SAPHanaSR
- Version bump to 0.155.0
- The resource start and stop timeout is now configurable by
  increasing the timeout for the action 'start' and/or 'stop'.
  We will use 95% of this action timeouts to calculate the new
  resource start and stop timeout for the 'WaitforStarted' and
  'WaitforStopped' functions. If the new, calculated timeout value
  is less than '3600', it will be set to '3600', so that we do not
  decrease this timeout by accident
  (bsc#1182545)
- change promotion scoring during maintenance procedure to prevent
  that both sides have an equal promotion scoring after refresh
  which might result in a critical promotion of the secondary.
  (bsc#1174557)
- update of man page SAPHanaSR.py.7 - correct the supported HANA
  version.
  (bsc#1182201)
- if the $hdbState command fails to retrieve the current state of
  the System Replication, the resource agent now uses the
  system_replication/actual_mode attribute (if available) from the
  global.ini file as a fallback.
  This should prevent some confusing and misleading log messages
  during a takeover and solves the problem of a not working
  takeover back (after a successful first takeover)
  (bsc#1181765)
- add dedicated logging of HANA_CALL problems. So it will be now
  possible to identify, if the called hana command or the needed
  su command throws the error and for further hints we log the
  stderr output.
  Additional it is possible to get regular log messages for the
  used commands, their return code and their stderr output by
  enabling the 'debug' mode of the resource agents.
  (bsc#1182774)
audit-secondary
- Fix unhandled ECONNREFUSED with LDAP environments (bsc#1196645)
  * add libaudit-fix-unhandled-ECONNREFUSED-from-getpwnam-25.patch
augeas
- add augeas-sysctl_parsing.patch (bsc#1197443)
  * backport original patch
bash
- Add bsc1197674.patch to fix memory leak in array asignment (bsc#1197674)
bind
- When using forwarders, bogus NS records supplied by, or via, those
  forwarders may be cached and used by named if it needs to recurse
  for any reason, causing it to obtain and pass on potentially
  incorrect answers.
  [CVE-2021-25220, bsc#1197135, bind-9.11.37-0001-CVE-2021-25220.patch]
binutils
- Add binutils-revert-rela.diff to revert back to old behaviour
  of not ignoring the in-section content of to be relocated
  fields on x86-64, even though that's a RELA architecture.
  Compatibility with buggy object files generated by old tools.
  [bsc#1198422]
cifs-utils
- CVE-2022-27239: mount.cifs: fix length check for ip option
  parsing; (bsc#1197216) (bso#15025); CVE-2022-27239.
  * add 0016-CVE-2022-27239-mount.cifs-fix-length-check-for-ip-op.patch
cloud-regionsrv-client
- Update to version 10.0.3 (bsc#1198389)
  - Descend into the extension tree even if top level module is recommended
  - Cache license state for AHB support to detect type switch
  - Properly clean suse.com credentials when switching from SCC to update
    infrastructure
  - New log message to indicate base product registration success
- Update to version 10.0.2
  + Fix name of logfile in error message
  + Fix variable scoping to properly detect registration error
  + Cleanup any artifacts on registration failure
  + Fix latent bug with /etc/hosts population
  + Do not throw error when attemting to unregister a system that is not
    registered
  + Skip extension registration if the extension is recommended by the
    baseproduct as it gets automatically installed
- Update to version 10.0.1 (bsc#1197113)
  + Provide status feedback on registration, success or failure
  + Log warning message if data provider is configured but no data
    can be retrieved
- Update -addon-azure to 1.0.3 follow up fix for (bsc#1195414, bsc#1195564)
  + The repo enablement timer cannot depend on guestregister.service
cluster-glue
- Requesting cluster-glue bugfix (bsc#1197681)
  * Add upstream patch:
    0002-bugfix-for-comment-in-external-ec2.patch
- (jsc#SLE-23493) (jsc#SLE-23987) (jsc#SLE-23989)
  IMDSv2 support in ec2 stonith agent
  * add upstream patch:
    0001-Update-external-ec2-to-support-IMDSv2.patch
compat-openssl098
- Added	compat-openssl098-Fix-file-operations-in-c_rehash.patch
  * bsc#1200550
  * CVE-2022-2068
  * Fixed more shell code injection issues in c_rehash
- Fixed error in openssl-CVE-2022-1292.patch resulting in misnamed
  variable.
- Security fix: [bsc#1199166, CVE-2022-1292]
  * Added: openssl-CVE-2022-1292.patch
  * properly sanitise shell metacharacters in c_rehash script.
- Security Fix: [bsc#1196877, CVE-2022-0778]
  * Infinite loop in BN_mod_sqrt() reachable when parsing certificates
  * Add openssl-CVE-2022-0778.patch
crmsh
- Update to version 4.1.1+git.1647830282.d380378a:
  * medium: utils: update detect_cloud pattern for aws (bsc#1197351)
- Update to version 4.1.1+git.1646015979.1be4546d:
  * Fix: parse: Should still be able to show the empty property if it already exists(bsc#1188290)
dhcp
- bsc#1198657: properly handle DHCRELAY(6)_OPTIONS.
e2fsprogs
- libext2fs-add-sanity-check-to-extent-manipulation.patch: libext2fs: add
  sanity check to extent manipulation (bsc#1198446 CVE-2022-1304)
expat
  * (CVE-2022-25236, bsc#1196784) [>=2.4.5] Fix to CVE-2022-25236
    breaks biboumi, ClairMeta, jxmlease, libwbxml,
    openleadr-python, rnv, xmltodict
  - Added expat-CVE-2022-25236-relax-fix.patch
- Security fixes:
fence-agents
- (bsc#1196350) fence_gce updates pull from Clusterlabs repo
  - Apply proposed upstream patch
    0001-fence_gce-Add-timeouts-and-failure-options-458.patch
gcc11
- Update to the GCC 11.3.0 release.
  * includes SLS hardening backport on x86_64.  [bsc#1195283]
- Update to gcc-11 branch head (691af15031e00227ba6d5935c), git1635
  * includes gcc11-pr104931.patch
  * includes fix for Firefox ICE  [gcc#105256]
- Add provides/conflicts to glibc crosses since only one GCC version
  for the same target can be installed at the same time.
- Add provides/conflicts to libgccjit.
- Update to gcc-11 branch head (6a1150d1524aeda3381b21717), git1406
  * includes change to adjust gnats idea of the target, fixing
    the build of gprbuild.  [bsc#1196861]
- Add gcc11-pr104931.patch to fix miscompile of embedded premake
  in 0ad on i586.  [bsc#1197065]
- drop armv5tel, merge arm and armv6hl
- use --with-cpu rather than specifying --with-arch/--with-tune
- Add a list of Obsoletes to libstdc++6-pp-gcc11 so updates from
  packages provided by older GCC work.  Add a requires from that
  package to the corresponding libstc++6 package to keep those
  at the same version.  [bsc#1196107]
- Add gcc11-PIE, similar to gcc-PIE but affecting gcc11 [bsc#1195628]
- Put libstdc++6-pp Requires on the shared library and drop
  to Recoomends.
- Remove sys/rseq.h from include-fixed
- Update to gcc-11 branch head (d4a1d3c4b377f1d4acb), git1173
  * Fix D memory corruption in -M output.
  * Fix ICE in is_this_parameter with coroutines.  [boo#1193659]
- Enable the cross compilers also on i586
- Enable some cross compilers also in rings
- Remove cross compilers for i386 target
- Update to gcc-11 branch head (7510c23c1ec53aa4a62705f03), git1018
  * fixes issue with debug dumping together with -o /dev/null
  * fixes libgccjit issue showing up in emacs build  [boo#1192951]
- Package mwaitintrin.h
- Remove spurious exit from change_spec.
- Enable the full cross compiler, cross-aarch64-gcc11 and
  cross-riscv64-gcc11 now provide a fully hosted C (and C++)
  cross compiler, not just a freestanding one.  I.e. with a cross
  glibc.  They don't yet support the sanitizer libraries.
  Part of [jsc#OBS-124].
gcc48
- Add gcc48-bsc1142649.patch.  [bsc#1142649, CVE-2019-14250]
- Add gcc48-texi2pod-fixes.patch to fix manpage build with newer
  perl versions.  [bsc#1185395]
- Fix 32bit libgnat.so link.  [bsc#1178675]
- Add gcc48-pr63567.patch to allow initializing objects with static
  storage duration with compound literals even in C99.  [bsc#1177947]
- Add gcc48-bsc1161913.patch to fix register allocation issue with
  exception handling code on s390x.  [bsc#1161913]
glib2
- Add glib2-CVE-2021-28153.patch: fix CREATE_REPLACE_DESTINATION
  with symlinks (boo#1183533 glgo#GNOME/glib#2325 CVE-2021-28153).
- Add glib2-CVE-2021-3800.patch: Fix a flaw due to random charset
  alias, pkexec can leak content from files owned by privileged
  users to unprivileged ones under the right condition (bsc#1191489,
  glgo#GNOME/glib!1369)
grub2
- Security fixes and hardenings for boothole 3 / boothole 2022 (bsc#1198581)
  * 0001-video-Remove-trailing-whitespaces.patch
  * 0002-video-readers-jpeg-Test-for-an-invalid-next-marker-r.patch
  * 0003-video-readers-jpeg-Catch-files-with-unsupported-quan.patch
  * 0004-video-readers-jpeg-Catch-OOB-reads-writes-in-grub_jp.patch
  * 0005-video-readers-jpeg-Don-t-decode-data-before-start-of.patch
  * 0006-misc-Format-string-for-grub_error-should-be-a-litera.patch
  * 0007-loader-efi-chainloader-Simplify-the-loader-state.patch
  * 0008-commands-boot-Add-API-to-pass-context-to-loader.patch
- Fix CVE-2022-28736 (bsc#1198496)
  * 0009-loader-efi-chainloader-Use-grub_loader_set_ex.patch
  * 0010-kern-file-Do-not-leak-device_name-on-error-in-grub_f.patch
  * 0011-video-readers-png-Abort-sooner-if-a-read-operation-f.patch
  * 0012-video-readers-png-Refuse-to-handle-multiple-image-he.patch
- Fix CVE-2021-3695 (bsc#1191184)
  * 0013-video-readers-png-Drop-greyscale-support-to-fix-heap.patch
- Fix CVE-2021-3696 (bsc#1191185)
  * 0014-video-readers-png-Avoid-heap-OOB-R-W-inserting-huff-.patch
  * 0015-video-readers-png-Sanity-check-some-huffman-codes.patch
  * 0016-video-readers-jpeg-Abort-sooner-if-a-read-operation-.patch
  * 0017-video-readers-jpeg-Do-not-reallocate-a-given-huff-ta.patch
  * 0018-video-readers-jpeg-Refuse-to-handle-multiple-start-o.patch
- Fix CVE-2021-3697 (bsc#1191186)
  * 0019-video-readers-jpeg-Block-int-underflow-wild-pointer-.patch
  * 0020-normal-charset-Fix-array-out-of-bounds-formatting-un.patch
- Fix CVE-2022-28733 (bsc#1198460)
  * 0021-net-ip-Do-IP-fragment-maths-safely.patch
  * 0022-net-netbuff-Block-overly-large-netbuff-allocs.patch
  * 0023-net-dns-Fix-double-free-addresses-on-corrupt-DNS-res.patch
  * 0024-net-dns-Don-t-read-past-the-end-of-the-string-we-re-.patch
  * 0025-net-tftp-Prevent-a-UAF-and-double-free-from-a-failed.patch
  * 0026-net-tftp-Avoid-a-trivial-UAF.patch
  * 0027-net-http-Do-not-tear-down-socket-if-it-s-already-bee.patch
- Fix CVE-2022-28734 (bsc#1198493)
  * 0028-net-http-Fix-OOB-write-for-split-http-headers.patch
- Fix CVE-2022-28734 (bsc#1198493)
  * 0029-net-http-Error-out-on-headers-with-LF-without-CR.patch
  * 0030-fs-btrfs-Fix-several-fuzz-issues-with-invalid-dir-it.patch
  * 0031-fs-btrfs-Fix-more-ASAN-and-SEGV-issues-found-with-fu.patch
  * 0032-fs-btrfs-Fix-more-fuzz-issues-related-to-chunks.patch
  * 0033-Use-grub_loader_set_ex-for-secureboot-chainloader.patch
- Update SBAT security contact (boo#1193282)
- Bump grub's SBAT generation to 2
- Use boot disks in OpenFirmware, fixing regression caused by
  0001-ieee1275-implement-FCP-methods-for-WWPN-and-LUNs.patch, when
  the root LV is completely in the boot LUN (bsc#1197948)
  * 0001-ofdisk-improve-boot-time-by-lookup-boot-disk-first.patch
gzip
- Add hardening for zgrep (CVE-2022-1271, bsc#1198062)
  * bsc1198062-2.patch
- Fix escaping of malicious filenames (CVE-2022-1271 bsc#1198062)
  * bsc1198062.patch
jasper
- bsc#1184757 CVE-2021-3467: Fix NULL pointer deref in jp2_decode()
  Add jasper-CVE-2021-3467.patch
- bsc#1184798 CVE-2021-3443: Fix NULL pointer derefin jp2_decode()
  Add jasper-CVE-2021-3443.patch
- bsc#1182104 CVE-2021-26927: Fix NULL pointer deref in jp2_decode()
  bsc#1182105 CVE-2021-26926: Fix Out of bounds read in jp2_decode()
  Add jasper-CVE-2021-26926-CVE-2021-26927.patch
java-1_7_1-ibm
- Update to Java 7.1 Service Refresh 7 Fix Pack 5 [bsc#1197126]
  * https://www.ibm.com/support/pages/java-sdk-security-vulnerabilities
    [bsc#1194927, CVE-2022-21366] [bsc#1194928, CVE-2022-21365]
    [bsc#1194929, CVE-2022-21360] [bsc#1196500, CVE-2022-21349]
    [bsc#1194941, CVE-2022-21341] [bsc#1194940, CVE-2022-21340]
    [bsc#1194939, CVE-2022-21305] [bsc#1194930, CVE-2022-21277]
    [bsc#1194931, CVE-2022-21299] [bsc#1194932, CVE-2022-21296]
    [bsc#1194933, CVE-2022-21282] [bsc#1194934, CVE-2022-21294]
    [bsc#1194935, CVE-2022-21293] [bsc#1194925, CVE-2022-21291]
    [bsc#1194937, CVE-2022-21283] [bsc#1194926, CVE-2022-21248]
    [CVE-2022-21271]
kdump
- Update kdump-add-watchdog-modules.patch
  Fix return code when no watchdog sysfs entry is found (bsc#1197069)
kernel-default
- x86/bugs: Add AMD retbleed= boot parameter (bsc#1199657
  CVE-2022-29900 CVE-2022-29901).
- Update config files.
- commit fbfaf52
- x86: Add straight-line-speculation mitigation (bsc#1201050
  CVE-2021-26341).
- Update config files.
- Refresh
  patches.suse/x86-speculation-rename-retpoline_amd-to-retpoline_lfence.patch.
- commit abf0dbf
- x86: Prepare inline-asm for straight-line-speculation
  (bsc#1201050 CVE-2021-26341).
- commit 47e61d6
- x86: Prepare asm files for straight-line-speculation
  (bsc#1201050 CVE-2021-26341).
- commit 2e5dc3e
- x86/lib/atomic64_386_32: Rename things (bsc#1201050
  CVE-2021-26341).
- commit d056830
- x86/kexec: Disable RET on kexec (bsc#1199657 CVE-2022-29900
  CVE-2022-29901).
- commit c0eb89c
- CVE Mitigation for CVE-2022-29900 and CVE-2022-29901
  (bsc#1199657 CVE-2022-29900 CVE-2022-29901).
- commit 0fa8239
- x86/bugs: Do not enable IBPB-on-entry when IBPB is not supported
  (bsc#1199657 CVE-2022-29900 CVE-2022-29901).
- commit 177c8f5
- x86/cpu/amd: Enumerate BTC_NO (bsc#1199657 CVE-2022-29900
  CVE-2022-29901).
- commit 7ea97e7
- x86/common: Stamp out the stepping madness (bsc#1199657
  CVE-2022-29900 CVE-2022-29901).
- commit 7537b64
- x86/speculation: Remove x86_spec_ctrl_mask (bsc#1199657
  CVE-2022-29900 CVE-2022-29901).
- commit d33e39a
- x86/speculation: Use cached host SPEC_CTRL value for guest
  entry/exit (bsc#1199657 CVE-2022-29900 CVE-2022-29901).
- commit 7fd2a83
- x86/speculation: Fix SPEC_CTRL write on SMT state change
  (bsc#1199657 CVE-2022-29900 CVE-2022-29901).
- commit 6ba1aad
- x86/speculation: Fix firmware entry SPEC_CTRL handling
  (bsc#1199657 CVE-2022-29900 CVE-2022-29901).
- commit 196832c
- x86/cpu/amd: Add Spectral Chicken (bsc#1199657 CVE-2022-29900
  CVE-2022-29901).
- commit b4ccef5
- x86/bugs: Do IBPB fallback check only once (bsc#1199657
  CVE-2022-29900 CVE-2022-29901).
- commit 05a6c3a
- x86/bugs: Add retbleed=ibpb (bsc#1199657 CVE-2022-29900
  CVE-2022-29901).
- commit 92ac3f9
- intel_idle: Disable IBRS during long idle (bsc#1199657
  CVE-2022-29900 CVE-2022-29901).
- commit 8ddbed2
- x86/bugs: Report Intel retbleed vulnerability (bsc#1199657
  CVE-2022-29900 CVE-2022-29901).
- commit 260ab21
- x86/bugs: Split spectre_v2_select_mitigation() and
  spectre_v2_user_select_mitigation() (bsc#1199657 CVE-2022-29900
  CVE-2022-29901).
- commit cebc589
- x86/speculation: Add spectre_v2=ibrs option to support Kernel
  IBRS (bsc#1199657 CVE-2022-29900 CVE-2022-29901).
- commit 2771938
- x86/bugs: Optimize SPEC_CTRL MSR writes (bsc#1199657
  CVE-2022-29900 CVE-2022-29901).
- commit 0ac8576
- x86/entry: Add kernel IBRS implementation (bsc#1199657
  CVE-2022-29900 CVE-2022-29901).
- commit a298b6d
- x86/bugs: Keep a per-CPU IA32_SPEC_CTRL value (bsc#1199657
  CVE-2022-29900 CVE-2022-29901).
- commit 433f5c3
- x86/bugs: Enable STIBP for JMP2RET (bsc#1199657 CVE-2022-29900
  CVE-2022-29901).
- commit 45ecd7f
- x86/bugs: Report AMD retbleed vulnerability (bsc#1199657
  CVE-2022-29900 CVE-2022-29901).
- commit a12be1c
- x86: Add magic AMD return-thunk (bsc#1199657 CVE-2022-29900
  CVE-2022-29901).
- commit 87bdc70
- x86: Use return-thunk in asm code (bsc#1199657 CVE-2022-29900
  CVE-2022-29901).
- commit 837cd25
- x86/sev: Avoid using __x86_return_thunk (bsc#1199657
  CVE-2022-29900 CVE-2022-29901).
- commit 64e805b
- x86/vsyscall_emu/64: Don't use RET in vsyscall emulation
  (bsc#1199657 CVE-2022-29900 CVE-2022-29901).
- commit 65b37b5
- x86/kvm: Fix SETcc emulation for return thunks (bsc#1199657
  CVE-2022-29900 CVE-2022-29901).
- commit eeeb3f7
- x86: Undo return-thunk damage (bsc#1199657 CVE-2022-29900
  CVE-2022-29901).
- commit 29cd04a
- x86/retpoline: Use -mfunction-return (bsc#1199657 CVE-2022-29900
  CVE-2022-29901).
- commit 2d298bb
- x86/cpufeatures: Move RETPOLINE flags to word 11 (bsc#1199657
  CVE-2022-29900 CVE-2022-29901).
- commit 22cc527
- net: Rename and export copy_skb_header (bsc#1200762,
  CVE-2022-33741, XSA-403).
- commit 5e3ad99
- net: rose: fix UAF bugs caused by timer handler (CVE-2022-2318
  bsc#1201251).
- commit 6ad5c1f
- xen/netfront: force data bouncing when backend is untrusted
  (bsc#1200762, CVE-2022-33741, XSA-403).
- commit 459e62a
- xen/netfront: fix leaking data in shared pages (bsc#1200762,
  CVE-2022-33740, XSA-403).
- commit b225a00
- xen/blkfront: force data bouncing when backend is untrusted
  (bsc#1200762, CVE-2022-33742, XSA-403).
- commit 8bcc9cd
- xen/blkfront: fix leaking data in shared pages (bsc#1200762,
  CVE-2022-26365, XSA-403).
- commit f3412de
- Refresh
  patches.suse/msft-hv-2588-PCI-hv-Do-not-set-PCI_COMMAND_MEMORY-to-reduce-VM-bo.patch.
  Fix a build warning.
- commit 88f1e54
- sctp: handle kABI change in struct sctp_endpoint (CVE-2022-20154
  bsc#1200599).
- commit c46afe6
- sctp: use call_rcu to free endpoint (CVE-2022-20154 bsc#1200599).
- commit 3cb182d
- ath9k: fix use-after-free in ath9k_hif_usb_rx_cb (CVE-2022-1679
  bsc#1199487).
- commit 2c5abda
- exec: Force single empty string when argv is empty
  (bsc#1200571).
- commit 4ee3bdd
- HID: holtek: fix mouse probing (CVE-2022-20132 bsc#1200619).
- HID: add USB_HID dependancy to hid-prodikeys (CVE-2022-20132
  bsc#1200619).
- HID: add USB_HID dependancy to hid-chicony (CVE-2022-20132
  bsc#1200619).
- HID: add USB_HID dependancy on some USB HID drivers
  (CVE-2022-20132 bsc#1200619).
- HID: check for valid USB device for many HID drivers
  (CVE-2022-20132 bsc#1200619).
- HID: add hid_is_usb() function to make it simpler for USB
  detection (CVE-2022-20132 bsc#1200619).
- HID: introduce hid_is_using_ll_driver (CVE-2022-20132
  bsc#1200619).
- commit fb86cdd
- igmp: Add ip_mc_list lock in ip_check_mc_rcu (bsc#1200604
  CVE-2022-20141).
- commit 5040a6d
- certs: Add EFI_CERT_X509_GUID support for dbx entries
  (bsc#1177282 CVE-2020-26541).
- Update config files.
- commit 2e7bde8
- floppy: disable FDRAWCMD by default (bsc#1198866 CVE-2022-1836).
- Update config files.
- commit 9af4e3a
- add mainline tag for a pci-hyperv change
- commit dd0f473
- btrfs: tree-checker: fix incorrect printk format (bsc#1200249).
- commit 996513e
- NFC: netlink: fix sleep in atomic bug when firmware download
  timeout (CVE-2022-1975 bsc#1200143).
- commit a8211d8
- nfc: replace improper check device_is_registered() in netlink
  related functions (CVE-2022-1974 bsc#1200144).
- commit d539b18
- KVM: x86/speculation: Disable Fill buffer clear within guests
  (bsc#1199650 CVE-2022-21166 CVE-2022-21127 CVE-2022-21123
  CVE-2022-21125 CVE-2022-21180).
- x86/bugs: Group MDS, TAA & Processor MMIO Stale Data mitigations
  (bsc#1199650 CVE-2022-21166 CVE-2022-21127 CVE-2022-21123
  CVE-2022-21125 CVE-2022-21180).
- x86/speculation: Add a common function for MD_CLEAR mitigation
  update (bsc#1199650 CVE-2022-21166 CVE-2022-21127 CVE-2022-21123
  CVE-2022-21125 CVE-2022-21180).
- x86/speculation/mmio: Add mitigation for Processor MMIO Stale
  Data (bsc#1199650 CVE-2022-21166 CVE-2022-21127 CVE-2022-21123
  CVE-2022-21125 CVE-2022-21180).
- x86/speculation/mmio: Add sysfs reporting for Processor
  MMIO Stale Data (bsc#1199650 CVE-2022-21166 CVE-2022-21127
  CVE-2022-21123 CVE-2022-21125 CVE-2022-21180).
- x86/speculation/mmio: Enable CPU Fill buffer clearing on idle
  (bsc#1199650 CVE-2022-21166 CVE-2022-21127 CVE-2022-21123
  CVE-2022-21125 CVE-2022-21180).
- x86/speculation/mmio: Enumerate Processor MMIO Stale Data bug
  (bsc#1199650 CVE-2022-21166 CVE-2022-21127 CVE-2022-21123
  CVE-2022-21125 CVE-2022-21180).
- x86/speculation/mmio: Reuse SRBDS mitigation for SBDS
  (bsc#1199650 CVE-2022-21166 CVE-2022-21127 CVE-2022-21123
  CVE-2022-21125 CVE-2022-21180).
- x86/speculation/srbds: Update SRBDS mitigation selection
  (bsc#1199650 CVE-2022-21166 CVE-2022-21127 CVE-2022-21123
  CVE-2022-21125 CVE-2022-21180).
- Refresh
  patches.suse/powerpc-64s-flush-L1D-after-user-accesses.patch.
- Refresh
  patches.suse/powerpc-64s-flush-L1D-on-kernel-entry.patch.
- commit 96526da
- btrfs: extent-tree: kill the BUG_ON() in
  insert_inline_extent_backref() (CVE-2019-19377 bsc#1158266).
- commit 7762823
- btrfs: extent-tree: kill BUG_ON() in  __btrfs_free_extent()
  (CVE-2019-19377 bsc#1158266).
- commit fa0dbe1
- perf: Fix sys_perf_event_open() race against self
  (CVE-2022-1729, bsc#1199507).
- commit fc77f1c
- ext4: avoid cycles in directory h-tree (bsc#1198577
  CVE-2022-1184).
- commit ec51c1b
- ext4: verify dir block before splitting it (bsc#1198577
  CVE-2022-1184).
- commit 97bfb10
- debug: Lock down kgdb (bsc#1199426 CVE-2022-21499).
- debug: Lock down kgdb (bsc#1199426).
- commit 1cd17a0
- Update patch reference for ACPI fix (CVE-2017-13695 bsc#1055710)
- commit e74f546
- floppy: use a statically allocated error counter (bsc#1199063
  CVE-2022-1652).
- commit 7173277
- nfc: nfcmrvl: main: reorder destructive operations in
  nfcmrvl_nci_unregister_dev to avoid bugs (CVE-2022-1734
  bsc#1199605).
- commit d9ccce0
- btrfs: relocation: Only remove reloc rb_trees if reloc  control
  has been initialized (bsc#1199399).
- commit d95d9f9
- bpf: fix panic due to oob in bpf_prog_test_run_skb (bsc#1197219,
  CVE-2021-39711).
- commit 51bae76
- ptrace: Check PTRACE_O_SUSPEND_SECCOMP permission on
  PTRACE_SEIZE (CVE-2022-30594 bsc#1199505 bsc#1198413).
- commit 26d8e0b
- btrfs: relocation: Only remove reloc rb_trees if reloc  control
  has been initialized (bsc#1199399).
- commit adb6d28
- NFSv4: nfs_atomic_open() can race when looking up a non-regular
  file (bsc#1195612 CVE-2022-24448).
- commit dd7b1a9
- PCI: hv: Do not set PCI_COMMAND_MEMORY to reduce VM boot time (bsc#1199314).
- commit 07098d3
- Fix kernel-vanilla build issue
  Fix:
  [  315s]   CC [M]  fs/fat/namei_vfat.o
  [  315s]   CC      kernel/elfcore.o
  [  315s] ../scripts/Makefile.build:302: recipe for target 'kernel/elfcore.o' failed
  [  315s] Cannot find symbol for section 1: .text.
  [  315s] kernel/elfcore.o: failed
  [  315s] make[3]: *** [kernel/elfcore.o] Error 1
  due to toolchain updates and the patch missing in the vanilla flavor. So
  move it there.
- commit 23d6a8f
- ixgbevf: add disable link state (bsc#1196426 CVE-2021-33061).
- ixgbe: add improvement for MDD response functionality
  (bsc#1196426 CVE-2021-33061).
- ixgbe: add the ability for the PF to disable VF link state
  (bsc#1196426 CVE-2021-33061).
- commit 7ca9841
- net: mana: Remove unnecessary check of cqe_type in
  mana_process_rx_cqe() (bsc#1195651).
- net: mana: Add handling of CQE_RX_TRUNCATED (bsc#1195651).
- commit a27cea8
- net: mana: Reuse XDP dropped page (bsc#1195651).
- commit c707c23
- net: mana: Add counter for XDP_TX (bsc#1195651).
- commit 9e62047
- net: mana: Add counter for packet dropped by XDP (bsc#1195651).
- commit e3af7bf
- net: mana: Use struct_size() helper in
  mana_gd_create_dma_region() (bsc#1195651).
- commit 2c30991
- net/x25: Fix null-ptr-deref caused by x25_disconnect
  (CVE-2022-1516 bsc#1199012).
- commit 70361a9
- ovl: fix missing negative dentry check in ovl_rename()
  (CVE-2021-20321 bsc#1191647).
- commit 3e23b63
- scsi: scsi_dh_alua: Avoid crash during alua_bus_detach()
  (bsc#1028340 bsc#1198825).
- commit 5e96c61
- net-sysfs: call dev_hold if kobject_init_and_add success
  (CVE-2019-20811 bsc#1172456).
- commit 5de8a61
- Update
  patches.suse/net-usb-ax88179_178a-Fix-out-of-bounds-accesses-in-R.patch
  (bsc#1196018 CVE-2022-28748).
- commit 25ea790
- Update
  patches.suse/floppy-Do-not-copy-a-kernel-pointer-to-user-memory-i.patch
  (bsc#1051510 bsc#1084513 CVE-2018-7755).
- commit 371ca37
- drm/vgem: Close use-after-free race in vgem_gem_create (CVE-2022-1419 bsc#1198742)
- commit c2b5f0e
- isdn: cpai: check ctr->cnr to avoid array index out of bound
  (bsc#1191958 CVE-2021-43389).
- commit 6296574
- nfc: fix NULL ptr dereference in llcp_sock_getname() after
  failed connect (CVE-2021-38208 bsc#1187055).
- commit 54aed86
- powerpc/pseries: Fix use after free in remove_phb_dynamic()
  (bsc#1065729 bsc#1198660 ltc#197803).
- commit 534ea7f
- af_key: add __GFP_ZERO flag for compose_sadb_supported in
  function pfkey_register (CVE-2022-1353 bsc#1198516).
- commit ffb367f
- Update
  patches.suse/x86-pm-save-the-msr-validity-status-at-context-setup.patch
  (bsc#1198400).
- Update
  patches.suse/x86-speculation-restore-speculation-related-msrs-during-s3-resume.patch
  (bsc#1198400).
- commit b81f481
- drm/ttm/nouveau: don't call tt destroy callback on alloc failure
  (CVE-2021-20292 bsc#1183723).
- commit f1a5fa2
- x86/speculation: Restore speculation related MSRs during S3
  resume (bsc#1114648).
- commit 46f1ca5
- fuse: handle kABI change in struct fuse_req (bsc#1197343
  CVE-2022-1011).
- fuse: fix pipe buffer lifetime for direct_io (bsc#1197343
  CVE-2022-1011).
- commit e67cd7e
- x86/pm: Save the MSR validity status at context setup
  (bsc#1114648).
- commit 87c5893
- livepatch: Don't block removal of patches that are safe to
  unload (bsc#1071995).
- commit 2e90af6
- Refresh
  patches.suse/net-sched-use-Qdisc-rcu-API-instead-of-relying-on-rt.patch.
  Fix missplaced qdisc_put()
- commit 883b3be
- Update
  patches.suse/llc-fix-netdevice-reference-leaks-in-llc_ui_bind.patch
  references (add CVE-2022-28356 bsc#1197391).
- commit 658b50e
- netfilter: nf_tables: initialize registers in nft_do_chain()
  (CVE-2022-1016 bsc#1197227).
- commit 4726ea9
- llc: fix netdevice reference leaks in llc_ui_bind() (git-fixes).
- commit caaa7d4
- can: mcba_usb: mcba_usb_start_xmit(): fix double dev_kfree_skb
  in error path (CVE-2022-28389 bsc#1198033).
- can: usb_8dev: usb_8dev_start_xmit(): fix double dev_kfree_skb()
  in error path (CVE-2022-28388 bsc#1198032).
- can: ems_usb: ems_usb_start_xmit(): fix double dev_kfree_skb()
  in error path (CVE-2022-28390 bsc#1198031).
- commit 2396928
- tcp: add some entropy in __inet_hash_connect() (bsc#1180153).
- tcp: change source port randomizarion at connect() time
  (bsc#1180153).
- commit c5e24fe
- xprtrdma: fix incorrect header size calculations (CVE-2022-0812
  bsc#1196639).
- commit 19d5b1d
- linux/dim: Move implementation to .c files (bsc#1197099
  jsc#SLE-24124).
- commit 03d416d
- net: ena: Select DIMLIB for ENA_ETHERNET (bsc#1197099
  jsc#SLE-24124).
- Update config files.
- commit fbae1a9
- net: ena: Change the name of bad_csum variable (bsc#1197099
  jsc#SLE-24124).
- net: ena: Remove ena_calc_queue_size_ctx struct (bsc#1197099
  jsc#SLE-24124).
- net: ena: Move reset completion print to the reset function
  (bsc#1197099 jsc#SLE-24124).
- net: ena: Remove redundant return code check (bsc#1197099
  jsc#SLE-24124).
- net: ena: Change ENI stats support check to use capabilities
  field (bsc#1197099 jsc#SLE-24124).
- net: ena: Add capabilities field with support for ENI stats
  capability (bsc#1197099 jsc#SLE-24124).
- net: ena: Change return value of ena_calc_io_queue_size()
  to void (bsc#1197099 jsc#SLE-24124).
- net: ena: Fix error handling when calculating max IO queues
  number (bsc#1197099 jsc#SLE-24124).
- net: ena: Fix wrong rx request id by resetting device
  (bsc#1197099 jsc#SLE-24124).
- net: ena: make symbol 'ena_alloc_map_page' static (bsc#1197099
  jsc#SLE-24124).
- net: ena: re-organize code to improve readability (bsc#1197099
  jsc#SLE-24124).
- net: ena: Use dev_alloc() in RX buffer allocation (bsc#1197099
  jsc#SLE-24124).
- net: ena: Remove module param and change message severity
  (bsc#1197099 jsc#SLE-24124).
- net: ena: add jiffies of last napi call to stats (bsc#1197099
  jsc#SLE-24124).
- net: ena: Improve error logging in driver (bsc#1197099
  jsc#SLE-24124).
- net: ena: Remove unused code (bsc#1197099 jsc#SLE-24124).
- net: ena: remove extra words from comments (bsc#1197099
  jsc#SLE-24124).
- net: ena: fix inaccurate print type (bsc#1197099 jsc#SLE-24124).
- ethernet: amazon: ena: A typo fix in the file ena_com.h
  (bsc#1197099 jsc#SLE-24124).
- net: ena: aggregate stats increase into a function (bsc#1197099
  jsc#SLE-24124).
- net: ena: fix coding style nits (bsc#1197099 jsc#SLE-24124).
- net: ena: store values in their appropriate variables types
  (bsc#1197099 jsc#SLE-24124).
- net: ena: add device distinct log prefix to files (bsc#1197099
  jsc#SLE-24124).
- net: ena: use constant value for net_device allocation
  (bsc#1197099 jsc#SLE-24124).
- net: ena: fix packet's addresses for rx_offset feature
  (bsc#1197099 jsc#SLE-24124).
- net: ena: set initial DMA width to avoid intel iommu issue
  (bsc#1197099 jsc#SLE-24124).
- net: ena: handle bad request id in ena_netdev (bsc#1197099
  jsc#SLE-24124).
- net: ena: Fix all static chekers' warnings (bsc#1197099
  jsc#SLE-24124).
- net: ena: Change RSS related macros and variables names
  (bsc#1197099 jsc#SLE-24124).
- net: ena: Remove redundant print of placement policy
  (bsc#1197099 jsc#SLE-24124).
- net: ena: Capitalize all log strings and improve code
  readability (bsc#1197099 jsc#SLE-24124).
- net: ena: Change log message to netif/dev function (bsc#1197099
  jsc#SLE-24124).
- net: ena: Change license into format to SPDX in all files
  (bsc#1197099 jsc#SLE-24124).
- net: ena: ethtool: Add new device statistics (bsc#1197099
  jsc#SLE-24124).
- net: ena: ethtool: convert stat_offset to 64 bit resolution
  (bsc#1197099 jsc#SLE-24124).
- net: ena: Make missed_tx stat incremental (bsc#1197099
  jsc#SLE-24124).
- net: ena: Prevent reset after device destruction (bsc#1197099
  jsc#SLE-24124).
- net: ena: support new LLQ acceleration mode (bsc#1197099
  jsc#SLE-24124).
- net: ena: move llq configuration from ena_probe to
  ena_device_init() (bsc#1197099 jsc#SLE-24124).
- net: ena: enable support of rss hash key and function changes
  (bsc#1197099 jsc#SLE-24124).
- net: ena: add support for traffic mirroring (bsc#1197099
  jsc#SLE-24124).
- net: ena: cosmetic: change ena_com_stats_admin stats to u64
  (bsc#1197099 jsc#SLE-24124).
- net: ena: add reserved PCI device ID (bsc#1197099
  jsc#SLE-24124).
- net: ena: avoid unnecessary rearming of interrupt vector when
  busy-polling (bsc#1197099 jsc#SLE-24124).
- net: ena: Fix using plain integer as NULL pointer in
  ena_init_napi_in_range (bsc#1197099 jsc#SLE-24124).
- net: ena: reduce driver load time (bsc#1197099 jsc#SLE-24124).
- net: ena: cosmetic: minor code changes (bsc#1197099
  jsc#SLE-24124).
- net: ena: cosmetic: fix spacing issues (bsc#1197099
  jsc#SLE-24124).
- net: ena: cosmetic: code reorderings (bsc#1197099
  jsc#SLE-24124).
- net: ena: cosmetic: remove unnecessary code (bsc#1197099
  jsc#SLE-24124).
- net: ena: cosmetic: fix line break issues (bsc#1197099
  jsc#SLE-24124).
- net: ena: cosmetic: fix spelling and grammar mistakes in
  comments (bsc#1197099 jsc#SLE-24124).
- net: ena: cosmetic: set queue sizes to u32 for consistency
  (bsc#1197099 jsc#SLE-24124).
- net: ena: cosmetic: rename
  ena_update_tx/rx_rings_intr_moderation() (bsc#1197099
  jsc#SLE-24124).
- net: ena: simplify ena_com_update_intr_delay_resolution()
  (bsc#1197099 jsc#SLE-24124).
- net: ena: fix ena_com_comp_status_to_errno() return value
  (bsc#1197099 jsc#SLE-24124).
- net: ena: use explicit variable size for clarity (bsc#1197099
  jsc#SLE-24124).
- net: ena: rename ena_com_free_desc to make API more uniform
  (bsc#1197099 jsc#SLE-24124).
- net: ena: add support for the rx offset feature (bsc#1197099
  jsc#SLE-24124).
- net: ena: cosmetic: extract code to ena_indirection_table_set()
  (bsc#1197099 jsc#SLE-24124).
- net: ena: cosmetic: remove unnecessary spaces and tabs in
  ena_com.h macros (bsc#1197099 jsc#SLE-24124).
- net: ena: use SHUTDOWN as reset reason when closing interface
  (bsc#1197099 jsc#SLE-24124).
- net: ena: drop superfluous prototype (bsc#1197099
  jsc#SLE-24124).
- net: ena: add support for reporting of packet drops (bsc#1197099
  jsc#SLE-24124).
- net: ena: add unmask interrupts statistics to ethtool
  (bsc#1197099 jsc#SLE-24124).
- net: ena: remove code that does nothing (bsc#1197099
  jsc#SLE-24124).
- net: ena: changes to RSS hash key allocation (bsc#1197099
  jsc#SLE-24124).
- net: ena: change default RSS hash function to Toeplitz
  (bsc#1197099 jsc#SLE-24124).
- net: ena: allow setting the hash function without changing
  the key (bsc#1197099 jsc#SLE-24124).
- net: ena: fix error returning in ena_com_get_hash_function()
  (bsc#1197099 jsc#SLE-24124).
- net: ena: avoid unnecessary admin command when RSS function
  set fails (bsc#1197099 jsc#SLE-24124).
- net/ena: Fix build warning in ena_xdp_set() (bsc#1197099
  jsc#SLE-24124).
- net: ena: ethtool: clean up minor indentation issue (bsc#1197099
  jsc#SLE-24124).
- net: ena: ethtool: remove redundant non-zero check on rc
  (bsc#1197099 jsc#SLE-24124).
- net: ena: remove set but not used variable 'hash_key'
  (bsc#1197099 jsc#SLE-24124).
- net: ena: fix continuous keep-alive resets (bsc#1197099
  jsc#SLE-24124).
- net: ena: avoid memory access violation by validating req_id
  properly (bsc#1197099 jsc#SLE-24124).
- net: ena: fix request of incorrect number of IRQ vectors
  (bsc#1197099 jsc#SLE-24124).
- net: ena: fix incorrect setting of the number of msix vectors
  (bsc#1197099 jsc#SLE-24124).
- net: ena: ena-com.c: prevent NULL pointer dereference
  (bsc#1197099 jsc#SLE-24124).
- net: ena: ethtool: use correct value for crc32 hash (bsc#1197099
  jsc#SLE-24124).
- net: ena: make ena rxfh support ETH_RSS_HASH_NO_CHANGE
  (bsc#1197099 jsc#SLE-24124).
- net: ena: fix corruption of dev_idx_to_host_tbl (bsc#1197099
  jsc#SLE-24124).
- net: ena: fix incorrectly saving queue numbers when setting
  RSS indirection table (bsc#1197099 jsc#SLE-24124).
- net: ena: rss: store hash function as values and not bits
  (bsc#1197099 jsc#SLE-24124).
- net: ena: rss: fix failure to get indirection table (bsc#1197099
  jsc#SLE-24124).
- net: ena: rss: do not allocate key when not supported
  (bsc#1197099 jsc#SLE-24124).
- net: ena: fix incorrect default RSS key (bsc#1197099
  jsc#SLE-24124).
- net: ena: add missing ethtool TX timestamping indication
  (bsc#1197099 jsc#SLE-24124).
- net: ena: fix uses of round_jiffies() (bsc#1197099
  jsc#SLE-24124).
- net: ena: fix potential crash when rxfh key is NULL (bsc#1197099
  jsc#SLE-24124).
- net: ena: Add first_interrupt field to napi struct (bsc#1197099
  jsc#SLE-24124).
- net: ena: fix issues in setting interrupt moderation params
  in ethtool (bsc#1197099 jsc#SLE-24124).
- net: ena: fix default tx interrupt moderation interval
  (bsc#1197099 jsc#SLE-24124).
- net: ena: ethtool: support set_channels callback (bsc#1197099
  jsc#SLE-24124).
- net: ena: remove redundant print of number of queues
  (bsc#1197099 jsc#SLE-24124).
- net: ena: make ethtool -l show correct max number of queues
  (bsc#1197099 jsc#SLE-24124).
- net: ena: ethtool: get_channels: use combined only (bsc#1197099
  jsc#SLE-24124).
- net: ena: multiple queue creation related cleanups (bsc#1197099
  jsc#SLE-24124).
- net: ena: change num_queues to num_io_queues for clarity and
  consistency (bsc#1197099 jsc#SLE-24124).
- net: update net_dim documentation after rename (bsc#1197099
  jsc#SLE-24124).
- net: ena: clean up indentation issue (bsc#1197099
  jsc#SLE-24124).
- lib: dimlib: fix help text typos (bsc#1197099 jsc#SLE-24124).
- dimlib: make DIMLIB a hidden symbol (bsc#1197099 jsc#SLE-24124).
- net: ena: don't wake up tx queue when down (bsc#1197099
  jsc#SLE-24124).
- net: ena: fix incorrect update of intr_delay_resolution
  (bsc#1197099 jsc#SLE-24124).
- net: ena: fix retrieval of nonadaptive interrupt moderation
  intervals (bsc#1197099 jsc#SLE-24124).
- net: ena: fix update of interrupt moderation register
  (bsc#1197099 jsc#SLE-24124).
- net: ena: remove all old adaptive rx interrupt moderation code
  from ena_com (bsc#1197099 jsc#SLE-24124).
- net: ena: remove ena_restore_ethtool_params() and relevant
  fields (bsc#1197099 jsc#SLE-24124).
- net: ena: remove old adaptive interrupt moderation code from
  ena_netdev (bsc#1197099 jsc#SLE-24124).
- net: ena: remove code duplication
  in ena_com_update_nonadaptive_moderation_interval _*()
  (bsc#1197099 jsc#SLE-24124).
- net: ena: enable the interrupt_moderation in
  driver_supported_features (bsc#1197099 jsc#SLE-24124).
- net: ena: reimplement set/get_coalesce() (bsc#1197099
  jsc#SLE-24124).
- net: ena: switch to dim algorithm for rx adaptive interrupt
  moderation (bsc#1197099 jsc#SLE-24124).
- net: ena: add intr_moder_rx_interval to struct ena_com_dev
  and use it (bsc#1197099 jsc#SLE-24124).
- lib/dim: Fix -Wunused-const-variable warnings (bsc#1197099
  jsc#SLE-24124).
- linux/dim: Fix overflow in dim calculation (bsc#1197099
  jsc#SLE-24124).
- linux/dim: Implement RDMA adaptive moderation (DIM) (bsc#1197099
  jsc#SLE-24124).
- linux/dim: Add completions count to dim_sample (bsc#1197099
  jsc#SLE-24124).
- linux/dim: Rename externally used net_dim members (bsc#1197099
  jsc#SLE-24124).
- linux/dim: Rename net_dim_sample() to net_dim_update_sample()
  (bsc#1197099 jsc#SLE-24124).
- linux/dim: Rename externally exposed macros (bsc#1197099
  jsc#SLE-24124).
- linux/dim: Remove "/net"/ prefix from internal DIM members
  (bsc#1197099 jsc#SLE-24124).
- linux/dim: Move logic to dim.h (bsc#1197099 jsc#SLE-24124).
- Documentation/networking: Add net DIM documentation (bsc#1197099
  jsc#SLE-24124).
- MAINTAINERS: add entry for Dynamic Interrupt Moderation
  (bsc#1197099 jsc#SLE-24124).
- commit 051ce5b
- ALSA: pcm: Fix potential AB/BA lock with buffer_mutex and
  mmap_lock (CVE-2022-1048 bsc#1197331).
- Refresh
  patches.kabi/ALSA-kABI-workaround-for-snd_pcm_runtime-changes.patch.
- commit 62bc950
- series sort
- commit 6f57f5d
- ext4: fix kernel infoleak via ext4_extent_header (bsc#1189562
  bsc#1196761 CVE-2022-0850).
- commit 91866e7
- Update patches.suse/sr9700-sanity-check-for-packet-length.patch
  (bsc#1196836 CVE-2022-26966).
  fixed typo in References
- commit e04f4f1
- x86/tsc: Make calibration refinement more robust (bsc#1196573).
- commit cbea5b9
- esp: Fix possible buffer overflow in ESP transformation
  (bsc#1197131 CVE-2022-0886).
- commit d9e58bc
- Refresh patches.suse/xfrm-fix-mtu-regression.patch.
- commit 0ee241b
- quota: check block number when reading the block in quota  file
  (bsc#1197366 CVE-2021-45868).
- commit b7d9616
- ALSA: kABI workaround for snd_pcm_runtime changes (CVE-2022-1048
  bsc#1197331).
- Refresh patches.kabi/ALSA-pcm-oss-rw_ref-kabi-fix.patch.
- commit f284bec
- Fixing a series_sort.py issue for a patch
  The patch: blk-mq-move-_blk_mq_update_nr_hw_queues-synchronize_rcu-call
  was placed at the end of the sorted section by series_insert.py at
  one time, but now series_sort.py is complaining. So move this patch
  to later in series.conf, outside of the sorted section, making
  series_sort.py happy.
- commit a65cae5
- ALSA: pcm: Fix races among concurrent prealloc proc writes
  (CVE-2022-1048 bsc#1197331).
- ALSA: pcm: Fix races among concurrent prepare and
  hw_params/hw_free calls (CVE-2022-1048 bsc#1197331).
- ALSA: pcm: Fix races among concurrent read/write and buffer
  changes (CVE-2022-1048 bsc#1197331).
- ALSA: pcm: Fix races among concurrent hw_params and hw_free
  calls (CVE-2022-1048 bsc#1197331).
- commit 0f72275
- macros.kernel-source: Fix conditional expansion.
  Fixes: bb95fef3cf19 ("/rpm: Use bash for %() expansion (jsc#SLE-18234)."/)
- commit 7e857f7
- rpm: Use bash for %() expansion (jsc#SLE-18234).
  Since 15.4 alternatives for /bin/sh are provided by packages
  <something>-sh. While the interpreter for the build script can be
  selected the interpreter for %() cannot.
  The kernel spec files use bashisms in %().
  While this could technically be fixed there is more serious underlying
  problem: neither bash nor any of the alternatives are 100% POSIX
  compliant nor bug-free.
  It is not my intent to maintain bug compatibility with any number of
  shells for shell scripts embedded in the kernel spec file. The spec file
  syntax is not documented so embedding the shell script in it causes some
  unspecified transformation to be applied to it. That means that
  ultimately any changes must be tested by building the kernel, n times if
  n shells are supported.
  To reduce maintenance effort require that bash is used for kernel build
  always.
- commit bb95fef
- net: usb: ax88179_178a: Fix out-of-bounds accesses in RX fixup
  (bsc#1196018).
- commit 95d7e2c
- net: usb: ax88179_178a: fix packet alignment padding
  (bsc#1196018).
- commit 065384f
- ax88179_178a: Merge memcpy + le32_to_cpus to get_unaligned_le32
  (bsc#1196018).
- commit f59903f
- Update patches.suse/sr9700-sanity-check-for-packet-length.patch
  (bac#1196836 CVE-2022-26966).
  added CVE number
- commit 7e940d6
- rpm: Run external scriptlets on uninstall only when available
  (bsc#1196514 bsc#1196114 bsc#1196942).
  When dependency cycles are encountered package dependencies may not be
  fulfilled during zypper transaction at the time scriptlets are run.
  This is a problem for kernel scriptlets provided by suse-module-tools
  when migrating to a SLE release that provides these scriptlets only as
  part of LTSS. The suse-module-tools that provides kernel scriptlets may
  be removed early causing migration to fail.
- commit ab8dd2d
- rpm: SC2006: Use $(...) notation instead of legacy backticked `...`.
- commit f0d0e90
- rpm/kernel-source.spec.in: call fdupes per subpackage
  It is a waste of time to do a global fdupes when we have
  subpackages.
- commit 1da8439
- net: sched: use Qdisc rcu API instead of relying on rtnl lock
  (bsc#1196973 CVE-2021-39713).
- net: sched: add helper function to take reference to Qdisc
  (bsc#1196973 CVE-2021-39713).
- net: sched: extend Qdisc with rcu (bsc#1196973 CVE-2021-39713).
- net: sched: rename qdisc_destroy() to qdisc_put() (bsc#1196973
  CVE-2021-39713).
- net: core: netlink: add helper refcount dec and lock function
  (bsc#1196973 CVE-2021-39713).
- commit a22ecb0
- xen/netfront: react properly to failing
  gnttab_end_foreign_access_ref() (bsc#1196488, XSA-396,
  CVE-2022-23042).
- commit 2b38f30
- xen/gnttab: fix gnttab_end_foreign_access() without page
  specified (bsc#1196488, XSA-396, CVE-2022-23041).
- commit 7149843
- xen/9p: use alloc/free_pages_exact() (bsc#1196488, XSA-396,
  CVE-2022-23041).
- commit a920e1c
- xen/usb: don't use gnttab_end_foreign_access() in
  xenhcd_gnttab_done() (bsc#1196488, XSA-396).
- commit e8ca175
- xen/gntalloc: don't use gnttab_query_foreign_access()
  (bsc#1196488, XSA-396, CVE-2022-23039).
- commit 02e08de
- xen/scsifront: don't use gnttab_query_foreign_access() for
  mapped status (bsc#1196488, XSA-396, CVE-2022-23038).
- commit 78fd62a
- xen/netfront: don't use gnttab_query_foreign_access() for
  mapped status (bsc#1196488, XSA-396, CVE-2022-23037).
- commit 335a138
- xen/blkfront: don't use gnttab_query_foreign_access() for
  mapped status (bsc#1196488, XSA-396, CVE-2022-23036).
- commit 69cc608
- xen/grant-table: add gnttab_try_end_foreign_access()
  (bsc#1196488, XSA-396, CVE-2022-23036, CVE-2022-23038).
- commit d8d4a06
- xen/xenbus: don't let xenbus_grant_ring() remove grants in
  error case (bsc#1196488, XSA-396, CVE-2022-23040).
- commit 9eb0e70
- genirq: Use rcu in kstat_irqs_usr() (bsc#1193738).
- commit b6e9db8
- rpm/arch-symbols,guards,*driver: Replace Novell with SUSE.
- commit 174a64f
- usb: host: xen-hcd: add missing unlock in error path
  (git-fixes).
- commit af60176
- Refresh
  patches.suse/0002-usb-Introduce-Xen-pvUSB-frontend-xen-hcd.patch.
- commit ee8e3fd
- Refresh
  patches.suse/0001-usb-Add-Xen-pvUSB-protocol-description.patch.
- commit 29bb7f5
- rpm/kernel-docs.spec.in: use %%license for license declarations
  Limited to SLE15+ to avoid compatibility nightmares.
- commit 73d560e
- rpm/*.spec.in: Use https:// urls
- commit 77b5f8e
- sr9700: sanity check for packet length (bsc#1196836).
- commit 7ac3395
- nfc: st21nfca: Fix potential buffer overflows in EVT_TRANSACTION
  (CVE-2022-26490 bsc#1196830).
- commit 47ae8c5
- Update patch reference for iov security fix (CVE-2022-0847 bsc#1196584)
- commit 43f0d0b
- net/mlx5e: Fix page DMA map/unmap attributes (bsc#1196468).
- commit 4fdd4d6
- kernel-binary.spec: Also exclude the kernel signing key from devel package.
  There is a check in OBS that fails when it is included. Also the key is
  not reproducible.
  Fixes: bb988d4625a3 ("/kernel-binary: Do not include sourcedir in certificate path."/)
- commit 68fa069
- rpm/check-for-config-changes: Ignore PAHOLE_VERSION.
- commit 88ba5ec
- lib/iov_iter: initialize "/flags"/ in new pipe_buffer
  (bsc#1196584).
- commit 589ad87
- x86/speculation: Use generic retpoline by default on AMD
  (bsc#1191580 CVE-2022-0001 CVE-2022-0002).
- commit 48c6ffe
- x86/speculation: Include unprivileged eBPF status in Spectre v2
  mitigation reporting (bsc#1191580 CVE-2022-0001 CVE-2022-0002).
- Refresh
  patches.suse/x86-speculation-add-special-register-buffer-data-sampling-srbds-mitigation.patch.
- commit 433d042
- x86/speculation: Add eIBRS + Retpoline options (bsc#1191580
  CVE-2022-0001 CVE-2022-0002).
- Refresh
  patches.suse/0001-x86-speculation-Add-basic-IBRS-support-infrastructur.patch.
- Refresh patches.suse/IBRS-forbid-shooting-in-foot.patch.
- commit 1e409f9
- crypto: af_alg - get_page upon reassignment to TX SGL
  (bsc#1195840).
- commit f9977fb
- hv_netvsc: move VF to same namespace as netvsc device
  (bsc#1107207).
- Refresh
  patches.suse/hv_netvsc-ignore-devices-that-are-not-PCI.patch.
- commit 4149931
- hv_netvsc: fix network namespace issues with VF support
  (bsc#1107207).
- Refresh
  patches.suse/msft-hv-1755-hv_netvsc-fix-schedule-in-RCU-context.patch.
- commit 0206296
- x86/speculation: Rename RETPOLINE_AMD to RETPOLINE_LFENCE
  (bsc#1191580 CVE-2022-0001 CVE-2022-0002).
- Refresh
  patches.suse/0001-x86-speculation-Add-basic-IBRS-support-infrastructur.patch.
- commit 7560138
- Refresh
  patches.suse/0001-x86-speculation-Add-basic-IBRS-support-infrastructur.patch.
- Delete patches.suse/do-not-default-to-ibrs-on-skl.patch.
  Remove a statement which cancels itself out with the following patch
  which removes it anyway.
- commit d8913d1
- x86,bugs: Unconditionally allow spectre_v2=retpoline,amd
  (bsc#1191580 CVE-2022-0001 CVE-2022-0002).
- commit ffe3214
- udf: Restore i_lenAlloc when inode expansion fails (bsc#1196079
  CVE-2022-0617).
- commit 2533a5b
- udf: Fix NULL ptr deref when converting from inline format
  (bsc#1196079 CVE-2022-0617).
- commit 87d491f
- x86/speculation: Merge one test in
  spectre_v2_user_select_mitigation() (bsc#1191580 CVE-2022-0001
  CVE-2022-0002).
- commit 2dadfe9
- cpu/SMT: create and export cpu_smt_possible() (bsc#1191580
  CVE-2022-0001 CVE-2022-0002).
- commit 0a4181d
- Update patch reference for vfs fix (CVE-2022-0644 bsc#1196155)
- commit 4656612
- NFSv4.x: by default serialize open/close operations (bsc#1114893 bsc#1195934).
  Make this work-around for a server bug optional.
- commit 6204513
- f2fs: fix to do sanity check on inode type during garbage
  collection (CVE-2021-44879 bsc#1195987).
- commit e8b60dc
- Update
  patches.suse/0001-PCI-hv-Use-expected-affinity-when-unmasking-IRQ.patch
  (bsc#1185973, bsc#1195536).
- commit 82f717d
- tipc: improve size validations for received domain records
  (bsc#1195254, CVE-2022-0435).
- commit daaae48
- yam: fix a memory leak in yam_siocdevprivate() (CVE-2022-24959
  bsc#1195897).
- commit 2b51111
- Update patches.suse/0001-mmc-moxart_remove-Fix-UAF.patch
  (bsc#1194516 CVE-2022-0487).
- commit b3ff0d9
- kernel-binary: Do not include sourcedir in certificate path.
  The certs macro runs before build directory is set up so it creates the
  aggregate of supplied certificates in the source directory.
  Using this file directly as the certificate in kernel config works but
  embeds the source directory path in the kernel config.
  To avoid this symlink the certificate to the build directory and use
  relative path to refer to it.
  Also fabricate a certificate in the same location in build directory
  when none is provided.
- commit bb988d4
- constraints: Also adjust disk requirement for x86 and s390.
- commit 9719db0
- constraints: Increase disk space for aarch64
- commit 09c2882
- cgroup-v1: Require capabilities to set release_agent
  (bsc#1195543 CVE-2022-0492).
- commit 25a96a7
- NFSv4: Handle case where the lookup of a directory fails
  (bsc#1195612 CVE-2022-24448).
- commit fe40712
- kernel-obs-build: include 9p (boo#1195353)
  To be able to share files between host and the qemu vm of the build
  script, the 9p and 9p_virtio kernel modules need to be included in
  the initrd of kernel-obs-build.
- commit 0cfe67a
- kernel-binary.spec.in: Move 20-kernel-default-extra.conf to the correctr
  directory (bsc#1195051).
- commit c80b5de
- kernel-binary.spec: Do not use the default certificate path (bsc#1194943).
  Using the the default path is broken since Linux 5.17
- commit 68b36f0
- fix rpm build warning
  tumbleweed rpm is adding these warnings to the log:
  It's not recommended to have unversioned Obsoletes: Obsoletes:      microcode_ctl
- commit 3ba8941
- build initrd without systemd
  This reduces the size of the initrd by over 25%, which
  improves startup time of the virtual machine by 0.5-0.6s on
  very fast machines, more on slower ones.
- commit ef4c569
- kernel-obs-build: remove duplicated/unused parameters
  lbs=0 - this parameters is just giving "/unused parameter"/ and it looks
  like I can not find any version that implemented this.
  rd.driver.pre=binfmt_misc is not needed when setup_obs is used, it
  alread loads the kernel module.
  quiet and panic=1 will now be also always added by OBS, so we don't have
  to set it here anymore.
- commit 972c692
- Revert "/- rpm/*build: use buildroot macro instead of env variable"/
  buildroot macro is not being expanded inside a shell script. go
  back to the environment variable usage. This reverts parts of
  commit e2f60269b9330d7225b2547e057ef0859ccec155.
- commit fe85f96
- kernel-obs-build: include the preferred kernel parameters
  Currently the Open Build Service hardcodes the kernel boot parameters
  globally. Recently functionality was added to control the parameters
  by the kernel-obs-build package, so make use of that. parameters here
  will overwrite what is used by OBS otherwise.
- commit a631240
- kernel-obs-build: inform build service about virtio-serial
  Inform the build worker code that this kernel supports virtio-serial,
  which improves performance and relability of logging.
- commit 301a3a7
- rpm/*.spec.in: use buildroot macro instead of env variable
  The RPM_BUILD_ROOT variable is considered deprecated over
  a buildroot macro. future proof the spec files.
- commit e2f6026
- rpm/kernel-obs-build.spec.in: move to zstd for the initrd
  Newer distros have capability to decompress zstd, which
  provides a 2-5% better compression ratio at very similar
  cpu overhead. Plus this tests the zstd codepaths now as well.
- commit 3d53a5b
- pNFS/flexfiles: fix incorrect size check in decode_nfs_fh()
  (git-fixes CVE-2021-4157 bnc#1194013).
- commit 957ab2c
- powerpc/pseries: extract host bridge from pci_bus prior to
  bus removal (bsc#1182171 ltc#190900 bsc#1198660 ltc#197803).
- commit b12aafe
libfastjson
- update to 0.99.8:
  * make build under gcc7 with strict settings (warning==error)
  * bugfix: constant key names not properly handled
  * fix potentially invalid return value of fjson_object_iter_begin
  * fix small potential memory leak in json_tokener
- update to 0.99.7:
  * add option for case-insensitive comparisons
  * Remove userdata and custom-serialization functions
- update to 0.99.6:
  * fixes for platforms other than GNU/Linux
- update to 0.99.5:
  * fix floating point representation when fractional part is missing
  * m4: fix detection of atomics
  * add fjson_object_dump() and fjson_object_write() functions
libsolv
- fix memory leaks in SWIG generated code
- fix misparsing of '&' in attributes with libxml2
- try to keep packages from a cycle close togther in the
  transaction order [bsc#1189622]
- fix split provides not working if the update includes a
  forbidden vendor change [bsc#1195485]
- fix segfault on conflict resolution when using bindings
- do not replace noarch problem rules with arch dependent ones
  in problem reporting
- fix and simplify pool_vendor2mask implementation
- bump version to 0.6.39
libtirpc
- fix memory leak in params.r_addr assignement (bsc#1198752)
  - add 0001-fix-parms.r_addr-memory-leak.patch
- fix memory leak in client protocol version 2 code (bsc#1193805)
  - update: 0001-rpcb_clnt.c-config-to-try-protocolversion-2-first.patch
libxml2
- Security fix: [bsc#1069689, CVE-2017-16932]
  * parser.c in libxml2 before 2.9.5 does not prevent infinite
    recursion inparameter entities.
  * Add libxml2-CVE-2017-16932.patch
- Sync and fix changelog entries between libxml2 and
  python-libxml2.
- Security fix: [bsc#1199132, CVE-2022-29824]
  * Integer overflow leading to out-of-bounds write in buf.c
    (xmlBuf*) and tree.c (xmlBuffer*)
  * Add libxml2-CVE-2022-29824.patch
- Security fix: [bsc#1196490, CVE-2022-23308]
  * Use-after-free of ID and IDREF attributes.
  * Add libxml2-CVE-2022-23308.patch
  * Add libxml2-CVE-2021-3541.patch
- Version update to 2.9.7 release:
  * Bug Fixes:
    + xmlcatalog: restore ability to query system catalog easily
    + Fix comparison of nodesets to strings
  * Improvements:
    + Add Makefile rules to rebuild HTML man pages
    + Remove generated file python/setup.py from version control
    + Fix mixed decls and code in timsort.h
    + Rework handling of return values in thread tests
    + Fix unused variable warnings in testrecurse
    + Fix -Wimplicit-fallthrough warnings
    + Upgrade timsort.h to latest revision
    + Fix a couple of warnings in dict.c and threads.c
    + Fix unused variable warnings in nanohttp.c
    + Don't include winsock2.h in xmllint.c
    + Use __linux__ macro in generated code
  * Portability:
    + Add declaration for DllMain
    + Fix preprocessor conditional in threads.h
    + Fix macro redefinition warning
    + many Windows specific improvements
  * Documentation:
    + xmlcatalog: refresh man page wrt. quering system catalog easily
- Includes bug fixes from 2.9.6:
  * Fix XPath stack frame logic
  * Report undefined XPath variable error message
  * Fix regression with librsvg
  * Handle more invalid entity values in recovery mode
  * Fix structured validation errors
  * Fix memory leak in LZMA decompressor
  * Set memory limit for LZMA decompression
  * Handle illegal entity values in recovery mode
  * Fix debug dump of streaming XPath expressions
  * Fix memory leak in nanoftp
  * Fix memory leaks in SAX1 parser
- Drop libxml2-bug787941.patch
  * upstreamed in 3157cf4e53c03bc3da604472c015c63141907db8
- Update package summaries and RPM groups. Trim descriptions for
  size on secondary subpackages. Replace install call by a
  commonly-used macro.
- Add patch to fix TW integration:
  * libxml2-bug787941.patch
- Version update to 2.9.5 release:
  * Merged all the previous cve fixes that were patched in
  * Few small tweaks
- Remove merged patches:
  * libxml2-CVE-2016-4658.patch
  * libxml2-CVE-2017-0663.patch
  * libxml2-CVE-2017-5969.patch
  * libxml2-CVE-2017-9047.patch
  * libxml2-CVE-2017-9048.patch
  * libxml2-CVE-2017-9049.patch
  * libxml2-2.9.4-fix_attribute_decoding.patch
- Added libxml2-CVE-2016-4658.patch: Disallow namespace nodes in
  XPointer ranges. Namespace nodes must be copied to avoid
  use-after-free errors. But they don't necessarily have a physical
  representation in a document, so simply disallow them in XPointer
  ranges [bsc#1005544] [CVE-2016-4658]
- Remove obsolete patches libxml2-2.9.1-CVE-2016-3627.patch,
  0001-Add-missing-increments-of-recursion-depth-counter-to.patch,
  and libxml2-2.9.3-bogus_UTF-8_encoding_error.patch.
- add libxml2-2.9.3-bogus_UTF-8_encoding_error.patch to fix XML
  push parser that fails with bogus UTF-8 encoding error when
  multi-byte character in large CDATA section is split across
  buffer [bnc#962796]
- temporarily reverting libxml2-CVE-2014-0191.patch until there is a fix
  that doesn't break other applications
- buildignore python to avoid build cycle
- fix version
- renamed to python-libxml2 to follow python naming expectations
- do not require python but let rpm figure it out
- buildrequire python-xml to fix build
libyajl
- add libyajl-CVE-2022-24795.patch (CVE-2022-24795, bsc#1198405)
libzypp
- Hint on ptf resolver conflicts (bsc#1194848)
- Fix package signature check (bsc#184501)
  Pay attention that header and payload are secured by a valid
  signature and report more detailed which signature is missing.
- Set ZYPP_RPM_DEBUG=1 to capture verbose rpm command output.
- version 16.22.4 (0)
lifecycle-data-sle-live-patching
- Added data for 4_12_14-122_116, 4_12_14-95_96, 4_4_180-94_161. (bsc#1020320)
- Added data for 4_12_14-122_110, 4_12_14-122_113, 4_12_14-95_88,
  4_12_14-95_93, 4_4_180-94_153, 4_4_180-94_156. (bsc#1020320)
- Added data for 4_12_14-122_106. (bsc#1020320)
lifecycle-data-sle-module-toolchain
- Added expiration data for GCC 10 yearly update for the Toolchain/Development modules.
  (jsc#ECO-2373, jsc#SLE-16821, jsc#SLE-16822)
  (jsc#ECO-368, jsc#SLE-5825, jsc#SLE-5838, jsc#SLE-7268, jsc#SLE-10952, FATE#327368)
logrotate
- Security fix: (bsc#1192449) related to (bsc#1191281, CVE-2021-3864)
  * enforce stricter parsing to avoid CVE-2021-3864
  * Added patch logrotate-enforce-stricter-parsing-and-extra-tests.patch
- Fix "/logrotate emits unintended warning: keyword size not properly
  separated, found 0x3d"/ (bsc#1200278, bsc#1200802):
  * Added patch logrotate-dont_warn_on_size=_syntax.patch
mozilla-nss
- Mozilla NSS 3.68.4 (bsc#1200027)
  * Initialize pointers passed to NSS_CMSDigestContext_FinishMultiple.
    (bmo#1767590)
- Mozilla NSS 3.68.3 (bsc#1197903)
  This release improves the stability of NSS when used in a multi-threaded
  environment. In particular, it fixes memory safety violations that
  can occur when PKCS#11 tokens are removed while in use (CVE-2022-1097).
  We presume that with enough effort these memory safety violations are exploitable.
  * Remove token member from NSSSlot struct (bmo#1756271).
  * Hold tokensLock through nssToken_GetSlot calls in nssTrustDomain_GetActiveSlots
    (bmo#1755555).
  * Check return value of PK11Slot_GetNSSToken (bmo#1370866).
mutt
- Add patch uudecode-e5ed080c.patch for bsc#1198518 and CVE-2022-1328
  to fix a buffer overflow in uudecoder
ocfs2-tools
- fsck.ocfs2: do not try locking after replaying journals if -F is given (bsc#1196705)
  + fsck.ocfs2-do-not-try-locking-after-replaying-journa.patch
openldap2
- bsc#1199240 - CVE-2022-29155 - Resolve sql injection in back-sql
  * 0225-ITS-9815-slapd-sql-escape-filter-values.patch
- bsc#1198383 - Resolve issue with SASL init
  * 0224-ITS-8648-init-SASL-library-in-global-init.patch
openssl-1_0_0
- Added	openssl-1_0_0-Fix-file-operations-in-c_rehash.patch
  * bsc#1200550
  * CVE-2022-2068
  * Fixed more shell code injection issues in c_rehash
- Fixed error in openssl-CVE-2022-1292.patch resulting in misnamed
  variable.
- Security fix: [bsc#1199166, CVE-2022-1292]
  * Added: openssl-CVE-2022-1292.patch
  * properly sanitise shell metacharacters in c_rehash script.
- Security Fix: [bsc#1196249]
  * Allow CRYPTO_THREADID_set_callback to be called with NULL parameter
  * Add openssl-CRYPTO_THREADID_set_callback.patch
- Security Fix: [bsc#1196877, CVE-2022-0778]
  * Infinite loop in BN_mod_sqrt() reachable when parsing certificates
  * Add openssl-CVE-2022-0778.patch
pcre
- Added pcre-8.45-bsc1199232-unicode-property-matching.patch
  * bsc#1199232
  * CVE-2022-1586
  * Fixes unicode property matching issue
psmisc
  * Add a fallback if the system call name_to_handle_at() is
    not supported by the used file system.
- Add patch psmisc-22.21-semaphores.patch
  * Replace the synchronizing over pipes of the sub process for the
    stat(2) system call with mutex and conditions from pthreads(7)
    (bsc#1194172)
- Add patch psmisc-22.21-statx.patch
  * Use statx(2) or SYS_statx system call to replace the stat(2)
    system call and avoid the sub process at all (bsc#1194172)
- Change patch 0001-Use-mountinfo-to-be-able-to-use-the-mount-identity.patch
python
- Add CVE-2015-20107-mailcap-unsafe-filenames.patch to avoid
  CVE-2015-20107 (bsc#1198511, gh#python/cpython#68966), the
  command injection in the mailcap module.
- Update bundled pip wheel to the latest SLE version patched
  against bsc#1186819 (CVE-2021-3572).
- Recover again proper value of %python2_package_prefix
  (bsc#1175619).
- BuildRequire rpm-build-python: The provider to inject python(abi)
  has been moved there. rpm-build pulls rpm-build-python
  automatically in when building anything against python3-base, but
  this implies that the initial build of python3-base does not
  trigger the automatic installation.
- Older SLE versions should use old OpenSSL.
- Add CVE-2022-0391-urllib_parse-newline-parsing.patch
  (bsc#1195396, CVE-2022-0391, bpo#43882) sanitizing URLs
  containing ASCII newline and tabs in urlparse.
- Add CVE-2021-4189-ftplib-trust-PASV-resp.patch (bsc#1194146,
  bpo#43285, CVE-2021-4189, gh#python/cpython#24838) make ftplib
  not trust the PASV response.
- build against openssl 1.1.x (incompatible with openssl 3.0x)
  for now.
- on sle12, python2 modules will still be called python-xxxx until EOL,
  for newer SLE versions they will be python2-xxxx
- BuildRequire rpm-build-python: The provider to inject python(abi)
  has been moved there. rpm-build pulls rpm-build-python
  automatically in when building anything against python3-base, but
  this implies that the initial build of python3-base does not
  trigger the automatic installation.
python-PyJWT
- Add CVE-2022-29217-non-blocked-pubkeys.patch fixing
  CVE-2022-29217 (bsc#1199756), which disallows use of blocked
  pubkeys (heavily modified from upstream).
python-base
- Add CVE-2015-20107-mailcap-unsafe-filenames.patch to avoid
  CVE-2015-20107 (bsc#1198511, gh#python/cpython#68966), the
  command injection in the mailcap module.
- Update bundled pip wheel to the latest SLE version patched
  against bsc#1186819 (CVE-2021-3572).
- Recover again proper value of %python2_package_prefix
  (bsc#1175619).
- BuildRequire rpm-build-python: The provider to inject python(abi)
  has been moved there. rpm-build pulls rpm-build-python
  automatically in when building anything against python3-base, but
  this implies that the initial build of python3-base does not
  trigger the automatic installation.
- Older SLE versions should use old OpenSSL.
- Add CVE-2022-0391-urllib_parse-newline-parsing.patch
  (bsc#1195396, CVE-2022-0391, bpo#43882) sanitizing URLs
  containing ASCII newline and tabs in urlparse.
- Add CVE-2021-4189-ftplib-trust-PASV-resp.patch (bsc#1194146,
  bpo#43285, CVE-2021-4189, gh#python/cpython#24838) make ftplib
  not trust the PASV response.
- build against openssl 1.1.x (incompatible with openssl 3.0x)
  for now.
- on sle12, python2 modules will still be called python-xxxx until EOL,
  for newer SLE versions they will be python2-xxxx
- BuildRequire rpm-build-python: The provider to inject python(abi)
  has been moved there. rpm-build pulls rpm-build-python
  automatically in when building anything against python3-base, but
  this implies that the initial build of python3-base does not
  trigger the automatic installation.
python3
- Add CVE-2015-20107-mailcap-unsafe-filenames.patch to avoid
  CVE-2015-20107 (bsc#1198511, gh#python/cpython#68966), the
  command injection in the mailcap module.
- Add bpo-46623-skip-zlib-s390x.patch skipping two failing tests
  on s390x.
- drop PYTHONSTARTUP hooks that cause spurious startup errors
  (bsc#1070738, bsc#1199441), as the relevant feature (REPL
  history) is now built into Python itself.
- Update bundled pip wheel to the latest SLE version patched
  against bsc#1186819 (CVE-2021-3572).
- Add CVE-2022-0391-urllib_parse-newline-parsing.patch
  (bsc#1195396, CVE-2022-0391, bpo#43882) sanitizing URLs
  containing ASCII newline and tabs in urlparse.
- Add CVE-2021-4189-ftplib-trust-PASV-resp.patch (bsc#1194146,
  bpo#43285, CVE-2021-4189, gh#python/cpython#24838) make ftplib
  not trust the PASV response.
python3-base
- Add CVE-2015-20107-mailcap-unsafe-filenames.patch to avoid
  CVE-2015-20107 (bsc#1198511, gh#python/cpython#68966), the
  command injection in the mailcap module.
- Add bpo-46623-skip-zlib-s390x.patch skipping two failing tests
  on s390x.
- drop PYTHONSTARTUP hooks that cause spurious startup errors
  (bsc#1070738, bsc#1199441), as the relevant feature (REPL
  history) is now built into Python itself.
- Update bundled pip wheel to the latest SLE version patched
  against bsc#1186819 (CVE-2021-3572).
- Add CVE-2022-0391-urllib_parse-newline-parsing.patch
  (bsc#1195396, CVE-2022-0391, bpo#43882) sanitizing URLs
  containing ASCII newline and tabs in urlparse.
- Add CVE-2021-4189-ftplib-trust-PASV-resp.patch (bsc#1194146,
  bpo#43285, CVE-2021-4189, gh#python/cpython#24838) make ftplib
  not trust the PASV response.
resource-agents
- AUDIT-FIND: resource-agents: Predictable log file in /tmp in mariadb.in
  (bsc#1146691)
  Add patch:
    0001-mariadb-Remove-obsolete-DEBUG_LOG-functionality-1191.patch
rsyslog
- (CVE-2022-24903) fix potential heap buffer overflow in modules for TCP
  syslog reception (bsc#1199061)
  * add CVE-2022-24903.patch
sapconf
- version update from 5.0.3 to 5.0.4
- change block device handling to handle multipath devices
  correctly. Only the DM multipath devices (mpath) will be used for
  the settings, but not its paths.
  (bsc#1188743)
- fixed wrong comparison used for setting force_latency
  (bsc#1185702)
- SAP Note 1771258 v6 updates nofile values to 1048576
  (bsc#1192841)
suse-build-key
- extended expiry of SUSE PTF key, move it to suse_ptf_key_old.asc
- added new SUSE PTF key with RSA2048 bit as suse_ptf_key.asc (bsc#1196494)
- extended expiry of SUSE SLES11 key (bsc#1194845)
- added SUSE Contaner signing key in PEM format for use e.g. by cosign.
- SUSE security key replaced with 2022 edition (E-Mail usage only). (bsc#1196495)
- removed old security key.
systemd
- Import commit 81e1235110a58f78e4e7514b45a2897ceddadf88
  8348b7f7ea systemd-coredump: allow setting external core size to infinity (bsc#1195899 jsc#SLE-23869 jsc#SLE-23871)
  d827639164 systemctl: exit with 1 if no unit files found (bsc#1193841)
  99d0949499 umount: show correct error message
  16f9b8a5fa core/umount: fix unitialized fields in MountPoint in dm_list_get()
  8f7b39e250 umount: Add more asserts and remove some unused arguments
  6858714b68 umount: Fix memory leak
  4a83c21fb1 mount-util: fix fd_is_mount_point() when both the parent and directory are network fs (bsc#1190984)
- Import commit 3fad90a5e2a1d0099ba2925793df42e0084cad35
  dbf8419fdb busctl: add a timestamp to the output of the busctl monitor command (bsc#1180225 jsc#SLE-21861)
  7a9abad886 sysctl: configure kernel parameters in the order they occur in each sysctl configuration files (#4205) (bsc#1191399)
  7dd902bfa6 manager: reexecute on SIGRTMIN+25, user instances only
  fb9e399bca basic/unit-name: do not use strdupa() on a path (bsc#1188063 CVE-2021-33910)
  e0fde642ec logind: terminate cleanly on SIGTERM/SIGINT (bsc#1188018)
  fe106cccdd units: make fsck/grows/makefs/makeswap units conflict against shutdown.target
- Make sure the versions of both udev and systemd packages are always the same (bsc#1189480)
- Avoid the error message when udev is updated due to udev being
  already active when the sockets are started again (bsc#1188291)
- Drop 1001-basic-unit-name-do-not-use-strdupa-on-a-path.patch
  It's been merged in branch SUSE/v228.
- Allow systemd sysusers config files to be overriden during system
  installation (bsc#1171962).
- While at it, add a comment to explain why we don't use
  %sysusers_create in %pre and why it should be safe in %post.
tiff
- security update
  * CVE-2022-0561 [bsc#1195964]
    + tiff-CVE-2022-0561.patch
  * CVE-2022-0562 [bsc#1195965]
    + tiff-CVE-2022-0562.patch
  * CVE-2022-0865 [bsc#1197066]
    + tiff-CVE-2022-0865.patch
  * CVE-2022-0909 [bsc#1197072]
    + tiff-CVE-2022-0909.patch
  * CVE-2022-0924 [bsc#1197073]
    + tiff-CVE-2022-0924.patch
  * CVE-2022-0908 [bsc#1197074]
    + tiff-CVE-2022-0908.patch
- security update
  * CVE-2022-1056 [bsc#1197631]
  * CVE-2022-0891 [bsc#1197068]
    + tiff-CVE-2022-1056,CVE-2022-0891.patch
timezone
- timezone update 2022a (bsc#1177460):
  * Palestine will spring forward on 2022-03-27, not -03-26*
  * zdump -v now outputs better failure indications
  * Bug fixes for code that reads corrupted TZif data
util-linux
- Apply a simple work-around for root owning of
  /var/lib/libuuid/clock.txt (bsc#1194642#c66).
- Extend cache in uuid_generate_time_generic() (bsc#1194642#c51,
  util-linux-libuuid-extend-cache.patch).
- Warn if uuidd lock state is not usable (bsc#1194642,
  util-linux-uuidd-check-lock-state.patch).
- Fix "/su -s"/ bash completion
  (bsc#1172427, util-linux-bash-completion-su-chsh-l.patch).
- ipcutils: Avoid potential memory allocation overflow
  (bsc#1188921, CVE-2021-37600,
  util-linux-ipcutils-overflow-CVE-2021-37600.patch).
- Fix ipcs testsuite (bsc#1178236#c19,
  util-linux-ipcs-shmall-overflow-ts.patch).
- ipcs: Avoid overflows (bsc#1178236,
  util-linux-ipcs-shmall-overflow-1.patch,
  util-linux-ipcs-shmall-overflow-2.patch).
- libblkid: Do not trigger CDROM autoclose (bsc#1084671,
  util-linux-libblkid-cdrom-autoclose-1.patch,
  util-linux-libblkid-cdrom-autoclose-2.patch,
  util-linux-libblkid-cdrom-autoclose-3.patch).
- Modernize patch util-linux-sulogin4bsc1175514.patch
  * Try to autoconfigure broken serial lines
- Add patch util-linux-sulogin4bsc1175514.patch
  Avoid sulogin failing on not existing or not functional console
  devices (bsc#1175514)
- Build with libudev support to support non-root users
  (boo#1169006).
- lscpu: avoid segfault on PowerPC systems with valid hardware
  configurations
  (bsc#1175623, bsc#1178554, bsc#1178825,
  lscpu-avoid-segfault-on-PowerPC-systems-with-valid-h.patch)
- Fix for SG#57988, bsc#1174942:
  libmount-fix-mount-a-EBUSY-for-cifs.patch: Fix warning on mounts
  to CIFS with mount –a.
- blockdev: Do not fail --report on kpartx-style partitions on
  multipath (bsc#1168235, util-linux-blockdev-report-dm.patch).
- nologin: Add support for -c to prevent error from su -c
  (bsc#1151708, util-linux-nologin-su-c.patch).
- Add libmount-Avoid-triggering-autofs-in-lookup_umount_fs.patch:
  Avoid triggering autofs in lookup_umount_fs_by_statfs
  (boo#1168389)
- Issue a warning for outdated pam files
  (bsc#1082293, boo#1081947#c68).
- Do not skip trim of file systems with bind mounts
  (boo1089529, util-linux-fstrim-a-bindmount.patch).
- Do not trim read-only volumes
  (boo#1106214, util-linux-fstrim-RO.patch).
- libmount: To prevent incorrect behavior, recognize more pseudofs
  and netfs (bsc#1122417, util-linux-libmount-pseudofs.patch).
- Fix license of libraries: LGPL-2.1-or-later and BSD-3-Clause for
  libuuid (bsc#1135708).
- raw.service: Add RemainAfterExit=yes (bsc#1135534).
- agetty: Reload issue only if it is really needed (bsc#1085196,
  util-linux-agetty-smart-reload-01.patch,
  util-linux-agetty-smart-reload-02.patch,
  util-linux-agetty-smart-reload-03.patch,
  util-linux-agetty-smart-reload-04.patch,
  util-linux-agetty-smart-reload-05.patch,
  util-linux-agetty-smart-reload-06.patch,
  util-linux-agetty-smart-reload-07.patch,
  util-linux-agetty-smart-reload-08.patch,
  util-linux-agetty-smart-reload-09.patch,
  util-linux-agetty-smart-reload-10.patch,
  util-linux-agetty-smart-reload-11.patch,
  util-linux-agetty-smart-reload-12.patch).
- agetty: Return previous response of agetty for special characters
  (bsc#1085196, bsc#1125886,
  util-linux-agetty-smart-reload-13.patch,
  util-linux-agetty-smart-reload-14.patch).
- agetty BEHAVIOR CHANGE: Terminal switches to character mode when
  entering logname; echo is generated by the agetty itself.
  (In past, logname echo was generated locally by the terminal,
  using the canonical line editing mode.)
util-linux-systemd
- Apply a simple work-around for root owning of
  /var/lib/libuuid/clock.txt (bsc#1194642#c66).
- Extend cache in uuid_generate_time_generic() (bsc#1194642#c51,
  util-linux-libuuid-extend-cache.patch).
- Warn if uuidd lock state is not usable (bsc#1194642,
  util-linux-uuidd-check-lock-state.patch).
- Fix "/su -s"/ bash completion
  (bsc#1172427, util-linux-bash-completion-su-chsh-l.patch).
- ipcutils: Avoid potential memory allocation overflow
  (bsc#1188921, CVE-2021-37600,
  util-linux-ipcutils-overflow-CVE-2021-37600.patch).
- Fix ipcs testsuite (bsc#1178236#c19,
  util-linux-ipcs-shmall-overflow-ts.patch).
- ipcs: Avoid overflows (bsc#1178236,
  util-linux-ipcs-shmall-overflow-1.patch,
  util-linux-ipcs-shmall-overflow-2.patch).
- libblkid: Do not trigger CDROM autoclose (bsc#1084671,
  util-linux-libblkid-cdrom-autoclose-1.patch,
  util-linux-libblkid-cdrom-autoclose-2.patch,
  util-linux-libblkid-cdrom-autoclose-3.patch).
- Modernize patch util-linux-sulogin4bsc1175514.patch
  * Try to autoconfigure broken serial lines
- Add patch util-linux-sulogin4bsc1175514.patch
  Avoid sulogin failing on not existing or not functional console
  devices (bsc#1175514)
- Build with libudev support to support non-root users
  (boo#1169006).
- lscpu: avoid segfault on PowerPC systems with valid hardware
  configurations
  (bsc#1175623, bsc#1178554, bsc#1178825,
  lscpu-avoid-segfault-on-PowerPC-systems-with-valid-h.patch)
- Fix for SG#57988, bsc#1174942:
  libmount-fix-mount-a-EBUSY-for-cifs.patch: Fix warning on mounts
  to CIFS with mount –a.
- blockdev: Do not fail --report on kpartx-style partitions on
  multipath (bsc#1168235, util-linux-blockdev-report-dm.patch).
- nologin: Add support for -c to prevent error from su -c
  (bsc#1151708, util-linux-nologin-su-c.patch).
- Add libmount-Avoid-triggering-autofs-in-lookup_umount_fs.patch:
  Avoid triggering autofs in lookup_umount_fs_by_statfs
  (boo#1168389)
- Issue a warning for outdated pam files
  (bsc#1082293, boo#1081947#c68).
- Do not skip trim of file systems with bind mounts
  (boo1089529, util-linux-fstrim-a-bindmount.patch).
- Do not trim read-only volumes
  (boo#1106214, util-linux-fstrim-RO.patch).
- libmount: To prevent incorrect behavior, recognize more pseudofs
  and netfs (bsc#1122417, util-linux-libmount-pseudofs.patch).
- Fix license of libraries: LGPL-2.1-or-later and BSD-3-Clause for
  libuuid (bsc#1135708).
- raw.service: Add RemainAfterExit=yes (bsc#1135534).
- agetty: Reload issue only if it is really needed (bsc#1085196,
  util-linux-agetty-smart-reload-01.patch,
  util-linux-agetty-smart-reload-02.patch,
  util-linux-agetty-smart-reload-03.patch,
  util-linux-agetty-smart-reload-04.patch,
  util-linux-agetty-smart-reload-05.patch,
  util-linux-agetty-smart-reload-06.patch,
  util-linux-agetty-smart-reload-07.patch,
  util-linux-agetty-smart-reload-08.patch,
  util-linux-agetty-smart-reload-09.patch,
  util-linux-agetty-smart-reload-10.patch,
  util-linux-agetty-smart-reload-11.patch,
  util-linux-agetty-smart-reload-12.patch).
- agetty: Return previous response of agetty for special characters
  (bsc#1085196, bsc#1125886,
  util-linux-agetty-smart-reload-13.patch,
  util-linux-agetty-smart-reload-14.patch).
- agetty BEHAVIOR CHANGE: Terminal switches to character mode when
  entering logname; echo is generated by the agetty itself.
  (In past, logname echo was generated locally by the terminal,
  using the canonical line editing mode.)
xen
- bsc#1197426 - VUL-0: CVE-2022-26358,CVE-2022-26359,
  CVE-2022-26360,CVE-2022-26361: xen: IOMMU: RMRR (VT-d) and unity
  map (AMD-Vi) handling issues (XSA-400)
  624ebcef-VT-d-dont-needlessly-look-up-DID.patch
  624ebd3b-VT-d-avoid-NULL-deref-on-dcmo-error-paths.patch
  624ebd74-VT-d-avoid-infinite-recursion-on-dcmo-error-path.patch
- bsc#1197423 - VUL-0: CVE-2022-26356: xen: Racy interactions
  between dirty vram tracking and paging log dirty hypercalls
  (XSA-397)
  xsa397.patch
- bsc#1197425 - VUL-0: CVE-2022-26357: xen: race in VT-d domain ID
  cleanup (XSA-399)
  xsa399.patch
- bsc#1197426 - VUL-0: CVE-2022-26358,CVE-2022-26359,
  CVE-2022-26360,CVE-2022-26361: xen: IOMMU: RMRR (VT-d) and unity
  map (AMD-Vi) handling issues (XSA-400)
  xsa400-00a.patch
  xsa400-00b.patch
  xsa400-01.patch
  xsa400-02.patch
  xsa400-03.patch
  xsa400-04.patch
  xsa400-05.patch
  xsa400-06.patch
  xsa400-07.patch
  xsa400-08.patch
  xsa400-09.patch
  xsa400-10.patch
  xsa400-11.patch
- bsc#1196915 - VUL-0: CVE-2022-0001, CVE-2022-0002,CVE-2021-26401:
  xen: BHB speculation issues (XSA-398)
  xsa398.patch
xz
- Fix ZDI-CAN-16587 Fix escaping of malicious filenames
  (ZDI-CAN-16587 bsc#1198062 CVE-2022-1271)
  * bsc1198062.patch
zlib
- CVE-2018-25032: Fix memory corruption on deflate, bsc#1197459
  * zlib-bsc1197459.patch
zsh
- Added CVE-2019-20044.patch: fixes insecure dropping of privileges when
  unsetting PRIVILEGED option (CVE-2019-20044 bsc#1163882)
- Add CVE-2018-1100.patch: it fixes buffer overflow in utils.c:checkmailpath()
  can lead to local arbitrary code execution (CVE-2018-1100 bsc#1089030)
- Added CVE-2021-45444.patch: fixes a vulnerability in prompt expansion which
  could be exploited through e.g.  VCS_Info to execute arbitrary shell
  commands (CVE-2021-45444 bsc#1196435)
zypper
- Return ZYPPER_EXIT_INF_RPM_SCRIPT_FAILED (107) also if %posttrans
  script failed. Requires ZYPPER_ON_CODE12_RETURN_107=1 being set
  in the environment (bsc#1198139)
- version 1.13.62
- info: Fix SEGV with not installed PTFs (bsc#1196317)
- version 1.13.61