avahi
- Add avahi-CVE-2023-38473.patch: derive alternative host name from
  its unescaped version (bsc#1216419 CVE-2023-38473).
python3-base
- Refresh CVE-2023-27043-email-parsing-errors.patch from
  gh#python/cpython!111116, fixing bsc#1210638 (CVE-2023-27043).
python3
- Refresh CVE-2023-27043-email-parsing-errors.patch from
  gh#python/cpython!111116, fixing bsc#1210638 (CVE-2023-27043).
ca-certificates
- Use --overwrite option (bsc#1216685, ca-certificates-overwrite.diff)
tar
- Fix CVE-2023-39804, Incorrectly handled extension attributes in
  PAX archives can lead to a crash, bsc#1217969
  * fix-CVE-2023-39804.patch
jbigkit
- security update
- added patches
  fix CVE-2022-1210 [bsc#1198146], Malicious file leads to a denial of service in TIFF File Handler
  + jbigkit-CVE-2022-1210.patch
cloud-regionsrv-client
- Update EC2 plugin to 1.0.4 (bsc#1219156, bsc#1219159)
  + Fix the algorithm to determine the region from the availability zone
    information retrieved from IMDS.
- Update to version 10.1.6
  + Support specifying an IPv6 address for a manually configured target
    update server.

- Update to version 10.1.5 (bsc#1217583)
  + Fix fallback path when IPv6 network path is not usable
  + Enable an IPv6 fallback path in IMDS access if it cannot be accessed
    over IPv4
  + Enable IMDS access over IPv6

- Update to version 10.1.4 (bsc#1217451)
  + Fetch cert for new update server during failover
libzypp
- Touch /run/reboot-needed if a patch suggesting a reboot was
  installed (bsc#1217948)
  It is expected that /run is cleaned at boot time, so the presence
  of the file is one way to indicate that the system needs a reboot.
  The recommended way for scripts to test whether a system reboot
  is suggested will be calling `zypper needs-rebooting`.
- version 16.22.11 (0)

- Ignore if the media to unmount is no longer mounted
  (bsc#1216064)
- Close all media after having preloaded the cache.
  Mitigates the change that during package installation e.g. a
  nfs.service restart forcefully unmounts the media we access
  (bsc#1216064)
- version 16.22.10 (0)

- repo: Don't download unneeded sqlite metadata (fixes #476)
- version 16.22.9 (0)
regionServiceClientConfigEC2
- Version 4.1.1
  Add patch no-ipv6.patch to not serve IPv6 addresses on SLES12
  Related to bsc#1218656

- Update to version 4.1.1 (bsc#1217536)
  + Replace 54.247.166.75.pem and 54.253.118.149.pem old soon to expired certs
    with new generated ones that expire in 8 years and have longer length (4096)

- Update to version 4.1.0 (bsc#1203215)
  + New certs for 52.79.82.165 and 54.247.166.75

- Update to version 4.0.0 (bsc#1199668)
  + Move cert location to usr form var to accomodate ro filesystem of
    SLE-Micro
  + Fix source location in spec file
python-chardet
- Fix update-alternative in %postun, bsc#1218765
rsyslog
- fix rsyslog crash in imrelp (bsc#1210286)
  * add: 0001-Avoid-crash-on-restart-in-imrelp-SIGTTIN-handler.patch
crmsh
- Update to version 4.1.1+git.1698634014.97c7bf37:
  * Fix: utils: Call stdout2list correctly (bsc#1216597)
wget
- Fixed the failure to detect SSL handshake timeout
  [bsc#1217717, wget-add-support-for-timeout-with-ssl.patch,
  wget-gnutls-honor-connect-timeout.patch]
samba
- Add new idmap_nss option 'use_upn' for those NSS modules able to
  handle UPNs or DOMAIN/user name format; (bsc#1215369);
- Avoid unnecessary locking in idmap parent setup; (bsc#1215369);
- Do not try to set domain online in the idmap child;
  (bsc#1215369); (bso#15317).
sqlite3
- Sync version 3.44.0 from Factory
  * Fixes bsc#1210660, CVE-2023-2137: Heap buffer overflow
  * sqlite3-rtree-i686.patch: temporary build fix for 32-bit x86.
  * Obsoletes sqlite-CVE-2022-46908.patch
  * Obsoletes sqlite-src-3390000-func7-pg-181.patch
vim
- Updated to version 9.0 with patch level 2103, fixes the following security problems
  * Fixing bsc#1215940 (CVE-2023-5344) - VUL-0: CVE-2023-5344: vim: Heap-based Buffer Overflow in vim prior to 9.0.1969.
  * Fixing bsc#1216001 (CVE-2023-5441) - VUL-0: CVE-2023-5441: vim: segfault in exmode when redrawing
  * Fixing bsc#1216167 (CVE-2023-5535) - VUL-0: CVE-2023-5535: vim: use-after-free from buf_contents_changed()
  * Fixing bsc#1216696 (CVE-2023-46246) - VUL-0: CVE-2023-46246: vim: Integer Overflow in :history command
- for the complete list of changes see
  https://github.com/vim/vim/compare/v9.0.1894...v9.0.2103
w3m
- CVE-2023-4255 out-of-bounds write in function checkType() in etc.c
  (bsc#1218226)
  - add 0001-Fix-OOB-access-due-to-multiple-backspaces.patch
python
- Add CVE-2023-27043-email-parsing-errors.patch to
  gh#python/cpython!111116, fixing bsc#1210638 (CVE-2023-27043).
pam
- Add missing O_DIRECTORY flag in `protect_dir()` for pam_namespace module.
  [bsc#1218475, pam-bsc1218475-pam_namespace-O_DIRECTORY-flag.patch]

- pam_unix: Add no_pass_expiry option to ignore password expiration
  [bsc#1215594 pam-unix-add-no_pass_expiry-option.patch]
kernel-default
- PCI: Disable ATS for specific Intel IPU E2000 devices
  (bsc#1218622).
- commit 6c47e22

- smb: client: fix potential OOB in smb2_dump_detail()
  (bsc#1217946 CVE-2023-6610).
- commit 74aafd7

- netfilter: nf_tables: do not allow RULE_ID to refer to another chain (bsc#1202095 CVE-2022-2586).
- commit 32951b9

- netfilter: nf_tables: do not allow SET_ID to refer to another table (bsc#1202095 CVE-2022-2586).
- commit d107d27

- netfilter: preserve KABI for struct nft_set (bsc#1202095 CVE-2022-2586).
- commit b3d22c5

- netfilter: nf_tables: pass ctx to nf_tables_expr_destroy() (bsc#1202095 CVE-2022-2586).
- commit 61a0caa

- Resolve build warnings from previous series due to missing commit for
  Ice Lake freerunning counters
  perf/x86/intel/uncore: Add box_offsets for free-running counters
  (jsc#PED-5023 bsc#1211439).
- commit 8524ea3

- Bluetooth: af_bluetooth: Fix Use-After-Free in bt_sock_recvmsg
  (CVE-2023-51779 bsc#1218559).
- commit f63e944

- blacklist.conf: update blacklist
- commit 6de7142

- xhci: Clear EHB bit only at end of interrupt handler
  (git-fixes).
- commit 21f5e35

- usb: config: fix iteration issue in 'usb_get_bos_descriptor()'
  (git-fixes).
- commit d5b5186

- MyBS: Workaround for kernel-obs-build build failure
  (JSC-SLE#5501, boo#1211226, bsc#1218184)
  kernel-obs-build needs root for build. This is in some way enabled for
  the package link case but not for multibuild case. As a workaround add
  the allowrootforbuild flag to prjconf for multibuild.
- commit 71a32af

- md/raid1: fix error: ISO C90 forbids mixed declarations
  (git-fixes).
- commit c63e55d

- dm-integrity: don't modify bio's immutable bio_vec in
  integrity_metadata() (git-fixes).
- md: don't leave 'MD_RECOVERY_FROZEN' in error path of
  md_set_readonly() (git-fixes).
- bcache: revert replacing IS_ERR_OR_NULL with IS_ERR (git-fixes).
- dm-verity: align struct dm_verity_fec_io properly (git-fixes).
- dm verity: don't perform FEC for failed readahead IO
  (git-fixes).
- bcache: add code comments for bch_btree_node_get() and
  __bch_btree_node_alloc() (git-fixes).
- bcache: replace a mistaken IS_ERR() by IS_ERR_OR_NULL() in
  btree_gc_coalesce() (git-fixes).
- bcache: prevent potential division by zero error (git-fixes).
- bcache: check return value from btree_node_alloc_replacement()
  (git-fixes).
- md/raid1: hold the barrier until handle_read_error() finishes
  (git-fixes).
- md/raid1: free the r1bio before waiting for blocked rdev
  (git-fixes).
- md: raid1: fix potential OOB in raid1_remove_disk() (git-fixes).
- md: restore 'noio_flag' for the last mddev_resume() (git-fixes).
- dm cache policy smq: ensure IO doesn't prevent cleaner policy
  progress (git-fixes).
- dm raid: fix missing reconfig_mutex unlock in raid_ctr()
  error paths (git-fixes).
- md/raid0: add discard support for the 'original' layout
  (git-fixes).
- bcache: Fix __bch_btree_node_alloc to make the failure behavior
  consistent (git-fixes).
- bcache: Remove unnecessary NULL point check in node allocations
  (git-fixes).
- nbd: Add the maximum limit of allocated index in nbd_dev_add
  (git-fixes).
- nbd: Fix debugfs_create_dir error checking (git-fixes).
- dm flakey: fix a crash with invalid table line (git-fixes).
- dm integrity: call kmem_cache_destroy() in dm_integrity_init()
  error path (git-fixes).
- dm verity: fix error handling for check_at_most_once on FEC
  (git-fixes).
- dm stats: check for and propagate alloc_percpu failure
  (git-fixes).
- dm crypt: add cond_resched() to dmcrypt_write() (git-fixes).
- rbd: avoid use-after-free in do_rbd_add() when rbd_dev_create()
  fails (git-fixes).
- dm cache: add cond_resched() to various workqueue loops
  (git-fixes).
- dm thin: add cond_resched() to various workqueue loops
  (git-fixes).
- dm: remove flush_scheduled_work() during local_exit()
  (git-fixes).
- dm flakey: fix logic when corrupting a bio (git-fixes).
- dm flakey: don't corrupt the zero page (git-fixes).
- dm verity: skip redundant verity_handle_err() on I/O errors
  (git-fixes).
- commit 640b528

- Previous perf cve-4.12->SLE12-SP5 manual merge was incorrect. Fix.
- Refresh
  patches.suse/perf-Fix-perf_event_validate_size-lockdep-splat.patch.
- Refresh patches.suse/perf-Fix-perf_event_validate_size.patch.
- commit 3382aa6

- MyBS: Fix the logic of the wipe conditional.
  - with no_init specified leave the built packages
  - with multibuild the package may be present even if build is not
  enabled, delete anyway
- commit 9c2f303

- mkspec: Add multibuild support (JSC-SLE#5501, boo#1211226, bsc#1218184)
  When MULTIBUILD option in config.sh is enabled generate a _multibuild
  file listing all spec files.
- commit f734347

- Build in the correct KOTD repository with multibuild
  (JSC-SLE#5501, boo#1211226, bsc#1218184)
  With multibuild setting repository flags is no longer supported for
  individual spec files - see
  https://github.com/openSUSE/open-build-service/issues/3574
  Add ExclusiveArch conditional that depends on a macro set up by
  bs-upload-kernel instead. With that each package should build only in
  one repository - either standard or QA.
  Note: bs-upload-kernel does not interpret rpm conditionals, and only
  uses the first ExclusiveArch line to determine the architectures to
  enable.
- commit aa5424d

- bs-upload-kernel, MyBS, Buildresults: Support multibuild
  (JSC-SLE#5501, boo#1211226, bsc#1218184)
- strip package name prefix when recording results
- add package prefix to linked packages
- when _multibuild file is present do not link packages
- use onlybuild BuildFlag for limiting build to specific packages
- generate is_kotd_qa macro in project config that can be used to
  determine if the package is built in the QA repository
  This is _very_ convoluted. No shell or lua tools can be used because
  this information needs to be available to the OBS to schedule the
  package in the correct repository, and it does not run scripts. The
  builtin sub macro for slicing strings causes a build error - it
  expanded correctly by the scheduler but not available at package build
  time. If conditional cannot be used because rpm macros from project
  config are added to a macro include file, and those do not support
  conditionals. That leaves the option to use an expression that
  explicitly enumerates all QA repository names. This requires unusal
  and convoluted check in the spec file to make use of.
- commit 747f601

- MyBS: create_package: Specify package should build in QA repository
  by argument (JSC-SLE#5501, boo#1211226, bsc#1218184)
  Drop the unused title and description arguments, move the package name
  match to upload_package and pass teh result, add additional argument for
  multibuild.
- commit a355e71

- bs-upload-kernel: Wipe kernel-obs-build before upload
  (JSC-SLE#5501, boo#1211226, bsc#1218184)
  The kernel upload takes long enough for packages to start building
  during the upload. If the project contains kernel-obs-build binary that
  crashes on boot builds fail as a result. Wipe kernel-obs-build before
  the upload. Handle the case when the package does not exist yet by
  ignoring the error.
- commit cdac4cc

- bs-upload-kernel: Use one package list (JSC-SLE#5501, boo#1211226, bsc#1218184)
  There were ultiple package lists passed to upload_package supporting the
  distinction between package names starting with kernel- which can be
  individually selected for build, and other packages. Pass only one
  package list to simplify the logic and make it possible to know the full
  package list before doing the upload.
- commit ec941eb

- bs-upload-kernel: Support package limit for non-kernel packages
  (JSC-SLE#5501, boo#1211226, bsc#1218184)
  The -f option of the bs-upload-kernel script adds kernel- prefix
  unconditionally the package name.
  List all spec files in the uploaded directory, and check if the package
  exists with or without the kernel- prefix.
- commit 354b77b

- bs-upload-kernel: Drop BS_SUFFIX (JSC-SLE#5501, boo#1211226, bsc#1218184)
  BS_SUFFIX was used by SLE12 SP1 for Arm. This release is no longer
  maintained, and this feature gets no testing.
  Substantial changes to this script are required, and it's unlikely this
  feture would keep working after that.
- commit e27b306

- blacklist.conf: Add 1ca0b6051505 cgroup: Remove duplicates in cgroup v1 tasks file
- commit a77e914

- blacklist.conf: add non-backport commits of git-fixes
- commit 4d91f49

- blacklist.conf: change to logging only
- commit a144be1

- net: usb: qmi_wwan: claim interface 4 for ZTE MF290 (git-fixes).
- commit 0feae40

- Fix termination state for idr_for_each_entry_ul() (bsc#1109837).
- commit d343735

- Bluetooth: avoid memcmp() out of bounds warning (bsc#1215237
  CVE-2020-26555).
- Bluetooth: hci_event: Fix coding style (bsc#1215237
  CVE-2020-26555).
- Bluetooth: hci_event: Fix using memcmp when comparing keys
  (bsc#1215237 CVE-2020-26555).
- commit eb3189f

- Bluetooth: Reject connection with the device which has same
  BD_ADDR (bsc#1215237 CVE-2020-26555).
- commit fea8835

- Bluetooth: hci_event: Ignore NULL link key (bsc#1215237
  CVE-2020-26555).
- commit c0e1033

- perf/x86/intel/uncore: Fix reference count leak in
  __uncore_imc_init_box() (jsc#PED-5023 bsc#1211439 (git-fixes)).
- perf/x86/intel/uncore: Fix reference count leak in
  snr_uncore_mmio_map() (jsc#PED-5023 bsc#1211439 (git-fixes)).
- perf/x86/intel/uncore: Fix broken read_counter() for SNB IMC
  PMU (jsc#PED-5023 bsc#1211439 (git-fixes)).
- perf/x86/intel/uncore: Fix CAS_COUNT_WRITE issue for ICX
  (jsc#PED-5023 bsc#1211439 (git-fixes)).
- perf/x86/intel/uncore: Fix IIO event constraints for Snowridge
  (jsc#PED-5023 bsc#1211439 (git-fixes)).
- perf/x86/intel/uncore: Fix Intel ICX IIO event constraints
  (jsc#PED-5023 bsc#1211439 (git-fixes)).
- perf/x86/intel/uncore: Support extra IMC channel on Ice Lake
  server (jsc#PED-5023 bsc#1211439 (git-fixes)).
- perf/x86/intel/uncore: Fix integer overflow on 23 bit left
  shift of a u32 (jsc#PED-5023 bsc#1211439 (git-fixes)).
- perf/x86/intel/uncore: Fix M2M event umask for Ice Lake server
  (jsc#PED-5023 bsc#1211439 (git-fixes)).
- perf/x86/intel/uncore: Fix the scale of the IMC free-running
  events (jsc#PED-5023 bsc#1211439 (git-fixes)).
- perf/x86/intel/uncore: Fix oops when counting IMC uncore events
  on some TGL (jsc#PED-5023 bsc#1211439 (git-fixes)).
- perf/x86/intel/uncore: Fix missing marker for
  snr_uncore_imc_freerunning_events (jsc#PED-5023 bsc#1211439
  (git-fixes)).
- commit 1cc4e6d

- perf: Fix perf_event_validate_size() lockdep splat
  (CVE-2023-6931 bsc#1218258).
- perf: Fix perf_event_validate_size() (CVE-2023-6931
  bsc#1218258).
- commit 6cfe60a

- smb: client: fix OOB in smbCalcSize() (bsc#1217947
  CVE-2023-6606).
- commit d398d5f

- smb: client: fix OOB in smbCalcSize() (bsc#1217947
  CVE-2023-6606).
- commit 6765acb

- perf/x86/intel/uncore: Add Rocket Lake support (jsc#PED-5023
  bsc#1211439).
- commit 60ab65b

- perf/x86/msr: Add Rocket Lake CPU support (jsc#PED-5023
  bsc#1211439).
- commit fac3f56

- perf/x86/msr: Add Tiger Lake CPU support (jsc#PED-5023
  bsc#1211439).
- commit 7c0409f

- perf/x86/cstate: Add Rocket Lake CPU support (jsc#PED-5023
  bsc#1211439).
- commit f918ead

- perf/x86/cstate: Add Tiger Lake CPU support (jsc#PED-5023
  bsc#1211439).
- Refresh
  patches.suse/x86-perf-events-convert-to-new-cpu-match-macros.patch.
- commit c544da1

- perf/x86/intel: Add Rocket Lake CPU support (jsc#PED-5023
  bsc#1211439).
- commit 5b98b63

- perf/x86/intel: Add Tiger Lake CPU support (jsc#PED-5023
  bsc#1211439).
- commit 0e12a3f

- perf/x86/intel: Fix Ice Lake event constraint table
  (jsc#PED-5023 bsc#1211439).
- commit cd283d5

- perf/x86/intel/uncore: Update Ice Lake uncore units
  (jsc#PED-5023 bsc#1211439).
- commit 0e10240

- perf/x86/intel/uncore: Split the Ice Lake and Tiger Lake MSR
  uncore support (jsc#PED-5023 bsc#1211439).
- commit 9c5fb1a

- x86/cpu: Add Lakefield, Alder Lake and Rocket Lake models to
  the to Intel CPU family (jsc#PED-5023 bsc#1211439).
- blacklist.conf:
- commit 2561a0a

- perf/x86/intel/uncore: Add Comet Lake support (jsc#PED-5023
  bsc#1211439).
- Refresh
  patches.suse/x86-perf-events-convert-to-new-cpu-match-macros.patch.
- commit 2e1087f

- x86/cpu: Add Sapphire Rapids CPU model number (jsc#PED-5023
  bsc#1211439).
- commit 5b5d85f

- perf/x86/rapl: Add Ice Lake RAPL support (jsc#PED-5023
  bsc#1211439).
- commit c6183ea

- perf/x86/intel/uncore: Add Ice Lake server uncore support
  (jsc#PED-5023 bsc#1211439).
- commit 4150606

- perf/x86/intel/uncore: Factor out __snr_uncore_mmio_init_box
  (jsc#PED-5023 bsc#1211439).
- commit c73e167

- perf/x86: Add Intel Tiger Lake uncore support (jsc#PED-5023
  bsc#1211439).
- Refresh
  patches.suse/x86-intel-aggregate-big-core-mobile-naming.patch.
- Refresh
  patches.suse/x86-intel-aggregate-microserver-naming.patch.
- Refresh
  patches.suse/x86-perf-events-convert-to-new-cpu-match-macros.patch.
- commit f5492f0

- perf/x86/cstate: Update C-state counters for Ice Lake
  (jsc#PED-5023 bsc#1211439).
- Refresh
  patches.suse/x86-perf-events-convert-to-new-cpu-match-macros.patch.
- commit fef0544

- perf/x86/msr: Add new CPU model numbers for Ice Lake
  (jsc#PED-5023 bsc#1211439).
- Refresh
  patches.suse/x86-bugs-Report-AMD-retbleed-vulnerability.patch.
- Refresh
  patches.suse/x86-bugs-Report-Intel-retbleed-vulnerability.patch.
- Refresh
  patches.suse/x86-bugs-add-cannon-lake-to-retbleed-affected-cpu-list.patch.
- Refresh
  patches.suse/x86-common-Stamp-out-the-stepping-madness.patch.
- Refresh
  patches.suse/x86-intel-aggregate-microserver-naming.patch.
- Refresh
  patches.suse/x86-speculation-Mark-all-Skylake-CPUs-as-vulnerable-to-GDS.patch.
- Refresh
  patches.suse/x86-speculation-add-gather-data-sampling-mitigation.patch.
- Refresh
  patches.suse/x86-speculation-mmio-Enumerate-Processor-MMIO-Stale-Data-bug.patch.
- Refresh
  patches.suse/x86-speculation-mmio-Reuse-SRBDS-mitigation-for-SBDS.patch.
- commit 68588a6

- perf/x86/msr: Add Comet Lake CPU support (jsc#PED-5023
  bsc#1211439).
- commit 2ec338b

- x86/cpu: Add Comet Lake to the Intel CPU models header
  (jsc#PED-5023 bsc#1211439).
- blacklist.conf:
- commit bd3eac7

- x86/cpu: Add Tiger Lake to Intel family (jsc#PED-5023
  bsc#1211439).
- blacklist.conf:
- Refresh patches.suse/x86-CPU-Add-Icelake-model-number.patch.
- Refresh patches.suse/x86-cpu-sanitize-fam6_atom-naming.patch.
- commit 45e2da6

- perf/x86/intel: Mark expected switch fall-throughs (jsc#PED-5023
  bsc#1211439).
- Refresh
  patches.suse/x86-intel-aggregate-big-core-client-naming.patch.
- Refresh
  patches.suse/x86-intel-aggregate-big-core-mobile-naming.patch.
- commit ebba1f6

- perf/x86/intel: Fix invalid Bit 13 for Icelake MSR_OFFCORE_RSP_x
  register (jsc#PED-5023 bsc#1211439).
- commit b357e8f

- perf/x86/intel/uncore: Add IMC uncore support for Snow Ridge
  (jsc#PED-5023 bsc#1211439).
- commit 1e6f0c4

- perf/x86/intel/uncore: Clean up client IMC (jsc#PED-5023
  bsc#1211439).
- commit b9f2803

- perf/x86/intel/uncore: Support MMIO type uncore blocks
  (jsc#PED-5023 bsc#1211439).
- Refresh
  patches.suse/x86-perf-events-convert-to-new-cpu-match-macros.patch.
- commit 2ed2c09

- perf/x86/intel/uncore: Factor out box ref/unref functions
  (jsc#PED-5023 bsc#1211439).
- commit 9298d3b

- perf/x86/intel/uncore: Add uncore support for Snow Ridge server
  (jsc#PED-5023 bsc#1211439).
- Refresh
  patches.suse/x86-intel-aggregate-big-core-client-naming.patch.
- Refresh
  patches.suse/x86-intel-aggregate-big-core-mobile-naming.patch.
- Refresh
  patches.suse/x86-intel-aggregate-microserver-naming.patch.
- Refresh
  patches.suse/x86-perf-events-convert-to-new-cpu-match-macros.patch.
- commit 6e7af12

- perf/x86/intel: Add more Icelake CPUIDs (jsc#PED-5023
  bsc#1211439).
- Refresh
  patches.suse/x86-intel-aggregate-big-core-client-naming.patch.
- Refresh
  patches.suse/x86-intel-aggregate-big-core-mobile-naming.patch.
- commit ba0eb7e

- perf/x86/intel: Add Icelake desktop CPUID (jsc#PED-5023
  bsc#1211439).
- Refresh
  patches.suse/intel_rapl-add-support-for-IceLake-desktop.patch.
- Refresh
  patches.suse/powercap-intel-rapl-add-support-for-ICX.patch.
- Refresh
  patches.suse/x86-intel-aggregate-big-core-client-naming.patch.
- Refresh
  patches.suse/x86-intel-aggregate-big-core-mobile-naming.patch.
- Refresh
  patches.suse/x86-perf-events-convert-to-new-cpu-match-macros.patch.
- commit 7786ce1

- perf/x86/intel/uncore: Add new IMC PCI IDs for KabyLake,
  AmberLake and WhiskeyLake CPUs (jsc#PED-5023 bsc#1211439).
- commit 4d459ae

- perf/x86/intel/uncore: Add tabs to Uncore IMC PCI IDs
  (jsc#PED-5023 bsc#1211439).
- commit 1e8abbc

- perf/x86: Add Intel Ice Lake NNPI uncore support (jsc#PED-5023
  bsc#1211439).
- Refresh
  patches.suse/x86-intel-aggregate-big-core-client-naming.patch.
- Refresh
  patches.suse/x86-intel-aggregate-big-core-mobile-naming.patch.
- Refresh
  patches.suse/x86-perf-events-convert-to-new-cpu-match-macros.patch.
- commit 55befa5

- x86/cpu: Add Ice Lake NNPI to Intel family (jsc#PED-5023
  bsc#1211439).
- Refresh
  patches.suse/x86-intel-aggregate-big-core-mobile-naming.patch.
- commit 34f99e6

- s390/vx: fix save/restore of fpu kernel context (git-fixes
  bsc#1218362).
- commit 657e47b

- nvme: sanitize metadata bounce buffer for reads (git-fixes).
- commit 6f2b20c

- Input: powermate - fix use-after-free in
  powermate_config_complete (git-fixes).
- commit 6690cf9

- r8152: Add RTL8152_INACCESSIBLE to r8153_aldps_en() (git-fixes).
- commit 64cb7dc

- ipv4: igmp: fix refcnt uaf issue when receiving igmp query
  packet (bsc#1218253 CVE-2023-6932).
- commit ebe786a

- gve: Fixes for napi_poll when budget is 0 (bsc#1214479).
- gve: Do not fully free QPL pages on prefill errors
  (bsc#1214479).
- gve: fix frag_list chaining (bsc#1214479).
- gve: RX path for DQO-QPL (bsc#1214479).
- gve: Tx path for DQO-QPL (bsc#1214479).
- gve: Control path for DQO-QPL (bsc#1214479).
- gve: trivial spell fix Recive to Receive (bsc#1214479).
- gve: unify driver name usage (bsc#1214479).
- gve: Set default duplex configuration to full (bsc#1214479).
- gve: Unify duplicate GQ min pkt desc size constants
  (bsc#1214479).
- gve: Add XDP REDIRECT support for GQI-QPL format (bsc#1214479).
- gve: Add XDP DROP and TX support for GQI-QPL format
  (bsc#1214479).
- gve: Changes to add new TX queues (bsc#1214479).
- gve: XDP support GQI-QPL: helper function changes (bsc#1214479).
- gve: Fix gve interrupt names (bsc#1214479).
- commit 9108d42

- tracing: Update snapshot buffer on resize if it is allocated
  (git-fixes).
- commit 30f36d0

- ring-buffer: Fix memory leak of free page (git-fixes).
- commit 7dfbb97

- blacklist.conf: add a not-relevant ftrace fix
- commit 09bf0c1

- blacklist.conf: false positive
- commit 71ff422

- r8152: Add RTL8152_INACCESSIBLE checks to more loops
  (git-fixes).
- commit 6e72146

- net: dsa: mv88e6xxx: Fix 88E6141/6341 2500mbps SERDES speed
  (git-fixes).
- commit ce068ed

- r8152: Rename RTL8152_UNPLUG to RTL8152_INACCESSIBLE
  (git-fixes).
- commit 715a8e7

- blacklist.conf: update blacklist
- commit 9a12072

- blacklist.conf: update blacklist
- commit cc9998b

- net: stmmac: Move debugfs init/exit to ->probe()/->remove() (git-fixes).
- commit e003b9a

- net: ethernet: ti: cpsw: unsync mcast entries while switch promisc mode (git-fixes).
- commit 39aa8c8

- net: macb: disable scatter-gather for macb on sama5d3 (git-fixes).
- commit a5f5aa8

- netfilter: nft_compat: use-after-free when deleting targets
  (git-fixes).
- commit 2ea1f0c

- netfilter: nf_tables: fix use-after-free when deleting compat
  expressions (git-fixes).
- commit b4fa1c0

- tcp: fix under-evaluated ssthresh in TCP Vegas (git-fixes).
- commit b480783

- blacklist.conf: update blacklist
- commit 14f35e3

- netfilter: ebtables: also count base chain policies (git-fixes).
- Refresh
  patches.kabi/netfilter-preserve-KABI-for-xt_compat_init_offsets.patch.
- commit 051bd2a

- netfilter: ebtables: compat: un-break 32bit setsockopt when
  no rules are present (git-fixes).
- Refresh
  patches.kabi/netfilter-preserve-KABI-for-xt_compat_init_offsets.patch.
- commit 332123a

- netfilter: ebtables: don't attempt to allocate 0-sized compat
  array (git-fixes).
- Refresh
  patches.kabi/netfilter-preserve-KABI-for-xt_compat_init_offsets.patch.
- commit 39f9e26

- netfilter: preserve KABI for xt_compat_init_offsets (git-fixes).
- commit 71e46a5

- netfilter: compat: reject huge allocation requests (git-fixes).
- commit f398964

- netfilter: compat: prepare xt_compat_init_offsets to return
  errors (git-fixes).
- commit a1a8d4f

- KVM: s390/mm: Properly reset no-dat (git-fixes bsc#1218057).
- commit d3f8ccb

- tracing: Disable snapshot buffer when stopping instance tracers
  (git-fixes).
- commit b07eab3

- tracing: Stop current tracer when resizing buffer (git-fixes).
- commit 5c0c11a

- tracing: Always update snapshot buffer size (git-fixes).
- commit c831a81

- tracing: relax trace_event_eval_update() execution with
  cond_resched() (git-fixes).
- commit f1e2f19

- xfrm6: fix inet6_dev refcount underflow problem (git-fixes).
- commit 50692e8

- README.BRANCH: update maintainers list
- commit 4795fb8

- ipv6/addrconf: fix a potential refcount underflow for idev
  (git-fixes).
- commit 0afb0f6

- ipv6: remove extra dev_hold() for fallback tunnels (git-fixes).
- commit a02e296

- ip6_tunnel: sit: proper dev_{hold|put} in ndo_[un]init methods
  (git-fixes).
- commit 934530e

- sit: proper dev_{hold|put} in ndo_[un]init methods (git-fixes).
- commit 96165ef

- ip6_vti: proper dev_{hold|put} in ndo_[un]init methods
  (git-fixes).
- commit 42264ea

- ip6_gre: proper dev_{hold|put} in ndo_[un]init methods
  (git-fixes).
- commit 8fe5105

- xsk: Fix incorrect netdev reference count (git-fixes).
- commit 2ed0c59

- xfrm: reuse uncached_list to track xdsts (git-fixes).
- blacklist.conf: remove from the blacklist
- Refresh
  patches.suse/ipv4-fix-race-condition-between-route-lookup-and-inv.patch.
- Refresh
  patches.suse/ipv4-lock-mtu-in-fnhe-when-received-PMTU-net.ipv4.ro.patch.
- commit 38edc03

- net/tg3: fix race condition in tg3_reset_task() (bsc#1217801).
- net/tg3: resolve deadlock in tg3_reset_task() during EEH
  (bsc#1217801).
- commit b55327d

- tracing: Fix a possible race when disabling buffered events
  (bsc#1217036).
- commit 5f21a8d

- net: usb: ax88179_178a: fix failed operations during
  ax88179_reset (git-fixes).
- commit 9041dc6

- r8152: Cancel hw_phy_work if we have an error in probe
  (git-fixes).
- commit 6ae718a

- r8152: Run the unload routine if we have errors during probe
  (git-fixes).
- commit d668b36

- r8152: Increase USB control msg timeout to 5000ms as per spec
  (git-fixes).
- commit 3e20995

- tracing: Fix a warning when allocating buffered events fails
  (bsc#1217036).
- commit 80b9661

- net: usb: smsc95xx: Fix uninit-value access in smsc95xx_read_reg
  (git-fixes).
- net: usb: smsc95xx: Fix an error code in smsc95xx_reset()
  (git-fixes).
- commit 9c4175d

- KVM: s390: vsie: fix wrong VIR 37 when MSO is used (git-fixes
  bsc#1217936).
- commit 4da118c

- nvmet: nul-terminate the NQNs passed in the connect command
  (bsc#1217250 CVE-2023-6121).
- commit 2021a67

- tracing: Fix incomplete locking when disabling buffered events
  (bsc#1217036).
- commit 9d8e191

- tracing: Fix warning in trace_buffered_event_disable()
  (git-fixes, bsc#1217036).
- commit 693b5e0

- kernel-source: Remove config-options.changes (jsc#PED-5021)
  The file doc/config-options.changes was used in the past to document
  kernel config changes. It was introduced in 2010 but haven't received
  any updates on any branch since 2015. The file is renamed by tar-up.sh
  to config-options.changes.txt and shipped in the kernel-source RPM
  package under /usr/share/doc. As its content now only contains outdated
  information, retaining it can lead to confusion for users encountering
  this file.
  Config changes are nowadays described in associated Git commit messages,
  which get automatically collected and are incorporated into changelogs
  of kernel RPM packages.
  Drop then this obsolete file, starting with its packaging logic.
  For branch maintainers: Upon merging this commit on your branch, please
  correspondingly delete the file doc/config-options.changes.
- commit adedbd2

- README.md: Make a few polishing changes (jsc#PED-5021)
  * Move @suse.com address at the front of SUSE email domains, as that is
  the one that should be normally used for contributions, according to
  the current SUSE Open Source Policy.
  * Avoid repeatedly using "please" in two consecutive sentences.
  * Fix a typo in section "Patch sorting": "commit" -> "commits".
  * Prefix relative commands in section "Config option changes" with "./"
  even if they are from a subdirectory, for consistency with the rest of
  the document.
  * Turn "Related information" into a proper list.
- commit 7c8a1e3

- doc/README.SUSE: Simplify the list of references (jsc#PED-5021)
  Reduce indentation in the list of references, make the style consistent
  with README.md.
- commit 70e3c33

- doc/README.SUSE: Add how to update the config for module signing
  (jsc#PED-5021)
  Configuration files for SUSE kernels include settings to integrate with
  signing support provided by the Open Build Service. This creates
  problems if someone tries to use such a configuration file to build
  a "standalone" kernel as described in doc/README.SUSE:
  * Default configuration files available in the kernel-source repository
  unset CONFIG_MODULE_SIG_ALL to leave module signing to
  pesign-obs-integration. In case of a "standalone" build, this
  integration is not available and the modules don't get signed.
  * The kernel spec file overrides CONFIG_MODULE_SIG_KEY to
  ".kernel_signing_key.pem" which is a file populated by certificates
  provided by OBS but otherwise not available. The value ends up in
  /boot/config-$VERSION-$RELEASE-$FLAVOR and /proc/config.gz. If someone
  decides to use one of these files as their base configuration then the
  build fails with an error because the specified module signing key is
  missing.
  Add information on how to enable module signing and where to find the
  relevant upstream documentation.
- commit a699dc3

- net/ulp: use consistent error code when blocking ULP
  (CVE-2023-0461 bsc#1208787 bsc#1217079).
- net/ulp: prevent ULP without clone op from entering the LISTEN
  status (CVE-2023-0461 bsc#1208787 bsc#1217079).
- commit fb04b97

- scripts: Install pre-merge-commit hook
  When merge is not carried out with `--no-commit` or it does not yield in
  a conflict, our standard pre-commit checks are omitted.
  Rectify that by invoking pre-commit hook via pre-merge-commit too.
- commit 87067a7

- scripts: pre-commit: Check newly added blacklist.conf entries
  When blacklist.conf entries are added by merging an "upstream" branch,
  they are not checked against present commits and the repo ends up in
  inconsistent state when the patch is present and blacklisted at the same
  time.
  The state is checked in pre-commit hook when a (blacklisted) patch is
  added. Prevent reaching this state when adding blacklist.conf entries
  too.
  Using scripts/check-patch-blacklist for this check would be
  prohibitively slow (~5 minutes with 40k patches).
- commit 1f68a01

- doc/README.SUSE: Remove how to build modules using kernel-source
  (jsc#PED-5021)
  Remove the first method how to build kernel modules from the readme. It
  describes a process consisting of the kernel-source installation,
  configuring this kernel and then performing an ad-hoc module build.
  This method is not ideal as no modversion data is involved in the
  process. It results in a module with no symbol CRCs which can be wrongly
  loaded on an incompatible kernel.
  Removing the method also simplifies the readme because only two main
  methods how to build the modules are then described, either doing an
  ad-hoc build using kernel-devel, or creating a proper Kernel Module
  Package.
- commit 9285bb8

- Revert "Bluetooth: btsdio: fix use after free bug in
  btsdio_remove due to unfinished work" (git-fixes).
- commit a2b7495

- md/raid10: prevent soft lockup while flush writes (git-fixes).
- md/raid10: fix io loss while replacement replace rdev
  (git-fixes).
- md/raid10: Do not add spare disk when recovery fails
  (git-fixes).
- md/raid10: clean up md_add_new_disk() (git-fixes).
- md/raid10: prioritize adding disk to 'removed' mirror
  (git-fixes).
- md/raid10: improve code of mrdev in raid10_sync_request
  (git-fixes).
- md/raid10: fix null-ptr-deref of mreplace in raid10_sync_request
  (git-fixes).
- md/bitmap: factor out a helper to set timeout (git-fixes).
- md/bitmap: always wake up md_thread in timeout_store
  (git-fixes).
- dm-raid: remove useless checking in raid_message() (git-fixes).
- md/raid10: fix wrong setting of max_corr_read_errors
  (git-fixes).
- md/raid10: fix overflow of md/safe_mode_delay (git-fixes).
- md: fix data corruption for raid456 when reshape restart while
  grow up (git-fixes).
- md/raid10: check slab-out-of-bounds in md_bitmap_get_counter
  (git-fixes).
- md/raid10: fix memleak of md thread (git-fixes).
- md/raid10: fix memleak for 'conf->bio_split' (git-fixes).
- md/raid10: fix leak of 'r10bio->remaining' for recovery
  (git-fixes).
- md/raid10: fix null-ptr-deref in raid10_sync_request
  (git-fixes).
- md: avoid signed overflow in slot_store() (git-fixes).
- md: fix incorrect declaration about claim_rdev in
  md_import_device (git-fixes).
- md: remove lock_bdev / unlock_bdev (git-fixes).
- md: Flush workqueue md_rdev_misc_wq in md_alloc() (git-fixes).
- md: do not return existing mddevs from mddev_find_or_alloc
  (git-fixes).
- md: refactor mddev_find_or_alloc (git-fixes).
- md: factor out a mddev_alloc_unit helper from mddev_find
  (git-fixes).
- md: get sysfs entry after redundancy attr group create
  (git-fixes).
- commit 293695f

- md: fix deadlock causing by sysfs_notify (git-fixes).
- Refresh patches.kabi/md-backport-kabi.patch.
- commit f6c5a12

- md: flush md_rdev_misc_wq for HOT_ADD_DISK case (git-fixes).
- md: add new workqueue for delete rdev (git-fixes).
- commit 17e8908

- blacklist.conf: update for non-backport commits
- commit 8da9f2d

- usb-storage: fix deadlock when a scsi command timeouts more
  than once (git-fixes).
- commit cf05cec

- USB: serial: option: add UNISOC vendor and TOZED LT70C product
  (git-fixes).
- commit 762e0de

- USB: serial: option: add Quectel RM500U-CN modem (git-fixes).
- Refresh
  patches.suse/USB-serial-option-add-Quectel-EC200A-module-support.patch.
- commit b94685a

- USB: serial: option: add Telit FE990 compositions (git-fixes).
- commit 55c3b8d

- blacklist.conf: cleanup
- commit 8877293

- blacklist.conf: pure cleanup
- commit e8a295a

- usb: typec: tcpm: Fix altmode re-registration causes sysfs
  create fail (git-fixes).
- commit fc9ee7b

- net: mana: Configure hwc timeout from hardware (bsc#1214037).
- net: mana: Fix MANA VF unload when hardware is unresponsive
  (bsc#1214764).
- commit 66a91f5

- Update patches.kabi/NFSv4-Fix-OPEN-CLOSE-race-FIX.patch
  (bsc#1176950, bsc#1217525).
- Refresh
  patches.kabi/NFSv4-Wait-for-stateid-updates-after-CLOSE-OPEN_DOWN_kabi.patch.
- commit 70e60bf

- netfilter: conntrack: dccp: copy entire header to stack buffer,
  not just basic one (CVE-2023-39197 bsc#1216976).
- commit 91c26b6

- kernel-binary: suse-module-tools is also required when installed
  Requires(pre) adds dependency for the specific sciptlet.
  However, suse-module-tools also ships modprobe.d files which may be
  needed at posttrans time or any time the kernel is on the system for
  generating ramdisk. Add plain Requires as well.
- commit 8c12816

- Revert "tracing: Fix warning in trace_buffered_event_disable()"
  (bsc#1217036)
  Temporarily revert the commit. It exposed a separate issue related to
  trace buffered event synchronization which needs to be fixed first.
- commit 579dd1d

- README.SUSE: fix patches.addon use
  It's series, not series.conf in there.
  And make it more precise on when the patches are applied.
- commit cb8969c

- Do not store build host name in initrd
  Without this patch, kernel-obs-build stored the build host name
  in its .build.initrd.kvm
  This patch allows for reproducible builds of kernel-obs-build and thus
  avoids re-publishing the kernel-obs-build.rpm when nothing changed.
  Note that this has no influence on the /etc/hosts file
  that is used during other OBS builds.
  https://bugzilla.opensuse.org/show_bug.cgi?id=1084909
- commit fd3a75e

- cpu/hotplug: Create SMT sysfs interface for all arches
  (bsc#1214285 bsc#1205462 ltc#200161 ltc#200588).
- Refresh patches.suse/cpu-SMT-Move-SMT-prototypes-into-cpu_smt.h.patch.
- Refresh patches.suse/cpu-SMT-Store-the-current-max-number-of-threads.patch.
- Refresh patches.suse/cpu-smt-create-and-export-cpu_smt_possible.patch.
- Refresh patches.suse/x86-power-Fix-nosmt-vs-hibernation-triple-fault-duri.patch.
- commit f37a0c7

- Update config files.
- commit dbf7641

- s390/cio: unregister device when the only path is gone
  (git-fixes bsc#1217607).
- commit 750467a

- s390/dasd: use correct number of retries for ERP requests
  (git-fixes bsc#1217604).
- s390/ptrace: fix PTRACE_GET_LAST_BREAK error handling (git-fixes
  bsc#1217603).
- commit d2fc41b

- cpu/SMT: Remove topology_smt_supported() (bsc#1214408).
- commit 3012e9b

- cpu/SMT: Store the current/max number of threads (bsc#1214408).
- Refresh
  patches.kabi/cpu-hotplug-Fix-SMT-disabled-by-BIOS-detection-for-K.patch.
- commit bfa1761

- cpu/SMT: Move smt/control simple exit cases earlier (bsc#1214408).
- commit acb1c39

- cpu/SMT: Move SMT prototypes into cpu_smt.h (bsc#1214408).
- Refresh
  patches.kabi/cpu-hotplug-Fix-SMT-disabled-by-BIOS-detection-for-K.patch.
- commit 76bedc5

- s390/dasd: protect device queue against concurrent access
  (git-fixes bsc#1217519).
- commit dab3b0f

- tracing: Increase PERF_MAX_TRACE_SIZE to handle Sentinel1 and
  docker together (bsc#1216031).
- commit f260538

- Ensure ia32_emulation is always enabled for kernel-obs-build
  If ia32_emulation is disabled by default, ensure it is enabled
  back for OBS kernel to allow building 32bit binaries (jsc#PED-3184)
  [ms: Always pass the parameter, no need to grep through the config which
  may not be very reliable]
- commit 56a2c2f

- rpm: Define git commit as macro
- commit bcc92c8

- kernel-source: Move provides after sources
- commit dbbf742

- kobject: Fix slab-out-of-bounds in fill_kobj_path() (bsc#1216058
  CVE-2023-45863).
- commit 9922921

- xfs: make sure maxlen is still congruent with prod when rounding
  down (git-fixes).
- commit 0154927

- xfs: fix units conversion error in xfs_bmap_del_extent_delay
  (git-fixes).
- commit 6c99467

- l2tp: fix refcount leakage on PPPoL2TP sockets (git-fixes).
- commit 0e54c67

- l2tp: fix {pppol2tp, l2tp_dfs}_seq_stop() in case of seq_file
  overflow (git-fixes).
- commit 28faea4

- perf/core: Fix potential NULL deref (bsc#1216584 CVE-2023-5717).
- commit f386e74

- perf: Disallow mis-matched inherited group reads (bsc#1216584 CVE-2023-5717).
  Implement KABI fix for above
- commit 5b65c0e

- perf/core: Fix __perf_read_group_add() locking (bsc#1216584
  CVE-2023-5717).
- perf/core: Fix locking for children siblings group read
  (bsc#1216584 CVE-2023-5717).
- commit 8ccfe6e

- s390/crashdump: fix TOD programmable field size (git-fixes
  bsc#1217206).
- commit 9780bde

- blacklist.conf: Add a not-suitable kprobes patch
- commit 0eb14eb

- ring-buffer: Avoid softlockup in ring_buffer_resize()
  (git-fixes).
- commit d8d3409

- scsi: qla2xxx: Use FIELD_GET() to extract PCIe capability fields
  (git-fixes).
- scsi: qla2xxx: Fix double free of dsd_list during driver load
  (git-fixes).
- commit 9172a73

- rpm/check-for-config-changes: add HAVE_SHADOW_CALL_STACK to IGNORED_CONFIGS_RE
  Not supported by our compiler.
- commit eb32b5a

- s390/cmma: fix handling of swapper_pg_dir and invalid_pg_dir
  (LTC#203996 bsc#1217087).
- commit 3a41a21

- s390/cmma: fix detection of DAT pages (LTC#203996 bsc#1217087).
- commit b4ffc60

- s390/mm: add missing arch_set_page_dat() call to gmap
  allocations (LTC#203996 bsc#1217087).
- commit 1b2cc83

- s390/mm: add missing arch_set_page_dat() call to
  vmem_crst_alloc() (LTC#203996 bsc#1217087).
- commit 0dd665d

- s390/cmma: fix initial kernel address space page table walk
  (LTC#203996 bsc#1217087).
- commit 1ad76c2

- igb: set max size RX buffer when store bad packet is enabled
  (bsc#1216259 CVE-2023-45871).
- commit d675d77

- drm/qxl: fix UAF on handle creation (CVE-2023-39198
  bsc#1216965).
- commit 9ba677b

- Bluetooth: hci_ldisc: check HCI_UART_PROTO_READY flag in
  HCIUARTGETPROTO (bsc#1210780 CVE-2023-31083).
- commit b07c667

- rpm/check-for-config-changes: add AS_WRUSS to IGNORED_CONFIGS_RE
  Add AS_WRUSS as an IGNORED_CONFIGS_RE entry in check-for-config-changes
  to fix build on x86_32.
  There was a fix submitted to upstream but it was not accepted:
  https://lore.kernel.org/all/20231031140504.GCZUEJkMPXSrEDh3MA@fat_crate.local/
  So carry this in IGNORED_CONFIGS_RE instead.
- commit 7acca37

- net-memcg: Fix scope of sockmem pressure indicators
  (bsc#1216759).
- commit 508863b

- scripts/osc_wrapper: call osc init before build
  Otherwise osc build doesn't build anything and complains instead:
  Directory '...' is not a working copy.
  Use "kernel-source" as package as it doesn't matter which we build. It's
  only to make osc happy that we have a working copy. And all packages
  link to kernel-source anyway.
- commit 2201b26
gcc48
- Add gcc48-bsc1218020.patch to fix miscompile of wcstod on aarch64.
  [bsc#1218020]
tiff
- security update:
  * CVE-2023-2731 [bsc#1211478]
    Fix null pointer deference in LZWDecode()
    This patch also contains a required commit which is marked
    to fix CVE-2022-1622 [bsc#1199483] but we are not vulnerable
    to that CVE because relevant code is not present.
    + tiff-CVE-2023-2731.patch
  * CVE-2023-26965 [bsc#1212398]
    Fix heap-based use after free in loadImage()
    + tiff-CVE-2023-26965.patch
  * CVE-2022-40090 [bsc#1214680]
    Fix infinite loop in TIFFReadDirectory()
    + tiff-CVE-2022-40090.patch
  * CVE-2023-1916 [bsc#1210231]
    Fix out-of-bounds read in extractImageSection()
    + tiff-CVE-2023-1916.patch
libxkbcommon
- Add security patches (boo#1105832):
  * Fail-expression-lookup-on-invalid-atoms.patch (CVE-2018-15859)
  * compose-fix-infinite-loop-in-parser-on-some-inputs.patch (CVE-2018-15856)
  * keycodes-don-t-try-to-copy-zero-key-aliases.patch (CVE-2018-15858)
  * parser-Don-t-set-more-maps-when-we-don-t-have-any.patch (CVE-2018-15864)
  * xkbcomp-Don-t-crash-on-no-op-modmask-expressions.patch (CVE-2018-15863)
  * xkbcomp-Don-t-explode-on-invalid-virtual-modifiers.patch (CVE-2018-15862)
  * xkbcomp-Don-t-falsely-promise-from-ExprResolveLhs.patch (CVE-2018-15861)
  * xkbcomp-fix-crash-when-parsing-an-xkb_geometry-secti.patch (CVE-2018-15855)
  * xkbcomp-fix-crashes-in-the-parser-when-geometry-toke.patch (CVE-2018-15854)
  * xkbcomp-fix-pointer-value-for-FreeStmt.patch (CVE-2018-15857)
  * xkbcomp-fix-stack-overflow-when-evaluating-boolean-n.patch (CVE-2018-15853)
ncurses
- Add patch bsc1218014-cve-2023-50495.patch
  * Fix CVE-2023-50495: segmentation fault via _nc_wrap_entry()
    (bsc#1218014)
openssl-1_0_0
- Security fix: [bsc#1216922, CVE-2023-5678]
  * Fix excessive time spent in DH check / generation with large Q
    parameter value.
  * Applications that use the functions DH_generate_key() to generate
    an X9.42 DH key may experience long delays. Likewise,
    applications that use DH_check_pub_key(), DH_check_pub_key_ex
    () or EVP_PKEY_public_check() to check an X9.42 DH key or X9.42
    DH parameters may experience long delays. Where the key or
    parameters that are being checked have been obtained from an
    untrusted source this may lead to a Denial of Service.
  * Add openssl-CVE-2023-5678.patch
autofs
- autofs-5.1.8-dont-use-initgroups-at-spawn.patch
  Don't use initgroups at spawn (bsc#1214710)
openssh
- Added openssh-cve-2023-48795.patch (bsc#1217950, CVE-2023-48795).
  This mitigates a prefix truncation attack that could be used to
  undermine channel security.
compat-openssl098
- Security fix: [bsc#1216922, CVE-2023-5678]
  * Fix excessive time spent in DH check / generation with large Q
    parameter value.
  * Applications that use the functions DH_generate_key() to generate
    an X9.42 DH key may experience long delays. Likewise,
    applications that use DH_check_pub_key(), DH_check_pub_key_ex
    () or EVP_PKEY_public_check() to check an X9.42 DH key or X9.42
    DH parameters may experience long delays. Where the key or
    parameters that are being checked have been obtained from an
    untrusted source this may lead to a Denial of Service.
  * Add openssl-CVE-2023-5678.patch
procps
- Add patch bsc1216825.patch
  Avoid SIGSEGV in case of sending SIGTERM to a top command
  running in batch mode (bsc#1216825)
systemd
- Import commit cdbaab11e02eb29810963d9248677cf5ce84dc7f
  bf57bec240 man: document that PAMName= and NotifyAccess=all don't mix well.
  823ec43d38 man: add brief documentation for the (sd-pam) processes created due to PAMName= (#4967)
  256f8e70d2 service: accept the fact that the three xyz_good() functions return ints
  2a62219d4d service: drop _pure_ decorator on static function
  14e71b9180 service: a cgroup empty notification isn't reason enough to go down (bsc#1212207)
  943f812b3d service: add explanatory comments to control_pid_good() and cgroup_good()
  87a54d3060 service: fix main_pid_good() comment

- Import commit 17837e912c887402ff309215056d441b2881f9b6
  27e9161566 utmp-wtmp: handle EINTR gracefully when waiting to write to tty
  557ac78b1c utmp-wtmp: fix error in case isatty() fails
  3e0bde3ade sd-netlink: handle EINTR from poll() gracefully, as success
  61d939f79a stdio-bridge: don't be bothered with EINTR
  367ee82375 sd-bus: handle -EINTR return from bus_poll() (bsc#1215241)
  acca59ec26 libsystemd: ignore both EINTR and EAGAIN
  0ae5743060 errno-util: introduce ERRNO_IS_TRANSIENT()

- Import commit f4af8cbfb8ddc2baddfd992ebff0fb4858e4f651
  02dde27b0e man/systemd-fsck@.service: clarify passno and noauto combination in /etc/fstab (bsc#1211725)
  9f0a3ab847 units/initrd-parse-etc.service: Conflict with emergency.target
  98035f2aa8 umount: /usr/ should never be unmounted regardless of HAVE_SPLIT_USR or not (bsc#1211576)
  0a8225faea core/mount: Don't unmount initramfs mounts
  9eaf1537b4 man: describe that changing Storage= does not move existing data
python-base
- Add CVE-2023-27043-email-parsing-errors.patch to
  gh#python/cpython!111116, fixing bsc#1210638 (CVE-2023-27043).
openssl-1_1
- Security fix: [bsc#1216922, CVE-2023-5678]
  * Fix excessive time spent in DH check / generation with large Q
    parameter value.
  * Applications that use the functions DH_generate_key() to generate
    an X9.42 DH key may experience long delays. Likewise,
    applications that use DH_check_pub_key(), DH_check_pub_key_ex
    () or EVP_PKEY_public_check() to check an X9.42 DH key or X9.42
    DH parameters may experience long delays. Where the key or
    parameters that are being checked have been obtained from an
    untrusted source this may lead to a Denial of Service.
  * Add openssl-CVE-2023-5678.patch
yast2-auth-client
- Skip whitespace-only lines parsing krb5.conf; (bsc#1215297);
- Remove duplicated when clause (dead code) in
  src/lib/authui/ldapkrb/main_dialog.rb
- 3.3.21
nfs-utils
- Add 0207-exportfs-Ingnore-export-failures-in-nfs-server.seriv.patch
  Inconsistencies in /etc/exports shouldn't be fatal.
  (bsc#1212594)
xen
- bsc#1218851 - VUL-0: CVE-2023-46839: xen: phantom functions
  assigned to incorrect contexts (XSA-449)
  xsa449.patch

- bsc#1216807 - VUL-0: CVE-2023-46836: xen: x86: BTC/SRSO fixes not
  fully effective (XSA-446)
  xsa446.patch

- bsc#1216654 - VUL-0: CVE-2023-46835: xen: x86/AMD: mismatch in
  IOMMU quarantine page table levels (XSA-445)
  xsa445.patch
supportutils
- Changes in version 3.0.12
  + Optimize lsof usage (bsc#1183663)
  + Collects ntp or chrony as needed (bsc#1196293)

- Added email.txt based on OPTION_EMAIL

- Added run time detection (bsc#1213127)
jasper
- bsc#1218802 CVE-2023-51257:
  Fix invalid memory write on jas_icctxt_input()
  Add jasper-CVE-CVE-2023-51257.patch
pacemaker
- attrd: don't start a new election when receiving a client update (bsc#1215446)
  * bsc#1215446-0001-Low-attrd-don-t-start-a-new-election-when-receiving-.patch
mozilla-nss
- update to NSS 3.90.1
  * bmo#1813401 - regenerate NameConstraints test certificates.
  * bmo#1854795 - add OSXSAVE and XCR0 tests to AVX2 detection.
- Remove nss-fix-bmo1813401.patch which is now upstream.

- Add nss-fix-bmo1813401.patch to fix bsc#1214980
python-urllib3
- Add CVE-2023-45803.patch (bsc#1216377, CVE-2023-45803)
  gh#urllib3/urllib3@4e98d57809da
curl
- Fix: libssh: Implement SFTP packet size limit (bsc#1216987)
  * Add curl-libssh_Implement_SFTP_packet_size_limit.patch

- Security fixes:
  * [bsc#1217573, CVE-2023-46218] cookie mixed case PSL bypass
  * [bsc#1217574, CVE-2023-46219] HSTS long file name clears contents
  * Add curl-CVE-2023-46218.patch curl-CVE-2023-46219.patch
zypper
- Backport needs-rebooting command from Code15 (bsc#1217948)
- BuildRequires:  libzypp-devel >= 16.22.11.
- version 1.13.65
SAPHanaSR
- Version bump to 0.162.2
  * inside SAPHanaSR-hookHelper use the full path for the cibadmin
    command to support non root users in special user environments
    (bsc#1216484)
  * if the SAPHanaSR.py hook has successfully reported a SR event
    to the cluster a still existing fall-back state file will be
    removed to prevent an override of an already reported
    SR state.
    (bsc#1215693)
  * improve supportability by providing the current process ID of
    the RA, which is logged in the RA outputs, to HANA tracefiles
    too.
    This allows a mapping of the SAP related command invocations
    from the RA and the HANA executions which might have a delay
    in between.
    (bsc#1214613)
  * avoid explicid and implicid usage of /tmp filesystem to keep
    the SAPHanaSR resource agents working even in situations with
    /tmp filesystem full.
    (bsc#1210728)
  * update man pages:
    SAPHanaSR.7
    SAPHanaSR_basic_cluster.7
    SAPHanaSR_maintenance_examples.7
    ocf_suse_SAPHana.7
    ocf_suse_SAPHanaTopology.7
    susCostOpt.py.7
    SAPHanaSR-monitor.8
    SAPHanaSR-showAttr.8
  * add improvements from SAP to the RA scripts, part II
    (jsc#PED-1739, jsc#PED-2608)
python36
- Refresh CVE-2023-27043-email-parsing-errors.patch to
  gh#python/cpython!111116, fixing bsc#1210638 (CVE-2023-27043).
yast2-registration
- Switch to the new SUSEConnect-ng (bsc#1212799), includes
  additional fixes:
  - SSL reload fix (bsc#1195220)
  - Detection of base products coming from SCC
    (bsc#1194989, bsc#1217317)
- 3.3.2
ntp
- bsc#1215801: Use system-supplied libevent instead of local copy.
libxml2
- Security update:
  * [CVE-2023-45322, bsc#1216129] use-after-free in xmlUnlinkNode()
    in tree.c
  - Added file libxml2-CVE-2023-45322.patch
cpio
- Fix CVE-2023-7207, path traversal vulnerability (bsc#1218571)
  * fix-CVE-2023-7207.patch
libssh2_org
- Security fix: [bsc#1218127, CVE-2023-48795]
  * Add 'strict KEX' to fix CVE-2023-48795 "Terrapin Attack"
  * Add libssh2_org-CVE-2023-48795.patch