aaa_base
- Add patch git-51-fbf7ee9dc9cd970532a54eed6472d7f3b0e7f431.patch
  * If a user switches the login shell respect the already set
    PATH environment (bsc#1235481)

- add patch aaa_base-rc.status.patch (bsc#1236033)
  (no git, file is gone in factory/tumbleweed)
  update detection for systemd in rc.status, mountpoint for
  cgroup changed with cgroup2, so just check if pid 1 is systemd
apparmor
- Add dac_read_search capability for unix_chkpwd to allow it to read the shadow
  file even if it has 000 permissions. This is needed after the CVE-2024-10041
  fix in PAM.
  * unix-chkpwd-add-read-capability.path, bsc#1241678

- Allow pam_unix to execute unix_chkpwd with abi/3.0
  - remove dovecot-unix_chkpwd.diff
  - Add allow-pam_unix-to-execute-unix_chkpwd.patch
  - Add revert-abi-change-for-unix_chkpwd.patch
  (bsc#1234452, bsc#1232234)
augeas
- Add patch, fix for bsc#1239909 / CVE-2025-2588:
  * CVE-2025-2588.patch
ca-certificates-mozilla
- revert the distrusted certs for now. originally these only
  distrust "new issued" certs starting after a certain date,
  while old certs should still work. (bsc#1240343)
- remove-distrusted.patch: removed
cifs-utils
- CVE-2025-2312: cifs-utils: cifs.upcall makes an upcall to the wrong
  namespace in containerized environments while trying to get Kerberos
  credentials (bsc#1239680)
  * add New-mount-option-for-cifs.upcall-namespace-reso.patch
cloud-regionsrv-client
- Update version to 10.4.0
  + Remove repositories when the package is being removed
    We do not want to leave repositories behind refering to the plugin that
    is being removed when the package gets removed (bsc#1240310, bsc#1240311)
  + Turn docker into an optional setup (jsc#PCT-560)
    Change the Requires into a Recommends and adapt the code accordingly
  + Support flexible licenses in GCE (jsc#PCT-531)
  + Drop the azure-addon package it is geting replaced by the
    license-watcher package which has a generic implementation of the
    same functionality.
  + Handle cache inconsistencies (bsc#1218345)
  + Properly handle the zypper root target argument (bsc#1240997)
containerd
- Update to containerd v1.7.27. Upstream release notes:
  <https://github.com/containerd/containerd/releases/tag/v1.7.27>
  bsc#1239749 CVE-2024-40635
- Rebase patches:
  * 0001-BUILD-SLE12-revert-btrfs-depend-on-kernel-UAPI-inste.patch

- Update to containerd v1.7.26. Upstream release notes:
  <https://github.com/containerd/containerd/releases/tag/v1.7.26>
- Rebase patches:
  * 0001-BUILD-SLE12-revert-btrfs-depend-on-kernel-UAPI-inste.patch

- Update to containerd v1.7.25. Upstream release notes:
  <https://github.com/containerd/containerd/releases/tag/v1.7.25>
  <https://github.com/containerd/containerd/releases/tag/v1.7.24>
- Rebase patches:
  * 0001-BUILD-SLE12-revert-btrfs-depend-on-kernel-UAPI-inste.patch
lvm2
- LVM filter behaves unexpectedly for MPIO devices in SLES15SP5 (bsc#1216938)
  * set lvm.conf devices.multipath_wwids_file=""
glib2
- Add glib2-CVE-2025-3360.patch:
  Backport 8d60d7dc from upstream, Fix integer overflow when
  parsing very long ISO8601 inputs. This will only happen with
  invalid (or maliciously invalid) potential ISO8601 strings,
  but `g_date_time_new_from_iso8601()` needs to be robust against
  that.
  (CVE-2025-3360, bsc#1240897)
glibc
- static-setuid-ld-library-path.patch: elf: Ignore LD_LIBRARY_PATH and
  debug env var for setuid for static (CVE-2025-4802, bsc#1243317)

- Add support for userspace livepatching for ppc64le (jsc#PED-11850)

- pthread-wakeup.patch: pthreads NPTL: lost wakeup fix 2 (bsc#1234128, BZ
  [#25847])

- Mark functions in libc_nonshared.a as hidden (bsc#1239883)

- Bump minimal kernel version to 4.3 to enable use of direct socketcalls
  on x86-32 and s390x (bsc#1234713)
grub2
- Fix CVE-2025-4382: TPM auto-decryption data exposure (bsc#1242971)
  * 0001-kern-rescue_reader-Block-the-rescue-mode-until-the-C.patch
  * 0002-commands-search-Introduce-the-cryptodisk-only-argume.patch
  * 0003-disk-diskfilter-Introduce-the-cryptocheck-command.patch
  * 0004-commands-search-Add-the-diskfilter-support.patch
  * 0005-docs-Document-available-crypto-disks-checks.patch
  * 0006-disk-cryptodisk-Add-the-erase-secrets-function.patch
  * 0007-disk-cryptodisk-Wipe-the-passphrase-from-memory.patch
  * 0008-cryptocheck-Add-quiet-option.patch
- patch rebased
  * 0001-Improve-TPM-key-protection-on-boot-interruptions.patch
  * 0004-Key-revocation-on-out-of-bound-file-access.patch
- patch refrehed
  * 0002-Requiring-authentication-after-tpm-unlock-for-CLI-ac.patch

- Refresh PPC NVMEoF ofpath related patches to newer revision
  * 0002-ieee1275-ofpath-enable-NVMeoF-logical-device-transla.patch
- Patch refreshed
  * 0001-grub2-Set-multiple-device-path-for-a-nvmf-boot-devic.patch
- Patch obsoleted
  * 0004-ofpath-controller-name-update.patch
  * 0001-squash-ieee1275-ofpath-enable-NVMeoF-logical-device-.patch
- Fix segmentation fault error in grub2-probe with target=hints_string
  (bsc#1235971) (bsc#1235958) (bsc#1239651)
  * 0001-ofpath-Add-error-check-in-NVMEoF-device-translation.patch
hwinfo
- merge gh#openSUSE/hwinfo#156
- fix network card detection on aarch64 (bsc#1240648)
- 21.88
iproute2
- avoid spurious cgroup warning (bsc#1234383):
  - ss-Tone-down-cgroup-path-resolution.patch
kbd
- Don't search for resources in the current directory. It can cause
  unwanted side effects or even infinite loop (bsc#1237230,
  kbd-ignore-working-directory-1.patch,
  kbd-ignore-working-directory-2.patch,
  kbd-ignore-working-directory-3.patch).
kernel-default
- dm: fix copying after src array boundaries (git-fixes).
- commit 10c16a9

- dm: add missing unlock on in dm_keyslot_evict() (git-fixes).
- commit a94a8c2

- codel: remove sch->q.qlen check before
  qdisc_tree_reduce_backlog() (CVE-2025-37798 bsc#1242414).
- commit 8fb5816

- Update
  patches.suse/net-smc-initialize-close_work-early-to-avoid-warning.patch
  (CVE-2024-56641 bsc#1235526 bsc#1242985).
- commit d393a0f

- mptcp: fix NULL pointer in can_accept_new_subflow
  (CVE-2025-23145 bsc#1242596).
- mptcp: relax check on MPC passive fallback (git-fixes).
- mptcp: refine opt_mp_capable determination (git-fixes).
- mptcp: use OPTION_MPTCP_MPJ_SYN in subflow_check_req()
  (git-fixes).
- mptcp: use OPTION_MPTCP_MPJ_SYNACK in subflow_finish_connect()
  (git-fixes CVE-2024-35840 bsc#1224597).
- mptcp: strict validation before using mp_opt->hmac (git-fixes).
- commit b0b581d

- mptcp: mptcp_parse_option() fix for MPTCPOPT_MP_JOIN
  (git-fixes).
- blacklist.conf:
  - remove the entry for commit be1d9d9d38da which was blacklisted as not
    needed because of absence of this backport
- commit 07c39d4

- ax25: Remove broken autobind (CVE-2025-22109 bsc#1241573).
- commit 9a9abc7

- udp: Fix memory accounting leak (CVE-2025-22058 bsc#1241332).
- commit 6a0c03a

- perf: arm_cspmu: nvidia: monitor all ports by default (bsc#1242172)
- commit bf5ce56

- perf: arm_cspmu: nvidia: enable NVLINK-C2C port filtering (bsc#1242172)
- commit d976f98

- perf: arm_cspmu: nvidia: fix sysfs path in the kernel doc (bsc#1242172)
- commit bcf5e61

- perf: arm_cspmu: nvidia: remove unsupported SCF events (bsc#1242172)
- commit 4647012

- x86/ibt: Keep IBT disabled during alternative patching (bsc#1242006 CVE-2024-28956).
- commit fac02ba

- x86/its: Align RETs in BHB clear sequence to avoid thunking (bsc#1242006 CVE-2024-28956).
- commit 909407f

- x86/its: Add support for RSB stuffing mitigation (bsc#1242006 CVE-2024-28956).
- commit 42d05af

- x86/its: Add "vmexit" option to skip mitigation on some CPUs (bsc#1242006 CVE-2024-28956).
- commit cefce67

- x86/its: Enable Indirect Target Selection mitigation (bsc#1242006 CVE-2024-28956).
- commit 6720dce

- x86/its: Add support for ITS-safe return thunk (bsc#1242006 CVE-2024-28956).
- commit b904ebb

- watch_queue: fix pipe accounting mismatch (CVE-2025-23138 bsc#1241648).
- commit 53d2fbb

- x86/its: Add support for ITS-safe indirect thunk (bsc#1242006 CVE-2024-28956).
- commit 73d0713

- x86/its: Enumerate Indirect Target Selection (ITS) bug (bsc#1242006 CVE-2024-28956).
- commit 0ceddfb

- Documentation: x86/bugs/its: Add ITS documentation (bsc#1242006 CVE-2024-28956).
- commit 8fd974a

- vmxnet3: Fix malformed packet sizing in vmxnet3_process_xdp
  (CVE-2025-37799 bsc#1242283).
- commit f53c65a

- btrfs: always fallback to buffered write if the inode  requires
  checksum (bsc#1242831 bsc#1242710).
- commit fd92bec

- x86/bhi: Do not set BHI_DIS_S in 32-bit mode (bsc#1242778).
- x86/bpf: Add IBHF call at end of classic BPF (bsc#1242778).
- x86/bpf: Call branch history clearing sequence on exit
  (bsc#1242778).
- commit 7613146

- jbd2: increase IO priority for writing revoke records
  (bsc#1242332).
- commit a27757f

- Bluetooth: btnxpuart: Fix kernel panic during FW release
  (bsc#1241456 CVE-2025-22102).
- commit 9e6b312

- Bluetooth: btnxpuart: Remove check for CTS low after FW download
  (bsc#1241456 CVE-2025-22102).
- commit 43b7feb

- firmware: arm_ffa: Skip Rx buffer ownership release if not
  acquired (git-fixes).
- firmware: arm_scmi: Balance device refcount when destroying
  devices (git-fixes).
- commit e6126fe

- ext4: goto right label 'out_mmap_sem' in ext4_setattr()
  (bsc#1242556).
- commit f73dc04

- mm: fix filemap_get_folios_contig returning batches of identical
  folios (bsc#1242327).
- commit ab60c72

- mm: fix error handling in __filemap_get_folio() with FGP_NOWAIT
  (bsc#1242326).
- commit eefd306

- mm/readahead: fix large folio support in async readahead
  (bsc#1242321).
- commit ca8ae9b

- mm: fix oops when filemap_map_pmd() without prealloc_pte
  (bsc#1242546).
- commit d84ed9f

- udf: Fix inode_getblk() return value (bsc#1242313).
- commit 083cf55

- udf: Verify inode link counts before performing rename
  (bsc#1242314).
- commit 8e7cda1

- udf: Skip parent dir link count update if corrupted
  (bsc#1242315).
- commit 94318f0

- ext4: fix FS_IOC_GETFSMAP handling (bsc#1240557).
- commit 531b964

- ext4: make block validity check resistent to sb bh corruption
  (bsc#1242348).
- commit 12e4947

- ext4: don't treat fhandle lookup of ea_inode as FS corruption
  (bsc#1242347).
- commit 3337bde

- jbd2: add a missing data flush during file and fs
  synchronization (bsc#1242346).
- commit 0ebdf6c

- ext4: don't over-report free space or inodes in statvfs
  (bsc#1242345).
- commit c197ee4

- jbd2: fix off-by-one while erasing journal (bsc#1242344).
- commit 362ca97

- jbd2: remove wrong sb->s_sequence check (bsc#1242343).
- commit b288b9a

- ext4: add missing brelse() for bh2 in ext4_dx_add_entry()
  (bsc#1242342).
- commit 8643d9f

- ext4: protect ext4_release_dquot against freezing (bsc#1242335).
- commit 532c985

- jbd2: flush filesystem device before updating tail sequence
  (bsc#1242333).
- commit 79495ff

- ext4: partial zero eof block on unaligned inode size extension
  (bsc#1242336).
- commit 992adfb

- ext4: correct encrypted dentry name hash when not casefolded
  (bsc#1242540).
- commit 71bfc00

- ext4: treat end of range as exclusive in ext4_zero_range()
  (bsc#1242539).
- commit 8950964

- ext4: unify the type of flexbg_size to unsigned int
  (bsc#1242538).
  Refresh: patches.suse/ext4-avoid-online-resizing-failures-due-to-oversized.patch
- commit 9b599f9

- jbd2: increase the journal IO's priority (bsc#1242537).
- commit 65fd6c7

- ext4: replace the traditional ternary conditional operator
  with with max()/min() (bsc#1242536).
  Refresh patches.suse/ext4-move-setting-of-trimmed-bit-into-ext4_try_to_tr.patch
  Refresh patches.suse/ext4-fix-inconsistent-between-segment-fstrim-and-ful.patch
- commit 9de0d03

- splice: remove duplicate noinline from pipe_clear_nowait
  (bsc#1242328).
- commit 8a9c110

- fs: consistently deref the files table with
  rcu_dereference_raw() (bsc#1242535).
- commit 0f7e4fb

- fs: support relative paths with FSCONFIG_SET_STRING (git-fixes).
- commit 51930da

- vfs: don't mod negative dentry count when on shrinker list
  (bsc#1242534).
- commit 25c9c4a

- fs: better handle deep ancestor chains in is_subdir()
  (bsc#1242528).
  Refresh patches.suse/dcache-keep-dentry_hashtable-or-d_hash_shift-even-when-not.patch
- commit 42bc37f

- fs: don't allow non-init s_user_ns for filesystems without
  FS_USERNS_MOUNT (bsc#1242526).
- commit 08659e8

- isofs: fix KMSAN uninit-value bug in do_isofs_readdir()
  (bsc#1242307).
- commit 08eabe6

- Update
  patches.suse/OPP-add-index-check-to-assert-to-avoid-buffer-overfl.patch
  (bsc#1238961 CVE-2024-57998 bsc#1238527).
- Update
  patches.suse/PCI-ASPM-Fix-link-state-exit-during-switch-upstream-.patch
  (git-fixes CVE-2024-58093 bsc#1241347).
- Update
  patches.suse/RDMA-erdma-Prevent-use-after-free-in-erdma_accept_ne.patch
  (git-fixes CVE-2025-22088 bsc#1241528).
- Update
  patches.suse/RDMA-mlx5-Fix-mlx5_poll_one-cur_qp-update-flow.patch
  (git-fixes CVE-2025-22086 bsc#1241458).
- Update
  patches.suse/acpi-nfit-fix-narrowing-conversion-in-acpi_nfit_ctl.patch
  (git-fixes CVE-2025-22044 bsc#1241424).
- Update
  patches.suse/arm64-Don-t-call-NULL-in-do_compat_alignment_fixup.patch
  (git-fixes CVE-2025-22033 bsc#1241436).
- Update
  patches.suse/bnxt_en-Mask-the-bd_cnt-field-in-the-TX-BD-properly.patch
  (git-fixes CVE-2025-22108 bsc#1241574).
- Update
  patches.suse/bpf-avoid-holding-freeze_mutex-during-mmap-operation.patch
  (git-fixes CVE-2025-21853 bsc#1239476).
- Update
  patches.suse/dlm-prevent-NPD-when-writing-a-positive-value-to-event_done.patch
  (git-fixes CVE-2025-23131 bsc#1241601).
- Update
  patches.suse/drm-amd-display-avoid-NPD-when-ASIC-does-not-support.patch
  (git-fixes CVE-2025-22093 bsc#1241545).
- Update
  patches.suse/drm-vkms-Fix-use-after-free-and-double-free-on-init-.patch
  (git-fixes CVE-2025-22097 bsc#1241541).
- Update patches.suse/fou-fix-initialization-of-grc.patch
  (CVE-2024-46763 bsc#1230764 CVE-2024-46865 bsc#1231103).
- Update
  patches.suse/idpf-check-error-for-register_netdev-on-init.patch
  (git-fixes CVE-2025-22116 bsc#1241459).
- Update
  patches.suse/idpf-fix-adapter-NULL-pointer-dereference-on-reboot.patch
  (git-fixes CVE-2025-22065 bsc#1241333).
- Update
  patches.suse/jfs-add-check-read-only-before-truncation-in-jfs_truncate_nolock.patch
  (git-fixes CVE-2024-58094 bsc#1241443).
- Update
  patches.suse/jfs-add-check-read-only-before-txBeginAnon-call.patch
  (git-fixes CVE-2024-58095 bsc#1241442).
- Update
  patches.suse/media-streamzap-fix-race-between-device-disconnectio.patch
  (git-fixes CVE-2025-22027 bsc#1241369).
- Update
  patches.suse/net-Add-rx_skb-of-kfree_skb-to-raw_tp_null_args.patch
  (bsc#1235501 CVE-2024-56702 CVE-2025-21852 bsc#1239487).
- Update
  patches.suse/netfilter-br_netfilter-skip-conntrack-input-hook-for.patch
  (CVE-2024-27415 bsc#1224757 CVE-2024-27018 bsc#1223809).
- Update
  patches.suse/nfsd-put-dl_stid-if-fail-to-queue-dl_recall.patch
  (git-fixes CVE-2025-22025 bsc#1241361).
- Update
  patches.suse/ntb_hw_switchtec-Fix-shift-out-of-bounds-in-switchte.patch
  (git-fixes CVE-2023-53034 bsc#1241341).
- Update
  patches.suse/ocfs2-handle-a-symlink-read-error-correctly.patch
  (git-fixes CVE-2024-58001 bsc#1239079).
- Update
  patches.suse/rtnetlink-Allocate-vfinfo-size-for-VF-GUIDs-when-sup.patch
  (bsc#1224013 CVE-2025-22075 bsc#1241402).
- Update
  patches.suse/sctp-add-mutual-exclusion-in-proc_sctp_do_udp_port.patch
  (git-fixes CVE-2025-22062 bsc#1241412).
- Update
  patches.suse/tcp-fix-mptcp-DSS-corruption-due-to-large-pmtu-xmit.patch
  (git-fixes CVE-2024-50083 bsc#1232493).
- Update
  patches.suse/thermal-int340x-Add-NULL-check-for-adev.patch
  (git-fixes CVE-2025-23136 bsc#1241357).
- Update patches.suse/usbnet-fix-NPE-during-rx_complete.patch
  (git-fixes CVE-2025-22050 bsc#1241441).
- Update
  patches.suse/wifi-ath11k-Clear-affinity-hint-before-calling-ath11.patch
  (git-fixes CVE-2025-23129 bsc#1241599).
- Update
  patches.suse/wifi-ath11k-add-srng-lock-for-ath11k_hal_srng_-in-mo.patch
  (git-fixes CVE-2024-58096 bsc#1241344).
- Update
  patches.suse/wifi-ath11k-fix-RCU-stall-while-reaping-monitor-dest.patch
  (git-fixes CVE-2024-58097 bsc#1241343).
- Update
  patches.suse/wifi-ath12k-Clear-affinity-hint-before-calling-ath12.patch
  (git-fixes CVE-2025-22128 bsc#1241598).
- commit a961a1a

- cifs: Fix integer overflow while processing actimeo mount option
  (git-fixes).
- commit 747d942

- iommu: Fix two issues in iommu_copy_struct_from_user()
  (git-fixes).
- commit 7b79fa9

- cifs: Fix integer overflow while processing acdirmax mount
  option (CVE-2025-21963 bsc#1240717).
- commit 5907e46

- cifs: Fix integer overflow while processing acregmax mount
  option (CVE-2025-21964 bsc#1240740).
- commit a723b7b

- cifs: Fix integer overflow while processing closetimeo mount
  option (CVE-2025-21962 bsc#1240655).
- commit 03a43b4

- mptcp: consolidate suboption status (CVE-2025-21707
  bsc#1238862).
- commit 18d9efe

- powerpc: Don't use --- in kernel logs (git-fixes).
- commit df3b280

- tools/hv: update route parsing in kvp daemon (git-fixes).
- commit 2e81126

- bpf: Fix bpf_sk_select_reuseport() memory leak (bsc#1236704
  CVE-2025-21683).
- commit e163503

- i2c: imx-lpi2c: Fix clock count when probe defers (git-fixes).
- ASoC: soc-pcm: Fix hw_params() and DAPM widget sequence
  (git-fixes).
- ALSA: hda/realtek: Fix built-mic regression on other ASUS models
  (git-fixes).
- ALSA: hda/realtek - Enable speaker for HP platform (git-fixes).
- commit 5b6152a

- spi: tegra114: Don't fail set_cs_timing when delays are zero
  (git-fixes).
- drm/i915/pxp: fix undefined reference to
  `intel_pxp_gsccs_is_ready_for_sessions' (git-fixes).
- drm: Select DRM_KMS_HELPER from DRM_DEBUG_DP_MST_TOPOLOGY_REFS
  (git-fixes).
- drm/fdinfo: Protect against driver unbind (git-fixes).
- drm/nouveau: Fix WARN_ON in nouveau_fence_context_kill()
  (git-fixes).
- drm/amd/display: Force full update in gpu reset (stable-fixes).
- ata: libata-scsi: Improve CDL control (git-fixes).
- ata: libata-scsi: Fix ata_msense_control_ata_feature()
  (git-fixes).
- ata: libata-scsi: Fix ata_mselect_control_ata_feature() return
  type (git-fixes).
- USB: serial: simple: add OWON HDS200 series oscilloscope support
  (stable-fixes).
- USB: serial: ftdi_sio: add support for Abacus Electrics Optical
  Probe (stable-fixes).
- USB: serial: option: add Sierra Wireless EM9291 (stable-fixes).
- usb: quirks: Add delay init quirk for SanDisk 3.2Gen1 Flash
  Drive (stable-fixes).
- USB: VLI disk crashes if LPM is used (stable-fixes).
- USB: storage: quirk for ADATA Portable HDD CH94 (stable-fixes).
- usb: quirks: add DELAY_INIT quirk for Silicon Motion Flash Drive
  (stable-fixes).
- USB: OHCI: Add quirk for LS7A OHCI controller (rev 0x02)
  (stable-fixes).
- mei: me: add panther lake H DID (stable-fixes).
- spi: tegra210-quad: add rate limiting and simplify timeout
  error message (stable-fixes).
- spi: tegra210-quad: use WARN_ON_ONCE instead of WARN_ON for
  timeouts (stable-fixes).
- ACPI: EC: Set ec_no_wakeup for Lenovo Go S (stable-fixes).
- ACPI PPTT: Fix coding mistakes in a couple of sizeof() calls
  (stable-fixes).
- ntb_hw_amd: Add NTB PCI ID for new gen CPU (stable-fixes).
- ntb: reduce stack usage in idt_scan_mws (stable-fixes).
- rtc: pcf85063: do a SW reset if POR failed (stable-fixes).
- thunderbolt: Scan retimers after device router has been
  enumerated (stable-fixes).
- usb: host: xhci-plat: mvebu: use ->quirks instead of
  - >init_quirk() func (stable-fixes).
- usb: gadget: aspeed: Add NULL pointer check in
  ast_vhub_init_dev() (stable-fixes).
- usb: dwc3: gadget: Avoid using reserved endpoints on Intel
  Merrifield (stable-fixes).
- usb: dwc3: gadget: Refactor loop to avoid NULL endpoints
  (stable-fixes).
- usb: host: max3421-hcd: Add missing spi_device_id table
  (stable-fixes).
- sound/virtio: Fix cancel_sync warnings on uninitialized
  work_structs (stable-fixes).
- dmaengine: dmatest: Fix dmatest waiting less when interrupted
  (stable-fixes).
- iio: adc: ad7768-1: Fix conversion result sign (git-fixes).
- iio: adc: ad7768-1: Move setting of val a bit later to avoid
  unnecessary return value check (stable-fixes).
- pinctrl: renesas: rza2: Fix potential NULL pointer dereference
  (stable-fixes).
- crypto: ccp - Add support for PCI device 0x1134 (stable-fixes).
- auxdisplay: hd44780: Fix an API misuse in hd44780.c (git-fixes).
- auxdisplay: hd44780: Convert to platform remove callback
  returning void (stable-fixes).
- commit fe3cf03

- net: dsa: sja1105: fix kasan out-of-bounds warning in sja1105_table_delete_entry() (CVE-2025-22107 bsc#1241575)
- commit 673084b

- ibmvnic: Use kernel helpers for hex dumps (CVE-2025-22104 bsc#1241550)
- commit 44ef4eb

- dm: always update the array size in realloc_argv on success
  (git-fixes).
- commit 80e573b

- dm-bufio: don't schedule in atomic context (git-fixes).
- commit 59b9988

- dm-ebs: fix prefetch-vs-suspend race (git-fixes).
- commit 89effad

- dm-verity: fix prefetch-vs-suspend race (git-fixes).
- commit 6899d31

- dm-integrity: set ti->error on memory allocation failure
  (git-fixes).
- commit 3c1b2c7

- netfilter: nf_tables: don't unregister hook when table is
  dormant (CVE-2025-22064 bsc#1241413).
- commit 3c82332

- net: ipv6: fix UDPv6 GSO segmentation with NAT (git-fixes).
- commit a110462

- net_sched: qfq: Fix double list add in class with netem as
  child qdisc (git-fixes).
- commit 8e1bbd0

- net_sched: ets: Fix double list add in class with netem as
  child qdisc (git-fixes).
- commit 2e9fa99

- net_sched: hfsc: Fix a UAF vulnerability in class with netem
  as child qdisc (git-fixes).
- commit 3f5a489

- net_sched: drr: Fix double list add in class with netem as
  child qdisc (git-fixes).
- commit 4947830

- ax25: Fix refcount leak caused by setting SO_BINDTODEVICE
  sockopt (CVE-2025-21792 bsc#1238745).
- commit 2ffce83

- ipv6: mcast: add RCU protection to mld_newpack() (CVE-2025-21758
  bsc#1238737).
- commit 4b8b3e5

- Bluetooth: btusb: avoid NULL pointer dereference in
  skb_dequeue() (git-fixes).
- wifi: brcm80211: fmac: Add error handling for
  brcmf_usb_dl_writeimage() (git-fixes).
- wifi: plfxlc: Remove erroneous assert in plfxlc_mac_release
  (git-fixes).
- commit 470cfc0

- net: ipv6: fix dst ref loops in rpl, seg6 and ioam6 lwtunnels
  (CVE-2025-21768 bsc#1238714).
- commit ed713b9

- kABI workaround struct rcu_head and ax25_ptr (CVE-2025-21812
  bsc#1238471).
- commit 714a2d7

- btrfs: fix block group refcount race in
  btrfs_create_pending_block_groups() (bsc#1241578
  CVE-2025-22115).
- commit 1f7a10d

- Refresh
  patches.kabi/kabi-fix-for-bpf-Prevent-tailcall-infinite-loop-caus.patch.
  Piggyback kABI workaround for "struct bpf_subprog_info" for upstream
  commit 51081a3f25c7 "bpf: track changes_pkt_data property for global
  functions".
- commit bf7c4bc

- Add missing bugzilla references (CVE-2025-22105 bsc#1241548 CVE-2025-37860 bsc#1241452)
- commit 00ec2e2

- atm: Fix NULL pointer dereference (CVE-2025-22018 bsc#1241266)
- commit 8ef48c7

- bpf: bpf_local_storage: Always use bpf_mem_alloc in PREEMPT_RT (CVE-2024-58070 bsc#1238983)
- commit 335e132

- iommu/vt-d: Avoid use of NULL after WARN_ON_ONCE (CVE-2025-21833, bsc#1239108).
- commit 069abee

- sfc: fix NULL dereferences in ef100_process_design_param()
  (CVE-2025-37860).
- net: mvpp2: Prevent parser TCAM memory corruption
  (CVE-2025-22060 bsc#1241526).
- bonding: check xdp prog when set bond mode (CVE-2025-22105).
- bonding: return detailed error when loading native XDP fails
  (CVE-2025-22105).
- commit 1110c2d

- ALSA: ump: Fix buffer overflow at UMP SysEx message conversion
  (bsc#1242044).
- commit 43160c9

- Correct the upsteram version numbers in the previous patches
- commit 6f72baf

- mmc: renesas_sdhi: Fix error handling in renesas_sdhi_probe
  (git-fixes).
- platform/x86/intel-uncore-freq: Fix missing uncore sysfs during
  CPU hotplug (git-fixes).
- commit f912ebf

- Require zstd in kernel-default-devel when module compression is zstd
  To use ksym-provides tool modules need to be uncompressed.
  Without zstd at least kernel-default-base does not have provides.
  Link: https://github.com/openSUSE/rpm-config-SUSE/pull/82
- commit a3262dd

- net: ibmveth: make veth_pool_store stop hanging (CVE-2025-22053
  bsc#1241373).
- commit 509c07e

- powerpc/boot: Fix dash warning (bsc#1215199).
- commit aeb4455

- exec: fix the racy usage of fs_struct->in_exec (CVE-2025-22029
  bsc#1241378).
- commit f780e88

- x86/mm: Fix flush_tlb_range() when used for zapping normal PMDs
  (CVE-2025-22045 bsc#1241433).
- commit 1e24dab

- powerpc/boot: Check for ld-option support (bsc#1215199).
- commit 333e1e5

- selftests/bpf: extend changes_pkt_data with cases w/o
  subprograms (bsc#1241590).
- bpf: fix null dereference when computing changes_pkt_data of
  prog w/o subprogs (bsc#1241590).
- selftests/bpf: validate that tail call invalidates packet
  pointers (bsc#1241590).
- bpf: consider that tail calls invalidate packet pointers
  (bsc#1241590).
- selftests/bpf: freplace tests for tracking of
  changes_packet_data (bsc#1241590).
- bpf: check changes_pkt_data property for extension programs
  (bsc#1241590).
- Refresh patches.kabi/kabi-fix-for-bpf-Prevent-tailcall-infinite-loop-caus.patch
- selftests/bpf: test for changing packet data from global
  functions (bsc#1241590).
- bpf: track changes_pkt_data property for global functions
  (bsc#1241590).
- bpf: refactor bpf_helper_changes_pkt_data to use helper number
  (bsc#1241590).
- bpf: add find_containing_subprog() utility function
  (bsc#1241590).
- commit e531d2b

- Update
  patches.suse/memstick-rtsx_usb_ms-Fix-slab-use-after-free-in-rtsx.patch
  (bsc#1241280 CVE-2025-22020).
  Added CVE reference
- commit 80d99d3

- Fixup breakage in ext2 introduced by backporting in:
  patches.suse/ext2-Avoid-reading-renamed-directory-if-parent-does-.patch.
- commit b7c808a

- cxgb4: fix memory leak in cxgb4_init_ethtool_filters() error
  path (git-fixes).
- eth: bnxt: fix missing ring index trim on error path
  (git-fixes).
- igc: add lock preventing multiple simultaneous PTM transactions
  (git-fixes).
- igc: cleanup PTP module if probe fails (git-fixes).
- igc: handle the IGC_PTP_ENABLED flag correctly (git-fixes).
- igc: move ktime snapshot into PTM retry loop (git-fixes).
- igc: increase wait time before retrying PTM (git-fixes).
- igc: fix PTM cycle trigger logic (git-fixes).
- idpf: fix adapter NULL pointer dereference on reboot
  (git-fixes).
- e1000e: change k1 configuration on MTP and later platforms
  (git-fixes).
- gve: handle overflow when reporting TX consumed descriptors
  (git-fixes).
- net/mlx5e: SHAMPO, Make reserved size independent of page size
  (git-fixes).
- vdpa/mlx5: Fix oversized null mkey longer than 32bit
  (git-fixes).
- idpf: check error for register_netdev() on init (git-fixes).
- ice: stop truncating queue ids when checking (git-fixes).
- virtchnl: make proto and filter action count unsigned
  (git-fixes).
- ice: fix reservation of resources for RDMA when disabled
  (git-fixes).
- net/mlx5: Start health poll after enable hca (git-fixes).
- bnxt_en: Linearize TX SKB if the fragments exceed the max
  (git-fixes).
- bnxt_en: Mask the bd_cnt field in the TX BD properly
  (git-fixes).
- net/mlx5e: Fix ethtool -N flow-type ip4 to RSS context
  (git-fixes).
- igb: reject invalid external timestamp requests for 82580-based
  HW (git-fixes).
- net/mlx5e: Prevent bridge link show failure for
  non-eswitch-allowed devices (git-fixes).
- net/mlx5: Lag, Check shared fdb before creating MultiPort
  E-Switch (git-fixes).
- net/mlx5: Fill out devlink dev info only for PFs (git-fixes).
- net/mlx5: IRQ, Fix null string in debug print (git-fixes).
- gve: set xdp redirect target only when it is available
  (git-fixes).
- ice: Add check for devm_kzalloc() (git-fixes).
- commit 8b3f5c6

- ext4: fix OOB read when checking dotdot dir (bsc#1241640
  CVE-2025-37785).
- ext4: fix out-of-bound read in ext4_xattr_inode_dec_ref_all()
  (bsc#1241593 CVE-2025-22121).
- proc: fix UAF in proc_get_inode() (bsc#1240802 CVE-2025-21999).
- fs: relax assertions on failure to encode file handles
  (bsc#1236086 CVE-2024-57924).
- commit 0e972d0

- net: gso: fix ownership in __udp_gso_segment (CVE-2025-21926
  bsc#1240712).
- commit a0db76b

- jfs: add sanity check for agwidth in dbMount (git-fixes).
- commit 8faa28a

- jfs: Prevent copying of nlink with value 0 from disk inode
  (git-fixes).
- commit eea1d40

- fs/jfs: Prevent integer overflow in AG size calculation
  (git-fixes).
- commit fce66a4

- fs/jfs: cast inactags to s64 to prevent potential overflow
  (git-fixes).
- commit 8b1cc16

- jfs: Fix uninit-value access of imap allocated in the diMount()
  function (git-fixes).
- commit 5b527ae

- irqchip/gic-v2m: Prevent use after free of gicv2m_get_fwnode()
  (git-fixes).
- drm/amd/display: Fix gpu reset in multidisplay config
  (git-fixes).
- Revert "drm/meson: vclk: fix calculation of 59.94 fractional
  rates" (git-fixes).
- commit 9f8b470

- block: integrity: Do not call set_page_dirty_lock() (git-fixes).
- loop: stop using vfs_iter_{read,write} for buffered I/O
  (git-fixes).
- loop: LOOP_SET_FD: send uevents for partitions (git-fixes).
- loop: properly send KOBJ_CHANGED uevent for disk device
  (git-fixes).
- block: fix resource leak in blk_register_queue() error path
  (git-fixes).
- block: make sure ->nr_integrity_segments is cloned in
  blk_rq_prep_clone (git-fixes).
- badblocks: fix missing bad blocks on retry in _badblocks_check()
  (git-fixes).
- badblocks: fix merge issue when new badblocks align with pre+1
  (git-fixes).
- badblocks: fix the using of MAX_BADBLOCKS (git-fixes).
- badblocks: return error if any badblock set fails (git-fixes).
- badblocks: return error directly when setting badblocks exceeds
  512 (git-fixes).
- badblocks: Fix error shitf ops (git-fixes).
- blk-throttle: fix lower bps rate by throtl_trim_slice()
  (git-fixes).
- block: change blk_mq_add_to_batch() third argument type to bool
  (git-fixes).
- block: fix conversion of GPT partition name to 7-bit
  (git-fixes).
- ublk: set_params: properly check if parameters can be applied
  (git-fixes).
- block: fix 'kmem_cache of name 'bio-108' already exists'
  (git-fixes).
- commit 607aa83

- drm/tests: Build KMS helpers when DRM_KUNIT_TEST_HELPERS is
  enabled (git-fixes).
- commit 03063eb

- USB: wdm: add annotation (git-fixes).
- USB: wdm: wdm_wwan_port_tx_complete mutex in atomic context
  (git-fixes).
- USB: wdm: close race between wdm_open and wdm_wwan_port_stop
  (git-fixes).
- USB: wdm: handle IO errors in wdm_wwan_port_start (git-fixes).
- usb: dwc3: gadget: check that event count does not exceed
  event buffer length (git-fixes).
- usb: dwc3: xilinx: Prevent spike in reset signal (git-fixes).
- usb: cdns3: Fix deadlock when using NCM gadget (git-fixes).
- usb: chipidea: ci_hdrc_imx: implement usb_phy_init() error
  handling (git-fixes).
- usb: chipidea: ci_hdrc_imx: fix call balance of regulator
  routines (git-fixes).
- serial: sifive: lock port in startup()/shutdown() callbacks
  (git-fixes).
- serial: msm: Configure correct working mode before starting
  earlycon (git-fixes).
- misc: microchip: pci1xxxx: Fix incorrect IRQ status handling
  during ack (git-fixes).
- misc: microchip: pci1xxxx: Fix Kernel panic during IRQ handler
  registration (git-fixes).
- string: Add load_unaligned_zeropad() code path to
  sized_strscpy() (git-fixes).
- kunit: qemu_configs: SH: Respect kunit cmdline (git-fixes).
- Revert "wifi: mac80211: Update skb's control block key in
  ieee80211_tx_dequeue()" (git-fixes).
- wifi: mac80211: Update skb's control block key in
  ieee80211_tx_dequeue() (git-fixes).
- selftests/mm: generate a temporary mountpoint for cgroup
  filesystem (git-fixes).
- selftests/futex: futex_waitv wouldblock test should fail
  (git-fixes).
- phy: freescale: imx8m-pcie: assert phy reset and perst in
  power off (git-fixes).
- PCI: vmd: Make vmd_dev::cfg_lock a raw_spinlock_t type
  (stable-fixes).
- ktest: Fix Test Failures Due to Missing LOG_FILE Directories
  (stable-fixes).
- wifi: mt76: mt76x2u: add TP-Link TL-WDN6200 ID to device table
  (stable-fixes).
- wifi: ath12k: Fix invalid data access in
  ath12k_dp_rx_h_undecap_nwifi (stable-fixes).
- wifi: ath12k: Fix invalid entry fetch in
  ath12k_dp_mon_srng_process (stable-fixes).
- net: usb: asix_devices: add FiberGecko DeviceID (stable-fixes).
- media: uvcvideo: Add quirk for Actions UVC05 (stable-fixes).
- mmc: dw_mmc: add a quirk for accessing 64-bit FIFOs in two
  halves (stable-fixes).
- pm: cpupower: bench: Prevent NULL dereference on malloc failure
  (stable-fixes).
- commit b154b2c

- drm/tests: probe-helper: Fix drm_display_mode memory leak
  (git-fixes).
- drm/tests: modes: Fix drm_display_mode memory leak (git-fixes).
- drm/tests: cmdline: Fix drm_display_mode memory leak
  (git-fixes).
- drm/tests: helpers: Create kunit helper to destroy a
  drm_display_mode (stable-fixes).
- drm/i915/gvt: fix unterminated-string-initialization warning
  (stable-fixes).
- drm/i915: Disable RPG during live selftest (git-fixes).
- gpio: zynq: Fix wakeup source leaks on device unbind
  (stable-fixes).
- drm/amd: Handle being compiled without SI or CIK support better
  (stable-fixes).
- drm/mediatek: mtk_dpi: Explicitly manage TVD clock in power
  on/off (stable-fixes).
- drm/mediatek: mtk_dpi: Move the input_2p_en bit to platform data
  (stable-fixes).
- drm/amdgpu: handle amdgpu_cgs_create_device() errors in
  amd_powerplay_create() (stable-fixes).
- drm/amdkfd: debugfs hang_hws skip GPU with MES (stable-fixes).
- drm/amdkfd: Fix pqm_destroy_queue race with GPU reset
  (stable-fixes).
- drm/amdkfd: Fix mode1 reset crash issue (stable-fixes).
- drm/amdkfd: clamp queue size to minimum (stable-fixes).
- drm/amd/display: add workaround flag to link to force FFE preset
  (stable-fixes).
- drm/bridge: panel: forbid initializing a panel with unknown
  connector type (stable-fixes).
- drm: panel-orientation-quirks: Add quirk for OneXPlayer Mini
  (Intel) (stable-fixes).
- drm: panel-orientation-quirks: Add new quirk for GPD Win 2
  (stable-fixes).
- drm: panel-orientation-quirks: Add quirk for AYA NEO Slide
  (stable-fixes).
- drm: panel-orientation-quirks: Add quirks for AYA NEO Flip DS
  and KB (stable-fixes).
- drm: panel-orientation-quirks: Add support for AYANEO 2S
  (stable-fixes).
- drm: allow encoder mode_set even when connectors change for crtc
  (stable-fixes).
- fbdev: omapfb: Add 'plane' value check (stable-fixes).
- drm/tests: helpers: Fix compiler warning (git-fixes).
- drm/tests: helpers: Add helper for
  drm_display_mode_from_cea_vic() (stable-fixes).
- drm/i915/dg2: wait for HuC load completion before running
  selftests (stable-fixes).
- drm/tests: Add helper to create mock crtc (stable-fixes).
- commit a0a41da

- char: misc: register chrdev region with all possible minors
  (git-fixes).
- Revert "drivers: core: synchronize really_probe() and
  dev_uevent()" (stable-fixes).
- Bluetooth: l2cap: Process valid commands in too long frame
  (stable-fixes).
- drivers: base: devres: Allow to release group on device release
  (stable-fixes).
- Bluetooth: hci_uart: Fix another race during initialization
  (git-fixes).
- Bluetooth: hci_uart: fix race during initialization
  (stable-fixes).
- cdc_ether|r8152: ThinkPad Hybrid USB-C/A Dock quirk
  (stable-fixes).
- ahci: add PCI ID for Marvell 88SE9215 SATA Controller
  (stable-fixes).
- ASoC: amd: yc: update quirk data for new Lenovo model
  (stable-fixes).
- ASoC: fsl_audmix: register card device depends on 'dais'
  property (stable-fixes).
- ASoC: SOF: topology: Use krealloc_array() to replace krealloc()
  (stable-fixes).
- ASoC: amd: Add DMI quirk for ACP6X mic support (stable-fixes).
- ALSA: usb-audio: Fix CME quirk for UF series keyboards
  (stable-fixes).
- ALSA: hda: intel: Add Lenovo IdeaPad Z570 to probe denylist
  (stable-fixes).
- ALSA: hda: intel: Fix Optimus when GPU has no sound
  (stable-fixes).
- drm/tests: Add helper to create mock plane (stable-fixes).
- drm/tests: helpers: Add atomic helpers (stable-fixes).
- drm/i915/xelpg: Extend driver code of Xe_LPG to Xe_LPG+
  (stable-fixes).
- commit 58c19a1

- Update
  patches.suse/vmxnet3-unregister-xdp-rxq-info-in-the-reset-path.patch
  (bsc#1241394 CVE-2025-22106 bsc#1241547).
- commit a998629

- mm: (un)track_pfn_copy() fix + doc improvements (CVE-2025-22090
  bsc#1241537).
- commit 1ccdfdd

- x86/mm/pat: Fix VM_PAT handling when fork() fails in
  copy_page_range() (CVE-2025-22090 bsc#1241537).
- commit f0ac623

- exfat: fix random stack corruption after get_block (bsc#1241426
  CVE-2025-22036).
- commit 1f685c3

- exfat: do not fallback to buffered write (git-fixes).
- commit f7d2bc8

- exfat: drop ->i_size_ondisk (git-fixes).
- commit 9420be9

- fs/ntfs3: Prevent integer overflow in hdr_first_de()
  (bsc#1241416 CVE-2025-22080).
- commit 401237e

- clk: samsung: Fix UBSAN panic in samsung_clk_init()
  (CVE-2025-39728 bsc#1241626).
- commit 146debe

- net: phy: leds: fix memory leak (git-fixes).
- net: phy: microchip: force IRQ polling mode for lan88xx
  (git-fixes).
- crypto: atmel-sha204a - Set hwrng quality to lowest possible
  (git-fixes).
- commit 007e98d

- net: ethtool: Don't call .cleanup_data when prepare_data fails
  (git-fixes).
- ethtool: Fix set RXNFC command with symmetric RSS hash
  (git-fixes).
- ethtool: Fix wrong mod state in case of verbose and no_mask
  bitset (git-fixes).
- ethtool: Fix context creation with no parameters (git-fixes).
- ethtool: fix setting key and resetting indir at once
  (git-fixes).
- ethtool: rss: echo the context number back (git-fixes).
- net: ethtool: Fix RSS setting (git-fixes).
- ethtool: netlink: do not return SQI value if link is down
  (git-fixes).
- ethtool: netlink: Add missing ethnl_ops_begin/complete
  (git-fixes).
- ethtool: don't propagate EOPNOTSUPP from dumps (git-fixes).
- ethtool: plca: fix plca enable data type while parsing the value
  (git-fixes).
- commit 6a09a48

- OPP: add index check to assert to avoid buffer overflow in _read_freq() (bsc#1238961)
- commit 2e43a01

- Test the correct macro to detect RT kernel build
  Fixes: 470cd1a41502 ("kernel-binary: Support livepatch_rt with merged RT branch")
- commit 50e863e

- mm: clear uffd-wp PTE/PMD state on mremap() (bsc#1237111
  CVE-2025-21696).
  Refreshed:
  patches.suse/mm-hugetlb-Add-huge-page-size-param-to-huge_ptep_get_and_clear.patch
- commit e18d57e

- bpf: Make sure internal and UAPI bpf_redirect flags don't
  overlap (bsc#1233098 CVE-2024-50163).
- commit f73adfb

- bpf: selftests: send packet to devmap redirect XDP (bsc#1233075
  CVE-2024-50162).
- bpf: devmap: provide rxq after redirect (bsc#1233075
  CVE-2024-50162).
- commit efb272f

- mm: clear uffd-wp PTE/PMD state on mremap() (bsc#1237111
  CVE-2025-21696).
  Refreshed:
  patches.suse/mm-hugetlb-Add-huge-page-size-param-to-huge_ptep_get_and_clear.patch
- commit 559ab65

- mm/migrate: fix shmem xarray update during migration
  (CVE-2025-22015 bsc#1240944).
- commit 18f748b

- fou: fix initialization of grc (CVE-2024-46763 bsc#1230764).
- commit c144530

- kernel-source: Also update the search to match bin/env
  Fixes: dc2037cd8f94 ("kernel-source: Also replace bin/env"
- commit bae6b69

- rpm/check-for-config-changes: Add GCC_ASM_FLAG_OUTPUT_BROKEN
- commit 816118c

- fou: Fix null-ptr-deref in GRO (CVE-2024-46763 bsc#1230764).
- commit 759f2a9

- hwpoison, memory_hotplug: lock folio before unmap hwpoisoned
  folio (CVE-2025-21931 bsc#1240709).
- commit 1ece281

- net: fix geneve_opt length integer overflow (CVE-2025-22055
  bsc#1241371).
- commit 45017c8

- PCI/MSI: Add an option to write MSIX ENTRY_DATA before any reads
  (git-fixes).
- irqchip/davinci: Remove leftover header (git-fixes).
- tty: n_tty: use uint for space returned by tty_write_room()
  (git-fixes).
- commit 2e047cb

- kABI fix for sctp: detect and prevent references to a freed
  transport in sendmsg (git-fixes).
- commit ce43999

- wifi: ath11k: update channel list in reg notifier instead reg
  worker (CVE-2025-23133 bsc#1241451).
- commit dfc599a

- exfat: short-circuit zero-byte writes in exfat_file_write_iter
  (git-fixes).
- commit c31ee51

- exfat: fix soft lockup in exfat_clear_bitmap (git-fixes).
- commit 527ed08

- nfsd: decrease sc_count directly if fail to queue dl_recall
  (git-fixes).
- commit 91b68ee

- nfs: add missing selections of CONFIG_CRC32 (git-fixes).
- commit f409d6e

- nvmet-fcloop: swap list_add_tail arguments (git-fixes).
- nvme-pci: skip nvme_write_sq_db on empty rqlist (git-fixes).
- nvme/ioctl: don't warn on vectorized uring_cmd with fixed buffer
  (git-fixes).
- nvme-pci: fix stuck reset on concurrent DPC and HP (git-fixes).
- nvme-pci: skip CMB blocks incompatible with PCI P2P DMA
  (git-fixes).
- nvme-pci: clean up CMBMSC when registering CMB fails
  (git-fixes).
- nvme-tcp: fix possible UAF in nvme_tcp_poll (git-fixes).
- commit bf9d0e5

- Move upstreamed smb patch into sorted section
  Also move other out-of-tree patches into the proper section
- commit ba77adc

- rpm/kernel-binary.spec.in: revert the revert change with OrderWithRequires
  The recent change using OrderWithRequires addresses the known issues,
  but also caused regressions for the existing image or package builds.
  For SLE15-SPx, better to be conservative and stick with the older way.
- commit bbe05e4

- Refresh
  patches.suse/kernel-add-product-identifying-information-to-kernel-build.patch.
  scripts/gen-suse_version_h.sh requires bash, yet in Makefile
  CONFIG_SHELL is defined to 'sh'. In openSUSE and SUSE products 'sh' is a
  symbolic link to 'bash', hence this isn't a problem. However
  distributions like Debian and Ubuntu 'sh' is symbolically linked to
  'dash' instead, and gen-suse_version_h.sh will fail to run with
  ./scripts/gen-suse_version_h.sh: 3: Syntax error: "(" unexpected
  make[1]: *** [/home/runner/work/libbpf/libbpf/.kernel/Makefile:1135: include/generated/uapi/linux/suse_version.h] Error 2
  make: *** [Makefile:224: __sub-make] Error 2
  Explicitly use bash to run scripts/gen-suse_version_h.sh to make sure
  it will always work.
- commit 2be3c0f

- scsi: iscsi: Fix missing scsi_host_put() in error path
  (git-fixes).
- scsi: hisi_sas: Enable force phy when SATA disk directly
  connected (git-fixes).
- scsi: lpfc: Restore clearing of NLP_UNREG_INP in ndlp->nlp_flag
  (git-fixes).
- scsi: scsi_debug: Remove a reference to in_use_bm (git-fixes).
- scsi: mpt3sas: Fix a locking bug in an error path (git-fixes).
- scsi: mpi3mr: Fix locking in an error path (git-fixes).
- scsi: mpt3sas: Reduce log level of ignore_delay_remove message
  to KERN_INFO (git-fixes).
- scsi: core: Use GFP_NOIO to avoid circular locking dependency
  (git-fixes).
- commit c9f2a96

- net: annotate data-races around sk->sk_tx_queue_mapping
  (git-fixes).
- commit 39ebbf2

- sctp: detect and prevent references to a freed transport in
  sendmsg (git-fixes).
- commit 1334236

- sctp: add mutual exclusion in proc_sctp_do_udp_port()
  (git-fixes).
- commit 711cff2

- sctp: Fix undefined behavior in left shift operation
  (git-fixes).
- commit a1edf61

- netpoll: Use rcu_access_pointer() in netpoll_poll_lock
  (git-fixes).
- commit 4965a27

- tcp: fix mptcp DSS corruption due to large pmtu xmit
  (git-fixes).
- commit ba5be47

- sctp: ensure sk_state is set to CLOSED if hashing fails in
  sctp_listen_start (git-fixes).
- commit a7b311d

- sctp: fix association labeling in the duplicate COOKIE-ECHO case
  (git-fixes).
- commit f2ab0aa

- sctp: prefer struct_size over open coded arithmetic (git-fixes).
- commit e26aab9

- net: blackhole_dev: fix build warning for ethh set but not used
  (git-fixes).
- commit 9f9bf2f

- net: sctp: fix skb leak in sctp_inq_free() (git-fixes).
- commit ef140e3

- sctp: fix busy polling (git-fixes).
- commit 533e122

- sctp: support MSG_ERRQUEUE flag in recvmsg() (git-fixes).
- commit 1e9a8f7

- i2c: cros-ec-tunnel: defer probe if parent EC is not present
  (git-fixes).
- commit 68f8146

- vmxnet3: unregister xdp rxq info in the reset path
  (bsc#1241394).
- vmxnet3: Fix tx queue race condition with XDP (bsc#1241394).
- commit d09ed0e

- ALSA: hda/realtek - Fixed ASUS platform headset Mic issue
  (git-fixes).
- commit 53f07fb

- Refresh patches.suse/ALSA-hda-realtek-Workaround-for-resume-on-Dell-Venue.patch
  The patch was applied incorrectly to a wrong device
- commit cf41ba6

- Bluetooth: vhci: Avoid needless snprintf() calls (git-fixes).
- wifi: wl1251: fix memory leak in wl1251_tx_work (git-fixes).
- wifi: mac80211: Purge vif txq in ieee80211_do_stop()
  (git-fixes).
- wifi: at76c50x: fix use after free access in at76_disconnect
  (git-fixes).
- Bluetooth: l2cap: Check encryption key size on incoming
  connection (git-fixes).
- Bluetooth: btrtl: Prevent potential NULL dereference
  (git-fixes).
- Bluetooth: hci_event: Fix sending MGMT_EV_DEVICE_FOUND for
  invalid address (git-fixes).
- ASoC: codecs:lpass-wsa-macro: Fix logic of enabling vi channels
  (git-fixes).
- ASoC: codecs:lpass-wsa-macro: Fix vi feedback rate (git-fixes).
- ASoC: Intel: avs: Fix null-ptr-deref in avs_component_probe()
  (git-fixes).
- ASoC: qcom: Fix sc7280 lpass potential buffer overflow
  (git-fixes).
- asus-laptop: Fix an uninitialized variable (git-fixes).
- ata: libata-sata: Save all fields from sense data descriptor
  (git-fixes).
- commit b064ee6

- smb: client: fix folio leaks and perf improvements (bsc#1239997,
  bsc1241265).
- commit 3640faf

- net: mark racy access on sk->sk_rcvbuf (git-fixes).
- commit c7df85a

- net: set SOCK_RCU_FREE before inserting socket into hashtable
  (git-fixes).
- commit 469342f

- net: annotate data-races around sk->sk_dst_pending_confirm
  (git-fixes).
- commit ddac370

- Refresh patches.suse/x86-paravirt-Move-halt-paravirt-calls-under-CONFIG_PARAVIR.patch.
  This fixes a build error
- commit 885e121

- ipv4: fib: annotate races around nh->nh_saddr_genid and
  nh->nh_saddr (git-fixes).
- commit 42e44b7

- rpm/kernel-binary.spec.in: Also order against update-bootloader
  (boo#1228659, boo#1240785, boo#1241038).
- commit fe0a8c9

- crypto: caam/qi - Fix drv_ctx refcount bug (git-fixes).
- commit 004010d

- selftests/bpf: Add a few tests to cover (git-fixes).
- bpf: Add missed var_off setting in coerce_subreg_to_size_sx()
  (git-fixes).
- bpf: Add missed var_off setting in set_sext32_default_val()
  (git-fixes).
- commit 07fae33

- Drop PCI patch that caused a regression (bsc#1241123)
  The patch patches.suse/PCI-Avoid-reset-when-disabled-via-sysfs.patch
  seems causing a regression about missing device passthrough on VM.
  Drop it to address the regression.
- commit 5845d87

- bpf, test_run: Fix use-after-free issue in eth_skb_pkt_type()
  (bsc#1240181 CVE-2025-21867).
- commit 82a6d4f

- Revert commit (bsc#1241051)
  Delete
  patches.suse/mm-various-give-up-if-pte_offset_map-_lock-fails.patch.
- commit c63b737

- rpm/package-descriptions: Add rt and rt_debug descriptions
- commit 09573c0

- fs/ntfs3: add prefix to bitmap_size() and use BITS_TO_U64()
  (bsc#1241250).
- commit a11e79b

- x86/microcode/AMD: Split load_microcode_amd() (git-fixes).
- Refresh
  patches.suse/x86-microcode-AMD-Fix-out-of-bounds-on-systems-with-.patch.
- commit e4a11da

- x86/microcode/AMD: Pay attention to the stepping dynamically (git-fixes).
- commit 581b74c

- x86/microcode/intel: Set new revision only after a successful update (git-fixes).
- commit 7ef0614

- x86/microcode/AMD: Fix a -Wsometimes-uninitialized clang false positive (git-fixes).
- commit 0584d8b

- btrfs: fix hole expansion when writing at an offset beyond EOF
  (bsc#1241151).
- btrfs: fix swap file activation failure due to extents that
  used to be shared (bsc#1241204).
- btrfs: fix race with memory mapped writes when activating swap
  file (bsc#1241204).
- btrfs: fix missing snapshot drew unlock when root is dead
  during swap activation (bsc#1241204).
- btrfs: add and use helper to verify the calling task has locked
  the inode (bsc#1241204).
- commit d9b6443

- sched: address a potential NULL pointer dereference in the
  GRED scheduler (CVE-2025-21980 bsc#1240809).
- commit ce44194

- net: atm: fix use after free in lec_send() (CVE-2025-22004
  bsc#1240835).
- commit 0623761

- llc: do not use skb_get() before dev_queue_xmit()
  (CVE-2025-21925 bsc#1240713).
- commit 79eced9

- tools/power turbostat: report CoreThr per measurement interval
  (git-fixes).
- commit d3776d1

- x86/microcode/AMD: Use the family,model,stepping encoded in the patch  ID (git-fixes).
- Refresh
  patches.suse/x86-microcode-AMD-Flush-patch-buffer-mapping-after-applica.patch.
- commit 88521da

- x86/microcode: Rework early revisions reporting (git-fixes).
- Refresh
  patches.suse/x86-microcode-AMD-Flush-patch-buffer-mapping-after-applica.patch.
- commit 4d17d9e

- ax25: rcu protect dev->ax25_ptr (CVE-2025-21812 bsc#1238471).
- commit 5fd1fff

- x86/microcode: Remove the driver announcement and version (git-fixes).
- commit 46995b1

- x86/tdx: Emit warning if IRQs are enabled during HLT #VE handling (git-fixes).
- commit d56cfaf

- x86/tdx: Fix arch_safe_halt() execution for TDX VMs (git-fixes).
- commit d95d976

- Refresh
  patches.suse/ipv6-remove-hard-coded-limitation-on-ipv6_pinfo.patch.
- commit 0200f55

- hfs/hfsplus: fix slab-out-of-bounds in hfs_bnode_read_key
  (git-fixes).
- commit 6eab8d6

- x86/paravirt: Move halt paravirt calls under CONFIG_PARAVIRT (git-fixes).
- commit df4a06f

- x86/microcode/AMD: Flush patch buffer mapping after application (git-fixes).
- commit 3abf82a

- x86/dumpstack: Fix inaccurate unwinding from exception stacks due to  misplaced assignment (git-fixes).
- commit 9a5f9b4

- x86/entry: Fix ORC unwinder for PUSH_REGS with save_ret=1 (git-fixes).
- commit a987e8f

- x86/uaccess: Improve performance by aligning writes to 8 bytes in  copy_user_generic(), on non-FSRM/ERMS CPUs (git-fixes).
- commit b668be3

- x86/bugs: Add RSB mitigation document (git-fixes).
- commit b8dad0f

- x86/bugs: Don't fill RSB on context switch with eIBRS (git-fixes).
- commit 187dbce

- x86/bugs: Don't fill RSB on VMEXIT with eIBRS+retpoline (git-fixes).
- commit 4f16d88

- x86/bugs: Fix RSB clearing in indirect_branch_prediction_barrier() (git-fixes).
- commit fb3ed54

- x86/bugs: Use SBPB in write_ibpb() if applicable (git-fixes).
- commit 4702713

- x86/bugs: Rename entry_ibpb() to write_ibpb() (git-fixes).
- commit 05f7f50

- selftest/bpf: Add vsock test for sockmap rejecting unconnected
  (bsc#1239470 CVE-2025-21854).
- selftest/bpf: Adapt vsock_delete_on_close to sockmap rejecting
  unconnected (bsc#1239470 CVE-2025-21854).
- vsock/bpf: Warn on socket without transport (bsc#1239470
  CVE-2025-21854).
- commit 9aa107b

- tools/power turbostat: Increase CPU_SUBSET_MAXCPUS to 8192
  (bsc#1241175).
- commit b06e876

- sockmap, vsock: For connectible sockets allow only connected
  (bsc#1239470 CVE-2025-21854).
- bpf: sockmap, test for unconnected af_unix sock (bsc#1239470
  CVE-2025-21854).
- Refresh patches.suse/selftest-bpf-Add-test-for-af_vsock-poll.patch
- bpf: syzkaller found null ptr deref in unix_bpf proto add
  (bsc#1239470 CVE-2025-21854).
- Refresh patches.suse/udp-fix-busy-polling.patch
- Refresh
  patches.suse/bpf-sockmap-SK_DROP-on-attempted-redirects-of-unsupported-.patch
- commit 62e8475

- bpf, vsock: Invoke proto::close on close() (bsc#1239470 CVE-2025-21854).
- Refresh
  patches.suse/vsock-Keep-the-binding-until-socket-destruction.patch.
- Refresh patches.suse/vsock-Orphan-socket-after-transport-release.patch
- commit a88600e

- selftest/bpf: Add test for vsock removal from sockmap on close()
  (bsc#1239470 CVE-2025-21854).
- selftest/bpf: Add test for af_vsock poll() (bsc#1239470
  CVE-2025-21854).
- bpf, vsock: Fix poll() missing a queue (bsc#1239470
  CVE-2025-21854).
- commit 43f792d

- RDMA/core: Silence oversized kvmalloc() warning (git-fixes)
- commit 0801938

- RDMA/cma: Fix workqueue crash in cma_netevent_work_handler (git-fixes)
- commit 8be4a6f

- RDMA/hns: Fix wrong maximum DMA segment size (git-fixes)
- commit 9a0c549

- RDMA/usnic: Fix passing zero to PTR_ERR in usnic_ib_pci_probe() (git-fixes)
- commit 7bf895d

- net: xdp: Disallow attaching device-bound programs in generic
  mode (bsc#1238742 CVE-2025-21808).
- commit c2feb9e

- md/md-bitmap: fix wrong bitmap_limit for clustermd when write sb (bsc#1238212)
  Also reenable patches.suse/md-md-bitmap-fix-writing-non-bitmap-pages-ab99.patch
- commit 22ce219

- bpf: Fix deadlock when freeing cgroup storage (CVE-2024-58088 bsc#1239510)
- commit a5b985f

- dpll: fix xa_alloc_cyclic() error handling (CVE-2025-22016 bsc#1240934)
- commit 2521b46

- devlink: fix xa_alloc_cyclic() error handling (CVE-2025-22017 bsc#1240936)
- commit 6e391e8

- zap_pid_ns_processes: clear TIF_NOTIFY_SIGNAL along with
  TIF_SIGPENDING (bsc#1241167).
- commit 2fe69fb

- caif_virtio: fix wrong pointer check in cfv_probe()
  (CVE-2025-21904 bsc#1240576).
- commit 9a83e3e

- Refresh
  patches.kabi/kABI-fix-for-ipv6-remove-hard-coded-limitation-on-ip.patch.
- commit 81847b0

- xfs: flush inodegc before swapon (git-fixes).
- commit c599968

- net: mana: Switch to page pool for jumbo frames (git-fixes).
- RDMA/mana_ib: Ensure variable err is initialized (git-fixes).
- x86/hyperv: Fix check of return value from snp_set_vmsa()
  (git-fixes).
- commit 2b709c0

- pwm: fsl-ftm: Handle clk_get_rate() returning 0 (git-fixes).
- pwm: rcar: Improve register calculation (git-fixes).
- pwm: mediatek: Prevent divide-by-zero in pwm_mediatek_config()
  (git-fixes).
- commit 9d83cd0

- ata: sata_sx4: Add error handling in pdc20621_i2c_read()
  (git-fixes).
- ata: pata_pxa: Fix potential NULL pointer dereference in
  pxa_ata_probe() (git-fixes).
- commit dcc1d06

- kABI workaround for powercap update (bsc#1241010).
- commit 6da4ad4

- drm/amd/display: Fix out-of-bound accesses (bsc#1240811 CVE-2025-21985)
- commit f9ae89c

- Revert "tcp: Fix bind() regression for v6-only wildcard and"
  This reverts commit 10a8fd3005bd56ac305a4a4e9bf53cfc50aad28f.
  This patch is part of a bigger series [0] and AFAIU can't be applied
  individually. Applying the entire series would result in kABI breakage.
  [0]
  https://lore.kernel.org/all/20231213082029.35149-1-kuniyu@amazon.com/
- commit 9692530

- Update
  patches.suse/Bluetooth-Add-check-for-mgmt_alloc_skb-in-mgmt_devic.patch
  (git-fixes CVE-2025-21936 bsc#1240716).
- Update
  patches.suse/Bluetooth-Add-check-for-mgmt_alloc_skb-in-mgmt_remot.patch
  (git-fixes CVE-2025-21937 bsc#1240643).
- Update
  patches.suse/Bluetooth-Fix-error-code-in-chan_alloc_skb_cb.patch
  (git-fixes CVE-2025-22007 bsc#1240829).
- Update
  patches.suse/HID-appleir-Fix-potential-NULL-dereference-at-raw-ev.patch
  (git-fixes CVE-2025-21948 bsc#1240703).
- Update
  patches.suse/HID-hid-steam-Fix-use-after-free-when-detaching-devi.patch
  (git-fixes CVE-2025-21923 bsc#1240691).
- Update
  patches.suse/HID-ignore-non-functional-sensor-in-HP-5MP-Camera.patch
  (stable-fixes CVE-2025-21992 bsc#1240796).
- Update
  patches.suse/HID-intel-ish-hid-Fix-use-after-free-issue-in-ishtp_.patch
  (git-fixes CVE-2025-21928 bsc#1240722).
- Update
  patches.suse/KVM-arm64-Unconditionally-save-flush-host-FPSIMD-SVE-SME-state.patch
  (git-fixes CVE-2025-22013 bsc#1240938).
- Update
  patches.suse/RDMA-hns-Fix-soft-lockup-during-bt-pages-loop.patch
  (git-fixes CVE-2025-22010 bsc#1240943).
- Update
  patches.suse/accel-qaic-Fix-integer-overflow-in-qaic_validate_req.patch
  (git-fixes CVE-2025-22001 bsc#1240873).
- Update
  patches.suse/bus-mhi-host-pci_generic-Use-pci_try_reset_function-.patch
  (git-fixes CVE-2025-21951 bsc#1240718).
- Update
  patches.suse/can-ucan-fix-out-of-bound-read-in-strscpy-source.patch
  (git-fixes CVE-2025-22003 bsc#1240825).
- Update
  patches.suse/cdx-Fix-possible-UAF-error-in-driver_override_show.patch
  (git-fixes CVE-2025-21915 bsc#1240594).
- Update
  patches.suse/dm-flakey-Fix-memory-corruption-in-optional-corrupt_.patch
  (git-fixes CVE-2025-21966 bsc#1240779).
- Update
  patches.suse/drivers-virt-acrn-hsm-Use-kzalloc-to-avoid-info-leak.patch
  (git-fixes CVE-2025-21950 bsc#1240719).
- Update
  patches.suse/drm-amd-display-Assign-normalized_pix_clk-when-color.patch
  (stable-fixes CVE-2025-21956 bsc#1240739).
- Update
  patches.suse/drm-amd-display-Fix-null-check-for-pipe_ctx-plane_st-374c9fa.patch
  (git-fixes CVE-2025-21941 bsc#1240701).
- Update
  patches.suse/drm-amd-display-Fix-slab-use-after-free-on-hdcp_work.patch
  (git-fixes CVE-2025-21968 bsc#1240783).
- Update
  patches.suse/drm-hyperv-Fix-address-space-leak-when-Hyper-V-DRM-d.patch
  (git-fixes CVE-2025-21978 bsc#1240806).
- Update
  patches.suse/drm-radeon-fix-uninitialized-size-issue-in-radeon_vc.patch
  (git-fixes CVE-2025-21996 bsc#1240801).
- Update
  patches.suse/drm-sched-Fix-fence-reference-count-leak.patch
  (git-fixes CVE-2025-21995 bsc#1240821).
- Update
  patches.suse/gpio-aggregator-protect-driver-attr-handlers-against.patch
  (git-fixes CVE-2025-21943 bsc#1240647).
- Update
  patches.suse/gpio-rcar-Use-raw_spinlock-to-protect-register-acces.patch
  (stable-fixes CVE-2025-21912 bsc#1240584).
- Update
  patches.suse/msft-hv-3170-net-mana-cleanup-mana-struct-after-debugfs_remove.patch
  (git-fixes CVE-2025-21953 bsc#1240727).
- Update
  patches.suse/net_sched-Prevent-creation-of-classes-with-TC_H_ROOT.patch
  (git-fixes CVE-2025-21971 bsc#1240799).
- Update
  patches.suse/nvme-tcp-fix-potential-memory-corruption-in-nvme_tcp.patch
  (git-fixes CVE-2025-21927 bsc#1240714).
- Update
  patches.suse/rapidio-add-check-for-rio_add_net-in-rio_scan_alloc_.patch
  (git-fixes CVE-2025-21935 bsc#1240700).
- Update
  patches.suse/rapidio-fix-an-API-misues-when-rio_add_net-fails.patch
  (git-fixes CVE-2025-21934 bsc#1240708).
- Update
  patches.suse/regulator-check-that-dummy-regulator-has-been-probed.patch
  (stable-fixes CVE-2025-22008 bsc#1240942).
- Update
  patches.suse/regulator-dummy-force-synchronous-probing.patch
  (git-fixes CVE-2025-22009 bsc#1240940).
- Update
  patches.suse/slimbus-messaging-Free-transaction-ID-in-delayed-int.patch
  (git-fixes CVE-2025-21914 bsc#1240595).
- Update
  patches.suse/soc-qcom-pdr-Fix-the-potential-deadlock.patch
  (git-fixes CVE-2025-22014 bsc#1240937).
- Update
  patches.suse/usb-atm-cxacru-fix-a-flaw-in-existing-endpoint-check.patch
  (git-fixes CVE-2025-21916 bsc#1240582).
- Update
  patches.suse/usb-renesas_usbhs-Flush-the-notify_hotplug_work.patch
  (git-fixes CVE-2025-21917 bsc#1240596).
- Update patches.suse/usb-typec-ucsi-Fix-NULL-pointer-access.patch
  (git-fixes CVE-2025-21918 bsc#1240592).
- Update
  patches.suse/wifi-cfg80211-cancel-wiphy_work-before-freeing-wiphy.patch
  (git-fixes CVE-2025-21979 bsc#1240808).
- Update
  patches.suse/wifi-cfg80211-regulatory-improve-invalid-hints-check.patch
  (git-fixes CVE-2025-21910 bsc#1240583).
- Update
  patches.suse/wifi-iwlwifi-limit-printed-string-from-FW-file.patch
  (git-fixes CVE-2025-21905 bsc#1240575).
- Update
  patches.suse/wifi-iwlwifi-mvm-don-t-try-to-talk-to-a-dead-firmwar.patch
  (git-fixes CVE-2025-21930 bsc#1240715).
- Update
  patches.suse/wifi-nl80211-reject-cooked-mode-if-it-is-set-along-w.patch
  (git-fixes CVE-2025-21909 bsc#1240590).
- commit a467018

- affs: don't write overlarge OFS data block size fields
  (git-fixes).
- commit 334bc15

- affs: generate OFS sequence numbers starting at 1 (git-fixes).
- commit f93c833

- nfsd: put dl_stid if fail to queue dl_recall (git-fixes).
- commit 4b6b673

- security, lsm: Introduce security_mptcp_add_subflow()
  (bsc#1240375).
- Refresh
  patches.suse/net-better-track-kernel-sockets-lifetime.patch.
- commit bd8699b

- selinux: Implement mptcp_add_subflow hook (bsc#1240375).
- commit c784a67

- powercap: intel_rapl_tpmi: Enable PMU support (bsc#1241010).
- commit 2a705e9

- powercap: intel_rapl: Introduce APIs for PMU support
  (bsc#1241010).
- commit b0e2847

- drm/amd: Keep display off while going into S4 (stable-fixes).
- Refresh
  patches.suse/drm-amd-display-Restore-correct-backlight-brightness.patch.
- commit e9996bf

- drm/sti: remove duplicate object names (git-fixes).
- drm/nouveau: prime: fix ttm_bo_delayed_delete oops (git-fixes).
- drm/amd/pm/smu11: Prevent division by zero (git-fixes).
- drm/amdgpu/dma_buf: fix page_link check (git-fixes).
- drm/i915/huc: Fix fence not released on early probe errors
  (git-fixes).
- gpio: tegra186: fix resource handling in ACPI probe path
  (git-fixes).
- mtd: rawnand: Add status chack in r852_ready() (git-fixes).
- mtd: inftlcore: Add error check for inftl_read_oob()
  (git-fixes).
- ntb: use 64-bit arithmetic for the MSI doorbell mask
  (git-fixes).
- ntb_hw_switchtec: Fix shift-out-of-bounds in
  switchtec_ntb_mw_set_trans (git-fixes).
- ACPI: resource: Skip IRQ override on ASUS Vivobook 14 X1404VAP
  (stable-fixes).
- mmc: sdhci-pxav3: set NEED_RSP_BUSY capability (stable-fixes).
- hwmon: (nct6775-core) Fix out of bounds access for NCT679{8,9}
  (stable-fixes).
- wifi: mac80211: flush the station before moving it to
  UN-AUTHORIZED state (stable-fixes).
- platform/x86/intel/vsec: Add Diamond Rapids support
  (stable-fixes).
- platform/x86: intel-hid: fix volume buttons on Microsoft
  Surface Go 4 tablet (stable-fixes).
- wifi: brcmfmac: keep power during suspend if board requires it
  (stable-fixes).
- wifi: iwlwifi: mvm: use the right version of the rate API
  (stable-fixes).
- wifi: iwlwifi: fw: allocate chained SG tables for dump
  (stable-fixes).
- HID: i2c-hid: improve i2c_hid_get_report error message
  (stable-fixes).
- ntb: Force physically contiguous allocation of rx ring buffers
  (git-fixes).
- ntb_perf: Fix printk format (git-fixes).
- commit a733ec5

- netfilter: br_netfilter: skip conntrack input hook for promisc
  packets (CVE-2024-27415 bsc#1224757).
- commit 01cefc0

- kabi: restore layout of struct nf_ct_hook after backport of
  commit 62e7151ae3eb (CVE-2024-27415 bsc#1224757).
- netfilter: bridge: confirm multicast packets before passing
  them up the stack (CVE-2024-27415 bsc#1224757).
- commit 69425e5

- netfilter: xtables: fix typo causing some targets not to load
  on IPv6 (CVE-2024-50038 bsc#1231910).
- netfilter: xtables: avoid NFPROTO_UNSPEC where needed
  (CVE-2024-50038 bsc#1231910).
- commit 9ec5161

- net: mctp: unshare packets when reassembling (CVE-2025-21972
  bsc#1240813).
- commit 5878b19

- Reapply "Merge remote-tracking branch 'origin/users/sjaeckel/SLE15-SP6/for-next' into SLE15-SP6"
  This reverts commit 9b78ca60e10c64a737b9db2b85fdd944daac6ae6.
- commit 157dbaf

- net/tcp: refactor tcp_inet6_sk() (git-fixes).
- commit 459f538

- ntb_perf: Delete duplicate dmaengine_unmap_put() call in
  perf_copy_chunk() (git-fixes).
- commit eeb7f74

- ntb: intel: Fix using link status DB's (git-fixes).
- commit a988a90

- s390/cio: Fix CHPID "configure" attribute caching (git-fixes
  bsc#1240979).
- commit a947a32

- s390/pci: Fix zpci_bus_is_isolated_vf() for non-VFs (git-fixes
  bsc#1240978).
- commit 610fa90

- wifi: ath11k: fix memory leak in ath11k_xxx_remove()
  (git-fixes).
- Refresh
  patches.suse/wifi-ath11k-choose-default-PM-policy-for-hibernation.patch.
- Refresh
  patches.suse/wifi-ath11k-support-non-WoWLAN-mode-suspend-as-well.patch.
- commit 5ef71a9

- Update upstream status for ath11k patches
- commit 42fd2e8

- rpm/check-for-config-changes: add LD_CAN_ to IGNORED_CONFIGS_RE
  We now have LD_CAN_USE_KEEP_IN_OVERLAY since commit:
  e7607f7d6d81 ARM: 9443/1: Require linker to support KEEP within OVERLAY for DCE
- commit 7b55ff2

- perf tools: annotate asm_pure_loop.S (bsc#1239906).
- commit a3afe13

- perf/core: Order the PMU list to fix warning about unordered
  pmu_ctx_list (bsc#1240585 CVE-2025-21895).
- commit c393384

- io_uring/kbuf: reallocate buf lists on upgrade (CVE-2025-21836
  bsc#1239066).
- commit 1c3b3b4

- rpm/kernel-binary.spec.in: Use OrderWithRequires (boo#1228659 boo#1241038).
  OrderWithRequires was introduced in rpm 4.9 (ie. SLE12+) to allow
  a package to inform the order of installation of other package without
  hard requiring that package. This means our kernel-binary packages no
  longer need to hard require perl-Bootloader or dracut, resolving the
  long-commented issue there. This is also needed for udev & systemd-boot
  to ensure those packages are installed before being called by dracut
  (boo#1228659)
- commit 634be2c

- usb: dwc3: Set SUSPENDENABLE soon after phy init (git-fixes).
- commit 88d79df

- bpf: avoid holding freeze_mutex during mmap operation
  (git-fixes).
- bpf: unify VM_WRITE vs VM_MAYWRITE use in BPF map mmaping logic
  (git-fixes).
- selftests/bpf: Add test for narrow ctx load for pointer args
  (git-fixes).
- bpf: Check size for BTF-based ctx access of pointer members
  (git-fixes).
- bpf: Fix theoretical prog_array UAF in __uprobe_perf_func()
  (git-fixes).
- bpf: fix potential error return (git-fixes).
- commit 59fa8cd

- tty: serial: 8250: Add Brainboxes XC devices (stable-fixes).
- tty: serial: 8250: Add some more device IDs (stable-fixes).
- net: usb: qmi_wwan: add Telit Cinterion FE990B composition
  (stable-fixes).
- net: usb: qmi_wwan: add Telit Cinterion FN990B composition
  (stable-fixes).
- HID: hid-plantronics: Add mic mute mapping and generalize quirks
  (stable-fixes).
- drm/dp_mst: Add a helper to queue a topology probe
  (stable-fixes).
- drm/dp_mst: Factor out function to queue a topology probe work
  (stable-fixes).
- commit dcc0903

- scsi: qla1280: Fix kernel oops when debug level > 2 (CVE-2025-21957 bsc#1240742)
- commit bd3922a

- io_uring: prevent opcode speculation (CVE-2025-21863
  bsc#1239475).
- commit cf2b4a4

- wifi: rtw89: fix race between cancel_hw_scan and hw_scan completion (CVE-2025-21729 bsc#1237874)
- commit dfb7d10

- OPP: fix dev_pm_opp_find_bw_*() when bandwidth table not initialized (CVE-2024-58068 bsc#1238961)
- commit b424f57

- net: let net.core.dev_weight always be non-zero (CVE-2025-21806 bsc#1238746)
- commit c6ce075

- Refresh patches.suse/Bluetooth-L2CAP-Fix-corrupted-list-in-hci_chan_del.patch
  Drop redundant mutex lock that was forgotten
- commit 8253168

- net/mlx5: Bridge, fix the crash caused by LAG state check
  (CVE-2025-21970 bsc#1240819).
- eth: bnxt: do not update checksum in bnxt_xdp_build_skb()
  (CVE-2025-21960 bsc#1240815).
- eth: bnxt: fix truesize for mb-xdp-pass case (CVE-2025-21961
  bsc#1240816).
- net/mlx5: handle errors in mlx5_chains_create_table()
  (CVE-2025-21975 bsc#1240812).
- commit 5bfb0f9

- x86/microcode/AMD: Fix out-of-bounds on systems with CPU-less
  NUMA nodes (CVE-2025-21991 bsc#1240795).
- x86/amd_nb: Use rdmsr_safe() in amd_get_mmconfig_range()
  (CVE-2025-21913 bsc#1240591).
- commit 718ae0d

- NFS: fix nfs_release_folio() to not deadlock via kcompactd
  writeback (CVE-2025-21908 bsc#1240600).
- commit a2db92f

- kABI workaround for l2cap_conn changes (CVE-2025-21969
  bsc#1240784).
- commit 0c8af58

- Bluetooth: L2CAP: Fix corrupted list in hci_chan_del
  (CVE-2025-21969 bsc#1240784).
- commit 730e49a

- Bluetooth: L2CAP: Fix slab-use-after-free Read in l2cap_send_cmd
  (CVE-2025-21969 bsc#1240784).
- iscsi_ibft: Fix UBSAN shift-out-of-bounds warning in
  ibft_attr_show_nic() (CVE-2025-21993 bsc#1240797).
- commit 80da9db

- drm/amdgpu/gfx11: fix num_mec (git-fixes).
- drm/amd/pm: Prevent division by zero (git-fixes).
- Input: pm8941-pwrkey - fix dev_dbg() output in
  pm8941_pwrkey_irq() (git-fixes).
- Input: synaptics - hide unused smbus_pnp_ids[] array
  (git-fixes).
- commit d5f05d8

- powercap: intel_rapl_tpmi: Fix bogus register reading
  (git-fixes).
- commit 4482ca3

- powercap: intel_rapl_tpmi: Ignore minor version change
  (git-fixes).
- commit 8f97ff8

- powercap: dtpm_devfreq: Fix error check against
  dev_pm_qos_add_request() (git-fixes).
- commit 5af8777

- powercap: intel_rapl_tpmi: Fix System Domain probing
  (git-fixes).
- commit cb855f9

- usbnet:fix NPE during rx_complete (git-fixes).
- platform/x86: ISST: Correct command storage data length
  (git-fixes).
- ASoC: imx-card: Add NULL check in imx_card_probe() (git-fixes).
- ASoC: qdsp6: q6apm-dai: fix capture pipeline overruns
  (git-fixes).
- ASoC: qdsp6: q6apm-dai: set 10 ms period and buffer alignment
  (git-fixes).
- ASoC: qdsp6: q6asm-dai: fix q6asm_dai_compr_set_params error
  path (git-fixes).
- firmware: cs_dsp: Ensure cs_dsp_load[_coeff]() returns 0 on
  success (git-fixes).
- ALSA: hda/realtek: Fix built-in mic on another ASUS VivoBook
  model (git-fixes).
- ALSA: hda/realtek: Fix built-in mic breakage on ASUS VivoBook
  X515JA (git-fixes).
- commit e1c84cd

- vsock: Orphan socket after transport release (CVE-2025-21755 bsc#1237882)
- commit 6317d55

- tpm_tis: Use responseRetry to recover from data transfer errors
  (bsc#1235870).
- commit 6e4dc96

- tpm_tis: Move CRC check to generic send routine (bsc#1235870).
- Refresh patches.suse/tpm_tis-Resend-command-to-recover-from-data-transfer.patch
- commit 66fe063

- Delete patches.suse/tpm-send_data-Wait-longer-for-the-TPM-to-become-read.patch.
  To be replaced with upstream fix.
- commit d0fcf25

- rtnetlink: Allocate vfinfo size for VF GUIDs when supported
  (bsc#1224013).
- commit 34e3f46

- kernel-binary: Support livepatch_rt with merged RT branch
- commit 470cd1a

- arm64: Don't call NULL in do_compat_alignment_fixup() (git-fixes)
- commit 249080a

- arm64: mm: Correct the update of max_pfn (git-fixes)
- commit b6d4b51

- tpm: tis: Double the timeout B to 4s (bsc#1235870).
- commit 2ecc734

- tpm, tpm_tis: Workaround failed command reception on Infineon
  devices (bsc#1235870).
- commit cc21438

- ice: fix memory leak in aRFS after reset (CVE-2025-21981
  bsc#1240612).
- ppp: Fix KMSAN uninit-value warning with bpf (CVE-2025-21922
  bsc#1240639).
- net: hns3: make sure ptp clock is unregister and freed
  if hclge_ptp_get_cycle returns an error (CVE-2025-21924
  bsc#1240720).
- net: enetc: VFs do not support HWTSTAMP_TX_ONESTEP_SYNC
  (CVE-2025-21894 bsc#1240581).
- net: enetc: Replace ifdef with IS_ENABLED (CVE-2025-21894
  bsc#1240581).
- commit e9dce38

- wifi: iwlwifi: mvm: clean up ROC on failure (CVE-2025-21906
  bsc#1240587).
- commit 887f91d

- lib: scatterlist: fix sg_split_phys to preserve original
  scatterlist offsets (git-fixes).
- acpi: nfit: fix narrowing conversion in acpi_nfit_ctl
  (git-fixes).
- commit ea68f49

- smb: client: fix open_cached_dir retries with 'hard' mount
  option (bsc#1240616).
- commit 504723c

- exfat: fix the infinite loop in exfat_find_last_cluster()
  (git-fixes).
- commit 8b30c73

- rpm/check-for-config-changes: ignore DRM_MSM_VALIDATE_XML
  This option is dynamically enabled to build-test different configurations.
  This makes run_oldconfig.sh complain sporadically for arm64.
- commit 8fbe8b1

- net: fix data-races around sk->sk_forward_alloc (CVE-2024-53124
  bsc#1234074).
- commit ea48905

- sctp: fix possible UAF in sctp_v6_available() (CVE-2024-53139
  bsc#1234157).
- commit 779dfcf

- usb: xhci: correct debug message page size calculation
  (git-fixes).
- ucsi_ccg: Don't show failed to get FW build information error
  (git-fixes).
- serial: 8250_dma: terminate correct DMA in tx_dma_flush()
  (git-fixes).
- tty: serial: fsl_lpuart: disable transmitter before changing
  RS485 related registers (git-fixes).
- staging: rtl8723bs: select CONFIG_CRYPTO_LIB_AES (git-fixes).
- counter: microchip-tcb-capture: Fix undefined counter channel
  state on probe (git-fixes).
- counter: stm32-lptimer-cnt: fix error handling when enabling
  (git-fixes).
- ACPI: x86: Extend Lenovo Yoga Tab 3 quirk with skip GPIO
  event-handlers (git-fixes).
- objtool: Fix segfault in ignore_unreachable_insn() (git-fixes).
- objtool, media: dib8000: Prevent divide-by-zero in
  dib8000_set_dds() (git-fixes).
- objtool, spi: amd: Fix out-of-bounds stack access in
  amd_set_spi_freq() (git-fixes).
- counter: fix privdata alignment (git-fixes).
- commit 8ea2563

- Move upstreamed ACPI patch into sorted section
- commit 871d0d6

- tty: serial: lpuart: only disable CTS instead of overwriting
  the whole UARTMODIR register (git-fixes).
- PCI: histb: Fix an error handling path in histb_pcie_probe()
  (git-fixes).
- PCI: Fix BAR resizing when VF BARs are assigned (git-fixes).
- PCI: Fix reference leak in pci_register_host_bridge()
  (git-fixes).
- commit 808a9df

- net: better track kernel sockets lifetime (CVE-2025-21884
  bsc#1240171).
- net: Add net_passive_inc() and net_passive_dec() (CVE-2025-21884
  bsc#1240171).
- commit 741fa11

- Update
  patches.suse/RDMA-core-Don-t-expose-hw_counters-outside-of-init-n.patch
  (git-fixes bsc#1239925).
- Update
  patches.suse/kABI-fix-for-RDMA-core-Don-t-expose-hw_counters-outs.patch
  (git-fixes bsc#1239925).
  Add bug reference.
- commit 8eef29b
expat
- version update to 2.7.1
    Bug fixes:
    [#980] #989  Restore event pointer behavior from Expat 2.6.4
    (that the fix to CVE-2024-8176 changed in 2.7.0);
    affected API functions are:
  - XML_GetCurrentByteCount
  - XML_GetCurrentByteIndex
  - XML_GetCurrentColumnNumber
  - XML_GetCurrentLineNumber
  - XML_GetInputContext
    Other changes:
    [#976] #977  Autotools: Integrate files "fuzz/xml_lpm_fuzzer.{cpp,proto}"
    with Automake that were missing from 2.7.0 release tarballs
    [#983] #984  Fix printf format specifiers for 32bit Emscripten
    [#992]  docs: Promote OpenSSF Best Practices self-certification
    [#978]  tests/benchmark: Resolve mistaken double close
    [#986]  Address compiler warnings
    [#990] #993  Version info bumped from 11:1:10 (libexpat*.so.1.10.1)
    to 11:2:10 (libexpat*.so.1.10.2); see https://verbump.de/
    for what these numbers do
    Infrastructure:
    [#982]  CI: Start running Perl XML::Parser integration tests
    [#987]  CI: Enforce Clang Static Analyzer clean code
    [#991]  CI: Re-enable warning clang-analyzer-valist.Uninitialized
    for clang-tidy
    [#981]  CI: Cover compilation with musl
    [#983] #984  CI: Cover compilation with 32bit Emscripten
    [#976] #977  CI: Protect against fuzzer files missing from future
    release archives

- version update to 2.7.0 for SLE-15-SP4
- deleted patches
  - expat-CVE-2022-25235.patch (upstreamed)
  - expat-CVE-2022-25236-relax-fix.patch (upstreamed)
  - expat-CVE-2022-25236.patch (upstreamed)
  - expat-CVE-2022-25313-fix-regression.patch (upstreamed)
  - expat-CVE-2022-25313.patch (upstreamed)
  - expat-CVE-2022-25314.patch (upstreamed)
  - expat-CVE-2022-25315.patch (upstreamed)
  - expat-CVE-2022-40674.patch (upstreamed)
  - expat-CVE-2022-43680.patch (upstreamed)
  - expat-CVE-2023-52425-1.patch (upstreamed)
  - expat-CVE-2023-52425-2.patch (upstreamed)
  - expat-CVE-2023-52425-backport-parser-changes.patch (upstreamed)
  - expat-CVE-2023-52425-fix-tests.patch (upstreamed)
  - expat-CVE-2024-28757.patch (upstreamed)
  - expat-CVE-2024-45490.patch (upstreamed)
  - expat-CVE-2024-45491.patch (upstreamed)
  - expat-CVE-2024-45492.patch (upstreamed)
  - expat-CVE-2024-50602.patch (upstreamed)

- version update to 2.7.0 (CVE-2024-8176 [bsc#1239618])
  * Security fixes:
    [#893] #973  CVE-2024-8176 -- Fix crash from chaining a large number
    of entities caused by stack overflow by resolving use of
    recursion, for all three uses of entities:
  - general entities in character data ("<e>&g1;</e>")
  - general entities in attribute values ("<e k1='&g1;'/>")
  - parameter entities ("%p1;")
    Known impact is (reliable and easy) denial of service:
    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:H/RL:O/RC:C
    (Base Score: 7.5, Temporal Score: 7.2)
    Please note that a layer of compression around XML can
    significantly reduce the minimum attack payload size.
  * Other changes:
    [#935] #937  Autotools: Make generated CMake files look for
    libexpat.@SO_MAJOR@.dylib on macOS
    [#925]  Autotools: Sync CMake templates with CMake 3.29
  [#945] #962 #966  CMake: Drop support for CMake <3.13
    [#942]  CMake: Small fuzzing related improvements
    [#921]  docs: Add missing documentation of error code
    XML_ERROR_NOT_STARTED that was introduced with 2.6.4
    [#941]  docs: Document need for C++11 compiler for use from C++
    [#959]  tests/benchmark: Fix a (harmless) TOCTTOU
    [#944]  Windows: Fix installer target location of file xmlwf.xml
    for CMake
    [#953]  Windows: Address warning -Wunknown-warning-option
    about -Wno-pedantic-ms-format from LLVM MinGW
    [#971]  Address Cppcheck warnings
    [#969] #970  Mass-migrate links from http:// to https://
    [#947] #958 ..
    [#974] #975  Document changes since the previous release
    [#974] #975  Version info bumped from 11:0:10 (libexpat*.so.1.10.0)
    to 11:1:10 (libexpat*.so.1.10.1); see https://verbump.de/
    for what these numbers do

- no source changes, just adding jira reference: jsc#SLE-21253
freetype2
- enable brotli support (jsc#PED-12258)
libgcrypt
- FIPS: Pad PKCS1.5 signatures with SHA3 correctly [bsc#1241605]
  * Add libgcrypt-FIPS-sha3-asn.patch
ncurses
- Modify patch ncurses-5.9-ibm327x.dif
  * Backport sclp terminfo description entry if for s390 sclp terminal lines
  * Add a further sclp entry for qemu s390 based systems
  * Make use of dumb
openssl-3
- Security fix: [bsc#1240366]
  * Minerva side channel vulnerability in P-384 on PPC arch
  * Add openssl-3-p384-minerva-ppc.patch
  * Add openssl-3-p384-minerva-ppc-p9.patch

- Security fix: [bsc#1240607]
  * Check ssl/ssl3_read_internal null pointer [from commit 38b051a]
  * Add openssl-check-ssl_read_internal-nullptr.patch

- FIPS: Fix EMS in crypto-policies FIPS:NO-ENFORCE-EMS
  * [bsc#1230959, bsc#1232326, bsc#1231748]
  * Add patch openssl-FIPS-fix-EMS-support.patch
librdkafka
- 0001-Fix-timespec-conversion-to-avoid-infinite-loop-2108-.patch:
  avoid endless loops (bsc#1242842)
ruby2.5
- update suse.patch to 736ea75f25d52fdebb88ed6583468bd7c21190f6
  - fix ReDoS in CGI::Util#escapeElement
    bsc#1237806 CVE-2025-27220
  - fix denial of service in CGI::Cookie.parse
    bsc#1237804 CVE-2025-27219

- update suse.patch to 6bf78da1fc4048a11a8612741216ebc47d9ebb41
  - move the request smuggling patch to the correct place
    actually fixes bsc#1230930 CVE-2024-47220 and now boo#1235773
libsolv
- build both static and dynamic libraries on new suse distros
- support the apk package and repository format (both v2 and v3)
- new dataiterator_final_{repo,solvable} functions
- bump version to 0.7.32

- Provide a symbol specific for the ruby-version
  so yast does not break across updates (boo#1235598)
sqlite3
- Sync version 3.49.1 from Factory (jsc#SLE-16032):
  * CVE-2025-29087, bsc#1241020: Fix a bug in the concat_ws()
    function, introduced in version 3.44.0, that could lead to a
    memory error if the separator string is very large (hundreds
    of megabytes).
  * CVE-2025-29088, bsc#1241078: Enhanced the
    SQLITE_DBCONFIG_LOOKASIDE interface to make it  more robust
    against misuse.
  * Obsoletes sqlite3-rtree-i686.patch
libxml2
- security update
- added patches
  CVE-2025-32414 [bsc#1241551], out-of-bounds read when parsing text via the Python API
  + libxml2-CVE-2025-32414.patch
  CVE-2025-32415 [bsc#1241453], a crafted XML document may lead to a heap-based buffer under-read
  + libxml2-CVE-2025-32415.patch
libzypp
- fixed build with boost 1.88.
- XmlReader: Fix detection of bad input streams (fixes #635)
  libxml2 2.14 potentially reads the complete stream, so it may
  have the 'eof' bit set. Which is not 'good' but also not 'bad'.
- rpm: Fix detection of %triggerscript starts (bsc#1222044)
- RepoindexFileReader: add more <repo> related attributes a
  service may set.
  Add optional attributes gpgcheck, repo_gpgcheck, pkg_gpgcheck,
  keeppackages, gpgkey, mirrorlist, and metalink with the same
  semantic as in a .repo file.
- version 17.36.7 (35)

- Drop workaround for broken rpm-4.18 in Code16 (bsc#1237172)
- BuildRequires:  %{libsolv_devel_package} >= 0.7.32.
  Code16 moved static libs to libsolv-devel-static.
- Drop usage of SHA1 hash algorithm because it will become
  unavailable in FIPS mode (bsc#1240529)
- Fix zypp.conf dupAllowVendorChange to reflect the correct
  default (false).
  The default was true in Code12 (libzypp-16.x) and changed to
  false with Code15 (libzypp-17.x). Unfortunately this was done by
  shipping a modified zypp.conf file rather than fixing the code.
- zypp.conf: Add `lock_timeout` ($ZYPP_LOCK_TIMEOUT) (bsc#1239809)
- version 17.36.6 (35)

- Fix computation of RepStatus if Repo URLs change.
- Fix lost double slash when appending to an absolute FTP url
  (bsc#1238315)
  Ftp actually differs between absolute and relative URL paths.
  Absolute path names begin with a double slash encoded as '/%2F'.
  This must be preserved when manipulating the path.
- version 17.36.5 (35)

- Add a transaction package preloader (fixes openSUSE/zypper#104)
  This patch adds a preloader that concurrently downloads files
  during a transaction commit. It's not yet enabled per default.
  To enable the preview set ZYPP_CURL2=1 and ZYPP_PCK_PRELOAD=1
  in the environment.
- RpmPkgSigCheck_test: Exchange the test package signingkey
  (fixes #622)
- Exclude MediaCurl tests if DISABLE_MEDIABACKEND_TESTS (fixes #626)
- Strip a mediahandler tag from baseUrl querystrings.
- version 17.36.4 (35)
openssh
- Enable --with-logind to call the SetTTY dbus method in systemd.
  This allows "wall" to print messages in ssh ttys (bsc#1239671)
- Small fixes to unref the dbus session when any error occurs:
  * logind_set_tty.patch

- Added openssh-cve-2025-32728.patch (bsc#1241012, CVE-2025-32728).
  This fixes an upstream logic error handling the DisableForwarding
  option.
pam
- pam_unix/passverify: (get_account_info) [!HELPER_COMPILE]: Always return
  PAM_UNIX_RUN_HELPER instead of trying to obtain the shadow password file
  entry.
  [passverify-always-run-the-helper-to-obtain-shadow_pwd.patch, bsc#1232234,
  CVE-2024-10041]
- Do not reject the user with a hash assuming it's non-empty.
  [pam_unix-allow-empty-passwords-with-non-empty-hashes.patch]
patterns-base
- add bpftool to patterns enhanced base. jsc#PED-8375
salt
- Fix aptpkg 'NoneType object has no attribute split' error
- Detect openEuler as RedHat family OS
- Ensure the correct crypt module is loaded
- Implement multiple inventory for ansible.targets
- Make x509 module compatible with M2Crypto 0.44.0
- Remove deprecated code from x509.certificate_managed test mode
- Move logrotate config to /usr/etc/logrotate.d where possible
- Add DEB822 apt repository format support
- Make Salt-SSH work with all SSH passwords (bsc#1215484)
- Fix issue of using update-alternatives with alts (#105)
- Fix virt_query outputter and add support for block devices
- Make _auth calls visible with master stats
- Repair mount.fstab_present always returning pending changes
- Set virtual grain in Podman systemd container
- Fix crash due wrong client reference on `SaltMakoTemplateLookup`
- Enhace batch async and fix some detected issues
- Enhacement of Salt packaging
  * Use update-alternatives for all salt scripts
  * Use flexible dependencies for the subpackages
  * Make salt-minion to require flavored zypp-plugin
  * Make zyppnotify to use update-alternatives
  * Drop unused yumnotify plugin
  * Add dependency to python3-dnf-plugins-core for RHEL based
- Fix tests failures after "repo.saltproject.io" deprecation
- Fix error to stat '/root/.gitconfig' on gitfs
  (bsc#1230944) (bsc#1234881) (bsc#1220905)
- Adapt to removal of hex attribute in pygit2 v1.15.0 (bsc#1230642)
- Enhance smart JSON parsing when garbage is present (bsc#1231605)
- Fix virtual grains for VMs running on Nutanix AHV (bsc#1234022)
- Fix issues running on Python 3.12 and 3.13
- Added:
  * fix-deb822-nonetype-object-has-no-attribute-split-71.patch
  * detect-openeuler-as-redhat-family-os.patch
  * ensure-the-correct-crypt-module-is-loaded.patch
  * implement-multiple-inventory-for-ansible.targets.patch
  * make-x509-module-compatible-with-m2crypto-0.44.0.patch
  * remove-deprecated-code-from-x509.certificate_managed.patch
  * add-deb822-apt-source-format-support-692.patch
  * remove-password-from-shell-after-functional-text-mat.patch
  * repair-virt_query-outputter-655.patch
  * make-_auth-calls-visible-with-master-stats-696.patch
  * repair-fstab_present-test-mode-702.patch
  * set-virtual-grain-in-podman-systemd-container-703.patch
  * fixed-file-client-private-attribute-reference-on-sal.patch
  * backport-batch-async-fixes-and-improvements-701.patch
  * fix-tests-failures-after-repo.saltproject.io-depreca.patch
  * fix-failed-to-stat-root-.gitconfig-issue-on-gitfs-bs.patch
  * update-for-deprecation-of-hex-in-pygit2-1.15.0-and-a.patch
  * enhance-find_json-garbage-filtering-bsc-1231605-688.patch
  * fix-virtual-grains-for-vms-running-on-nutanix-ahv-bs.patch
  * fix-issues-that-break-salt-in-python-3.12-and-3.13-6.patch
python-cryptography
- Update vendor tarball to fix CVE-2025-3416 (bsc#1242631)
samba
- Fix Samba printers reporting invalid sid during print jobs;
  (bsc#1234210); (bso#15792).
supportutils
- Changes to version 3.2.10
  + network.txt collect all firewalld zones (pr#233)
  + Collects gfs2 info (PED-11853, pr#235, pr#236)
  + Ignore tasks/threads to prevent collecting duplicate fd data in open_files (bsc#1230371, pr#237)
  + Added openldap2_5 support for SLES (pr#238)
  + Collects additional hawk details (pr#239)
  + Optimized filtering D/Z processes (pr#241)
  + Collect firewalld permanent configuration (pr#243)
  + ldap_info: support for multiple DBs and sanitize olcRootPW (bsc#1231838, pr#247)
  + Added dbus_info for dbus.txt (bsc#1222650, pr#248)

- Changes to version 3.2.9
  + Map running PIDs to RPM package owner aiding BPF program detection (bsc#1222896, bsc#1213291, PED-8221)
  + Supportconfig available in current distro (PED-7131)
  + Corrected display issues (bsc#1231396)
  + NFS takes too long, showmount times out (bsc#1231423)
  + Merged sle15 and master branches (bsc#1233726, PED-11669)
timezone
- Update to 2025b:
  * New zone for Aysén Region in Chile (America/Coyhaique) which
    moves from -04/-03 to -03
- Refresh patches
  * revert-philippines-historical-data.patch
  * tzdata-china.diff
xen
- Update to Xen 4.18.5 security bug fix release (bsc#1027519)
  xen-4.18.5-testing-src.tar.bz2
- Dropped patches contained in new tarball
  658190ea-x86-non-BIGMEM-on-16Tb-systems.patch
  66dedebf-x86-HVM-recursion-in-linear-rw.patch
  67645902-libxg-increase-LZMA_BLOCK_SIZE.patch
  6776dea1-x86-spec-ctrl-SRSO_U-S_NO-and-SRSO_MSR_FIX.patch
  677bcb65-x86-traps-rework-LER-init-and.patch
  677c1a7c-x86-AMD-misc-setup-for-Fam1A.patch
  67921698-x86-HVM-MMIO-emul-cache-bounds-check.patch
  67935a31-x86-HVM-dyn-alloc-emul-cache-ents.patch
  67935a4c-x86-HVM-rw-split-at-page.patch
  67977673-x86-IOMMU-check-CMPXCHG16B-when-enabling.patch
  67977677-AMD-IOMMU-atomically-update-IRTE.patch
  679796ff-x86-PV-further-harden-guest-mem-access.patch
  67a5cb5f-radix-tree-purge-node-alloc-hooks.patch
  67a5cb94-radix-tree-introduce-RADIX_TREE_INIT.patch
  67acb684-x86-offline-APs-with-IRQs-disabled.patch
  67acb685-x86-SMP-disable-IRQs-ahead-of-AP-shutdown.patch
  67acb686-x86-PCI-disable-MSI-at-shutdown.patch
  67acb687-x86-IOMMU-disable-IRQs-at-shutdown.patch
  67b4961e-console-dont-truncate-panic-messages.patch
  67b49d86-memory-resource_max_frames-retval.patch
  67b5d27c-SVM-separate-STI-from-VMRUN.patch
  67c06178-x86-IOMMU-bus-to-bridge-lock-acquired-IRQ-safe.patch
  67c818d6-x86-PVH-dom0-correct-iomem_caps-bound.patch
  67c818d8-x86-Dom0-relax-Interrupt-Address-Range.patch
  67c86fc1-xl-fix-channel-configuration-setting.patch
  67cb03e0-x86-vlapic-ESR-write-handling.patch
  67d17edd-x86-expose-MSR_FAM10H_MMIO_CONF_BASE-on-AMD.patch
  67d17ede-VT-x-PI-usage-of-msi_desc-msg-field.patch
  67d2a3fe-libxl-avoid-infinite-loop-in-libxl__remove_directory.patch
  67dada68-x86-mm-IS_ALIGNED-in-IS_LnE_ALIGNED.patch
  67ea4268-x86-P2M-sync-fast-slow-p2m_get_page_from_gfn.patch
  6800b54f-x86-HVM-update-repeat-count-upon.patch
  68076044-x86emul-clip-rep-count-for-STOS.patch
  6808f549-x86-Intel-work-around-MONITOR-MWAIT-errata.patch
  68221f20-x86-alternative-when-feature-not-present.patch
  68221f21-x86-guest-remove-Xen-hypercall_page.patch
  68221f22-x86-misalign-__x86_indirect_thunk.patch
  68221f23-x86-misalign-RETs-in-clear_bhb_loops.patch
  68221f24-x86-stubs-introduce-place_ret.patch
  68221f25-x86-build-with-Return-Thunks.patch
  68221f26-x86-spec-ctrl-synthesise-ITS_NO.patch

- Failed to boot with XEN kernel on DL580 Gen12 (bsc#1242490)
  658190ea-x86-non-BIGMEM-on-16Tb-systems.patch
- bsc#1243117 - VUL-0: CVE-2024-28956: xen: Intel CPU: Indirect
  Target Selection (ITS) (XSA-469)
  68221f20-x86-alternative-when-feature-not-present.patch
  68221f21-x86-guest-remove-Xen-hypercall_page.patch
  68221f22-x86-misalign-__x86_indirect_thunk.patch
  68221f23-x86-misalign-RETs-in-clear_bhb_loops.patch
  68221f24-x86-stubs-introduce-place_ret.patch
  68221f25-x86-build-with-Return-Thunks.patch
  68221f26-x86-spec-ctrl-synthesise-ITS_NO.patch

- Upstream bug fixes (bsc#1027519)
  67c818d6-x86-PVH-dom0-correct-iomem_caps-bound.patch
  67c818d8-x86-Dom0-relax-Interrupt-Address-Range.patch
  67dada68-x86-mm-IS_ALIGNED-in-IS_LnE_ALIGNED.patch
  67ea4268-x86-P2M-sync-fast-slow-p2m_get_page_from_gfn.patch
  67f8ecda-rangeset-incorrect-subtraction.patch
  6800b54f-x86-HVM-update-repeat-count-upon.patch
  68076044-x86emul-clip-rep-count-for-STOS.patch
  6808f549-x86-Intel-work-around-MONITOR-MWAIT-errata.patch
zypper
- Updated translations (bsc#1230267)
- version 1.14.89

- Do not double encode URL strings passed on the commandline
  (bsc#1237587)
  URLs passed on the commandline must have their special chars
  encoded already. We just want to check and encode forgotten
  unsafe chars like a blank. A '%' however must not be encoded
  again.
- version 1.14.88

- Package preloader that concurrently downloads files. It's not yet
  enabled per default. To enable the preview set ZYPP_CURL2=1 and
  ZYPP_PCK_PRELOAD=1 in the environment. (#104)
- BuildRequires:  libzypp-devel >= 17.36.4.
- version 1.14.87

- refresh: add --include-all-archs (fixes #598)
  Future multi-arch repos may allow to download only those metadata
  which refer to packages actually compatible with the systems
  architecture. Some tools however want zypp to provide the full
  metadata of a repository without filtering incompatible
  architectures.
- info,search: add option to search and list Enhances
  (bsc#1237949)
- version 1.14.86