cifs-utils
- Add patches:
  * 0001-cifs.upcall-correctly-treat-UPTARGET_UNSPECIFIED-as-.patch
  (bsc#1243488)
  * 0001-mount.cifs-retry-mount-on-EINPROGRESS.patch
docker
[ This update is a no-op, only needed to work around unfortunate automated
  packaging script behaviour on SLES. ]
- The following patches were removed in openSUSE in the Docker 28.1.1-ce
  update, but the patch names were later renamed in a SLES-only update before
  Docker 28.1.1-ce was submitted to SLES.
  This causes the SLES build scripts to refuse the update because the patches
  are not referenced in the changelog. There is no obvious place to put the
  patch removals (the 28.1.1-ce update removing the patches chronologically
  predates their renaming in SLES), so they are included here as a dummy changelog
  entry to work around the issue.
  - 0007-CVE-2025-22868-vendor-jws-split-token-into-fixed-num.patch
  - 0008-CVE-2025-22869-vendor-ssh-limit-the-size-of-the-inte.patch

- Update to docker-buildx v0.25.0. Upstream changelog:
  <https://github.com/docker/buildx/releases/tag/v0.25.0>

- Do not try to inject SUSEConnect secrets when in Rootless Docker mode, as
  Docker does not have permission to access the host zypper credentials in this
  mode (and unprivileged users cannot disable the feature using
  /etc/docker/suse-secrets-enable). bsc#1240150
  * 0003-SECRETS-SUSE-implement-SUSE-container-secrets.patch
- Rebase patches:
  * 0001-SECRETS-SUSE-always-clear-our-internal-secrets.patch
  * 0002-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
  * 0004-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch
  * 0005-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
  * 0006-SLE12-revert-apparmor-remove-version-conditionals-fr.patch

- Always clear SUSEConnect suse_* secrets when starting containers regardless
  of whether the daemon was built with SUSEConnect support. Not doing this
  causes containers from SUSEConnect-enabled daemons to fail to start when
  running with SUSEConnect-disabled (i.e. upstream) daemons.
  This was a long-standing issue with our secrets support but until recently
  this would've required migrating from SLE packages to openSUSE packages
  (which wasn't supported). However, as SLE Micro 6.x and SLES 16 will move
  away from in-built SUSEConnect support, this is now a practical issue users
  will run into. bsc#1244035
  + 0001-SECRETS-SUSE-always-clear-our-internal-secrets.patch
- Rearrange patches:
  - 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
  + 0002-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
  - 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
  + 0003-SECRETS-SUSE-implement-SUSE-container-secrets.patch
  - 0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch
  + 0004-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch
  - 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
  + 0005-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
  - 0005-SLE12-revert-apparmor-remove-version-conditionals-fr.patch
  + 0006-SLE12-revert-apparmor-remove-version-conditionals-fr.patch

[NOTE: This update was only ever released in SLES and Leap.]
- Always clear SUSEConnect suse_* secrets when starting containers regardless
  of whether the daemon was built with SUSEConnect support. Not doing this
  causes containers from SUSEConnect-enabled daemons to fail to start when
  running with SUSEConnect-disabled (i.e. upstream) daemons.
  This was a long-standing issue with our secrets support but until recently
  this would've required migrating from SLE packages to openSUSE packages
  (which wasn't supported). However, as SLE Micro 6.x and SLES 16 will move
  away from in-built SUSEConnect support, this is now a practical issue users
  will run into. bsc#1244035
  + 0001-SECRETS-SUSE-always-clear-our-internal-secrets.patch
- Rearrange patches:
  - 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
  + 0002-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
  - 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
  + 0003-SECRETS-SUSE-implement-SUSE-container-secrets.patch
  - 0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch
  + 0004-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch
  - 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
  + 0005-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
  - 0005-SLE12-revert-apparmor-remove-version-conditionals-fr.patch
  + 0006-SLE12-revert-apparmor-remove-version-conditionals-fr.patch
  - 0006-CVE-2025-22868-vendor-jws-split-token-into-fixed-num.patch
  + 0007-CVE-2025-22868-vendor-jws-split-token-into-fixed-num.patch
  - 0007-CVE-2025-22869-vendor-ssh-limit-the-size-of-the-inte.patch
  + 0008-CVE-2025-22869-vendor-ssh-limit-the-size-of-the-inte.patch

- Update to Docker 28.2.2-ce. See upstream changelog online at
  <https://github.com/moby/moby/releases/tag/v28.2.2>
- Rebase patches:
  * 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
  * 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
  * 0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch
  * 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
  * 0005-SLE12-revert-apparmor-remove-version-conditionals-fr.patch

- Update to Docker 28.2.1-ce. See upstream changelog online at
  <https://docs.docker.com/engine/release-notes/28/#2820> bsc#1243833
  <https://github.com/moby/moby/releases/tag/v28.2.1>
- Rebase patches:
  * 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
  * 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
  * 0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch
  * 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
  * 0005-SLE12-revert-apparmor-remove-version-conditionals-fr.patch

- Update to docker-buildx v0.24.0. Upstream changelog:
  <https://github.com/docker/buildx/releases/tag/v0.24.0>

- Update to Docker 28.1.1-ce. See upstream changelog online at
  <https://docs.docker.com/engine/release-notes/28/#2811> bsc#1242114
  Includes upstream fixes:
  - CVE-2025-22872 bsc#1241830
- Remove long-outdated build handling for deprecated and unsupported
  devicemapper and AUFS storage drivers. AUFS was removed in v24, and
  devicemapper was removed in v25.
  <https://docs.docker.com/engine/deprecated/#aufs-storage-driver>
- Rebase patches:
  * 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
  * 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
  * 0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch
  * 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
  * 0005-SLE12-revert-apparmor-remove-version-conditionals-fr.patch
- Remove upstreamed patches:
  - 0006-CVE-2025-22868-vendor-jws-split-token-into-fixed-num.patch
  - 0007-CVE-2025-22869-vendor-ssh-limit-the-size-of-the-inte.patch
  - cli-0001-docs-include-required-tools-in-source-tree.patch

- Update to docker-buildx v0.23.0. Upstream changelog:
  <https://github.com/docker/buildx/releases/tag/v0.23.0>

- Update to docker-buildx v0.22.0. Upstream changelog:
  <https://github.com/docker/buildx/releases/tag/v0.22.0>
  * Includes fixes for CVE-2025-0495. bsc#1239765

- Disable transparent SUSEConnect support for SLE-16. PED-12534
  When this patchset was first added in 2013 (and rewritten over the years),
  there was no upstream way to easily provide SLE customers with a way to build
  container images based on SLE using the host subscription. However, with
  docker-buildx you can now define secrets for builds (this is not entirely
  transparent, but we can easily document this new requirement for SLE-16).
  Users should use
    RUN --mount=type=secret,id=SCCcredentials zypper -n ...
  in their Dockerfiles, and
    docker buildx build --secret id=SCCcredentials,src=/etc/zypp/credentials.d/SCCcredentials,type=file .
  when doing their builds.
- Now that the only blocker for docker-buildx support was removed for SLE-16,
  enable docker-buildx for SLE-16 as well. PED-8905
glib2
- Add glib2-CVE-2025-6052.patch: fix overflow check when expanding
  a GString (bsc#1244596 CVE-2025-6052).

- Add glib2-CVE-2025-4373.patch: carefully handle gssize parameters
  (bsc#1242844 CVE-2025-4373 glgo#GNOME/glib#3677).
gpg2
- Security fix: [bsc#1236931, bsc#1239119, CVE-2025-30258]
  * gpg: Fix regression for the recent malicious subkey DoS fix.
  * gpg: Fix another regression due to the T7547 fix.
  * gpg: Allow the use of an ADSK subkey as ADSK subkey.
  * Add patches:
  - gnupg-gpg-Fix-regression-for-the-recent-malicious-subkey-D.patch
  - gnupg-gpg-Fix-another-regression-due-to-the-T7547-fix.patch
  - gnupg-gpg-Allow-the-use-of-an-ADSK-subkey-as-ADSK-subkey.patch

- Don't install expired sks certificate [bsc#1243069]
  * Add patch gnupg-dirmngr-Don-t-install-expired-sks-certificate.patch

- Fix a verification DoS due to a malicious subkey in the keyring: [bsc#1239119]
  * Add patch gnupg-gpg-Fix-a-verification-DoS-due-to-a-malicious-subkey-in-the-keyring.patch
kernel-default
- smb: client: fix hang in wait_for_response() for negproto
  (bsc#1242709).
- commit 709cb2e

- Update
  patches.suse/ALSA-ump-Fix-buffer-overflow-at-UMP-SysEx-message-co.patch
  (bsc#1242044 CVE-2025-37891 bsc#1243589).
- Update
  patches.suse/ASoC-Intel-avs-Fix-null-ptr-deref-in-avs_component_p.patch
  (git-fixes CVE-2025-37793 bsc#1242584).
- Update
  patches.suse/ASoC-imx-card-Add-NULL-check-in-imx_card_probe.patch
  (git-fixes CVE-2025-22066 bsc#1241340).
- Update
  patches.suse/ASoC-ops-Consistently-treat-platform_max-as-control-.patch
  (git-fixes CVE-2025-37889 bsc#1242945).
- Update
  patches.suse/ASoC-qcom-Fix-sc7280-lpass-potential-buffer-overflow.patch
  (git-fixes CVE-2025-37979 bsc#1243545).
- Update
  patches.suse/Bluetooth-btrtl-Prevent-potential-NULL-dereference.patch
  (git-fixes CVE-2025-37792 bsc#1242591).
- Update
  patches.suse/Bluetooth-btusb-avoid-NULL-pointer-dereference-in-sk.patch
  (git-fixes CVE-2025-37918 bsc#1243476).
- Update
  patches.suse/Input-mtk-pmic-keys-fix-possible-null-pointer-derefe.patch
  (git-fixes CVE-2025-37972 bsc#1243573).
- Update
  patches.suse/KVM-arm64-Tear-down-vGIC-on-failed-vCPU-creation.patch
  (git-fixes CVE-2025-37849 bsc#1243000).
- Update
  patches.suse/KVM-x86-Acquire-SRCU-in-KVM_GET_MP_STATE-to-protect-.patch
  (git-fixes CVE-2025-23141 bsc#1242782).
- Update
  patches.suse/PCI-Fix-reference-leak-in-pci_register_host_bridge.patch
  (git-fixes CVE-2025-37836 bsc#1242957).
- Update
  patches.suse/PCI-brcmstb-Fix-error-path-after-a-call-to-regulator.patch
  (git-fixes CVE-2025-22095 bsc#1241519).
- Update
  patches.suse/PCI-vmd-Make-vmd_dev-cfg_lock-a-raw_spinlock_t-type.patch
  (stable-fixes CVE-2025-23161 bsc#1242792).
- Update
  patches.suse/RDMA-cma-Fix-workqueue-crash-in-cma_netevent_work_ha.patch
  (git-fixes CVE-2025-37772 bsc#1242563).
- Update
  patches.suse/RDMA-core-Don-t-expose-hw_counters-outside-of-init-n.patch
  (git-fixes bsc#1239925 CVE-2025-22089 bsc#1241538).
- Update
  patches.suse/RDMA-core-Silence-oversized-kvmalloc-warning.patch
  (git-fixes CVE-2025-37867 bsc#1242948).
- Update
  patches.suse/USB-wdm-close-race-between-wdm_open-and-wdm_wwan_por.patch
  (git-fixes CVE-2025-37985 bsc#1243529).
- Update
  patches.suse/arm64-bpf-Add-BHB-mitigation-to-the-epilogue-for-cBPF-prog.patch
  (git-fixes CVE-2025-37948 bsc#1243649).
- Update
  patches.suse/arm64-bpf-Only-mitigate-cBPF-programs-loaded-by-unprivileg.patch
  (git-fixes CVE-2025-37963 bsc#1243660).
- Update
  patches.suse/arm64-errata-Add-missing-sentinels-to-Spectre-BHB-MIDR-arr.patch
  (git-fixes CVE-2025-37929 bsc#1243624).
- Update
  patches.suse/ata-pata_pxa-Fix-potential-NULL-pointer-dereference-.patch
  (git-fixes CVE-2025-37758 bsc#1242514).
- Update
  patches.suse/backlight-led_bl-Hold-led_access-lock-when-calling-l.patch
  (git-fixes CVE-2025-23144 bsc#1242568).
- Update
  patches.suse/block-fix-resource-leak-in-blk_register_queue-error-path.patch
  (git-fixes CVE-2025-37980 bsc#1243522).
- Update
  patches.suse/block-integrity-Do-not-call-set_page_dirty_lock.patch
  (git-fixes CVE-2025-37978 bsc#1243516).
- Update
  patches.suse/bnxt_en-Fix-out-of-bound-memcpy-during-ethtool-w.patch
  (git-fixes CVE-2025-37911 bsc#1243469).
- Update patches.suse/bpf-Scrub-packet-on-bpf_redirect_peer.patch
  (git-fixes CVE-2025-37959 bsc#1243517).
- Update
  patches.suse/bpf-check-changes_pkt_data-property-for-extension-pr.patch
  (bsc#1241590 CVE-2024-58100 bsc#1242564).
- Update
  patches.suse/bpf-consider-that-tail-calls-invalidate-packet-point.patch
  (bsc#1241590 CVE-2024-58237 bsc#1242574).
- Update
  patches.suse/bpf-track-changes_pkt_data-property-for-global-funct.patch
  (bsc#1241590 CVE-2024-58098 bsc#1242565).
- Update
  patches.suse/btrfs-adjust-subpage-bit-start-based-on-sectorsize.patch
  (bsc#1241492 CVE-2025-37931 bsc#1243626).
- Update
  patches.suse/bus-mhi-host-Fix-race-between-unprepare-and-queue_bu.patch
  (git-fixes CVE-2025-23151 bsc#1242512).
- Update
  patches.suse/cxgb4-fix-memory-leak-in-cxgb4_init_ethtool_filters-.patch
  (git-fixes CVE-2025-37788 bsc#1242766).
- Update
  patches.suse/dm-bufio-don-t-schedule-in-atomic-context.patch
  (git-fixes CVE-2025-37928 bsc#1243621).
- Update
  patches.suse/drm-amd-display-Fix-slab-use-after-free-in-hdcp.patch
  (git-fixes CVE-2025-37903 bsc#1243562).
- Update
  patches.suse/drm-amd-pm-Prevent-division-by-zero-4b8c3c0.patch
  (git-fixes CVE-2025-37770 bsc#1242764).
- Update
  patches.suse/drm-amd-pm-Prevent-division-by-zero-4e3d950.patch
  (git-fixes CVE-2025-37766 bsc#1242785).
- Update
  patches.suse/drm-amd-pm-Prevent-division-by-zero-7c246a0.patch
  (git-fixes CVE-2025-37768 bsc#1242567).
- Update
  patches.suse/drm-amd-pm-Prevent-division-by-zero-7d641c2.patch
  (git-fixes CVE-2025-37771 bsc#1242781).
- Update patches.suse/drm-amd-pm-Prevent-division-by-zero.patch
  (git-fixes CVE-2025-37767 bsc#1242501).
- Update
  patches.suse/drm-amd-pm-smu11-Prevent-division-by-zero.patch
  (git-fixes CVE-2025-37769 bsc#1242587).
- Update
  patches.suse/drm-amdgpu-Replace-Mutex-with-Spinlock-for-RLCG-regi.patch
  (git-fixes CVE-2025-38104 bsc#1241635).
- Update
  patches.suse/drm-amdgpu-handle-amdgpu_cgs_create_device-errors-in.patch
  (stable-fixes CVE-2025-37852 bsc#1243074).
- Update patches.suse/drm-amdkfd-Fix-mode1-reset-crash-issue.patch
  (stable-fixes CVE-2025-37854 bsc#1243082).
- Update
  patches.suse/drm-amdkfd-debugfs-hang_hws-skip-GPU-with-MES.patch
  (stable-fixes CVE-2025-37853 bsc#1243076).
- Update
  patches.suse/drm-i915-huc-Fix-fence-not-released-on-early-probe-e.patch
  (git-fixes CVE-2025-37754 bsc#1242524).
- Update
  patches.suse/drm-mediatek-dp-drm_err-dev_err-in-HPD-path-to-avoid.patch
  (git-fixes CVE-2025-38240 bsc#1241457).
- Update
  patches.suse/drm-nouveau-Fix-WARN_ON-in-nouveau_fence_context_kil.patch
  (git-fixes CVE-2025-37930 bsc#1243625).
- Update
  patches.suse/drm-nouveau-prime-fix-ttm_bo_delayed_delete-oops.patch
  (git-fixes CVE-2025-37765 bsc#1242761).
- Update
  patches.suse/drm-v3d-Add-job-to-pending-list-if-the-reset-was-ski.patch
  (stable-fixes CVE-2025-37951 bsc#1243659).
- Update
  patches.suse/eth-bnxt-fix-missing-ring-index-trim-on-error-path.patch
  (git-fixes CVE-2025-37873 bsc#1242961).
- Update patches.suse/fbdev-omapfb-Add-plane-value-check.patch
  (stable-fixes CVE-2025-37851 bsc#1242977).
- Update
  patches.suse/firmware-arm_scmi-Balance-device-refcount-when-destr.patch
  (git-fixes CVE-2025-37905 bsc#1243456).
- Update
  patches.suse/fs-jfs-Prevent-integer-overflow-in-AG-size-calculation.patch
  (git-fixes CVE-2025-37858 bsc#1243049).
- Update
  patches.suse/hfs-hfsplus-fix-slab-out-of-bounds-in-hfs_bnode_read_key.patch
  (git-fixes CVE-2025-37782 bsc#1242770).
- Update
  patches.suse/i2c-cros-ec-tunnel-defer-probe-if-parent-EC-is-not-p.patch
  (git-fixes CVE-2025-37781 bsc#1242575).
- Update
  patches.suse/i3c-Add-NULL-pointer-check-in-i3c_master_queue_ibi.patch
  (git-fixes CVE-2025-23147 bsc#1242530).
- Update
  patches.suse/ice-Check-VF-VSI-Pointer-Value-in-ice_vc_add_fdir_fl.patch
  (git-fixes CVE-2025-37912 bsc#1243470).
- Update patches.suse/igc-fix-PTM-cycle-trigger-logic.patch
  (git-fixes CVE-2025-37875 bsc#1242959).
- Update
  patches.suse/iio-imu-st_lsm6dsx-fix-possible-lockup-in-st_lsm6dsx-8114ef8.patch
  (git-fixes CVE-2025-37969 bsc#1243574).
- Update
  patches.suse/iio-imu-st_lsm6dsx-fix-possible-lockup-in-st_lsm6dsx.patch
  (git-fixes CVE-2025-37970 bsc#1243575).
- Update
  patches.suse/iommu-Fix-two-issues-in-iommu_copy_struct_from_user.patch
  (git-fixes CVE-2025-37900 bsc#1243560).
- Update
  patches.suse/ipv6-Fix-memleak-of-nhc_pcpu_rth_output-in-fib_check_nh_v6_gw.patch
  (git-fixes CVE-2025-22005 bsc#1240866).
- Update
  patches.suse/irqchip-gic-v2m-Prevent-use-after-free-of-gicv2m_get.patch
  (git-fixes CVE-2025-37819 bsc#1242873).
- Update
  patches.suse/irqchip-qcom-mpm-Prevent-crash-when-trying-to-handle.patch
  (git-fixes CVE-2025-37901 bsc#1243559).
- Update patches.suse/jbd2-remove-wrong-sb-s_sequence-check.patch
  (bsc#1242343 CVE-2025-37839 bsc#1242990).
- Update
  patches.suse/jfs-Fix-uninit-value-access-of-imap-allocated-in-the-diMount-function.patch
  (git-fixes CVE-2025-37742 bsc#1243011).
- Update
  patches.suse/jfs-Prevent-copying-of-nlink-with-value-0-from-disk-inode.patch
  (git-fixes CVE-2025-37741 bsc#1243015).
- Update
  patches.suse/jfs-add-sanity-check-for-agwidth-in-dbMount.patch
  (git-fixes CVE-2025-37740 bsc#1243006).
- Update
  patches.suse/jfs-fix-slab-out-of-bounds-read-in-ea_get.patch
  (git-fixes CVE-2025-39735 bsc#1241625).
- Update
  patches.suse/jfs-reject-on-disk-inodes-of-an-unsupported-type.patch
  (git-fixes CVE-2025-37925 bsc#1241654).
- Update
  patches.suse/md-md-bitmap-fix-wrong-bitmap_limit-for-clustermd-wh.patch
  (bsc#1238212 CVE-2025-22124 bsc#1241595).
- Update
  patches.suse/media-dw2102-Fix-null-ptr-deref-in-dw2102_i2c_transf.patch
  (git-fixes CVE-2023-53146 bsc#1220112).
- Update
  patches.suse/media-venus-hfi-add-a-check-to-handle-OOB-in-sfr-reg.patch
  (git-fixes CVE-2025-23159 bsc#1242529).
- Update
  patches.suse/media-venus-hfi-add-check-to-handle-incorrect-queue-.patch
  (git-fixes CVE-2025-23158 bsc#1242531).
- Update
  patches.suse/media-venus-hfi_parser-add-check-to-avoid-out-of-bou.patch
  (git-fixes CVE-2025-23157 bsc#1242532).
- Update
  patches.suse/media-venus-hfi_parser-refactor-hfi-packet-parsing-l.patch
  (git-fixes CVE-2025-23156 bsc#1242569).
- Update
  patches.suse/mfd-ene-kb3930-Fix-a-potential-NULL-pointer-derefere.patch
  (git-fixes CVE-2025-23146 bsc#1242559).
- Update
  patches.suse/misc-microchip-pci1xxxx-Fix-Kernel-panic-during-IRQ-.patch
  (git-fixes CVE-2025-37815 bsc#1242871).
- Update
  patches.suse/mtd-inftlcore-Add-error-check-for-inftl_read_oob.patch
  (git-fixes CVE-2025-37892 bsc#1243536).
- Update
  patches.suse/mtd-rawnand-brcmnand-fix-PM-resume-warning.patch
  (git-fixes CVE-2025-37840 bsc#1242953).
- Update patches.suse/net-phy-leds-fix-memory-leak.patch
  (git-fixes CVE-2025-37989 bsc#1243511).
- Update
  patches.suse/net-reenable-NETIF_F_IPV6_CSUM-offload-for-BIG-TCP-p.patch
  (git-fixes CVE-2025-21629 bsc#1235968).
- Update
  patches.suse/net_sched-drr-Fix-double-list-add-in-class-with-nete.patch
  (git-fixes CVE-2025-37915 bsc#1243473).
- Update
  patches.suse/net_sched-ets-Fix-double-list-add-in-class-with-nete.patch
  (git-fixes CVE-2025-37914 bsc#1243472).
- Update
  patches.suse/net_sched-hfsc-Fix-a-UAF-vulnerability-in-class-with.patch
  (git-fixes CVE-2025-37890 bsc#1243330).
- Update
  patches.suse/net_sched-qfq-Fix-double-list-add-in-class-with-nete.patch
  (git-fixes CVE-2025-37913 bsc#1243471).
- Update
  patches.suse/nfsd-decrease-sc_count-directly-if-fail-to-queue-dl_recall.patch
  (git-fixes CVE-2025-37871 bsc#1242949).
- Update
  patches.suse/objtool-media-dib8000-Prevent-divide-by-zero-in-dib8.patch
  (git-fixes CVE-2025-37937 bsc#1243540).
- Update
  patches.suse/objtool-spi-amd-Fix-out-of-bounds-stack-access-in-am.patch
  (git-fixes CVE-2025-40014 bsc#1241644).
- Update
  patches.suse/perf-Fix-hang-while-freeing-sigtrap-event.patch
  (bsc#1229491 CVE-2024-43869 CVE-2025-37747 bsc#1242520).
- Update
  patches.suse/pm-cpupower-bench-Prevent-NULL-dereference-on-malloc.patch
  (stable-fixes CVE-2025-37841 bsc#1242974).
- Update
  patches.suse/pwm-mediatek-Prevent-divide-by-zero-in-pwm_mediatek_.patch
  (git-fixes CVE-2025-37850 bsc#1242955).
- Update patches.suse/qibfs-fix-_another_-leak.patch (git-fixes
  CVE-2025-37983 bsc#1243567).
- Update patches.suse/sch_htb-make-htb_deactivate-idempotent.patch
  (CVE-2025-37798 bsc#1242414 CVE-2025-37953 bsc#1243543).
- Update
  patches.suse/sch_htb-make-htb_qlen_notify-idempotent.patch
  (CVE-2025-37798 bsc#1242414 CVE-2025-37932 bsc#1243627).
- Update
  patches.suse/sctp-detect-and-prevent-references-to-a-freed-transp.patch
  (git-fixes CVE-2025-23142 bsc#1242760).
- Update
  patches.suse/soc-samsung-exynos-chipid-Add-NULL-pointer-check-in-.patch
  (git-fixes CVE-2025-23148 bsc#1242578).
- Update
  patches.suse/sound-virtio-Fix-cancel_sync-warnings-on-uninitializ.patch
  (stable-fixes CVE-2025-37805 bsc#1242930).
- Update patches.suse/tpm-do-not-start-chip-while-suspended.patch
  (git-fixes CVE-2025-23149 bsc#1242758).
- Update
  patches.suse/usb-cdns3-Fix-deadlock-when-using-NCM-gadget.patch
  (git-fixes CVE-2025-37812 bsc#1242908).
- Update
  patches.suse/usb-dwc3-gadget-check-that-event-count-does-not-exce.patch
  (git-fixes CVE-2025-37810 bsc#1242906).
- Update
  patches.suse/usb-gadget-aspeed-Add-NULL-pointer-check-in-ast_vhub.patch
  (stable-fixes CVE-2025-37881 bsc#1242973).
- Update
  patches.suse/usb-typec-class-Invalidate-USB-device-pointers-on-pa.patch
  (git-fixes CVE-2025-37986 bsc#1243515).
- Update
  patches.suse/vmxnet3-Fix-packet-corruption-in-vmxnet3_xdp_xmit_fr.patch
  (bsc#1226498 CVE-2024-58099 bsc#1242035).
- Update
  patches.suse/wifi-at76c50x-fix-use-after-free-access-in-at76_disc.patch
  (git-fixes CVE-2025-37796 bsc#1242727).
- Update
  patches.suse/wifi-ath12k-Fix-invalid-data-access-in-ath12k_dp_rx_.patch
  (stable-fixes CVE-2025-37943 bsc#1243509).
- Update
  patches.suse/wifi-ath12k-Fix-invalid-entry-fetch-in-ath12k_dp_mon.patch
  (stable-fixes CVE-2025-37944 bsc#1243530).
- Update
  patches.suse/wifi-brcm80211-fmac-Add-error-handling-for-brcmf_usb.patch
  (git-fixes CVE-2025-37990 bsc#1243528).
- Update
  patches.suse/wifi-cfg80211-init-wiphy_work-before-allocating-rfki.patch
  (git-fixes CVE-2025-22119 bsc#1241576).
- Update
  patches.suse/wifi-mac80211-Purge-vif-txq-in-ieee80211_do_stop.patch
  (git-fixes CVE-2025-37794 bsc#1242566).
- Update
  patches.suse/wifi-plfxlc-Remove-erroneous-assert-in-plfxlc_mac_re.patch
  (git-fixes CVE-2025-37897 bsc#1243534).
- Update
  patches.suse/wifi-wl1251-fix-memory-leak-in-wl1251_tx_work.patch
  (git-fixes CVE-2025-37982 bsc#1243524).
- commit 4bd69e5

- blacklist.conf: add 75ad02318af2 ("Xen/swiotlb: mark xen_swiotlb_fixup() __init")
- Delete patches.suse/Xen-swiotlb-mark-xen_swiotlb_fixup-__init.patch.
- commit c256f05

- smb: client: Avoid race in open_cached_dir with lease breaks
  (CVE-2025-37954 bsc#1243664).
- commit 366c4d0

- smb: client: change return value in open_cached_dir_by_dentry()
  if !cfids (git-fixes).
- commit ec272a8

- smb: client: remove unnecessary checks in open_cached_dir()
  (git-fixes).
- commit 31b534b

- Delete
  patches.suse/smb-client-fix-open_cached_dir-retries-with-hard.patch.
- Delete
  patches.suse/smb-client-properly-close-cfids-on-umount.patch.
  [hcarvalho: these were SUSE-only fixes and now we have more suitable
  fixes upstream for the same issues]
- commit fb12426

- smb3: fix Open files on server counter going negative
  (git-fixes).
- commit 6a0a87a

- memblock: Accept allocated memory before use in
  memblock_double_array() (CVE-2025-37960 bsc#1243519).
- commit 7257498

- mm/huge_memory: fix dereferencing invalid pmd migration entry
  (CVE-2025-37958 bsc#1243539).
- commit 49bf8b8

- objtool, panic: Disable SMAP in __stack_chk_fail()
  (bsc#1243963).
- commit 3d95273

- Refresh
  patches.kabi/icmp-prevent-possible-NULL-dereferences-from-icmp_bu.patch.
  It turns out we don't need the kABI workaround for
  patches.suse/ipv4-icmp-Unmask-upper-DSCP-bits-in-icmp_route_looku.patch,
  just need to simply refresh the patch context. Thus we take
  > #include <net/inet_dscp.h>
  out of the __GENKSYMS__ ifndef.
- commit b6ed857

- nvme-pci: acquire cq_poll_lock in nvme_poll_irqdisable
  (git-fixes bsc#1223096).
- nvme-pci: make nvme_pci_npages_prp() __always_inline
  (git-fixes).
- commit 71f2996

- nilfs2: do not propagate ENOENT error from
  nilfs_btree_propagate() (git-fixes).
- commit 5591e0d

- nilfs2: add pointer check for nilfs_direct_propagate()
  (git-fixes).
- commit eac8f96

- afs: Fix the server_list to unuse a displaced server rather
  than putting it (git-fixes).
- commit d3c390a

- afs: Make it possible to find the volumes that are using a
  server (git-fixes).
- commit 7d8a054

- Squashfs: check return result of sb_min_blocksize (git-fixes).
- commit 6d6e8d7

- xenbus: Use kref to track req lifetime (bsc#1243541
  CVE-2025-37949).
- commit 0928f39

- 9p/net: fix improper handling of bogus negative read/write
  replies (bsc#1243077 CVE-2025-37879).
- commit ac0ef56

- RDMA/rxe: Fix "trying to register non-static key in rxe_qp_do_cleanup" bug (git-fixes)
- commit 40421b4

- RDMA/cma: Fix hang when cma_netevent_callback fails to queue_work (git-fixes)
- commit 5748d8f

- RDMA/iwcm: Fix use-after-free of work objects after cm_id destruction (git-fixes)
- commit 0defb73

- RDMA/mlx5: Fix error flow upon firmware failure for RQ destruction (git-fixes)
- commit af712e0

- RDMA/hns: Include hnae3.h in hns_roce_hw_v2.h (git-fixes)
- commit fe91579

- IB/cm: use rwlock for MAD agent lock (git-fixes)
- commit 7a0e4f4

- loop: don't require ->write_iter for writable files in
  loop_configure (git-fixes).
- commit 7e4c4c7

- iommu/mediatek: Fix NULL pointer deference in
  mtk_iommu_device_group (CVE-2025-37748 bsc#1242523).
- commit 4d05234

- loop: Add sanity check for read/write_iter (git-fixes).
- scsi: Improve CDL control (git-fixes).
- md/raid1: Add check for missing source disk in process_checks()
  (git-fixes).
- commit 494aacb

- cpufreq: scpi: Fix null-ptr-deref in scpi_cpufreq_get_rate()
  (bsc#1242875 CVE-2025-37829).
- commit e728de0

- cpufreq: scmi: Fix null-ptr-deref in scmi_cpufreq_get_rate()
  (bsc#1242860 CVE-2025-37830).
- commit 8f43c34

- loop: aio inherit the ioprio of original request (git-fixes).
- Refresh
  patches.suse/loop-stop-using-vfs_iter_-read-write-for-buffered-I-O.patch.
- commit ff7ab20

- io_uring: always do atomic put from iowq (CVE-2025-37804
  bsc#1242854).
- commit 06f910a

- s390/bpf: Store backchain even for leaf progs (git-fixes
  bsc#1243805).
- commit ded8083

- cpufreq: apple-soc: Fix null-ptr-deref in
  apple_soc_cpufreq_get_rate() (bsc#1242861 CVE-2025-37831).
- commit ce0d3b2

- kabi: fix kABI for ITS (bsc#1242006 CVE-2024-28956).
- commit 1a3ff17

- mtd: phram: Add the kernel lock down check (bsc#1232649).
- commit 0294b02

- scsi: megaraid_sas: Block zero-length ATA VPD inquiry
  (git-fixes).
- scsi: pm80xx: Set phy_attached to zero when device is gone
  (git-fixes).
- scsi: hisi_sas: Fix I/O errors caused by hardware port ID
  changes (git-fixes).
- commit 2f69ac7

- isofs: Prevent the use of too small fid (CVE-2025-37780 bsc#1242786)
- commit 2176e55

- ext4: fix off-by-one error in do_split (CVE-2025-23150 bsc#1242513)
- commit 06dc18f

- net: dsa: mv88e6xxx: avoid unregistering devlink regions which were never registered (CVE-2025-37787 bsc#1242585)
- commit 91a15e6

- Refresh fixes for cBPF issue (bsc#1242778)
- Update metadata and put them into the sorted part of the series
- Refresh
  patches.suse/x86-bhi-do-not-set-BHI_DIS_S-in-32-bit-mode.patch.
- Refresh
  patches.suse/x86-bpf-add-IBHF-call-at-end-of-classic-BPF.patch.
- Refresh
  patches.suse/x86-bpf-call-branch-history-clearing-sequence-on-exit.patch.
- commit d024c0d

- media: mediatek: vcodec: Fix a resource leak related to the scp device in FW initialization (CVE-2025-23160 bsc#1242507)
- commit ec39280

- net: libwx: handle page_pool_dev_alloc_pages error (CVE-2025-37755 bsc#1242506)
- commit 218edf9

- virtiofs: add filesystem context source name check (CVE-2025-37773 bsc#1242502)
- commit c58895d

- remoteproc: core: Clear table_sz when rproc_shutdown (CVE-2025-38152 bsc#1241627)
- commit a7f4be3

- net_sched: skbprio: Remove overly strict queue assertions (CVE-2025-38637 bsc#1241657)
- commit 6c0dd03

- fs/9p: fix NULL pointer dereference on mkdir (CVE-2025-22070 bsc#1241305)
- commit 7cd6fd1

- KVM: VMX: Bury Intel PT virtualization (guest/host mode)
  behind CONFIG_BROKEN (CVE-2024-53135 bsc#1234154).
- commit 09b2398

- KVM: x86: Make x2APIC ID 100% readonly (git-fixes).
- Refresh
  patches.suse/KVM-x86-Re-split-x2APIC-ICR-into-ICR-ICR2-for-AMD-x2.patch.
- commit d85d7a2

- net: fix NULL pointer dereference in l3mdev_l3_rcv (CVE-2025-22103 bsc#1241448)
- commit da134b6

- udmabuf: fix a buf size overflow issue during udmabuf creation (CVE-2025-37803 bsc#1242852)
- commit 34e7f3d

- add bug reference for an existing hv_netvsc change (bsc#1243737).
- commit e38784d

- kabi fix for perf/aux: Fix AUX buffer serialization
  (bsc#1230581, CVE-2024-46713).
- perf/aux: Fix AUX buffer serialization (bsc#1230581,
  CVE-2024-46713).
- commit 1405e0e

- Update
  patches.suse/NFSv3-only-use-NFS-timeout-for-MOUNT-when-protocols-.patch
  (bsc#1231016).
  Remove the reference to CVE-2024-50106 bsc#1232882, this was added
  automatically by 8258b9d331fb as it matched the Git-commit 8dd91e8d31fe
  which was erroneously added in 4b11aedcc3c0, and later corrected in
  a5cceab88022 (which did not also take care of removing the erroneous
  references).
- commit 4e82942

- usb: typec: class: Unlocked on error in typec_register_partner()
  (bsc#1242856 CVE-2025-37809).
- commit 8ae2608

- struct typec_port: move nre mutex to end (bsc#1242856
  CVE-2025-37809).
- commit b5f6426

- usb: typec: class: Fix NULL pointer access (bsc#1242856
  CVE-2025-37809).
- Refresh
  patches.suse/usb-typec-class-Invalidate-USB-device-pointers-on-pa.patch.
- commit 3add668

- team: better TEAM_OPTION_TYPE_STRING validation (CVE-2025-21787 bsc#1238774)
- commit bda544d

- scsi: ufs: bsg: Set bsg_queue to NULL after removal (CVE-2024-54458 bsc#1238992)
- commit 0e36a45

- xen-netfront: handle NULL returned by
  xdp_convert_buff_to_frame() (bsc#1242866 CVE-2025-37820).
- commit 39f3e10

- xen: Change xen-acpi-processor dom0 dependency (git-fixes).
- commit 0babbb9

- xenfs/xensyms: respect hypervisor's "next" indication
  (git-fixes).
- commit 911043b

- xen/mcelog: Add __nonstring annotations for unterminated strings
  (git-fixes).
- commit 29addb9

- Xen/swiotlb: mark xen_swiotlb_fixup() __init (git-fixes).
- commit 8db2d18

- x86/xen: move xen_reserve_extra_memory() (git-fixes).
- commit 46ca212

- virtio_console: fix missing byte order handling for cols and
  rows (git-fixes).
- commit 241fde6

- vhost-scsi: Fix handling of multiple calls to
  vhost_scsi_set_endpoint (git-fixes).
- commit b42c56f

- KVM: SVM: Update dump_ghcb() to use the GHCB snapshot fields
  (git-fixes).
- commit 38764b5

- KVM: SVM: Forcibly leave SMM mode on SHUTDOWN interception
  (bsc#1243513 CVE-2025-37957).
- commit d959965

- KVM: x86: Explicitly treat routing entry type changes as changes
  (git-fixes).
- commit 3d9ce0f

- dm-integrity: fix a warning on invalid table line (git-fixes).
- commit d3c6b81

- KVM: SVM: Allocate IR data using atomic allocation (git-fixes).
- commit b2174da

- KVM: x86: Explicitly zero-initialize on-stack CPUID unions
  (git-fixes).
- commit 70f24b1

- KVM: x86: Acquire SRCU in KVM_GET_MP_STATE to protect guest
  memory accesses (git-fixes).
- commit 6edee17

- KVM: x86/xen: Use guest's copy of pvclock when starting timer
  (git-fixes).
- commit b26e547

- KVM: x86: Don't take kvm->lock when iterating over vCPUs in
  suspend notifier (git-fixes).
- commit c3ff5ce

- pfifo_tail_enqueue: Drop new packet when sch->limit == 0 (CVE-2025-21702 bsc#1237312)
- commit 9693f33

- KVM: VMX: Don't modify guest XFD_ERR if CR0.TS=1 (git-fixes).
- commit 7004205

- KVM: x86: Remove the unreachable case for 0x80000022 leaf in
  __do_cpuid_func() (git-fixes).
- commit 61712af

- KVM: nVMX: Allow emulating RDPID on behalf of L2 (git-fixes).
- commit c1930b5

- KVM: nSVM: Pass next RIP, not current RIP, for nested VM-Exit
  on emulation (git-fixes).
- commit 8202eda

- ptp: Ensure info->enable callback is always set (CVE-2025-21814 bsc#1238473)
- commit f7aafc6

- KVM: nVMX: Check PAUSE_EXITING, not BUS_LOCK_DETECTION, on
  PAUSE emulation (git-fixes).
- commit e0c3862

- KVM: x86: Wake vCPU for PIC interrupt injection iff a valid
  IRQ was found (git-fixes).
- commit a4e6b2d

- KVM: x86: Explicitly zero EAX and EBX when PERFMON_V2 isn't
  supported by KVM (git-fixes).
- commit 224ac97

- KVM: SVM: Suppress DEBUGCTL.BTF on AMD (git-fixes).
- commit cbffadd

- KVM: SVM: Drop DEBUGCTL[5:2] from guest's effective value
  (git-fixes).
- commit 7de7eaf

- KVM: x86: Reject disabling of MWAIT/HLT interception when not
  allowed (git-fixes).
- commit 6f261b9

- KVM: arm64: Tear down vGIC on failed vCPU creation (git-fixes).
- commit a8fc9b5

- xhci: Add helper to set an interrupters interrupt moderation
  interval (git-fixes).
- commit 552ff9a

- xhci: split free interrupter into separate remove and free parts
  (git-fixes).
- commit b6b40d2

- KVM: arm64: vgic-v4: Fall back to software irqbypass if LPI
  not found (git-fixes).
- commit 30abdad

- KVM: arm64: vgic-v4: Only attempt vLPI mapping for actual MSIs
  (git-fixes).
- commit fa068c2

- rcu/tasks-trace: Handle new PF_IDLE semantics (git-fixes)
- commit 9e674eb

- rcu/tasks: Handle new PF_IDLE semantics (git-fixes)
- commit dc44560

- rcu: Introduce rcu_cpu_online() (git-fixes)
- commit 1b93211

- rcu: Break rcu_node_0 --> &rq->__lock order (git-fixes)
- commit 37d6fe5

- KVM: arm64: Mark some header functions as inline (git-fixes).
- commit 1cf34cd

- KVM: arm64: timer: Always evaluate the need for a soft timer
  (git-fixes).
- commit 2c68f44

- KVM: arm64: Fix RAS trapping in pKVM for protected VMs
  (git-fixes).
- commit 4af64c7

- KVM: s390: Don't use %pK through debug printing (git-fixes
  bsc#1243657).
- KVM: s390: Don't use %pK through tracepoints (git-fixes
  bsc#1243658).
- commit 784e519

- s390/pci: Fix missing check for zpci_create_device() error
  return (git-fixes CVE-2025-37974 bsc#1243547).
- commit fe0123d

- KVM: arm64: Ignore PMCNTENSET_EL0 while checking for overflow
  status (git-fixes).
- commit 861b970

- KVM: arm64: vgic-its: Clear ITE when DISCARD frees an ITE
  (git-fixes).
- commit cae4119

- KVM: arm64: vgic-its: Clear DTE when MAPD unmaps a device
  (git-fixes).
- commit c87dcd2

- KVM: arm64: vgic-its: Add a data length check in vgic_its_save_*
  (git-fixes).
- commit fb99ec6

- drm/amd/display: prevent hang on link training fail (bsc#1243056 CVE-2025-37870)
- commit 368bb8e

- Input: synaptics-rmi - fix crash with unsupported versions of
  F34 (git-fixes).
- spi: spi-fsl-dspi: Reset SR flags before sending a new message
  (git-fixes).
- spi: spi-fsl-dspi: Halt the module after a new message transfer
  (git-fixes).
- spi: spi-fsl-dspi: restrict register range for regmap access
  (git-fixes).
- commit b0b7b4d

- Revert "drm/amd: Keep display off while going into S4"
  (git-fixes).
- drm/edid: fixed the bug that hdr metadata was not reset
  (git-fixes).
- thermal: intel: x86_pkg_temp_thermal: Fix bogus trip temperature
  (git-fixes).
- platform/x86: dell-wmi-sysman: Avoid buffer overflow in
  current_password_store() (git-fixes).
- commit 2a12a0d

- x86/speculation: Remove the extra #ifdef around CALL_NOSPEC (bsc#1242006 CVE-2024-28956).
- commit 02d5249

- x86/speculation: Add a conditional CS prefix to CALL_NOSPEC (bsc#1242006 CVE-2024-28956).
- commit e6e328e

- x86/speculation: Simplify and make CALL_NOSPEC consistent (bsc#1242006 CVE-2024-28956).
- commit 4f55697

- drm/amd: Add Suspend/Hibernate notification callback support
  (stable-fixes).
- Refresh
  patches.suse/drm-amd-Keep-display-off-while-going-into-S4.patch.
- commit 8fc5efa

- can: slcan: allow reception of short error messages (git-fixes).
- can: bcm: add missing rcu read protection for procfs content
  (git-fixes).
- can: bcm: add locking for bcm_op runtime updates (git-fixes).
- Bluetooth: btusb: use skb_pull to avoid unsafe access in QCA
  dump handling (git-fixes).
- Bluetooth: L2CAP: Fix not checking l2cap_chan security level
  (git-fixes).
- ASoc: SOF: topology: connect DAI to a single DAI link
  (git-fixes).
- ASoC: SOF: ipc4-pcm: Delay reporting is only supported for
  playback direction (git-fixes).
- ASoC: SOF: ipc4-control: Use SOF_CTRL_CMD_BINARY as numid for
  bytes_ext (git-fixes).
- drm/amd/display: Avoid flooding unnecessary info messages
  (git-fixes).
- drm/amd/display: Correct the reply value when AUX write
  incomplete (git-fixes).
- ALSA: usb-audio: Add sample rate quirk for Microdia JP001 USB
  Camera (stable-fixes).
- HID: uclogic: Add NULL check in uclogic_input_configured()
  (git-fixes).
- HID: thrustmaster: fix memory leak in thrustmaster_interrupts()
  (git-fixes).
- wifi: mt76: disable napi on driver removal (git-fixes).
- wifi: mac80211: Set n_channels after allocating struct
  cfg80211_scan_request (git-fixes).
- Bluetooth: MGMT: Fix MGMT_OP_ADD_DEVICE invalid device flags
  (git-fixes).
- drm/amdgpu: fix pm notifier handling (git-fixes).
- Revert "drm/amd: Stop evicting resources on APUs in suspend"
  (stable-fixes).
- drm/amdgpu: Queue KFD reset workitem in VF FED (stable-fixes).
- drm/amdgpu: trigger flr_work if reading pf2vf data failed
  (stable-fixes).
- commit 26616bd

- net/niu: Niu requires MSIX ENTRY_DATA fields touch before
  entry reads (CVE-2025-37833 bsc#1242868).
- commit 6ef582b

- smb: client: fix potential race in cifs_put_tcon() (git-fixes).
- commit 19f09de

- smb: client: don't retry DFS targets on server shutdown
  (git-fixes).
- commit 1f292e5

- smb: client: fix return value of parse_dfs_referrals()
  (git-fixes).
- commit 4a3af29

- smb: client: parse DNS domain name from domain= option
  (git-fixes).
- commit a71bddc

- smb: client: parse av pair type 4 in CHALLENGE_MESSAGE
  (git-fixes).
- commit 06ad34c

- smb: client: introduce av_for_each_entry() helper (git-fixes).
- commit b221e20

- smb: client: get rid of kstrdup() in get_ses_refpath()
  (git-fixes).
- commit 820766b

- smb: client: don't trust DFSREF_STORAGE_SERVER bit (git-fixes).
- commit e375375

- smb: client: get rid of TCP_Server_Info::refpath_lock
  (git-fixes).
- commit a1e1a18

- smb: client: optimize referral walk on failed link targets
  (git-fixes).
- commit dc0ea15

- smb: client: provide dns_resolve_{unc,name} helpers (git-fixes).
- commit 823244a

- smb: client: fix DFS mount against old servers with NTLMSSP
  (git-fixes).
- commit 9bdc840

- smb: client: don't try following DFS links in
  cifs_tree_connect() (git-fixes).
- commit faa5ddf

- btrfs: fix a leaked chunk map issue in read_one_chunk()
  (git-fixes).
- btrfs: avoid monopolizing a core when activating a swap file
  (git-fixes).
- btrfs: don't loop for nowait writes when checking for cross
  references (git-fixes).
- commit 55fbee8

- smb: client: get rid of @nlsc param in cifs_tree_connect()
  (git-fixes).
- commit a37d55b

- smb: client: allow more DFS referrals to be cached (git-fixes).
- commit 0672bc5

- smb: client: Use str_yes_no() helper function (git-fixes).
- commit 45cd31b

- smb: client: fix DFS interlink failover (git-fixes).
- commit 0e64ad0

- smb: client: improve purging of cached referrals (git-fixes).
- commit 91096d5

- smb: client: avoid unnecessary reconnects when refreshing
  referrals (git-fixes).
- commit f39d027

- smb: client: refresh referral without acquiring refpath_lock
  (git-fixes).
- commit a3174a3

- cifs: change tcon status when need_reconnect is set on it
  (git-fixes).
- commit 3ba9ec1

- perf: Fix hang while freeing sigtrap event (bsc#1229491 CVE-2024-43869)
- commit ea46d36

- perf: Fix event leak upon exec and file release (bsc#1229491 CVE-2024-43869)
- commit 2306ed7

- task_work: Introduce task_work_cancel() again (bsc#1229491 CVE-2024-43869)
- commit fcc1a13

- task_work: s/task_work_cancel()/task_work_cancel_func()/ (bsc#1229491 CVE-2024-43869)
- commit 737f43d

- sched/numa: Fix the potential null pointer dereference in (bsc#1233192 CVE-2024-50223)
- commit 00ab70f

- arm64: bpf: Only mitigate cBPF programs loaded by unprivileged users (git-fixes)
- commit 7e8bd78

- arm64: bpf: Add BHB mitigation to the epilogue for cBPF programs (git-fixes)
- commit 19938ce

- arm64: proton-pack: Add new CPUs 'k' values for branch mitigation (git-fixes)
- commit 9d5f7df

- arm64: proton-pack: Expose whether the branchy loop k value (git-fixes)
- commit ae499ae

- arm64: proton-pack: Expose whether the platform is mitigated by (git-fixes)
- commit 204dc95

- arm64: insn: Add support for encoding DSB (git-fixes)
- commit 6b6fa36

- crypto: algif_hash - fix double free in hash_accept (git-fixes).
- padata: do not leak refcount in reorder_work (git-fixes).
- commit 891cb3d

- btrfs: fix non-empty delayed iputs list on unmount due to
  compressed write workers (git-fixes).
- commit f1d5e24

- btrfs: fix discard worker infinite loop after disabling discard
  (bsc#1242012).
- commit 37021c3

- exfat: fix potential wrong error return from get_block
  (git-fixes).
- commit 7a3ae68

- hv_netvsc: Remove rmsg_pgcnt (git-fixes).
- hv_netvsc: Preserve contiguous PFN grouping in the page buffer array (git-fixes).
- hv_netvsc: Use vmbus_sendpacket_mpb_desc() to send VMBus messages (git-fixes).
- Drivers: hv: Allow vmbus_sendpacket_mpb_desc() to create multiple ranges (git-fixes).
- commit cc27aab

- Refresh
  patches.suse/NFSv3-only-use-NFS-timeout-for-MOUNT-when-protocols-.patch.
- commit a5cceab

- nfsd: add list_head nf_gc to struct nfsd_file (git-fixes).
- commit 619e51a

- NFSv4: Don't trigger uneccessary scans for return-on-close
  delegations (git-fixes).
- commit 7a38fa2

- NFSD: Skip sending CB_RECALL_ANY when the backchannel isn't up
  (git-fixes).
- commit ab2a57c

- NFS: O_DIRECT writes must check and adjust the file length
  (git-fixes).
- commit f49be34

- btrfs: avoid NULL pointer dereference if no valid csum tree
  (bsc#1243342).
- commit 4a016a5

- btrfs: avoid NULL pointer dereference if no valid extent tree
  (bsc#1236208).
- commit 3a3390f

- btrfs: adjust subpage bit start based on sectorsize
  (bsc#1241492).
- commit b1923a6

- nfs: handle failure of nfs_get_lock_context in unlock path
  (git-fixes).
- commit fc76265

- NFSv4/pnfs: Reset the layout state after a layoutreturn
  (git-fixes).
- commit bfc4dcb

- Input: xpad - fix Share button on Xbox One controllers
  (stable-fixes).
- Input: synaptics - enable InterTouch on Dell Precision M3800
  (stable-fixes).
- Input: synaptics - enable InterTouch on TUXEDO InfinityBook
  Pro 14 v5 (stable-fixes).
- Input: synaptics - enable InterTouch on Dynabook Portege X30L-G
  (stable-fixes).
- Input: synaptics - enable InterTouch on Dynabook Portege X30-D
  (stable-fixes).
- Input: synaptics - enable SMBus for HP Elitebook 850 G1
  (stable-fixes).
- Input: xpad - add support for 8BitDo Ultimate 2 Wireless
  Controller (stable-fixes).
- drm/amd/display: Fix the checking condition in dmub aux handling
  (stable-fixes).
- drm/amd/display: more liberal vmin/vmax update for freesync
  (stable-fixes).
- drm/v3d: Add job to pending list if the reset was skipped
  (stable-fixes).
- commit 9301e6f

- update metadata
- Update
  patches.suse/nvme-fixup-scan-failure-for-non-ANA-multipath-contro.patch
  (git-fixes bsc#1235149).
- Update
  patches.suse/nvme-re-read-ANA-log-page-after-ns-scan-completes.patch
  (git-fixes bsc#1235149).
- commit 34602b4

- net/handshake: Fix handshake_req_destroy_test1 (git-fixes).
- commit 2e22868

- net/mlx5e: Disable MACsec offload for uplink representor profile
  (git-fixes).
- net: qede: Initialize qede_ll_ops with designated initializer
  (git-fixes).
- igc: fix lock order in igc_ptp_reset (git-fixes).
- idpf: protect shutdown from reset (git-fixes).
- idpf: fix potential memory leak on kcalloc() failure
  (git-fixes).
- bnxt_en: Fix ethtool -d byte order for 32-bit values
  (git-fixes).
- bnxt_en: Fix out-of-bound memcpy() during ethtool -w
  (git-fixes).
- bnxt_en: Fix coredump logic to free allocated buffer
  (git-fixes).
- bnxt_en: Add missing skb_mark_for_recycle() in bnxt_rx_vlan()
  (git-fixes).
- idpf: fix offloads support for encapsulated packets (git-fixes).
- ice: Check VF VSI Pointer Value in ice_vc_add_fdir_fltr()
  (git-fixes).
- net/mlx5: E-switch, Fix error handling for enabling roce
  (git-fixes).
- net/mlx5: E-Switch, Initialize MAC Address for Default GID
  (git-fixes).
- pds_core: make wait_context part of q_info (CVE-2025-37886
  bsc#1242944).
- pds_core: handle unsupported PDS_CORE_CMD_FW_CONTROL result
  (CVE-2025-37887 bsc#1242962).
- octeontx2-pf: qos: fix VF root node parent queue index
  (git-fixes).
- devlink: fix port new reply cmd type (git-fixes).
- netlink: annotate data-races around sk->sk_err (git-fixes).
- net/handshake: Fix memory leak in __sock_create() and
  sock_alloc_file() (git-fixes).
- commit d6dfca7

- net: ppp: Add bound checking for skb data on ppp_sync_txmung (CVE-2025-37749 bsc#1242859)
- commit be85fb7

- netlabel: Fix NULL pointer exception caused by CALIPSO on IPv4 sockets (CVE-2025-22063 bsc#1241351)
- commit 9ad0b9d

- kernel-obs-qa: Use srchash for dependency as well
- commit 485ae1d

- x86/its: Fix build errors when CONFIG_MODULES=n (git-fixes).
- commit 2ced030

- ocfs2: fix the issue with discontiguous allocation in the
  global_bitmap (git-fixes).
- commit 3a6d567

- dmaengine: mediatek: drop unused variable (git-fixes).
- dmaengine: idxd: Fix ->poll() return value (git-fixes).
- phy: tegra: xusb: remove a stray unlock (git-fixes).
- commit 78d9bf4

- dmaengine: mediatek: Fix a possible deadlock error in
  mtk_cqdma_tx_status() (git-fixes).
- dmaengine: idxd: Refactor remove call with idxd_cleanup()
  helper (git-fixes).
- dmaengine: idxd: Add missing idxd cleanup to fix memory leak
  in remove call (git-fixes).
- dmaengine: idxd: fix memory leak in error handling path of
  idxd_pci_probe (git-fixes).
- dmaengine: idxd: fix memory leak in error handling path of
  idxd_alloc (git-fixes).
- dmaengine: idxd: Add missing cleanups in cleanup internals
  (git-fixes).
- dmaengine: idxd: Add missing cleanup for early error out in
  idxd_setup_internals (git-fixes).
- dmaengine: idxd: fix memory leak in error handling path of
  idxd_setup_groups (git-fixes).
- dmaengine: idxd: fix memory leak in error handling path of
  idxd_setup_engines (git-fixes).
- dmaengine: idxd: fix memory leak in error handling path of
  idxd_setup_wqs (git-fixes).
- dmaengine: idxd: Fix allowing write() from different address
  spaces (git-fixes).
- dmaengine: ti: k3-udma: Add missing locking (git-fixes).
- dmaengine: ti: k3-udma: Use cap_mask directly from dma_device
  structure instead of a local copy (git-fixes).
- dmaengine: Revert "dmaengine: dmatest: Fix dmatest waiting
  less when interrupted" (git-fixes).
- phy: Fix error handling in tegra_xusb_port_init (git-fixes).
- phy: renesas: rcar-gen3-usb2: Set timing registers only once
  (git-fixes).
- phy: renesas: rcar-gen3-usb2: Fix role detection on unbind/bind
  (git-fixes).
- phy: tegra: xusb: Use a bitmask for UTMI pad power state
  tracking (git-fixes).
- i2c: designware: Fix an error handling path in
  i2c_dw_pci_probe() (git-fixes).
- commit d7f3f88

- spi: tegra114: Use value to check for invalid delays
  (git-fixes).
- spi: loopback-test: Do not split 1024-byte hexdumps (git-fixes).
- commit 455317d

- dma-buf: insert memory barrier before updating num_fences
  (git-fixes).
- ACPI: PPTT: Fix processor subtable walk (git-fixes).
- regulator: max20086: fix invalid memory access (git-fixes).
- ALSA: es1968: Add error handling for
  snd_pcm_hw_constraint_pow2() (git-fixes).
- ALSA: sh: SND_AICA should depend on SH_DMA_API (git-fixes).
- ALSA: usb-audio: Add sample rate quirk for Audioengine D1
  (git-fixes).
- ALSA: ump: Fix a typo of snd_ump_stream_msg_device_info
  (git-fixes).
- ALSA: seq: Fix delivery of UMP events to group ports
  (git-fixes).
- commit 6d9d893

- net_sched: hfsc: Fix a potential UAF in hfsc_dequeue() too
  (CVE-2025-37823 bsc#1242924).
- commit 1471c72

- spi: fsl-qspi: Fix double cleanup in probe error path
  (CVE-2025-37842 bsc#1242951).
- commit 24f6262

- spi: fsl-qspi: use devm function instead of driver remove
  (CVE-2025-37842 bsc#1242951).
- commit d11d0a5

- tipc: fix NULL pointer dereference in tipc_mon_reinit_self()
  (CVE-2025-37824 bsc#1242867).
- commit b6204ae

- RDMA/core: Fix "KASAN: slab-use-after-free Read in ib_register_device" problem (git-fixes)
- commit cf0fc91

- RDMA/rxe: Fix slab-use-after-free Read in rxe_queue_cleanup bug (git-fixes)
- commit 2431d70

- qibfs: fix _another_ leak (git-fixes)
- commit 8fd1fde

- Update
  patches.suse/md-raid10-wait-barrier-before-returning-discard-request-wi.patch
  (git-fixes CVE-2025-40325 bsc#1241638).
  Updated meta-data, adding CVE# and bsc#
- commit 7913a06

- Update
  patches.suse/md-fix-mddev-uaf-while-iterating-all_mddevs-list.patch
  (git-fixes CVE-2025-22126 bsc#1241597).
  Updated meta-data, adding CVE# and bsc#
- commit f259b1e

- Update patches.suse/md-raid1-raid10-don-t-ignore-IO-flags.patch
  (git-fixes CVE-2025-22125 bsc#1241596).
  Updated meta-data, adding CVE# and bsc#
- commit e5ab0f8

- Move upstreamed tpm patch into sorted section
- commit 4c354fe

- misc: pci_endpoint_test: Avoid issue of interrupts remaining
  after request_irq error (CVE-2025-23140 bsc#1242763).
- commit 7ef87ac

- Refresh patches.suse/tpm-tis-Double-the-timeout-B-to-4s.patch.
- commit a661a1f

- Sort ITS patches
- Refresh
  patches.suse/Documentation-x86-bugs-its-Add-ITS-documentation.patch.
- Refresh
  patches.suse/x86-ibt-Keep-IBT-disabled-during-alternative-patching.patch.
- Refresh
  patches.suse/x86-its-Add-support-for-ITS-safe-indirect-thunk.patch.
- Refresh
  patches.suse/x86-its-Add-support-for-ITS-safe-return-thunk.patch.
- Refresh
  patches.suse/x86-its-Add-support-for-RSB-stuffing-mitigation.patch.
- Refresh
  patches.suse/x86-its-Add-vmexit-option-to-skip-mitigation-on-some-CPUs.patch.
- Refresh
  patches.suse/x86-its-Align-RETs-in-BHB-clear-sequence-to-avoid-thunking.patch.
- Refresh
  patches.suse/x86-its-Enable-Indirect-Target-Selection-mitigation.patch.
- Refresh
  patches.suse/x86-its-Enumerate-Indirect-Target-Selection-ITS-bug.patch.
- Refresh
  patches.suse/x86-its-Use-dynamic-thunks-for-indirect-branches.patch.
- commit c6710c7

- arm64: dts: imx8mm-verdin: Link reg_usdhc2_vqmmc to usdhc2 (git-fixes)
- commit 1edd6ab

- arm64: errata: Add missing sentinels to Spectre-BHB MIDR arrays (git-fixes)
- commit 182f118

- arm64: cputype: Add QCOM_CPU_PART_KRYO_3XX_GOLD (git-fixes)
- commit 0b208b9

- netfilter: conntrack: clamp maximum hashtable size to INT_MAX (CVE-2025-21648 bsc#1236142)
- commit 4d49a39

- smb: client: fix UAF in decryption with multichannel
  (bsc#1242510, CVE-2025-37750).
- commit dcd21e8

- cifs: reduce warning log level for server not advertising
  interfaces (git-fixes).
- commit d059ffc

- sch_htb: make htb_deactivate() idempotent (CVE-2025-37798
  bsc#1242414).
- sch_ets: make est_qlen_notify() idempotent (CVE-2025-37798
  bsc#1242414).
- sch_qfq: make qfq_qlen_notify() idempotent (CVE-2025-37798
  bsc#1242414).
- sch_hfsc: make hfsc_qlen_notify() idempotent (CVE-2025-37798
  bsc#1242414).
- sch_drr: make drr_qlen_notify() idempotent (CVE-2025-37798
  bsc#1242414).
- sch_htb: make htb_qlen_notify() idempotent (CVE-2025-37798
  bsc#1242414).
- commit ca3d2dc

- KVM: arm64: Change kvm_handle_mmio_return() return polarity
  (git-fixes).
- Refresh
  patches.suse/KVM-arm64-Don-t-retire-aborted-MMIO-instruction.patch.
- commit 265ba62

- net: openvswitch: fix nested key length validation in the set()
  action (CVE-2025-37789 bsc#1242762).
- commit aa0d4ee

- netfilter: nft_tunnel: fix geneve_opt type confusion addition
  (CVE-2025-22056 bsc#1241525).
- commit bfce6d7

- nvme-pci: add quirk for Samsung PM173x/PM173xa disk
  (bsc#1241148).
- nvme: Add warning when a partiually unique NID is detected
  (bsc#1241148).
- nvme: Add 'partial_nid' quirk (bsc#1241148).
- commit 242af03

- x86/its: Use dynamic thunks for indirect branches (bsc#1242006 CVE-2024-28956).
- commit 428e9a8

- selftests/mm: fix incorrect buffer->mirror size in hmm2
  double_map test (bsc#1242203).
- commit a065dfc

- mm: zswap: fix crypto_free_acomp() deadlock in
  zswap_cpu_comp_dead() (CVE-2025-22030 bsc#1241376).
- commit f3d5b08

- nvme: fixup scan failure for non-ANA multipath controllers
  (git-fixes).
- commit fbd0910

- platform/x86: asus-wmi: Fix wlan_ctrl_by_user detection
  (git-fixes).
- platform/x86/amd/pmc: Declare quirk_spurious_8042 for MECHREVO
  Wujie 14XA (GX4HRXL) (git-fixes).
- commit fe36676

- scsi: core: Clear flags for scsi_cmnd that did not complete
  (git-fixes).
- commit 3615a18

- nvme: unblock ctrl state transition for firmware update
  (git-fixes).
- nvmet-tcp: select CONFIG_TLS from CONFIG_NVME_TARGET_TCP_TLS
  (git-fixes).
- nvme-tcp: select CONFIG_TLS from CONFIG_NVME_TCP_TLS
  (git-fixes).
- nvme-tcp: fix premature queue removal and I/O failover
  (git-fixes).
- nvme-pci: fix queue unquiesce check on slot_reset (git-fixes).
- nvmet-fc: put ref when assoc->del_work is already scheduled
  (git-fixes).
- nvmet-fc: take tgtport reference only once (git-fixes).
- nvmet-fc: update tgtport ref per assoc (git-fixes).
- nvmet-fc: inline nvmet_fc_free_hostport (git-fixes).
- nvmet-fc: inline nvmet_fc_delete_assoc (git-fixes).
- nvmet-fcloop: add ref counting to lport (git-fixes).
- nvmet-fcloop: replace kref with refcount (git-fixes).
- nvme: multipath: fix return value of nvme_available_path
  (git-fixes).
- nvme: re-read ANA log page after ns scan completes (git-fixes).
- nvme: requeue namespace scan on missed AENs (git-fixes).
- nvmet-fcloop: Remove remote port from list when unlinking
  (git-fixes).
- commit c20709a

- md/raid10: fix missing discard IO accounting (git-fixes).
- md/raid10: wait barrier before returning discard request with
  REQ_NOWAIT (git-fixes).
- md/raid1,raid10: don't ignore IO flags (git-fixes).
- md: fix mddev uaf while iterating all_mddevs list (git-fixes).
- md/raid1: fix memory leak in raid1_run() if no active rdev
  (git-fixes).
- md: ensure resync is prioritized over recovery (git-fixes).
- md/raid5: implement pers->bitmap_sector() (git-fixes).
- commit ffbc738

- scsi: qla2xxx: Remove duplicate struct crb_addr_pair
  (bsc#1243090).
- scsi: qla2xxx: Remove unused module parameters (bsc#1243090).
- scsi: qla2xxx: Remove unused qla2x00_gpsc() (bsc#1243090).
- scsi: qla2xxx: Remove unused ql_log_qp (bsc#1243090).
- scsi: qla2xxx: Remove unused qla82xx_wait_for_state_change()
  (bsc#1243090).
- scsi: qla2xxx: Remove unused qla82xx_pci_region_offset()
  (bsc#1243090).
- scsi: qla2xxx: Remove unused qlt_83xx_iospace_config()
  (bsc#1243090).
- scsi: qla2xxx: Remove unused qlt_fc_port_deleted()
  (bsc#1243090).
- scsi: qla2xxx: Remove unused qlt_free_qfull_cmds()
  (bsc#1243090).
- scsi: qla2xxx: Fix typos in a comment (bsc#1243090).
- scsi: qla2xxx: Mark device strings as nonstring (bsc#1243090).
- commit c83a90b

- md: preserve KABI in struct md_personality v2 (git-fixes).
  Added to mitigate md-add-a-new-callback-pers-bitmap_sector.patch,
  which was a git-fix.
- commit f999b84

- scsi: lpfc: Copyright updates for 14.4.0.9 patches
  (bsc#1242993).
- scsi: lpfc: Update lpfc version to 14.4.0.9 (bsc#1242993).
- scsi: lpfc: Create lpfc_vmid_info sysfs entry (bsc#1242993).
- scsi: lpfc: Avoid potential ndlp use-after-free in
  dev_loss_tmo_callbk (bsc#1242993).
- scsi: lpfc: Prevent failure to reregister with NVMe transport
  after PRLI retry (bsc#1242993).
- scsi: lpfc: Restart eratt_poll timer if HBA_SETUP flag still
  unset (bsc#1242993).
- scsi: lpfc: Notify FC transport of rport disappearance during
  PCI fcn reset (bsc#1242993).
- scsi: lpfc: Fix lpfc_check_sli_ndlp() handling for GEN_REQUEST64
  commands (bsc#1242993).
- scsi: lpfc: Fix spelling mistake 'Toplogy' -> 'Topology'
  (bsc#1242993).
- scsi: lpfc: Convert timeouts to secs_to_jiffies() (bsc#1242993).
- jiffies: Cast to unsigned long in secs_to_jiffies() conversion
  (bsc#1242993).
- scsi: lpfc: convert timeouts to secs_to_jiffies() (bsc#1242993).
- jiffies: Define secs_to_jiffies() (bsc#1242993).
- commit 25c902e

- bpf: Scrub packet on bpf_redirect_peer (git-fixes).
- commit b9aeef5

- powercap: intel_rapl: Fix locking in TPMI RAPL (git-fixes).
- Refresh patches.kabi/power-cap-kabi-workaround.patch.
- Refresh
  patches.suse/powercap-intel_rapl-Introduce-APIs-for-PMU-support.patch.
- commit 7773e64

- tcp_bpf: Charge receive socket buffer in bpf_tcp_ingress()
  (git-fixes).
- commit 813fc9a

- xsk: Don't assume metadata is always requested in TX completion
  (git-fixes).
- commit dda0558

- media: videobuf2: Add missing doc comment for waiting_in_dqbuf
  (git-fixes).
- commit 75cff49

- scsi: lpfc: Use memcpy() for BIOS version (bsc#1240966).
- commit 55b4352

- check-for-config-changes: Fix flag name typo
- commit 1046b16

- usb: typec: class: Invalidate USB device pointers on partner
  unregistration (git-fixes).
- commit 205050a

- Revert "rndis_host: Flag RNDIS modems as WWAN devices"
  (git-fixes).
- commit 01b3feb

- netfilter: socket: Lookup orig tuple for IPv6 SNAT
  (CVE-2025-22021 bsc#1241282).
- commit 31e1ce9

- sched/fair: Fix potential memory corruption in
  child_cfs_rq_on_list (CVE-2025-21919 bsc#1240593).
- commit d264620

- Input: xpad - fix two controller table values (git-fixes).
- Input: mtk-pmic-keys - fix possible null pointer dereference
  (git-fixes).
- Input: cyttsp5 - ensure minimum reset pulse width (git-fixes).
- commit bd45eeb

- md: add a new callback pers->bitmap_sector() (git-fixes).
- Refresh patches.kabi/md-md_personality-workaround.patch.
- commit a7e1668

- Move upstreamed sound patch into sorted section
- commit 3442d03

- usb: usbtmc: Fix erroneous generic_read ioctl return
  (git-fixes).
- usb: usbtmc: Fix erroneous wait_srq ioctl return (git-fixes).
- usb: usbtmc: Fix erroneous get_stb ioctl error returns
  (git-fixes).
- usb: typec: tcpm: delay SNK_TRY_WAIT_DEBOUNCE to SRC_TRYWAIT
  transition (git-fixes).
- USB: usbtmc: use interruptible sleep in usbtmc_read (git-fixes).
- usb: cdnsp: fix L1 resume issue for RTL_REVISION_NEW_LPM version
  (git-fixes).
- usb: typec: ucsi: displayport: Fix NULL pointer access
  (git-fixes).
- usb: uhci-platform: Make the clock really optional (git-fixes).
- usb: gadget: Use get_status callback to set remote wakeup
  capability (git-fixes).
- usb: gadget: f_ecm: Add get_status callback (git-fixes).
- usb: host: tegra: Prevent host controller crash when OTG port
  is used (git-fixes).
- usb: gadget: tegra-xudc: ACK ST_RC after clearing CTRL_RUN
  (git-fixes).
- staging: axis-fifo: Remove hardware resets for user errors
  (git-fixes).
- staging: axis-fifo: Correct handling of tx_fifo_depth for size
  validation (git-fixes).
- iio: adis16201: Correct inclinometer channel resolution
  (git-fixes).
- iio: adc: ad7606: fix serial register access (git-fixes).
- staging: iio: adc: ad7816: Correct conditional logic for store
  mode (git-fixes).
- iio: temp: maxim-thermocouple: Fix potential lack of DMA safe
  buffer (git-fixes).
- iio: imu: st_lsm6dsx: fix possible lockup in
  st_lsm6dsx_read_tagged_fifo (git-fixes).
- iio: imu: st_lsm6dsx: fix possible lockup in
  st_lsm6dsx_read_fifo (git-fixes).
- iio: accel: adxl367: fix setting odr for activity time update
  (git-fixes).
- drm/amdgpu/hdp5.2: use memcfg register to post the write for
  HDP flush (git-fixes).
- drm/amd/display: Fix wrong handling for AUX_DEFER case
  (git-fixes).
- drm/amd/display: Copy AUX read reply data whenever length >
  0 (git-fixes).
- drm/amd/display: Remove incorrect checking in dmub aux handler
  (git-fixes).
- drm/amd/display: Shift DMUB AUX reply command if necessary
  (git-fixes).
- drm/panel: simple: Update timings for AUO G101EVN010
  (git-fixes).
- wifi: cfg80211: fix out-of-bounds access during multi-link
  element defragmentation (git-fixes).
- can: gw: fix RCU/BH usage in cgw_create_job() (git-fixes).
- can: mcan: m_can_class_unregister(): fix order of unregistration
  calls (git-fixes).
- can: mcp251xfd: mcp251xfd_remove(): fix order of unregistration
  calls (git-fixes).
- can: mcp251xfd: fix TDC setting for low data bit rates
  (git-fixes).
- irqchip/qcom-mpm: Prevent crash when trying to handle non-wake
  GPIOs (git-fixes).
- ALSA: usb-audio: Add second USB ID for Jabra Evolve 65 headset
  (stable-fixes).
- ALSA: usb-audio: Add retry on -EPROTO from usb_set_interface()
  (stable-fixes).
- drm/amd/display: Fix slab-use-after-free in hdcp (git-fixes).
- platform/x86/amd: pmc: Require at least 2.5 seconds between
  HW sleep cycles (stable-fixes).
- drm/amd/display: Add scoped mutexes for amdgpu_dm_dhcp
  (stable-fixes).
- ASoC: soc-core: Stop using of_property_read_bool() for
  non-boolean properties (stable-fixes).
- ASoC: Use of_property_read_bool() (stable-fixes).
- xhci: Clean up stale comment on ERST_SIZE macro (stable-fixes).
- commit 9628f1b
libbpf
- Workaround kernel module size increase due to BTF deduplication
  issue since the introduction of TYPEOF_UNQUAL (poo#183503 bsc#1244135)
  * add 0001-libbpf-Add-identical-pointer-detection-to-btf_dedup_.patch
nfs-utils
- gssd: add support for an "allowed-enctypes" option in nfs.conf
  (bsc#1240899)
  - add 0008-gssd-add-support-for-an-allowed-enctypes-option-in-n.patch
openssl-3
- Backport mdless cms signing support [jsc#PED-12895]
  * Add openssl-3-support-mdless-cms.patch
libssh
- Fix CVE-2025-5318: Likely read beyond bounds in sftp server handle management (bsc#1245311)
  * Add patch libssh-CVE-2025-5318.patch
- Fix CVE-2025-4877: Write beyond bounds in binary to base64 conversion functions (bsc#1245309)
  * Add patch libssh-CVE-2025-4877.patch
- Fix CVE-2025-4878: Use of uninitialized variable in privatekey_from_file() (bsc#1245310)
  * Add patches:
  - libssh-CVE-2025-4878-1.patch
  - libssh-CVE-2025-4878-2.patch
- Fix CVE-2025-5372: ssh_kdf() returns a success code on certain failures (bsc#1245314)
  * Add patch libssh-CVE-2025-5372.patch
systemd
- Import commit 278fb676146e35a7b4057f52f34a7bbaf1b82369
  aa12f501ae logs-show: get timestamp and boot ID only when necessary (bsc#1242827)
  e8b17d11bc sd-journal: drop to use Hashmap to manage journal files per boot ID
  ea80273738 tree-wide: set SD_JOURNAL_ASSUME_IMMUTABLE where appropriate
  a5b3b5344f sd-journal: introduce SD_JOURNAL_ASSUME_IMMUTABLE flag
  5fa0600b34 sd-journal: make journal_file_read_tail_timestamp() notify to the caller that some new journal entries added
  737e8193e7 sd-journal: cache last entry offset and journal file state
  057dca426f sd-journal: fix typo in function name

- Start the systemd-coredump.socket unit on systemd-coredump package
  installation.
- Restore the kernel default values of the coredump sysctl settings on
  systemd-coredump package removal.

- Import commit e08f49f2432509787abfb7f3fc0b2f2c459def04 (merge of v254.25)
  This merge includes the following fix:
    7fc7aa5a4d coredump: use %d in kernel core pattern (bsc#1243935 CVE-2025-4598)
  For a complete list of changes, visit:
  https://github.com/openSUSE/systemd/compare/b0ae3b6e85b6a4030cf2adb88519a6ca0ffc1343...e08f49f2432509787abfb7f3fc0b2f2c459def04
- Drop 1021-Revert-macro-terminate-the-temporary-VA_ARGS_FOREACH.patch
  The SUSE specific patch has been integrated into the SUSE/v254 git
  branch. Some of the imported commits from the stable tree rely on the macro
  now.

- Import commit b0ae3b6e85b6a4030cf2adb88519a6ca0ffc1343
  41d2be2fb5 Revert "macro: terminate the temporary VA_ARGS_FOREACH() array with a sentinel" (SUSE specific)
libzypp
- Fix credential handling in HEAD requests (bsc#1244105)
- version 17.37.5 (35)

- RepoInfo: use pathNameSetTrailingSlash (fixes #643)
- Fix wrong userdata parameter type when running zypp with debug
  verbosity (bsc#1239012)
- version 17.37.4 (35)

- Do not warn about no mirrors if mirrorlist was switched on
  automatically. (bsc#1243901)
- Relax permission of cached packages to 0644 & ~umask
  (bsc#1243887)
- version 17.37.3 (35)

- Add a note to service maintained .repo file entries (fixes #638)
- Support using %{url} variable in a RIS service's repo section.
- version 17.37.2 (35)

- Use a cookie file to validate mirrorlist cache.
  This patch extends the mirrorlist code to use a cookie file to
  validate the contents of the cache against the source URL, making
  sure that we do not accidentally use an old cache when the
  mirrorlist url was changed. For example when migrating a system
  from one release to the next where the same repo alias might just
  have a different URL.
- Let Service define and update gpgkey, mirrorlist and metalink.
- Preserve a mirrorlist file in the raw cache during refresh.
- version 17.37.1 (35)

- Code16: Enable curl2 backend and parallel package download by
  default. In Code15 it's optional.
  Environment variables ZYPP_CURL2=<0|1> and ZYPP_PCK_PRELOAD=<0|1>
  can be used to turn the features on or off.
- Make gpgKeyUrl the default source for gpg keys.
  When refreshing zypp now primarily uses gpgKeyUrl information
  from the repo files and only falls back to an automatically
  generated key Url if a gpgKeyUrl was not specified.
- Introduce mirrors into the Media backends (bsc#1240132)
- Drop MediaMultiCurl backend.
- Throttle progress updates when preloading packages (bsc#1239543)
- Check if request is in valid state in CURL callbacks (fixes
  openSUSE/zypper#605)
- spec/CMake: add conditional build
  '--with[out] classic_rpmtrans_as_default'.
  classic_rpmtrans is the current builtin default for SUSE,
  otherwise it's single_rpmtrans.
  The `enable_preview_single_rpmtrans_as_default_for_zypper` switch
  was removed from the spec file.  Accordingly the CMake option
  ENABLE_PREVIEW_SINGLE_RPMTRANS_AS_DEFAULT_FOR_ZYPPER was removed.
- version 17.37.0 (35)
openssh
- Add openssh-scp-umask-preserve-permissions.patch (bsc#1241667).
pam-config
- Stop adding pam_env in AUTH stack, and be sure to put this module at the
  very end of the SESSION stack.
  [bsc#1243226, CVE-2025-6018, remove-pam_env-from-auth-stack.patch]
pam
- pam_namespace: convert functions that may operate on a user-controlled path
  to operate on file descriptors instead of absolute paths. And keep the
  bind-mount protection from protect_mount() as a defense-in-depth measure.
  [bsc#1244509
  pam_inline-introduce-pam_asprintf-pam_snprintf-and-p.patch,
  pam_namespace-fix-potential-privilege-escalation.patch,
  pam_namespace-add-flags-to-indicate-path-safety.patch,
  pam_namespace-secure_opendir-do-not-look-at-the-grou.patch]
- pam_namespace-fix-potential-privilege-escalation.patch adapted and includes
  changes from upstream commits: ds6242a, bc856cd.
  * pam_namespace fix logic in return value handling
  * pam_namespace move functions around

- pam_env: Change the default to not read the user .pam_environment file
  [bsc#1243226, CVE-2025-6018,
  pam_env-change-the-default-to-not-read-the-user-env.patch]
perl
- do not change the current directory when cloning an open
  directory handle [bnc#1244079] [CVE-2025-40909]
  new patch: perl-dirdup.diff
python-requests
- Add CVE-2024-47081.patch upstream patch, fixes netrc credential leak
  (gh#psf/requests#6965, CVE-2024-47081, bsc#1244039)
runc
- Update to runc v1.2.6. Upstream changelog is available from
  <https://github.com/opencontainers/runc/releases/tag/v1.2.6>.

- Update to runc v1.2.5. Upstream changelog is available from
  <https://github.com/opencontainers/runc/releases/tag/v1.2.5>.

- Update to runc v1.2.4. Upstream changelog is available from
  <https://github.com/opencontainers/runc/releases/tag/v1.2.4>.
- Update runc.keyring to match upstream.

- Update to runc v1.2.3. Upstream changelog is available from
  <https://github.com/opencontainers/runc/releases/tag/v1.2.3>.

- Update to runc v1.2.2. Upstream changelog is available from
  <https://github.com/opencontainers/runc/releases/tag/v1.2.2>.

- Update to runc v1.2.1. Upstream changelog is available from
  <https://github.com/opencontainers/runc/releases/tag/v1.2.1>.

- Update to runc v1.2.0. Upstream changelog is available from
  <https://github.com/opencontainers/runc/releases/tag/v1.2.0>.
- Remove upstreamed patches.
  - 0001-bsc1221050-libct-seccomp-patchbpf-rm-duplicated-code.patch
  - 0002-bsc1221050-seccomp-patchbpf-rename-nativeArch-linuxA.patch
  - 0003-bsc1221050-seccomp-patchbpf-always-include-native-ar.patch
  - 0004-bsc1214960-nsenter-cloned_binary-remove-bindfd-logic.patch

- Update to runc v1.2.0~rc3. Upstream changelog is available from
  <https://github.com/opencontainers/runc/releases/tag/v1.2.0-rc.3>.
  Includes the patch for CVE-2024-45310. bsc#1230092
sudo
- Fix a possible local privilege escalation via the --host option
  [bsc#1245274, CVE-2025-32462]
- Fix a possible local privilege escalation via chroot option
  [bsc#1245275, CVE-2025-32463]
vim
- Fix bsc#1228776 / CVE-2024-41965.
- Fix bsc#1239602 / CVE-2025-29768.
- Refresh patch:
  vim-7.3-sh_is_bash.patch
- Update to 9.1.1406:
  9.1.1406: crash when importing invalid tuple
  9.1.1405: tests: no test for mapping with special keys in session file
  9.1.1404: wrong link to Chapter 2 in new-tutor
  9.1.1403: expansion of 'tabpanelopt' value adds wrong values
  9.1.1402: multi-byte mappings not properly stored in session file
  9.1.1401: list not materialized in prop_list()
  9.1.1400: [security]: use-after-free when evaluating tuple fails
  9.1.1399: tests: test_codestyle fails for auto-generated files
  9.1.1398: completion: trunc does not follow Pmenu highlighting attributes
  9.1.1397: tabpanel not correctly updated on :tabonly
  9.1.1396: 'errorformat' is a global option
  9.1.1395: search_stat not reset when pattern differs in case
  9.1.1394: tabpanel not correctly redrawn on tabonly
  9.1.1393: missing test for switching buffers and reusing curbuf
  9.1.1392: missing patch number
  9.1.1391: Vim does not have a vertical tabpanel
  9.1.1390: style: more wrong indentation
  9.1.1389: completion: still some issue when 'isexpand' contains a space
  9.1.1388: Scrolling one line too far with 'nosmoothscroll' page scrolling
  9.1.1387: memory leak when buflist_new() fails to reuse curbuf
  9.1.1386: MS-Windows: some minor problems building on AARCH64
  9.1.1385: inefficient loop for 'nosmoothscroll' scrolling
  9.1.1384: still some problem with the new tutors filetype plugin
  9.1.1383: completion: 'isexpand' option does not handle space char correct
  9.1.1382: if_ruby: unused compiler warnings from ruby internals
  9.1.1381: completion: cannot return to original text
  9.1.1380: 'eventignorewin' only checked for current buffer
  9.1.1379: MS-Windows: error when running evim when space in path
  9.1.1378: sign without text overwrites number option
  9.1.1377: patch v9.1.1370 causes some GTK warning messages
  9.1.1376: quickfix dummy buffer may remain as dummy buffer
  9.1.1375: [security]: possible heap UAF with quickfix dummy buffer
  9.1.1374: completion: 'smartcase' not respected when filtering matches
  9.1.1373: 'completeopt' checking logic can be simplified
  9.1.1372: style: braces issues in various files
  9.1.1371: style: indentation and brace issues in insexpand.c
  9.1.1370: CI Tests favor GTK2 over GTK3
  9.1.1369: configure still using autoconf 2.71
  9.1.1368: GTK3 and GTK4 will drop numeric cursor support.
  9.1.1367: too many strlen() calls in gui.c
  9.1.1366: v9.1.1364 unintentionally changed sign.c and sound.c
  9.1.1365: MS-Windows: compile warnings and too many strlen() calls
  9.1.1364: style: more indentation issues
  9.1.1363: style: inconsistent indentation in various files
  9.1.1362: Vim9: type ignored when adding tuple to instance list var
  9.1.1361: [security]: possible use-after-free when closing a buffer
  9.1.1360: filetype: GNU Radio companion files are not recognized
  9.1.1359: filetype: GNU Radio config files are not recognized
  9.1.1358: if_lua: compile warnings with gcc15
  9.1.1357: Vim incorrectly escapes tags with "[" in a help buffer
  9.1.1356: Vim9: crash when unletting variable
  9.1.1355: The pum_redraw() function is too complex
  9.1.1354: tests: Test_terminalwinscroll_topline() fails on Windows
  9.1.1353: missing change from v9.1.1350
  9.1.1352: style: inconsistent indent in insexpand.c
  9.1.1351: Return value of getcmdline() inconsistent in CmdlineLeavePre
  9.1.1350: tests: typo in Test_CmdlineLeavePre_cabbr()
  9.1.1349: CmdlineLeavePre may trigger twice
  9.1.1348: still E315 with the terminal feature
  9.1.1347: small problems with gui_w32.c
  9.1.1346: missing out-of-memory check in textformat.c
  9.1.1345: tests: Test_xxd_color2() test failure dump diff is misleading
  9.1.1344: double free in f_complete_match() (after v9.1.1341)
  9.1.1343: filetype: IPython files are not recognized
  9.1.1342: Shebang filetype detection can be improved
  9.1.1341: cannot define completion triggers
  9.1.1340: cannot complete :filetype arguments
  9.1.1339: missing out-of-memory checks for enc_to_utf16()/utf16_to_enc()
  9.1.1338: Calling expand() interferes with cmdcomplete_info()
  9.1.1337: Undo corrupted with 'completeopt' "preinsert" when switching buffer
  9.1.1336: comment plugin does not support case-insensitive 'commentstring'
  9.1.1335: Coverity complains about Null pointer dereferences
  9.1.1334: Coverity complains about unchecked return value
  9.1.1333: Coverity: complains about unutilized variable
  9.1.1332: Vim9: segfault when using super within a lambda
  9.1.1331: Leaking memory with cmdcomplete()
  9.1.1330: may receive E315 in terminal
  9.1.1329: cannot get information about command line completion
  9.1.1328: too many strlen() calls in indent.c
  9.1.1327: filetype: nroff detection can be improved
  9.1.1326: invalid cursor position after 'tagfunc'
  9.1.1325: tests: not checking error numbers properly
  9.1.1324: undefined behaviour if X11 connection dies
  9.1.1323: b:undo_ftplugin not executed when re-using buffer
  9.1.1322: small delete register cannot paste multi-line correctly
  9.1.1321: filetype: MS ixx and mpp files are not recognized
  9.1.1320: filetype: alsoft config files are not recognized
  9.1.1319: Various typos in the code, issue with test_inst_complete.vim
  9.1.1318: tests: test_format fails
  9.1.1317: noisy error when restoring folds from session fails
  9.1.1316: missing memory allocation failure in os_mswin.c
  9.1.1315: completion: issue with fuzzy completion and 'completefuzzycollect'
  9.1.1314: max allowed string width too small
  9.1.1313: compile warning about uninitialized value
  9.1.1312: tests: Test_backupskip() fails when HOME is defined
  9.1.1311: completion: not possible to limit number of matches
  9.1.1310: completion: redundant check for preinsert effect
  9.1.1309: tests: no test for 'pummaxwidth' with non-truncated "kind"
  9.1.1308: completion: cannot order matches by distance to cursor
  9.1.1307: make syntax does not reliably detect different flavors
  9.1.1306: completion menu rendering can be improved
  9.1.1305: completion menu active after switching windows/tabs
  9.1.1304: filetype: some man files are not recognized
  9.1.1303: missing out-of-memory check in linematch.c
  9.1.1302: Coverity warns about using uninitialized value
  9.1.1301: completion: cannot configure completion functions with 'complete'
  9.1.1300: wrong detection of -inf
  9.1.1299: filetype: mbsyncrc files are not recognized
  9.1.1298: define_function() is too long
  9.1.1297: Ctrl-D scrolling can get stuck
  9.1.1296: completion: incorrect truncation logic
  9.1.1295: clientserver: does not handle :stopinsert correctly
  9.1.1294: gui tabline menu does not use confirm when closing tabs
  9.1.1293: comment plugin does not handle 'exclusive' selection for comment object
  9.1.1292: statusline not correctly evaluated
  9.1.1291: too many strlen() calls in buffer.c
  9.1.1290: tests: missing cleanup in test_filetype.vim
  9.1.1289: tests: no test for matchparen plugin with WinScrolled event
  9.1.1288: Using wrong window in ll_resize_stack()
  9.1.1287: quickfix code can be further improved
  9.1.1286: filetype: help files not detected when 'iskeyword' includes ":"
  9.1.1285: Vim9: no error message for missing method after "super."
  9.1.1284: not possible to configure pum truncation char
  9.1.1283: quickfix stack is limited to 10 items
  9.1.1282: Build and test failure without job feature
  9.1.1281: extra newline output when editing stdin
  9.1.1280: trailing additional semicolon in get_matches_in_str()
  9.1.1279: Vim9: null_object and null_class are no reserved names
  9.1.1278: Vim9: too long functions in vim9type.c
  9.1.1277: tests: trailing comment char in test_popupwin
  9.1.1276: inline word diff treats multibyte chars as word char
  9.1.1275: MS-Windows: Not possible to pass additional flags to Make_mvc
  9.1.1274: Vim9: no support for object<type> as variable type
  9.1.1273: Coverity warns about using uninitialized value
  9.1.1272: completion: in keyword completion Ctrl_P cannot go back after Ctrl_N
  9.1.1271: filetype: Power Query files are not recognized
  9.1.1270: missing out-of-memory checks in buffer.c
  9.1.1269: completion: compl_shown_match is updated when starting keyword completion
  9.1.1268: filetype: dax files are not recognized
  9.1.1267: Vim9: no support for type list/dict<object<any>>
  9.1.1266: MS-Windows: type conversion warnings
  9.1.1265: tests: no tests for typing normal char during completion
  9.1.1264: Vim9: error when comparing objects
  9.1.1263: string length wrong in get_last_inserted_save()
  9.1.1262: heap-buffer-overflow with narrow 'pummaxwidth' value
  9.1.1261: No test for 'pummaxwidth' non-truncated items
  9.1.1260: Hang when filtering buffer with NUL bytes
  9.1.1259: some issues with comment package and tailing spaces
  9.1.1258: regexp: max \U and \%U value is limited by INT_MAX
  9.1.1257: Mixing vim_strsize() with mb_ptr2cells() in pum_redraw()
  9.1.1256: if_python: duplicate tuple data entries
  9.1.1255: missing test condition for 'pummaxwidth' setting
  9.1.1254: need more tests for the comment plugin
  9.1.1253: abort when closing window with attached quickfix data
  9.1.1252: typos in code and docs related to 'diffopt' "inline:"
  9.1.1251: if_python: build error with tuples and dynamic python
  9.1.1250: cannot set the maximum popup menu width
  9.1.1249: tests: no test that 'listchars' "eol" doesn't affect "gM"
  9.1.1248: compile error when building without FEAT_QUICKFIX
  9.1.1247: fragile setup to get (preferred) keys from key_name_entry
  9.1.1246: coverity complains about some changes in v9.1.1243
  9.1.1245: need some more tests for curly braces evaluation
  9.1.1244: part of patch v9.1.1242 was wrong
  9.1.1243: diff mode is lacking for changes within lines
  9.1.1242: Crash when evaluating variable name
  9.1.1241: wrong preprocessort indentation in term.c
  9.1.1240: Regression with ic/ac text objects and comment plugin
  9.1.1239: if_python: no tuple data type support
  9.1.1238: wrong cursor column with 'set splitkeep=screen'
  9.1.1237: Compile error with C89 compiler in term.c
  9.1.1236: tests: test_comments leaves swapfiles around
  9.1.1235: cproto files are outdated
  9.1.1234: Compile error when SIZE_MAX is not defined
  9.1.1233: Coverity warns about NULL pointer when triggering WinResized
  9.1.1232: Vim script is missing the tuple data type
  9.1.1231: filetype: SPA JSON files are not recognized
  9.1.1230: inconsistent CTRL-C behaviour for popup windows
  9.1.1229: the comment plugin can be improved
  9.1.1228: completion: current position column wrong after got a match
  9.1.1227: no tests for the comment package
  9.1.1226: "shellcmdline" completion doesn't work with input()
  9.1.1225: extra NULL check in VIM_CLEAR()
  9.1.1224: cannot :put while keeping indent
  9.1.1223: wrong translation used for encoding failures
  9.1.1222: using wrong length for last inserted string
  9.1.1221: Wrong cursor pos when leaving Insert mode just after 'autoindent'
  9.1.1220: filetype: uv.lock file not recognized
  9.1.1219: Strange error with wrong type for matchfuzzy() "camelcase"
  9.1.1218: missing out-of-memory check in filepath.c
  9.1.1217: tests: typos in test_matchfuzzy.vim
  9.1.1216: Pasting the '.' register multiple times may not work
  9.1.1215: Patch 9.1.1213 has some issues
  9.1.1214: matchfuzzy() can be improved for camel case matches
  9.1.1213: cannot :put while keeping indent
  9.1.1212: too many strlen() calls in edit.c
  9.1.1212: filetype: logrotate'd pacmanlogs are not recognized
  9.1.1211: TabClosedPre is triggered just before the tab is being freed
  9.1.1210: translation(ru): missing Russian translation for the new tutor
  9.1.1209: colorcolumn not drawn after virtual text lines
  9.1.1208: MS-Windows: not correctly restoring alternate screen on Win 10
  9.1.1207: MS-Windows: build warning in filepath.c
  9.1.1206: tests: test_filetype fails when a file is a directory
  9.1.1205: completion: preinserted text not removed when closing pum
  9.1.1204: MS-Windows: crash when passing long string to expand()
  9.1.1203: matchparen keeps cursor on case label in sh filetype
  9.1.1202: Missing TabClosedPre autocommand
  9.1.1201: 'completefuzzycollect' does not handle dictionary correctly
  9.1.1200: cmdline pum not cleared for input() completion
  9.1.1199: gvim uses hardcoded xpm icon file
  9.1.1198: [security]: potential data loss with zip.vim
  9.1.1197: process_next_cpt_value() uses wrong condition
  9.1.1196: filetype: config files for container tools are not recognized
  9.1.1195: inside try-block: fn body executed with default arg undefined
  9.1.1194: filetype: false positive help filetype detection
  9.1.1193: Unnecessary use of STRCAT() in au_event_disable()
  9.1.1192: Vim crashes with term response debug logging enabled
  9.1.1191: tests: test for patch 9.1.1186 doesn't fail without the patch
  9.1.1190: C indentation does not detect multibyte labels
  9.1.1189: if_python: build error due to incompatible pointer types
  9.1.1188: runtime(tera): tera support can be improved
  9.1.1187: matchparen plugin wrong highlights shell case statement
  9.1.1186: filetype: help files in git repos are not detected
  9.1.1185: endless loop with completefuzzycollect and no match found
  9.1.1184: Unnecessary use of vim_tolower() in vim_strnicmp_asc()
  9.1.1083: "above" virtual text breaks cursorlineopt=number
  9.1.1182: No cmdline completion for 'completefuzzycollect'
  9.1.1181: Unnecessary STRLEN() calls in insexpand.c
  9.1.1180: short-description
  9.1.1179: too many strlen() calls in misc2.c
  9.1.1178: not possible to generate completion candidates using fuzzy matching
  9.1.1177: filetype: tera files not detected
zypper
- BuildRequires:  libzypp-devel >= 17.37.0.
- Use libzypp improvements for preload and mirror handling.
- xmlout.rnc: Update repo-element (bsc#1241463)
  Add the "metalink" attribute and reflect that the "url" elements
  list may in fact be empty, if no baseurls are defined in the
  .repo files.
- man: update --allow-unsigned-rpm description.
  Explain how to achieve the same for packages provided by
  repositories.
- version 1.14.90