- xz
-
- Fix buffer overflow in lzma_index_append (bsc#1261280, CVE-2026-34743)
* CVE-2026-34743.patch
- Change SUSE-Public-Domain license to LicenseRef-SUSE-Public-Domain to
fix rpmlint errors
- python-certifi
-
- Add python36-certifi provides/obsoletes to enable SLE-12 ->
SLE-15 migration, bsc#1233012
- python-idna
-
- Add python36-idna provides/obsoletes to enable SLE-12 ->
SLE-15 migration, bsc#1233012
- python-packaging
-
- Add python36-packaging provides/obsoletes to enable SLE-12 ->
SLE-15 migration, bsc#1233012
- python-pycparser
-
- Add python36-pycparser provides/obsoletes to enable SLE-12 ->
SLE-15 migration, bsc#1233012
- python-py
-
- Add python36-py provides/obsoletes to enable SLE-12 ->
SLE-15 migration, bsc#1233012
- python-six
-
- Add python36-six provides/obsoletes to enable SLE-12 ->
SLE-15 migration, bsc#1233012
- python-urllib3
-
- fix regression in CVE-2025-66471.patch when downloading large files
(bsc#1259829)
- rsync
-
- Security update:
- bsc#1234100, CVE-2024-12084: Heap Buffer Overflow in Checksum Parsing
- bsc#1234101, CVE-2024-12085: Info Leak via uninitialized Stack contents defeats ASLR
- bsc#1234102, CVE-2024-12086: server leaks arbitrary client files
- bsc#1234103, CVE-2024-12087: server can make client write files outside of destination directory using symbolic links
- bsc#1234104, CVE-2024-12088: --safe-links bypass
- bsc#1235475, CVE-2024-12747: Race Condition in rsync Handling Symbolic Links
- bsc#1254441, CVE-2025-10158: Out of bounds array access via negative index
- bsc#1262223, CVE-2026-41035: Count of entries mismatch can lead to a use-after-free
- bsc#1264511, CVE-2026-29518: Symlink-Race TOCTOU in Daemon (use chroot = no)
- bsc#1264515, CVE-2026-43617: Authorization Bypass via Hostname Resolution
- bsc#1264512, CVE-2026-43618: Integer Overflow Information Disclosure
- bsc#1264514, CVE-2026-43619: Symlink Race Condition via Path-Based Syscalls
- bsc#1264513, CVE-2026-43620: Out-of-Bounds Array Read via recv_files()
- bsc#1265296, CVE-2026-45232: Off-by-one stack OOB write in HTTP CONNECT proxy response parsing
- With the big security update above-mentioned, we received a big amount of harderning
patches that are pre-requisitoes that we added to this version:
- rsync-hardening-0001-Fix-warning-about-conflicting-lseek-lseek64-prototyp.patch
- rsync-hardening-0002-hlink-Fix-function-pointer-cast-in-qsort.patch
- rsync-hardening-0003-bool-is-a-keyword-in-C23.patch
- rsync-hardening-0004-Fix-warning-about-missing-bomb-.-prototype.patch
- rsync-hardening-0005-CVE-2024-12084-Some-checksum-buffer-fixes.patch
(replaces: rsync-CVE-2024-12084-overflow-01.patch)
- rsync-hardening-0006-CVE-2024-12084-Another-cast-when-multiplying-integers.patch
(replaces: rsync-CVE-2024-12084-overflow-02.patch)
- rsync-hardening-0007-CVE-2024-12085-prevent-information-leak-off-the-stack.patch
(replaces: rsync-CVE-2024-12085.patch)
- rsync-hardening-0008-CVE-2024-12086-refuse-fuzzy-options-when-fuzzy-not-selected.patch
(replaces: rsync-CVE-2024-12086_01.patch)
- rsync-hardening-0009-added-secure_relative_open.patch
(replaces: rsync-CVE-2024-12086_02.patch)
- rsync-hardening-0010-receiver-use-secure_relative_open-for-basis-file.patch
(replaces: rsync-CVE-2024-12086_03.patch)
- rsync-hardening-0011-disallow-.-elements-in-relpath-for-secure_relative_o.patch
(replaces: rsync-CVE-2024-12086_04.patch)
- rsync-hardening-0012-CVE-2024-12087-Refuse-a-duplicate-dirlist.patch
(replaces: rsync-CVE-2024-12087_01.patch)
- rsync-hardening-0013-CVE-2024-12087-range-check-dir_ndx-before-use.patch
(replaces:: rsync-CVE-2024-12087_02.patch)
- rsync-hardening-0014-CVE-2024-12088-make-safe-links-stricter.patch
(replaces: rsync-CVE-2024-12088.patch)
- rsync-hardening-0015-CVE-2024-12747-fixed-symlink-race-condition-in-sender.patch
(replaces: rsync-CVE-2024-12747.patch)
- rsync-hardening-0016-syscall-fix-a-Y2038-bug-by-replacing-Int32x32To64-wi.patch
- rsync-hardening-0017-options.c-Fix-segv-if-poptGetContext-returns-NULL.patch
- rsync-hardening-0018-Using-a-correct-time-in-log-file.patch
- rsync-hardening-0019-configure.ac-check-for-xattr-support-both-in-libc-an.patch
(replaces: rsync-no-libattr.patch)
- rsync-hardening-0020-util-fixed-issue-in-clean_fname.patch
- rsync-hardening-0021-testsuite-added-clean-fname-underflow-test.patch
- rsync-hardening-0022-CVE-2025-10158-fixed-an-invalid-access-to-files-array.patch
(replaces: rsync-CVE-2025-10158.patch)
- rsync-hardening-0023-fix-uninitialized-buf1-in-get_checksum2-MD4-path.patch
- rsync-hardening-0024-reject-negative-token-values-in-compressed-stream-re.patch
- rsync-hardening-0025-acl-fixed-ACL-ID-mapping-for-non-root.patch
- rsync-hardening-0026-fix-uninitialized-mul_one-in-AVX2-checksum-and-add-S.patch
- rsync-hardening-0027-Fix-glibc-2.43-constness-warnings.patch
- rsync-hardening-0029-fix-signed-integer-overflow-in-proxy-protocol-v2-hea.patch
- rsync-hardening-0030-zero-all-new-memory-from-allocations.patch
- rsync-hardening-0031-CVE-2026-41035-xattrs-fixed-count-in-qsort.patch
- rsync-hardening-0032-call-tzset-before-chroot-to-cache-timezone-data.patch
- rsync-hardening-0033-testsuite-xattrs-ignore-SUNWattr_-in-the-Solaris-xls.patch
- rsync-hardening-0034-syscall-use-openat2-RESOLVE_BENEATH-on-Linux-for-sec.patch
- rsync-hardening-0035-syscall-also-use-O_RESOLVE_BENEATH-on-FreeBSD-and-Ma.patch
- rsync-hardening-0036-testsuite-skip-symlink-dirlink-basis-on-platforms-wi.patch
- rsync-hardening-0037-CVE-2026-29518-syscall-clientserver-am_chrooted-and-use_secure_syml.patch
- rsync-hardening-0038-CVE-2026-29518-sender-fix-read-path-TOCTOU-by-opening-from-module-r.patch
- rsync-hardening-0039-CVE-2026-43619-syscall-receiver-secure-receiver-side-do_chmod-again.patch
- rsync-hardening-0040-CVE-2026-43619-util1-secure-change_dir-against-symlink-race-chdir-e.patch
- rsync-hardening-0041-CVE-2026-43619-syscall-add-symlink-race-safe-do_-_at-wrappers-and-h.patch
- rsync-hardening-0042-CVE-2026-43619-util1-syscall-secure-copy_file-source-dest-opens-bar.patch
- rsync-hardening-0043-CVE-2026-43619-testsuite-end-to-end-regression-test-for-chdir-symli.patch
- rsync-hardening-0044-CVE-2026-43618-token-harden-compressed-token-decoding-against-integ.patch
- rsync-hardening-0045-CVE-2026-43618-testsuite-cover-refuse-options-compress-for-the-daem.patch
- rsync-hardening-0046-CVE-2026-43620-receiver-add-parent_ndx-0-guard-mirroring-797e17f.patch
- rsync-hardening-0047-CVE-2026-43617-clientserver-fix-hostname-ACL-bypass-when-using-daem.patch
- rsync-hardening-0048-CVE-2026-43618-defence-in-depth-bound-wire-supplied-counts-and-leng.patch
- rsync-hardening-0049-CVE-2026-43618-defence-in-depth-guard-cumulative-snprintf-against-l.patch
- rsync-hardening-0050-CVE-2026-43620-defence-in-depth-receiver-block-index-bounds-read_de.patch
- rsync-hardening-0052-exclude-fix-crashes-with-fortified-strlcpy.patch
(replaces: rsync-fortified-strlcpy-fix.patch)
- rsync-hardening-0053-testsuite-use-integer-sleep-in-clean-fname-underflow.patch
- rsync-hardening-0055-popt-fix-poptDupArgv-strlcpy-size-argument.patch
- rsync-hardening-0056-testsuite-fixes-for-3.2.7-backport.patch
- rsync-hardening-0057-rsync.h-lower-MAX_WIRE_DEL_STAT-to-avoid-signed-int-.patch
- rsync-hardening-0058-CVE-2026-45232-socket-reject-over-long-proxy-response-line.patch
- rsync-hardening-0059-main-reject-hyphen-prefixed-remote-shell-hostnames.patch
- rsync-hardening-0060-util1-handle-out-of-range-times-in-timestring.patch
- A few hardening patches were discarded, as the don't affect SUSE distributions:
- rsync-hardening-0028-zlib-convert-K-R-function-definitions-to-ANSI-style
(we don't bundle zlib, nothing to patch)
- rsync-hardening-0051-CI-added-workflows-from-master-for-backport-testing
(fixes CI Github Actions, not present in release tarballs)
- rsync-hardening-0054-ci-update-RSYNC_EXPECT_SKIPPED-for-3.2.7-backport-ba
(fixes CI Github Actions, not present in release tarballs)
- Rename rsync-fix-FLAG_GOT_DIR_FLIST.patch to rsync-fix-duplicate.patch to align codestreams.
- Security update (CVE-2026-41035, bsc#1262223): rsync: count of
entries mismatch can lead to a use-after-free
- Add rsync-CVE-2026-41035.patch