- curl
- Security fix: [bsc#1253757, CVE-2025-11563]
* curl: wcurl path traversal with percent-encoded slashes
* Add curl-CVE-2025-11563.patch
- tool_operate: fix return code when --retry is used but not
triggered [bsc#1249367]
* Add curl-tool_operate-fix-return-code-when-retry-is-used.patch
- Security fixes:
* [bsc#1249191, CVE-2025-9086] Out of bounds read for cookie path
* [bsc#1249348, CVE-2025-10148] Predictable WebSocket mask
* Add patches:
- curl-CVE-2025-9086.patch
- curl-CVE-2025-10148.patch
- dracut
- Update to version 059+suse.700.g40f7c5c4:
Additional fixes for PXE boot with filled-in NBFT (bsc#1238848):
* fix(74nvmf): make sure autoconnect script is run at least once
* fix(74nvmf): only set netroot if it's yet empty
- python-kiwi
- Bump version: 10.2.32 → 10.2.33
- Run grub mkconfig with os-prober disabled
Set GRUB_DISABLE_OS_PROBER=true to the caller environment
such that it gets consumed via /etc/grub.d/30_os-prober
This Fixes #2883
- Fixed typo in documentation
Invalid XML syntax, missing end tag. This Fixes #2882
- References #2474 and #2475 poweroff instead of halt on oem shutdown
- Fix rawhide integration test
The package shim-ia32 got dropped
- Add test for profiled overlays
kiwi supports overlay files per profile, but we didn't have a
proper integration test for it. This commit adds one
- Mount proc when needed
Using cp -a might lookup in proc/self/.. under certain conditions.
Make sure to mount proc for config/function that might trigger
this condition. This Fixes #2876
- Update test-image-custom-partitions test build
Fix patch files to match with new dracut module dirs
- Update dracut version compat runtime check
Update check_dracut_module_versions_compatible_to_kiwi to match
with new dracut module dirs which have changed due to recommended
dracut module ordering for out-of-tree modules.
- Fix dracut Makefile install target
module dir names have changed due to recommended dracut
module ordering for out-of-tree modules.
- Update pacman spec to dracut changed module dirs
Follow up change for the fix of the recommended dracut
module ordering for out-of-tree modules.
- Update spec file due to dracut changed module dirs
Follow up change for the fix of the recommended dracut
module ordering for out-of-tree modules.
- Follow the recommended dracut module ordering for out-of-tree modules
In dracut release v108 or later the recommended ordering
for out of tree modules is 50-59 range. The following is a section from dracut documentation:
> Not using the 50-59 range for out of tree dracut modules will likely
> lead to unintended errors in the initramfs generation process as your
> dracut module will either run too early or too late in the generation process.
> You have been warned.
- Fix agama integration test
Disable no longer existing agama-auto.service
- Fixed agama integration test
nothing provides agama-auto anymore
- Update SLFO integration test
Make sure ps tool is installed
- Fix exclude list for live image builds
When specifying a filesystem attribute for a live image build,
the rootfs gets built directly into this filesystem instead of
being a squashfs wrapped ext4 which is the default layout for
compatibility reasons. In this direct filesystem mode the
exclude list was not passed along to the filesystem creation
and causes unwanted metadata to be part of the final image.
This Fixes #2873
- Fix test-image-custom-partitions integration test
Same fix as for the Tumbleweed test now also applied
to the Leap test. Patching of the new root device
no longer applied
- Fix test-image-custom-partitions integration test
Patching of the new root device no longer applied
- Bump version: 10.2.31 → 10.2.32
- fix: resize for raid device, ensure vars like kiwi_RaidDev are loaded before setting disk variable
- Do not clobber initialize method
There was a method named initialize defined and implemented
differently in the dracut modules kiwi-lib and kiwi-repart.
kiwi-lib is expected to be shared code across all kiwi dracut
modules. However if one module redefines a method of the
same name which is used in another module and expected to
work differently there, this is evil. This commit cleans
up the name conflict and names the kiwi library init function
as lib_initialize. All dracut code that is expected to make
use of this method has been adapted too.
- Skip kiwi-repart module in install ISOs
In case the kiwi-repart module is explicitly requested in a
dracut.conf file and the image is also configured to build an
install ISO image this leads the install ISO to contain the
kiwi-repart module as well which is unwanted. This commit
explicitly omits the kiwi-repart when creating the initrd
for the install image
- Skip repart when booting install/live iso
- Update leap test-image-disk integration test
Add test for alternative volume ID in install ISO
- Bump version: 10.2.30 → 10.2.31
- Consolidate device lock into its own method
Add set_device_lock method which uses udevadm lock preferably
but also supports an flock fallback in case there is no lock
command provided via systemd/udev
- Fix bug in shell condition
The shell code test ... || warn A; warn B will always
print the warning for B despite the test result. This led
to the warning message "Settings from the kiwi description will be ignored"
to be printed always. This commit fixes it with a clean if/then
condition
- Fix documentation rendering
There was an indentation bug which caused the docs to
render wrong. This commit fixes it
- solver/repository: Handle zstd-compressed metadata files
`_create_solvables` assumes metadata files are gzip-compressed,
but modern Fedora ones are not, they are zstd-compressed.
Signed-off-by: Adam Williamson <awilliam@redhat.com>
- uri: If we fail to resolve the metalink URI, log it
It's rather useful to know *what* the URI is when something goes
wrong, after all.
Signed-off-by: Adam Williamson <awilliam@redhat.com>
- Bump version: 10.2.29 → 10.2.30
- Fix repartitioning with parted
parted does locking itself already. Wrapping it in udevadm lock results
in a deadlock, breaking boot.
- Update test-image-disk-simple integration test
Update slfo/test-image-disk-simple. Add more space for
flake testing and add a user to test flakes for non root
- Catch potential exceptions from pathlib.Path.mkdir
Creating a directory can fail, we should catch this error
instead of ending up in a stack trace
- kernel-source:kernel-default
- mm/ksm: fix flag-dropping behavior in ksm_madvise
(CVE-2025-40040 bsc#1252780).
- commit 095dc3d
- cpuset: Use new excpus for nocpu error check when enabling
root partition (bsc#1241166).
- cgroup/cpuset: Remove remote_partition_check() & make
update_cpumasks_hier() handle remote partition (bsc#1241166).
- commit d4c3a1b
- cpuset: fix failure to enable isolated partition when containing
isolcpus (bsc#1241166).
- commit 9093c25
- nbd: restrict sockets to TCP and UDP (bsc#1252774
CVE-2025-40080).
- commit 3fbbb49
- kernel-subpackage-spec: Do not doubly-sign modules (bsc#1251930).
- commit 0f034b6
- RDMA/hns: Fix wrong WQE data when QP wraps around (git-fixes)
- commit 6ea0097
- RDMA/hns: Fix the modification of max_send_sge (git-fixes)
- commit f143d8d
- RDMA/hns: Fix recv CQ and QP cache affinity (git-fixes)
- commit 61f6ae6
- RDMA/irdma: Set irdma_cq cq_num field during CQ create (git-fixes)
- commit be2c8f8
- RDMA/irdma: Fix SD index calculation (git-fixes)
- commit 0aad166
- RDMA/bnxt_re: Fix a potential memory leak in destroy_gsi_sqp (git-fixes)
- commit 0f46cf0
- Revert "e1000e: fix heap overflow in e1000_set_eeprom (CVE-2025-39898"
This reverts commit c8a67ee47d80a407b3a0277b35ca59f2d01f3488.
- commit 379dc19
- vhost: vringh: Modify the return value check (CVE-2025-40051
bsc#1252858).
- commit 0f5b967
- btrfs: fix the incorrect max_bytes value for
find_lock_delalloc_range() (git-fixes).
- commit 6669879
- Update
patches.suse/ALSA-usb-audio-Fix-NULL-pointer-deference-in-try_to_.patch
(git-fixes CVE-2025-40085 bsc#1252873).
- Update
patches.suse/ALSA-usb-audio-fix-race-condition-to-UAF-in-snd_usbm.patch
(git-fixes CVE-2025-39997 bsc#1252056).
- Update
patches.suse/ASoC-qcom-audioreach-fix-potential-null-pointer-dere.patch
(git-fixes CVE-2025-40013 bsc#1252348).
- Update patches.suse/Bluetooth-MGMT-Fix-possible-UAFs.patch
(git-fixes CVE-2025-39981 bsc#1252060).
- Update
patches.suse/Bluetooth-hci_event-Fix-UAF-in-hci_acl_create_conn_s.patch
(git-fixes CVE-2025-39982 bsc#1252083).
- Update
patches.suse/Input-uinput-zero-initialize-uinput_ff_upload_compat.patch
(git-fixes CVE-2025-40035 bsc#1252866).
- Update
patches.suse/NFSD-Define-a-proc_layoutcommit-for-the-FlexFiles-layout-type.patch
(git-fixes CVE-2025-40087 bsc#1252909).
- Update
patches.suse/PCI-endpoint-pci-epf-test-Add-NULL-check-for-DMA-cha.patch
(git-fixes CVE-2025-40032 bsc#1252841).
- Update
patches.suse/RDMA-rxe-Fix-race-in-do_task-when-draining.patch
(git-fixes CVE-2025-40061 bsc#1252849).
- Update
patches.suse/Squashfs-fix-uninit-value-in-squashfs_get_parent.patch
(git-fixes CVE-2025-40049 bsc#1252822).
- Update
patches.suse/bus-fsl-mc-Check-return-value-of-platform_get_resour.patch
(git-fixes CVE-2025-40029 bsc#1252772).
- Update
patches.suse/can-etas_es58x-populate-ndo_change_mtu-to-prevent-bu.patch
(git-fixes CVE-2025-39988 bsc#1252074).
- Update
patches.suse/can-hi311x-populate-ndo_change_mtu-to-prevent-buffer.patch
(git-fixes CVE-2025-39987 bsc#1252079).
- Update
patches.suse/can-mcba_usb-populate-ndo_change_mtu-to-prevent-buff.patch
(git-fixes CVE-2025-39985 bsc#1252082).
- Update
patches.suse/can-peak_usb-fix-shift-out-of-bounds-issue.patch
(git-fixes CVE-2025-40020 bsc#1252679).
- Update
patches.suse/can-sun4i_can-populate-ndo_change_mtu-to-prevent-buf.patch
(git-fixes CVE-2025-39986 bsc#1252078).
- Update
patches.suse/crypto-essiv-Check-ssize-for-decryption-and-in-place.patch
(git-fixes CVE-2025-40019 bsc#1252678).
- Update
patches.suse/crypto-hisilicon-qm-set-NULL-to-qm-debug.qm_diff_reg.patch
(git-fixes CVE-2025-40062 bsc#1252850).
- Update
patches.suse/drm-gma500-Fix-null-dereference-in-hdmi-teardown.patch
(git-fixes CVE-2025-40011 bsc#1252336).
- Update
patches.suse/drm-sched-Fix-potential-double-free-in-drm_sched_job.patch
(git-fixes CVE-2025-40096 bsc#1252902).
- Update
patches.suse/fbcon-fix-integer-overflow-in-fbcon_do_set_font.patch
(git-fixes CVE-2025-39967 bsc#1252033).
- Update
patches.suse/fbdev-simplefb-Fix-use-after-free-in-simplefb_detach.patch
(git-fixes CVE-2025-40037 bsc#1252819).
- Update
patches.suse/fs-proc-task_mmu-check-p-vec_buf-for-NULL.patch
(git-fixes CVE-2025-40009 bsc#1252333).
- Update
patches.suse/fs-udf-fix-OOB-read-in-lengthAllocDescs-handling.patch
(git-fixes CVE-2025-40044 bsc#1252785).
- Update
patches.suse/io_uring-fix-multishots-with-selected-buffers.patch
(git-fixes CVE-2025-40364 bsc#1241637).
- Update
patches.suse/iommu-vt-d-Disallow-dirty-tracking-if-incoherent-pag.patch
(git-fixes CVE-2025-40058 bsc#1252854).
- Update
patches.suse/ixgbe-fix-too-early-devlink_free-in-ixgbe_remove.patch
(git-fixes CVE-2025-40091 bsc#1252915).
- Update
patches.suse/ixgbevf-fix-mailbox-API-compatibility-by-negotiating.patch
(bsc#1247222 CVE-2025-40104 bsc#1252921).
- Update
patches.suse/media-b2c2-Fix-use-after-free-causing-by-irq_check_w.patch
(git-fixes CVE-2025-39996 bsc#1252065).
- Update
patches.suse/media-i2c-tc358743-Fix-use-after-free-bugs-caused-by.patch
(git-fixes CVE-2025-39995 bsc#1252064).
- Update
patches.suse/media-rc-fix-races-with-imon_disconnect.patch
(git-fixes CVE-2025-39993 bsc#1252070).
- Update
patches.suse/media-tuner-xc5000-Fix-use-after-free-in-xc5000_rele.patch
(git-fixes CVE-2025-39994 bsc#1252072).
- Update
patches.suse/media-uvcvideo-Mark-invalid-entities-with-id-UVC_INV.patch
(git-fixes CVE-2025-40016 bsc#1252346).
- Update
patches.suse/misc-fastrpc-fix-possible-map-leak-in-fastrpc_put_ar.patch
(git-fixes CVE-2025-40036 bsc#1252865).
- Update
patches.suse/msft-hv-3336-uio_hv_generic-Let-userspace-take-care-of-interrupt-.patch
(git-fixes CVE-2025-40048 bsc#1252862).
- Update
patches.suse/net-nfc-nci-Add-parameter-validation-for-packet-data.patch
(git-fixes CVE-2025-40043 bsc#1252787).
- Update
patches.suse/smb-client-fix-crypto-buffers-in-non-linear-memory.patch
(bsc#1250491 boo#1239206 CVE-2025-40052 bsc#1252851).
- Update
patches.suse/tty-n_gsm-Don-t-block-input-queue-by-waiting-MSC.patch
(git-fixes CVE-2025-40071 bsc#1252797).
- Update
patches.suse/wifi-ath11k-fix-NULL-dereference-in-ath11k_qmi_m3_lo.patch
(git-fixes CVE-2025-39991 bsc#1252075).
- Update
patches.suse/xfrm-xfrm_alloc_spi-shouldn-t-use-0-as-SPI.patch
(CVE-2025-39797 bsc#1249608 CVE-2025-39965 bsc#1251967).
- commit 0209f26
- coresight: trbe: Return NULL pointer for allocation failures
(CVE-2025-40060 bsc#1252848).
- commit f6a5f19
- Delete
patches.suse/cpuidle-menu-Avoid-discarding-useful-information.patch.
- commit 8ddc500
- regulator: bd718x7: Fix voltages scaled by resistor divider
(git-fixes).
- regmap: slimbus: fix bus_context pointer in regmap init calls
(git-fixes).
- commit 8599172
- drm/ast: Clear preserved bits from register output value
(git-fixes).
- drm/panel: kingdisplay-kd097d04: Disable EoTp (git-fixes).
- drm/panel: sitronix-st7789v: fix sync flags for t28cp45tn89
(git-fixes).
- drm/etnaviv: fix flush sequence logic (git-fixes).
- drm/nouveau: Fix race in nouveau_sched_fini() (git-fixes).
- drm/sysfb: Do not dereference NULL pointer in plane reset
(git-fixes).
- drm/msm/dpu: Require linear modifier for writeback framebuffers
(git-fixes).
- drm/msm/dpu: Fix pixel extension sub-sampling (git-fixes).
- drm/msm/a6xx: Fix GMU firmware parser (git-fixes).
- drm/amdgpu: fix SPDX header on cyan_skillfish_reg_init.c
(git-fixes).
- drm/amd/pm/powerplay/smumgr: Fix PCIeBootLinkLevel value on
Iceland (git-fixes).
- drm/amd/pm/powerplay/smumgr: Fix PCIeBootLinkLevel value on Fiji
(git-fixes).
- drm/amd/pm: fix smu table id bound check issue in
smu_cmn_update_table() (git-fixes).
- drm/radeon: Remove calls to drm_put_dev() (git-fixes).
- drm/radeon: Do not kfree() devres managed rdev (git-fixes).
- drm/mediatek: Fix device use-after-free on unbind (git-fixes).
- ASoC: fsl_sai: Fix sync error in consumer mode (git-fixes).
- ASoC: fsl_sai: fix bit order for DSD format (git-fixes).
- ASoC: Intel: avs: Disable periods-elapsed work when closing PCM
(git-fixes).
- ASoC: Intel: avs: Unprepare a stream when XRUN occurs
(git-fixes).
- ASoC: mediatek: Fix double pm_runtime_disable in remove
functions (git-fixes).
- ASoC: qdsp6: q6asm: do not sleep while atomic (git-fixes).
- ALSA: usb-audio: fix control pipe direction (git-fixes).
- crypto: aspeed - fix double free caused by devm (git-fixes).
- commit cd0d1a8
- smb: client: fix potential cfid UAF in smb2_query_info_compound
(git-fixes).
- commit ae8c7ce
- vhost: vringh: Fix copy_to_iter return value check (CVE-2025-40056 bsc#1252826)
- commit 2460f9a
- net: tun: Update napi->skb after XDP process (CVE-2025-39984 bsc#1252081)
- commit e3933a9
- btrfs: don't allow adding block device of less than 1 MB
(git-fixes).
- commit 568a3e3
- btrfs: directly free partially initialized fs_info in
btrfs_check_leaked_roots() (git-fixes).
- commit 348f92c
- btrfs: do not assert we found block group item when creating
free space tree (bsc#1252918 CVE-2025-40100).
- commit ec19be1
- btrfs: fix memory leak on duplicated memory in the qgroup
assign ioctl (git-fixes).
- commit 84fb697
- btrfs: fix clearing of BTRFS_FS_RELOC_RUNNING if relocation
already running (git-fixes).
- commit 2ab85fb
- btrfs: avoid potential out-of-bounds in btrfs_encode_fh()
(git-fixes).
- commit 754a7d0
- Bluetooth: hci_core: Fix tracking of periodic advertisement
(git-fixes).
- commit e160131
- mm/mremap: correctly account old mapping after MREMAP_DONTUNMAP
remap (git-fixes).
- commit a874d3d
- tmpfs: preserve SB_I_VERSION on remount (git-fixes).
- commit 16a0fb3
- mm: shmem: fix the shmem large folio allocation for the i915
driver (git-fixes).
- commit 3b07e73
- mm: fix finish_fault() handling for large folios (git-fixes).
- commit 1f5c347
- mm: don't skip arch_sync_kernel_mappings() in error paths
(git-fixes).
- commit aab904b
- coredump: Only sort VMAs when core_sort_vma sysctl is set
(git-fixes).
- commit 2a877a6
- net: sctp: fix KMSAN uninit-value in sctp_inq_pop (git-fixes).
- commit 3c3210d
- sctp: avoid NULL dereference when chunk data buffer is missing
(git-fixes).
- commit de09ec4
- net/sctp: fix a null dereference in sctp_disposition
sctp_sf_do_5_1D_ce() (git-fixes).
- commit 0da23a3
- inet: ping: check sock_net() in ping_get_port() and
ping_lookup() (git-fixes).
- commit acb0bb7
- sctp: Fix MAC comparison to be constant-time (git-fixes).
- commit 2363529
- ipv4: Fix NULL vs error pointer check in
inet_blackhole_dev_init() (git-fixes).
- commit 9c6ff53
- sctp: Do not wake readers in __sctp_write_space() (git-fixes).
- commit 9974f7a
- ACPI: video: Fix use-after-free in
acpi_video_switch_brightness() (git-fixes).
- ACPI: button: Call input_free_device() on failing input device
registration (git-fixes).
- fbdev: atyfb: Check if pll_ops->init_pll failed (git-fixes).
- fbdev: valkyriefb: Fix reference count leak in valkyriefb_init
(git-fixes).
- net: phy: dp83869: fix STRAP_OPMODE bitmask (git-fixes).
- net: usb: asix_devices: Check return value of
usbnet_get_endpoints (git-fixes).
- Bluetooth: rfcomm: fix modem control handling (git-fixes).
- Bluetooth: btintel_pcie: Fix event packet loss issue
(git-fixes).
- Bluetooth: ISO: Fix another instance of dst_type handling
(git-fixes).
- Revert "Bluetooth: L2CAP: convert timeouts to secs_to_jiffies()"
(git-fixes).
- Bluetooth: btmtksdio: Add pmctrl handling for BT closed state
during reset (git-fixes).
- Bluetooth: ISO: Fix BIS connection dst_type handling
(git-fixes).
- Bluetooth: hci_sync: fix race in hci_cmd_sync_dequeue_once
(git-fixes).
- usbnet: Prevents free active kevent (git-fixes).
- wifi: brcmfmac: fix crash while sending Action Frames in
standalone AP Mode (git-fixes).
- wifi: ath12k: free skb during idr cleanup callback (git-fixes).
- wifi: ath11k: Add missing platform IDs for quirk table
(git-fixes).
- wifi: ath10k: Fix memory leak on unsupported WMI command
(git-fixes).
- wifi: mac80211: reset FILS discovery and unsol probe resp
intervals (git-fixes).
- usbnet: Fix using smp_processor_id() in preemptible code
warnings (git-fixes).
- commit 02b30ff
- bpf: Explicitly check accesses to bpf_sock_addr (CVE-2025-40078
bsc#1252789).
- commit 3153aa7
- mm: swap: check for stable address space before operating on
the VMA (CVE-2025-39992 bsc#1252076).
- commit cb5a00c
- kdb: Replace deprecated strcpy() with memmove() in vkdb_printf()
(bsc#1252939).
- commit 2f5c813
- Refresh patches.suse/perf-hwmon_pmu-Fix-uninitialized-variable-warning.patch.
- commit 88b2431
- ipvs: Defer ip_vs_ftp unregister during netns cleanup
(CVE-2025-40018 bsc#1252688).
- commit 64026d5
- NFSD: Fix crash in nfsd4_read_release() (git-fixes).
- commit e00ae91
- x86/microcode/AMD: Limit Entrysign signature checking to known generations (bsc#1252725).
- commit 8983a77
- KVM: x86: Don't load/put vCPU when unloading its MMU during
teardown (git-fixes).
- commit 625c23b
- md/raid1: fix data lost for writemostly rdev (git-fixes).
- commit 9711ae3
- timers: Add missing READ_ONCE() in __run_timer_base()
(git-fixes).
- commit 01edf7f
- x86/resctrl: Fix miscount of bandwidth event when reactivating previously unavailable RMID (bsc#1252734).
- commit bcfb9ac
- x86/resctrl: Refactor resctrl_arch_rmid_read() (bsc#1252734).
- commit 47cb871
- Update patches.suse/nvme-auth-update-bi_directional-flag.patch
(git-fixes bsc#1249735).
- Update
patches.suse/nvme-tcp-send-only-permitted-commands-for-secure-con.patch
(git-fixes bsc#1249397 bsc#1249398).
- commit a032b7d
- net/smc: fix warning in smc_rx_splice() when calling get_page()
(CVE-2025-40012 bsc#1252330).
- commit 75584c2
- KVM: x86: move vm_destroy callback at end of kvm_arch_destroy_vm
(git-fixes).
- commit e564cdc
- Update patches.suse/nvme-auth-update-bi_directional-flag.patch
(git-fixes bsc#1249735).
- Update
patches.suse/nvme-tcp-send-only-permitted-commands-for-secure-con.patch
(git-fixes bsc#1249397).
- commit b5375ad
- nvme/tcp: handle tls partially sent records in write_space()
(git-fixes).
- nvme-auth: update sc_c in host response (git-fixes bsc#1249397).
- nvme-multipath: Skip nr_active increments in RETRY disposition
(git-fixes).
- nvme-pci: Add TUXEDO IBS Gen8 to Samsung sleep quirk
(git-fixes).
- commit 988d439
- i40e: add max boundary check for VF filters (CVE-2025-39968
bsc#1252047).
- i40e: fix validation of VF state in get resources
(CVE-2025-39969 bsc#1252044).
- i40e: fix idx validation in i40e_validate_queue_map
(CVE-2025-39972 bsc#1252039).
- i40e: add validation for ring_len param (CVE-2025-39973
bsc#1252035).
- igc: don't fail igc_probe() on LED setup error (CVE-2025-39956
bsc#1251809).
- ice: fix Rx page leak on multi-buffer frames (CVE-2025-39948
bsc#1251233).
- qed: Don't collect too many protection override GRC elements
(CVE-2025-39949 bsc#1251177).
- commit fd8c4e7
- drm/xe/guc_submit: fix race around pending_disable (git-fixes).
- commit 4c4892e
- drm/xe/guc: Adding steering info support for GuC register lists
(git-fixes).
- commit 3d70978
- drm/xe/guc: Prepare GuC register list and update ADS size for
error capture (stable-fixes).
- Refresh
patches.suse/drm-xe-Set-LRC-addresses-before-guc-load.patch.
- commit b0f889f
- Remove unnecessary firmware version check for gc v9_4_2
(stable-fixes).
- commit f08b376
- KVM: TDX: Fix uninitialized error code for __tdx_bringup() (git-fixes).
- commit 91d2e64
- KVM: TDX: Remove redundant __GFP_ZERO (git-fixes).
- commit d028109
- x86/tdx: Skip clearing reclaimed pages unless X86_BUG_TDX_PW_MCE is present (git-fixes).
- commit 99576da
- x86/tdx: Tidy reset_pamt functions (git-fixes).
- commit 39b4875
- x86/tdx: Eliminate duplicate code in tdx_clear_page() (git-fixes).
- commit b1d3c98
- KVM: TDX: Move TDX hardware setup from main.c to tdx.c (git-fixes).
- commit f5a7c5b
- cpufreq/amd-pstate: Avoid shadowing ret in
amd_pstate_ut_check_driver() (git-fixes).
- commit f494d60
- scsi: libfc: Prevent integer overflow in fc_fcp_recv_data()
(git-fixes).
- md: fix mssing blktrace bio split events (git-fixes).
- commit 8af9b0e
- scsi: storvsc: Prefer returning channel with the same CPU as on the I/O issuing CPU (bsc#1252267).
- hyperv: Remove the spurious null directive line (git-fixes).
- Drivers: hv: vmbus: Fix typos in vmbus_drv.c (git-fixes).
- Drivers: hv: vmbus: Fix sysfs output format for ring buffer index (git-fixes).
- Drivers: hv: vmbus: Clean up sscanf format specifier in target_cpu_store() (git-fixes).
- mshv: Handle NEED_RESCHED_LAZY before transferring to guest (git-fixes).
- x86/hyperv: Add kexec/kdump support on Azure CVMs (git-fixes).
- Drivers: hv: util: Cosmetic changes for hv_utils_transport.c (git-fixes).
- clocksource: hyper-v: Skip unnecessary checks for the root partition (git-fixes).
- hyperv: Add missing field to hv_output_map_device_interrupt (git-fixes).
- uio_hv_generic: Let userspace take care of interrupt mask (git-fixes).
- scsi: storvsc: Remove redundant ternary operators (git-fixes).
- net: mana: Reduce waiting time if HWC not responding (git-fixes).
- commit dc5fea5
- amd-pstate-ut: Reset amd-pstate driver mode after running
selftests (bsc#1249226).
- commit 62def1a
- cpufreq/amd-pstate: Fix a regression leading to EPP 0 after
hibernate (git-fixes).
- commit 60d54b4
- ACPI: platform-profile: Fix CFI violation when accessing sysfs
files (git-fixes).
- commit 6a68087
- tcp: Don't call reqsk_fastopen_remove() in tcp_conn_request()
(git-fixes).
- commit 9b6914d
- octeontx2-pf: Fix potential use after free in otx2_tc_add_flow()
(CVE-2025-39978 bsc#1252069).
- tcp: Clear tcp_sk(sk)->fastopen_rsk in tcp_disconnect()
(CVE-2025-39955 bsc#1251804).
- commit 63120f8
- wifi: rtw89: fix use-after-free in
rtw89_core_tx_kick_off_and_wait() (CVE-2025-40000 bsc#1252062).
- commit 247f800
- most: usb: hdm_probe: Fix calling put_device() before device
initialization (git-fixes).
- most: usb: Fix use-after-free in hdm_disconnect (git-fixes).
- misc: fastrpc: Fix dma_buf object leak in fastrpc_map_lookup
(git-fixes).
- serial: 8250_mtk: Enable baud clock and manage in runtime PM
(git-fixes).
- serial: 8250_dw: handle reset control deassert error
(git-fixes).
- serial: sc16is7xx: remove useless enable of enhanced features
(git-fixes).
- xhci: dbc: enable back DbC in resume if it was enabled before
suspend (git-fixes).
- xhci: dbc: fix bogus 1024 byte prefix if ttyDBC read races
with stall event (git-fixes).
- spi: airoha: fix reading/writing of flashes with more than
one plane per lun (git-fixes).
- spi: airoha: add support of dual/quad wires spi modes to
exec_op() handler (git-fixes).
- spi: airoha: return an error for continuous mode dirmap creation
cases (git-fixes).
- spi: spi-nxp-fspi: add extra delay after dll locked (git-fixes).
- net: usb: rtl8150: Fix frame padding (git-fixes).
- net: usb: lan78xx: fix use of improperly initialized dev->chipid
in lan78xx_reset (git-fixes).
- r8152: add error handling in rtl8152_driver_init (git-fixes).
- r8169: fix packet truncation after S4 resume on
RTL8168H/RTL8111H (git-fixes).
- rtc: interface: Ensure alarm irq is enabled when UIE is enabled
(stable-fixes).
- rtc: interface: Fix long-standing race when setting alarm
(stable-fixes).
- PCI: endpoint: pci-epf-test: Add NULL check for DMA channels
before release (git-fixes).
- PCI/AER: Support errors introduced by PCIe r6.0 (stable-fixes).
- phy: cadence: cdns-dphy: Update calibration wait time for
startup state machine (git-fixes).
- phy: cadence: cdns-dphy: Fix PLL lock and O_CMN_READY polling
(git-fixes).
- phy: cdns-dphy: Store hs_clk_rate and return it (stable-fixes).
- mtd: rawnand: fsmc: Default to autodetect buswidth
(stable-fixes).
- wifi: mt76: mt7921u: Add VID/PID for Netgear A7500
(stable-fixes).
- wifi: mt76: mt7925u: Add VID/PID for Netgear A9000
(stable-fixes).
- media: vivid: fix disappearing <Vendor Command With ID> messages
(git-fixes).
- media: nxp: imx8-isi: Drop unused argument to
mxc_isi_channel_chain() (stable-fixes).
- mfd: intel_soc_pmic_chtdc_ti: Set use_single_read regmap_config
flag (git-fixes).
- mmc: mmc_spi: multiple block read remove read crc ack
(stable-fixes).
- mmc: core: SPI mode remove cmd7 (stable-fixes).
- lib/crypto/curve25519-hacl64: Disable KASAN with clang-17 and
older (stable-fixes).
- PM: runtime: Add new devm functions (stable-fixes).
- mfd: intel_soc_pmic_chtdc_ti: Drop unneeded assignment for
cache_type (stable-fixes).
- mfd: intel_soc_pmic_chtdc_ti: Fix invalid regmap-config
max_register value (stable-fixes).
- net: usb: lan78xx: Add error handling to
lan78xx_init_mac_address (stable-fixes).
- PCI: endpoint: Remove surplus return statement from
pci_epf_test_clean_dma_chan() (stable-fixes).
- commit 7cc4d1c
- drm/panic: Fix qr_code, ensure vmargin is positive (git-fixes).
- firmware: arm_scmi: Fix premature SCMI_XFER_FLAG_IS_RAW clearing
in raw mode (git-fixes).
- firmware: arm_scmi: Account for failed debug initialization
(git-fixes).
- hwmon: (sht3x) Fix error handling (git-fixes).
- gpio: ljca: Fix duplicated IRQ mapping (git-fixes).
- gpio: pci-idio-16: Define maximum valid register address offset
(git-fixes).
- gpio: 104-idio-16: Define maximum valid register address offset
(git-fixes).
- HID: multitouch: fix name of Stylus input devices (git-fixes).
- HID: hid-input: only ignore 0 battery events for digitizers
(git-fixes).
- commit 07ce516
- ASoC: SOF: ipc4-pcm: Enable delay reporting for ChainDMA streams
(stable-fixes).
- Refresh
patches.suse/ASoC-SOF-ipc4-topology-Correct-the-minimum-host-DMA-.patch.
- commit fc33a6f
- drm/panic: Fix drawing the logo on a small narrow screen
(git-fixes).
- drm/panthor: Fix kernel panic on partial unmap of a GPU VA
region (git-fixes).
- drm/amd/display: use GFP_NOWAIT for allocation in interrupt
handler (git-fixes).
- can: netlink: can_changelink(): allow disabling of automatic
restart (git-fixes).
- can: rockchip-canfd: rkcanfd_start_xmit(): use
can_dev_dropped_skb() instead of can_dropped_invalid_skb()
(git-fixes).
- can: esd: acc_start_xmit(): use can_dev_dropped_skb() instead
of can_dropped_invalid_skb() (git-fixes).
- can: bxcan: bxcan_start_xmit(): use can_dev_dropped_skb()
instead of can_dropped_invalid_skb() (git-fixes).
- ASoC: nau8821: Add DMI quirk to bypass jack debounce circuit
(git-fixes).
- ASoC: nau8821: Generalize helper to clear IRQ status
(git-fixes).
- ASoC: nau8821: Cancel jdet_work before handling jack ejection
(git-fixes).
- ASoC: amd/sdw_utils: avoid NULL deref when devm_kasprintf()
fails (git-fixes).
- ASoC: codecs: Fix gain setting ranges for Renesas IDT821034
codec (git-fixes).
- ALSA: usb-audio: Fix NULL pointer deference in
try_to_register_card (git-fixes).
- ALSA: firewire: amdtp-stream: fix enum kernel-doc warnings
(git-fixes).
- drm/xe/guc: Check GuC running state before deregistering exec
queue (git-fixes).
- drm/sched: Fix potential double free in
drm_sched_job_add_resv_dependencies (git-fixes).
- accel/qaic: Synchronize access to DBC request queue head &
tail pointer (git-fixes).
- accel/qaic: Treat remaining == 0 as error in
find_and_map_user_pages() (git-fixes).
- accel/qaic: Fix bootlog initialization ordering (git-fixes).
- drm/rockchip: vop2: use correct destination rectangle height
check (git-fixes).
- drm/bridge: lt9211: Drop check for last nibble of version
register (git-fixes).
- drm/panthor: Ensure MCU is disabled on suspend (git-fixes).
- drm/amdgpu: fix gfx12 mes packet status return check
(stable-fixes).
- drm/amd/powerplay: Fix CIK shutdown temperature (git-fixes).
- drm/amdgpu: use atomic functions with memory barriers for vm
fault info (git-fixes).
- drm/amdgpu: fix handling of harvesting for ip_discovery firmware
(git-fixes).
- drm/i915/guc: Skip communication warning on reset in progress
(git-fixes).
- can: m_can: m_can_chip_config(): bring up interface in correct
state (git-fixes).
- can: m_can: m_can_handle_state_errors(): fix CAN state
transition to Error Active (git-fixes).
- can: m_can: m_can_plat_remove(): add missing
pm_runtime_disable() (git-fixes).
- can: gs_usb: gs_make_candev(): populate net_device->dev_port
(git-fixes).
- can: gs_usb: increase max interface to U8_MAX (git-fixes).
- ASoC: SOF: ipc4-pcm: fix start offset calculation for chain DMA
(git-fixes).
- ASoC: SOF: ipc4-pcm: fix delay calculation when DSP resamples
(git-fixes).
- clk: nxp: Fix pll0 rate check condition in LPC18xx CGU driver
(git-fixes).
- clk: nxp: lpc18xx-cgu: convert from round_rate() to
determine_rate() (stable-fixes).
- drm/amdgpu: add support for cyan skillfish without IP discovery
(stable-fixes).
- drm/amdgpu: add ip offset support for cyan skillfish
(stable-fixes).
- ACPI: property: Do not pass NULL handles to acpi_attach_data()
(git-fixes).
- ACPI: property: Add code comments explaining what is going on
(stable-fixes).
- ACPI: property: Disregard references in data-only subnode lists
(stable-fixes).
- ACPICA: Allow to skip Global Lock initialization (stable-fixes).
- drm/exynos: exynos7_drm_decon: properly clear channels during
bind (stable-fixes).
- drm/exynos: exynos7_drm_decon: fix uninitialized crtc reference
in functions (stable-fixes).
- commit fba5dbc
- spi: cadence-quadspi: Implement refcount to handle unbind
during busy (CVE-2025-40005 bsc#1252349).
- commit 3246504
- i40e: fix idx validation in config queues msg (CVE-2025-39971 bsc#1252052)
- commit 61648b1
- i40e: fix input validation logic for action_meta (CVE-2025-39970 bsc#1252051)
- commit 333e729
- scsi: mpt3sas: Fix crash in transport port remove by using
ioc_info() (git-fixes).
- scsi: hpsa: Fix potential memory leak in
hpsa_big_passthru_ioctl() (git-fixes).
- scsi: pm80xx: Fix pm8001_abort_task() for chip_8006 when using
an expander (git-fixes).
- scsi: pm80xx: Add helper function to get the local phy id
(git-fixes).
- scsi: pm80xx: Use dev_parent_is_expander() helper (git-fixes).
- scsi: libsas: Add dev_parent_is_expander() helper (git-fixes).
- scsi: pm80xx: Fix array-index-out-of-of-bounds on rmmod
(git-fixes).
- scsi: core: sysfs: Correct sysfs attributes access rights
(git-fixes).
- scsi: Fix sas_user_scan() to handle wildcard and multi-channel
scans (git-fixes).
- scsi: aacraid: Stop using PCI_IRQ_AFFINITY (git-fixes).
- commit 3570466
- arm64, mm: avoid always making PTE dirty in pte_mkwrite() (git-fixes)
- commit da7d611
- arm64: errata: Apply workarounds for Neoverse-V3AE (git-fixes)
- commit 986e15f
- arm64: cputype: Add Neoverse-V3AE definitions (git-fixes)
- commit 47240ca
- scsi: mpi3mr: Drop unnecessary volatile from __iomem pointers
(git-fixes).
- Refresh
patches.suse/scsi-mpi3mr-Serialize-admin-queue-BAR-writes-on-32-bit-sys.patch.
- commit 51bb9bc
- scsi: mpt3sas: Correctly handle ATA device errors (git-fixes).
- scsi: mpi3mr: Correctly handle ATA device errors (git-fixes).
- commit 38e545b
- kABI: fix for struct hrtimer_cpu_base (CVE-2025-21816 bsc#1238472)
- commit 0177587
- xfs: rename the old_crc variable in xlog_recover_process
(git-fixes).
- commit a33e036
- NFSD: Minor cleanup in layoutcommit processing (git-fixes).
- commit 0111c00
- NFSD: Rework encoding and decoding of nfsd4_deviceid
(git-fixes).
- commit 9c6f966
- nfsd: Drop dprintk in blocklayout xdr functions (git-fixes).
- commit 6cb9aff
- nfsd: Use correct error code when decoding extents (git-fixes).
- commit 080ee5e
- blk-zoned: Fix a lockdep complaint about recursive locking
(git-fixes).
- block: fix kobject double initialization in add_disk
(git-fixes).
- lib/sbitmap: convert shallow_depth from one word to the whole
sbitmap (git-fixes).
- block: avoid possible overflow for chunk_sectors check in
blk_stack_limits() (git-fixes).
- commit 213ae89
- net: fec: Fix possible NPD in fec_enet_phy_reset_after_clk_enable() (CVE-2025-39876 bsc#1250400)
- commit 3be7e1e
- proc: fix type confusion in pde_set_flags() (bsc#1248630)
- commit 12ef5f2
- proc: fix missing pde_set_flags() for net proc files (bsc#1248630)
- commit 9aac12e
- proc: use the same treatment to check proc_lseek as ones for proc_read_iter et.al (CVE-2025-38653 bsc#1248630)
- commit 038e313
- add bug reference to existing hv_netvsc change (bsc#1252265)
- commit bded92b
- fs/xattr.c: fix simple_xattr_list() (git-fixes).
- commit 0c27ee1
- net/tcp: Fix a NULL pointer dereference when using TCP-AO with
TCP_REPAIR (CVE-2025-39950 bsc#1251176).
- commit cf7da46
- x86/virt/tdx: Mark memory cache state incoherent when making SEAMCALL (jsc#PED-348).
- Delete
patches.suse/x86-virt-tdx-Mark-memory-cache-state-incoherent-when-making-seamcall.patch.
- commit 4525f45
- perf hwmon_pmu: Fix uninitialized variable warning
(perf-sle16-v6.13-userspace-update, git-fixes).
- commit ce493c8
- kbuild/modfinal: Link livepatches with module-common.o
(bsc#1218644, bsc#1252270).
- commit 6e2ca7b
- ixgbe: fix too early devlink_free() in ixgbe_remove()
(git-fixes).
- ixgbe: handle IXGBE_VF_FEATURES_NEGOTIATE mbox cmd
(bsc#1247222).
- ixgbevf: fix mailbox API compatibility by negotiating supported
features (bsc#1247222).
- ixgbe: handle IXGBE_VF_GET_PF_LINK_STATE mailbox operation
(bsc#1247222).
- ixgbevf: fix getting link speed data for E610 devices
(bsc#1247222).
- commit 350b510
- btrfs: subpage: keep TOWRITE tag until folio is cleaned
(bsc#1249495 CVE-2025-39779).
- commit 27527fb
- i40e: fix IRQ freeing in i40e_vsi_request_irq_msix error path (CVE-2025-39911 bsc#1250704)
- commit 963571a
- sched: Fix sched_numa_find_nth_cpu() if mask offline (CVE-2025-39895 bsc#1250721)
- commit 6265695
- sctp: initialize more fields in sctp_v6_from_sk() (CVE-2025-39812 bsc#1250202)
- commit faea944
- of_numa: fix uninitialized memory nodes causing kernel panic (CVE-2025-39903 bsc#1250749)
- commit 8722073
- ipv6: sr: Fix MAC comparison to be constant-time (CVE-2025-39702 bsc#1249317)
- commit 01c4905
- sctp: linearize cloned gso packets in sctp_rcv (CVE-2025-38718 bsc#1249161)
- commit dadd6c3
- scsi: qla4xxx: Prevent a potential error pointer dereference (CVE-2025-39676 bsc#1249302)
- commit 7b25b2e
- io_uring: fix incorrect io_kiocb reference in io_link_skb (CVE-2025-39963 bsc#1251819)
- commit 69302e5
- dpll: zl3073x: Handle missing or corrupted flash configuration
(bsc#1252253).
- dpll: zl3073x: Increase maximum size of flash utility
(bsc#1252253).
- dpll: zl3073x: Fix double free in zl3073x_devlink_flash_update()
(bsc#1252253).
- dpll: zl3073x: Implement devlink flash callback (bsc#1252253).
- dpll: zl3073x: Refactor DPLL initialization (bsc#1252253).
- dpll: zl3073x: Add firmware loading functionality (bsc#1252253).
- dpll: zl3073x: Add low-level flash functions (bsc#1252253).
- dpll: zl3073x: Add functions to access hardware registers
(bsc#1252253).
- net/mlx5: fs, fix UAF in flow counter release (CVE-2025-39979
bsc#1252067).
- net/mlx5e: Harden uplink netdev access against device unbind
(CVE-2025-39947 bsc#1251232).
- dpll: zl3073x: Add support to get fractional frequency offset
(bsc#1252253).
- dpll: zl3073x: Add support to get phase offset on connected
input pin (bsc#1252253).
- dpll: zl3073x: Add support to get/set esync on pins
(bsc#1252253).
- net/mlx5: fs, add API for sharing HWS action by refcount
(CVE-2025-39979 bsc#1252067).
- commit fe6aeff
- powerpc/fadump: skip parameter area allocation when fadump is
disabled (jsc#PED-9891 git-fixes).
- commit bdb01f7
- nfsd: refine and rename NFSD_MAY_LOCK (git-fixes).
- commit c7caa62
- NFSD: Replace use of NFSD_MAY_LOCK in nfsd4_lock() (git-fixes).
- commit 3a34ceb
- doc/README.SUSE: Correct the character used for TAINT_NO_SUPPORT
The character was previously 'N', but upstream used it for TAINT_TEST,
which prompted the change of TAINT_NO_SUPPORT to 'n'. This occurred in
commit c35dc3823d08 ("Update to 6.0-rc1") on master and in d016c04d731d
("Bump to 6.4 kernel (jsc#PED-4593)") for SLE15-SP6 (and onwards).
Update the documentation to reflect this change.
- commit f42ecf5
- expat
-
- Fix CVE-2025-59375 / bsc#1249584.
- Add patch file:
* CVE-2025-59375.patch
- gpgme
-
- Treat empty DISPLAY variable as unset. [bsc#1252425, bsc#1231055]
* To avoid gpgme constructing an invalid gpg command line when
the DISPLAY variable is empty it can be treated as unset.
* Add gpgme-Treat-empty-DISPLAY-variable-as-unset.patch
* Reported upstream: dev.gnupg.org/T7919
- cyrus-sasl
-
- Python3 error log upon importing pycurl (bsc#1233529)
Remove senseless log message.
* add remove-senceless-log.patch
- mdadm
-
- Split off the Software RAID HOWTO into a -doc package
- Update to version 4.4+29.gf8bb524b:
* fix race between mdcheck_start.service and mdcheck_continue.service
(bsc#1243443, bsc#1248097)
* various fixes for mdcheck (bsc#1248097)
* mdadm_env.sh: ignore MDADM_RAIDDEVICES if MDADM_SCAN is set
(bsc#1229997)
- Upstream bug fixes since 4.4 (bsc#1253060)
* mdadm: add attribute nonstring for signature
* super-ddf: Prevent crash when handling DDF metadata
* platform-intel: Disable legacy option ROM scan on UEFI machines
* mdadm: fix --grow with --add for linear
* mdadm/raid6check: add xmalloc.h to raid6check.c
* Coverity fixes resources leaks
* udev: persist properties of MD devices after switch_root
- _service: switch to tar_scm for better interoperability with SLFO.
- _service: pull from github.com/openSUSE/mdadm, patches now managed in git
* delete 0010-mdopen-add-sbin-path-to-env-PATH-when-call-system-mo.patch
* delete 1000-Revert-mdmonitor-Abandon-custom-configuration-files.patch
* delete 1001-display-timeout-status.patch
* delete 1002-OnCalendar-format-fix-of-mdcheck_start-timer.patch
* delete 1003-mdadm-treat-the-Dell-softraid-array-as-local-array.patch
* delete 1004-call-mdadm_env.sh-from-usr-libexec-mdadm.patch
* delete 1005-mdadm-enable-Intel-Alderlake-RSTe-configuration.patch
* delete 1006-imsm-Fix-RAID0-to-RAID10-migration.patch
* delete 1007-mdadm-allow-any-valid-minor-number-in-md-device-name.patch
* delete 1008-mdmonitor-use-MAILFROM-to-set-sendmail-envelope-send.patch
- New versioning scheme: add tag offset and git commit from openSUSE/mdadm repo
- Fix systemd unit file handling in spec file (boo#1207266)
* make all units known to systemd
* restart only timers and mdmonitor.service
- Stop emitting %release into program binaries [boo#1246806]
- monitor: Add MAILFROM address to email envelope to avoid smtp auth
errors (bsc#1241474)
* add 1008-mdmonitor-use-MAILFROM-to-set-sendmail-envelope-send.patch
- openssh
-
- Add openssh-cve-2025-61984-username-validation.patch
(bsc#1251198, CVE-2025-61984).
- Add openssh-cve-2025-61985-nul-url-encode.patch
(bsc#1251199, CVE-2025-61985).
- runc
-
- Update to runc v1.3.3. Upstream changelog is available from
<https://github.com/opencontainers/runc/releases/tag/v1.3.3>. bsc#1252232
* CVE-2025-31133
* CVE-2025-52565
* CVE-2025-52881
- Remove upstreamed patches for bsc#1252232:
- 2025-11-05-CVEs.patch
[ This update was only released for SLE 12 and 15. ]
- Backport patches for three CVEs. All three vulnerabilities ultimately allow
(through different methods) for full container breakouts by bypassing runc's
restrictions for writing to arbitrary /proc files. bsc#1252232
* CVE-2025-31133
* CVE-2025-52565
* CVE-2025-52881
+ 2025-11-05-CVEs.patch
- Update to runc v1.3.2. Upstream changelog is available from
<https://github.com/opencontainers/runc/releases/tag/v1.3.2> bsc#1252110
- Includes an important fix for the CPUSet translation for cgroupv2.
- Update to runc v1.3.1. Upstream changelog is available from
<https://github.com/opencontainers/runc/releases/tag/v1.3.1>
- Fix runc 1.3.x builds on SLE-12 by enabling --std=gnu11.
- Update to runc v1.3.0. Upstream changelog is available from
<https://github.com/opencontainers/runc/releases/tag/v1.3.0>
- wpa_supplicant
-
- Build wpa_gui with qt6 instead of obsolete qt5
[+ 0001-wpa_gui-Port-to-Qt6.patch]
- Update build config:
* Enable 802.11ax support