - bpo-39401: Avoid unsafe load of
    api-ms-win-core-path-l1-1-0.dll at startup on Windows 7.
- Remove merged patch CVE-2020-8492-urllib-ReDoS.patch
- Fix minor issues found in the staging.
- Do not set ourselves as a primary interpreter
  - CVE-2019-16935-xmlrpc-doc-server_title.patch (and also
    bpo37614-race_test_docxmlrpc_srv_setup.patch, which was
    resolving bsc#1174701).
release-notes-sles
- 15.0.20201217 (tracked in bsc#1180184)
- Added note about Git 2.26.2 update (jsc#SLE-12396)
- Added note about removal of libjpeg-turbo (bsc#1150224)
- Added note about alternatives system & display manager (bsc#1163166)
- Updated URL for source code download (bsc#1150672)
rsyslog
- imfile: suppress segfault in ratelimiter (bsc#1176355)
  * add 0001-bugfix-imfile-segfault-in-ratelimiter.patch
sudo
- Fix Heap-based buffer overflow in Sudo [bsc#1181090,CVE-2021-3156]
  * sudo-CVE-2021-3156.patch
- Possible Dir Existence Test due to Race Condition in `sudoedit`
  [bsc#1180684,CVE-2021-23239]
  * sudo-CVE-2021-23239.patch
- Possible Symlink Attack in SELinux Context in `sudoedit` [bsc#1180685,
  CVE-2021-23240]
  * sudo-CVE-2021-23240.patch
- User Could Enable Debug Settings not Intended for it [bsc#1180687]
  * sudo-fix-bsc-1180687.patch
systemd
- Add 0001-cgroup-actually-reset-the-cgroup-invalidation-mask-a.patch (bsc#1178775)
  It's been added in quarantine for now on.
- Import commit c720c4d784b85feab124eae39919bec59e061ff5
  bd6bedd353 udev: create /dev/disk/by-label symlink for LUKS2 (#8998) (bsc#1180885)
- Import commit 080062ed5f90b8a4085a89f2ad30ee320fab27c9
  80e37dcacc busctl: add a timestamp to the output of the busctl monitor command (bsc#1180225)
  2ee6877bb3 core: make sure to restore the control command id, too
  d1b9949337 scope: on unified, make sure to unwatch all PIDs once they've been moved to the cgroup scope
  af5945c2f4 fileio: tweak write_string_stream_ts() to write out trailing \n in one go even if buffering is off
  a28c165efa fileio: write_string_stream_ts: check for file errors immediately
  dc122eb771 fileio: write_string_stream_ts: return errors from fputs and fputc
  14c89b1424 fileio: make write_string_stream() accept flags parameter
  2959e7dfe6 journal: do not trigger assertion when journal_file_close() get NULL (bsc#1179824)
  08db1ac361 cgroup: drastically simplify caching of cgroups members mask (bsc#1175458)
  bb59042ab4 cgroup: extend comment on what unit_release_cgroup() is for
  ead2955f65 cgroup: document what the various masks variables are used for
  805fe8ecdf cgroup: extend cg_mask_supported() comment a bit
  305806da38 cgroup: tweak log message, so that it doesn't claim we always enable controllers when we actually disable them
  d02ce63463 cgroup-util: disable buffering for cg_enable_everywhere() when writing to cgroup attributes
  b4e9893f5d cgroup-util: fix enabling of controllers (#8816)
  e7dd277c1b cgroup: propagate errors when we cannot open cgroup.subtree_control
  7c8f19714f cgroup-util: optimization — open subtree_control file only once for all controllers
  7999763781 cgroup: add explanatory comment
  2829342e7a cgroup: units that aren't loaded properly should not result in cgroup controllers being pulled in
  48a0d85047 cgroup: make unit_get_needs_bpf_firewall() static too
  888dc39134 cgroup: make some functions static
  6c0efa2f01 cgroup: suffix settings with "=" in log messages where appropriate
  e69d9927c6 cgroup: use structured initialization
  5174fb9622 core: fix message about detected memory hierarchy
  3b6443e1ee core: use safe_fclose() where we can
  906dcf1f6b udev: Fix sound.target dependency (bsc#1179363)
  2c9866d55a rules: enable hardware-related targets also for user instances
  127e546608 sd-event: fix delays assert brain-o (#17790)
  b98b6d230c core: serialize u->pids until the processes have been moved to the scope cgroup (bsc#1174436)
  2f50b9ecf1 time-util: treat /etc/localtime missing as UTC (bsc#1141597)
tcl
- bsc#1179615: TCL_LIBS in tclConfig.sh possibly breaks build on
  newer service packs and is not needed for linking to a dynamic
  libtcl anyway, so make it empty.
timezone
- timezone update 2021a (bsc#1177460)
  * South Sudan changes from +03 to +02 on 2021-02-01 at 00:00.
- timezone update 2020f (bsc#1177460)
  * 'make rearguard_tarballs' no longer generates a bad rearguard.zi,
    fixing a 2020e bug.
- timezone update 2020e (bsc#1177460)
  * Volgograd switches to Moscow time on 2020-12-27 at 02:00.
xen
- bsc#1176782 - L3: xl dump-core shows missing nr_pages during
  core. If maxmem and current are the same the issue doesn't happen
  5fca3b32-tools-libs-ctrl-fix-dumping-of-ballooned-guest.patch
- bsc#1179496 - VUL-0: CVE-2020-29480: xen: xenstore: watch
  notifications lacking permission checks (XSA-115)
  xsa115-1.patch
  xsa115-2.patch
  xsa115-3.patch
  xsa115-4.patch
  xsa115-5.patch
  xsa115-6.patch
  xsa115-7.patch
  xsa115-8.patch
  xsa115-9.patch
  xsa115-10.patch
- bsc#1179498 - VUL-0: CVE-2020-29481: xen: xenstore: new domains
  inheriting existing node permissions (XSA-322)
  xsa322.patch
- bsc#1179501 - VUL-0: CVE-2020-29484: xen: xenstore: guests can
  crash xenstored via watchs (XSA-324)
  xsa324.patch
- bsc#1179502 - VUL-0: CVE-2020-29483: xen: xenstore: guests can
  disturb domain cleanup (XSA-325)
  xsa325.patch
- bsc#1179506 - VUL-0: CVE-2020-29566: xen: undue recursion in x86
  HVM context switch code (XSA-348)
  xsa348.patch
- bsc#1179514 - VUL-0: CVE-2020-29570: xen: FIFO event channels
  control block related ordering (XSA-358)
  xsa358.patch
- bsc#1179516 - VUL-0: CVE-2020-29571: xen: FIFO event channels
  control structure ordering (XSA-359)
  xsa359.patch
- Upstream bug fixes (bsc#1027519)
  5f76caaf-evtchn-FIFO-use-stable-fields.patch
  5faa974f-evtchn-rework-per-channel-lock.patch
  5fbcdf2e-evtchn-FIFO-access-last.patch
  5fc4ee23-evtchn-FIFO-queue-locking.patch