aaa_base
- modify git-47-04210f8df15da0ba4d741cfe1693af06f5978a1d.patch
  to also fix the typo to set JAVA_BINDIR in the csh variant
  of the alljava profile script (bsc#1221361)

- modify git-47-04210f8df15da0ba4d741cfe1693af06f5978a1d.patch
  drop the stderr redirection for csh (bsc#1221361)
- add git-49-3f8f26123d91f70c644677a323134fc79318c818.patch
  drop sysctl.d/50-default-s390.conf (bsc#1211721)
- add aaa_base-preinstall.patch
  make sure the script does not exit with 1 if a file
  with content is found (bsc#1222547)

- add patch git-48-477bc3c05fcdabf9319e84278a1cba2c12c9ed5a.patch
  home and end button not working from ssh client (bsc#1221407)
- use autosetup in prep stage of specfile

- silence the output in the case of broken symlinks (bsc#1218232)
audit-secondary
- Fix plugin termination when using systemd service units (bsc#1215377)
  * add auditd.service-fix-plugin-termination.patch
ca-certificates
- Update to version 2+git20240416.98ae794 (bsc#1221184):
  * Use flock to serialize calls (boo#1188500)
  * Make certbundle.run container friendly
  * Create /var/lib/ca-certificates if needed
catatonit
- Update to catatonit v0.2.0.
  * Change license to GPL-2.0-or-later.
- Remove upstreamed patches:
  - 99bb9048f.patch
cloud-init
- Add cloud-init-no-nmcfg-needed.patch (bsc#1221726)
  + Do not require a NetworkManager config file in order to detect
    NetworkManager as the renderer

- Add cloud-init-no-openstack-guess.patch (bsc#1222113)
  + Do not guess if we are running on OpenStack or not. Only recognize
    the known markers and enable cloud-init if we know for sure.

- Add  cloud-init-ds-deterministic.patch (bsc#1221132)
  + Do not guess a data source when checking for a CloudStack
    environment

- Hardcode distribution to suse for proper cloud.cfg generation
  (bsc#1220132).

- Prepare for RPM 4.20 switch patch syntax
coreutils
- ls: avoid triggering automounts (bsc#1221632)
  - add coreutils-ls-avoid-triggering-automounts.patch

- tail: fix tailing sysfs files where PAGE_SIZE > BUFSIZ (bsc#1219321)
  - add coreutils-tail-fix-tailing-sysfs-files-where-PAGE_SIZE-BUFSIZ.patch
cups
- cups-2.2.7-CVE-2024-35235.patch is derived
  from the upstream patch against master (CUPS 2.5)
  to behave backward compatible for CUPS 2.2.7
  in SLE15 and openSUSE Leap 15 to fix CVE-2024-35235
  "cupsd Listen port arbitrary chmod 0140777"
  without the more secure but backward-incompatible behaviour
  of the upstream patch for CUPS 2.5
  that ignores domain sockets specified in 'Listen' entries
  in /etc/cups/cupsd.conf when cupsd is lauched via systemd
  (in particular when launched on-demand by systemd)
  https://github.com/OpenPrinting/cups/security/advisories/GHSA-vvwp-mv6j-hw6f
  bsc#1225365

- cups-2.2.7-web-ui-kerberos-authentication.patch, update
  patch to handle local 'Negotiate' authentication response
  for cli clients. (bsc#1223179).

- Remove '--enable-debug-printfs' from configure options, see
  https://github.com/OpenPrinting/cups/issues/875
  (bsc#1217119).
curl
- Security fix: [bsc#1221665, CVE-2024-2004]
  * Usage of disabled protocol
  * Add curl-CVE-2024-2004.patch

- Security fix: [bsc#1221667, CVE-2024-2398]
  * curl: HTTP/2 push headers memory-leak
  * Add curl-CVE-2024-2398.patch
docker
- Add patch to fix bsc#1220339
  * 0007-daemon-overlay2-remove-world-writable-permission-fro.patch
- rebase patches:
  * 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
  * 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
  * 0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch
  * 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
  * 0005-SLE12-revert-apparmor-remove-version-conditionals-fr.patch
  * 0006-Vendor-in-latest-buildkit-v0.11-branch-including-CVE.patch

- Allow to disable apparmor support (ALP supports only SELinux)
e2fsprogs
EA Inode handling fixes:
- ext2fs-avoid-re-reading-inode-multiple-times.patch: ext2fs: avoid re-reading
  inode multiple times (bsc#1223596)
- e2fsck-fix-potential-out-of-bounds-read-in-inc_ea_in.patch: e2fsck: fix
  potential out-of-bounds read in inc_ea_inode_refs() (bsc#1223596)
- e2fsck-add-more-checks-for-ea-inode-consistency.patch: e2fsck: add more
  checks for ea inode consistency (bsc#1223596)
- e2fsck-fix-golden-output-of-several-tests.patch: e2fsck: fix golden output of
  several tests (bsc#1223596)
glibc
- nscd-netgroup-cache-timeout.patch: Use time_t for return type of
  addgetnetgrentX (CVE-2024-33602, bsc#1223425)

- ulp-prologue-into-asm-functions.patch: Avoid creating ULP prologue
  for _start routine (bsc#1221940)

- glibc-CVE-2024-33599-nscd-Stack-based-buffer-overflow-in-n.patch:
  nscd: Stack-based buffer overflow in netgroup cache
  (CVE-2024-33599, bsc#1223423, BZ #31677)
- glibc-CVE-2024-33600-nscd-Avoid-null-pointer-crashes-after.patch:
  nscd: Avoid null pointer crashes after notfound response
  (CVE-2024-33600, bsc#1223424, BZ #31678)
- glibc-CVE-2024-33600-nscd-Do-not-send-missing-not-found-re.patch:
  nscd: Do not send missing not-found response in addgetnetgrentX
  (CVE-2024-33600, bsc#1223424, BZ #31678)
- glibc-CVE-2024-33601-CVE-2024-33602-nscd-netgroup-Use-two.patch:
  netgroup: Use two buffers in addgetnetgrentX (CVE-2024-33601,
  CVE-2024-33602, bsc#1223425, BZ #31680)

- iconv-iso-2022-cn-ext.patch: iconv: ISO-2022-CN-EXT: fix out-of-bound
  writes when writing escape sequence (CVE-2024-2961, bsc#1222992)

- duplocale-global-locale.patch: duplocale: protect use of global locale
  (bsc#1220441, BZ #23970)

- qsort-invalid-cmp.patch: qsort: handle degenerated compare function
  (bsc#1218866)

- getaddrinfo-eai-memory.patch: getaddrinfo: translate ENOMEM to
  EAI_MEMORY (bsc#1217589, BZ #31163)

- aarch64-rawmemchr-unwind.patch: aarch64: correct CFI in rawmemchr
  (bsc#1217445, BZ #31113)
hwdata
- update to 0.380:
  * Update pci, usb and vendor ids

- update to 0.379:
  * Update pci, usb and vendor ids
iputils
- Backport proposed fix for regression in upstream commit 4db1de6 (bsc#1224877)
  0002-arping-Fix-unsolicited-ARP-regressions-on-c-1.patch

- Backport upstream fix for bsc#1224877
  4db1de6 ("arping: Fix 1s delay on exit for unsolicited arpings")
  0001-arping-Fix-1s-delay-on-exit-for-unsolicited-arpings.patch
kernel-default
- pstore: inode: Only d_invalidate() is needed (bsc#1223705
  CVE-2024-27389).
- commit bbe965a

- media: edia: dvbdev: fix a use-after-free (CVE-2024-27043
  bsc#1223824).
- commit e3d9ce5

- Update
  patches.suse/ext4-fix-bug-in-extents-parsing-when-eh_entries-0-an.patch
  (bsc#1206881 bsc#1223475 CVE-2022-48631).
- commit 718df1c

- md/raid5: fix atomicity violation in raid5_cache_count
  (bsc#1219169, CVE-2024-23307).
- commit d2d22f0

- kABI workaround for cec_adapter (CVE-2024-23848 bsc#1219104).
- media: cec: core: avoid confusing "transmit timed out" message
  (CVE-2024-23848 bsc#1219104).
- media: cec: core: avoid recursive cec_claim_log_addrs
  (CVE-2024-23848 bsc#1219104).
- media: cec: cec-api: add locking in cec_release()
  (CVE-2024-23848 bsc#1219104).
- media: cec: cec-adap: always cancel work in cec_transmit_msg_fh
  (CVE-2024-23848 bsc#1219104).
- commit 5f84bce

- media: cec: abort if the current transmit was canceled
  (CVE-2024-23848 bsc#1219104).
- commit f23b730

- Update
  patches.suse/gpio-mockup-fix-NULL-pointer-dereference-when-removi.patch
  (git-fixes CVE-2022-48663 bsc#1223523).
- commit fb50f4d

- Update
  patches.suse/cgroup-cgroup_get_from_id-must-check-the-looked-up-kn-is-a-directory.patch
  (bsc#1203906 CVE-2022-48638 bsc#1223522).
- commit 1b1d545

- Update
  patches.suse/sfc-fix-TX-channel-offset-when-using-legacy-interrup.patch
  (git-fixes CVE-2022-48647 bsc#1223519).
- commit 2df3009

- Update
  patches.suse/smb3-fix-temporary-data-corruption-in-insert-range.patch
  (bsc#1193629 CVE-2022-48667 bsc#1223518).
- commit 2544640

- Update
  patches.suse/bnxt-prevent-skb-UAF-after-handing-over-to-PTP-worke.patch
  (jsc#SLE-18978 CVE-2022-48637 bsc#1223517).
- commit 8af9f52

- Update
  patches.suse/smb3-fix-temporary-data-corruption-in-collapse-range.patch
  (bsc#1193629 CVE-2022-48668 bsc#1223516).
- commit ea57df6

- drm/i915/gem: Really move i915_gem_context.link under ref
  protection (CVE-2022-48662 bsc#1223505).
- commit 1ea0422

- Update
  patches.suse/scsi-qla2xxx-Fix-memory-leak-in-__qlt_24xx_handle_ab.patch
  (bsc#1203935 CVE-2022-48650 bsc#1223509).
- commit ecd523c

- Update
  patches.suse/sfc-fix-null-pointer-dereference-in-efx_hard_start_x.patch
  (git-fixes CVE-2022-48648 bsc#1223503).
- commit 2cd307a

- Update
  patches.suse/gpiolib-cdev-Set-lineevent_state-irq-after-IRQ-regis.patch
  (git-fixes CVE-2022-48660 bsc#1223487).
- commit 30d7811

- Update
  patches.suse/arm64-topology-fix-possible-overflow-in-amu_fie_setu.patch
  (git-fixes CVE-2022-48657 bsc#1223484).
- commit d7e1659

- Update
  patches.suse/netfilter-nfnetlink_osf-fix-possible-bogus-match-in-.patch
  (bsc#1204614 CVE-2022-48654 bsc#1223482).
- commit a8a2952

- Update
  patches.suse/dmaengine-ti-k3-udma-private-Fix-refcount-leak-bug-i.patch
  (git-fixes CVE-2022-48656 bsc#1223479).
- commit 90546f3

- Update
  patches.suse/ice-Don-t-double-unplug-aux-on-peer-initiated-reset.patch
  (git-fixes CVE-2022-48653 bsc#1223474).
- commit dba84ad

- ipvlan: Fix out-of-bound bugs caused by unset skb->mac_header
  (bsc#1223513 CVE-2022-48651).
- commit c96a663

- Update patches.suse/firmware-arm_scmi-Harden-accesses-to-the-reset-domai.patch (git-fixes CVE-2022-48655 bsc#1223477)
- commit 2dabafb

- Call flush_delayed_fput() from nfsd main-loop (bsc#1223380).
- commit 18e662b

- Update
  patches.suse/spi-spi-zynqmp-gqspi-Handle-error-for-dma_set_mask.patch
  (git-fixes CVE-2021-47047 bsc#1220761).
- commit 1f6461d

- crypto: lib/mpi - Fix unexpected pointer access in mpi_ec_init
  (CVE-2023-52616 bsc#1221612).
- commit 6fa74bc

- x86/boot: Ignore relocations in .notes sections in walk_relocs() too (bsc#1222624 CVE-2024-26816).
- commit 9c9dbbd

- x86, relocs: Ignore relocations in .notes section (bsc#1222624 CVE-2024-26816).
- commit 9bcfc48

- Update
  patches.suse/aoe-fix-the-potential-use-after-free-problem-in-aoec.patch
  (bsc#1218562 CVE-2023-6270 CVE-2024-26898 bsc#1223016).
- commit 5a56f33

- Update
  patches.suse/Bluetooth-rfcomm-Fix-null-ptr-deref-in-rfcomm_check_.patch
  (bsc#1219170 CVE-2024-22099 CVE-2024-26903 bsc#1223187).
- commit 1a4ee0a

- Update
  patches.suse/0001-fs-hugetlb-fix-NULL-pointer-dereference-in-hugetlbs_.patch
  (bsc#1219264 CVE-2024-0841 CVE-2024-26688 bsc#1222482).
- Update
  patches.suse/btrfs-fix-double-free-of-anonymous-device-after-snap.patch
  (bsc#1219126 CVE-2024-23850 CVE-2024-26792 bsc#1222430).
- Update
  patches.suse/net-sched-act_mirred-don-t-override-retval-if-we-alr.patch
  (CVE-2024-26733 bsc#1222585 CVE-2024-26739 bsc#1222559).
- commit ac0df3e

- Update
  patches.suse/ALSA-gus-fix-null-pointer-dereference-on-pointer-blo.patch
  (git-fixes CVE-2021-47207 bsc#1222790).
- Update
  patches.suse/ALSA-usb-audio-fix-null-pointer-dereference-on-point.patch
  (bsc#1192354 CVE-2021-47211 bsc#1222869).
- Update
  patches.suse/RDMA-core-Set-send-and-receive-CQ-before-forwarding-.patch
  (jsc#SLE-19249 CVE-2021-47196 bsc#1222773).
- Update
  patches.suse/arm64-dts-qcom-msm8998-Fix-CPU-L2-idle-state-latency.patch
  (git-fixes CVE-2021-47187 bsc#1222703).
- Update
  patches.suse/cfg80211-call-cfg80211_stop_ap-when-switch-from-P2P_.patch
  (git-fixes CVE-2021-47194 bsc#1222829).
- Update
  patches.suse/clk-sunxi-ng-Unregister-clocks-resets-when-unbinding.patch
  (git-fixes CVE-2021-47205 bsc#1222888).
- Update
  patches.suse/drm-prime-Fix-use-after-free-in-mmap-with-drm_gem_tt.patch
  (git-fixes CVE-2021-47200 bsc#1222838).
- Update
  patches.suse/i40e-Fix-NULL-ptr-dereference-on-VSI-filter-sync.patch
  (jsc#SLE-18378 CVE-2021-47184 bsc#1222666).
- Update
  patches.suse/iavf-free-q_vectors-before-queues-in-iavf_disable_vf.patch
  (jsc#SLE-18385 CVE-2021-47201 bsc#1222792).
- Update
  patches.suse/msft-hv-2480-x86-hyperv-Fix-NULL-deref-in-set_hv_tscchange_cb-if-.patch
  (git-fixes CVE-2021-47217 bsc#1222836).
- Update
  patches.suse/net-dpaa2-eth-fix-use-after-free-in-dpaa2_eth_remove.patch
  (git-fixes CVE-2021-47204 bsc#1222787).
- Update
  patches.suse/net-mlx5-Update-error-handler-for-UCTX-and-UMEM.patch
  (jsc#SLE-19253 CVE-2021-47212 bsc#1222709).
- Update
  patches.suse/net-mlx5e-CT-Fix-multiple-allocations-and-memleak-of.patch
  (jsc#SLE-19253 CVE-2021-47199 bsc#1222785).
- Update
  patches.suse/net-mlx5e-kTLS-Fix-crash-in-RX-resync-flow.patch
  (jsc#SLE-19253 CVE-2021-47215 bsc#1222704).
- Update
  patches.suse/net-mlx5e-nullify-cq-dbg-pointer-in-mlx5_debug_cq_re.patch
  (jsc#SLE-19253 CVE-2021-47197 bsc#1222776).
- Update
  patches.suse/sched-fair-Prevent-dead-task-groups-from-regaining-cfs_rq-s.patch
  (bsc#1192837 CVE-2021-47209 bsc#1222796).
- Update patches.suse/scsi-advansys-Fix-kernel-pointer-leak.patch
  (git-fixes CVE-2021-47216 bsc#1222876).
- Update
  patches.suse/scsi-core-sysfs-Fix-hang-when-device-state-is-set-via-sysfs
  (git-fixes CVE-2021-47192 bsc#1222867).
- Update
  patches.suse/scsi-lpfc-Fix-list_add-corruption-in-lpfc_drain_txq.patch
  (bsc#1190576 CVE-2021-47203 bsc#1222881).
- Update
  patches.suse/scsi-lpfc-Fix-use-after-free-in-lpfc_unreg_rpi-routi.patch
  (bsc#1192145 CVE-2021-47198 bsc#1222883).
- Update
  patches.suse/scsi-pm80xx-Fix-memory-leak-during-rmmod.patch
  (git-fixes CVE-2021-47193 bsc#1222879).
- Update
  patches.suse/scsi-scsi_debug-Fix-out-of-bound-read-in-resp_readcap16.patch
  (git-fixes CVE-2021-47191 bsc#1222866).
- Update
  patches.suse/scsi-scsi_debug-Fix-out-of-bound-read-in-resp_report_tgtpgs.patch
  (git-fixes CVE-2021-47219 bsc#1222824).
- Update patches.suse/scsi-ufs-core-Improve-SCSI-abort-handling
  (git-fixes CVE-2021-47188 bsc#1222671).
- Update
  patches.suse/selinux-fix-NULL-pointer-dereference-when-hashtab-al.patch
  (git-fixes CVE-2021-47218 bsc#1222791).
- Update
  patches.suse/thermal-Fix-NULL-pointer-dereferences-in-of_thermal_.patch
  (stable-5.14.21 CVE-2021-47202 bsc#1222878).
- Update
  patches.suse/tty-tty_buffer-Fix-the-softlockup-issue-in-flush_to_.patch
  (git-fixes CVE-2021-47185 bsc#1222669).
- Update
  patches.suse/usb-host-ohci-tmio-check-return-value-after-calling-.patch
  (git-fixes CVE-2021-47206 bsc#1222894).
- Update
  patches.suse/usb-typec-tipd-Remove-WARN_ON-in-tps6598x_block_read.patch
  (git-fixes CVE-2021-47210 bsc#1222901).
- commit 48b69db

- wifi: iwlwifi: fix a memory corruption (CVE-2024-26610
  bsc#1221299).
- commit e7967c5

- xen/events: close evtchn after mapping cleanup (CVE-2024-26687,
  bsc#1222435).
- commit eb41ab9

- Update patches.suse/arp-Prevent-overflow-in-arp_req_get.patch
- fix build warning
- commit b98055d

- ext4: regenerate buddy after block freeing failed if under fc
  replay (bsc#1220342 CVE-2024-26601).
- commit c12e20f

- blacklist.conf: Blacklist 83e80a6e3543f3
- commit 62a580e

- fs/aio: Check IOCB_AIO_RW before the struct aio_kiocb conversion
  (bsc#1222721 CVE-2024-26764).
- commit b81d662

- fs/aio: Restrict kiocb_set_cancel_fn() to I/O submitted via
  libaio (bsc#1222721 CVE-2024-26764).
- commit 6f0ed6e

- ext4: avoid allocating blocks from corrupted group in
  ext4_mb_try_best_found() (bsc#1222618 CVE-2024-26773).
- commit 821043d

- Update patches.suse/thermal-Fix-NULL-pointer-dereferences-in-of_thermal_.patch (stable-5.14.21 CVE-2021-47202 bsc#1222878)
- commit 9b2ed28

- Update references in
  patches.suse/ocfs2-Avoid-touching-renamed-directory-if-parent-doe.patch
  (bsc#1221044 bsc#1221088 CVE-2023-52591 CVE-2023-52590).
- commit 6a6852e

- Update patches.suse/spi-fix-use-after-free-of-the-add_lock-mutex.patch (git-fixes CVE-2021-47195 bsc#1222832)
- commit e8d48f1

- IB/hfi1: Fix sdma.h tx->num_descs off-by-one error (bsc#1222726 CVE-2024-26766)
- commit dc4bba0

- scsi: Update max_hw_sectors on rescan (bsc#1216223).
- ibmvfc: make 'max_sectors' a module option (bsc#1216223).
- commit af79c3f

- md/raid5: fix atomicity violation in raid5_cache_count
  (bsc#1219169, CVE-2024-23307).
- commit 7709383

- Update
  patches.suse/btrfs-fix-memory-ordering-between-normal-and-ordered-work-functions.patch
  (git-fixes CVE-2021-47189 bsc#1222706).
- commit 95bc72d

- Update
  patches.suse/tty-tty_buffer-Fix-the-softlockup-issue-in-flush_to_.patch
  (git-fixes CVE-2021-47185).
- commit de9e1db

- Update
  patches.suse/scsi-lpfc-Fix-link-down-processing-to-address-NULL-p.patch
  (bsc#1192145 CVE-2021-47183 bsc#1222664).
- commit 720685d

- Update
  patches.suse/scsi-core-Fix-scsi_mode_sense-buffer-length-handling.patch
  (git-fixes CVE-2021-47182 bsc#1222662).
- commit 641c737

- Update
  patches.suse/usb-musb-tusb6010-check-return-value-after-calling-p.patch
  (git-fixes CVE-2021-47181 bsc#1222660).
- commit 27da195

- ceph: prevent use-after-free in encode_cap_msg() (CVE-2024-26689
  bsc#1222503).
- commit c307f9b

- tty: n_gsm: require CAP_NET_ADMIN to attach N_GSM0710 ldisc
  (bsc#1222619).
- commit 900d642

- arp: Prevent overflow in arp_req_get() (CVE-2024-26733
  bsc#1222585).
- commit aed9764

- net/sched: act_mirred: don't override retval if we already
  lost the skb (CVE-2024-26733 bsc#1222585).
- commit 57213f3

- Update
  patches.suse/btrfs-do-not-ASSERT-if-the-newly-created-subvolume-a.patch
  (bsc#1219126 CVE-2024-23850 CVE-2024-26727 bsc#1222536).
- commit 9619dfe

- ext4: fix double-free of blocks due to wrong extents moved_len
  (bsc#1222422 CVE-2024-26704).
- commit 4e96ad3

- fs,hugetlb: fix NULL pointer dereference in hugetlbs_fill_super
  (bsc#1219264 CVE-2024-0841).
- commit aa8204a

- nfsd: Fix error cleanup path in nfsd_rename() (bsc#1221044
  CVE-2023-52591).
- commit a849be1

- scsi: pm80xx: Avoid leaking tags when processing
  OPC_INB_SET_CONTROLLER_CONFIG command (bsc#1220883
  cve-2023-52500).
- commit fc88013

- Update
  patches.suse/netfilter-nftables-exthdr-fix-4-byte-stack-OOB-write.patch
  (CVE-2023-4881 bsc#1215221 CVE-2023-52628 bsc#1222117).
- commit fd3aabc

- selinux: saner handling of policy reloads (bsc#1222230 bsc#1221044
  CVE-2023-52591).
- commit 66a189d

- bpf, sockmap: Prevent lock inversion deadlock in map delete elem
  (bsc#1209657 CVE-2023-0160).
- commit 989b8c6

- blacklist.conf: omit reverted sockmap deadlock fix
- commit 397323e

- x86/sev: Harden #VC instruction emulation somewhat (CVE-2024-25742 bsc#1221725).
- commit 2e3eba1

- netfilter: nf_tables: disallow anonymous set with timeout flag
  (CVE-2024-26642 bsc#1221830).
- commit 02a907f

- netfilter: ctnetlink: fix possible refcount leak in
  ctnetlink_create_conntrack() (CVE-2023-7192 bsc#1218479).
- commit 0b47032

- README.BRANCH: Remove copy of branch name
- commit 4834fba

- README.BRANCH: Remove copy of branch name
- commit 704bda3

- ipv6: init the accept_queue's spinlocks in inet6_create
  (bsc#1221293 CVE-2024-26614).
- commit 0ab8c0f

- tcp: make sure init the accept_queue's spinlocks once
  (bsc#1221293 CVE-2024-26614).
- commit 943f002

- powerpc/mm: Fix null-pointer dereference in pgtable_cache_add
  (CVE-2023-52607 bsc#1221061).
- commit 36feafa

- Update
  patches.suse/HID-intel-ish-hid-ipc-Disable-and-reenable-ACPI-GPE-.patch
  (git-fixes CVE-2023-52519 bsc#1220920).
- Update
  patches.suse/HID-sony-Fix-a-potential-memory-leak-in-sony_probe.patch
  (git-fixes CVE-2023-52529 bsc#1220929).
- Update
  patches.suse/IB-hfi1-Fix-bugs-with-non-PAGE_SIZE-end-multi-iovec-.patch
  (git-fixes CVE-2023-52474 bsc#1220445).
- Update
  patches.suse/RDMA-siw-Fix-connection-failure-handling.patch
  (git-fixes CVE-2023-52513 bsc#1221022).
- Update
  patches.suse/RDMA-srp-Do-not-call-scsi_done-from-srp_abort.patch
  (git-fixes CVE-2023-52515 bsc#1221048).
- Update
  patches.suse/Revert-tty-n_gsm-fix-UAF-in-gsm_cleanup_mux.patch
  (git-fixes CVE-2023-52564 bsc#1220938).
- Update
  patches.suse/bpf-Check-rcu_read_lock_trace_held-before-calling-bp.patch
  (bsc#1220251 CVE-2023-52447 CVE-2023-52621 bsc#1222073).
- Update
  patches.suse/ieee802154-ca8210-Fix-a-potential-UAF-in-ca8210_prob.patch
  (git-fixes CVE-2023-52510 bsc#1220898).
- Update
  patches.suse/net-nfc-llcp-Add-lock-when-modifying-device-list.patch
  (git-fixes CVE-2023-52524 bsc#1220927).
- Update
  patches.suse/net-usb-smsc75xx-Fix-uninit-value-access-in-__smsc75.patch
  (git-fixes CVE-2023-52528 bsc#1220843).
- Update
  patches.suse/nfc-nci-assert-requested-protocol-is-valid.patch
  (git-fixes CVE-2023-52507 bsc#1220833).
- Update
  patches.suse/nilfs2-fix-potential-use-after-free-in-nilfs_gccache.patch
  (git-fixes CVE-2023-52566 bsc#1220940).
- Update
  patches.suse/nvme-fc-Prevent-null-pointer-dereference-in-nvme_fc_.patch
  (bsc#1214842 CVE-2023-52508 bsc#1221015).
- Update
  patches.suse/nvmet-tcp-Fix-a-kernel-panic-when-host-sends-an-inva.patch
  (bsc#1217987 bsc#1217988 bsc#1217989 CVE-2023-6535 CVE-2023-6536
  CVE-2023-6356 CVE-2023-52454 bsc#1220320).
- Update
  patches.suse/platform-x86-think-lmi-Fix-reference-leak.patch
  (git-fixes CVE-2023-52520 bsc#1220921).
- Update
  patches.suse/ravb-Fix-use-after-free-issue-in-ravb_tx_timeout_wor.patch
  (bsc#1212514 CVE-2023-35827 CVE-2023-52509 bsc#1220836).
- Update
  patches.suse/ring-buffer-Do-not-attempt-to-read-past-commit.patch
  (git-fixes CVE-2023-52501 bsc#1220885).
- Update
  patches.suse/serial-8250_port-Check-IRQ-data-before-use.patch
  (git-fixes CVE-2023-52567 bsc#1220839).
- Update
  patches.suse/spi-sun6i-fix-race-between-DMA-RX-transfer-completio.patch
  (git-fixes CVE-2023-52517 bsc#1221055).
- Update
  patches.suse/spi-sun6i-reduce-DMA-RX-transfer-width-to-single-byt.patch
  (git-fixes CVE-2023-52511 bsc#1221012).
- Update
  patches.suse/wifi-mwifiex-Fix-oob-check-condition-in-mwifiex_proc.patch
  (git-fixes CVE-2023-52525 bsc#1220840).
- Update
  patches.suse/x86-alternatives-disable-kasan-in-apply_alternatives.patch
  (git-fixes CVE-2023-52504 bsc#1221553).
- Update
  patches.suse/x86-srso-fix-sbpb-enablement-for-spec_rstack_overflow-off.patch
  (git-fixes CVE-2023-52575 bsc#1220871).
- commit 5f353b0

- Update patches.suse/0001-mmc-moxart_remove-Fix-UAF.patch
  (bsc#1194516 CVE-2022-0487 CVE-2022-48626 bsc#1220366).
- Update
  patches.suse/crypto-qcom-rng-ensure-buffer-for-generate-is-comple.patch
  (git-fixes CVE-2022-48629 bsc#1220989).
- Update
  patches.suse/crypto-qcom-rng-fix-infinite-loop-on-requests-not-mu.patch
  (git-fixes CVE-2022-48630 bsc#1220990).
- commit f8cf886

- Update
  patches.suse/ALSA-hda-intel-sdw-acpi-harden-detection-of-controll.patch
  (git-fixes CVE-2021-46926 bsc#1220478).
- Update
  patches.suse/ALSA-rawmidi-fix-the-uninitalized-user_pversion.patch
  (git-fixes CVE-2021-47096 bsc#1220981).
- Update
  patches.suse/IB-qib-Fix-memory-leak-in-qib_user_sdma_queue_pkts.patch
  (git-fixes CVE-2021-47104 bsc#1220960).
- Update
  patches.suse/Input-elantech-fix-stack-out-of-bound-access-in-elan.patch
  (git-fixes CVE-2021-47097 bsc#1220982).
- Update
  patches.suse/KVM-x86-mmu-Don-t-advance-iterator-after-restart-due.patch
  (git-fixes CVE-2021-47094 bsc#1221551).
- Update patches.suse/NFSD-Fix-READDIR-buffer-overflow.patch
  (git-fixes bsc#1196346 CVE-2021-47107 bsc#1220965).
- Update
  patches.suse/asix-fix-uninit-value-in-asix_mdio_read.patch
  (git-fixes CVE-2021-47101 bsc#1220987).
- Update
  patches.suse/drm-mediatek-hdmi-Perform-NULL-pointer-check-for-mtk.patch
  (git-fixes CVE-2021-47108 bsc#1220986).
- Update
  patches.suse/hwmon-lm90-Prevent-integer-overflow-underflow-in-hys.patch
  (git-fixes CVE-2021-47098 bsc#1220983).
- Update
  patches.suse/ipmi-Fix-UAF-when-uninstall-ipmi_si-and-ipmi_msghand.patch
  (git-fixes CVE-2021-47100 bsc#1220985).
- Update
  patches.suse/ipmi-ssif-initialize-ssif_info-client-early.patch
  (bsc#1193490 CVE-2021-47095 bsc#1220979).
- Update
  patches.suse/mac80211-fix-locking-in-ieee80211_start_ap-error-pat.patch
  (git-fixes CVE-2021-47091 bsc#1220959).
- Update
  patches.suse/net-fix-use-after-free-in-tw_timer_handler.patch
  (bsc#1217195 CVE-2021-46936 bsc#1220439).
- Update
  patches.suse/net-marvell-prestera-fix-incorrect-structure-access.patch
  (git-fixes CVE-2021-47102 bsc#1221009).
- Update
  patches.suse/net-smc-fix-kernel-panic-caused-by-race-of-smc_sock
  (git-fixes CVE-2021-46925 bsc#1220466).
- Update
  patches.suse/nitro_enclaves-Use-get_user_pages_unlocked-call-to-handle-mmap-assert.patch
  (git fixes (mm/gup) CVE-2021-46927 bsc#1220443).
- Update
  patches.suse/platform-x86-intel_pmc_core-fix-memleak-on-registrat.patch
  (git-fixes CVE-2021-47093 bsc#1220978).
- Update patches.suse/sctp-use-call_rcu-to-free-endpoint.patch
  (CVE-2022-20154 bsc#1200599 CVE-2021-46929 bsc#1220482).
- Update patches.suse/tee-optee-Fix-incorrect-page-free-bug.patch
  (jsc#SLE-21844 CVE-2021-47087 bsc#1220954).
- Update
  patches.suse/tun-avoid-double-free-in-tun_free_netdev.patch
  (bsc#1209635 CVE-2022-4744 git-fixes CVE-2021-47082
  bsc#1220969).
- Update
  patches.suse/usb-gadget-f_fs-Clear-ffs_eventfd-in-ffs_data_clear.patch
  (git-fixes CVE-2021-46933 bsc#1220487).
- Update patches.suse/usb-mtu3-fix-list_head-check-warning.patch
  (git-fixes CVE-2021-46930 bsc#1220484).
- Update
  patches.suse/veth-ensure-skb-entering-GRO-are-not-cloned.patch
  (git-fixes CVE-2021-47099 bsc#1220955).
- commit b15f74e

- wifi: ath10k: fix NULL pointer dereference in
  ath10k_wmi_tlv_op_pull_mgmt_tx_compl_ev() (bsc#1218336
  CVE-2023-7042).
- commit 1784f9f

- x86/sev: Harden #VC instruction emulation somewhat (CVE-2024-25742 bsc#1221725).
- commit 02ed75a

- dmaengine: fix NULL pointer in channel unregistration function (bsc#1221276 CVE-2023-52492)
- commit f21c2ab

- Bluetooth: rfcomm: Fix null-ptr-deref in rfcomm_check_security
  (bsc#1219170 CVE-2024-22099).
- commit ece27a6

- perf/x86/lbr: Filter vsyscall addresses (bsc#1220703,
  CVE-2023-52476).
- commit c52b506

- fs: introduce lock_rename_child() helper (bsc#1221044
  CVE-2023-52591).
  Refresh patches.suse/fs-Establish-locking-order-for-unrelated-directories.patch
- commit 86376e0

- rename(): avoid a deadlock in the case of parents having no
  common ancestor (bsc#1221044 CVE-2023-52591).
- commit 16e3098

- kill lock_two_inodes() (bsc#1221044 CVE-2023-52591).
- commit 8b8deef

- rename(): fix the locking of subdirectories (bsc#1221044
  CVE-2023-52591).
- commit 146d81f

- f2fs: Avoid reading renamed directory if parent does not change
  (bsc#1221044 CVE-2023-52591).
- commit 5344280

- ext4: don't access the source subdirectory content on
  same-directory rename (bsc#1221044 CVE-2023-52591).
- commit b2b6374

- ext2: Avoid reading renamed directory if parent does not change
  (bsc#1221044 CVE-2023-52591).
- commit 2edcc11

- udf_rename(): only access the child content on cross-directory
  rename (bsc#1221044 CVE-2023-52591).
- commit 0257614

- ocfs2: Avoid touching renamed directory if parent does not
  change (bsc#1221044 CVE-2023-52591).
- commit e786f3a

- reiserfs: Avoid touching renamed directory if parent does not
  change (git-fixes bsc#1221044 CVE-2023-52591).
  Refresh patches.suse/reiserfs-add-check-to-detect-corrupted-directory-entry.patch
  Refresh patches.suse/reiserfs-don-t-panic-on-bad-directory-entries.patch
- commit 523ddca

- fs: don't assume arguments are non-NULL (bsc#1221044
  CVE-2023-52591).
- commit 2177893

- fs: Restrict lock_two_nondirectories() to non-directory inodes
  (bsc#1221044 CVE-2023-52591).
- commit a59a7cb

- fs: ocfs2: check status values (bsc#1221044 CVE-2023-52591).
- commit 8c6576f

- perf/x86/intel/uncore: Fix NULL pointer dereference issue in
  upi_fill_topology() (bsc#1220237, CVE-2023-52450).
- commit 246b58a

- x86/mmio: Disable KVM mitigation when X86_FEATURE_CLEAR_CPU_BUF is  set (bsc#1213456 CVE-2023-28746).
- commit 4fed4e6

- Sort upstream patches
- Refresh
  patches.suse/Documentation-hw-vuln-Add-documentation-for-RFDS.patch.
- Refresh
  patches.suse/KVM-x86-Export-RFDS_NO-and-RFDS_CLEAR-to-guests.patch.
- Refresh
  patches.suse/x86-entry-ia32-Ensure-s32-is-sign-extended-to-s64.patch.
- Refresh
  patches.suse/x86-rfds-Mitigate-Register-File-Data-Sampling-RFDS.patch.
- commit f172e12

- Refresh patches.kabi/team-Hide-new-member-header-ops.patch.
  Fix for kABI workaround.
- commit 6ba2f5d

- ceph: fix deadlock or deadcode of misusing dget() (bsc#1221058
  CVE-2023-52583).
- commit 1a81018

- netfs: Only call folio_start_fscache() one time for each folio
  (CVE-2023-52582 bsc#1220878).
- commit dfd082b

- Refresh
  patches.suse/mm-ima-kexec-of-use-memblock_free_late-from-ima_free.patch.
  Fix:
  * Section mismatch (function ima_free_kexec_buffer()) in modpost: vmlinux.o in ima_free_kexec_buffer()
  WARNING: modpost: vmlinux.o(.text+0xac1250): Section mismatch in reference from the function ima_free_kexec_buffer() to the function .init.text:__memblock_free_late()
- commit 5522f01

- Update
  patches.suse/usb-hub-Guard-against-accesses-to-uninitialized-BOS-.patch
  (bsc#1220790 CVE-2023-52477).
- commit d33bab7

- drm/radeon: check the alloc_workqueue return value in radeon_crtc_init() (bsc#1220413 CVE-2023-52470).
- commit 9d7d799

- drivers/amd/pm: fix a use-after-free in kv_parse_power_table (bsc#1220411 CVE-2023-52469).
- commit f4f0cf4

- group-source-files.pl: Quote filenames (boo#1221077).
  The kernel source now contains a file with a space in the name.
  Add quotes in group-source-files.pl to avoid splitting the filename.
  Also use -print0 / -0 when updating timestamps.
- commit a005e42

- mm,ima,kexec,of: use memblock_free_late from
  ima_free_kexec_buffer (bsc#1220872 CVE-2023-52576).
- commit b1b1c9a

- phy: ti: phy-omap-usb2: Fix NULL pointer dereference for SRP (bsc#1220340,CVE-2024-26600)
- commit 78e2b4a

- erofs: fix lz4 inplace decompression (CVE-2023-52497
  bsc#1220879).
- commit ddeedf9

- ACPI: extlog: fix NULL pointer dereference check (bsc#1221039
  CVE-2023-52605).
- commit 635c481

- kernel-binary: Fix i386 build
  Fixes: 89eaf4cdce05 ("rpm templates: Move macro definitions below buildrequires")
- commit f7c6351

- btrfs: remove BUG() after failure to insert delayed dir index
  item (bsc#1220918 CVE-2023-52569).
- btrfs: improve error message after failure to add delayed dir
  index item (bsc#1220918 CVE-2023-52569).
- commit 53e1d2d

- net: nfc: fix races in nfc_llcp_sock_get() and
  nfc_llcp_sock_get_sn() (CVE-2023-52502 bsc#1220831).
- commit 8c33586

- kabi: team: Hide new member header_ops (bsc#1220870
  CVE-2023-52574).
- commit 9f49992

- KVM: s390: fix setting of fpc register (git-fixes bsc#1220392
  bsc#1221040 CVE-2023-52597).
- commit a90b87c

- kernel-binary: vdso: fix filelist for non-usrmerged kernel
  Fixes: a6ad8af207e6 ("rpm templates: Always define usrmerged")
- commit fb3f221

- bpf, sockmap: Reject sk_msg egress redirects to non-TCP sockets
  (bsc#1220926 CVE-2023-52523).
- commit 90d9f50

- aoe: fix the potential use-after-free problem in aoecmd_cfg_pkts
  (bsc#1218562 CVE-2023-6270).
- commit 57a4cd4

- efivarfs: force RO when remounting if SetVariable is not
  supported (bsc#1220328 CVE-2023-52463).
- commit eed7fb0

- iommu/vt-d: Avoid memory allocation in iommu_suspend()
  (CVE-2023-52559 bsc#1220933).
- commit c9b01ef

- Refresh patches.suse/0001-powerpc-pseries-memhp-Fix-access-beyond-end-of-drmem.patch.
  - update to upstream version
  - rename to same name as SLE15 SP5
- commit 1d2def1

- KVM: x86: Export RFDS_NO and RFDS_CLEAR to guests (bsc#1213456 CVE-2023-28746).
- commit 4aebf4f

- x86/rfds: Mitigate Register File Data Sampling (RFDS)  (bsc#1213456 CVE-2023-28746).
- Update config files.
- commit 29c1c99

- Documentation/hw-vuln: Add documentation for RFDS (bsc#1213456 CVE-2023-28746).
- commit 81de603

- ravb: Fix use-after-free issue in ravb_tx_timeout_work()
  (bsc#1212514 CVE-2023-35827).
- team: fix null-ptr-deref when team device type is changed
  (bsc#1220870 CVE-2023-52574).
- commit 2cc53f5

- Update
  patches.suse/ice-xsk-return-xsk-buffers-back-to-pool-when-cleanin.patch
  (jsc#SLE-18375 bsc#1220961 CVE-2021-47105).
- Update patches.suse/net-mana-Fix-TX-CQE-error-handling.patch
  (bsc#1215986 bsc#1220932 CVE-2023-52532).
- Update
  patches.suse/net-mlx5e-Wrap-the-tx-reporter-dump-callback-to-extr.patch
  (jsc#SLE-19253 bsc#1220486 CVE-2021-46931).
  Added CVE references.
- commit 3e396c2

- Update patches.suse/i2c-validate-user-data-in-compat-ioctl.patch
  (git-fixes bsc#1220469 CVE-2021-46934).
  Add bug and CVE references.
- commit 3a04060

- wifi: mac80211: fix potential key use-after-free (CVE-2023-52530
  bsc#1220930).
- commit 3feca94

- Update patch reference for iwlwifi fix (CVE-2023-52531 bsc#1220931)
- commit bde87cf

- Update patch reference for pinctrl fix (CVE-2021-47083 bsc#1220917)
- commit b608623

- drm/bridge: sii902x: Fix probing race issue (bsc#1220736 CVE-2024-26607).
- commit 70198c4

- Update
  patches.suse/vt-fix-memory-overlapping-when-deleting-chars-in-the.patch
  (git-fixes bsc#1220845 CVE-2022-48627).
- Update
  patches.suse/x86-srso-add-srso-mitigation-for-hygon-processors.patch
  (git-fixes bsc#1220735 CVE-2023-52482).
  Add CVE references.
- commit dcdac38

- mfd: syscon: Fix null pointer dereference in
  of_syscon_register() (bsc#1220433 CVE-2023-52467).
- commit b0262b8

- bpf: Fix re-attachment branch in bpf_tracing_prog_attach
  (bsc#1220254 CVE-2024-26591).
- commit fc948d3

- selftests/bpf: Add test for alu on PTR_TO_FLOW_KEYS (bsc#1220255
  CVE-2024-26589).
- bpf: Reject variable offset alu on PTR_TO_FLOW_KEYS (bsc#1220255
  CVE-2024-26589).
- commit 8a833ce

- iommu/arm-smmu-v3: Fix soft lockup triggered by arm_smmu_mm_invalidate_range (CVE-2023-52484 bsc#1220797).
- commit 2229de3

- tls: fix race between tx work scheduling and socket close
  (CVE-2024-26585 bsc#1220187).
- commit 1306bff

- kabi: restore return type of dst_ops::gc() callback
  (CVE-2023-52340 bsc#1219295).
- ipv6: remove max_size check inline with ipv4 (CVE-2023-52340
  bsc#1219295).
- commit b8eec42

- netfilter: nf_tables: fix 64-bit load issue in
  nft_byteorder_eval() (CVE-2024-0607 bsc#1218915).
- netfilter: nf_tables: fix pointer math issue in
  nft_byteorder_eval() (CVE-2024-0607 bsc#1218915).
- commit e095cd0

- netfilter: nft_set_pipapo: skip inactive elements during set
  walk (CVE-2023-6817 bsc#1218195).
- commit 4032aa7

- tomoyo: fix UAF write bug in tomoyo_write_control() (bsc#1220825
  CVE-2024-26622).
- commit c8e5b38

- doc/README.SUSE: Update information about module support status
  (jsc#PED-5759)
  Following the code change in SLE15-SP6 to have externally supported
  modules no longer taint the kernel, update the respective documentation
  in README.SUSE:
  * Describe that support status can be obtained at runtime for each
  module from /sys/module/$MODULE/supported and for the entire system
  from /sys/kernel/supported. This provides a way how to now check that
  the kernel has any externally supported modules loaded.
  * Remove a mention that externally supported modules taint the kernel,
  but keep the information about bit 16 (X) and add a note that it is
  still tracked per module and can be read from
  /sys/module/$MODULE/taint. This per-module information also appears in
  Oopses.
- commit 9ed8107

- btrfs: fix double free of anonymous device after snapshot
  creation failure (bsc#1219126 CVE-2024-23850).
- commit 257a534

- btrfs: do not ASSERT() if the newly created subvolume already
  got read (bsc#1219126 CVE-2024-23850).
- commit a2ac581

- bpf: Minor cleanup around stack bounds (bsc#1220257
  CVE-2023-52452).
- bpf: Fix accesses to uninit stack slots (bsc#1220257
  CVE-2023-52452).
- bpf: Guard stack limits against 32bit overflow (git-fixes).
- bpf: Fix verification of indirect var-off stack access
  (git-fixes).
- commit 7d03125

- serial: 8250: omap: Don't skip resource freeing if
  pm_runtime_resume_and_get() failed (bsc#1220350 CVE-2023-52457).
- commit c82f528

- serial: imx: fix tx statemachine deadlock (bsc#1220364
  CVE-2023-52456).
- commit cd9f92c

- powerpc/pseries/memhp: Fix access beyond end of drmem array
  (bsc#1220250,CVE-2023-52451).
- commit fdc7254

- Update patch reference for input fix (CVE-2021-46932 bsc#1220444)
- commit e44e0b1

- Update patches.suse/i2c-Fix-a-potential-use-after-free.patch
  (git-fixes bsc#1220409 CVE-2019-25162).
  Add bug and CVE references.
- commit 6df4ebd

- efivarfs: force RO when remounting if SetVariable is not
  supported (bsc#1220328 CVE-2023-52463).
- commit 3cfef52

- btrfs: fix double free of anonymous device after snapshot
  creation failure (bsc#1219126 CVE-2024-23850).
- commit f8ba729

- mtd: Fix gluebi NULL pointer dereference caused by ftl notifier
  (bsc#1220238 CVE-2023-52449).
- commit c132b67

- fs/mount_setattr: always cleanup mount_kattr (bsc#1220457
  CVE-2021-46923).
- commit 89afe2f

- kABI: bpf: map_fd_put_ptr() signature kABI workaround
  (bsc#1220251 CVE-2023-52447).
- kABI: bpf: struct bpf_map kABI workaround (bsc#1220251
  CVE-2023-52447).
- kABI: bpf: map_fd_put_ptr() signature kABI workaround
  (bsc#1220251 CVE-2023-52447).
- kABI: bpf: struct bpf_map kABI workaround (bsc#1220251
  CVE-2023-52447).
- commit bec1c61

- selftests/bpf: Test outer map update operations in syscall
  program (bsc#1220251 CVE-2023-52447).
- selftests/bpf: Add test cases for inner map (bsc#1220251
  CVE-2023-52447).
- bpf: Defer the free of inner map when necessary (bsc#1220251
  CVE-2023-52447).
- Refresh patches.suse/kABI-padding-for-bpf.patch
- bpf: Set need_defer as false when clearing fd array during
  map free (bsc#1220251 CVE-2023-52447).
- bpf: Add map and need_defer parameters to .map_fd_put_ptr()
  (bsc#1220251 CVE-2023-52447).
- bpf: Check rcu_read_lock_trace_held() before calling bpf map
  helpers (bsc#1220251 CVE-2023-52447).
- rcu-tasks: Provide rcu_trace_implies_rcu_gp() (bsc#1220251
  CVE-2023-52447).
- selftests/bpf: Test outer map update operations in syscall
  program (bsc#1220251 CVE-2023-52447).
- selftests/bpf: Add test cases for inner map (bsc#1220251
  CVE-2023-52447).
- bpf: Defer the free of inner map when necessary (bsc#1220251
  CVE-2023-52447).
- Refresh patches.suse/kABI-padding-for-bpf.patch
- bpf: Set need_defer as false when clearing fd array during
  map free (bsc#1220251 CVE-2023-52447).
- bpf: Add map and need_defer parameters to .map_fd_put_ptr()
  (bsc#1220251 CVE-2023-52447).
- bpf: Check rcu_read_lock_trace_held() before calling bpf map
  helpers (bsc#1220251 CVE-2023-52447).
- rcu-tasks: Provide rcu_trace_implies_rcu_gp() (bsc#1220251
  CVE-2023-52447).
- commit aa6db76

- Update patch reference for HID fix (CVE-2023-52478 bsc#1220796)
- commit 4aec836

- Update patch reference for input fix (CVE-2023-52475 bsc#1220649)
- commit 00a87c8

- KVM: arm64: vgic-its: Avoid potential UAF in LPI translation
  cache (bsc#1220326, CVE-2024-26598).
- commit 74fd0dd

- x86/fpu: Stop relying on userspace for info to fault in xsave buffer (bsc#1220335, CVE-2024-26603).
- commit 4cbbdbf

- Update patch reference for NFC fix (CVE-2021-46924 bsc#1220459)
- commit 8ac32a8

- media: pvrusb2: fix use after free on context disconnection
  (CVE-2023-52445 bsc#1220241).
- commit e4643a5

- uio: Fix use-after-free in uio_open (bsc#1220140
  CVE-2023-52439).
- commit fbf52b1

- apparmor: avoid crash when parsed profile name is empty
  (CVE-2023-52443 bsc#1220240).
- commit 732bc93

- btrfs: do not ASSERT() if the newly created subvolume already
  got read (bsc#1219126 CVE-2024-23850).
- commit 087f1fb

- sched/membarrier: reduce the ability to hammer on sys_membarrier
  (git-fixes, bsc#1220398, CVE-2024-26602).
- commit 6f61ce3

- i2c: i801: Fix block process call transactions (bsc#1220009
  CVE-2024-26593).
- commit 1b64da9

- mlxsw: spectrum_acl_tcam: Fix stack corruption (bsc#1220243
  CVE-2024-26586).
- mlxsw: spectrum_acl_tcam: Fix NULL pointer dereference in
  error path (bsc#1220344 CVE-2024-26595).
- commit 6e8b589

- EDAC/thunderx: Fix possible out-of-bounds string access (bsc#1220330, CVE-2023-52464)
- commit 369d1fd

- Drop 2 git-fixes patches which are suspicious to introduce regression
  reported in bsc#1219073,
  - patches.suse/md-Set-MD_BROKEN-for-RAID1-and-RAID10-9631.patch.
  - patches.suse/md-raid1-free-the-r1bio-before-waiting-for-blocked-r-992d.patch.
- Refresh patches.suse/md-display-timeout-error.patch for the above
  change.
- commit 4ecd26a

- gfs2: Fix kernel NULL pointer dereference in gfs2_rgrp_dump
  (bsc#1220253 CVE-2023-52448).
- commit 12cdab5

- rpm templates: Always define usrmerged
  usrmerged is now defined in kernel-spec-macros and not the distribution.
  Only check if it's defined in kernel-spec-macros, not everywhere where
  it's used.
- commit a6ad8af

- nvme: remove nvme_alloc_request and nvme_alloc_request_qid
  (bsc#1214064).
  Refresh:
  - patches.suse/nvme-tcp-delay-error-recovery-until-the-next-kato.patch
- commit 6fc2117

- rpm templates: Move macro definitions below buildrequires
  Many of the rpm macros defined in the kernel packages depend directly or
  indirectly on script execution. OBS cannot execute scripts which means
  values of these macros cannot be used in tags that are required for OBS
  to see such as package name, buildrequires or buildarch.
  Accumulate macro definitions that are not directly expanded by mkspec
  below buildrequires and buildarch to make this distinction clear.
- commit 89eaf4c

- rpm/check-for-config-changes: add GCC_ASM_GOTO_OUTPUT_WORKAROUND to IGNORED_CONFIGS_RE
  Introduced by commit 68fb3ca0e408 ("update workarounds for gcc "asm
  goto" issue").
- commit be1bdab

- net: openvswitch: limit the number of recursions from action
  sets (bsc#1219835 CVE-2024-1151).
- commit ed2fd55

- README.BRANCH: use correct mail for Roy
- commit 6f3c32f

- compute-PATCHVERSION: Do not produce output when awk fails
  compute-PATCHVERSION uses awk to produce a shell script that is
  subsequently executed to update shell variables which are then printed
  as the patchversion.
  Some versions of awk, most notably bysybox-gawk do not understand the
  awk program and fail to run. This results in no script generated as
  output, and printing the initial values of the shell variables as
  the patchversion.
  When the awk program fails to run produce 'exit 1' as the shell script
  to run instead. That prevents printing the stale values, generates no
  output, and generates invalid rpm spec file down the line. Then the
  problem is flagged early and should be easier to diagnose.
- commit 8ef8383

- nvme: move nvme_stop_keep_alive() back to original position
  (bsc#1211515).
- commit b945fa0

- x86/asm: Add _ASM_RIP() macro for x86-64 (%rip) suffix (git-fixes).
- commit 636fc4c

- KVM: VMX: Move VERW closer to VMentry for MDS mitigation (git-fixes).
- KVM: VMX: Use BT+JNC, i.e. EFLAGS.CF to select VMRESUME vs. VMLAUNCH (git-fixes).
- x86/bugs: Use ALTERNATIVE() instead of mds_user_clear static key (git-fixes).
  Also add the removed mds_user_clear symbol to kABI severities as it is
  exposed just for KVM module and is generally a core kernel component so
  removing it is low risk.
- x86/entry_32: Add VERW just before userspace transition (git-fixes).
- x86/entry_64: Add VERW just before userspace transition (git-fixes).
- x86/bugs: Add asm helpers for executing VERW (git-fixes).
- commit 5b0be3c

- netfilter: nf_tables: disallow rule removal from chain binding
  (bsc#1218216 CVE-2023-5197).
- commit d7a1a4d

- netfilter: nf_tables: skip bound chain in netns release path
  (bsc#1218216 CVE-2023-5197).
- commit af879c8

- nvme: start keep-alive after admin queue setup (bsc#1211515).
- commit 13f904b

- net/rds: Fix UBSAN: array-index-out-of-bounds in rds_cmsg_recv
  (bsc#1219127 CVE-2024-23849).
- commit 43577c1

- kernel-binary: Move build script to the end
  All other spec templates have the build script at the end, only
  kernel-binary has it in the middle. Align with the other templates.
- commit 98cbdd0

- rpm templates: Aggregate subpackage descriptions
  While in some cases the package tags, description, scriptlets and
  filelist are located together in other cases they are all across the
  spec file. Aggregate the information related to a subpackage in one
  place.
- commit 8eeb08c

- rpm templates: sort rpm tags
  The rpm tags in kernel spec files are sorted at random.
  Make the order of rpm tags somewhat more consistent across rpm spec
  templates.
- commit 8875c35

- dm: limit the number of targets and parameter size area
  (bsc#1219827, bsc#1219146, CVE-2023-52429, CVE-2024-23851).
- commit 26dc83e

- Fix unresolved hunks in README.BRANCH
- commit 99bb861

- NFS: avoid infinite loop in pnfs_update_layout (bsc#1219633).
- commit b6a1f9a
krb5
- Fix memory leaks, add patch 0012-Fix-two-unlikely-memory-leaks.patch
  * CVE-2024-26458, bsc#1220770
  * CVE-2024-26461, bsc#1220771
less
- Fix CVE-2024-32487, mishandling of \n character in paths when
  LESSOPEN is set leads to OS command execution
  (CVE-2024-32487, bsc#1222849)
  * CVE-2024-32487.patch

- Fix CVE-2022-48624, LESSCLOSE handling in less does not quote shell
  metacharacters, bsc#1219901
  * CVE-2022-48624.patch
avahi
- Add avahi-CVE-2023-38471.patch: Extract host name using
  avahi_unescape_label (bsc#1216594, CVE-2023-38471).
- Add avahi-CVE-2023-38469.patch: Reject overly long TXT resource
  records (bsc#1216598, CVE-2023-38469).
util-linux
- Properly neutralize escape sequences in wall
  (util-linux-CVE-2024-28085.patch, bsc#1221831, CVE-2024-28085,
  and its prerequisites: util-linux-fputs_careful1.patch,
  util-linux-wall-migrate-to-memstream.patch
  util-linux-fputs_careful2.patch).
c-ares
- CVE-2024-25629.patch: fix out of bounds read in ares__read_line()
  (bsc#1220279, CVE-2024-25629)
expat
- Security fix (boo#1221289, CVE-2024-28757): XML Entity Expansion
  attack when there is isolated use of external parsers.
  * Added expat-CVE-2024-28757.patch

- Security fix:
  * (CVE-2023-52425, bsc#1219559) denial of service (resource
    consumption) caused by processing large tokens.
  - Added patch expat-CVE-2023-52425-1.patch
  - Added patch expat-CVE-2023-52425-2.patch
  - Added patch expat-CVE-2023-52425-backport-parser-changes.patch
  - Added patch expat-CVE-2023-52425-fix-tests.patch
gcc13
- Add gcc13-pr111731.patch to fix unwinding for JIT code.
  [bsc#1221239]

- Revert libgccjit dependency change.  [boo#1220724]

- Fix libgccjit-devel dependency, a newer shared library is OK.
- Fix libgccjit dependency, the corresponding compiler isn't required.

- Use %patch -P N instead of %patchN.

- Add gcc13-sanitizer-remove-crypt-interception.patch to remove
  crypt and crypt_r interceptors.  The crypt API change in SLE15 SP3
  breaks them.  [bsc#1219520]

- Update to gcc-13 branch head, 67ac78caf31f7cb3202177e642, git8285
- Add gcc13-pr88345-min-func-alignment.diff to add support for
  - fmin-function-alignment.  [bsc#1214934]

- Use %{_target_cpu} to determine host and build.

- Update to gcc-13 branch head, fc7d87e0ffadca49bec29b2107, git8250
  * Includes fix for building TVM.  [boo#1218492]

- Add cross-X-newlib-devel requires to newlib cross compilers.
  [boo#1219031]

- Package m2rte.so plugin in the gcc13-m2 sub-package rather than
  in gcc13-devel.  [boo#1210959]
- Require libstdc++6-devel-gcc13 from gcc13-m2 as m2 programs
  are linked against libstdc++6.

- Update to gcc-13 branch head, 36ddb5230f56a30317630a928, git8205

- Update to gcc-13 branch head, 741743c028dc00f27b9c8b1d5, git8109
  * Includes fix for building mariadb on i686.  [bsc#1217667]
  * Remove pr111411.patch contained in the update.

- Avoid update-alternatives dependency for accelerator crosses.
- Package tool links to llvm in cross-amdgcn-gcc13 rather than in
  cross-amdgcn-newlib13-devel since that also has the dependence.
- Depend on llvmVER instead of llvm with VER equal to
  %product_libs_llvm_ver where available and adjust tool discovery
  accordingly.  This should also properly trigger re-builds when
  the patchlevel version of llvmVER changes, possibly changing
  the binary names we link to.  [bsc#1217450]
glib2
- Add patches to fix CVE-2024-34397 (boo#1224044):
  glib2-CVE-2024-34397.patch (glgo#GNOME/glib#3268).
  glib2-fix-ibus-regression.patch (glgo#GNOME/glib#3353)
gnutls
- Security fix: [bsc#1221747, CVE-2024-28835]
  * gnutls: certtool crash when verifying a certificate chain
  * Add gnutls-CVE-2024-28835.patch

- Security fix: [bsc#1221746, CVE-2024-28834]
  * gnutls: side-channel in the deterministic ECDSA
  * Add gnutls-CVE-2024-28834.patch

- jitterentropy: Release the memory of the entropy collector when
  using jitterentropy with phtreads as there is also a
  pre-intitization done in the main thread. [bsc#1221242]
  * Add gnutls-FIPS-jitterentropy-deinit-threads.patch
ncurses
- Add patch ncurses-6.1-bsc1220061.patch (bsc#1220061, CVE-2023-45918)
  * Backport from ncurses-6.4-20230615.patch
    improve checks in convert_string() for corrupt terminfo entry
nghttp2
- security update
- added patches
  fix CVE-2024-28182 [bsc#1221399], HTTP/2 CONTINUATION frames can be utilized for DoS attacks
  + nghttp2-CVE-2024-28182-1.patch
  fix CVE-2024-28182-2 [bsc#1221399], HTTP/2 CONTINUATION frames can be utilized for DoS attacks
  + nghttp2-CVE-2024-28182-2.patch
openssl-1_1
- Security fix: [bsc#1222548, CVE-2024-2511]
  * Fix unconstrained session cache growth in TLSv1.3
  * Add openssl-CVE-2024-2511.patch
protobuf
- update to 25.1:
  * Raise warnings for deprecated python syntax usages
  * Add support for extensions in CRuby, JRuby, and FFI Ruby
  * Add support for options in CRuby, JRuby and FFI (#14594)
- update to 25.0:
  * Implement proto2/proto3 with editions
  * Defines Protobuf compiler version strings as macros and
    separates out suffix string definition.
  * Add utf8_validation feature back to the global feature set.
  * Setting up version updater to prepare for poison pills and
    embedding version info into C++, Python and Java gencode.
  * Merge the protobuf and upb Bazel repos
  * Editions: Introduce functionality to protoc for generating
    edition feature set defaults.
  * Editions: Migrate edition strings to enum in C++ code.
  * Create a reflection helper for ExtensionIdentifier.
  * Editions: Provide an API for C++ generators to specify their
    features.
  * Editions: Refactor feature resolution to use an intermediate
    message.
  * Publish extension declarations with declaration
    verifications.
  * Editions: Stop propagating partially resolved feature sets to
    plugins.
  * Editions: Migrate string_field_validation to a C++ feature
  * Editions: Include defaults for any features in the generated
    pool.
  * Protoc: parser rejects explicit use of map_entry option
  * Protoc: validate that reserved range start is before end
  * Protoc: support identifiers as reserved names in addition to
    string literals (only in editions)
  * Drop support for Bazel 5.
  * Allow code generators to specify whether or not they support
    editions.
  [#] C++
  * Set `PROTOBUF_EXPORT` on
    `InternalOutOfLineDeleteMessageLite()`
  * Update stale checked-in files
  * Apply PROTOBUF_NOINLINE to declarations of some functions
    that want it.
  * Implement proto2/proto3 with editions
  * Make JSON UTF-8 boundary check inclusive of the largest
    possible UTF-8 character.
  * Reduce `Map::size_type` to 32-bits. Protobuf containers can't
    have more than that
  * Defines Protobuf compiler version strings as macros and
    separates out suffix string definition.
  * Add `ABSL_ATTRIBUTE_LIFETIME_BOUND` attribute on generated
    oneof accessors.
  * Fix bug in reflection based Swap of map fields.
  * Add utf8_validation feature back to the global feature set.
  * Setting up version updater to prepare for poison pills and
    embedding version info into C++, Python and Java gencode.
  * Add prefetching to arena allocations.
  * Add `ABSL_ATTRIBUTE_LIFETIME_BOUND` attribute on generated
    repeated and map field accessors.
  * Editions: Migrate edition strings to enum in C++ code.
  * Create a reflection helper for ExtensionIdentifier.
  * Editions: Provide an API for C++ generators to specify their
    features.
  * Add `ABSL_ATTRIBUTE_LIFETIME_BOUND` attribute on generated
    string field accessors.
  * Editions: Refactor feature resolution to use an intermediate
    message.
  * Fixes for 32-bit MSVC.
  * Publish extension declarations with declaration
    verifications.
  * Export the constants in protobuf's any.h to support DLL
    builds.
  * Implement AbslStringify for the Descriptor family of types.
  * Add `ABSL_ATTRIBUTE_LIFETIME_BOUND` attribute on generated
    message field accessors.
  * Editions: Stop propagating partially resolved feature sets to
    plugins.
  * Editions: Migrate string_field_validation to a C++ feature
  * Editions: Include defaults for any features in the generated
    pool.
  * Introduce C++ feature for UTF8 validation.
  * Protoc: validate that reserved range start is before end
  * Remove option to disable the table-driven parser in protoc.
  * Lock down ctype=CORD in proto file.
  * Support split repeated fields.
  * In OSS mode omit some extern template specializations.
  * Allow code generators to specify whether or not they support
    editions.
  [#] Java
  * Implement proto2/proto3 with editions
  * Remove synthetic oneofs from Java gencode field accessor
    tables.
  * Timestamps.parse: Add error handling for invalid
    hours/minutes in the timezone offset.
  * Defines Protobuf compiler version strings as macros and
    separates out suffix string definition.
  * Add `ABSL_ATTRIBUTE_LIFETIME_BOUND` attribute on generated
    oneof accessors.
  * Add missing debugging version info to Protobuf Java gencode
    when multiple files are generated.
  * Fix a bad cast in putBuilderIfAbsent when already present due
    to using the result of put() directly (which is null if it
    currently has no value)
  * Setting up version updater to prepare for poison pills and
    embedding version info into C++, Python and Java gencode.
  * Fix a NPE in putBuilderIfAbsent due to using the result of
    put() directly (which is null if it currently has no value)
  * Update Kotlin compiler to escape package names
  * Add MapFieldBuilder and change codegen to generate it and the
    put{field}BuilderIfAbsent method.
  * Introduce recursion limit in Java text format parsing
  * Consider the protobuf.Any invalid if typeUrl.split("/")
    returns an empty array.
  * Mark `FieldDescriptor.hasOptionalKeyword()` as deprecated.
  * Fixed Python memory leak in map lookup.
  * Loosen upb for json name conflict check in proto2 between
    json name and field
  * Defines Protobuf compiler version strings as macros and
    separates out suffix string definition.
  * Add `ABSL_ATTRIBUTE_LIFETIME_BOUND` attribute on generated
    oneof accessors.
  * Ensure Timestamp.ToDatetime(tz) has correct offset
  * Do not check required field for upb python MergeFrom
  * Setting up version updater to prepare for poison pills and
    embedding version info into C++, Python and Java gencode.
  * Merge the protobuf and upb Bazel repos
  * Comparing a proto message with an object of unknown returns
    NotImplemented
  * Emit __slots__ in pyi output as a tuple rather than a list
    for --pyi_out.
  * Fix a bug that strips options from descriptor.proto in
    Python.
  * Raise warings for message.UnknownFields() usages and navigate
    to the new add
  * Add protobuf python keyword support in path for stub
    generator.
  * Add tuple support to set Struct
  * ### Python C-Extension (Default)
  * Comparing a proto message with an object of unknown returns
    NotImplemented
  * Check that ffi-compiler loads before using it to define
    tasks.
  [#] UPB (Python/PHP/Ruby C-Extension)
  * Include .inc files directly instead of through a filegroup
  * Loosen upb for json name conflict check in proto2 between
    json name and field
  * Add utf8_validation feature back to the global feature set.
  * Do not check required field for upb python MergeFrom
  * Merge the protobuf and upb Bazel repos
  * Added malloc_trim() calls to Python allocator so RSS will
    decrease when memory is freed
  * Upb: fix a Python memory leak in ByteSize()
  * Support ASAN detection on clang
  * Upb: bugfix for importing a proto3 enum from within a proto2
    file
  * Expose methods needed by Ruby FFI using UPB_API
  * Fix `PyUpb_Message_MergeInternal` segfault

- build against modern python on sle15

- Build with source and target levels 8
  * fixes build with JDK21
- Install the pom file with the new %%mvn_install_pom macro
- Do not install the pom-only artifacts, since the %%mvn_install_pom
  macro resolves the variables at the install time

- update to 23.4:
  * Add dllexport_decl for generated default instance.
  * Deps: Update Guava to 32.0.1

- update to 23.3:
  C++
  * Regenerate stale files
  * Use the same ABI for static and shared libraries on non-
    Windows platforms
  * Add a workaround for GCC constexpr bug
  Objective-C
  * Regenerate stale files
  UPB (Python/PHP/Ruby C-Extension)
  * Fixed a bug in `upb_Map_Delete()` that caused crashes in
    map.delete(k) for Ruby when string-keyed maps were in use.
  Compiler
  * Add missing header to Objective-c generator
  * Add a workaround for GCC constexpr bug
  Java
  * Rollback of: Simplify protobuf Java message builder by
    removing methods that calls the super class only.
  Csharp
  * [C#] Replace regex that validates descriptor names
- drop 0001-Use-the-same-ABI-for-static-and-shared-libraries-on-.patch (upstream)

- Add patch to fix linking ThreadSafeArena:
  * 0001-Use-the-same-ABI-for-static-and-shared-libraries-on-.patch
- Drop the protobuf-source package, no longer used

- update to 22.5:
  C++
  * Add missing cstdint header
  * Fix: missing -DPROTOBUF_USE_DLLS in pkg-config (#12700)
  * Avoid using string(JOIN..., which requires cmake 3.12
  * Explicitly include GTest package in examples
  * Bump Abseil submodule to 20230125.3 (#12660)
- update to 22.4:
  C++
  * Fix libprotoc: export useful symbols from .so
  * Fix btree issue in map tests.
  Python
  * Fix bug in _internal_copy_files where the rule would fail in
    downstream repositories.
  Other
  * Bump utf8_range to version with working pkg-config (#12584)
  * Fix declared dependencies for pkg-config
  * Update abseil dependency and reorder dependencies to ensure
    we use the version specified in protobuf_deps.
  * Turn off clang::musttail on i386

- drop python2 handling
- fix version handling and package the private libs again

- Fix confusion in versions

- Mention the rpmlintrc file in the spec.

- Make possible to build on older systems, like SLE12 that miss
  some of the used macros.

- update to v22.3
  UPB (Python/PHP/Ruby C-Extension)
  * Remove src prefix from proto import
  * Fix .gitmodules to use the correct absl branch
  * Remove erroneous dependency on googletest
- update to 22.2:
  Java
  * Add version to intra proto dependencies and add kotlin stdlib
    dependency
  * Add $ back for osgi header
  * Remove $ in pom files
- update to 22.1:
  * Add visibility of plugin.proto to python directory
  * Strip "src" from file name of plugin.proto
  * Add OSGi headers to pom files.
  * Remove errorprone dependency from kotlin protos.
  * Version protoc according to the compiler version number.
- update to 22.0:
  * This version includes breaking changes to: Cpp.
    Please refer to the migration guide for information:
    https://protobuf.dev/support/migration/#compiler-22
  * [Cpp] Migrate to Abseil's logging library.
  * [Cpp] `proto2::Map::value_type` changes to `std::pair`.
  * [Cpp] Mark final ZeroCopyInputStream, ZeroCopyOutputStream,
    and DefaultFieldComparator classes.
  * [Cpp] Add a dependency on Abseil (#10416)
  * [Cpp] Remove all autotools usage (#10132)
  * [Cpp] Add C++20 reserved keywords
  * [Cpp] Dropped C++11 Support
  * [Cpp] Delete Arena::Init
  * [Cpp] Replace JSON parser with new implementation
  * [Cpp] Make RepeatedField::GetArena non-const in order to
    support split RepeatedFields.
  * long list of bindings specific fixes see
    https://github.com/protocolbuffers/protobuf/releases/tag/v22.0
- python sub packages version is set 4.22.3 as defined in
  python/google/protobuf/__init__.py to stay compatible
- skip python2 builds by default
- drop patches:
  * 10355.patch,
  * gcc12-disable-__constinit-with-c++-11.patch (merged upstream)
- added patches:
  * add-missing-stdint-header.patch   added for compile fixes

- Enable LTO (boo#1133277).

- update to v21.12:
  * Python
  * Fix broken enum ranges (#11171)
  * Stop requiring extension fields to have a sythetic oneof (#11091)
  * Python runtime 4.21.10 not works generated code can not load valid
    proto.

- update to 21.11:
  * Python
  * Add license file to pypi wheels (#10936)
  * Fix round-trip bug (#10158)

- update to 21.10:
  * Java
  * Use bit-field int values in buildPartial to skip work on unset groups of
    fields. (#10960)
  * Mark nested builder as clean after clear is called (#10984)

- update to 21.9:
  * Ruby
  * Replace libc strdup usage with internal impl to restore musl compat (#10818)
  * Auto capitalize enums name in Ruby (#10454) (#10763)
  * Other
  * Fix for grpc.tools #17995 & protobuf #7474 (handle UTF-8 paths in argumentfile) (#10721)
  * C++
  * 21.x No longer define no_threadlocal on OpenBSD (#10743)
  * Java
  * Mark default instance as immutable first to avoid race during static initialization of default instances (#10771)
  * Refactoring java full runtime to reuse sub-message builders and prepare to
    migrate parsing logic from parse constructor to builder.
  * Move proto wireformat parsing functionality from the private "parsing
    constructor" to the Builder class.
  * Change the Lite runtime to prefer merging from the wireformat into mutable
    messages rather than building up a new immutable object before merging. This
    way results in fewer allocations and copy operations.
  * Make message-type extensions merge from wire-format instead of building up
    instances and merging afterwards. This has much better performance.
  * Fix TextFormat parser to build up recurring (but supposedly not repeated)
    sub-messages directly from text rather than building a new sub-message and
    merging the fully formed message into the existing field.

- update to 21.6:
  C++:
  * Reduce memory consumption of MessageSet parsing

- update to 21.5:
  PHP
  * Added getContainingOneof and getRealContainingOneof to descriptor.
  * fix PHP readonly legacy files for nested messages
  Python
  * Fixed comparison of maps in Python.

- add 10355.patch to fix soversioning

- update to 21.4:
  * Reduce the required alignment of ArenaString from 8 to 4

- update to 21.3:
  * C++
  * Add header search paths to Protobuf-C++.podspec (#10024)
  * Fixed Visual Studio constinit errors (#10232)
  * Fix #9947: make the ABI compatible between debug and non-debug builds (#10271)
  * UPB
  * Allow empty package names (fixes behavior regression in 4.21.0)
  * Fix a SEGV bug when comparing a non-materialized sub-message (#10208)
  * Fix several bugs in descriptor mapping containers (eg. descriptor.services_by_name)
  * for x in mapping now yields keys rather than values, to match Python
    conventions and the behavior of the old library.
  * Lookup operations now correctly reject unhashable types as map keys.
  * We implement repr() to use the same format as dict.
  * Fix maps to use the ScalarMapContainer class when appropriate
  * Fix bug when parsing an unknown value in a proto2 enum extension (protocolbuffers/upb#717)
  * PHP
  * Add "readonly" as a keyword for PHP and add previous classnames to descriptor pool (#10041)
  * Python
  * Make //:protobuf_python and //:well_known_types_py_pb2 public (#10118)
  * Bazel
  * Add back a filegroup for :well_known_protos (#10061)

- Update to 21.2:
- C++
  - cmake: Call get_filename_component() with DIRECTORY mode instead of PATH mode (#9614)
  - Escape GetObject macro inside protoc-generated code (#9739)
  - Update CMake configuration to add a dependency on Abseil (#9793)
  - Fix cmake install targets (#9822)
  - Use __constinit only in GCC 12.2 and up (#9936)
- Java
  - Update protobuf_version.bzl to separate protoc and per-language java … (#9900)
- Python
  - Increment python major version to 4 in version.json for python upb (#9926)
  - The C extension module for Python has been rewritten to use the upb library.
  - This is expected to deliver significant performance benefits, especially when
    parsing large payloads. There are some minor breaking changes, but these
    should not impact most users. For more information see:
    https://developers.google.com/protocol-buffers/docs/news/2022-05-06#python-updates
- PHP
  - [PHP] fix PHP build system (#9571)
  - Fix building packaged PHP extension (#9727)
  - fix: reserve "ReadOnly" keyword for PHP 8.1 and add compatibility (#9633)
  - fix: phpdoc syntax for repeatedfield parameters (#9784)
  - fix: phpdoc for repeatedfield (#9783)
  - Change enum string name for reserved words (#9780)
  - chore: [PHP] fix phpdoc for MapField keys (#9536)
  - Fixed PHP SEGV by not writing to shared memory for zend_class_entry. (#9996)
- Ruby
  - Allow pre-compiled binaries for ruby 3.1.0 (#9566)
  - Implement respond_to? in RubyMessage (#9677)
  - [Ruby] Fix RepeatedField#last, #first inconsistencies (#9722)
  - Do not use range based UTF-8 validation in truffleruby (#9769)
  - Improve range handling logic of RepeatedField (#9799)
- Other
  - Fix invalid dependency manifest when using descriptor_set_out (#9647)
  - Remove duplicate java generated code (#9909)

- Do not use %%autosetup, but %%setup and %%patch on other line
  * Allows building on SLE-12-SP5

- Add temporary patch gcc12-disable-__constinit-with-c++-11.patch
  that addresses gh#protocolbuffers/protobuf#9916.
python3
- Add bpo38361-syslog-no-slash-ident.patch (bsc#1222109,
  gh#python/cpython!16557) fixes syslog making default "ident"
  from sys.argv[0].

- (bsc#1219666, CVE-2023-6597) Add
  CVE-2023-6597-TempDir-cleaning-symlink.patch (patch from
  gh#python/cpython!99930) fixing symlink bug in cleanup of
  tempfile.TemporaryDirectory.
- Merge together bpo-36576-skip_tests_for_OpenSSL-111.patch into
  skip_SSL_tests.patch, and make them include all conditionals.
libzypp
- Don't try to refresh volatile media as long as raw metadata are
  present (bsc#1223094)
- version 17.32.5 (32)

- Fix creation of sibling cache dirs with too restrictive mode
  (bsc#1222398)
  Some install workflows in YAST may lead to too restrictive (0700)
  raw cache directories in case of newly created repos. Later
  commands running with user privileges may not be able to access
  these repos.
- version 17.32.4 (32)

- Update RepoStatus fromCookieFile according to the files mtime
  (bsc#1222086)
- TmpFile: Don't call chmod if makeSibling failed.
- version 17.32.3 (32)

- Fixup New VendorSupportOption flag VendorSupportSuperseded
  (jsc#OBS-301, jsc#PED-8014)
  Fixed the name of the keyword to "support_superseded" as it was
  agreed on in jsc#OBS-301.
- version 17.32.2 (32)

- Add resolver option 'removeUnneeded' to file weak remove jobs
  for unneeded packages (bsc#1175678)
- version 17.32.1 (32)

- Add resolver option 'removeOrphaned' for distupgrade
  (bsc#1221525)
- New VendorSupportOption flag VendorSupportSuperseded
  (jsc#OBS-301, jsc#PED-8014)
- Tests: fix vsftpd.conf where SUSE and Fedora use different
  defaults (fixes #522)
- Add default stripe minimum (#529)
- Don't expose std::optional where YAST/PK explicitly use c++11.
- Digest: Avoid using the deprecated OPENSSL_config.
- version 17.32.0 (32)

- ProblemSolution::skipsPatchesOnly overload to handout the
  patches.
- Remove https->http redirection exceptions for
  download.opensuse.org.
- version 17.31.32 (22)
shadow
- bsc#1176006: Fix chage date miscalculation
  Add shadow-bsc1176006-chage-date.patch
- bsc#1188307: Fix passwd segfault
  Add shadow-bsc1188307-passwd-segfault.patch
- bsc#1203823: Remove pam_keyinit from PAM config files
  Remove pam_keyinit from PAM configuration.
  This was introduced for bsc#1144060.
openssh
- Add patches from upstream to change the default value of
  UpdateHostKeys to Yes (unless VerifyHostKeyDNS is enabled).
  This makes ssh update the known_hosts stored keys with all
  published versions by the server (after it's authenticated
  with an existing key), which will allow to identify the
  server with a different key if the existing key is considered
  insecure at some point in the future (bsc#1222831).
  * 0001-upstream-enable-UpdateHostkeys-by-default-when-the.patch
  * 0002-upstream-disable-UpdateHostkeys-by-default-if.patch

- Add patches openssh-7.7p1-seccomp_getuid.patch and
  openssh-bsc1216474-s390-leave-fds-open.patch
  (bsc#1216474, bsc#1218871)

- Fix hostbased ssh login failing occasionally with "signature
  unverified: incorrect signature" by fixing a typo in patch
  (bsc#1221123):
  * openssh-7.8p1-role-mls.patch
pam-config
- Fix pam_gnome_keyring module for AUTH.
  [pam-config-fix-pam_gnome_keyring.patch, bsc#1219767]
perl-Bootloader
- merge gh#openSUSE/perl-bootloader#166
- log grub2-install errors correctly (bsc#1221470)
- 0.947

- merge gh#openSUSE/perl-bootloader#161
- support old grub versions (<= 2.02) that used /usr/lib
  (bsc#1218842)
- create EFI boot fallback directory if necessary
- 0.946
perl
- fix space calculation issues in pp_pack.c [bnc#1082216]
  [CVE-2018-6913]
  * new patch: perl-pack-overflow.diff
- fix heap buffer overflow in regexec.c [bnc#1082233]
  [CVE-2018-6798]
  new patch: perl-regexec-heap-overflow.diff
- make Net::FTP work with TLS 1.3 [bnc#1213638]
  new patch: perl-net-ftp-tls13.diff
python-Jinja2
- Add CVE-2024-34064.patch upstream patch
  (CVE-2024-34064, bsc#1223980, gh#pallets/jinja@0668239dc6b4)
  Also fixes (CVE-2024-22195, bsc#1218722)
python-idna
- Add CVE-2024-3651.patch, backported from upstream commit
  gh#kjd/idna#172/commits/5beb28b9dd77912c0dd656d8b0fdba3eb80222e7
  (bsc#1222842, CVE-2024-3651)
python-requests
- Add CVE-2024-35195.patch (CVE-2024-35195, bsc#1224788)
- Add httpbin.patch to fix a test failure caused by the previous patch.
rpm-ndb
- remove imaevmsign plugin from rpm-ndb [bsc#1222259]
runc
- Add upstream patch <https://github.com/opencontainers/runc/pull/4219> to
  properly fix -ENOSYS stub on ppc64le. bsc#1192051 bsc#1221050
  + 0001-bsc1221050-libct-seccomp-patchbpf-rm-duplicated-code.patch
  + 0002-bsc1221050-seccomp-patchbpf-rename-nativeArch-linuxA.patch
  + 0003-bsc1221050-seccomp-patchbpf-always-include-native-ar.patch
sed
- 0001-sed-set-correct-umask-on-temporary-files.patch
  Fix for bsc#1221218
000release-packages:sle-module-basesystem-release
n/a
000release-packages:sle-module-containers-release
n/a
000release-packages:sle-module-public-cloud-release
n/a
000release-packages:sle-module-server-applications-release
n/a
sudo
- Fix NOPASSWD issue introduced by patches for CVE-2023-42465
  [bsc#1221151, bsc#1221134]
  * Update sudo-CVE-2023-42465-1of2.patch sudo-CVE-2023-42465-2of2.patch
  * Enable running regression selftests during build time.
supportutils
- Changes in version 3.1.30
  + Added -V key:value pair option (bsc#1222021, PED-8211)
  + Avoid getting duplicate kernel verifications in boot.text (pr#193)
  + Suppress file descriptor leak warnings from lvm commands (pr#192, bsc#1220082)
  + Includes container log timestamps (pr#197)

- Changes to version 3.1.29
  + Extended scaling for performance (bsc#1214713)
  + Fixed kdumptool output error (bsc#1218632)
  + Corrected podman ID errors (bsc#1218812)
  + Duplicate non root podman entries removed (bsc#1218814)
  + Corrected get_sles_ver for SLE Micro (bsc#1219241)
  + Check nvidida-persistenced state (bsc#1219639)
suseconnect-ng
- Update to version 1.9.0
  * Fix certificate import for Yast when using a registration proxy with
    self-signed SSL certificate (bsc#1223107)

- Update to version 1.8.0
  * Allow "--rollback" flag to run on readonly filesystem (bsc#1220679)
systemd-default-settings
- Import 0.10
  5088997 SLE: Disable pids controller limit under user instances (jsc#SLE-10123)

- Import 0.9
  bb859bf user@.service: Disable controllers by default (jsc#PED-2276)

- The usage of drop-ins is now the official way for configuring systemd and its
  various daemons on Factory/ALP. Hence the early drop-ins SUSE specific
  "feature" has been abandoned.

- Import 0.8
  f34372f User priority '26' for SLE-Micro
  c8b6f0a Revert "Convert more drop-ins into early ones"

- Import commit 6b8dde1d4f867aff713af6d6830510a84fad58d2
  6b8dde1 Convert more drop-ins into early ones
systemd-presets-branding-SLE
- Enable sysctl-logger (jsc#PED-5024)
systemd-presets-common-SUSE
- Split hcn-init.service to hcn-init-NetworkManager and hcn-init-wicked
  (bsc#1200731 ltc#198485 https://github.com/ibm-power-utilities/powerpc-utils/pull/84)
  Support both the old and new service to avoid complex version interdependency.
systemd-rpm-macros
- Bump version to 15

- Order packages that requires systemd after systemd-sysvcompat when this part
  of the transaction (bsc#1217964)
  systemd-sysvcompat has been introduced recently and contains the compatibility
  scripts used to support SysV init scripts. Make sure that the packages ordered
  after systemd are also ordered after systemd-sysvcompat so theirs rpm
  scriptlets can still rely on the compat scripts.
  On distributions where systemd-sysvcompat doesn't exist, the new ordering
  constraint should be a nop.
util-linux-systemd
- Properly neutralize escape sequences in wall
  (util-linux-CVE-2024-28085.patch, bsc#1221831, CVE-2024-28085,
  and its prerequisites: util-linux-fputs_careful1.patch,
  util-linux-wall-migrate-to-memstream.patch
  util-linux-fputs_careful2.patch).

- Add upstream patch
  more-exit-if-POLLERR-and-POLLHUP-on-stdin-is-received.patch
  bsc#1220117 - L3-Question: Processes not cleaned up after failed SSH session are using up 100% CPU

- Add upstream patch
  util-linux-libuuid-avoid-truncate-clocks.txt-to-improve-perform.patch
  bsc#1207987 gh#util-linux/util-linux@1d98827edde4
vim
- Updated to version 9.1 with patch level 0330, fixes the following problems
  * Fixing bsc#1220763 - vim gets Segmentation fault after updating to version 9.1.0111-150500.20.9.1
- refreshed vim-7.3-filetype_spec.patch
- refreshed vim-7.3-filetype_ftl.patch
- Update spec.skeleton to use autosetup in place of setup macro.
- for the complete list of changes see
  https://github.com/vim/vim/compare/v9.1.0111...v9.1.0330

- Updated to version 9.1 with patch level 0111, fixes the following security problems
  * Fixing bsc#1217316 (CVE-2023-48231) - VUL-0: CVE-2023-48231: vim: Use-After-Free in win_close()
  * Fixing bsc#1217320 (CVE-2023-48232) - VUL-0: CVE-2023-48232: vim: Floating point Exception in adjust_plines_for_skipcol()
  * Fixing bsc#1217321 (CVE-2023-48233) - VUL-0: CVE-2023-48233: vim: overflow with count for :s command
  * Fixing bsc#1217324 (CVE-2023-48234) - VUL-0: CVE-2023-48234: vim: overflow in nv_z_get_count
  * Fixing bsc#1217326 (CVE-2023-48235) - VUL-0: CVE-2023-48235: vim: overflow in ex address parsing
  * Fixing bsc#1217329 (CVE-2023-48236) - VUL-0: CVE-2023-48236: vim: overflow in get_number
  * Fixing bsc#1217330 (CVE-2023-48237) - VUL-0: CVE-2023-48237: vim: overflow in shift_line
  * Fixing bsc#1217432 (CVE-2023-48706) - VUL-0: CVE-2023-48706: vim: heap-use-after-free in ex_substitute
  * Fixing bsc#1219581 (CVE-2024-22667) - VUL-0: CVE-2024-22667: vim: stack-based buffer overflow in did_set_langmap function in map.c
  * Fixing bsc#1215005 (CVE-2023-4750) - VUL-0: CVE-2023-4750: vim: Heap use-after-free in function bt_quickfix
- for the complete list of changes see
  https://github.com/vim/vim/compare/v9.0.2103...v9.1.0111
wicked
- client: fix ifreload to pull UP ports/links again when the config
  of their master/lower changed (bsc#1224100,gh#openSUSE/wicked#1014).
  [+ 0001-ifreload-pull-UP-again-on-master-lower-changes-bsc1224100.patch]

- Update to version 0.6.75:
  - cleanup: fix ni_fsm_state_t enum-int-mismatch warnings
  - cleanup: fix overflow warnings in a socket testcase on i586
  - ifcheck: report new and deleted configs as changed (bsc#1218926)
  - man: improve ARP configuration options in the wicked-config.5
  - bond: add ports when master is UP to avoid port MTU revert (bsc#1219108)
  - cleanup: fix interface dependencies and shutdown order (bsc#1205604)
  - Remove port arrays from bond,team,bridge,ovs-bridge (redundant)
    and consistently use config and state info attached to the port
    interface as in rtnetlink(7).
  - Cleanup ifcfg parsing, schema configuration and service properties
  - Migrate ports in xml config and policies already applied in nanny
  - Remove "missed config" generation from finite state machine, which
    is completed while parsing the config or while xml config migration.
  - Issue a warning when "lower" interface (e.g. eth0) config is missed
    while parsing config depending on it (e.g. eth0.42 vlan).
  - Resolve ovs master to the effective bridge in config and wickedd
  - Implement netif-check-state require checks using system relations
    from wickedd/kernel instead of config relations for ifdown and add
    linkDown and deleteDevice checks to all master and lower references.
  - Add a `wicked <ifup|ifdown|ifreload> --dry-run …` option to show the
    system/config interface hierarchies as notice with +/- marked
    interfaces to setup and/or shutdown.
- Removed patches included in the source archive:
  [- 0001-addrconf-fix-fallback-lease-drop-bsc-1220996.patch]
  [- 0002-extensions-nbft-replace-nvme-show-nbft-with-nvme-nbf.patch]
  [- 0003-move-all-attribute-definitions-to-compiler-h.patch]
  [- 0004-hide-secrets-in-debug-log-bsc-1221194.patch]
  [- 0005-client-do-to-not-convert-sec-to-msec-twice-bsc-1222105.patch]

- client: do not convert sec to msec twice (bsc#1222105)
  [+ 0005-client-do-to-not-convert-sec-to-msec-twice-bsc-1222105.patch]

- addrconf: fix fallback-lease drop (bsc#1220996)
  [+ 0001-addrconf-fix-fallback-lease-drop-bsc-1220996.patch]
- extensions/nbft: use upstream `nvme nbft show` (bsc#1221358)
  [+ 0002-extensions-nbft-replace-nvme-show-nbft-with-nvme-nbf.patch]
- hide secrets in debug log (bsc#1221194)
  [+ 0003-move-all-attribute-definitions-to-compiler-h.patch]
  [+ 0004-hide-secrets-in-debug-log-bsc-1221194.patch]
xen
- Update to Xen 4.16.6 security bug fix release (bsc#1027519)
  xen-4.16.6-testing-src.tar.bz2
  * No upstream changelog found in sources or webpage
- bsc#1221984 - VUL-0: CVE-2023-46842: xen: x86 HVM hypercalls may
  trigger Xen bug check (XSA-454)
- bsc#1222302 - VUL-0: CVE-2024-31142: xen: x86: Incorrect logic
  for BTC/SRSO mitigations (XSA-455)
- bsc#1222453 - VUL-0: CVE-2024-2201: xen: x86: Native Branch
  History Injection (XSA-456)
- Dropped patches contained in new tarball
  64e5b4ac-x86-AMD-extend-Zenbleed-check.patch
  64e6459b-revert-VMX-sanitize-rIP-before-reentering.patch
  64eef7e9-x86-reporting-spurious-i8259-interrupts.patch
  64f71f50-Arm-handle-cache-flush-at-top.patch
  65087000-x86-spec-ctrl-SPEC_CTRL_EXIT_TO_XEN-confusion.patch
  65087001-x86-spec-ctrl-fold-DO_SPEC_CTRL_EXIT_TO_XEN.patch
  65087002-x86-spec-ctrl-SPEC_CTRL-ENTRY-EXIT-asm-macros.patch
  65087003-x86-spec-ctrl-SPEC_CTRL-ENTER-EXIT-comments.patch
  65087004-x86-entry-restore_all_xen-stack_end.patch
  65087005-x86-entry-track-IST-ness-of-entry.patch
  65087006-x86-spec-ctrl-VERW-on-IST-exit-to-Xen.patch
  65087007-x86-AMD-Zen-1-2-predicates.patch
  65087008-x86-spec-ctrl-Zen1-DIV-leakage.patch
  650abbfe-x86-shadow-defer-PV-top-level-release.patch
  65263470-AMD-IOMMU-flush-TLB-when-flushing-DTE.patch
  65263471-libfsimage-xfs-remove-dead-code.patch
  65263472-libfsimage-xfs-amend-mask32lo.patch
  65263473-libfsimage-xfs-sanity-check-superblock.patch
  65263474-libfsimage-xfs-compile-time-check.patch
  65263475-pygrub-remove-unnecessary-hypercall.patch
  65263476-pygrub-small-refactors.patch
  65263477-pygrub-open-output-files-earlier.patch
  65263478-libfsimage-function-to-preload-plugins.patch
  65263479-pygrub-deprivilege.patch
  6526347a-libxl-allow-bootloader-restricted-mode.patch
  6526347b-libxl-limit-bootloader-when-restricted.patch
  6526347c-SVM-fix-AMD-DR-MASK-context-switch-asymmetry.patch
  6526347d-x86-PV-auditing-of-guest-breakpoints.patch
  65536847-AMD-IOMMU-correct-level-for-quarantine-pt.patch
  65536848-x86-spec-ctrl-remove-conditional-IRQs-on-ness.patch
  xsa440.patch
  xsa449.patch
  xsa451.patch
  xsa452-1.patch
  xsa452-2.patch
  xsa452-3.patch
  xsa452-4.patch
  xsa452-5.patch
  xsa452-6.patch
  xsa452-7.patch
  xsa453-1.patch
  xsa453-2.patch
  xsa453-3.patch
  xsa453-4.patch
  xsa453-5.patch
  xsa453-6.patch
  xsa453-7.patch
  xsa453-8.patch
  xsa454-1.patch
  xsa454-2.patch

- bsc#1221332 - VUL-0: CVE-2023-28746: xen: x86: Register File Data
  Sampling (XSA-452)
  xsa452-1.patch
  xsa452-2.patch
  xsa452-3.patch
  xsa452-4.patch
  xsa452-5.patch
  xsa452-6.patch
  xsa452-7.patch
- bsc#1221334 - VUL-0: CVE-2024-2193: xen: GhostRace: Speculative
  Race Conditions (XSA-453)
  xsa453-1.patch
  xsa453-2.patch
  xsa453-3.patch
  xsa453-4.patch
  xsa453-5.patch
  xsa453-6.patch
  xsa453-7.patch
  xsa453-8.patch

- bsc#1219885 - VUL-0: CVE-2023-46841: xen: x86: shadow stack vs
  exceptions from emulation stubs (XSA-451)
  xsa451.patch
zypper
- Do not try to refresh repo metadata as non-root user
  (bsc#1222086)
  Instead show refresh stats and hint how to update them.
- man: Explain how to protect orphaned packages by collecting
  them in a plaindir repo.
- packages: Add --autoinstalled and --userinstalled options to
  list them.
- Don't print 'reboot required' message if download-only or
  dry-run (fixes #529)
  Instead point out that a reboot would be required if the option
  was not used.
- Resepect zypper.conf option `showAlias` search commands
  (bsc#1221963)
  Repository::asUserString (or Repository::label) respects the
  zypper.conf option, while name/alias return the property.
- version 1.14.71

- dup: New option --remove-orphaned to remove all orphaned
  packages in dup (bsc#1221525)
- version 1.14.70

- info,summary: Support VendorSupportOption flag
  VendorSupportSuperseded (jsc#OBS-301, jsc#PED-8014)
- BuildRequires:  libzypp-devel >= 17.32.0.
  API cleanup and changes for VendorSupportSuperseded.
- Show active dry-run/download-only at the commit propmpt.
- patch: Add --skip-not-applicable-patches option (closes #514)
- Fix printing detailed solver problem description.
  The problem description() is one rule out possibly many in
  completeProblemInfo() the solver has chosen to represent the
  problem. So either description or completeProblemInfo should be
  printed, but not both.
- Fix bash-completion to work with right adjusted numbers in the
  1st column too (closes #505)
- Set libzypp shutdown request signal on Ctrl+C (fixes #522)
- lr REPO: In the detailed view show all baseurls not just the
  first one (bsc#1218171)
- version 1.14.69