apparmor
- add update-samba-abstractions-ldb2.diff: Cater for changes to ldb
  packaging to allow parallel installation with libldb;
  (bsc#1192684).
- add add-samba-bgqd.diff: add profile for samba-bgqd;
  (bsc#1191532).
autoyast2
- Fix handling of add-on signature settings, introduced when fixing
  bsc#1192437 (bsc#1194881).
- 4.3.96
- Properly merge the autoupgrade workflow when using the online
  medium (bsc#1192437, bsc#1194440).
- 4.3.95
blog
- Update to version 2.26
  * On s390/x and PPC64 gcc misses unused arg0
- Remove patch fcb9e0c2.patch as now part of tar ball
- Add upstream patch fcb9e0c2.patch
  * On s390/x and PPC64 gcc misses unused arg0
- Update to version 2.24
  * Avoid install errror due missed directory
- Update to version 2.22
  * Avoid KillMode=none for newer systemd version as well as rework
    the systemd unit files of blog (boo#1186506)
- Move to /usr for UsrMerge (boo#1191057)
- Update to version 2.21
  * Merge pull request #4 from samueldr/fix/makefile
    Fixup Makefile for better build system support
  * Silent new gcc compiler
cloud-regionsrv-client
- Update -addon-azure to 1.0.2 (bsc#1196305)
  + The is-registered() function expects a string of the update server FQDN.
    The regionsrv-enabler-azure passed an Object of type SMT. Fix the call
    in regionsrv-enabler-azure.
- Update -plugin-azure to 2.0.0 (bsc#1196146)
  + Lower case the region hint to reduce issues with Azure region name
    case inconsistencies
- Update to version 10.0.0 (bsc#1195414, bsc#1195564)
  + Refactor removes check_registration() function in utils implementation
  + Only start the registration service for PAYG images
  - addon-azure sub-package to version 1.0.1
containerd
- Add patch for CVE-2022-23648. bsc#1196441
  + CVE-2022-23648.patch
- Update to containerd v1.4.12 for Docker 20.10.11-ce. bsc#1192814
  bsc#1193273 CVE-2021-41190
- Update to containerd v1.4.11, to fix CVE-2021-41103. bsc#1191355
- Switch to Go 1.16.x compiler, in line with upstream.
coreutils
- coreutils-df-fuse-portal-dummy.patch:
  df: Add "/fuse.portal"/ as a dummy file system (used in flatpak
  implementations). (bsc#1189152)
cyrus-sasl
- CVE-2022-24407: cyrus-sasl: SQL injection in sql_auxprop_store
  in plugins/sql.c (bsc#1196036)
  o add upstream patch:
    0001-CVE-2022-24407-Escape-password-for-SQL-insert-update.patch
- postfix: sasl authentication with password fails (bsc#1194265)
  Add config parameter --with-dblib=gdbm
- Avoid converting of /etc/sasldb2 by every update. Convert
  /etc/sasldb2 only if it is a Berkeley DB
cyrus-sasl-saslauthd
- CVE-2022-24407: cyrus-sasl: SQL injection in sql_auxprop_store
  in plugins/sql.c (bsc#1196036)
  o add upstream patch:
    0001-CVE-2022-24407-Escape-password-for-SQL-insert-update.patch
- postfix: sasl authentication with password fails (bsc#1194265)
  Add config parameter --with-dblib=gdbm
docker
- Update to Docker 20.10.12-ce. See upstream changelog online at
  <https://docs.docker.com/engine/release-notes/#201012>.
- Remove CHANGELOG.md. It hasn't been maintained since 2017, and all of the
  changelogs are currently only available online.
- Update to Docker 20.10.11-ce. See upstream changelog online at
  <https://docs.docker.com/engine/release-notes/#201011>. bsc#1192814
  bsc#1193273 CVE-2021-41190
- Rebase patches:
  * 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
  * 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
  * 0003-PRIVATE-REGISTRY-add-private-registry-mirror-support.patch
  * 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
  * 0005-bsc1183855-btrfs-Do-not-disable-quota-on-cleanup.patch
- Remove upstreamed patches:
  - 0006-bsc1190670-seccomp-add-support-for-clone3-syscall-in.patch
- Update to Docker 20.10.9-ce. See upstream changelog online at
  <https://docs.docker.com/engine/release-notes/#20109>. bsc#1191355
  CVE-2021-41089 bsc#1191015 CVE-2021-41091 bsc#1191434
  CVE-2021-41092 bsc#1191334 CVE-2021-41103 bsc#1191121
- Update to Docker 20.10.6-ce. See upstream changelog online at
  <https://docs.docker.com/engine/release-notes/#20106>. bsc#1184768
- Update to Docker 20.10.5-ce. See upstream changelog online at
  <https://docs.docker.com/engine/release-notes/#20105>. bsc#1182947
dracut
- Update to version 049.1+suse.228.g07676562:
  * fix(network): consistent use of "/$gw"/ for gateway (bsc#1192685)
  * fix(install): handle builtin modules (bsc#1194716)
expat
- Security fixes:
  * (CVE-2022-25236, bsc#1196025) Expat before 2.4.5 allows
    attackers to insert namespace-separator characters into
    namespace URIs
  - Added expat-CVE-2022-25236.patch
  * (CVE-2022-25235, bsc#1196026) xmltok_impl.c in Expat before
    2.4.5 does not check whether a UTF-8 character is valid in a
    certain context.
  - Added expat-CVE-2022-25235.patch
  * (CVE-2022-25313, bsc#1196168) Stack exhaustion in
    build_model() via uncontrolled recursion
  - Added expat-CVE-2022-25313.patch
  - The fix upstream introduced a regression that was later
    amended in 2.4.6 version
    + Added expat-CVE-2022-25313-fix-regression.patch
  * (CVE-2022-25314, bsc#1196169) Integer overflow in copyString
  - Added expat-CVE-2022-25314.patch
  * (CVE-2022-25315, bsc#1196171) Integer overflow in storeRawNames
  - Added expat-CVE-2022-25315.patch
- Security fix (CVE-2022-23852, bsc#1195054)
  * Expat (aka libexpat) before 2.4.4 has a signed integer overflow
    in XML_GetBuffer, for configurations with a nonzero
    XML_CONTEXT_BYTES
  * Add tests for CVE-2022-23852.
  * Added expat-CVE-2022-23852.patch
- Security fix (CVE-2022-23990, bsc#1195217)
  * Fix unsigned integer overflow in function doProlog triggered
    by large content in element type declarations when there is
    an element declaration handler present (from a prior call to
    XML_SetElementDeclHandler).
  * Add expat-CVE-2022-23990.patch
  * Added expat-CVE-2022-22827.patch
glibc
- getcwd-erange.patch: getcwd: Set errno to ERANGE for size == 1
  (CVE-2021-3999, bsc#1194640, BZ #28769)
- 0001-powerpc-Optimized-strcpy-for-POWER9.patch,
  0002-powerpc-Optimized-stpcpy-for-POWER9.patch,
  0003-powerpc-Optimized-rawmemchr-for-POWER9.patch,
  0004-powerpc64le-add-optimized-strlen-for-P9.patch,
  0005-powerpc-fix-ifunc-implementation-list-for-POWER9-str.patch,
  0006-powerpc-Add-optimized-strncpy-for-POWER9.patch,
  0007-powerpc-Add-optimized-stpncpy-for-POWER9.patch,
  0008-powerpc-Add-optimized-ilogb-for-POWER9.patch,
  0009-powerpc-Add-optimized-llogb-for-POWER9.patch,
  0010-powerpc-Add-optimized-strlen-for-POWER10.patch,
  0011-powerpc64le-Optimized-memmove-for-POWER10.patch,
  0012-powerpc64le-Optimize-memcpy-for-POWER10.patch,
  0013-powerpc64le-Optimize-memset-for-POWER10.patch,
  0014-powerpc64le-Fix-ifunc-selection-for-memset-memmove-b.patch,
  0015-powerpc-Add-optimized-rawmemchr-for-POWER10.patch: ppc64le ifunc
  improvements (bsc#1194785, jsc#SLE-18195)
- clnt-create-unix-overflow.patch: Buffer overflow in sunrpc clnt_create
  for "/unix"/ (CVE-2022-23219, bsc#1194768, BZ #22542)
- svcunix-create-overflow.patch: Buffer overflow in sunrpc svcunix_create
  (CVE-2022-23218, bsc#1194770, BZ #28768)
- Add support for livepatches (jsc#SLE-20049).
- Enable livepatching on x86_64.
- Generate ipa-clones tarball artifact when livepatching is enabled.
gnutls
- Security fix: [bsc#1196167, CVE-2021-4209]
  * Null pointer dereference in MD_UPDATE
  * Add gnutls-CVE-2021-4209.patch
grub2
- Fix wrong default entry when booting snapshot (bsc#1159205)
  * grub2-btrfs-08-workaround-snapshot-menu-default-entry.patch
- Improve support for SLE Micro 5.1 on s390x.  (bsc#1190395)
  * grub2-s390x-04-grub2-install.patch
- Patch refreshed
  * grub2-s390x-11-secureboot.patch
kernel-default
- Revert PCI MSI-X patch that caused a regression on network devices (bsc#1196403)
  Deleted:
  patches.suse/PCI-MSI-Mask-MSI-X-vectors-only-on-success.patch
- commit 0c68bb9
- Update patch reference for iov security fix (CVE-2022-0847 bsc#1196584)
- commit 1dafeb6
- arm64: Use the clearbhb instruction in mitigations (bsc#1191580
  CVE-2022-0001 CVE-2022-0002).
- arm64: add ID_AA64ISAR2_EL1 sys register (bsc#1191580
  CVE-2022-0001 CVE-2022-0002).
- KVM: arm64: Allow SMCCC_ARCH_WORKAROUND_3 to be discovered
  and migrated (bsc#1191580 CVE-2022-0001 CVE-2022-0002).
- commit b546cd9
- arm64: Mitigate spectre style branch history side channels
  (bsc#1191580 CVE-2022-0001 CVE-2022-0002).
- Update config files.
- commit d035616
- KVM: arm64: Add templates for BHB mitigation sequences
  (bsc#1191580 CVE-2022-0001 CVE-2022-0002).
- Refresh
  patches.suse/kabi-arm64-reserve-space-in-cpu_hwcaps-and-cpu_hwcap.patch.
- commit 8c9b0c2
- arm64: Add Cortex-X2 CPU part definition (bsc#1191580
  CVE-2022-0001 CVE-2022-0002).
- commit c3c4a06
- arm64: Add Neoverse-N2, Cortex-A710 CPU part definition
  (bsc#1191580 CVE-2022-0001 CVE-2022-0002).
- arm64: Add part number for Arm Cortex-A77 (bsc#1191580
  CVE-2022-0001 CVE-2022-0002).
- arm64: proton-pack: Report Spectre-BHB vulnerabilities as part
  of Spectre-v2 (bsc#1191580 CVE-2022-0001 CVE-2022-0002).
- arm64: Add percpu vectors for EL1 (bsc#1191580 CVE-2022-0001
  CVE-2022-0002).
- arm64: entry: Add macro for reading symbol addresses from the
  trampoline (bsc#1191580 CVE-2022-0001 CVE-2022-0002).
- arm64: entry: Add vectors that have the bhb mitigation sequences
  (bsc#1191580 CVE-2022-0001 CVE-2022-0002).
- arm64: entry: Add non-kpti __bp_harden_el1_vectors for
  mitigations (bsc#1191580 CVE-2022-0001 CVE-2022-0002).
- arm64: entry: Allow the trampoline text to occupy multiple pages
  (bsc#1191580 CVE-2022-0001 CVE-2022-0002).
- arm64: entry: Make the kpti trampoline's kpti sequence optional
  (bsc#1191580 CVE-2022-0001 CVE-2022-0002).
- arm64: entry: Move trampoline macros out of ifdef'd section
  (bsc#1191580 CVE-2022-0001 CVE-2022-0002).
- arm64: entry: Don't assume tramp_vectors is the start of the
  vectors (bsc#1191580 CVE-2022-0001 CVE-2022-0002).
- arm64: entry: Allow tramp_alias to access symbols after the
  4K boundary (bsc#1191580 CVE-2022-0001 CVE-2022-0002).
- arm64: entry: Move the trampoline data page before the text page
  (bsc#1191580 CVE-2022-0001 CVE-2022-0002).
- arm64: entry: Free up another register on kpti's tramp_exit path
  (bsc#1191580 CVE-2022-0001 CVE-2022-0002).
- arm64: entry: Make the trampoline cleanup optional (bsc#1191580
  CVE-2022-0001 CVE-2022-0002).
- arm64: entry.S: Add ventry overflow sanity checks (bsc#1191580
  CVE-2022-0001 CVE-2022-0002).
- commit 284cd49
- lib/iov_iter: initialize "/flags"/ in new pipe_buffer
  (bsc#1196584).
- commit 4f3bbf5
- x86/speculation: Use generic retpoline by default on AMD
  (bsc#1191580 CVE-2022-0001 CVE-2022-0002).
- commit bed48b1
- ibmvnic: Allow queueing resets during probe (bsc#1196516
  ltc#196391).
- ibmvnic: clear fop when retrying probe (bsc#1196516 ltc#196391).
- ibmvnic: init init_done_rc earlier (bsc#1196516 ltc#196391).
- ibmvnic: register netdev after init of adapter (bsc#1196516
  ltc#196391).
- ibmvnic: complete init_done on transport events (bsc#1196516
  ltc#196391).
- ibmvnic: define flush_reset_queue helper (bsc#1196516
  ltc#196391).
- ibmvnic: initialize rc before completing wait (bsc#1196516
  ltc#196391).
- ibmvnic: free reset-work-item when flushing (bsc#1196516
  ltc#196391).
- commit 1cc99d0
- tracing: Have traceon and traceoff trigger honor the instance
  (git-fixes).
- commit 92ab7ec
- tracing: Dump stacktrace trigger to the corresponding instance
  (git-fixes).
- commit a3c85e9
- nvme: also mark passthrough-only namespaces ready in
  nvme_update_ns_info (git-fixes).
- nvme: don't return an error from nvme_configure_metadata
  (git-fixes).
- nvme: let namespace probing continue for unsupported features
  (git-fixes).
- commit a5b2a87
- blk-mq: avoid to iterate over stale request (bsc#1193787).
- blk-mq: fix is_flush_rq (bsc#1193787 git-fixes).
- blk-mq: fix kernel panic during iterating over flush request
  (bsc#1193787 git-fixes).
- blk-mq: don't grab rq's refcount in blk_mq_check_expired()
  (bsc#1193787 git-fixes).
- blk-mq: always allow reserved allocation in hctx_may_queue
  (bsc#1193787).
- commit cc53802
- drm/i915: Fix bw atomic check when switching between SAGV
  vs. no SAGV (git-fixes).
- commit 209cee8
- drm/i915: Correctly populate use_sagv_wm for all pipes
  (git-fixes).
- commit 5d7b5fe
- kABI fixup after adding vcpu_idx to struct kvm_cpu (bsc#1190972
  LTC#194674).
- KVM: remember position in kvm->vcpus array (bsc#1190972
  LTC#194674).
- commit 81f3dbb
- s390/cpumf: Support for CPU Measurement Sampling Facility LS
  bit (bsc#1195081 LTC#196088).
- s390/cpumf: Support for CPU Measurement Facility CSVN 7
  (bsc#1195081 LTC#196088).
- commit 0ce3482
- s390/cio: verify the driver availability for path_event call
  (bsc#1195928 LTC#196418).
- commit 4741f1a
- scsi: zfcp: Fix failed recovery on gone remote port with
  non-NPIV FCP devices (bsc#1195378 LTC#196244).
- commit 6fb3d19
- s390/pci: add s390_iommu_aperture kernel parameter (bsc#1193233
  LTC#195540).
- commit 79f1350
- s390/pci: move pseudo-MMIO to prevent MIO overlap (bsc#1194967
  LTC#196028).
- commit 512e596
- s390/cio: make ccw_device_dma_* more robust (bsc#1193243
  LTC#195549).
- commit 6f84bff
- block: do not send a rezise udev event for hidden block device
  (bsc#1193096).
- commit c3addda
- s390/bpf: Fix optimizing out zero-extensions (git-fixes).
- commit 542287e
- s390/bpf: Fix 64-bit subtraction of the -0x80000000 constant
  (git-fixes).
- commit 774f927
- ibmvnic: schedule failover only if vioctl fails (bsc#1196400
  ltc#195815).
- commit 7099d61
- ext4: prevent partial update of the extent blocks (bsc#1194163
  bsc#1196339).
- commit 9b7f6a6
- ext4: check for inconsistent extents between index and leaf
  block (bsc#1194163 bsc#1196339).
- commit 8a25180
- ext4: check for out-of-order index extents in
  ext4_valid_extent_entries() (bsc#1194163 bsc#1196339).
- commit b72afd9
- i2c: brcmstb: fix support for DSL and CM variants (git-fixes).
- mtd: rawnand: brcmnand: Fixed incorrect sub-page ECC status
  (git-fixes).
- mtd: rawnand: gpmi: don't leak PM reference in error path
  (git-fixes).
- mtd: rawnand: qcom: Fix clock sequencing in qcom_nandc_probe()
  (git-fixes).
- ASoC: Revert "/ASoC: mediatek: Check for error clk pointer"/
  (git-fixes).
- ASoC: ops: Fix stereo change notifications in
  snd_soc_put_volsw_range() (git-fixes).
- ASoC: ops: Fix stereo change notifications in
  snd_soc_put_volsw() (git-fixes).
- ALSA: hda: Fix missing codec probe on Shenker Dock 15
  (git-fixes).
- ALSA: hda: Fix regression on forced probe mask option
  (git-fixes).
- drm/radeon: Fix backlight control on iMac 12,1 (git-fixes).
- HID:Add support for UGTABLET WP5540 (git-fixes).
- ata: libata-core: Disable TRIM on M88V29 (git-fixes).
- drm/rockchip: dw_hdmi: Do not leave clock enabled in error case
  (git-fixes).
- net: macb: Align the dma and coherent dma masks (git-fixes).
- net: usb: qmi_wwan: Add support for Dell DW5829e (git-fixes).
- drm/amdgpu: fix logic inversion in check (git-fixes).
- ax25: improve the incomplete fix to avoid UAF and NPD bugs
  (git-fixes).
- commit ea7f847
- blk-tag: Hide spin_lock (bsc#1193787).
- commit 78741a7
- blk-mq: clearing flush request reference in tags->rqs
  (bsc#1193787).
- blk-mq: clear stale request in tags->rq before freeing one
  request pool (bsc#1193787).
- blk-mq: grab rq->refcount before calling ->fn in
  blk_mq_tagset_busy_iter (bsc#1193787).
- block: avoid double io accounting for flush request
  (bsc#1193787).
- block: mark flush request as IDLE when it is really finished
  (bsc#1193787).
- blk-mq: mark flush request as IDLE in flush_end_io()
  (bsc#1193787).
- commit 2d33352
- btrfs: do not do preemptive flushing if the majority is global rsv (bsc#1196195).
- commit 445785b
- btrfs: handle preemptive delalloc flushing slightly differently (bsc#1196195).
- commit 436acc9
- btrfs: only ignore delalloc if delalloc is much smaller than ordered (bsc#1196195).
- commit a9ec6c0
- btrfs: don't include the global rsv size in the preemptive used amount (bsc#1196195).
- commit ace9b16
- btrfs: use the global rsv size in the preemptive thresh calculation (bsc#1196195).
- commit 4beb0b0
- btrfs: take into account global rsv in need_preemptive_reclaim (bsc#1196195).
- Refresh patches.suse/btrfs-reduce-the-preemptive-flushing-threshold-to-90.patch.
- commit 41c6188
- btrfs: only clamp the first time we have to start flushing (bsc#1196195).
- commit b25996b
- btrfs: check worker before need_preemptive_reclaim (bsc#1196195).
- commit f36b423
- btrfs: reduce the preemptive flushing threshold to 90% (bsc#1196195).
- commit ef6e83a
- x86/speculation: Include unprivileged eBPF status in Spectre v2
  mitigation reporting (bsc#1191580 CVE-2022-0001 CVE-2022-0002).
- commit d42fa20
- Documentation/hw-vuln: Update spectre doc (bsc#1191580
  CVE-2022-0001 CVE-2022-0002).
- commit a48cfcc
- x86/speculation: Add eIBRS + Retpoline options (bsc#1191580
  CVE-2022-0001 CVE-2022-0002).
- commit 1a20a7e
- x86/speculation: Rename RETPOLINE_AMD to RETPOLINE_LFENCE
  (bsc#1191580 CVE-2022-0001 CVE-2022-0002).
- commit 80f47a3
- x86,bugs: Unconditionally allow spectre_v2=retpoline,amd
  (bsc#1191580 CVE-2022-0001 CVE-2022-0002).
- commit 1f9dd65
- kABI: Fix kABI for AMD IOMMU driver (git-fixes).
- commit 718c631
- blacklist.conf: Add 2cbc61a1b166 iommu/dma: Account for min_align_mask w/swiotlb
- commit 142c6ac
- iommu/amd: Fix loop timeout issue in iommu_ga_log_enable()
  (git-fixes).
- iommu/vt-d: Fix potential memory leak in
  intel_setup_irq_remapping() (git-fixes).
- iommu/iova: Fix race between FQ timeout and teardown
  (git-fixes).
- iommu/io-pgtable-arm: Fix table descriptor paddr formatting
  (git-fixes).
- iommu/amd: Remove useless irq affinity notifier (git-fixes).
- iommu/amd: X2apic mode: mask/unmask interrupts on suspend/resume
  (git-fixes).
- iommu/amd: X2apic mode: setup the INTX registers on mask/unmask
  (git-fixes).
- iommu/amd: X2apic mode: re-enable after resume (git-fixes).
- iommu/amd: Restore GA log/tail pointer on host resume
  (git-fixes).
- iommu/io-pgtable-arm-v7s: Add error handle for page table
  allocation failure (git-fixes).
- commit 50e60e3
- Update patch reference for USB gadget fix (CVE-2022-25375 bsc#1196235)
- commit b7dc18b
- net/ibmvnic: Cleanup workaround doing an EOI after partition
  migration (bsc#1089644 ltc#166495 ltc#165544 git-fixes).
- commit 0dfd4da
- drm/i915/opregion: check port number bounds for SWSCI display
  power state (git-fixes).
- drm/i915/gvt: Make DRM_I915_GVT depend on X86 (git-fixes).
- drm/i915/gvt: clean up kernel-doc in gtt.c (git-fixes).
- iwlwifi: fix use-after-free (git-fixes).
- iwlwifi: pcie: gen2: fix locking when "/HW not ready"/
  (git-fixes).
- iwlwifi: pcie: fix locking when "/HW not ready"/ (git-fixes).
- libsubcmd: Fix use-after-free for realloc(..., 0) (git-fixes).
- USB: serial: cp210x: add CPI Bulk Coin Recycler id (git-fixes).
- USB: serial: cp210x: add NCR Retail IO box id (git-fixes).
- USB: serial: ftdi_sio: add support for Brainboxes US-159/235/320
  (git-fixes).
- USB: serial: option: add ZTE MF286D modem (git-fixes).
- USB: serial: ch341: add support for GW Instek USB2.0-Serial
  devices (git-fixes).
- usb: gadget: rndis: check size of RNDIS_MSG_SET command
  (git-fixes).
- usb: gadget: f_uac2: Define specific wTerminalType (git-fixes).
- ACPI/IORT: Check node revision for PMCG resources (git-fixes).
- net: phy: marvell: Fix RGMII Tx/Rx delays setting in
  88e1121-compatible PHYs (git-fixes).
- net: phy: marvell: Fix MDI-x polarity setting in
  88e1118-compatible PHYs (git-fixes).
- usb: dwc2: gadget: don't try to disable ep0 in
  dwc2_hsotg_suspend (git-fixes).
- PM: hibernate: Remove register_nosave_region_late() (git-fixes).
- drm: panel-orientation-quirks: Add quirk for the 1Netbook
  OneXPlayer (git-fixes).
- net: phy: marvell: configure RGMII delays for 88E1118
  (git-fixes).
- commit cc7a24c
- NFSD: Fix the behavior of READ near OFFSET_MAX (bsc#1195957).
- commit 9af94a7
- Drop PCI xgene patch that caused a regression for mxl4 (bsc#1195352)
  Delete patches.suse/PCI-xgene-Fix-IB-window-setup.patch
  Also update blacklist
- commit 4f68062
- gve: Recording rx queue before sending to napi (bsc#1191655).
- gve: Add consumed counts to ethtool stats (bsc#1191655).
- gve: Implement suspend/resume/shutdown (bsc#1191655).
- gve: Add optional metadata descriptor type GVE_TXD_MTD
  (bsc#1191655).
- gve: remove memory barrier around seqno (bsc#1191655).
- gve: Update gve_free_queue_page_list signature (bsc#1191655).
- gve: Move the irq db indexes out of the ntfy block struct
  (bsc#1191655).
- gve: Correct order of processing device options (bsc#1191655).
- gve: fix for null pointer dereference (bsc#1191655).
- gve: fix unmatched u64_stats_update_end() (bsc#1191655).
- gve: Fix off by one in gve_tx_timeout() (bsc#1191655).
- gve: Add a jumbo-frame device option (bsc#1191655).
- gve: Implement packet continuation for RX (bsc#1191655).
- gve: Add RX context (bsc#1191655).
- gve: Recover from queue stall due to missed IRQ (bsc#1191655).
- gve: Use kvcalloc() instead of kvzalloc() (bsc#1191655).
- commit 4a8e1e2
- scsi_transport_fc: kabi fix blank out FC_PORTSTATE_MARGINAL
  (bsc#1195506).
- commit c74c330
- scsi: kABI fix for 'eh_should_retry_cmd' (bsc#1195506).
- commit 8ef8f22
- md/raid5: fix oops during stripe resizing (bsc#1181588).
- commit bcd3697
- powerpc/pseries: read the lpar name from the firmware
  (bsc#1187716 ltc#193451).
- commit 181541b
- Refresh patches.suse/rpadlpar_io-Add-MODULE_DESCRIPTION-entries-to-kernel.patch
- commit c964381
- powerpc: add link stack flush mitigation status in debugfs
  (bsc#1157038 bsc#1157923 ltc#182612 git-fixes).
- powerpc/64s: Fix debugfs_simple_attr.cocci warnings (bsc#1157038
  bsc#1157923 ltc#182612 git-fixes).
- commit 5862a79
- powerpc: Set crashkernel offset to mid of RMA region
  (bsc#1190812).
- powerpc/64: Move paca allocation later in boot (bsc#1190812).
- commit 11e3668
- nvme-fabrics: fix state check in nvmf_ctlr_matches_baseopts()
  (bsc#1195012).
- commit 4d29ac4
- scsi: lpfc: Fix pt2pt NVMe PRLI reject LOGO loop (bsc#1189126).
- commit 73dbd5c
- scsi: qla2xxx: Remove unused qla_sess_op_cmd_list from
  scsi_qla_host_t (bsc#1195823).
- scsi: qla2xxx: Add qla2x00_async_done() for async routines
  (bsc#1195823).
- scsi: qla2xxx: Update version to 10.02.07.300-k (bsc#1195823).
- scsi: qla2xxx: Check for firmware dump already collected
  (bsc#1195823).
- scsi: qla2xxx: Add devids and conditionals for 28xx
  (bsc#1195823).
- scsi: qla2xxx: Suppress a kernel complaint in qla_create_qpair()
  (bsc#1195823).
- scsi: qla2xxx: Fix T10 PI tag escape and IP guard options for
  28XX adapters (bsc#1195823).
- scsi: qla2xxx: edif: Fix clang warning (bsc#1195823).
- scsi: qla2xxx: Fix warning for missing error code (bsc#1195823).
- scsi: qla2xxx: Fix device reconnect in loop topology
  (bsc#1195823).
- scsi: qla2xxx: Add ql2xnvme_queues module param to configure
  number of NVMe queues (bsc#1195823).
- scsi: qla2xxx: Fix wrong FDMI data for 64G adapter
  (bsc#1195823).
- scsi: qla2xxx: Add retry for exec firmware (bsc#1195823).
- scsi: qla2xxx: Fix scheduling while atomic (bsc#1195823).
- scsi: qla2xxx: Fix premature hw access after PCI error
  (bsc#1195823).
- scsi: qla2xxx: Fix warning message due to adisc being flushed
  (bsc#1195823).
- scsi: qla2xxx: Fix stuck session in gpdb (bsc#1195823).
- scsi: qla2xxx: Implement ref count for SRB (bsc#1195823).
- scsi: qla2xxx: Refactor asynchronous command initialization
  (bsc#1195823).
- scsi: qla2xxx: Update version to 10.02.07.200-k (bsc#1195823).
- scsi: qla2xxx: edif: Fix inconsistent check of db_flags
  (bsc#1195823).
- scsi: qla2xxx: edif: Reduce connection thrash (bsc#1195823).
- scsi: qla2xxx: edif: Tweak trace message (bsc#1195823).
- scsi: qla2xxx: edif: Replace list_for_each_safe with
  list_for_each_entry_safe (bsc#1195823).
- scsi: qla2xxx: Remove a declaration (bsc#1195823).
- scsi: qla2xxx: Fix unmap of already freed sgl (bsc#1195823).
- scsi: qla2xxx: Return -ENOMEM if kzalloc() fails (bsc#1195823).
- commit c358f38
- ice: fix IPIP and SIT TSO offload (git-fixes).
- ice: fix an error code in ice_cfg_phy_fec() (jsc#SLE-12878).
- net: mdio: aspeed: Add missing MODULE_DEVICE_TABLE
  (bsc#1176447).
- nfp: flower: fix ida_idx not being released (bsc#1154353).
- bonding: pair enable_port with slave_arr_updates (git-fixes).
- ixgbevf: Require large buffers for build_skb on 82599VF
  (git-fixes).
- RDMA/cma: Use correct address when leaving multicast group
  (bsc#1181147).
- IB/cma: Do not send IGMP leaves for sendonly Multicast groups
  (git-fixes).
- commit 679175c
- USB: serial: mos7840: remove duplicated 0xac24 device ID
  (git-fixes).
- commit 546d043
- tracing: Don't inc err_log entry count if entry allocation fails
  (git-fixes).
- commit 5c45742
- tracing: Propagate is_signed to expression (git-fixes).
- commit a834cba
- blacklist.conf: b59f2f2b865c ("/tracing: Fix smatch warning for do while check in event_hist_trigger_parse()"/)
  Cosmetic only.
- commit f0fcec9
- tracing: Fix smatch warning for null glob in
  event_hist_trigger_parse() (git-fixes).
- commit 329e4ac
- powerpc/pseries/ddw: Revert "/Extend upper limit for huge DMA
  window for persistent memory"/ (bsc#1195995 ltc#196394).
- commit 877b9c1
- misc: fastrpc: avoid double fput() on failed usercopy
  (git-fixes).
- staging: fbtft: Fix error path in fbtft_driver_module_init()
  (git-fixes).
- usb: dwc3: gadget: Prevent core from processing stale TRBs
  (git-fixes).
- usb: gadget: udc: renesas_usb3: Fix host to USB_ROLE_NONE
  transition (git-fixes).
- usb: ulpi: Call of_node_put correctly (git-fixes).
- usb: ulpi: Move of_node_put to ulpi_dev_release (git-fixes).
- usb: f_fs: Fix use-after-free for epfile (git-fixes).
- PM: s2idle: ACPI: Fix wakeup interrupts handling (git-fixes).
- drm/rockchip: vop: Correct RK3399 VOP register fields
  (git-fixes).
- drm/panel: simple: Assign data from panel_dpi_probe() correctly
  (git-fixes).
- drm/vc4: hdmi: Allow DBLCLK modes even if horz timing is odd
  (git-fixes).
- ASoC: ops: Reject out of bounds values in snd_soc_put_xr_sx()
  (git-fixes).
- ASoC: ops: Reject out of bounds values in snd_soc_put_volsw_sx()
  (git-fixes).
- ASoC: ops: Reject out of bounds values in snd_soc_put_volsw()
  (git-fixes).
- ALSA: hda/realtek: Add quirk for ASUS GU603 (git-fixes).
- ALSA: hda/realtek: Fix silent output on Gigabyte X570 Aorus
  Xtreme after reboot from Windows (git-fixes).
- ALSA: hda/realtek: Fix silent output on Gigabyte X570S Aorus
  Master (newer chipset) (git-fixes).
- ALSA: hda/realtek: Add missing fixup-model entry for Gigabyte
  X570 ALC1220 quirks (git-fixes).
- staging/fbtft: Fix backlight (git-fixes).
- commit 033cee4
- usb: dwc2: Fix NULL qh in dwc2_queue_transaction (git-fixes).
- commit 7b9eed7
- blacklist.conf: misattributed upstream
- commit f62cf37
- usb: gadget: s3c: remove unused 'udc' variable (git-fixes).
- commit a103972
- tipc: improve size validations for received domain records
  (bsc#1195254, CVE-2022-0435).
- commit 48911da
- scsi: target: iscsi: Fix cmd abort fabric stop race
  (bsc#1195286).
- commit 52d26b6
- kabi: Hide changes to s390/AP structures (jsc#SLE-20807).
- commit 3d90f3c
- nfsd: don't admin-revoke NSv4.0 state ids (bsc#1192483).
- nfsd: allow delegation state ids to be revoked and then freed (bsc#1192483).
- nfsd: allow lock state ids to be revoked and then freed (bsc#1192483).
- nfsd: allow open state ids to be revoked and then freed (bsc#1192483).
- nfsd: prepare for supporting admin-revocation of state (bsc#1192483).
- commit c0baca0
- EDAC/xgene: Fix deferred probing (bsc#1178134).
- commit 9308a14
- s390/protvirt: fix error return code in uv_info_init()
  (jsc#SLE-22135).
- commit 7f8b088
- s390/AP: support new dynamic AP bus size limit (jsc#SLE-20807).
- commit 004f3c6
- KVM: s390: Return error on SIDA memop on normal guest
  (bsc#1195516 CVE-2022-0516).
- commit d46602b
- ceph: set pool_ns in new inode layout for async creates
  (bsc#1195799).
- ceph: properly put ceph_string reference after async create
  attempt (bsc#1195798).
- commit 8f44ef0
- btrfs: make sure SB_I_VERSION doesn't get unset by remount (bsc#1192210).
- commit 9acc804
- s390/uv: fix prot virt host indication compilation
  (jsc#SLE-22135).
- s390/uv: add prot virt guest/host indication files
  (jsc#SLE-22135).
- commit f479d35
- ibmvnic: don't release napi in __ibmvnic_open() (bsc#1195668
  ltc#195811).
- commit 902d854
- btrfs: check for missing device in btrfs_trim_fs (bsc#1195701).
- commit ccd41ed
- cgroup-v1: Require capabilities to set release_agent
  (bsc#1195543 CVE-2022-0492).
- commit 413d689
- RDMA/ucma: Protect mc during concurrent multicast leaves
  (bsc#1181147).
- IB/hfi1: Fix AIP early init panic (jsc#SLE-13208).
- net/mlx5e: Fix handling of wrong devices during bond netevent
  (jsc#SLE-15172).
- gve: fix the wrong AdminQ buffer queue index check
  (bsc#1176940).
- gve: Fix GFP flags when allocing pages (git-fixes).
- i40e: fix unsigned stat widths (git-fixes).
- i40e: Fix for failed to init adminq while VF reset (git-fixes).
- i40e: Fix queues reservation for XDP (git-fixes).
- i40e: Fix issue when maximum queues is exceeded (git-fixes).
- i40e: Increase delay to 1 s after global EMP reset (git-fixes).
- commit 6aa87c4
- Update patch reference for HD-audio fix (bsc#1183872)
- commit 1e16eaa
- usb: host: ehci-tegra: Fix error handling in tegra_ehci_probe()
  (git-fixes).
- commit 2492c7d
- mmc: sdhci-of-esdhc: Check for error num after setting mask
  (git-fixes).
- ima: Do not print policy rule with inactive LSM labels
  (git-fixes).
- ima: Allow template selection with ima_template[_fmt]= after
  ima_hash= (git-fixes).
- ima: Remove ima_policy file before directory (git-fixes).
- integrity: check the return value of audit_log_start()
  (git-fixes).
- integrity: double check iint_cache was initialized (git-fixes).
- integrity: Make function integrity_add_key() static (git-fixes).
- commit a8bf0cb
- RDMA/core: Always release restrack object (git-fixes)
- commit a4c74f1
- RDMA/siw: Release xarray entry (git-fixes)
- commit cfa201c
- RDMA/cxgb4: check for ipv6 address properly while destroying listener (git-fixes)
- commit 06f1504
- blacklist.conf: blacklist a672b2e36a64 bpf: Fix ringbuf memory type confusion when passing to helpers
- commit 2bfec1b
- bpf: Disallow BPF_LOG_KERNEL log level for bpf(BPF_BTF_LOAD)
  (git-fixes).
- bpf: Adjust BTF log size limit (git-fixes).
- commit 5e3ed1a
- s390/sclp: fix Secure-IPL facility detection (bsc#1191741
  LTC#194816).
- commit 5aa085e
- usb: dwc3: don't set gadget->is_otg flag (git-fixes).
- commit 5b20187
- powerpc/perf: Fix power_pmu_disable to call
  clear_pmi_irq_pending only if PMI is pending (bsc#1156395).
- commit a08ca77
- RDMA/uverbs: Fix a NULL vs IS_ERR() bug (git-fixes)
- commit 82ce09e
- RDMA/mlx5: Fix query DCT via DEVX (git-fixes)
- commit 4b56cb2
- RDMA/core: Don't access cm_id after its destruction (git-fixes)
- commit 4a117e6
- RDMA/mlx5: Recover from fatal event in dual port mode (git-fixes)
- commit 875e0ed
- RDMA/rxe: Clear all QP fields if creation failed (git-fixes)
- commit 07c8b4d
- RDMA/siw: Properly check send and receive CQ pointers (git-fixes)
- commit d84b45b
- RDMA/bnxt_re: Fix a double free in bnxt_qplib_alloc_res (git-fixes)
- commit 8c226d5
- RDMA/siw: Fix a use after free in siw_alloc_mr (git-fixes)
- commit a7eff62
- RDMA/i40iw: Fix error unwinding when i40iw_hmc_sd_one fails (git-fixes)
- commit 2db1c84
- RDMA/cxgb4: add missing qpid increment (git-fixes)
- commit 591cdce
- RDMA/core: Unify RoCE check and re-factor code (git-fixes)
- commit e5e3d6f
- RDMA/bnxt_re: Fix error return code in bnxt_qplib_cq_process_terminal() (git-fixes)
- commit 76267d4
- IB/hfi1: Fix error return code in parse_platform_config() (git-fixes)
- commit 270bb46
- IB/hfi1: Use kzalloc() for mmu_rb_handler allocation (git-fixes)
- commit 05c0e16
- RDMA/core: Fix corrupted SL on passive side (git-fixes)
- commit d86d9cb
- IB/isert: Fix a use after free in isert_connect_request (git-fixes)
- commit fa7abfc
- RDMA/addr: Be strict with gid size (git-fixes)
- commit 0b96850
- RDMA/cxgb4: Fix adapter LE hash errors while destroying ipv6 listening server (git-fixes)
- commit 0f86491
- IB/mlx5: Add missing error code (git-fixes)
- commit 06919f0
- RDMA/rxe: Fix missing kconfig dependency on CRYPTO (git-fixes)
- commit 1cb9b27
- RDMA/siw: Fix calculation of tx_valid_cpus size (git-fixes)
- commit 35656e8
- RDMA/rxe: Correct skb on loopback path (git-fixes)
- commit 328cd44
- RDMA/rxe: Fix coding error in rxe_rcv_mcast_pkt (git-fixes)
- commit ad066a1
- RDMA/rxe: Remove useless code in rxe_recv.c (git-fixes)
- commit 6a7743e
- RDMA/rxe: Fix coding error in rxe_recv.c (git-fixes)
- commit 671cb83
- IB/cm: Avoid a loop when device has 255 ports (git-fixes)
- commit 2186e0a
- IB/mlx5: Return appropriate error code instead of ENOMEM (git-fixes)
- commit ba2e4e5
- IB/umad: Return EPOLLERR in case of when device disassociated (git-fixes)
- commit 0fc8532
- IB/umad: Return EIO in case of when device disassociated (git-fixes)
- commit 1beb1a9
- IB/mlx5: Add mutex destroy call to cap_mask_mutex mutex (git-fixes)
- commit b747600
- RDMA/mlx5: Use the correct obj_id upon DEVX TIR creation (git-fixes)
- commit d209b75
- RDMA/siw: Fix handling of zero-sized Read and Receive Queues. (git-fixes)
- commit 1bcb139
- RDMA/cxgb4: Fix the reported max_recv_sge value (git-fixes)
- commit 000358b
- RDMA/mlx5: Fix wrong free of blue flame register on error (git-fixes)
- commit a95b8b5
- IB/mlx5: Fix error unwinding when set_has_smi_cap fails (git-fixes)
- commit c125ce0
- RDMA/ocrdma: Fix use after free in ocrdma_dealloc_ucontext_pd() (git-fixes)
- commit 717d46c
- RDMA/usnic: Fix memleak in find_free_vf_and_create_qp_grp (git-fixes)
- commit e2b003d
- Input: wm97xx: Simplify resource management (git-fixes).
- ASoC: fsl: Add missing error handling in pcm030_fabric_probe
  (git-fixes).
- ASoC: max9759: fix underflow in speaker_gain_control_put()
  (git-fixes).
- ASoC: cpcap: Check for NULL pointer after calling
  of_get_child_by_name (git-fixes).
- ASoC: xilinx: xlnx_formatter_pcm: Make buffer bytes multiple
  of period bytes (git-fixes).
- ALSA: usb-audio: Correct quirk for VF0770 (git-fixes).
- ALSA: usb-audio: initialize variables that could ignore errors
  (git-fixes).
- drm/i915/overlay: Prevent divide by zero bugs in scaling
  (git-fixes).
- dma-buf: heaps: Fix potential spectre v1 gadget (git-fixes).
- drm/nouveau: fix off by one in BIOS boundary checking
  (git-fixes).
- pinctrl: intel: Fix a glitch when updating IRQ flags on a
  preconfigured line (git-fixes).
- pinctrl: intel: fix unexpected interrupt (git-fixes).
- commit 78392e2
- nvme: fix use after free when disconnecting a reconnecting ctrl
  (git-fixes).
- commit 6b18639
- nvme-tcp: validate R2T PDU in nvme_tcp_handle_r2t() (git-fixes).
- nvme-tcp: fix data digest pointer calculation (git-fixes).
- nvme-tcp: fix incorrect h2cdata pdu offset accounting
  (git-fixes).
- commit 64fba5e
- nvme-tcp: fix possible use-after-completion (git-fixes).
- commit 656adbf
- nvme-fabrics: avoid double completions in
  nvmf_fail_nonready_command (git-fixes).
- nvme: introduce a nvme_host_path_error helper (git-fixes).
- blk-mq: introduce blk_mq_set_request_complete (git-fixes).
- nvme: refactor ns->ctrl by request (git-fixes).
- nvme-core: use list_add_tail_rcu instead of list_add_tail for
  nvme_init_ns_head (git-fixes).
- commit 35ee4c2
- Refresh patches.suse/NFS-don-t-store-struct-cred-in-struct-nfs_access_ent.patch.
  Update upstream info
- commit 7228799
- NFSv4: nfs_atomic_open() can race when looking up a non-regular
  file (git-fixes).
- NFSv4: Handle case where the lookup of a directory fails
  (git-fixes).
- NFS: Ensure the server has an up to date ctime before renaming
  (git-fixes).
- commit 1b23644
- scsi: qla2xxx: Add marginal path handling support (bsc#1195506).
- scsi: lpfc: Add support for eh_should_retry_cmd() (bsc#1195506).
- scsi: scsi_transport_fc: Add store capability to rport port_state in sysfs (bsc#1195506).
- scsi: scsi_transport_fc: Add a new rport state FC_PORTSTATE_MARGINAL (bsc#1195506).
- scsi: core: No retries on abort success (bsc#1195506).
- scsi: core: Add a new error code DID_TRANSPORT_MARGINAL in scsi.h (bsc#1195506).
- scsi: core: Add limitless cmd retry support (bsc#1195506).
- commit af99987
- blk-cgroup: fix missing put device in error path from
  blkg_conf_pref() (bsc#1195481).
- commit 1d9f7ed
- ext4: fix an use-after-free issue about data=journal writeback
  mode (bsc#1195482).
- commit dec4e3b
- ext4: make sure quota gets properly shutdown on error
  (bsc#1195480).
- commit 37600f0
- blacklist.conf: blacklist 4013d47a5307
- commit 3d0f1d1
- fsnotify: fix fsnotify hooks in pseudo filesystems
  (bsc#1195479).
- commit 3ed7ace
- fsnotify: invalidate dcache before IN_DELETE event
  (bsc#1195478).
- commit 776f92d
- udf: Restore i_lenAlloc when inode expansion fails
  (bsc#1195477).
- commit fa5618c
- udf: Fix NULL ptr deref when converting from inline format
  (bsc#1195476).
- commit 26d7db1
- blacklist.conf: Blacklist ee12595147ac
- commit 1e354ac
- USB: serial: mos7840: fix probe error handling (git-fixes).
- commit 3875819
- xhci-pci: Allow host runtime PM as default for Intel Alpine
  Ridge LP (git-fixes).
- commit 7bdac2d
- Update patch reference for radeon regression fix (bsc#1195142)
- commit 3e139f1
- spi: mediatek: Avoid NULL pointer crash in interrupt
  (git-fixes).
- spi: bcm-qspi: check for valid cs before applying chip select
  (git-fixes).
- spi: meson-spicc: add IRQ check in meson_spicc_probe
  (git-fixes).
- tty: Add support for Brainboxes UC cards (git-fixes).
- USB: core: Fix hang in usb_kill_urb by adding memory barriers
  (git-fixes).
- usb-storage: Add unusual-devs entry for VL817 USB-SATA bridge
  (git-fixes).
- PM: wakeup: simplify the output logic of pm_show_wakelocks()
  (git-fixes).
- drm/msm/dsi: Fix missing put_device() call in dsi_get_phy
  (git-fixes).
- rpmsg: char: Fix race between the release of rpmsg_eptdev and
  cdev (git-fixes).
- rpmsg: char: Fix race between the release of rpmsg_ctrldev
  and cdev (git-fixes).
- Bluetooth: refactor malicious adv data check (git-fixes).
- commit 0420ac4
- Update
  patches.suse/bonding-fix-null-dereference-in-bond_ipsec_add_sa.patch
  (bsc#1176447 bsc#1195371 CVE-2022-0286).
  Added CVE reference.
- commit e1eaedd
- net: bridge: vlan: fix memory leak in __allowed_ingress
  (bsc#1176447).
- net: bridge: vlan: fix single net device option dumping
  (bsc#1176447).
- net: sfp: fix high power modules without diagnostic monitoring
  (bsc#1154353).
- net: bonding: fix bond_xmit_broadcast return value error bug
  (bsc#1176447).
- RDMA/rxe: Remove the unnecessary variable (jsc#SLE-15176).
- Revert "/net/mlx5e: Block offload of outer header csum for GRE
  tunnel"/ (git-fixes).
- Revert "/net/mlx5e: Block offload of outer header csum for UDP
  tunnels"/ (git-fixes).
- igc: Fix TX timestamp support for non-MSI-X platforms
  (bsc#1160634).
- net/mlx5: E-Switch, fix changing vf VLANID (jsc#SLE-15172).
- RDMA/core: Clean up cq pool mechanism (jsc#SLE-15176).
- net/mlx5: DR, Proper handling of unsupported Connect-X6DX SW
  steering (jsc#SLE-8464).
- vxlan: fix error return code in __vxlan_dev_create()
  (bsc#1154353).
- netdevsim: set .owner to THIS_MODULE (bsc#1154353).
- net/mlx5e: Protect encap route dev from concurrent release
  (jsc#SLE-8464).
- mlxsw: Only advertise link modes supported by both driver and
  device (bsc#1154488).
- commit 8d79e55
- Refresh patches.suse/ALSA-pcm-oss-Place-the-plugin-buffer-overflow-checks.patch.
  Remove duplicated tag.
- commit 6c506e7
- scripts/dtc: only append to HOST_EXTRACFLAGS instead of
  overwriting (git-fixes).
- commit 644966c
- drm/etnaviv: relax submit size limits (git-fixes).
- commit de0ae66
- usb: common: ulpi: Fix crash in ulpi_match() (git-fixes).
- usb: gadget: f_sourcesink: Fix isoc transfer for
  USB_SPEED_SUPER_PLUS (git-fixes).
- usb: typec: tcpm: Do not disconnect while receiving VBUS off
  (git-fixes).
- usb: roles: fix include/linux/usb/role.h compile issue
  (git-fixes).
- phylib: fix potential use-after-free (git-fixes).
- x86/gpu: Reserve stolen memory for first integrated Intel GPU
  (git-fixes).
- PCI: Add function 1 DMA alias quirk for Marvell 88SE9125 SATA
  controller (git-fixes).
- phy: uniphier-usb3ss: fix unintended writing zeros to PHY
  register (git-fixes).
- usb: hub: Add delay for SuperSpeed hub resume to let links
  transit to U0 (git-fixes).
- usb: uhci: add aspeed ast2600 uhci support (git-fixes).
- usb: gadget: f_fs: Use stream_open() for endpoint files
  (git-fixes).
- serial: core: Keep mctrl register state and cached copy in sync
  (git-fixes).
- serial: pl010: Drop CR register reset on set_termios
  (git-fixes).
- serial: Fix incorrect rs485 polarity on uart open (git-fixes).
- serial: amba-pl011: do not request memory region twice
  (git-fixes).
- mmc: core: Fixup storing of OCR for MMC_QUIRK_NONSTD_SDIO
  (git-fixes).
- regulator: qcom_smd: Align probe function with rpmh-regulator
  (git-fixes).
- mtd: rawnand: gpmi: Add ERR007117 protection for
  nfc_apply_timings (git-fixes).
- mtd: rawnand: gpmi: Remove explicit default gpmi clock setting
  for i.MX6 (git-fixes).
- rsi: Fix use-after-free in rsi_rx_done_handler() (git-fixes).
- media: coda/imx-vdoa: Handle dma_set_coherent_mask error codes
  (git-fixes).
- mtd: nand: bbt: Fix corner case in bad block table handling
  (git-fixes).
- commit ceccaf4
- lib82596: Fix IRQ check in sni_82596_probe (git-fixes).
- i2c: designware-pci: Fix to change data types of hcnt and lcnt
  parameters (git-fixes).
- i2c: mpc: Correct I2C reset procedure (git-fixes).
- i2c: i801: Don't silently correct invalid transfer size
  (git-fixes).
- gpiolib: acpi: Do not set the IRQ type if the IRQ is already
  in use (git-fixes).
- HID: apple: Do not reset quirks when the Fn key is not found
  (git-fixes).
- HID: quirks: Allow inverting the absolute X/Y values
  (git-fixes).
- mac80211: allow non-standard VHT MCS-10/11 (git-fixes).
- iwlwifi: mvm: Fix calculation of frame length (git-fixes).
- iwlwifi: remove module loading failure message (git-fixes).
- iwlwifi: fix leaks/bad data after failed firmware load
  (git-fixes).
- iwlwifi: mvm: Increase the scan timeout guard to 30 seconds
  (git-fixes).
- iwlwifi: mvm: synchronize with FW after multicast commands
  (git-fixes).
- media: saa7146: hexium_gemini: Fix a NULL pointer dereference
  in hexium_attach() (git-fixes).
- media: igorplugusb: receiver overflow should be reported
  (git-fixes).
- media: m920x: don't use stack on USB reads (git-fixes).
- media: saa7146: hexium_orion: Fix a NULL pointer dereference
  in hexium_attach() (git-fixes).
- media: uvcvideo: Increase UVC_CTRL_CONTROL_TIMEOUT to 5 seconds
  (git-fixes).
- media: b2c2: Add missing check in flexcop_pci_isr: (git-fixes).
- commit a86fa77
- floppy: Add max size check for user space request (git-fixes).
- gpio: aspeed: Convert aspeed_gpio.lock to raw_spinlock
  (git-fixes).
- Bluetooth: Fix debugfs entry leak in hci_register_dev()
  (git-fixes).
- drm/amdgpu: fixup bad vram size on gmc v8 (git-fixes).
- drm/etnaviv: limit submit sizes (git-fixes).
- drm/bridge: megachips: Ensure both bridges are probed before
  registration (git-fixes).
- drm: panel-orientation-quirks: Add quirk for the Lenovo Yoga
  Book X91F/L (git-fixes).
- drm/nouveau/kms/nv04: use vzalloc for nv04_display (git-fixes).
- drm/nouveau/pmu/gm200-: avoid touching PMU outside of
  DEVINIT/PREOS/ACR (git-fixes).
- drm/lima: fix warning when CONFIG_DEBUG_SG=y &
  CONFIG_DMA_API_DEBUG=y (git-fixes).
- commit d637736
- ASoC: mediatek: mt8173: fix device_node leak (git-fixes).
- ALSA: seq: Set upper limit of processed events (git-fixes).
- ACPICA: Hardware: Do not flush CPU cache when entering S4 and S5
  (git-fixes).
- ACPICA: Fix wrong interpretation of PCC address (git-fixes).
- ACPICA: Executer: Fix the REFCLASS_REFOF case in
  acpi_ex_opcode_1A_0T_1R() (git-fixes).
- ACPICA: Utilities: Avoid deleting the same object twice in a
  row (git-fixes).
- batman-adv: allow netlink usage in unprivileged containers
  (git-fixes).
- ath9k: Fix out-of-bound memcpy in ath9k_hif_usb_rx_stream
  (git-fixes).
- ath10k: Fix tx hanging (git-fixes).
- ar5523: Fix null-ptr-deref with unexpected WDCMSG_TARGET_START
  reply (git-fixes).
- commit b090e4d
- hwmon: (lm90) Mark alert as broken for MAX6646/6647/6649
  (git-fixes).
- hwmon: (lm90) Mark alert as broken for MAX6680 (git-fixes).
- hwmon: (lm90) Mark alert as broken for MAX6654 (git-fixes).
- hwmon: (lm90) Reduce maximum conversion rate for G781
  (git-fixes).
- drm/msm/dsi: invalid parameter check in msm_dsi_phy_enable
  (git-fixes).
- drm/msm: Fix wrong size calculation (git-fixes).
- drm/msm/dpu: invalid parameter check in dpu_setup_dspp_pcc
  (git-fixes).
- ACPI: battery: Add the ThinkPad "/Not Charging"/ quirk
  (git-fixes).
- ACPICA: actypes.h: Expand the ACPI_ACCESS_ definitions
  (git-fixes).
- hwmom: (lm90) Fix citical alarm status for MAX6680/MAX6681
  (git-fixes).
- commit e06c812
- serial: stm32: fix software flow control transfer (git-fixes).
- tty: n_gsm: fix SW flow control encoding/handling (git-fixes).
- serial: 8250: of: Fix mapped region size when using reg-offset
  property (git-fixes).
- ucsi_ccg: Check DEV_INT bit only when starting CCG4 (git-fixes).
- ata: pata_platform: Fix a NULL pointer dereference in
  __pata_platform_probe() (git-fixes).
- drm/msm/hdmi: Fix missing put_device() call in msm_hdmi_get_phy
  (git-fixes).
- pinctrl: bcm2835: Add support for wake-up interrupts
  (git-fixes).
- pinctrl: bcm2835: Match BCM7211 compatible string (git-fixes).
- commit 34e1762
- Update patch reference for vgacon patch (CVE-2020-28097 bsc#1187723 jsc#SLE-23485)
- commit 589ca07
- video: hyperv_fb: Fix validation of screen resolution
  (git-fixes).
- commit c92ca58
- net: tipc: validate domain record count on input (bsc#1195254).
- commit 5e4e31e
- blacklist.conf: Add e1fbbd073137 prctl: allow to setup brk for et_dyn executables
- commit d38c68f
- ibmvnic: remove unused defines (bsc#1195293 ltc#196198).
- ibmvnic: Update driver return codes (bsc#1195293 ltc#196198).
- commit 2e27858
- RDMA/hns: Remove unnecessary access right set during INIT2INIT (git-fixes)
- commit 4f52905
- RDMA/core: Do not indicate device ready when device enablement fails (git-fixes)
- commit 8c078d4
- RDMA/uverbs: Tidy input validation of ib_uverbs_rereg_mr() (git-fixes)
- commit b76b1bf
- RDMA/hns: Remove the portn field in UD SQ WQE (git-fixes)
- commit 6b9c3b4
- RDMA/cxgb4: Validate the number of CQEs (git-fixes)
- commit 2d78782
- RDMA/mlx5: Fix corruption of reg_pages in mlx5_ib_rereg_user_mr() (git-fixes)
- commit 555e8b8
- RDMA/rxe: Compute PSN windows correctly (git-fixes)
- commit 6546545
- RDMA/bnxt_re: Set queue pair state when being queried (git-fixes)
- commit 68f6d87
- RDMA/cm: Fix an attempt to use non-valid pointer when cleaning timewait (git-fixes)
- commit 64a081e
- RDMA/i40iw: Address an mmap handler exploit in i40iw (git-fixes)
- commit 1f8fac6
- RMDA/sw: Don't allow drivers using dma_virt_ops on highmem configs (git-fixes)
- commit 09fe3b5
- RDMA/mlx5: Fix type warning of sizeof in __mlx5_ib_alloc_counters() (git-fixes)
- commit e969537
- i40iw: Add support to make destroy QP synchronous (git-fixes)
- commit 1d9fde7
- RDMA/mlx5: Issue FW command to destroy SRQ on reentry (git-fixes)
- commit 7b4149b
- RDMA/mlx5: Fix potential race between destroy and CQE poll (git-fixes)
- commit a2e5b72
- RDMA/hns: Add a check for current state before modifying QP (git-fixes)
- commit 8117a96
- IB/mlx4: Separate tunnel and wire bufs parameters (git-fixes)
- commit 780f173
- update
- commit 8000467
- phonet: refcount leak in pep_sock_accep (bsc#1193867,
  CVE-2021-45095).
- commit 98c27cb
- xfrm: fix MTU regression (bsc#1185377, bsc#1194048).
- Delete
  patches.suse/xfrm-xfrm_state_mtu-should-return-at-least-1280-for-.patch.
  which caused a regression (bsc#1194048).
- fix patches.kabi/revert-xfrm-xfrm_state_mtu-should-return-at-least-1280.patch
  fixes the resulting KABI change
- Replace with an alternative fix for bsc#1185377
- commit ccdfbb9
- Refresh
  patches.suse/ibmvnic-Allow-extra-failures-before-disabling.patch.
- Refresh patches.suse/ibmvnic-don-t-spin-in-tasklet.patch.
- Refresh patches.suse/ibmvnic-init-running_cap_crqs-early.patch.
- Refresh
  patches.suse/ibmvnic-remove-unused-wait_capability.patch.
- commit 6439146
- ext4: set csum seed in tmp inode while migrating to extents
  (bsc#1195267).
- commit 22e9600
- drm/vmwgfx: Fix stale file descriptors on failed usercopy
  (CVE-2022-22942 bsc#1195065).
- commit b93c2a4
- nvme: add 'iopolicy' module parameter (bsc#1177599 bsc#1193096).
- commit 552f664
- bpf: Verifer, adjust_scalar_min_max_vals to always call
  update_reg_bounds() (bsc#1194227).
- commit bf95985
- net/packet: rx_owner_map depends on pg_vec (bsc#1195184
  CVE-2021-22600).
- commit ef975a8
- powerpc/book3s64/radix: make tlb_single_page_flush_ceiling a
  debugfs entry (bsc#1195183 ltc#193865).
- commit a3b42d2
- scsi: ufs: Correct the LUN used in eh_device_reset_handler()
  callback (bsc#1193864 CVE-2021-39657).
- commit 74b4241
- lightnvm: Remove lightnvm implemenation (bsc#1191881).
- commit e978276
- supported.conf: mark rtw88 modules as supported (jsc#SLE-22690)
- commit 0d3c7d0
- Update
  patches.suse/usb-gadget-configfs-Fix-use-after-free-issue-with-ud.patch
  (bsc#1193861 CVE-2021-39648).
  updated references for a CVE that became known after the fix
  had been applied for other reasons
- commit f7fa182
- Update
  patches.suse/USB-gadget-detect-too-big-endpoint-0-requests.patch
  (bsc#1193802 CVE-2021-39685).
  Updated references to a CVE that became known after the fix had
  been applied for other reasons
- commit eeaa33a
- crypto: qat - fix undetected PFVF timeout in ACK loop
  (git-fixes).
- commit 3cc9984
- asix: fix wrong return value in asix_check_host_enable()
  (git-fixes).
- commit 9e94c23
- net: mana: Add RX fencing (bsc#1193506).
- commit aa896c0
- net: mana: Add XDP support (bsc#1193506).
- commit d5e53a9
- hv_netvsc: Set needed_headroom according to VF (bsc#1193506).
- commit f4f411e
- net, xdp: Introduce xdp_prepare_buff utility routine
  (bsc#1193506).
- commit aca9d96
- net, xdp: Introduce xdp_init_buff utility routine (bsc#1193506).
- commit 9770783
- ibmvnic: remove unused ->wait_capability (bsc#1195073
  ltc#195713).
- ibmvnic: don't spin in tasklet (bsc#1195073 ltc#195713).
- ibmvnic: init ->running_cap_crqs early (bsc#1195073 ltc#195713).
- ibmvnic: Allow extra failures before disabling (bsc#1195073
  ltc#195713).
- commit e820667
- sched/fair: Fix detection of per-CPU kthreads waking a task
  (git fixes (sched/fair)).
- sched/numa: Fix is_core_idle() (git fixes (sched/numa)).
- commit 8f3f43a
- blacklist.conf: !SMP configs are not supported
- commit c80ad41
- scripts/dtc: dtx_diff: remove broken example from help text
  (git-fixes).
- Documentation: fix firewire.rst ABI file path error (git-fixes).
- HID: wacom: Reset expected and received contact counts at the
  same time (git-fixes).
- HID: uhid: Fix worker destroying device without any protection
  (git-fixes).
- drm/radeon: fix error handling in radeon_driver_open_kms
  (git-fixes).
- clk: si5341: Fix clock HW provider cleanup (git-fixes).
- vfio/iommu_type1: replace kfree with kvfree (git-fixes).
- nfc: llcp: fix NULL error pointer dereference on sendmsg()
  after failed bind() (git-fixes).
- commit 8163787
- btrfs: tree-checker: check for BTRFS_BLOCK_FLAG_FULL_BACKREF being  set improperly (bsc#1195009).
- commit dad9348
- btrfs: tree-checker: annotate all error branches as unlikely (bsc#1195009).
- commit f9364fe
- btrfs: tree-checker: Add EXTENT_ITEM and METADATA_ITEM check (bsc#1195009).
- commit 58912c3
- blacklist.conf: test_stackinit module is not built
- commit 79fa675
- blacklist.conf: bug: clean up; compiler likely does the same optimization
- commit 0f2e872
- workqueue: Fix unbind_workers() VS wq_worker_running() race
  (bsc#1195062).
- commit 4a6e4c5
- drm/i915: Flush TLBs before releasing backing store
  (CVE-2022-0330 bsc#1194880).
- commit 9eddfd3
- drm/i915: Flush TLBs before releasing backing store
  (CVE-2022-0330 bsc#1194880).
- commit 34a8919
- kabi/severities: Add a kabi exception for drivers/tee/tee
  According to the partner modules database, the structs of this driver
  are not used by anything external so make a kABI exception for them.
  Do that on purpose so that any external module using this fails to load
  instead of causing a potential memory corruption due to a kabi
  workaround which would use the same offset but for a different thing:
  - struct dma_buf *dmabuf;
  +	refcount_t refcount;
  See upstream commit
  dfd0743f1d9e ("/tee: handle lookup of shm with reference count 0"/)
- commit c1b7aec
- Update config files.
- commit eae3c71
- net: allow retransmitting a TCP packet if original is still
  in queue (bsc#1188605 bsc#1187428).
- commit 372a9a4
- tee: handle lookup of shm with reference count 0 (bsc#1193767
  CVE-2021-44733).
- commit be75d82
- nvme-fabrics: ignore invalid fast_io_fail_tmo values
  (git-fixes).
- nvme-tcp: fix memory leak when freeing a queue (git-fixes).
- nvme-multipath: fix ANA state updates when a namespace is not
  present (git-fixes).
- nvme-fabrics: remove superfluous nvmf_host_put in
  nvmf_parse_options (git-fixes).
- commit 51e4a5d
- arm64: Kconfig: add a choice for endianness (jsc#SLE-23432).
- commit 51a5c79
- tee: don't assign shm id for private shms (bsc#1193767
  CVE-2021-44733).
- commit 9ab9ee2
- tee: remove linked list of struct tee_shm (bsc#1193767
  CVE-2021-44733).
- commit a3c7739
- cgroup/cpuset: Fix a partition bug with hotplug (bsc#1194291).
- commit 9a89323
- blacklist.conf: Add 7ee285395b21 cgroup: Make rebind_subsystems() disable v2 controllers all at once
- commit 11abfa4
- blacklist.conf: Add 6ba34d3c7367 cgroup/cpuset: Fix violation of cpuset locking rule
- commit a116f42
- Revert "/net: sched: disable TCQ_F_NOLOCK for pfifo_fast (bsc#1183405)"/
  This reverts commit 3aa0c01fad38360cc9cd840d49bdfdc565e2e718.
  With the backport of the upstream fix for bsc#1183405 race, this workaround
  is no longer needed.
- commit 282cec9
- net: sched: add barrier to ensure correct ordering for lockless
  qdisc (bsc#1183405).
- net: sched: avoid unnecessary seqcount operation for lockless
  qdisc (bsc#1183405).
- net: sched: fix tx action reschedule issue with stopped queue
  (bsc#1183405).
- net: sched: fix tx action rescheduling issue during deactivation
  (bsc#1183405).
- net: sched: fix packet stuck problem for lockless qdisc
  (bsc#1183405).
- net: sched: replaced invalid qdisc tree flush helper in
  qdisc_replace (bsc#1183405).
- net: sch_generic: aviod concurrent reset and enqueue op for
  lockless qdisc (bsc#1183405).
- commit 60ecee5
- Align s390 NVME target options with other architectures
  (bsc#1188404, jsc#SLE-22494).
  CONFIG_NVME_TARGET=m
  CONFIG_NVME_TARGET_PASSTHRU=y
  CONFIG_NVME_TARGET_LOOP=m
  CONFIG_NVME_TARGET_RDMA=m
  CONFIG_NVME_TARGET_FC=m
  CONFIG_NVME_TARGET_FCLOOP=m
  CONFIG_NVME_TARGET_TCP=m
- commit 5b2b9f6
krb5
- Update to 1.19.2; (jsc#SLE-23329);
  * Fix a denial of service attack against the KDC encrypted challenge
    code; (CVE-2021-36222);
  * Fix a memory leak when gss_inquire_cred() is called without a
    credential handle.
- Changes from 1.19.1
  * Fix a linking issue with Samba.
  * Better support multiple pkinit_identities values by checking whether
    certificates can be loaded for each value.
- Changes from 1.19
  Administrator experience
  * When a client keytab is present, the GSSAPI krb5 mech will refresh
    credentials even if the current credentials were acquired manually.
  * It is now harder to accidentally delete the K/M entry from a KDB.
  Developer experience
  * gss_acquire_cred_from() now supports the "/password"/ and "/verify"/
    options, allowing credentials to be acquired via password and
    verified using a keytab key.
  * When an application accepts a GSS security context, the new
    GSS_C_CHANNEL_BOUND_FLAG will be set if the initiator and acceptor
    both provided matching channel bindings.
  * Added the GSS_KRB5_NT_X509_CERT name type, allowing S4U2Self requests
    to identify the desired client principal by certificate.
  * PKINIT certauth modules can now cause the hw-authent flag to be set
    in issued tickets.
  * The krb5_init_creds_step() API will now issue the same password
    expiration warnings as krb5_get_init_creds_password().
  Protocol evolution
  * Added client and KDC support for Microsoft's Resource-Based Constrained
    Delegation, which allows cross-realm S4U2Proxy requests. A third-party
    database module is required for KDC support.
  * kadmin/admin is now the preferred server principal name for kadmin
    connections, and the host-based form is no longer created by default.
    The client will still try the host-based form as a fallback.
  * Added client and server support for Microsoft's KERB_AP_OPTIONS_CBT
    extension, which causes channel bindings to be required for the
    initiator if the acceptor provided them. The client will send this
    option if the client_aware_gss_bindings profile option is set.
  User experience
  * kinit will now issue a warning if the des3-cbc-sha1 encryption type is
    used in the reply. This encryption type will be deprecated and removed
    in future releases.
  * Added kvno flags --out-cache, --no-store, and --cached-only
    (inspired by Heimdal's kgetcred).
- Changes from 1.18.3
  * Fix a denial of service vulnerability when decoding Kerberos
    protocol messages.
  * Fix a locking issue with the LMDB KDB module which could cause
    KDC and kadmind processes to lose access to the database.
  * Fix an assertion failure when libgssapi_krb5 is repeatedly loaded
    and unloaded while libkrb5support remains loaded.
- Changes from 1.18.2
  * Fix a SPNEGO regression where an acceptor using the default credential
    would improperly filter mechanisms, causing a negotiation failure.
  * Fix a bug where the KDC would fail to issue tickets if the local krbtgt
    principal's first key has a single-DES enctype.
  * Add stub functions to allow old versions of OpenSSL libcrypto to link
    against libkrb5.
  * Fix a NegoEx bug where the client name and delegated credential might
    not be reported.
- Changes from 1.18.1
  * Fix a crash when qualifying short hostnames when the system has
    no primary DNS domain.
  * Fix a regression when an application imports "/service@"/ as a GSS
    host-based name for its acceptor credential handle.
  * Fix KDC enforcement of auth indicators when they are modified by
    the KDB module.
  * Fix removal of require_auth string attributes when the LDAP KDB
    module is used.
  * Fix a compile error when building with musl libc on Linux.
  * Fix a compile error when building with gcc 4.x.
  * Change the KDC constrained delegation precedence order for consistency
    with Windows KDCs.
- Changes from 1.18
  Administrator experience:
  * Remove support for single-DES encryption types.
  * Change the replay cache format to be more efficient and robust.
    Replay cache filenames using the new format end with "/.rcache2"/
    by default.
  * setuid programs will automatically ignore environment variables
    that normally affect krb5 API functions, even if the caller does
    not use krb5_init_secure_context().
  * Add an "/enforce_ok_as_delegate"/ krb5.conf relation to disable
    credential forwarding during GSSAPI authentication unless the KDC
    sets the ok-as-delegate bit in the service ticket.
  * Use the permitted_enctypes krb5.conf setting as the default value
    for default_tkt_enctypes and default_tgs_enctypes.
  Developer experience:
  * Implement krb5_cc_remove_cred() for all credential cache types.
  * Add the krb5_pac_get_client_info() API to get the client account
    name from a PAC.
  Protocol evolution:
  * Add KDC support for S4U2Self requests where the user is identified
    by X.509 certificate. (Requires support for certificate lookup from
    a third-party KDB module.)
  * Remove support for an old ("/draft 9"/) variant of PKINIT.
  * Add support for Microsoft NegoEx. (Requires one or more third-party
    GSS modules implementing NegoEx mechanisms.)
  User experience:
  * Add support for "/dns_canonicalize_hostname=fallback"/, causing
    host-based principal names to be tried first without DNS
    canonicalization, and again with DNS canonicalization if the
    un-canonicalized server is not found.
  * Expand single-component hostnames in host-based principal names
    when DNS canonicalization is not used, adding the system's first DNS
    search path as a suffix. Add a "/qualify_shortname"/ krb5.conf relation
    to override this suffix or disable expansion.
  * Honor the transited-policy-checked ticket flag on application servers,
    eliminating the requirement to configure capaths on servers in some
    scenarios.
  Code quality:
  * The libkrb5 serialization code (used to export and import krb5 GSS
    security contexts) has been simplified and made type-safe.
  * The libkrb5 code for creating KRB-PRIV, KRB-SAFE, and KRB-CRED
    messages has been revised to conform to current coding practices.
  * The test suite has been modified to work with macOS System Integrity
    Protection enabled.
  * The test suite incorporates soft-pkcs11 so that PKINIT PKCS11 support
    can always be tested.
- Changes from 1.17.1
  * Fix a bug preventing "/addprinc -randkey -kvno"/ from working in kadmin.
  * Fix a bug preventing time skew correction from working when a KCM
    credential cache is used.
- Changes from 1.17:
  Administrator experience:
  * A new Kerberos database module using the Lightning Memory-Mapped
    Database library (LMDB) has been added.  The LMDB KDB module should
    be more performant and more robust than the DB2 module, and may
    become the default module for new databases in a future release.
  * "/kdb5_util dump"/ will no longer dump policy entries when specific
    principal names are requested.
  Developer experience:
  * The new krb5_get_etype_info() API can be used to retrieve enctype,
    salt, and string-to-key parameters from the KDC for a client
    principal.
  * The new GSS_KRB5_NT_ENTERPRISE_NAME name type allows enterprise
    principal names to be used with GSS-API functions.
  * KDC and kadmind modules which call com_err() will now write to the
    log file in a format more consistent with other log messages.
  * Programs which use large numbers of memory credential caches should
    perform better.
  Protocol evolution:
  * The SPAKE pre-authentication mechanism is now supported.  This
    mechanism protects against password dictionary attacks without
    requiring any additional infrastructure such as certificates.  SPAKE
    is enabled by default on clients, but must be manually enabled on
    the KDC for this release.
  * PKINIT freshness tokens are now supported.  Freshness tokens can
    protect against scenarios where an attacker uses temporary access to
    a smart card to generate authentication requests for the future.
  * Password change operations now prefer TCP over UDP, to avoid
    spurious error messages about replays when a response packet is
    dropped.
  * The KDC now supports cross-realm S4U2Self requests when used with a
    third-party KDB module such as Samba's.  The client code for
    cross-realm S4U2Self requests is also now more robust.
  User experience:
  * The new ktutil addent -f flag can be used to fetch salt information
    from the KDC for password-based keys.
  * The new kdestroy -p option can be used to destroy a credential cache
    within a collection by client principal name.
  * The Kerberos man page has been restored, and documents the
    environment variables that affect programs using the Kerberos
    library.
  Code quality:
  * Python test scripts now use Python 3.
  * Python test scripts now display markers in verbose output, making it
    easier to find where a failure occurred within the scripts.
  * The Windows build system has been simplified and updated to work
    with more recent versions of Visual Studio.  A large volume of
    unused Windows-specific code has been removed.  Visual Studio 2013
    or later is now required.
- Replace old $RPM_* shell vars
- Removal of SuSEfirewall2 service since SuSEfirewall2 has been replaced
  by firewalld
- Remove cruft to support distributions older than SLE 12
- Use macros where applicable
- Switch to pkgconfig style dependencies
- Use %_tmpfilesdir instead of the wrong %_libexecdir/tmpfiles.d
  notation: libexecdir is likely changing away from /usr/lib to
  /usr/libexec
- Build with full Cyrus SASL support. Negotiating SASL credentials with
  an EXTERNAL bind mechanism requires interaction. Kerberos provides its
  own interaction function that skips all interaction, thus preventing the
  mechanism from working.
- Removed patches:
  * 0007-krb5-1.12-ksu-path.patch
  * 0010-Add-recursion-limit-for-ASN.1-indefinite-lengths.patch
  * 0011-Fix-KDC-null-deref-on-bad-encrypted-challenge.patch
- Renamed patches:
  * 0001-krb5-1.12-pam.patch => 0001-ksu-pam-integration.patch
  * 0003-krb5-1.12-buildconf.patch => 0003-Adjust-build-configuration.patch
  * 0008-krb5-1.12-selinux-label.patch => 0007-SELinux-integration.patch
  * 0009-krb5-1.9-debuginfo.patch => 0008-krb5-1.9-debuginfo.patch
  * 0012-Fix-KDC-null-deref-on-TGS-inner-body-null-server.patch =>
    0009-Fix-KDC-null-deref-on-TGS-inner-body-null-server.patch
ldb
- Modify packaging to allow parallel installation with libldb1
  (bsc#1192684):
  + Private libraries are installed in %{_libdir}/ldb2/
  + Modules are installed in %{_libdir}/ldb2/modules
- Update to version 2.4.1; (jsc#SLE-23329);
  - Release 2.4.1
    + Corrected python behaviour for 'in' for LDAP attributes
    contained as part of ldb.Message; (bso#14845);
    + Fix memory handling in ldb.msg_diff; (bso#14836);
    + Corrected python docstrings
  - Release 2.4.0
    + Improve calculate_popt_array_length()
    + Use C99 initializers for builtin_popt_options[]
    + pyldb: Fix Message.items() for a message containing elements
    + pyldb: Add test for Message.items()
    + tests: Use ldbsearch '--scope instead of '-s'
    + pyldb: fix a typo
    + Change page size of guidindexpackv1.ldb
    + Use a 1MiB lmdb so the test also passes on aarch64 CentOS stream
    + attrib_handler casefold: simplify space dropping
    + fix ldb_comparison_fold off-by-one overrun
    + CVE-2020-27840: pytests: move Dn.validate test to ldb
    + CVE-2020-27840 ldb_dn: avoid head corruption in ldb_dn_explode
    + CVE-2021-20277 ldb/attrib_handlers casefold: stay in bounds
    + CVE-2021-20277 ldb tests: ldb_match tests with extra spaces
    + improve comments for ldb_module_connect_backend()
    + test/ldb_tdb: correct introductory comments
    + ldb.h: remove undefined async_ctx function signatures
    + correct comments in attrib_handers val_to_int64
    + dn tests use cmocka print functions
    + ldb_match: remove redundant check
    + add tests for ldb_wildcard_compare
    + ldb_match: trailing chunk must match end of string
    + pyldb: catch potential overflow error in py_timestring
    + ldb: remove some 'if PY3's in tests
    + Add missing break in switch statement
- Drop obsolete patch CVE-2020-25718-lib-Add-hex_byte-to-replace.h.patch
- Drop obsolete patch ldb-cve-2020-25718.patch
libseccomp
- buildrequire python-rpm-macros
- reenable python bindings at least for the distro default python3
  package:
  - adds make-python-build.patch
- Update to release 2.5.3
  * Update the syscall table for Linux v5.15
  * Fix issues with multiplexed syscalls on mipsel introduced in v2.5.2
  * Document that seccomp_rule_add() may return -EACCES
- Skip 11-basic-basic_errors test on qemu linux-user emulation
- Update to release 2.5.2
  * Update the syscall table for Linux v5.14-rc7
  * Add a function, get_notify_fd(), to the Python bindings to
    get the nofication file descriptor.
  * Consolidate multiplexed syscall handling for all
    architectures into one location.
  * Add multiplexed syscall support to PPC and MIPS
  * The meaning of SECCOMP_IOCTL_NOTIF_ID_VALID changed within
    the kernel. libseccomp's fd notification logic was modified
    to support the kernel's previous and new usage of
    SECCOMP_IOCTL_NOTIF_ID_VALID.
- update to 2.5.1:
  * Fix a bug where seccomp_load() could only be called once
  * Change the notification fd handling to only request a notification fd if
  * the filter has a _NOTIFY action
  * Add documentation about SCMP_ACT_NOTIFY to the seccomp_add_rule(3) manpage
  * Clarify the maintainers' GPG keys
- remove testsuite-riscv64-missing-syscalls.patch
- Do not rely on gperf: pass GPERF=/bin/true to configure and
  remove gperf BuildRequires. The syscalls.perf file it would
  generate is part of the tarball already.
- testsuite-riscv64-missing-syscalls.patch: Fix testsuite failure on
  riscv64
- Ignore failure of tests/52-basic-load on qemu linux-user emulation
- Update to release 2.5.0
  * Add support for the seccomp user notifications, see the
    seccomp_notify_alloc(3), seccomp_notify_receive(3),
    seccomp_notify_respond(3) manpages for more information
  * Add support for new filter optimization approaches, including a balanced
    tree optimization, see the SCMP_FLTATR_CTL_OPTIMIZE filter attribute for
    more information
  * Add support for the 64-bit RISC-V architecture
  * Performance improvements when adding new rules to a filter thanks to the
    use of internal shadow transactions and improved syscall lookup tables
  * Properly document the libseccomp API return values and include them in the
    stable API promise
  * Improvements to the s390 and s390x multiplexed syscall handling
  * Multiple fixes and improvements to the libseccomp manpages
  * Moved from manually maintained syscall tables to an automatically generated
    syscall table in CSV format
  * Update the syscall tables to Linux v5.8.0-rc5
  * Python bindings and build now default to Python 3.x
  * Improvements to the tests have boosted code coverage to over 93%
- libseccomp.keyring: replaced by Paul Moore <pmoore@redhat.com> key.
- Update to release 2.4.3
  * Add list of authorized release signatures to README.md
  * Fix multiplexing issue with s390/s390x shm* syscalls
  * Remove the static flag from libseccomp tools compilation
  * Add define for __SNR_ppoll
  * Fix potential memory leak identified by clang in the
    scmp_bpf_sim tool
- Drop no-static.diff, libseccomp-fix_aarch64-test.patch,
  SNR_ppoll.patch (merged)
- Add patch to fix ntpsec and others build (accidental drop of symbols):
  * SNR_ppoll.patch
- Tests are passing on all architectures
- Backport patch to fix test on aarch64:
  * libseccomp-fix_aarch64-test.patch
- Update to release 2.4.2
  * Add support for io-uring related system calls
libzypp
- Public header files on older distros must use c++11
  (bsc#1194597)
- Fix exception handling when reading or writing credentials
  (bsc#1194898)
- version 17.29.3 (22)
- Fix Legacy include (bsc#1194597)
- version 17.29.2 (22)
- Fix broken install path for parser compat headers (fixes #372,
  bsc#1194597)
- RepoManager: remember exec errors in exception history
  (bsc#1193007)
- version 17.29.1 (22)
- Use the default zypp.conf settings if no zypp.conf exists
  (bsc#1193488)
- Fix wrong encoding of iso: URL components (bsc#954813)
- Handle armv8l as armv7hl compatible userland.
- Introduce zypp-curl a sublibrary for CURL related code.
- zypp-rpm: Increase rpm loglevel if ZYPP_RPM_DEBUG is set.
- Save all signatures associated with a public key in its
  PublicKeyData.
- version 17.29.0 (22)
nfs-utils
- Add 0020-mountd-Initialize-logging-early.patch
  If an error or warning message is produced before
  closeall() is called, mountd gets confused and doesn't work.
  (bsc#1194661)
polkit
- CVE-2021-4115: fixed a denial of service via file descriptor leak (bsc#1195542)
  added CVE-2021-4115.patch
psmisc
  * Determine the namespace of a process only once to speed
    up the parsing of fdinfo (bsc#1194172).
- Change patch 0001-Use-mountinfo-to-be-able-to-use-the-mount-identity.patch
release-notes-sles
- 15.3.20220202 (tracked in bsc#933411)
- Added kernel parameter changes (bsc#1195107)
- Added note about IBM Power10 support (bsc#1192121)
- Added note about deprecating XFS V4 (jsc#SLE-22663)
- Updated note about unixODBC drivers in production (jsc#SLE-20555)
- Added note about RTL8821CE support (jsc#SLE-22690)
- Updated KillMode=none note (bsc#1193843)
rsyslog
- add service dependencies for remote logging (bsc#1194669)
- update config example in remote.conf to match upstream documentation
salt
- Fix inspector module export function (bsc#1097531)
- Add all ssh kwargs to sanitize_kwargs method
- Wipe NOTIFY_SOCKET from env in cmdmod (bsc#1193357)
- Don't check for cached pillar errors on state.apply (bsc#1190781)
- Simplify "/transactional_update"/ module to not use SSH wrapper and allow more flexible execution
- Add "/--no-return-event"/ option to salt-call to prevent sending return event back to master.
- Make "/state.highstate"/ to acts on concurrent flag.
- Added:
  * state.apply-don-t-check-for-cached-pillar-errors.patch
  * add-all-ssh-kwargs-to-sanitize_kwargs-method-3002.2-.patch
  * wipe-notify_socket-from-env-in-cmdmod-bsc-1193357-30.patch
  * vendor-stateresult.patch
  * fix-inspector-module-export-function-bsc-1097531-480.patch
  * refactor-and-improvements-for-transactional-updates-.patch
samba
- CVE-2021-44141: Information leak via symlinks of existance of
  files or directories outside of the exported share; (bso#14911);
  (bsc#1193690);
- CVE-2021-44142: Out-of-bounds heap read/write vulnerability
  in VFS module vfs_fruit allows code execution; (bso#14914);
  (bsc#1194859);
- CVE-2022-0336: Samba AD users with permission to write to an
  account can impersonate arbitrary services; (bso#14950);
  (bsc#1195048);
- Update to 4.15.4
  * Duplicate SMB file_ids leading to Windows client cache
    poisoning; (bso#14928);
  * Failed to parse NTLMv2_RESPONSE length 95 - Buffer Size Error -
    NT_STATUS_BUFFER_TOO_SMALL; (bso#14932);
  * kill_tcp_connections does not work; (bso#14934);
  * Can't connect to Windows shares not requiring authentication
    using KDE/Gnome; (bso#14935);
  * smbclient -L doesn't set "/client max protocol"/ to NT1 before
    calling the "/Reconnecting with SMB1 for workgroup listing"/
    path; (bso#14939);
  * Cross device copy of the crossrename module always fails;
    (bso#14940);
  * symlinkat function from VFS cap module always fails with an
    error; (bso#14941);
  * Fix possible fsp pointer deference; (bso#14942);
  * Missing pop_sec_ctx() in error path inside close_directory();
    (bso#14944);
  * "/smbd --build-options"/ no longer works without an smb.conf file;
    (bso#14945);
- Use pkgconfig(krb5) as dependency for the -devel package: allow
  OBS to pick the right flavor of krb5-devel (full vs mini).
- Do not require the 'krb5' symbol by samba-client-libs: this
  package has an automatic dependency due to linkage on
  libgssapi_krb5.so.2. Automatic deps are always better.
- Do not require the 'krb5' symbol from samba-libs: samba-libs
  requires samba-client-libs, which in turn requires krb5
  libraries. Samba-libs itself has no need for krb5 (but get it
  indirectly anyway).
- Update to version 4.15.3; (jsc#SLE-23329);
  + CVE-2021-43566: Symlink race error can allow directory creation
    outside of the exported share; (bso#13979); (bsc#1139519);
  + CVE-2021-20316: Symlink race error can allow metadata read and
    modify outside of the exported share; (bso#14842); (bsc#1191227);
- Reorganize libs packages. Split samba-libs into samba-client-libs,
  samba-libs, samba-winbind-libs and samba-ad-dc-libs, merging samba
  public libraries depending on internal samba libraries into these
  packages as there were dependency problems everytime one of these
  public libraries changed its version (bsc#1192684). The devel
  packages are merged into samba-devel.
- Rename package samba-core-devel to samba-devel
- Add python-rpm-macros to build requirements
- Update the symlink create by samba-dsdb-modules to private samba
  ldb modules following libldb2 changes from /usr/lib64/ldb/samba to
  /usr/lib64/ldb2/modules/ldb/samba
shadow
- The legacy code does not support /etc/login.defs.d used by YaST.
  Enable libeconf to read it (bsc#1192954).
sudo
- Add support in the LDAP filter for negated users, patch taken
  from upstream (jsc#20068)
  * Adds sudo-feature-negated-LDAP-users.patch
- Restrict use of sudo -U other -l to people who have permission
  to run commands as that user (bsc#1181703, jsc#SLE-22569)
  * feature-upstream-restrict-sudo-U-other-l.patch
supportutils-plugin-suse-public-cloud
- Update to version 1.0.6 (bsc#1195095, bsc#1195096)
  + Include cloud-init logs whenever they are present
  + Update the packages we track in AWS, Azure, and Google
  + Include the ecs logs for AWS ECS instances
systemd
- Import commit 773652879446a81689c39aea23a486627992409b
  a76263ced9 meson: allow extra net naming schemes to be defined during configuration
  301bf4f1bf meson: drop the list of valid net naming schemes
  b89924793d netif-naming: inline one iterator variable
  da4a4df29c udev: fix potential memleak
  d60486bf1b udev: allow onboard index up to 65535
  ac2baecc84 udev: use snprintf_ok()
  8aad315c7c udev: fix potential infinite loop
  471ea73eb0 udev: make dev_pci_slot() return earlier when PCI bridge is found
  69b7c9a6bd udev: use uint32_t for hotplug_slot
  cdd0e89c0e udev: split out logic of parsing s390 PCI slots
  84e1a91baa udev: it is not necessary that the path is readable
  03548e8d0e udev: add missing initialization to fix freeing invalid address
  772f964bf6 udev: fix slot based network names on s390
  c5071cf699 tree-wide: fix typo
  06640d06df net_id: fix newly added naming scheme name
  58f9592f1f udev/net_id: don't generate slot based names if multiple devices might claim the same slot (bsc#1192637)
  df9e240c92 udev/net_id: parse _SUN ACPI index as a signed integer
  cfcaddfa74 localectl: don't omit keymaps files that are symlinks (bsc#1191826)
- Add 6000-udev-net_id-add-debug-logging-for-construction-of-de.patch
- Import commit 6a96632f26f20a68578f9d620a593ceab2a0e3b6
  c4aa40982c shared/rm-rf: loop over nested directories instead of instead of recursing (CVE-2021-3997 bsc#1194178)
  ae13ea6511 shared/rm_rf: refactor rm_rf() to shorten code a bit
  3266d7f5c8 shared/rm_rf: refactor rm_rf_children_inner() to shorten code a bit
- Drop 5000-shared-rm_rf-refactor-rm_rf_children_inner-to-shorte.patch
  Drop 5001-shared-rm_rf-refactor-rm_rf-to-shorten-code-a-bit.patch
  Drop 5002-shared-rm-rf-loop-over-nested-directories-instead-of.patch
  They have been merged into 'SUSE/v246' branch.
- resolved: disable DNSSEC until the following issue is solved:
  https://github.com/systemd/systemd/issues/10579
- resolved: disable fallback DNS servers and fail when no DNS server info could
  be obtained from the links. It's better to let the sysadmin know that
  something is likely misconfigured rather than silently handing over the DNS
  queries to Google or Cloudflare.
- resolved: DNSSEC support (build) requires openssl therefore document this
  build dependency in systemd-network sub-package.
- Add 1009-drop-or-soften-deprecation-warnings.patch (bsc#1193086)
talloc
- Update to 2.3.3; (jsc#SLE-23329);
  + python: Ensure reference counts are properly incremented
  + Change pytalloc source to LGPL;(bso#9931);
- Update to 2.3.2
- Fix build with RPM 4.16:
  bad %if condition:  01550 != 1110 || "/x86_64"/ == x86_64
  no bare word support, x86_64 needs to be quoted
tdb
- Update to version 1.4.4; (jsc#SLE-23329);
  + Fix a memory leak on error
  + python: remove all 'from __future__ import print_function'
  + Fix CID 1471761 String not null terminated
  + Use hex_byte() in parse_hex()
  + Use hex_byte() in read_data()
  + fix studio compiler build
  + Fix some signed/unsigned comparisons
  + also use __has_attribute macro to check for attribute support
  + Fix clang 9 missing-field-initializer warnings
  + pytdb tests: add test for storev()
  + pytdb: add python binding for storev()
  + tdbtorture: Use ARRAY_DEL_ELEMENT()
  + py3: Remove #define PyInt_FromLong PyLong_FromLong
  + py3: Remove #define PyInt_AsLong PyLong_AsLong
  + py3: Remove #define PyInt_Check PyLong_Check
  + tdb: Align integer types
- Drop obsolete patch ignore-tdb1-run-transaction-expand.diff
- Fix header file using undefined function visibility macro;
  Add patch 0001-tdb-Fix-invalid-syntax-in-tdb.h.patch; (bso#14762);
tevent
- Adust tevent spec to export bundled libcmocka-tevent needed
  by ldb; (jsc#SLE-23329);
- Update to version 0.11.0
  + Other minor build fixes; (bso#14526);
  + Add custom tag to events
  + Add event trace api
util-linux
- Fix unauthorized umount (CVE-2021-3995, CVE-2021-3996,
  bsc#1194976,
  util-linux-libmount-check-fuse-umount-CVE-2021-3995.patch,
  util-linux-libmount-fix-deleted-suffix-CVE-2021-3996.patch).
- blockdev: Remove NBSP character in values (bsc#1188507#c31,
  blockdev-remove-nbsp.patch).
- The legacy code does not support /etc/login.defs.d used by YaST.
  Enable libeconf to read it (bsc#1192954).
- blockdev: allow for larger values for start sector (bsc#1188507)
  blockdev-allow-for-larger-values-for-start-sector.patch
util-linux-systemd
- Fix unauthorized umount (CVE-2021-3995, CVE-2021-3996,
  bsc#1194976,
  util-linux-libmount-check-fuse-umount-CVE-2021-3995.patch,
  util-linux-libmount-fix-deleted-suffix-CVE-2021-3996.patch).
- blockdev: Remove NBSP character in values (bsc#1188507#c31,
  blockdev-remove-nbsp.patch).
- The legacy code does not support /etc/login.defs.d used by YaST.
  Enable libeconf to read it (bsc#1192954).
- blockdev: allow for larger values for start sector (bsc#1188507)
  blockdev-allow-for-larger-values-for-start-sector.patch
vim
- Minimal fix for Bug 1195004 - (CVE-2022-0318) VUL-0: CVE-2022-0318: vim:
  Heap-based Buffer Overflow in vim prior to 8.2.
  / vim-8.0.1568-CVE-2022-0413.patch
- Fixing bsc#1190570 CVE-2021-3796: vim: use-after-free in nv_replace() in
  normal.c / vim-8.0.1568-CVE-2021-3796.patch
- Fixing bsc#1191893 CVE-2021-3872: vim: heap-based buffer overflow in
  win_redr_status() drawscreen.c / vim-8.0.1568-CVE-2021-3872.patch
- Fixing bsc#1192481 CVE-2021-3927: vim: vim is vulnerable to
  Heap-based Buffer Overflow / vim-8.0.1568-CVE-2021-3927.patch
- Fixing bsc#1192478 CVE-2021-3928: vim: vim is vulnerable to
  Stack-based Buffer Overflow / vim-8.0.1568-CVE-2021-3928.patch
- Fixing bsc#1193294 CVE-2021-4019: vim: vim is vulnerable to
  Heap-based Buffer Overflow / vim-8.0.1568-CVE-2021-4019.patch
- Fixing bsc#1193298 CVE-2021-3984: vim: illegal memory access when C-indenting
  could lead to Heap Buffer Overflow / vim-8.0.1568-CVE-2021-3984.patch
- Fixing bsc#1190533 CVE-2021-3778: vim: Heap-based Buffer Overflow in regexp_nfa.c
  / vim-8.0.1568-CVE-2021-3778.patch
- Fixing bsc#1194216 CVE-2021-4193: vim: vulnerable to Out-of-bounds Read
  / vim-8.0.1568-CVE-2021-4193.patch
- Fixing bsc#1194556 CVE-2021-46059: vim: A Pointer Dereference vulnerability
  exists in Vim 8.2.3883 via the vim_regexec_multi function at regexp.c, which
  causes a denial of service. / vim-8.0.1568-CVE-2021-46059.patch
- Fixing bsc#1195066 CVE-2022-0319: vim: Out-of-bounds Read in vim/vim
  prior to 8.2. / vim-8.0.1568-CVE-2022-0319.patch
- Fixing bsc#1195126 CVE-2022-0351: vim: uncontrolled recursion in eval7()
  / vim-8.0.1568-CVE-2022-0351.patch
- Fixing bsc#1195202 CVE-2022-0361: vim: Heap-based Buffer Overflow in vim
  prior to 8.2. / vim-8.0.1568-CVE-2022-0361.patch
- Fixing bsc#1195356 CVE-2022-0413: vim: use after free in src/ex_cmds.c
  / vim-8.0.1568-CVE-2022-0413.patch
wicked
- fsm: fix device rename via yast (bsc#1194392)
  Reset worker config instead to reject a NULL/empty config
  xml node -- introduced in wicked 0.6.67 by commit c2a0385.
  [+ 0001-fsm-fix-device-rename-via-yast-bsc-1194392.patch]
- version 0.6.68
- sysctl: process sysctl.d directories as in sysctl --system
- sysctl: fix sysctl values for loopback device (bsc#1181163, bsc#1178357)
- dhcp4: add option to set route pref-src to dhcp IP (bsc#1192353)
- cleanup: warnings, time calculations and dhcp fixes (bsc#1188019)
- wireless: reconnect on unexpected wpa_supplicant restart (bsc#1183495)
- tuntap: avoid sysfs attr read error (bsc#1192311)
- ifstatus: fix warning of unexpected interface flag combination (bsc#1192164)
- dbus: config files in /usr shouldn't be marked as config in spec
- version 0.6.67
- dbus: install bus config in /usr (bsc#1183407,jsc#SLE-9750)
- logging: log reaped sub-process command and as debug, not error
- ifstatus: Don't show link as "/up"/ without RUNNING flag set
- firewalld: Make the zone assignment permanent (boo#1189560)
- fsm: cleanup and improve ifconfig and ifpolicy access utils
- dbus: cleanup the dbus-service.h file and unused property makros
- cleanup: applied code-spell run typo corrections
- dracut: initial fixes and improved option handling (boo#1182227)
- version 0.6.66
- wireless: migrate to wpa-supplicant v1 DBus interface (bsc#1156920)
  - support multiple networks configurations per interface
  - show connection status and scan-results (bsc#1160654)
  - corrected eap-tls,ttls cetificate handling and open vs. shared
    wep,open,psk,eap-tls,ttls,peap parsing from ifcfg (bsc#1057592)
  - cleanups and several other improvements, see changes
  - updated man ifcfg-wireless manual pages
- nanny: fix identify node owner exit condition
- schema: several xml-schema and dbus/property improvements
- utils: format/parse bitmap to array and string alternatives
- client: expose ethtool --get-permanent-address option
- removed sle15-sp3 patches included in the master sources (bsc#1181812)
  [- 0001-dhcp4-discover-on-reboot-timeout-after-start-delay.1181812.patch]
  [- 0002-dhcp6-request-nis-options-on-sle15-by-default.1181812.patch]
xen
- bsc#1194576 - VUL-0: CVE-2022-23033: xen: arm:
  guest_physmap_remove_page not removing the p2m mappings (XSA-393)
  xsa393.patch
- bsc#1194581 - VUL-0: CVE-2022-23034: xen: a PV guest could DoS
  Xen while unmapping a grant (XSA-394)
  xsa394.patch
- bsc#1194588 - VUL-0: CVE-2022-23035: xen: insufficient cleanup of
  passed-through device IRQs (XSA-395)
  xsa395.patch
- bsc#1191668 - L3: issue around xl and virsh operation - virsh
  list not giving any output
  libxl-dont-try-to-free-a-NULL-list-of-vcpus.patch
  libxl-dont-touch-nr_vcpus_out-if-listing-vcpus-and-returning-NULL.patch
- bsc#1193447 - Slow execution of hvmloader+ovmf when VM contains an sriov device
  61bc429f-revert-hvmloader-PA-range-should-be-UC.patch
- Upstream bug fixes (bsc#1027519)
  61b31d5c-x86-restrict-all-but-self-IPI.patch
  61b88e78-x86-CPUID-TSXLDTRK-definition.patch
  61d5687a-x86-spec-ctrl-opt_srb_lock-default.patch
- Collect active VM config files in the supportconfig plugin
  xen-supportconfig
- Upstream bug fixes (bsc#1027519)
  61655b5a-AMD-IOMMU-hidden-devices-flush.patch
  616d66bd-x86-HVM-cleanup-after-failed-viridian_vcpu_init.patch
  616e7cfe-x86-paging-restrict-paddr-width-reported.patch
  618289da-x86-shstk-fix-with-XPTI-active.patch
  619b7ac9-harden-assign_pages.patch
  619b8cb0-x86-PoD-misaligned-GFNs.patch
  619b8cb1-x86-PoD-intermediate-page-orders.patch
  619b8cb2-x86-P2M-set-partial-success.patch
- Drop xsa patches in favor of upstream versions
  xsa385.patch
  xsa388-1.patch
  xsa388-2.patch
  xsa389.patch
yast2
- do not strip surrounding white space in CDATA XML elements (bsc#1195910)
- 4.3.68
- do not strip trailing white space in XML elements (bsc#1195910)
- 4.3.67
yast2-add-on
- Restore the repo unexpanded URL to get it properly saved in
  the /etc/zypp/repos.d file (bsc#972046, bsc#1194851).
- 4.3.10
yast2-dhcp-server
- Fix DNS zone creation by fixing a maintained DNS zone check.
  Reported and fixed by Daniel Pätzold <obel1x@web.de>
  See github#yast/yast-dhcp-server#59.
- 4.3.2
- Fix URL in .spec file
zsh
- Added CVE-2019-20044.patch: fixes insecure dropping of privileges when
  unsetting PRIVILEGED option (CVE-2019-20044 bsc#1163882)
- Added CVE-2021-45444.patch: fixes a vulnerability in prompt expansion which
  could be exploited through e.g.  VCS_Info to execute arbitrary shell
  commands (CVE-2021-45444 bsc#1196435)
zypper
- Singletrans: handle fatal and non-fatal script errors properly.
- Add SingleTransReportReceiver.
- Immediately write out additional rpm output.
- BuildRequires:  libzypp-devel >= 17.29.0.
  Need SingleTransReport and immediate rpm script output reports.
- version 1.14.51