suse-sles-15-sp6-chost-byos-v20250408-hvm-ssd-arm64 Package Source Changes

apparmor

- Allow dovecot-auth to execute unix_chkpwd from /sbin, not only from /usr/bin
  (bsc#1234452)
  * Update dovecot-unix_chkpwd.diff

ca-certificates-mozilla

- explit remove distruted certs, as the distrust does not get exported
  correctly and the SSL certs are still trusted. (bsc#1240343)
  - Entrust.net Premium 2048 Secure Server CA
  - Entrust Root Certification Authority
  - AffirmTrust Commercial
  - AffirmTrust Networking
  - AffirmTrust Premium
  - AffirmTrust Premium ECC
  - Entrust Root Certification Authority - G2
  - Entrust Root Certification Authority - EC1
  - GlobalSign Root E46
  - GLOBALTRUST 2020
- remove-distrusted.patch: apply to certdata.txt

- Fix awk to compare (missing a =) and give the following output:
  [#] NSS_BUILTINS_LIBRARY_VERSION "2.74"

- pass file argument to awk (bsc#1240009)

- update to 2.74 state of Mozilla SSL root CAs:
  Removed:
  * SwissSign Silver CA - G2
  Added:
  * D-TRUST BR Root CA 2 2023
  * D-TRUST EV Root CA 2 2023

- remove extensive signature printing in comments of the cert
  bundle

- Define two macros to break a build cycle with p11-kit.

- Updated to 2.72 state of Mozilla SSL root CAs (bsc#1234798)
  Removed:
  - SecureSign RootCA11
  - Security Communication RootCA3
  Added:
  - TWCA CYBER Root CA
  - TWCA Global Root CA G2
  - SecureSign Root CA12
  - SecureSign Root CA14
  - SecureSign Root CA15

cpupower

- For latest changelog entries, please look up the changelog of
  a kernel-FLAVOR or kernel-source with the exact same version and
  release build number.
  rpm -q --changelog kernel-source |grep "turbostat\|intel-speed-select|cpupower"

docker

- Don't use the new container-selinux conditional requires on SLE-12, as the
  RPM version there doesn't support it. Arguably the change itself is a bit
  suspect but we can fix that later. bsc#1237367

- Add backport for golang.org/x/oauth2 CVE-2025-22868 fix. bsc#1239185
  + 0006-CVE-2025-22868-vendor-jws-split-token-into-fixed-num.patch
- Add backport for golang.org/x/crypto CVE-2025-22869 fix. bsc#1239322
  + 0007-CVE-2025-22869-vendor-ssh-limit-the-size-of-the-inte.patch
- Refresh patches:
  * 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
  * 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
  * 0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch
  * 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
  * 0005-SLE12-revert-apparmor-remove-version-conditionals-fr.patch

- Make container-selinux requirement conditional on selinux-policy
  (bsc#1237367)

dracut

- Update to version 059+suse.557.gccd6ab94:
  * fix(iscsi): make sure services are shut down when switching root (bsc#1237695)
  * fix(iscsi): don't require network setup for qedi
  * fix(network-legacy): do not require pgrep when using wicked (bsc#1236982)

gettext-runtime

- Fix crash while handling po files with malformed header and
  process them properly
  (0003-Fix-malformed-header-processing.patch, boo#1227316).

hwinfo

- merge gh#openSUSE/hwinfo#152
- avoid reporting of spurious usb storage devices (bsc#1223330)
- 21.87

- merge gh#openSUSE/hwinfo#151
- do not overdo usb device de-duplication (bsc#1239663)
- 21.86

freetype2

- Added patch:
  * CVE-2025-27363.patch
    + fixes bsc#1239465, CVE-2025-27363: out-of-bounds write when
    attempting to parse font subglyph structures related to
    TrueType GX and variable font files

xz

- Add CVE-2025-31115.patch
  * Fix heap use after free and writing to an address based on the null
    pointer plus an offset (CVE-2025-31115, bsc#1240414)

python3

- Update CVE-2024-11168-validation-IPv6-addrs.patch
  according to the Debian version
  (gh#python/cpython#103848#issuecomment-2708135083).

systemd

- Import commit 83b9060b6e4c9cdffbbed0e27467cbd2f806dc0d
  09b7477895 udev: allow/denylist for reading sysfs attributes when composing a NIC name (bsc#1234015)
- Drop 5004-udev-allow-denylist-for-reading-sysfs-attributes-whe.patch
  The path has been merged into the SUSE/v254 branch.

- Import commit 2b599c7501253b0e6b7987fdb2676af21bc72ab3 (merge of v254.24)
  For a complete list of changes, visit:
  https://github.com/openSUSE/systemd/compare/b25faa18ee7ef3c2d0b16416dfa331d0013dd112...2b599c7501253b0e6b7987fdb2676af21bc72ab3

- Import commit b25faa18ee7ef3c2d0b16416dfa331d0013dd112
  b4693652f3 journald: close runtime journals before their parent directory removed
  044d051f0c journald: reset runtime seqnum data when flushing to system journal (bsc#1236886)

- Move systemd-userwork from the experimental sub-package to the main package (bsc#1236643)
  It is likely an oversight from when systemd-userdb was migrated from the
  experimental package to the main one.

openssh

- Fix ssh client segfault with GSSAPIKeyExchange=yes in ssh_kex2
  due to gssapi proposal not being correctly initialized
  (bsc#1236826). The problem was introduced in the rebase of
  the patch for 9.6p1:
  * openssh-8.0p1-gssapi-keyex.patch
- Rebase patch and apply it:
  * fix-memleak-in-process_server_config_line_depth.patch

python-Jinja2

- Add security patch CVE-2025-27516.patch (bsc#1238879)

suse-build-key

- changed keys to use SHA256 UIDs instead of SHA1. (bsc#1237294
  bsc#1236779 jsc#PED-12321)
  - gpg-pubkey-3fa1d6ce-67c856ee.asc to gpg-pubkey-09d9ea69-67c857f3.asc
  - gpg-pubkey-09d9ea69-645b99ce.asc to gpg-pubkey-3fa1d6ce-63c9481c.asc
  - suse_ptf_key_2023.asc, suse_ptf_key.asc: adjusted

vim

- Introduce patch to fix bsc#1235751 (regression).
  * vim-9.1.1134-revert-putty-terminal-colors.patch
- Update to 9.1.1176. Changes:
  * 9.1.1176: wrong indent when expanding multiple lines
  * 9.1.1175: inconsistent behaviour with exclusive selection and motion commands
  * 9.1.1174: tests: Test_complete_cmdline() may fail
  * 9.1.1173: filetype: ABNF files are not detected
  * 9.1.1172: [security]: overflow with 'nostartofline' and Ex command in tag file
  * 9.1.1171: tests: wrong arguments passed to assert_equal()
  * 9.1.1170: wildmenu highlighting in popup can be improved
  * 9.1.1169: using global variable for get_insert()/get_lambda_name()
  * 9.1.1168: wrong flags passed down to nextwild()
  * 9.1.1167: mark '] wrong after copying text object
  * 9.1.1166: command-line auto-completion hard with wildmenu
  * 9.1.1165: diff: regression with multi-file diff blocks
  * 9.1.1164: [security]: code execution with tar.vim and special crafted tar files
  * 9.1.1163: $MYVIMDIR is set too late
  * 9.1.1162: completion popup not cleared in cmdline
  * 9.1.1161: preinsert requires bot "menu" and "menuone" to be set
  * 9.1.1160: Ctrl-Y does not work well with "preinsert" when completing items
  * 9.1.1159: $MYVIMDIR may not always be set
  * 9.1.1158: :verbose set has wrong file name with :compiler!
  * 9.1.1157: command completion wrong for input()
  * 9.1.1156: tests: No test for what patch 9.1.1152 fixes
  * 9.1.1155: Mode message not cleared after :silent message
  * 9.1.1154: Vim9: not able to use autoload class accross scripts
  * 9.1.1153: build error on Haiku
  * 9.1.1152: Patch v9.1.1151 causes problems
  * 9.1.1151: too many strlen() calls in getchar.c
  * 9.1.1150: :hi completion may complete to wrong value
  * 9.1.1149: Unix Makefile does not support Brazilian lang for the installer
  * 9.1.1148: Vim9: finding imported scripts can be further improved
  * 9.1.1147: preview-window does not scroll correctly
  * 9.1.1146: Vim9: wrong context being used when evaluating class member
  * 9.1.1145: multi-line completion has wrong indentation for last line
  * 9.1.1144: no way to create raw strings from a blob
  * 9.1.1143: illegal memory access when putting a register
  * 9.1.1142: tests: test_startup fails if $HOME/$XDG_CONFIG_HOME is defined
  * 9.1.1141: Misplaced comment in readfile()
  * 9.1.1140: filetype: m17ndb files are not detected
  * 9.1.1139: [fifo] is not displayed when editing a fifo
  * 9.1.1138: cmdline completion for :hi is too simplistic
  * 9.1.1137: ins_str() is inefficient by calling STRLEN()
  * 9.1.1136: Match highlighting marks a buffer region as changed
  * 9.1.1135: 'suffixesadd' doesn't work with multiple items
  * 9.1.1134: filetype: Guile init file not recognized
  * 9.1.1133: filetype: xkb files not recognized everywhere
  * 9.1.1132: Mark positions wrong after triggering multiline completion
  * 9.1.1131: potential out-of-memory issue in search.c
  * 9.1.1130: 'listchars' "precedes" is not drawn on Tabs.
  * 9.1.1129: missing out-of-memory test in buf_write()
  * 9.1.1128: patch 9.1.1119 caused a regression with imports
  * 9.1.1127: preinsert text is not cleaned up correctly
  * 9.1.1126: patch 9.1.1121 used a wrong way to handle enter
  * 9.1.1125: cannot loop through pum menu with multiline items
  * 9.1.1124: No test for 'listchars' "precedes" with double-width char
  * 9.1.1123: popup hi groups not falling back to defaults
  * 9.1.1122: too many strlen() calls in findfile.c
  * 9.1.1121: Enter does not insert newline with "noselect"
  * 9.1.1120: tests: Test_registers fails
  * 9.1.1119: Vim9: Not able to use an autoloaded class from another autoloaded script
  * 9.1.1118: tests: test_termcodes fails
  * 9.1.1117: there are a few minor style issues
  * 9.1.1116: Vim9: super not supported in lambda expressions
  * 9.1.1115: [security]: use-after-free in str_to_reg()
  * 9.1.1114: enabling termguicolors automatically confuses users
  * 9.1.1113: tests: Test_terminal_builtin_without_gui waits 2 seconds
  * 9.1.1112: Inconsistencies in get_next_or_prev_match()
  * 9.1.1111: Vim9: variable not found in transitive import
  * 9.1.1110: Vim tests are slow and flaky
  * 9.1.1109: cmdexpand.c hard to read
  * 9.1.1108: 'smoothscroll' gets stuck with 'listchars' "eol"
  * 9.1.1107: cannot loop through completion menu with fuzzy
  * 9.1.1106: tests: Test_log_nonexistent() causes asan failure
  * 9.1.1105: Vim9: no support for protected new() method
  * 9.1.1104: CI: using Ubuntu 22.04 Github runners
  * 9.1.1103: if_perl: still some compile errors with Perl 5.38
  * 9.1.1102: tests: Test_WinScrolled_Resized_eiw() uses wrong filename