suse-sles-15-sp4-byos-v20260219-hvm-ssd-x86

curl

- Security fix: [bsc#1256105, CVE-2025-14017]
  * call ldap_init() before setting the options
  * Add patch curl-CVE-2025-14017.patch

- Security fixes:
  * [bsc#1255731, CVE-2025-14524] if redirected, require permission to use bearer
  * [bsc#1255734, CVE-2025-15224] require private key or user-agent for public key auth
  * [bsc#1255732, CVE-2025-14819] toggling CURLSSLOPT_NO_PARTIALCHAIN makes a different CA cache
  * [bsc#1255733, CVE-2025-15079] set both knownhosts options to the same file
  * Add patches:
  - curl-CVE-2025-14524.patch
  - curl-CVE-2025-15224.patch
  - curl-CVE-2025-14819.patch
  - curl-CVE-2025-15079.patch

glib2

- Add CVE fixes:
  + glib2-CVE-2026-1484.patch (bsc#1257355 CVE-2026-1484
    glgo#GNOME/glib!4979).
  + glib2-CVE-2026-1485.patch (bsc#1257354 CVE-2026-1485
    glgo#GNOME/glib!4981).
  + glib2-CVE-2026-1489.patch (bsc#1257353 CVE-2026-1489
    glgo#GNOME/glib!4984).

- Add glib2-CVE-2026-0988.patch: fix a potential integer overflow
  in g_buffered_input_stream_peek (bsc#1257049 CVE-2026-0988
  glgo#GNOME/glib#3851).

avahi

- Add avahi-CVE-2025-68276.patch:
  Backport 0c013e2 from upstream, refuse to create wide-area record
  browsers when wide-area is off.
  (CVE-2025-68276, bsc#1256498)

- Add avahi-CVE-2025-68471.patch:
  Backport 9c6eb53 from upstream, fix DoS bug by changing assert to
  return.
  (CVE-2025-68471, bsc#1256500)

- Add avahi-CVE-2025-68468.patch:
  Backport f66be13 from upstream, fix DoS bug by removing incorrect
  assertion.
  (CVE-2025-68468, bsc#1256499)

util-linux

- Fix heap buffer overread in setpwnam() when processing 256-byte
  usernames (bsc#1254666, CVE-2025-14104,
  util-linux-CVE-2025-14104-1.patch,
  util-linux-CVE-2025-14104-2.patch).

- lscpu: Add support for NVIDIA Olympus arm64 core (jsc#PED-13682,
  util-linux-lscpu-add-arm64-NVIDIA-Olympus.patch).

openssl-1_1

- Security fixes:
  * Missing ASN1_TYPE validation in PKCS#12 parsing
  * ASN1_TYPE Type Confusion in the PKCS7_digest_from_attributes() function
  - openssl-CVE-2026-22795.patch [bsc#1256839, CVE-2026-22795], [bsc#1256840, CVE-2026-22796]
  * Missing ASN1_TYPE validation in TS_RESP_verify_response() function
  - openssl-CVE-2025-69420.patch [bsc#1256837, CVE-2025-69420]
  * NULL Pointer Dereference in PKCS12_item_decrypt_d2i_ex function
  - openssl-CVE-2025-69421.patch [bsc#1256838, CVE-2025-69421]
  * Heap out-of-bounds write in BIO_f_linebuffer on short writes
  - openssl-CVE-2025-68160.patch [bsc#1256834, CVE-2025-68160]
  * Unauthenticated/unencrypted trailing bytes with low-level OCB function calls
  - openssl-CVE-2025-69418.patch [bsc#1256835, CVE-2025-69418]
  * Out of bounds write in PKCS12_get_friendlyname() UTF-8 conversion
  - openssl-CVE-2025-69419.patch [bsc#1256836, CVE-2025-69419]

libpcap

- Security fix: [bsc#1255765, CVE-2025-11961]
  * Fix out-of-bound-write and out-of-bound-read in pcap_ether_aton()
    due to missing validation of provided MAC-48 address string
  * Add libpcap-CVE-2025-11961.patch

python311

- Add CVE-2025-13836-http-resp-cont-len.patch (bsc#1254400,
  CVE-2025-13836) to prevent reading an HTTP response from
  a server, if no read amount is specified, with using
  Content-Length per default as the length.
- Add CVE-2025-12084-minidom-quad-search.patch prevent quadratic
  behavior in node ID cache clearing (CVE-2025-12084,
  bsc#1254997).
- Add CVE-2025-13837-plistlib-mailicious-length.patch protect
  against OOM when loading malicious content (CVE-2025-13837,
  bsc#1254401).

sqlite3

- Sync version 3.51.2 from Factory:
  * CVE-2025-7709, bsc#1254670: Integer Overflow in FTS5 Extension
  * bsc#1248586: Fix icu-enabled build.

python-certifi

- Add python36-certifi provides/obsoletes to enable SLE-12 ->
  SLE-15 migration, bsc#1233012

python-idna

- Add python36-idna provides/obsoletes to enable SLE-12 ->
  SLE-15 migration, bsc#1233012

python-packaging

- Add python36-packaging provides/obsoletes to enable SLE-12 ->
  SLE-15 migration, bsc#1233012

python-ply

- Add python36-ply provides/obsoletes to enable SLE-12 ->
  SLE-15 migration, bsc#1233012

python-pycparser

- Add python36-pycparser provides/obsoletes to enable SLE-12 ->
  SLE-15 migration, bsc#1233012

python-py

- Add python36-py provides/obsoletes to enable SLE-12 ->
  SLE-15 migration, bsc#1233012

python-requests

- Add python36- provides/obsoletes to enable SLE-12 ->
  SLE-15 migration, bsc#1233012

python-six

- Add python36-six provides/obsoletes to enable SLE-12 ->
  SLE-15 migration, bsc#1233012

000release-packages:sle-module-basesystem-release

n/a

000release-packages:sle-module-containers-release

n/a

000release-packages:sle-module-desktop-applications-release

n/a

000release-packages:sle-module-development-tools-release

n/a

000release-packages:sle-module-public-cloud-release

n/a

000release-packages:sle-module-server-applications-release

n/a

supportutils

- scplugin.rc is restored in package 3.2.12.1 for continued compatibility.
  There is no furture development for scplugin.rc. Use supportconfig.rc.
  Package version 3.2.12.2 does not have scplugin.rc. Supportconfig
  itself is the same for both versions. (bsc#1256709)

- Changes to version 3.2.12
  + Optimized lsof usage and honors OPTION_OFILES (bsc#1232351, PR#274)
  + Run in containers without errors (bsc#1245667, PR#272)
  + Removed pmap PID from memory.txt (bsc#1246011, PR#263)
  + Added missing /proc/pagetypeinfo to memory.txt (bsc#1246025, PR#264)
  + Improved database perforce with kGraft patching (bsc#1249657, PR#273)
  + Using last boot for journalctl for optimization (bsc#1250224, PR#287)
  + Fixed extraction failures (bsc#1252318, PR#275)
  + Update supportconfig.conf path in docs (bsc#1254425, PR#281)
  + drm_sub_info: Catch error when dir doesn't exist (PR#265)
  + Replace remaining `egrep` with `grep -E` (PR#261, PR#266)
  + Add process affinity to slert logs (PR#269)
  + Reintroduce cgroup statistics (and v2) (PR#270)
  + Minor changes to basic-health-check: improve information level (PR#271)
  + Collect important machine health counters (PR#276)
  + powerpc: collect hot-pluggable PCI and PHB slots (PR#278)
  + podman: collect podman disk usage (PR#279)
  + Exclude binary files in crondir (PR#282)
  + kexec/kdump: collect everything under /sys/kernel/kexec dir (PR#284)
  + Use short-iso for journalctl (PR#288)

- Changes to version 3.2.11
  + Collect rsyslog frule files (bsc#1244003, pr#257)
  + Remove proxy passwords (bsc#1244011, pr#257)
  + Missing NetworkManager information (bsc#1241284, pr#257)
  + Include agama logs bsc#1244937, pr#256)
  + Additional NFS conf files (pr#253)
  + New fadump sysfs files (pr#252)
  + Fixed change log dates

util-linux-systemd

- Fix heap buffer overread in setpwnam() when processing 256-byte
  usernames (bsc#1254666, CVE-2025-14104,
  util-linux-CVE-2025-14104-1.patch,
  util-linux-CVE-2025-14104-2.patch).

- lscpu: Add support for NVIDIA Olympus arm64 core (jsc#PED-13682,
  util-linux-lscpu-add-arm64-NVIDIA-Olympus.patch).

xen

- bsc#1256745 - VUL-0: CVE-2025-58150: xen: x86: buffer overrun
  with shadow paging + tracing (XSA-477)
  xsa477.patch
- bsc#1256747 - VUL-0: CVE-2026-23553: xen: x86: incomplete IBPB
  for vCPU isolation (XSA-479)
  xsa479.patch

- bsc#1254180 - [SLES][15-SP7][x86_64][Build41647] virtxend service
  restart. Caused by a failure to start xenstored.
  x86-have-.note.Xen-segment-contents-before-others.patch

- bsc#1252692 - VUL-0: CVE-2025-58149: xen: incorrect removal of
  permissions on PCI device unplug allows PV guests to access
  memory of devices no longer assigned to it (XSA-476)
  xsa476.patch