SUSEConnect
- Update to 0.3.32
- Allow --regcode and --instance-data attributes at the same time (jsc#PCT-164)
- Document that 'debug' can also get set in the config file
- --status will also print the subscription name
- Update to 0.3.31
- Disallow registering via SUSEConnect if the system is managed by SUSE Manager.
- Add subscription name to output of 'SUSEConnect --status'
- Update to 0.3.30
- send payload of GET requests as part of the url,
  not in the body (see bsc#1185611)
aaa_base
- use autopatch
  - update first two patches from git originals to have the
    same apply depth as the rest:
  - git-01-61c106aac03930e03935172eaf94d92c02a343bd.patch
  - git-02-4e5fe2a6ec5690b51a369d2134a1119962438fd1.patch
  - fix get_kernel_version.c to work also for recent kernels
    on the s390/X platform (bsc#1191563)
  - git-37-dfc5b8af96bec249e44a83d573af1f95a661a85c.patch
  - support xz compressed kernel (bsc#1162581)
  - git-38-4c0060639f6fa854830a708a823976772afe7764.patch
  - Fixing possible resource leak
  - git-39-df622b89bc92fd882a6715c5743095528a643546.patch
  - excluding new kernel string in version search
- Add git-36-16d1cb895c2742e96a56af98111f8281bedd3188.patch:
  * Add $HOME/.local/bin to PATH, if it exists (bsc#1192248)
- Add patch git-34-9a1bc15517d6da56d75182338c0f1bc4518b2b75.patch
  * sysctl.d/50-default.conf:
    allow everybody to create IPPROTO_ICMP sockets (bsc#1174504)
- Add patch git-35-91f496b1f65af29832192bad949685a7bc25da0a.patch
  * sysctl.d/50-default.conf: fix ping_group_range syntax error
amazon-ssm-agent
- Update to version 3.0.1209.0 (bsc#1186239, bsc#1186262)
  + For detailed changes see RELEASENOTES.md
  + Drop fix-version.patch replaced by sed expression in spec file
  + Drop remove-unused-import.patch no longer included from upstream
  + Drop fix-config.patch all SUSE distros use systemd
  + Remove amazon-ssm-agent.service included in upstream source, use it
  + Move all binaries into sbin and fix the hard coded config path via sed
- Update to 2.3.1205.0:
  * Updated the SSM Agent Snap to core18
  * Bug fix for expired in-progress documents being resumed
  * Bug fix for update specific files not being deleted after agent update is finished
  * Bug fix for cached manifest files not being deleted in the configurepackage plugin
- Update to 2.3.978.0 (2020-04-08) (bsc#1170744)
- Add patch to remove unused import
  + remove-unused-import.patch
- Refresh patches for new version
  + fix-version.patch
- BuildRequire pkgconfig(systemd) instead of systemd: allow OBS to
  shortcut through the -mini flavors.
- Update version patch.
- Update to 2.3.415.0 (2019-03-05)
- Update to 2.3.372.0 (2019-03-05)
- Update to 2.3.344.0 (2019-03-05)
- Update to 2.3.274.0 (2019-03-05)
- Update to 2.3.235.0 (2019-03-05)
- Update to 2.3.193.0 (2019-03-05)
- Update to 2.3.169.0 (2019-03-05)
- Update to 2.3.136.0 (2019-03-05)
- Update to 2.3.117.0 (2019-03-05)
- Update to 2.3.101.0 (2019-03-05)
- Update to 2.3.68.0 (2019-03-05)
- Update to 2.3.13.0 (2019-03-05)
- Update to 2.2.916.0 (2019-03-05)
- Update to 2.2.902.0 (2019-03-05)
- Update to 2.2.800.0 (2019-03-05)
  + Streaming AWS Systems Manager Run Command output to CloudWatch
    Logs
- Update to 2.2.619.0 (2019-03-05)
- Update to 2.2.607.0 (2019-03-05)
- Update to 2.2.546.0 (2019-03-05)
  + Bug fix to retry sending document results if they couldn't
    reach the service
- Update to 2.2.493.0 (2019-03-05)
  + Bug fix so that aws:downloadContent does not change permissions
    of directories
  + Bug fix to Cloudwatch plugin where StartType has duplicated
    Enabled value
- Update to 2.2.392.0 (2019-03-05)
  + Added support for agent hibernation so that Agent backs off or
    enters hibernation mode if it does not have access to the
    service
- Update to 2.2.355.0 (2019-03-05)
apparmor
- fixed requires of python3 module (bsc#1191690)
- Don't provide python2 symbol for python3 package (bsc#1191690).
- Be explicit about using python2 macros, when needed.
augeas
- Allow all printable ASCII characters in WPA-PSK definition
  * augeas-allow_printable_ASCII.patch
  * bsc#1187512
  * Sourced from https://github.com/hercules-team/augeas/pull/723/commits
  * Credit to Michal Filka <mfilka@suse.com
autofs
- Update pidfile path to /run from /var/run (bsc#1185155)
autogen
- Add reproducible.patch to normalize tar
- Normalize date in man-pages (boo#1047218)
avahi
- Add avahi-CVE-2021-3468.patch: avoid infinite loop by handling
  HUP event in client_work (boo#1184521 CVE-2021-3468).
  https://github.com/lathiat/avahi/pull/330
- Update avahi-daemon-check-dns.sh from Debian. Our previous
  version relied on ifconfig, route, and init.d.
- Rebase avahi-daemon-check-dns-suse.patch, and drop privileges
  when invoking avahi-daemon-check-dns.sh (boo#1180827
  CVE-2021-26720).
- Add sudo to requires: used to drop privileges.
bash
- Add patch bsc1183064.patch
  * Fix bug bsc#1183064: Segfault from reading a history file not
    starting with # with HISTTIMEFORMAT set and history_multiline_entries
    nonzero and with the history cleared and read on the same input line.
bind
- Fixed CVE-2021-25219:
  The lame-ttl option controls how long named caches certain types
  of broken responses from authoritative servers (see the security
  advisory for details). This caching mechanism could be abused by
  an attacker to significantly degrade resolver performance. The
  vulnerability has been mitigated by changing the default value of
  lame-ttl to 0 and overriding any explicitly set value with 0,
  effectively disabling this mechanism altogether. ISC's testing has
  determined that doing that has a negligible impact on resolver
  performance while also preventing abuse.
  Administrators may observe more traffic towards servers issuing
  certain types of broken responses than in previous BIND 9 releases.
  [bsc#1192146, CVE-2021-25219, bind-CVE-2021-25219.patch]
- Fix off-by-one error when calculating new hashtable size
  When calculating the new hashtable bitsize, there was an off-by-one
  error that would allow the new bitsize to be larger than maximum allowed
  causing assertion failure in the rehash() function.
  [bsc#1188763, 0001-Fix-off-by-one-error-when-calculating-new-hashtable.patch]
- Since BIND 9.9, it has been easier to use tsig-keygen and
  ddns-confgen to generare TSIG keys. In 9.13, TSIG support was
  removed from dnssec-keygen, so now it is just for DNSKEY (and KEY
  for obscure cases). tsig-keygen is now used to generate DDNS keys.
  [bsc#1187921, vendor-files.tar.bz2]
- * A broken inbound incremental zone update (IXFR)
    can cause named to terminate unexpectedly
    [CVE-2021-25214, bind-CVE-2021-25214.patch]
  * An assertion check can fail while answering queries
    for DNAME records that require the DNAME to be processed to resolve
    itself
    [CVE-2021-25215, bind-CVE-2021-25215.patch]
  * A second vulnerability in BIND's GSSAPI security
    policy negotiation can be targeted by a buffer overflow attack
    This does not affect this package as the affected code is
    disabled.
    [CVE-2021-25216]
  [bsc#1185345]
- pass PIE compiler and linker flags via environment variables to make
  /usr/bin/delv in bind-tools also position independent (bsc#1183453).
- drop pie_compile.diff: no longer needed, this patch is difficult to
  maintain, the environment variable approach is less error prone.
  [bsc#1183453, bind.spec, pie_compile.diff]
blktrace
- Fix crash due to dropped first event while using pipe input (bsc#1191788).
  * blkparse: skip check_cpu_map with pipe input
  * blkparse: fix incorrectly sized memset in check_cpu_map
  * Added:
  - blkparse-skip-check_cpu_map-with-pipe-input.patch
  - blkparse-fix-incorrectly-sized-memset-in-check_cpu_m.patch
c-ares
- 5c995d5.patch: augment input validation on hostnames to allow _
  as part of DNS response (bsc#1190225)
- Version update to git snapshot 1.17.1+20200724:
  * fixes missing input validation on hostnames returned by DNS
    servers (bsc#1188881, CVE-2021-3672)
  * If ares_getaddrinfo() was terminated by an ares_destroy(),
    it would cause crash
  * Crash in sortaddrinfo() if the list size equals 0 due to
    an unexpected DNS response
  * Expand number of escaped characters in DNS replies as
    per RFC1035 5.1 to prevent spoofing
  * Use unbuffered /dev/urandom for random data to prevent early startup
    performance issues
- missing_header.patch: upstreamed
ca-certificates-mozilla
- remove the DST_Root_CA_X3.pem trust, as it expires september 30th 2021.
  (bsc#1190858)
chrony
- bsc#1173760: MD5 is not available from mozilla-nss in FIPS mode,
  but needed for calculating refids from IPv6 addresses as part of
  the NTP protocol (rfc5905). As this is a non-cryptographic use of
  MD5 we can use our own implementation without violating FIPS
  rules: chrony-refid-internal-md5.patch .
- boo#1162964, bsc#1183783, clknetsim-glibc-2.31.patch:
  Fix build with glibc-2.31
- bsc#1184400, chrony-pidfile.patch:
  Use /run instead of /var/run for PIDFile in chronyd.service.
cifs-utils
- cifs.upcall: fix regression in kerberos mount; (bsc#1184815).
  * add 0015-cifs.upcall-fix-regression-in-kerberos-mount.patch
- CVE-2021-20208: cifs-utils: cifs.upcall kerberos auth leak in
  container; (bsc#1183239); CVE-2021-20208.
  * add 0014-cifs.upcall-try-to-use-container-ipc-uts-net-pid-mnt.patch
- CVE-2020-14342: Shell command injection vulnerability in mount.cifs;
  (bsc#1174477); (bso#14442); CVE-2020-14342.
  * add 0013-CVE-2020-14342-mount.cifs-fix-shell-command-injectio.patch
- Fix invalid free in mount.cifs; (bsc#1152930).
  * add 0012-mount.cifs-Fix-invalid-free.patch
cloud-init
- Update to version 21.2 (bsc#1186004)
  + Remove patches included upstream:
  - cloud-init-azure-def-usr-pass.patch
  - cloud-init-after-kvp.diff
  - cloud-init-recognize-hpc.patch
  - use_arroba_to_include_sudoers_directory-bsc_1181283.patch
  - cloud-init-bonding-opts.patch
  - cloud-init-log-file-mode.patch
  - cloud-init-no-pwd-in-log.patch
  - 0001-templater-drop-Jinja-Python-2-compatibility-shim.patch
  + Remove cloud-init-sle12-compat.patch, version in SLE 12 is frozen to 20.2
  + Remove cloud-init-tests-set-exec.patch no longer needed
  + Forward port:
  - cloud-init-write-routes.patch
  - cloud-init-break-resolv-symlink.patch
  - cloud-init-sysconf-path.patch
  - cloud-init-no-tempnet-oci.patch
  +  Add rn check for SSH keys in Azure (#889)
  +  Revert "/Add support to resize rootfs if using LVM (#721)"/ (#887)
    (LP: #1922742)
  +  Add Vultaire as contributor (#881) [Paul Goins]
  +  Azure: adding support for consuming userdata from IMDS (#884) [Anh Vo]
  +  test_upgrade: modify test_upgrade_package to run for more sources (#883)
  +  Fix chef module run failure when chef_license is set (#868) [Ben Hughes]
  +  Azure: Retry net metadata during nic attach for non-timeout errs (#878)
    [aswinrajamannar]
  +  Azure: Retrieve username and hostname from IMDS (#865) [Thomas Stringer]
  +  Azure: eject the provisioning iso before reporting ready (#861) [Anh Vo]
  +  Use `partprobe` to re-read partition table if available (#856)
    [Nicolas Bock] (LP: #1920939)
  +  fix error on upgrade caused by new vendordata2 attributes (#869)
    (LP: #1922739)
  +  add prefer_fqdn_over_hostname config option (#859)
    [hamalq] (LP: #1921004)
  +  Emit dots on travis to avoid timeout (#867)
  +  doc: Replace remaining references to user-scripts as a config module
    (#866) [Ryan Harper]
  +  azure: Removing ability to invoke walinuxagent (#799) [Anh Vo]
  +  Add Vultr support (#827) [David Dymko]
  +  Fix unpickle for source paths missing run_dir (#863)
    [lucasmoura] (LP: #1899299)
  +  sysconfig: use BONDING_MODULE_OPTS on SUSE (#831) [Jens Sandmann]
  +  bringup_static_routes: fix gateway check (#850) [Petr Fedchenkov]
  +  add hamalq user (#860) [hamalq]
  +  Add support to resize rootfs if using LVM (#721)
    [Eduardo Otubo] (LP: #1799953)
  +  Fix mis-detecting network configuration in initramfs cmdline (#844)
    (LP: #1919188)
  +  tools/write-ssh-key-fingerprints: do not display empty header/footer
    (#817) [dermotbradley]
  +  Azure helper: Ensure Azure http handler sleeps between retries (#842)
    [Johnson Shi]
  +  Fix chef apt source example (#826) [timothegenzmer]
  +  .travis.yml: generate an SSH key before running tests (#848)
  +  write passwords only to serial console, lock down cloud-init-output.log
    (#847) (LP: #1918303)
  +  Fix apt default integration test (#845)
  +  integration_tests: bump pycloudlib dependency (#846)
  +  Fix stack trace if vendordata_raw contained an array (#837) [eb3095]
  +  archlinux: Fix broken locale logic (#841)
    [Kristian Klausen] (LP: #1402406)
  +  Integration test for #783 (#832)
  +  integration_tests: mount more paths IN_PLACE (#838)
  +  Fix requiring device-number on EC2 derivatives (#836) (LP: #1917875)
  +  Remove the vi comment from the part-handler example (#835)
  +  net: exclude OVS internal interfaces in get_interfaces (#829)
    (LP: #1912844)
  +  tox.ini: pass OS_* environment variables to integration tests (#830)
  +  integration_tests: add OpenStack as a platform (#804)
  +  Add flexibility to IMDS api-version (#793) [Thomas Stringer]
  +  Fix the TestApt tests using apt-key on Xenial and Hirsute (#823)
    [Paride Legovini] (LP: #1916629)
  +  doc: remove duplicate "/it"/ from nocloud.rst (#825) [V.I. Wood]
  +  archlinux: Use hostnamectl to set the transient hostname (#797)
    [Kristian Klausen]
  +  cc_keys_to_console.py: Add documentation for recently added config key
    (#824) [dermotbradley]
  +  Update cc_set_hostname documentation (#818) [Toshi Aoyama]
  From 21.1
  +  Azure: Support for VMs without ephemeral resource disks. (#800)
    [Johnson Shi] (LP: #1901011)
  +  cc_keys_to_console: add option to disable key emission (#811)
    [Michael Hudson-Doyle] (LP: #1915460)
  +  integration_tests: introduce lxd_use_exec mark (#802)
  +  azure: case-insensitive UUID to avoid new IID during kernel upgrade
    (#798) (LP: #1835584)
  +  stale.yml: don't ask submitters to reopen PRs (#816)
  +  integration_tests: fix use of SSH agent within tox (#815)
  +  integration_tests: add UPGRADE CloudInitSource (#812)
  +  integration_tests: use unique MAC addresses for tests (#813)
  +  Update .gitignore (#814)
  +  Port apt cloud_tests to integration tests (#808)
  +  integration_tests: fix test_gh626 on LXD VMs (#809)
  +  Fix attempting to decode binary data in test_seed_random_data test (#806)
  +  Remove wait argument from tests with session_cloud calls (#805)
  +  Datasource for UpCloud (#743) [Antti Myyrä]
  +  test_gh668: fix failure on LXD VMs (#801)
  +  openstack: read the dynamic metadata group vendor_data2.json (#777)
    [Andrew Bogott] (LP: #1841104)
  +  includedir in suoders can be prefixed by "/arroba"/ (#783)
    [Jordi Massaguer Pla]
  +  [VMware] change default max wait time to 15s (#774) [xiaofengw-vmware]
  +  Revert integration test associated with reverted #586 (#784)
  +  Add jordimassaguerpla as contributor (#787) [Jordi Massaguer Pla]
  +  Add Rick Harding to CLA signers (#792) [Rick Harding]
  +  HACKING.rst: add clarifying note to LP CLA process section (#789)
  +  Stop linting cloud_tests (#791)
  +  cloud-tests: update cryptography requirement (#790) [Joshua Powers]
  +  Remove 'remove-raise-on-failure' calls from integration_tests (#788)
  +  Use more cloud defaults in integration tests (#757)
  +  Adding self to cla signers (#776) [Andrew Bogott]
  +  doc: avoid two warnings (#781) [Dan Kenigsberg]
  +  Use proper spelling for Red Hat (#778) [Dan Kenigsberg]
  +  Add antonyc to .github-cla-signers (#747) [Anton Chaporgin]
  +  integration_tests: log image serial if available (#772)
  +  [VMware] Support cloudinit raw data feature (#691) [xiaofengw-vmware]
  +  net: Fix static routes to host in eni renderer (#668) [Pavel Abalikhin]
  +  .travis.yml: don't run cloud_tests in CI (#756)
  +  test_upgrade: add some missing commas (#769)
  +  cc_seed_random: update documentation and fix integration test (#771)
    (LP: #1911227)
  +  Fix test gh-632 test to only run on NoCloud (#770) (LP: #1911230)
  +  archlinux: fix package upgrade command handling (#768) [Bao Trinh]
  +  integration_tests: add integration test for LP: #1910835 (#761)
  +  Fix regression with handling of IMDS ssh keys (#760) [Thomas Stringer]
  +  integration_tests: log cloud-init version in SUT (#758)
  +  Add ajmyyra as contributor (#742) [Antti Myyrä]
  +  net_convert: add some missing help text (#755)
  +  Missing IPV6_AUTOCONF=no to render sysconfig dhcp6 stateful on RHEL
    (#753) [Eduardo Otubo]
  +  doc: document missing IPv6 subnet types (#744) [Antti Myyrä]
  +  Add example configuration for datasource `AliYun` (#751) [Xiaoyu Zhong]
  +  integration_tests: add SSH key selection settings (#754)
  +  fix a typo in man page cloud-init.1 (#752) [Amy Chen]
  +  network-config-format-v2.rst: add Netplan Passthrough section (#750)
  +  stale: re-enable post holidays (#749)
  +  integration_tests: port ca_certs tests from cloud_tests (#732)
  +  Azure: Add telemetry for poll IMDS (#741) [Johnson Shi]
  +  doc: move testing section from HACKING to its own doc (#739)
  +  No longer allow integration test failures on travis (#738)
  +  stale: fix error in definition (#740)
  +  integration_tests: set log-cli-level to INFO by default (#737)
  +  PULL_REQUEST_TEMPLATE.md: use backticks around commit message (#736)
  +  stale: disable check for holiday break (#735)
  +  integration_tests: log the path we collect logs into (#733)
  +  .travis.yml: add (most) supported Python versions to CI (#734)
  +  integration_tests: fix IN_PLACE CLOUD_INIT_SOURCE (#731)
  +  cc_ca_certs: add RHEL support (#633) [cawamata]
  +  Azure: only generate config for NICs with addresses (#709)
    [Thomas Stringer]
  +  doc: fix CloudStack configuration example (#707) [Olivier Lemasle]
  +  integration_tests: restrict test_lxd_bridge appropriately (#730)
  +  Add integration tests for CLI functionality (#729)
  +  Integration test for gh-626 (#728)
  +  Some test_upgrade fixes (#726)
  +  Ensure overriding test vars with env vars works for booleans (#727)
  +  integration_tests: port lxd_bridge test from cloud_tests (#718)
  +  Integration test for gh-632. (#725)
  +  Integration test for gh-671 (#724)
  +  integration-requirements.txt: bump pycloudlib commit (#723)
  +  Drop unnecessary shebang from cmd/main.py (#722) [Eduardo Otubo]
  +  Integration test for LP: #1813396 and #669 (#719)
  +  integration_tests: include timestamp in log output (#720)
  +  integration_tests: add test for LP: #1898997 (#713)
  +  Add integration test for power_state_change module (#717)
  +  Update documentation for network-config-format-v2 (#701) [ggiesen]
  +  sandbox CA Cert tests to not require ca-certificates (#715)
    [Eduardo Otubo]
  +  Add upgrade integration test (#693)
  +  Integration test for 570 (#712)
  +  Add ability to keep snapshotted images in integration tests (#711)
  +  Integration test for pull #586 (#706)
  +  integration_tests: introduce skipping of tests by OS (#702)
  +  integration_tests: introduce IntegrationInstance.restart (#708)
  +  Add lxd-vm to list of valid integration test platforms (#705)
  +  Adding BOOTPROTO = dhcp to render sysconfig dhcp6 stateful on RHEL
    (#685) [Eduardo Otubo]
  +  Delete image snapshots created for integration tests (#682)
  +  Parametrize ssh_keys_provided integration test (#700) [lucasmoura]
  +  Drop use_sudo attribute on IntegrationInstance (#694) [lucasmoura]
  +  cc_apt_configure: add riscv64 as a ports arch (#687)
    [Dimitri John Ledkov]
  +  cla: add xnox (#692) [Dimitri John Ledkov]
  +  Collect logs from integration test runs (#675)
  From 20.4.1
  +  Revert "/ssh_util: handle non-default AuthorizedKeysFile config (#586)"/
  From 20.4
  +  tox: avoid tox testenv subsvars for xenial support (#684)
  +  Ensure proper root permissions in integration tests (#664) [James Falcon]
  +  LXD VM support in integration tests (#678) [James Falcon]
  +  Integration test for fallocate falling back to dd (#681) [James Falcon]
  +  .travis.yml: correctly integration test the built .deb (#683)
  +  Ability to hot-attach NICs to preprovisioned VMs before reprovisioning
    (#613) [aswinrajamannar]
  +  Support configuring SSH host certificates. (#660) [Jonathan Lung]
  +  add integration test for LP: #1900837 (#679)
  +  cc_resizefs on FreeBSD: Fix _can_skip_ufs_resize (#655)
    [Mina Galić] (LP: #1901958, #1901958)
  +  DataSourceAzure: push dmesg log to KVP (#670) [Anh Vo]
  +  Make mount in place for tests work (#667) [James Falcon]
  +  integration_tests: restore emission of settings to log (#657)
  +  DataSourceAzure: update password for defuser if exists (#671) [Anh Vo]
  +  tox.ini: only select "/ci"/ marked tests for CI runs (#677)
  +  Azure helper: Increase Azure Endpoint HTTP retries (#619) [Johnson Shi]
  +  DataSourceAzure: send failure signal on Azure datasource failure (#594)
    [Johnson Shi]
  +  test_persistence: simplify VersionIsPoppedFromState (#674)
  +  only run a subset of integration tests in CI (#672)
  +  cli: add  + -system param to allow validating system user-data on a
    machine (#575)
  +  test_persistence: add VersionIsPoppedFromState test (#673)
  +  introduce an upgrade framework and related testing (#659)
  +  add  + -no-tty option to gpg (#669) [Till Riedel] (LP: #1813396)
  +  Pin pycloudlib to a working commit (#666) [James Falcon]
  +  DataSourceOpenNebula: exclude SRANDOM from context output (#665)
  +  cloud_tests: add hirsute release definition (#662)
  +  split integration and cloud_tests requirements (#652)
  +  faq.rst: add warning to answer that suggests running `clean` (#661)
  +  Fix stacktrace in DataSourceRbxCloud if no metadata disk is found (#632)
    [Scott Moser]
  +  Make wakeonlan Network Config v2 setting actually work (#626)
    [dermotbradley]
  +  HACKING.md: unify network-refactoring namespace (#658) [Mina Galić]
  +  replace usage of dmidecode with kenv on FreeBSD (#621) [Mina Galić]
  +  Prevent timeout on travis integration tests. (#651) [James Falcon]
  +  azure: enable pushing the log to KVP from the last pushed byte  (#614)
    [Moustafa Moustafa]
  +  Fix launch_kwargs bug in integration tests (#654) [James Falcon]
  +  split read_fs_info into linux & freebsd parts (#625) [Mina Galić]
  +  PULL_REQUEST_TEMPLATE.md: expand commit message section (#642)
  +  Make some language improvements in growpart documentation (#649)
    [Shane Frasier]
  +  Revert "/.travis.yml: use a known-working version of lxd (#643)"/ (#650)
  +  Fix not sourcing default 50-cloud-init ENI file on Debian (#598)
    [WebSpider]
  +  remove unnecessary reboot from gpart resize (#646) [Mina Galić]
  +  cloudinit: move dmi functions out of util (#622) [Scott Moser]
  +  integration_tests: various launch improvements (#638)
  +  test_lp1886531: don't assume /etc/fstab exists (#639)
  +  Remove Ubuntu restriction from PR template (#648) [James Falcon]
  +  util: fix mounting of vfat on *BSD (#637) [Mina Galić]
  +  conftest: improve docstring for disable_subp_usage (#644)
  +  doc: add example query commands to debug Jinja templates (#645)
  +  Correct documentation and testcase data for some user-data YAML (#618)
    [dermotbradley]
  +  Hetzner: Fix instance_id / SMBIOS serial comparison (#640)
    [Markus Schade]
  +  .travis.yml: use a known-working version of lxd (#643)
  +  tools/build-on-freebsd: fix comment explaining purpose of the script
    (#635) [Mina Galić]
  +  Hetzner: initialize instance_id from system-serial-number (#630)
    [Markus Schade] (LP: #1885527)
  +  Explicit set IPV6_AUTOCONF and IPV6_FORCE_ACCEPT_RA on static6 (#634)
    [Eduardo Otubo]
  +  get_interfaces: don't exclude Open vSwitch bridge/bond members (#608)
    [Lukas Märdian] (LP: #1898997)
  +  Add config modules for controlling IBM PowerVM RMC. (#584)
    [Aman306] (LP: #1895979)
  +  Update network config docs to clarify MAC address quoting (#623)
    [dermotbradley]
  +  gentoo: fix hostname rendering when value has a comment (#611)
    [Manuel Aguilera]
  +  refactor integration testing infrastructure (#610) [James Falcon]
  +  stages: don't reset permissions of cloud-init.log every boot (#624)
    (LP: #1900837)
  +  docs: Add how to use cloud-localds to boot qemu (#617) [Joshua Powers]
  +  Drop vestigial update_resolve_conf_file function (#620) [Scott Moser]
  +  cc_mounts: correctly fallback to dd if fallocate fails (#585)
    (LP: #1897099)
  +  .travis.yml: add integration-tests to Travis matrix (#600)
  +  ssh_util: handle non-default AuthorizedKeysFile config (#586)
    [Eduardo Otubo]
  +  Multiple file fix for AuthorizedKeysFile config (#60) [Eduardo Otubo]
  +  bddeb: new  + -packaging-branch argument to pull packaging from branch
    (#576) [Paride Legovini]
  +  Add more integration tests (#615) [lucasmoura]
  +  DataSourceAzure: write marker file after report ready in preprovisioning
    (#590) [Johnson Shi]
  +  integration_tests: emit settings to log during setup (#601)
  +  integration_tests: implement citest tests run in Travis (#605)
  +  Add Azure support to integration test framework (#604) [James Falcon]
  +  openstack: consider product_name as valid chassis tag (#580)
    [Adrian Vladu] (LP: #1895976)
  +  azure: clean up and refactor report_diagnostic_event (#563) [Johnson Shi]
  +  net: add the ability to blacklist network interfaces based on driver
    during enumeration of physical network devices (#591) [Anh Vo]
  +  integration_tests: don't error on cloud-init failure (#596)
  +  integration_tests: improve cloud-init.log assertions (#593)
  +  conftest.py: remove top-level import of httpretty (#599)
  +  tox.ini: add integration-tests testenv definition (#595)
  +  PULL_REQUEST_TEMPLATE.md: empty checkboxes need a space (#597)
  +  add integration test for LP: #1886531 (#592)
  +  Initial implementation of integration testing infrastructure (#581)
    [James Falcon]
  +  Fix name of ntp and chrony service on CentOS and RHEL. (#589)
    [Scott Moser] (LP: #1897915)
  +  Adding a PR template (#587) [James Falcon]
  +  Azure parse_network_config uses fallback cfg when generate IMDS network
    cfg fails (#549) [Johnson Shi]
  +  features: refresh docs for easier out-of-context reading (#582)
  +  Fix typo in resolv_conf module's description (#578) [Wacław Schiller]
  +  cc_users_groups: minor doc formatting fix (#577)
  +  Fix typo in disk_setup module's description (#579) [Wacław Schiller]
  +  Add vendor-data support to seedfrom parameter for NoCloud and OVF (#570)
    [Johann Queuniet]
  +  boot.rst: add First Boot Determination section (#568) (LP: #1888858)
  +  opennebula.rst: minor readability improvements (#573) [Mina Galić]
  +  cloudinit: remove unused LOG variables (#574)
  +  create a shutdown_command method in distro classes (#567)
    [Emmanuel Thomé]
  +  user_data: remove unused constant (#566)
  +  network: Fix type and respect name when rendering vlan in
    sysconfig. (#541) [Eduardo Otubo] (LP: #1788915, #1826608)
  +  Retrieve SSH keys from IMDS first with OVF as a fallback (#509)
    [Thomas Stringer]
  +  Add jqueuniet as contributor (#569) [Johann Queuniet]
  +  distros: minor typo fix (#562)
  +  Bump the integration-requirements versioned dependencies (#565)
    [Paride Legovini]
  +  network-config-format-v1: fix typo in nameserver example (#564)
    [Stanislas]
  +  Run cloud-init-local.service after the hv_kvp_daemon (#505)
    [Robert Schweikert]
  +  Add method type hints for Azure helper (#540) [Johnson Shi]
  +  systemd: add Before=shutdown.target when Conflicts=shutdown.target is
    used (#546) [Paride Legovini]
  +  LXD: detach network from profile before deleting it (#542)
    [Paride Legovini] (LP: #1776958)
  +  redhat spec: add missing BuildRequires (#552) [Paride Legovini]
  +  util: remove debug statement (#556) [Joshua Powers]
  +  Fix cloud config on chef example (#551) [lucasmoura]
  From 20.3
  +  Azure: Add netplan driver filter when using hv_netvsc driver (#539)
    [James Falcon] (LP: #1830740)
  +  query: do not handle non-decodable non-gzipped content (#543)
  +  DHCP sandboxing failing on noexec mounted /var/tmp (#521) [Eduardo Otubo]
  +  Update the list of valid ssh keys. (#487)
    [Ole-Martin Bratteng] (LP: #1877869)
  +  cmd: cloud-init query to handle compressed userdata (#516) (LP: #1889938)
  +  Pushing cloud-init log to the KVP (#529) [Moustafa Moustafa]
  +  Add Alpine Linux support. (#535) [dermotbradley]
  +  Detect kernel version before swap file creation (#428) [Eduardo Otubo]
  +  cli: add devel make-mime subcommand (#518)
  +  user-data: only verify mime-types for TYPE_NEEDED and x-shellscript
    (#511) (LP: #1888822)
  +  DataSourceOracle: retry twice (and document why we retry at all) (#536)
  +  Refactor Azure report ready code (#468) [Johnson Shi]
  +  tox.ini: pin correct version of httpretty in xenial{,-dev} envs (#531)
  +  Support Oracle IMDSv2 API (#528) [James Falcon]
  +  .travis.yml: run a doc build during CI (#534)
  +  doc/rtd/topics/datasources/ovf.rst: fix doc8 errors (#533)
  +  Fix 'Users and Groups' configuration documentation (#530) [sshedi]
  +  cloudinit.distros: update docstrings of add_user and create_user (#527)
  +  Fix headers for device types in network v2 docs (#532)
    [Caleb Xavier Berger]
  +  Add AlexBaranowski as contributor (#508) [Aleksander Baranowski]
  +  DataSourceOracle: refactor to use only OPC v1 endpoint (#493)
  +  .github/workflows/stale.yml: s/Josh/Rick/ (#526)
  +  Fix a typo in apt pipelining module (#525) [Xiao Liang]
  +  test_util: parametrize devlist tests (#523) [James Falcon]
  +  Recognize LABEL_FATBOOT labels (#513) [James Falcon] (LP: #1841466)
  +  Handle additional identifier for SLES For HPC (#520) [Robert Schweikert]
  +  Revert "/test-requirements.txt: pin pytest to <6 (#512)"/ (#515)
  +  test-requirements.txt: pin pytest to <6 (#512)
  +  Add "/tsanghan"/ as contributor (#504) [tsanghan]
  +  fix brpm building (LP: #1886107)
  +  Adding eandersson as a contributor (#502) [Erik Olof Gunnar Andersson]
  +  azure: disable bouncing hostname when setting hostname fails (#494)
    [Anh Vo]
  +  VMware: Support parsing DEFAULT-RUN-POST-CUST-SCRIPT (#441)
    [xiaofengw-vmware]
  +  DataSourceAzure: Use ValueError when JSONDecodeError is not available
    (#490) [Anh Vo]
  +  cc_ca_certs.py: fix blank line problem when removing CAs and adding
    new one (#483) [dermotbradley]
  +  freebsd: py37-serial is now py37-pyserial (#492) [Gonéri Le Bouder]
  +  ssh exit with non-zero status on disabled user (#472)
    [Eduardo Otubo] (LP: #1170059)
  +  cloudinit: remove global disable of pylint W0107 and fix errors (#489)
  +  networking: refactor wait_for_physdevs from cloudinit.net (#466)
    (LP: #1884626)
  +  HACKING.rst: add pytest.param pytest gotcha (#481)
  +  cloudinit: remove global disable of pylint W0105 and fix errors (#480)
  +  Fix two minor warnings (#475)
  +  test_data: fix faulty patch (#476)
  +  cc_mounts: handle missing fstab (#484) (LP: #1886531)
  +  LXD cloud_tests: support more lxd image formats (#482) [Paride Legovini]
  +  Add update_etc_hosts as default module on *BSD (#479) [Adam Dobrawy]
  +  cloudinit: fix tip-pylint failures and bump pinned pylint version (#478)
  +  Added BirknerAlex as contributor and sorted the file (#477)
    [Alexander Birkner]
  +  Update list of types of modules in cli.rst [saurabhvartak1982]
  +  tests: use markers to configure disable_subp_usage (#473)
  +  Add mention of vendor-data to no-cloud format documentation (#470)
    [Landon Kirk]
  +  Fix broken link to OpenStack metadata service docs (#467)
    [Matt Riedemann]
  +  Disable ec2 mirror for non aws instances (#390)
    [lucasmoura] (LP: #1456277)
  +  cloud_tests: don't pass  + -python-version to read-dependencies (#465)
  +  networking: refactor is_physical from cloudinit.net (#457) (LP: #1884619)
  +  Enable use of the caplog fixture in pytest tests, and add a
    cc_final_message test using it (#461)
  +  RbxCloud: Add support for FreeBSD (#464) [Adam Dobrawy]
  +  Add schema for cc_chef module (#375) [lucasmoura] (LP: #1858888)
  +  test_util: add (partial) testing for util.mount_cb (#463)
  +  .travis.yml: revert to installing ubuntu-dev-tools (#460)
  +  HACKING.rst: add details of net refactor tracking (#456)
  +  .travis.yml: rationalise installation of dependencies in host (#449)
  +  Add dermotbradley as contributor. (#458) [dermotbradley]
  +  net/networking: remove unused functions/methods (#453)
  +  distros.networking: initial implementation of layout (#391)
  +  cloud-init.service.tmpl: use "/rhel"/ instead of "/redhat"/ (#452)
  +  Change from redhat to rhel in systemd generator tmpl (#450)
    [Eduardo Otubo]
  +  Hetzner: support reading user-data that is base64 encoded. (#448)
    [Scott Moser] (LP: #1884071)
  +  HACKING.rst: add strpath gotcha to testing gotchas section (#446)
  +  cc_final_message: don't create directories when writing boot-finished
    (#445) (LP: #1883903)
  +  .travis.yml: only store new schroot if something has changed (#440)
  +  util: add ensure_dir_exists parameter to write_file (#443)
  +  printing the error stream of the dhclient process before killing it
    (#369) [Moustafa Moustafa]
  +  Fix link to the MAAS documentation (#442)
    [Paride Legovini] (LP: #1883666)
  +  RPM build: disable the dynamic mirror URLs when using a proxy (#437)
    [Paride Legovini]
  +  util: rename write_file's copy_mode parameter to preserve_mode (#439)
  +  .travis.yml: use $TRAVIS_BUILD_DIR for lxd_image caching (#438)
  +  cli.rst: alphabetise devel subcommands and add net-convert to list (#430)
  +  Default to UTF-8 in /var/log/cloud-init.log (#427) [James Falcon]
  +  travis: cache the chroot we use for package builds (#429)
  +  test: fix all flake8 E126 errors (#425) [Joshua Powers]
  +  Fixes KeyError for bridge with no "/parameters:"/ setting (#423)
    [Brian Candler] (LP: #1879673)
  +  When tools.conf does not exist, running cmd "/vmware-toolbox-cmd
    config get deployPkg enable-custom-scripts"/, the return code will
    be EX_UNAVAILABLE(69), on this condition, it should not take it as
    error. (#413) [chengcheng-chcheng]
  +  Document CloudStack data-server well-known hostname (#399) [Gregor Riepl]
  +  test: move conftest.py to top-level, to cover tests/ also (#414)
  +  Replace cc_chef is_installed with use of subp.is_exe. (#421)
    [Scott Moser]
  +  Move runparts to subp. (#420) [Scott Moser]
  +  Move subp into its own module. (#416) [Scott Moser]
  +  readme: point at travis-ci.com (#417) [Joshua Powers]
  +  New feature flag functionality and fix includes failing silently (#367)
    [James Falcon] (LP: #1734939)
  +  Enhance poll imds logging (#365) [Moustafa Moustafa]
  +  test: fix all flake8 E121 and E123 errors (#404) [Joshua Powers]
  +  test: fix all flake8 E241 (#403) [Joshua Powers]
  +  test: ignore flake8 E402 errors in main.py (#402) [Joshua Powers]
  +  cc_grub_dpkg: determine idevs in more robust manner with grub-probe
    (#358) [Matthew Ruffell] (LP: #1877491)
  +  test: fix all flake8 E741 errors (#401) [Joshua Powers]
  +  tests: add groovy integration tests for ubuntu (#400)
  +  Enable chef_license support for chef infra client (#389) [Bipin Bachhao]
  +  testing: use flake8 again (#392) [Joshua Powers]
  +  enable Puppet, Chef mcollective in default config (#385)
    [Mina Galić (deprecated: Igor Galić)] (LP: #1880279)
  +  HACKING.rst: introduce .net  + > Networking refactor section (#384)
  +  Travis: do not install python3-contextlib2 (dropped dependency) (#388)
    [Paride Legovini]
  +  HACKING: mention that .github-cla-signers is alpha-sorted (#380)
  +  Add bipinbachhao as contributor (#379) [Bipin Bachhao]
  +  cc_snap: validate that assertions property values are strings (#370)
  +  conftest: implement partial disable_subp_usage (#371)
  +  test_resolv_conf: refresh stale comment (#374)
  +  cc_snap: apply validation to snap.commands properties (#364)
  +  make finding libc platform independent (#366)
    [Mina Galić (deprecated: Igor Galić)]
  +  doc/rtd/topics/faq: Updates LXD docs links to current site (#368) [TomP]
  +  templater: drop Jinja Python 2 compatibility shim (#353)
  +  cloudinit: minor pylint fixes (#360)
  +  cloudinit: remove unneeded __future__ imports (#362)
  +  migrating momousta lp user to Moustafa-Moustafa GitHub user (#361)
    [Moustafa Moustafa]
  +  cloud_tests: emit dots on Travis while fetching images (#347)
  +  Add schema to apt configure config (#357) [lucasmoura] (LP: #1858884)
  +  conftest: add docs and tests regarding CiTestCase's subp functionality
    (#343)
  +  analyze/dump: refactor shared string into variable (#350)
  +  doc: update boot.rst with correct timing of runcmd (#351)
  +  HACKING.rst: change contact info to Rick Harding (#359) [lucasmoura]
  +  HACKING.rst: guide people to add themselves to the CLA file (#349)
  +  HACKING.rst: more unit testing documentation (#354)
  +  .travis.yml: don't run lintian during integration test package builds
    (#352)
  +  Add test to ensure docs examples are valid cloud-init configs (#355)
    [James Falcon] (LP: #1876414)
  +  make suse and sles support 127.0.1.1 (#336) [chengcheng-chcheng]
  +  Create tests to validate schema examples (#348)
    [lucasmoura] (LP: #1876412)
  +  analyze/dump: add support for Amazon Linux 2 log lines (#346)
    (LP: #1876323)
  +  bsd: upgrade support (#305) [Gonéri Le Bouder]
  +  Add lucasmoura as contributor (#345) [lucasmoura]
  +  Add "/therealfalcon"/ as contributor (#344) [James Falcon]
  +  Adapt the package building scripts to use Python 3 (#231)
    [Paride Legovini]
  +  DataSourceEc2: use metadata's NIC ordering to determine route-metrics
    (#342) (LP: #1876312)
  +  .travis.yml: introduce caching (#329)
  +  cc_locale: introduce schema (#335)
  +  doc/rtd/conf.py: bump copyright year to 2020 (#341)
  +  yum_add_repo: Add Centos to the supported distro list (#340)
- Add cloud-init-update-test-characters-in-substitution-unit-test.patch
  to fix unit test fail in TestGetPackageMirrorInfo::test_substitution.
- Add patch from upstream to remove python2 compatibility so
  cloud-init builds fine in Tumbleweed with a recent Jinja2
  version. This patch is only applied in TW.
  * 0001-templater-drop-Jinja-Python-2-compatibility-shim.patch
- Add cloud-init-log-file-mode.patch (bsc#1183939)
  + Change log file creation mode to 640
- Add cloud-init-no-pwd-in-log.patch (bsc#1184758)
  + Do not write the generated password to the log file
- Add cloud-init-purge-cache-py-ver-change.patch
- Add cloud-init-bonding-opts.patch (bsc#1184085)
  + Write proper bonding option configuration for SLE/openSUSE
- Fix application and inclusion of
  use_arroba_to_include_sudoers_directory-bsc_1181283.patchfix (bsc#1181283)
- Add use_arroba_to_include_sudoers_directory-bsc_1181283.patchfix (bsc#1181283)
  - Do not including sudoers.d directory twice
cloud-netconfig
- Update to version 1.6:
  + Ignore proxy when accessing metadata (bsc#1187939)
  + Print warning in case metadata is not accessible
  + Documentation update
containerd
- Update to containerd v1.4.11, to fix CVE-2021-41103 bsc#1191121. bsc#1191355
- Switch to Go 1.16.x compiler, in line with upstream.
- Install systemd service file as well (fixes bsc#1190826)
- Update to containerd v1.4.8, to fix CVE-2021-32760. bsc#1188282
- Remove upstreamed patches:
  - bsc1188282-use-chmod-path-for-checking-symlink.patch
[ This patch was only released in SLES and Leap. ]
- Add patch for GHSA-c72p-9xmj-rx3w. CVE-2021-32760 bsc#1188282
  + bsc1188282-use-chmod-path-for-checking-symlink.patch
- Build with go1.15 for reproducible build results (boo#1102408)
- Drop long-since upstreamed patch, originally needed to fix i386 builds on
  SLES:
  - 0001-makefile-remove-emoji.patch
- Update to containerd v1.4.4, to fix CVE-2021-21334.
- Update to handle the docker-runc removal, and drop the -kubic flavour.
  bsc#1181677 bsc#1181749
- Update to containerd v1.4.3, which is needed for Docker v20.10.2-ce.
  bsc#1181594
- Install the containerd-shim* binaries and stop creating
  docker-containerd-shim because that isn't used by Docker anymore.
  bsc#1183024
corosync
- corosync totemudpu: bsc#1192467, Fix don't block local socketpair when interface is down
  Added: bsc#1192467_dont-block-local-socket-pair.patch
- corosync totem: bsc#1189680, Add cancel_token_hold_on_retransmit config option
  Added: bug-1189680_cancel_token_hold_on_retransmit-option.patch
cpio
- Add another patch to fix regression (bsc#1189465)
  * fix-CVE-2021-38185_3.patch
- Fix regression in last update (bsc#1189465)
  * fix-CVE-2021-38185_2.patch
- Fix CVE-2021-38185 Remote code execution caused by an integer overflow in ds_fgetstr
  (CVE-2021-38185, bsc#1189206)
  * fix-CVE-2021-38185.patch
crash
- Fix crash utility is taking forever to initialize a vmcore from large config
  system (bsc#1178827 ltc#189279).
  crash-task.c-avoid-unnecessary-cpu-cycles-in-stkptr_to_tas.patch
crmsh
- Update to version 4.3.1+20211119.97feb471:
  * Fix: ui_resource: Parse node and lifetime correctly (bsc#1192618)
- Update to version 4.3.1+20211012.52d4086a:
  * Fix: ui_resource: Parse lifetime option correctly (bsc#1191508)
  * Fix: utils: Improve detect_cloud function and support non-Hyper-V in Azure
- Update to version 4.3.1+20210827.4fb174c4:
  * Fix: hb_report: Using python way to collect ra trace files (bsc#1189641)
  * Fix: bootstrap: adjust host list for parallax to get and copy known_hosts file(bsc#1188971)
- Update to version 4.3.1+20210811.2a30e37e:
  * Dev: ui_resource: Enhancement trace output
  * Fix: doc: Note that resource tracing is only supported by OCF RAs(bsc#1188966)
  * Medium: ra: performance/usability improvement (avoid systemd)
  * Dev: ui_context: Add info when spell-corrections happen
  * Fix: parse: Should still be able to show the empty property if it already exists(bsc#1188290)
- Update to version 4.3.1+20210702.4e0ee8fb:
  * Fix: bootstrap: check for missing fields in 'crm_node -l' output (bsc#1182131)
  * Fix: resource: make untrace consistent with trace (bsc#1187396)
  * Dev: sbd: enable SBD_DELAY_START in virtualization environment
- Update to version 4.3.1+20210624.67223df2:
  * Fix: ocfs2: Skip verifying UUID for ocfs2 device on top of raid or lvm on the join node (bsc#1187553)
- Update to version 4.3.0+20210616.cdcfe52e:
  * Fix: history: use Path.mkdir instead of mkdir command(bsc#1179999, CVE-2020-35459)
  * Dev: crash_test: Add big warnings to have users' attention to potential failover(jsc#SLE-17979)
  * Dev: crash_test: rename preflight_check as crash_test(jsc#SLE-17979)
  * Fix: bootstrap: update sbd watchdog timeout when using diskless SBD with qdevice(bsc#1184465)
  * Dev: utils: allow configure link-local ipv6 address(bsc#1163460)
  * Fix: parse: shouldn't allow property setting with an empty value(bsc#1185423)
  * Fix: help: show help message from argparse(bsc#1175982)
- Remove patches:
  0001-Fix-history-use-Path.mkdir-instead-of-mkdir-command-.patch
- Update to version 4.3.0+20210507.bf02d791:
  * Fix: bootstrap: add sbd via bootstrap stage on an existing cluster (bsc#1181906)
  * Fix: bootstrap: change StrictHostKeyChecking=no as a constants(bsc#1185437)
  * Dev: bootstrap: disable unnecessary warnings (bsc#1178118)
  * Fix: bootstrap: sync corosync.conf before finished joining(bsc#1183359)
  * Dev: add "/crm corosync status qdevice"/ sub-command
  * Dev: ui_cluster: add qdevice help info
- Update to version 4.3.0+20210330.06bf9cad:
  * Dev: ui_cluster: enable/disable corosync-qdevice.service
  * Fix: bootstrap: parse space in sbd device correctly(bsc#1183883)
  * Dev: preflight_check: move preflight_check directory into crmsh
  * Fix: bootstrap: get the peer node name correctly (bsc#1183654)
  * Fix: update verion and author (bsc#1183689)
  * Dev: bootstrap: enable configuring qdevice on interactive mode (jsc#ECO-3567)
  * Fix: ui_resource: change return code and error to warning for some unharmful actions(bsc#1180332)
  * Dev: lock: change lock directory under /run
  * Fix: bootstrap: raise warning when configuring diskless SBD with node's count less than 3(bsc#1181907)
  * Fix: bootstrap: Adjust qdevice configure/remove process to avoid race condition due to quorum lost(bsc#1181415)
  * Fix: ui_configure: raise error when params not exist(bsc#1180126)
  * Dev: ui_node: remove status subcommand
- Update to version 4.3.0+20210219.5d1bf034:
  * Fix: hb_report: walk through hb_report process under hacluster(CVE-2020-35459, bsc#1179999; CVE-2021-3020, bsc#1180571)
  * Fix: bootstrap: setup authorized ssh access for hacluster(CVE-2020-35459, bsc#1179999; CVE-2021-3020, bsc#1180571)
  * Dev: analyze: Add analyze sublevel and put preflight_check in it(jsc#ECO-1658)
  * Dev: utils: change default file mod as 644 for str2file function
  * Dev: hb_report: Detect if any ocfs2 partitions exist
  * Dev: lock: give more specific error message when raise ClaimLockError
  * Fix: Replace mktemp() to mkstemp() for security
  * Fix: Remove the duplicate --cov-report html in tox.
  * Fix: fix some lint issues.
  * Fix: Replace utils.msg_info to task.info
  * Fix: Solve a circular import error of utils.py
  * Fix: hb_report: run lsof with specific ocfs2 device(bsc#1180688)
  * Dev: corosync: change the permission of corosync.conf to 644
  * Fix: preflight_check: task: raise error when report_path isn't a directory
  * Fix: bootstrap: Use class Watchdog to simplify watchdog config(bsc#1154927, bsc#1178869)
  * Dev: Polish the sbd feature.
  * Dev: Replace -f with -c and run check when no parameter provide.
  * Fix: Fix the yes option not working
  * Fix: Remove useless import and show help when no input.
  * Dev: Correct SBD device id inconsistenc during ASR
  * Fix: completers: return complete start/stop resource id list correctly(bsc#1180137)
  * Dev: Makefile.am: change makefile to integrate preflight_check
  * Medium: integrate preflight_check into crmsh(jsc#ECO-1658)
  * Fix: bootstrap: make sure sbd device UUID was the same between nodes(bsc#1178454)
cronie
- Increase limit of allowed entries in crontab files to fix bsc#1187508
  * cronie-1.5.1-increase_crontab_limit.patch
csync2
- (bsc#1187080) Upgrade and removal of csync2 package throws error
  for non-existent service template:
  Removeinstance templates from %service_* macros.
- VUL-1: CVE-2019-15522: csync2: daemon fails to enforce TLS
  (bsc#1147137)
- VUL-1: CVE-2019-15523: csync2: incorrect TLS handshake error handling
  (bsc#1147139)
  Apply upstream patch:
  0001-fail-HELLO-command-when-SSL-is-required.patch
  0002-repeat-gnutls_handshake-call-in-case-of-warnings.patch
cups
- When cupsd creates directories with specific owner group
  and permissions (usually owner is 'root' and group matches
  "/configure --with-cups-group=lp"/) specify same owner group and
  permissions in the RPM spec file to ensure those directories
  are installed by RPM with the right settings because if those
  directories were installed by RPM with different settings then
  cupsd would use them as is and not adjust its specific owner
  group and permissions which could lead to privilege escalation
  from 'lp' user to 'root' via symlink attacks e.g. if owner is
  falsely 'lp' instead of 'root' CVE-2021-25317 (bsc#1184161)
- cups-2.2.7-web-ui-kerberos-authentication.patch (bsc#1175960)
  Fix web UI kerberos authentication
curl
- libssh: do not let libssh create socket [bsc#1192790]
  * Fixes sftp over a proxy failure in curl with error:
    Failure establishing ssh session
  * Add curl-libssh-socket.patch
- MIME: Properly check Content-Type even if it has parameters
  * Add curl-check-content-type.patch [bsc#1190153]
- Security fix: [bsc#1190374, CVE-2021-22947]
  * STARTTLS protocol injection via MITM
  * Add curl-CVE-2021-22947.patch
- Security fix: [bsc#1190373, CVE-2021-22946]
  * Protocol downgrade required TLS bypassed
  * Add curl-CVE-2021-22946.patch
- Security fix: [bsc#1188220, CVE-2021-22925]
  * TELNET stack contents disclosure again
  * Add curl-CVE-2021-22925.patch
- Security fix: [bsc#1188219, CVE-2021-22924]
  * Bad connection reuse due to flawed path name checks
  * Add curl-CVE-2021-22924.patch
- Security fix: Disable the metalink feature:
  * Insufficiently Protected Credentials [bsc#1188218, CVE-2021-22923]
  * Wrong content via metalink not discarded [bsc#1188217, CVE-2021-22922]
- Security fix: [bsc#1186114, CVE-2021-22898]
  * TELNET stack contents disclosure
- Add curl-CVE-2021-22898.patch
- Allow partial chain verification [jsc#SLE-17956]
  * Have intermediate certificates in the trust store be treated
    as trust-anchors, in the same way as self-signed root CA
    certificates are. This allows users to verify servers using
    the intermediate cert only, instead of needing the whole chain.
  * Set FLAG_TRUSTED_FIRST unconditionally.
  * Do not check partial chains with CRL check.
- Add curl-X509_V_FLAG_PARTIAL_CHAIN.patch
- Security fix: [bsc#1183933, CVE-2021-22876]
  * The automatic referer leaks credentials
- Add curl-CVE-2021-22876-URL-API.patch curl-CVE-2021-22876.patch
- Fix: SFTP uploads result in empty uploaded files [bsc#1177976]
- Add curl-fix-O_APPEND.patch
dbus-1
- Add missing patch for CVE-2020-12049
  * fix-upstream-CVE-2020-12049_2.patch
- Fix CVE-2020-12049 truncated messages lead to resource exhaustion
  (CVE-2020-12049, bsc#1172505)
  * fix-upstream-CVE-2020-12049.patch
- Fix CVE-2020-35512 - shared UID's caused issues (CVE-2020-35512 bsc#1187105)
  * fix-upstream-userdb-constpointer.patch
  * fix-upstream-CVE-2020-35512.patch
dhcp
- Oops, when upgrading to 4.3.6-P1 in 2018 only isc_version was
  bumped, but not the RPM package version.
- CVE-2021-25217, bsc#1186382, dhcp-CVE-2021-25217.patch: A buffer
  overrun in lease file parsing code can be used to exploit a
  common vulnerability shared by dhcpd and dhclient.
- bsc#1185157:
  Use /run instead of /var/run for PIDFile in dhcrelay.service.
docker
- Update to Docker 20.10.9-ce. See upstream changelog in the packaged
  /usr/share/doc/packages/docker/CHANGELOG.md. bsc#1191355
  CVE-2021-41092 CVE-2021-41089 CVE-2021-41091 CVE-2021-41103
- Rebase patches:
  * 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
  * 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
  * 0003-PRIVATE-REGISTRY-add-private-registry-mirror-support.patch
  * 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
  * 0005-bsc1183855-btrfs-Do-not-disable-quota-on-cleanup.patch
  * 0006-bsc1190670-seccomp-add-support-for-clone3-syscall-in.patch
- Switch to Go 1.16.x compiler, in line with upstream.
- Add patch to return ENOSYS for clone3 to avoid breaking glibc again.
  bsc#1190670
  + 0006-bsc1190670-seccomp-add-support-for-clone3-syscall-in.patch
- Add shell requires for the *-completion subpackages.
- Update to Docker 20.10.6-ce. See upstream changelog in the packaged
  /usr/share/doc/packages/docker/CHANGELOG.md. bsc#1184768
- Rebase patches:
  * 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
  * 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
  * 0003-PRIVATE-REGISTRY-add-private-registry-mirror-support.patch
  * 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
- Backport upstream fix <https://github.com/moby/moby/pull/42273> for btrfs
  quotas being removed by Docker regularly. bsc#1183855 bsc#1175081
  + 0005-bsc1183855-btrfs-Do-not-disable-quota-on-cleanup.patch
- Update to Docker 20.10.5-ce. See upstream changelog in the packaged
  /usr/share/doc/packages/docker/CHANGELOG.md. bsc#1182947
- Update runc dependency to 1.0.0~rc93.
- Remove upstreamed patches:
  - cli-0001-Rename-bin-md2man-to-bin-go-md2man.patch
- Rebase patches:
  * 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
  * 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
  * 0003-PRIVATE-REGISTRY-add-private-registry-mirror-support.patch
  * 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
- Switch version to use -ce suffix rather than _ce to avoid confusing other
  tools. boo#1182476
- Fix incorrect cast in SUSE secrets patches causing warnings on SLES.
  * 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
- Update to Docker 20.10.3-ce. See upstream changelog in the packaged
  /usr/share/doc/packages/docker/CHANGELOG.md. Fixes bsc#1181732
  (CVE-2021-21284) and bsc#1181730 (CVE-2021-21285).
- Rebase patches on top of 20.10.3-ce.
  - 0002-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
  + 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
  - 0003-SECRETS-SUSE-implement-SUSE-container-secrets.patch
  + 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
  - 0004-PRIVATE-REGISTRY-add-private-registry-mirror-support.patch
  + 0003-PRIVATE-REGISTRY-add-private-registry-mirror-support.patch
  - 0005-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
  + 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
- Drop docker-runc, docker-test and docker-libnetwork packages. We now just use
  the upstream runc package (it's stable enough and Docker no longer pins git
  versions). docker-libnetwork is so unstable that it doesn't have any
  versioning scheme and so it really doesn't make sense to maintain the project
  as a separate package. bsc#1181641 bsc#1181677
- Remove no-longer-needed patch for packaging now that we've dropped
  docker-runc and docker-libnetwork.
  - 0001-PACKAGING-revert-Remove-docker-prefix-for-containerd.patch
- Update to Docker 20.10.2-ce. See upstream changelog in the packaged
  /usr/share/doc/packages/docker/CHANGELOG.md. bsc#1181594
- Remove upstreamed patches:
  - bsc1122469-0001-apparmor-allow-readby-and-tracedby.patch
  - boo1178801-0001-Add-docker-interfaces-to-firewalld-docker-zone.patch
- Add patches to fix build:
  + cli-0001-Rename-bin-md2man-to-bin-go-md2man.patch
- Since upstream has changed their source repo (again) we have to rebase all of
  our patches. While doing this, I've collapsed all patches into one branch
  per-release and thus all the patches are now just one series:
  - packaging-0001-revert-Remove-docker-prefix-for-containerd-and-runc-.patch
  + 0001-PACKAGING-revert-Remove-docker-prefix-for-containerd.patch
  - secrets-0001-daemon-allow-directory-creation-in-run-secrets.patch
  + 0002-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
  - secrets-0002-SUSE-implement-SUSE-container-secrets.patch
  + 0003-SECRETS-SUSE-implement-SUSE-container-secrets.patch
  - private-registry-0001-Add-private-registry-mirror-support.patch
  + 0004-PRIVATE-REGISTRY-add-private-registry-mirror-support.patch
  - bsc1073877-0001-apparmor-clobber-docker-default-profile-on-start.patch
  + 0005-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
dosfstools
- To be able to create filesystems compatible with previous
  version, add -g command line option to mkfs (boo#1188401,
  dosfstools-add-g.patch).
- BREAKING CHANGES:
  After fixing of bsc#1172863 in the last update, mkfs started to
  create different images than before. Applications that depend on
  exact FAT file format (e. g. embedded systems) may be broken in
  two ways:
  * The introduction of the alignment may create smaller images
    than before, with a different positions of important image
    elements. It can break existing software that expect images in
    doststools <= 4.1 style.
    To work around these problems, use "/-a"/ command line argument.
  * The new image may contain a different geometry values. Geometry
    sensitive applications expecting doststools <= 4.1 style images
    can fails to accept different geometry values.
    There is no direct work around for this problem. But you can
    take the old image, use "/file -s $IMAGE"/, check its
    "/sectors/track"/ and "/heads"/, and use them in the newly
    introduced "/-g"/ command line argument.
- Add fix-calculation.patch (gh#dosfstools/dosfstools#153, bsc#1172863)
  to work with different size of clusters.
drbd
- bsc#1189995, backport to fix the stuck in resync.
  Add patch fix-stuck-resync-when-cancelled.patch
- bsc#1183970, disconnect when invalid dual primaries
  Add patch disconnect-invalid-two-primaries.patch
drbd-utils
- bsc#1185132, all binaries in SLE-15 are position independent
  Add patch pie-fix.patch
e2fsprogs
- Remove autoreconf call from e2fsprogs.spec (bsc#1183791)
expat
- Security fix (CVE-2021-45960, bsc#1194251)
  * A left shift by 29 (or more) places in the storeAtts function
    in xmlparse.c can lead to realloc misbehavior.
  * Added expat-CVE-2021-45960.patch
- Security fix (CVE-2021-46143, bsc#1194362)
  * Integer overflow exists for m_groupSize in doProlog
  * Added expat-CVE-2021-46143.patch
- Security fix (CVE-2022-22822, bsc#1194474)
  * Integer overflow in addBinding in xmlparse.c
  * Added expat-CVE-2022-22822.patch
- Security fix (CVE-2022-22823, bsc#1194476)
  * Integer overflow in build_model in xmlparse.c
  * Added expat-CVE-2022-22823.patch
- Security fix (CVE-2022-22824, bsc#1194477)
  * Integer overflow in defineAttribute in xmlparse.c
  * Added expat-CVE-2022-22824.patch
- Security fix (CVE-2022-22825, bsc#1194478)
  * Integer overflow in lookup in xmlparse.c
  * Added expat-CVE-2022-22825.patch
- Security fix (CVE-2022-22826, bsc#1194479)
  * Integer overflow in nextScaffoldPart in xmlparse.c
  * Added expat-CVE-2022-22826.patch
- Security fix (CVE-2022-22827, bsc#1194480)
  * Integer overflow in storeAtts in xmlparse.c
  * Added expat-CVE-2022-22826.patch
- Refresh expat-CVE-2018-20843.patch as a p1 patch.
- Use %autosetup macro
expect
- bsc#1183904, expect-errorfd.patch:
  errorfd file descriptors should be closed when forking
- fix previous change regarding PIE linking. Passing SHLIB_CFLAGS="/-shared"/
  causes /usr/bin/expect to become a shared library that SEGFAULTs upon
  execution. Instead use SHLIB_LD to pass -shared only to shared library
  linking.
- pass explicit -pie flag to CFLAGS and hack `make` invocation so that
  /usr/bin/expect actually becomes a PIE binary. This is especially awkard
  since the expect build system implicitly passes -fPIC which breaks our
  gcc-PIE package, but does not pass -pie while linking the executable.
  Shared libraries are also not linked with -shared so we need to explicitly
  pass this, too, to avoid build breakage (bsc#1184122).
- Add an unversioned symlink to make linking easier for
  applications that use libexpect without Tcl (boo#1172681).
- New version 5.45.4:
  * Fix two bugs in EOF handling.
file
- Add patch bsc1189996-9fbe768a.patch to fix bsc#1189996
filesystem
- Remove duplicate line due to merge error
- add /etc/skel/.cache with perm 0700 (bsc#1181011)
- Set correct permissions when creating /proc and /sys
- Ignore postfix user (pulled in from buildsystem)
- /proc and /sys should be %ghost to allow filesystem package updates in
  rootless container environments (rh#1548403) (bsc#1146705)
- Split /var/tmp out of fs-var.conf, new file is fs-var-tmp.conf.
  Allows to override config to add cleanup options of /var/tmp
  [bsc#1078466]
- Create fs-tmp.conf to cleanup /tmp regular (required with tmpfs)
  [bsc#1175519]
- Fix bug about missing group in tmpfiles.d files
- Generic cleanup:
  - Remove /usr/local/games
gcc
- With gcc-PIE add -pie even when -fPIC is specified but we are
  not linking a shared library.  [boo#1185348]
- Fix postun of gcc-go alternative.
- Add gccgo symlink, add go and gofmt as alternatives to support
  parallel install of golang.  [bnc#1096677]
gcc7
- Adjust some ambiguous SPDX license specifications to prevent
  spec-cleaner from messing up.
- Add gcc7-pr55917.patch to do not handle exceptions in std::thread
  (jsc#CAR-1182)
- - Add gcc7-pfe-0001-Backport-Add-entry-for-patchable_function_entry.patch
  gcc7-pfe-0002-Backport-Skip-fpatchable-function-entry-tests-for-nv.patch
  gcc7-pfe-0003-Backport-Error-out-on-nvptx-for-fpatchable-function-.patch
  gcc7-pfe-0004-Backport-Adapt-scan-assembler-times-for-alpha.patch
  gcc7-pfe-0005-Backport-patchable_function_entry-decl.c-Use-3-NOPs-.patch
  gcc7-pfe-0006-Backport-IBM-Z-Use-the-dedicated-NOP-instructions-fo.patch
  gcc7-pfe-0007-Backport-Add-regex-to-search-for-uppercase-NOP-instr.patch
  gcc7-pfe-0008-Backport-ICE-segmentation-fault-with-patchable_funct.patch
  gcc7-pfe-0009-Backport-patchable_function_entry-decl.c-Pass-mcpu-g.patch
  gcc7-pfe-0010-Backport-patchable_function_entry-decl.c-Do-not-run-.patch
  gcc7-pfe-0011-Backport-patchable_function_entry-decl.c-Add-fno-pie.patch
  gcc7-pfe-0012-Backport-PR-c-89946-ICE-in-assemble_start_function-a.patch
  gcc7-pfe-0013-Backport-targhooks.c-default_print_patchable_functio.patch
  gcc7-pfe-0014-Backport-Align-__patchable_function_entries-to-POINT.patch
  gcc7-pfe-0015-Backport-Fix-PR-93242-patchable-function-entry-broke.patch
  gcc7-pfe-0016-Backport-AArch64-PR92424-Fix-fpatchable-function-ent.patch
  gcc7-pfe-0017-Backport-Fix-patchable-function-entry-on-arc.patch
  gcc7-pfe-0018-Backport-Add-patch_area_size-and-patch_area_entry-to.patch
  gcc7-pfe-0019-Backport-testsuite-Adjust-patchable_function-tests-f.patch
  gcc7-pfe-0020-Backport-Use-the-section-flag-o-for-__patchable_func.patch
  gcc7-pfe-0021-Backport-varasm-Fix-up-__patchable_function_entries-.patch
  gcc7-pfe-0022-Backport-rs6000-Avoid-fpatchable-function-entry-regr.patch
  gcc7-pfe-0023-Fix-unwinding-issues-when-pfe-is-enabled.patch
  to add -fpatchable-function-entry feature to gcc-7.
- Add gcc7-ada-MINSTKSZ.patch to fix build with glibc 2.34.
- Add bits/unistd_ext.h to the list of removed fixed includes.
- Add gcc7-sanitizer-cyclades.patch to remove cyclades.h use from
  libsanitizer fixing builds with recent kernels.
glib2
- Add glib2-CVE-2021-27218.patch: g_byte_array_new_take takes a
  gsize as length but stores in a guint, this patch will refuse if
  the length is larger than guint. (bsc#1182328,
  glgo#GNOME/glib!1944)
- Add glib2-CVE-2021-27219-add-g_memdup2.patch: g_memdup takes a
  guint as parameter and sometimes leads into an integer overflow,
  so add a g_memdup2 function which uses gsize to replace it.
  (bsc#1182362, glgo#GNOME/glib!1927, glgo#GNOME/glib!1933,
  glgo#GNOME/glib!1943)
glibc
- always-do-locking-when-iterating-over-list-of-streams.patch: Upstream
  part of fix-locking-in-_IO_cleanup.patch
- libio-do-not-attempt-to-free-wide-buffers-of-legacy-streams.patch:
  libio: do not attempt to free wide buffers of legacy streams
  (bsc#1183085, BZ #24228)
- fix-locking-in-_IO_cleanup.patch: rediff
- iconv-option-parsing.patch: Rewrite iconv option parsing
  (CVE-2016-10228, bsc#1027496, BZ #19519)
- wordexp-param-overflow.patch: wordexp: handle overflow in positional
  parameter number (CVE-2021-35942, bsc#1187911, BZ #28011)
- mq-notify-use-after-free.patch: Use __pthread_attr_copy in mq_notify
  (CVE-2021-33574, bsc#1186489, BZ #27896)
gmp
- Add gmp-6.2.1-CVE-2021-43618.patch to fix buffer overflow on
  malformed input to mpz_inp_raw.  [bsc#1192717, CVE-2021-43618]
gnutls
- Security fix: [bsc#1183456, CVE-2021-20232]
  * A use after free issue in client_send_params
    in lib/ext/pre_shared_key.c may lead to memory
    corruption and other potential consequences.
- Add gnutls-CVE-2021-20232.patch
- Security fix: [bsc#1183457, CVE-2021-20231]
  * A use after free issue in client sending key_share extension
    may lead to memory corruption and other consequences.
- Add gnutls-CVE-2021-20231.patch
gpg2
- Fix warning: agent returned different signature type ssh-rsa
  * The gpg-agent's ssh-agent does not handle flags in signing
    requests properly [bsc#1161268, bsc#1172308]
  * Add gnupg-gpg-agent-ssh-agent.patch
graphviz
-  Added graphviz-2.40.1-fix-dot-segfault.patch to fix a segfault in dot
  bsc#1151207
- Added graphviz-out-of-bounds-write.patch to fix CVE-2020-18032
  (bsc#1185833)
grub2
- Fix boot failure as journaled data not get drained due to abrupt power
  off after grub-install (bsc#1167756)
- Fix boot failure after kdump due to the content of grub.cfg is not
  completed with pending modificaton in xfs journal (bsc#1186975)
  * grub-install-force-journal-draining-to-ensure-data-i.patch
- Fix executable stack in grub-emu (bsc#1181696)
  * 0001-emu-fix-executable-stack-marking.patch
hawk2
- Update to version 2.6.4:
  * Fix wizards ui (bsc#1184274)
- Update to version 2.6.3:
  * Remove hawk_invoke and use capture3 instead of runas (bsc#1179999)(CVE-2020-35459)
  * Remove unnecessary chmod (bsc#1182166)(CVE-2021-25314)
  * Sanitize filename to contains whitelist of alphanumeric (bsc#1182165)
insserv-compat
- Require sysvinit-tools (boo#1187941)
ipvsadm
- Hardening: link as position independent executable (bsc#1184988).
  * Added ipvsadm-PIE.patch
java-1_8_0-ibm
- Update to Java 8.0 Service Refresh 7 Fix Pack 0 [bsc#1194232]
  [bsc#1194198, bsc#1192052, CVE-2021-41035]
  [bsc#1191902, CVE-2021-35560] [bsc#1191904, CVE-2021-35578]
  [bsc#1191914, CVE-2021-35586] [bsc#1191913, CVE-2021-35564]
  [bsc#1191911, CVE-2021-35559] [bsc#1191910, CVE-2021-35556]
  [bsc#1191909, CVE-2021-35565] [bsc#1191905, CVE-2021-35588]
- Update to Java 8.0 Service Refresh 6 Fix Pack 35
  [bsc#1188565, CVE-2021-2369] [bsc#1188564, CVE-2021-2341]
- Update to Java 8.0 Service Refresh 6 Fix Pack 30
  [bsc#1185056, CVE-2021-2161][bsc#1185055, CVE-2021-2163]
  * Service, Build, Packaging and Deliver:
  - Symlink issue reported for javaws in jre packages
  - ibmjceplus security provider depends on msvcr120.dll on windows
  * Class Libraries:
  - Exception in pure ipv6 environment in IBM sdk
  - Fix security vulnerability CVE-2021-2161
  - Update cacerts to include certificates from entrust and globalsign
  - Update timezone information to the latest tzdata2021a
  * Java Virtual Machine:
  - Sssertion failed at copyforwardscheme.cpp because a tag slot
    (0x3) was treated as an object
  - GPF event from method unlinkclassloadingconstraints
  - JVM takes more time to start up
  - xgc:classunloadingkickoffthreshold not working as expected
  * JIT Compiler:
  - The JIT incorrectly compiles a method consisting of non-javac
    generated bytecodes from java 8.0.6.20 and up to 8.0.6.30
  * Security:
  - httpsurlconnection drops the timeout and hangs forever in read
  - sslsocket that is never bound or connected leaks socket resources
  - TLS connection always receives close_notify exception
  - JSSE fails to open racf keystores
  - Kerberos ticket renewal fails with debug enabled following
    java.lang.illegalstateexception
  - Update JSSE to oracle jdk8u281 fix level
- Update to Java 8.0 Service Refresh 6 Fix Pack 26
  * Java Virtual Machine:
  - Behaviour change in getmethod for java8_sr6_fp20
  - Crash when outputting to verbose GC log using the specifier
    characters
  - Outofmemoryerror happens due to nursery heap space shortage
  * JIT Compiler:
  - Occasional assertion being triggered in code generation
  - SEGV when using hashmap$hashiterator.nextnode() in
    multiple threads concurrently
json-c
- Add patch bsc1171479.patch
  + fix integer overflow and out-of-bounds write (CVE-2020-12762, bsc#1171479)
kdump
- kdump-do-not-iterate-past-end-of-string.patch:
  URLParser::extractAuthority(): Do not iterate past end of string
  (bsc#1186037).
- kdump-fix-incorrect-exit-code-checking.patch: Fix incorrect exit
  code checking after "/local"/ with assignment (bsc#1184616
  LTC#192282).
- kdump-Add-bootdev-to-dracut-command-line.patch: Add 'bootdev=' to
  dracut command line (bsc#1182309).
- kdump-avoid-endless-loop-EAI_AGAIN.patch: Avoid an endless loop
  when resolving a hostname fails with EAI_AGAIN (bsc#1183070).
- kdump-install-etc-resolv.conf-using-resolved-path.patch: Install
  /etc/resolv.conf using its resolved path (bsc#1183070).
- kdump-query-systemd-network.service.patch: Query systemd
  network.service to find out if wicked is used (bsc#1182309).
- kdump-check-explicit-ip-options.patch: Do not add network-related
  dracut options if ip= is set explicitly (bsc#1182309).
- kdump-ensure-initrd.target.wants-directory.patch: Make sure that
  initrd.target.wants directory exists (bsc#1172670).
- kdump-activate-udev-rules-late-during-boot.patch: activate udev
  rules late during boot (bsc#1154837).
- kdump-make-sure-that-the-udev-runtime-directory-exists.patch:
  Make sure that the udev runtime directory exists (bsc#1164713).
- kdump-prefer-by-path-and-device-mapper.patch: Prefer by-path and
  device-mapper aliases over kernel names (bsc#1101149 LTC#168532).
- kdump-powerpc-no-reload-on-CPU-removal.patch: powerpc: Do not
  reload on CPU hot removal (bsc#1133407 LTC#176111).
- kdump-skip-mounts-if-no-proc-vmcore.patch: Skip kdump-related
  mounts if there is no /proc/vmcore (bsc#1102252 bsc#1125011).
- kdump-clean-up-kdump-mount-points.patch: Make sure that kdump
  mount points are cleaned up (bsc#1102252 bsc#1125011).
kernel-default
- Revert "/header.py: Reject Patch-mainline: No"/
  Allow Patch-mainline: No on historical branch.
- commit 93a453e
- config: disable unprivileged BPF by default (jsc#SLE-22913)
  Backport of mainline commit 8a03e56b253e ("/bpf: Disallow unprivileged bpf
  by default"/) only changes kconfig default, used e.g. for "/make oldconfig"/
  when the config option is missing, but does not update our kernel configs
  used for build. Update also these to make sure unprivileged BPF is really
  disabled by default.
- commit 5f769a4
- Refresh patches.suse/hisax-fix-spectre-issues.patch.
- commit 8ad1382
- bpf: Remove MTU check in __bpf_skb_max_len (bsc#1192045
  CVE-2021-0941).
- commit 9de0315
- osst: fix spectre issue in osst_verify_frame (bsc#1192802).
- mpt3sas: fix spectre issues (bsc#1192802).
- infiniband: fix spectre issue in ib_uverbs_write (bsc#1192802).
- hysdn: fix spectre issue in hycapi_send_message (bsc#1192802).
- hisax: fix spectre issues (bsc#1192802).
- gigaset: fix spectre issue in do_data_b3_req (bsc#1192802).
- iwlwifi: fix spectre issue in iwl_dbgfs_update_pm (bsc#1192802).
- drm: fix spectre issue in vmw_execbuf_ioctl (bsc#1192802).
- media: wl128x: get rid of a potential spectre issue
  (bsc#1192802).
- net: sock_diag: Fix spectre v1 gadget in __sock_diag_cmd()
  (bsc#1192802).
- sysvipc/sem: mitigate semnum index against spectre v1
  (bsc#1192802).
- media: dvb_ca_en50221: prevent using slot_info for Spectre
  attacs (bsc#1192802).
- media: dvb_ca_en50221: sanity check slot number from userspace
  (bsc#1192802).
- commit f2e7f94
- bpf: Disallow unprivileged bpf by default (jsc#SLE-22913).
- bpf: Add kconfig knob for disabling unpriv bpf
  by default (jsc#SLE-22913)
- Update config files: Add
  CONFIG_BPF_UNPRIV_DEFAULT_OFF is not set
- commit 065d420
- dm ioctl: fix out of bounds array access when no devices
  (CVE-2021-31916 bsc#1192781).
- commit 0ab7d09
- ipv4: make exception cache less predictible (bsc#1191790,
  CVE-2021-20322).
- ipv4: use siphash instead of Jenkins in fnhe_hashfun()
  (bsc#1191790, CVE-2021-20322).
- commit 74af5bd
- Revert "/config.sh: Build cve/linux-4.12 against SLE15-SP1."/
  This reverts commit ec3bd8c5b541a336b6608cd92493d50ba56230dc.
  See https://github.com/openSUSE/suse-module-tools/pull/44
- commit bede44a
- Bluetooth: cmtp: fix file refcount when cmtp_attach_device fails
  (bsc#1191961 CVE-2021-34981).
- commit 0392318
- cpufreq: intel_pstate: Add Icelake servers support in no-HWP
  mode (bsc#1185758,bsc#1192400).
- commit 83a28a8
- x86/CPU: Add more Icelake model numbers (bsc#1185758,bsc#1192400).
- commit c8e7a88
- config.sh: Build cve/linux-4.12 against SLE15-SP1.
  SLE15 is no longer updated and we will need recent update to
  suse-module-tools to continue building the kernel.
- commit ec3bd8c
- ftrace: Fix scripts/recordmcount.pl due to new binutils
  (bsc#1192267).
- commit adeb3ce
- usb: hso: fix error handling code of hso_create_net_device
  (bsc#1188601 CVE-2021-37159).
- commit 3ae1a19
- blacklist.conf: blacklist pair of obsoleted patches
  (bsc#1188601 CVE-2021-37159)
- commit 2c55ec1
- sctp: add vtag check in sctp_sf_ootb (CVE-2021-3772
  bsc#1190351).
- sctp: add vtag check in sctp_sf_do_8_5_1_E_sa (CVE-2021-3772
  bsc#1190351).
- sctp: add vtag check in sctp_sf_violation (CVE-2021-3772
  bsc#1190351).
- sctp: fix the processing for COOKIE_ECHO chunk (CVE-2021-3772
  bsc#1190351).
- sctp: fix the processing for INIT_ACK chunk (CVE-2021-3772
  bsc#1190351).
- sctp: fix the processing for INIT chunk (CVE-2021-3772
  bsc#1190351).
- sctp: use init_tag from inithdr for ABORT chunk (CVE-2021-3772
  bsc#1190351).
- sctp: check asoc peer.asconf_capable before processing asconf
  (bsc#1190351).
- commit 81f6dbd
- sctp: add param size validation for SCTP_PARAM_SET_PRIMARY
  (CVE-2021-3655 bsc#1188563).
- sctp: validate chunk size in __rcv_asconf_lookup (CVE-2021-3655
  bsc#1188563).
- sctp: add size validation when walking chunks (CVE-2021-3655
  bsc#1188563).
- commit b0a2686
- cipso,calipso: resolve a number of problems with the DOI
  refcounts (CVE-2021-33033 bsc#1186109).
- commit 017dde5
- nfc: nci: fix the UAF of rf_conn_info object (CVE-2021-3760
  bsc#1190067).
- commit 6401849
- Update patch reference for a firewire fix (CVE-2021-42739 CVE-2021-3542 bsc#1184673)
- commit 7614f38
- xfs: fix up non-directory creation in SGID directories
  (bsc#1190006 CVE-2018-13405).
- commit 888b5ee
- xfs: remove the icdinode di_uid/di_gid members (bsc#1190006
  CVE-2018-13405).
- commit d7d9af2
- xfs: ensure that the inode uid/gid match values match the
  icdinode ones (bsc#1190006 CVE-2018-13405).
- commit f969983
- kabi: hide return value type change of sctp_af::from_addr_param
  (CVE-2021-3655 bsc#1188563).
- sctp: fix return value check in __sctp_rcv_asconf_lookup
  (CVE-2021-3655 bsc#1188563).
- sctp: validate from_addr_param return (CVE-2021-3655
  bsc#1188563).
- sctp: fully initialize v4 addr in some functions (bsc#1188563).
- commit 535a60e
- Update
  patches.suse/net_sched-cls_route-remove-the-right-filter-from-has.patch
  references (add CVE-2021-3715 bsc#1190349).
- commit 2e6d83a
- net: mana: Fix error handling in mana_create_rxq() (git-fixes,
  bsc#1191800).
- commit 77fef0c
- media: firewire: firedtv-avc: fix a buffer overflow in
  avc_ca_pmt() (CVE-2021-3542 bsc#1184673).
- commit d196d58
- powerpc/bpf: Emit stf barrier instruction sequences
  for BPF_NOSPEC (bsc#1188983 CVE-2021-34556 bsc#1188985
  CVE-2021-35477).
- powerpc/security: Add a helper to query stf_barrier type
  (bsc#1188983 CVE-2021-34556 bsc#1188985 CVE-2021-35477).
- powerpc/bpf: Validate branch ranges (bsc#1188983 CVE-2021-34556
  bsc#1188985 CVE-2021-35477).
- powerpc/lib: Add helper to check if offset is within
  conditional branch range (bsc#1188983 CVE-2021-34556 bsc#1188985
  CVE-2021-35477).
- commit d4beb54
- Move upstreamed bpf patch into sorted section
- commit 848cbf8
- soc: aspeed: lpc-ctrl: Fix boundary check for mmap
  (CVE-2021-42252 bsc#1190479).
- commit 5b9f8af
- bpf: Fix integer overflow in prealloc_elems_and_freelist()
  (bsc#1191317, CVE-2021-41864).
- commit d0cde41
- net: 6pack: fix slab-out-of-bounds in decode_data
  (CVE-2021-42008 bsc#1191315).
- commit 7ea0770
- ipc: remove memcg accounting for sops objects in do_semtimedop()
  (bsc#1190115 CVE-2021-3759).
- Delete
  patches.suse/ipc-remove-memcg-accounting-for-sops-objects.patch.
  This commit is effectively patch refresh but filename changed too. This
  only adds metadata to the patch after it was accepted upstream.
- commit d2aacd0
- kABI compatibility for ath_key_delete() changes (CVE-2020-3702
  bsc#1191193).
- commit f8ebcef
- ath9k: Postpone key cache entry deletion for TXQ frames
  reference it (CVE-2020-3702 bsc#1191193).
- ath: Modify ath_key_delete() to not need full key entry
  (CVE-2020-3702 bsc#1191193).
- ath: Export ath_hw_keysetmac() (CVE-2020-3702 bsc#1191193).
- ath9k: Clear key cache explicitly on disabling hardware
  (CVE-2020-3702 bsc#1191193).
- ath: Use safer key clearing with key cache entries
  (CVE-2020-3702 bsc#1191193).
- commit 9bf1f45
- kabi/severities: skip kABI check for ath9k-local symbols (CVE-2020-3702 bsc#1191193)
  ath9k modules have some exported symbols for the common helpers
  and the recent fixes broke kABI of those.  They are specific to
  ath9k's own usages, so safe to ignore.
- commit b554871
- net/mlx4_en: Handle TX error CQE (bsc#1181854).
- net/mlx4_en: Avoid scheduling restart task if it is already
  running (bsc#1181854).
- commit 806c43a
- net: mana: Add WARN_ON_ONCE in case of CQE read overflow (jsc#SLE-18779, bsc#1185726).
- net: mana: Add support for EQ sharing (jsc#SLE-18779, bsc#1185726).
- net: mana: Move NAPI from EQ to CQ (jsc#SLE-18779, bsc#1185726).
- net: mana: Fix a memory leak in an error handling path in (jsc#SLE-18779, bsc#1185726).
- net: mana: Use int to check the return value of mana_gd_poll_cq() (jsc#SLE-18779, bsc#1185726).
- net: mana: fix PCI_HYPERV dependency (jsc#SLE-18779, bsc#1185726).
- net: mana: remove redundant initialization of variable err (jsc#SLE-18779, bsc#1185726).
- hv: mana: remove netdev_lockdep_set_classes usage (jsc#SLE-18779, bsc#1185726).
- hv: mana: adjust mana_select_queue to old API (jsc#SLE-18779, bsc#1185726).
- hv: mana: fake bitmap API (jsc#SLE-18779, bsc#1185726).
- net: mana: Add a driver for Microsoft Azure Network Adapter (MANA) (jsc#SLE-18779, bsc#1185726).
- commit e05a8bb
- Bluetooth: check for zapped sk before connecting (CVE-2021-3752
  bsc#1190023).
- commit 7504476
- net: sched: sch_teql: fix null-pointer dereference
  (bsc#1190717).
- commit a4b5f51
- s390/bpf: Fix optimizing out zero-extensions (bsc#1190601).
- s390/bpf: Fix 64-bit subtraction of the -0x80000000 constant
  (bsc#1190601).
- s390/bpf: Fix branch shortening during codegen pass
  (bsc#1190601).
- s390/bpf: Wrap JIT macro parameter usages in parentheses
  (bsc#1190601).
- s390: bpf: implement jitting of BPF_ALU | BPF_ARSH | BPF_*
  (bsc#1190601).
- commit 79e76b1
- ext4: fix race writing to an inline_data file while its xattrs
  are changing (bsc#1190159 CVE-2021-40490).
- commit 3973759
- crypto: ccp - fix resource leaks in ccp_run_aes_gcm_cmd()
  (bsc#1189884 CVE-2021-3744 bsc#1190534 CVE-2021-3764).
- commit 5fef1e1
- ipc: remove memcg accounting for sops objects in do_semtimedop()
  (bsc#1190115).
- commit 2e73db0
- bpf: Fix leakage due to insufficient speculative store bypass mitigation
  (bsc#1188983, bsc#1188985, CVE-2021-34556, CVE-2021-35477).
- Refresh
  patches.kabi/bpf-prevent-memory-disambiguation-attack.patch.
- Refresh
  patches.kabi/bpf-prevent-out-of-bounds-speculation-on-pointer-ari.patch.
- commit 15cd454
- scsi: sg: add sg_remove_request in sg_write (bsc#1171420
  CVE-2020-12770).
- commit c1e2c47
- Bluetooth: schedule SCO timeouts with delayed_work
  (CVE-2021-3640 bsc#1188172).
- Refresh patches.kabi/bt_accept_enqueue-kabi-workaround.patch.
- Refresh patches.suse/Bluetooth-switch-to-lock_sock-in-SCO.patch.
- commit adfd842
- Revert "/memcg: enable accounting for file lock caches (bsc#1190115)."/
  This reverts commit 912b4421a3e9bb9f0ef1aadc64a436666259bd4d.
  It's effectively upstream commit
  3754707bcc3e190e5dadc978d172b61e809cb3bd applied to kernel-source (to
  avoid proliferation of patches). Make a note in blacklist.conf too.
- commit 84da196
- vhost: scsi: add weight support (CVE-2019-3900 bsc#1133374).
- vhost: vsock: add weight support (CVE-2019-3900 bsc#1133374).
- vhost_net: fix possible infinite loop (CVE-2019-3900 bsc#1133374).
- refresh patches.kabi/kabi-mask-changes-to-vhost_dev_init-and-struct-vhost.patch
- kabi: mask changes to vhost_dev_init() and struct vhost_dev
  (CVE-2019-3900 bsc#1133374).
- vhost: introduce vhost_exceeds_weight() (CVE-2019-3900
  bsc#1133374).
- vhost_net: introduce vhost_exceeds_weight() (CVE-2019-3900
  bsc#1133374).
- refresh patches.suse/vhost-log-dirty-page-correctly.patch
- vhost_net: use packet weight for rx handler, too (CVE-2019-3900
  bsc#1133374).
- refresh patches.suse/vhost-log-dirty-page-correctly.patch
- vhost-net: set packet weight of tx polling to 2 * vq size
  (CVE-2019-3900 bsc#1133374).
- commit fac5272
- sctp: implement memory accounting on rx path (CVE-2019-3874
  bsc#1129898).
- sctp: implement memory accounting on tx path (CVE-2019-3874
  bsc#1129898).
- commit d1cd2ad
- Update
  patches.suse/l2tp-pass-tunnel-pointer-to-session_create.patch
  references (add CVE-2018-9517 bsc#1108488).
- commit 902e6bb
- memcg: enable accounting of ipc resources (bsc#1190115
  CVE-2021-3759).
- memcg: enable accounting for file lock caches (bsc#1190115).
- commit e2a14e4
- virtio_console: Assure used length from device is limited
  (CVE-2021-38160 bsc#1190117).
- commit 495fc27
- Bluetooth: sco: Fix lock_sock() blockage by memcpy_from_msg()
  (CVE-2021-3640 bsc#1188172).
- commit d78ba89
- Move upstreamed BT fixes into sorted section
- commit 52a00c3
- vt_kdsetmode: extend console locking (bsc#1190025
  CVE-2021-3753).
- commit 9420ba7
- ovl: prevent private clone if bind mount is not allowed
  (bsc#1189706, CVE-2021-3732).
- ovl: fix dentry leak in ovl_get_redirect (bsc#1189846).
- ovl: initialize error in ovl_copy_xattr (bsc#1189846).
- ovl: relax WARN_ON() on rename to self (bsc#1189846).
- ovl: filter of trusted xattr results in audit (bsc#1189846).
- ovl: check whiteout in ovl_create_over_whiteout() (bsc#1189846).
- commit 1f3eb84
- PCI: hv: Use expected affinity when unmasking IRQ (bsc#1185973).
- commit c241169
- bpf: Introduce BPF nospec instruction for mitigating Spectre v4
  (bsc#1188983, bsc#1188985, CVE-2021-34556, CVE-2021-35477).
- commit 84b20f7
- KVM: nSVM: avoid picking up unsupported bits from L2 in int_ctl
  (bsc#1189399, CVE-2021-3653).
- KVM: nSVM: always intercept VMLOAD/VMSAVE when nested
  (bsc#1189400, CVE-2021-3656).
- KVM: X86: MMU: Use the correct inherited permissions to get
  shadow page (CVE-2021-38198 bsc#1189262).
- commit 9c35f8d
- Bluetooth: switch to lock_sock in SCO (CVE-2021-3640
  bsc#1188172).
- Bluetooth: avoid circular locks in sco_sock_connect
  (CVE-2021-3640 bsc#1188172).
- commit 73d3a49
- Bluetooth: defer cleanup of resources in hci_unregister_dev()
  (CVE-2021-3640 bsc#1188172).
- commit c8012e0
- usb: max-3421: Prevent corruption of freed memory
  (CVE-2021-38204 bsc#1189291).
- commit cfb9fc6
- tracing: Fix bug in rb_per_cpu_empty() that might cause deadloop
  (CVE-2021-3679 bsc#1189057).
- commit dfd73b3
- powerpc/pesries: Get STF barrier requirement from
  H_GET_CPU_CHARACTERISTICS (CVE-2018-3639 bsc#1087082 git-fixes bsc#1188885 ltc#193722).
- powerpc/security: Add a security feature for STF barrier
  (CVE-2018-3639 bsc#1087082 git-fixes bsc#1188885 ltc#193722).
- powerpc/pseries: Get entry and uaccess flush required bits
  from H_GET_CPU_CHARACTERISTICS (CVE-2020-4788 bsc#1177666 git-fixes bsc#1188885 ltc#193722).
- powerpc/64s: rename pnv|pseries_setup_rfi_flush to
  _setup_security_mitigations (CVE-2018-3639, bsc#1087082, bsc#1188885 ltc#193722).
- commit bd9e95f
- net: mac802154: Fix general protection fault (CVE-2021-3659
  bsc#1188876).
- commit c0396b9
- xfrm: xfrm_state_mtu should return at least 1280 for ipv6
  (bsc#1185377).
- commit 6f8f910
- Update
  patches.suse/l2tp-ensure-sessions-are-freed-after-their-PPPOL2TP-.patch
  references (add CVE-2020-0429 bsc#1176724).
- Update
  patches.suse/l2tp-fix-race-between-l2tp_session_delete-and-l2tp_t.patch
  references (add CVE-2020-0429 bsc#1176724).
- commit b29ebd9
- use 3.0 SPDX identifier in rpm License tags
  As requested by Maintenance, change rpm License tags from "/GPL-2.0"/
  (SPDX 2.0) to "/GPL-2.0-only"/ (SPDX 3.0) so that their scripts do not have
  to adjust the tags with each maintenance update submission.
- commit f888e0b
- KVM: PPC: Book3S: Fix H_RTAS rets buffer overflow (bsc#1188838
  CVE-2021-37576).
- commit 50c1fab
- KVM: do not allow mapping valid but non-reference-counted pages
  (bsc#1186482, CVE-2021-22543).
- KVM: Use kvm_pfn_t for local PFN variable in
  hva_to_pfn_remapped() (bsc#1186482, CVE-2021-22543).
- KVM: do not assume PTE is writable after follow_pfn
  (bsc#1186482, CVE-2021-22543).
- kvm: Map PFN-type memory regions as writable (if possible)
  (bsc#1186482, CVE-2021-22543).
- commit 9c4f9b4
- Update seq_file fix to the upstreamed one and moved into sorted section (bsc#1188062, CVE-2021-33909).
- commit 175d85f
- rpm/kernel-binary.spec.in: Do not install usrmerged kernel on Leap
  (boo#1184804).
- commit 5b51131
- netfilter: x_tables: fix compat match/target pad out-of-bound
  write (CVE-2021-22555 bsc#1188116).
- commit 62f1359
- kabi: preserve struct header_ops after bsc#1176081 fix
  (bsc#1176081).
- af_packet: fix the tx skb protocol in raw sockets with ETH_P_ALL
  (bsc#1176081).
- net/mlx5e: Trust kernel regarding transport offset
  (bsc#1176081).
- net/mlx5e: Remove the wrong assumption about transport offset
  (bsc#1176081).
- net/packet: Remove redundant skb->protocol set (bsc#1176081).
- net/packet: Ask driver for protocol if not provided by user
  (bsc#1176081).
- net/ethernet: Add parse_protocol header_ops support
  (bsc#1176081).
- net: Introduce parse_protocol header_ops callback (bsc#1176081).
- net: Don't set transport offset to invalid value (bsc#1176081).
  Refresh patches.suse/tun-properly-test-for-IFF_UP.patch
- commit ec37ca9
- rpm/kernel-binary.spec.in: Remove zdebug define used only once.
- commit 85a9fc2
- kernel-binary.spec: Exctract s390 decompression code (jsc#SLE-17042).
- commit 7f97df2
- seq_file: Disallow extremely large seq buffer allocations (bsc#1188062, CVE-2021-33909).
- commit c848c42
- kernel-binary.spec: Fix up usrmerge for non-modular kernels.
- commit d718cd9
- can: bcm: delay release of struct bcm_op after synchronize_rcu()
  (CVE-2021-3609 bsc#1187215).
- commit 36fe7da
- kernel-binary.spec: Remove obsolete and wrong comment
  mkmakefile is repleced by echo on newer kernel
- commit d9209e7
- bpf: Fix leakage under speculation on mispredicted branches
  (bsc#1187554,CVE-2021-33624).
- commit daa92a2
- af_key: pfkey_dump needs parameter validation (CVE-2021-0605
  bsc#1187601).
- commit 685407a
- HID: make arrays usage and value to be the same (CVE-2021-0512
  bsc#1187595).
- commit 3d7a48c
- Update patch reference for a BT fix (CVE-2020-26558)
- commit ee30101
- can: bcm: fix infoleak in struct bcm_msg_head (CVE-2021-34693
  bsc#1187452).
- commit 8f80d3a
- UsrMerge the kernel (boo#1184804)
- Move files in /boot to modules dir
  The file names in /boot are included as %ghost links. The %post script
  creates symlinks for the kernel, sysctl.conf and System.map in
  /boot for compatibility. Some tools require adjustments before we
  can drop those links. If boot is a separate partition, a copy is
  used instead of a link.
  The logic for /boot/vmlinuz and /boot/initrd doesn't change with
  this patch.
- Use /usr/lib/modules as module dir when usermerge is active in the
  target distro.
- commit 6f5ed04
- kernel-binary.spec.in: Regenerate makefile when not using mkmakefile.
- commit 6b30fe5
- rpm/kernel-binary.spec.in: Fix handling of +arch marker (bsc#1186672)
  The previous commit made a module wrongly into Module.optional.
  Although it didn't influence on the end result, better to fix it.
  Also, add a comment to explain the markers briefly.
- commit 8f79742
- Add arch-dependent support markers in supported.conf (bsc#1186672)
  We may need to put some modules as supported only on specific archs.
  This extends the supported.conf syntax to allow to put +arch additionally
  after the unsupported marker, then it'll be conditionally supported on
  that arch.
- commit 8cbdb41
- Create Symbols.list and ipa-clones.list determistically
  without this patch, filesystem readdir order would influence
  order of entries in these files.
  This patch was done while working on reproducible builds for SLE.
- commit a898b6d
- RDMA/ucma: Rework ucma_migrate_id() to avoid races with destroy (bsc#1187050, CVE-2020-36385)
- commit ee0f2cc
- Bluetooth: SMP: Fail if remote and local public keys are
  identical (bsc#1186463 CVE-2021-0129).
- commit effcfea
- kernel-binary.spec.in: Add Supplements: for -extra package on Leap
  kernel-$flavor-extra should supplement kernel-$flavor on Leap, like
  it does on SLED, and like the kernel-$flavor-optional package does.
- commit c60d87f
- Bluetooth: Fix slab-out-of-bounds read in
  hci_extended_inquiry_result_evt() (CVE-2020-36386 bsc#1187038).
- commit e0be120
- cfg80211: mitigate A-MSDU aggregation attacks (CVE-2020-24588
  bsc#1185861).
- commit 821e5ae
- Refresh patches.suse/bpf-prevent-out-of-bounds-speculation-on-pointer-ari.patch.
  Adjust the diff for fixup_bpf_calls() to apply to the correct code block
- commit dd58306
- kernel-binary.spec.in: build-id check requires elfutils.
- commit 01569b3
- kernel-binary.spec: Only use mkmakefile when it exists
  Linux 5.13 no longer has a mkmakefile script
- commit b453c7b
- bpf: No need to simulate speculative domain for immediates
  (bsc#1186484,CVE-2021-33200).
- bpf: Fix leakage of uninitialized bpf stack under speculation (bsc#1186484,CVE-2021-33200).
  Refresh patches.suse/bpf-Wrap-aux-data-inside-bpf_sanitize_info-container.patch
- bpf: Fix masking negation logic upon negative dst register
  (bsc#1186484,CVE-2021-33200).
- commit b1c6278
- bpf: Fix mask direction swap upon off reg sign change
  (bsc#1186484,CVE-2021-33200).
- bpf: Wrap aux data inside bpf_sanitize_info container
  (bsc#1186484,CVE-2021-33200).
- commit 3ce8728
- powerpc/64s: Fix crashes when toggling entry flush barrier
  (CVE-2020-4788 bsc#1177666 git-fixes).
- commit 3917f8f
- powerpc/64s: Fix crashes when toggling stf barrier (CVE-2018-3639 bsc#1087082 git-fixes).
- commit 2a6a70d
- kABI workaround for hci_chan amp field addition (CVE-2021-33034
  bsc#1186111).
- commit 53b1091
- Bluetooth: verify AMP hci_chan before amp_destroy
  (CVE-2021-33034 bsc#1186111).
- commit daddd4e
- video: hyperv_fb: Add ratelimit on error message (bsc#1185725).
- Drivers: hv: vmbus: Increase wait time for VMbus unload
  (bsc#1185725).
- Drivers: hv: vmbus: Initialize unload_event statically
  (bsc#1185725).
- commit 45edadf
- Correct CVE number for a mac80211 fix (CVE-2020-26139 bsc#1186062)
- commit 9e5446b
- net/nfc: fix use-after-free llcp_sock_bind/connect
  (CVE-2021-23134 bsc#1186060).
- commit 577df82
- kABI workaround for cfg80211 changes (CVE-2020-24586
  bsc#1185859).
- ath10k: Validate first subframe of A-MSDU before processing
  the list (CVE-2020-26141 bsc#1185863 bsc#1185987).
- ath10k: Fix TKIP Michael MIC verification for PCIe
  (CVE-2020-26141 bsc#1185863 bsc#1185987).
- ath10k: drop fragments with multicast DA for PCIe
  (CVE-2020-26145 bsc#1185860).
- mac80211: extend protection against mixed key and fragment
  cache attacks (CVE-2020-24586 bsc#1185859).
- mac80211: do not accept/forward invalid EAPOL frames
  (CVE-2020-24587 CVE-2020-24586 bsc#1185863 bsc#1185862
  bsc#1185859).
- mac80211: prevent attacks on TKIP/WEP as well (CVE-2020-24586
  bsc#1185859).
- mac80211: check defrag PN against current frame (CVE-2020-24587
  CVE-2020-24586 bsc#1185863 bsc#1185862 bsc#1185859).
- mac80211: add fragment cache to sta_info (CVE-2020-24587
  CVE-2020-24586 bsc#1185863 bsc#1185859).
- mac80211: drop A-MSDUs on old ciphers (CVE-2020-24587
  CVE-2020-24586 bsc#1185863 bsc#1185862 bsc#1185859).
- mac80211: properly handle A-MSDUs that start with an RFC 1042
  header (CVE-2020-24587 CVE-2020-24586 bsc#1185863 bsc#1185862
  bsc#1185859).
- mac80211: prevent mixed key and fragment cache attacks
  (CVE-2020-24587 CVE-2020-24586 bsc#1185863 bsc#1185862
  bsc#1185859).
- mac80211: assure all fragments are encrypted (CVE-2020-26147
  bsc#1185863 bsc#1185859).
- commit f9c088d
- scripts/git_sort/git_sort.py: add bpf git repo
- commit 65979e3
- proc: Avoid mixing integer types in mem_rw() (CVE-2021-3491
  bsc#1185642).
- commit fb84449
- blacklist: add commit b166a20b0738
  Mainline commit b166a20b0738 ("/net/sctp: fix race condition in
  sctp_destroy_sock"/) was found buggy so that it was reverted by commit
  01bfe5e8e428 ("/Revert "/net/sctp: fix race condition in sctp_destroy_sock"/"/)
  and replaced by a new fix, commit 34e5b0118685 ("/sctp: delay auto_asconf
  init until binding the first addr"/).
- commit 23ad848
- sctp: delay auto_asconf init until binding the first addr
  (CVE-2021-23133 bsc#1184675).
- commit c06b5aa
- bluetooth: eliminate the potential race condition when removing
  the HCI controller (CVE-2021-32399 bsc#1185898).
- commit 4b51cab
- dm: fix redundant IO accounting for bios that need splitting
  (bsc#1183738).
- commit 917e1b1
- kernel-docs.spec.in: Build using an utf-8 locale.
  Sphinx cannot handle UTF-8 input in non-UTF-8 locale.
- commit 0db6da1
- rpm: drop /usr/bin/env in interpreter specification
  OBS checks don't like /usr/bin/env in script interpreter lines but upstream
  developers tend to use it. A proper solution would be fixing the depedency
  extraction and drop the OBS check error but that's unlikely to happen so
  that we have to work around the problem on our side and rewrite the
  interpreter lines in scripts before collecting files for packages instead.
- commit 45c5c1a
- scripts/git_sort/git_sort.py: Update nvme repositories
- commit e849c44
- KVM: Add proper lockdep assertion in I/O bus unregister
  (CVE-2020-36312 bsc#1184509).
- KVM: Stop looking for coalesced MMIO zones if the bus is
  destroyed (CVE-2020-36312 bsc#1184509).
- KVM: Destroy I/O bus devices on unregister failure _after_
  sync'ing SRCU (CVE-2020-36312 bsc#1184509).
- commit bc1f707
- rpm/constraints.in: bump disk space to 45GB on riscv64
- commit f8b883f
- rpm/constraints.in: remove aarch64 disk size exception
  obs://Kernel:stable/kernel-default/ARM/aarch64 currrently fails:
  installing package kernel-default-livepatch-devel-5.12.0-3.1.g6208a83.aarch64 needs 3MB more space on the / filesystem
  The stats say:
  Maximal used disk space: 31799 Mbyte
  By default, we require 35G. For aarch64 we had an exception to lower
  this limit to 30G there. Drop this exception as it is obviously no
  longer valid.
- commit ee00b50
- hv_netvsc: remove ndo_poll_controller (bsc#1185248).
- commit fb443e9
- netfilter: x_tables: Use correct memory barriers (bsc#1184208
  CVE-2021-29650).
- commit 719c6a8
- rpm/macros.kernel-source: fix KMP failure in %install (bsc#1185244)
- commit 52805ed
- rpm/kernel-obs-build.spec.in: Include essiv with dm-crypt (boo#1183063).
  Previously essiv was part of dm-crypt but now it is separate.
  Include the module in kernel-obs-build when available.
  Fixes: 7cf5b9e26d87 ("/rpm/kernel-obs-build.spec.in: add dm-crypt for building with cryptsetup"/)
- commit fe15b78
- Revert "/rpm/kernel-binary.spec.in: Fix dependency of kernel-*-devel package (bsc#1184514)"/
  This turned out to be a bad idea: the kernel-$flavor-devel package
  must be usable without kernel-$flavor, e.g. at the build of a KMP.
  And this change brought superfluous installation of kernel-preempt
  when a system had kernel-syms (bsc#1185113).
- commit d771304
- rpm/check-for-config-changes: add AS_HAS_* to ignores
  arch/arm64/Kconfig defines a lot of these. So far our current compilers
  seem to support them all. But it can quickly change with SLE later.
- commit a4d8194
- bpf: Tighten speculative pointer arithmetic mask (bsc#1184942
  CVE-2021-29155).
- bpf: Move sanitize_val_alu out of op switch (bsc#1184942
  CVE-2021-29155).
- bpf: Refactor and streamline bounds check into helper
  (bsc#1184942 CVE-2021-29155).
- bpf: Improve verifier error messages for users (bsc#1184942
  CVE-2021-29155).
- bpf: Rework ptr_limit into alu_limit and add common error path
  (bsc#1184942 CVE-2021-29155).
- bpf: Ensure off_reg has no mixed signed bounds for all types
  (bsc#1184942 CVE-2021-29155).
- bpf: Move off_reg into sanitize_ptr_alu (bsc#1184942
  CVE-2021-29155).
- commit c3fe286
- blacklist.conf: Add b6b79dd53082 powerpc/64s: Fix allnoconfig build
  since uaccess flush
- commit e9d5937
- Refresh ppc L1D flush patch metadata.
- commit 9db13af
- rpm/check-for-config-changes: remove stale comment
  It is stale since 8ab393bf905a committed in 2005 :).
- commit c9f9f5a
- rpm/mkspec: Use tilde instead of dot for version string with rc (bsc#1184650)
- commit f37613f
- Update bsc#1184170 fixes to fix a mistakenly modified BPF instruction
- Refresh
  patches.suse/bpf-Fix-32-bit-src-register-truncation-on-div-mod.patch.
- Refresh
  patches.suse/bpf-Fix-truncation-handling-for-mod32-dst-reg-wrt-ze.patch
- commit e62aa97
- KVM: SVM: avoid infinite loop on NPF from bad address (CVE-2020-36310 bsc#1184512).
- commit a90e23c
- rpm/kernel-binary.spec.in: Fix dependency of kernel-*-devel package (bsc#1184514)
  The devel package requires the kernel binary package itself for building
  modules externally.
- commit 794be7b
- KVM: fix memory leak in kvm_io_bus_unregister_dev() (CVE-2020-36312 bsc#1184509).
- commit 8663791
- xen/events: fix setting irq affinity (bsc#1184583 XSA-332
  CVE-2020-27673).
- commit de73046
- bpf, x86: Validate computation of branch displacements for
  x86-64 (bsc#1184391 CVE-2021-29154).
- commit 1d1eb4d
- nfc: Avoid endless loops caused by repeated llcp_sock_connect()
  (CVE-2020-25673 bsc#1178181).
- nfc: fix memory leak in llcp_sock_connect() (CVE-2020-25672
  bsc#1178181).
- nfc: fix refcount leak in llcp_sock_connect() (CVE-2020-25671
  bsc#1178181).
- nfc: fix refcount leak in llcp_sock_bind() (CVE-2020-25670
  bsc#1178181).
- commit 71faffc
- KVM: SVM: Periodically schedule when unregistering regions on
  destroy (bsc#1184511 CVE-2020-36311).
- commit e140650
- rpm/check-for-config-changes: Also ignore AS_VERSION added in 5.12.
- commit bd64cb2
- post.sh: Return an error when module update fails (bsc#1047233 bsc#1184388).
- commit 18f65df
- Update bsc#1184170 fixes to do 32bit jump correctly
- Refresh
  patches.suse/bpf-Fix-32-bit-src-register-truncation-on-div-mod.patch.
- Refresh
  patches.suse/bpf-Fix-truncation-handling-for-mod32-dst-reg-wrt-ze.patch.
- commit c609295
- fuse: fix live lock in fuse_iget() (bsc#1184211 CVE-2021-28950).
- fuse: fix bad inode (bsc#1184211 CVE-2020-36322).
- commit 920863f
- hv: clear ring_buffer pointer during cleanup (part of ae6935ed) (bsc#1181032).
- commit 2867407
- media: v4l: ioctl: Fix memory leak in video_usercopy
  (bsc#1184120 CVE-2021-30002).
- commit 26d6beb
- media: v4l: ioctl: Fix memory leak in video_usercopy
  (bsc#1184120 CVE-2021-30002).
- commit 08b20fe
- firewire: nosy: Fix a use-after-free bug in nosy_ioctl()
  (CVE-2021-3483 bsc#1184393).
- commit 9292696
- Update patch reference of tty fix (CVE-2021-20219 bsc#1184397)
- commit b4b1b38
- btrfs: fix race when cloning extent buffer during rewind of
  an old root (bsc#1184193 CVE-2021-28964).
- commit 8039ed4
- bpf: Fix truncation handling for mod32 dst reg wrt zero
  (bsc#1184170 CVE-2021-3444).
- bpf: Fix 32 bit src register truncation on div/mod
  (bsc#1184170).
- commit 0962666
- bpf: fix subprog verifier bypass by div/mod by 0 exception (bsc#1184170).
- Refresh
  patches.suse/bpf-move-tmp-variable-into-ax-register-in-interprete.patch.
- commit 4d5a2c3
- perf/x86/intel: Fix a crash caused by zero PEBS status
  (CVE-2021-28971 bsc#1184196).
- commit 40c1d32
- xen-blkback: don't leak persistent grants from xen_blkbk_map()
  (bsc#1183646, CVE-2021-28688, XSA-371).
- commit 55909b8
- usbip: fix stub_dev usbip_sockfd_store() races leading to gpf
  (CVE-2021-29265 bsc#1184167).
- commit 6095add
- gianfar: fix jumbo packets+napi+rx overrun crash (CVE-2021-29264
  bsc#1184168).
- commit 9dcbb37
- PCI: rpadlpar: Fix potential drc_name corruption in store
  functions (CVE-2021-28972 bsc#1184198).
- commit 6348e09
- net: qrtr: fix a kernel-infoleak in qrtr_recvmsg()
  (CVE-2021-29647 bsc#1184192).
- commit 3ab36f2
- bpf: Add sanity check for upper ptr_limit (bsc#1183686
  bsc#1183775).
- bpf: Simplify alu_limit masking for pointer arithmetic
  (bsc#1183686 bsc#1183775).
- bpf: Fix off-by-one for area size in creating mask to left
  (bsc#1183775 CVE-2020-27171).
- bpf: Prohibit alu ops for pointer types not defining ptr_limit
  (bsc#1183686 CVE-2020-27170).
- commit dbf16ca
- Fix a typo in r8188eu fix patch that caused a build error (CVE-2021-28660 bsc#1183593)
- commit b574698
- Update patch reference for x25 fix (CVE-2020-35519 bsc#1183696)
- commit c241986
- staging: rtl8188eu: prevent ->ssid overflow in rtw_wx_set_scan()
  (CVE-2021-28660 bsc#1183593).
- commit 5b4b262
- Update tags
  patches.suse/ext4-check-journal-inode-extents-more-carefully.patch
  (bsc#1173485 bsc#1183509 CVE-2021-3428).
- commit f1fc1ff
- blk-mq: move _blk_mq_update_nr_hw_queues synchronize_rcu call
  (CVE-2020-0433 bsc#1176720).
- blk-mq: Allow blocking queue tag iter callbacks (CVE-2020-0433
  bsc#1176720 bsc#1167316).
- commit 7fb1c08
- Update
  patches.suse/Xen-gnttab-handle-p2m-update-errors-on-a-per-slot-ba.patch
  (bsc#1183022 XSA-367 CVE-2021-28038): added CVE number
- Update
  patches.suse/xen-netback-respect-gnttab_map_refs-s-return-value.patch
  (bsc#1183022 XSA-367 CVE-2021-28038): added CVE number
- commit cfcdec5
- xen/events: avoid handling the same event on two cpus at the
  same time (bsc#1183638 XSA-332 CVE-2020-27673).
- commit 89c8a49
- xen/events: don't unmask an event channel when an eoi is pending
  (bsc#1183638 XSA-332 CVE-2020-27673).
- commit e4088d0
- xen/events: reset affinity of 2-level event when tearing it down
  (bsc#1183638 XSA-332 CVE-2020-27673).
- commit 6e06fe9
- jfs: Fix array index bounds check in dbAdjTree  (bsc#1179454 CVE-2020-27815).
- commit 981c2ff
- rpm/check-for-config-changes: comment on the list
  To explain what it actually is.
- commit e94bacf
- rpm/check-for-config-changes: define ignores more strictly
  * search for whole words, so make wildcards explicit
  * use ' for quoting
  * prepend CONFIG_ dynamically, so it need not be in the list
- commit f61e954
- rpm/check-for-config-changes: sort the ignores
  They are growing so to make them searchable by humans.
- commit 67c6b55
- rpm/check-for-config-changes: add -mrecord-mcount ignore
  Added by 3b15cdc15956 (tracing: move function tracer options to Kconfig)
  upstream.
- commit 018b013
- Correct bugzilla reference (CVE-2021-27365 CVE-2021-27363 CVE-2021-27364 bsc#1182716 bsc#1182717 bsc#1182715)
- commit e2a0905
- scsi: iscsi: Verify lengths on passthrough PDUs (CVE-2021-27365
  bsc#182715).
- scsi: iscsi: Ensure sysfs attributes are limited to PAGE_SIZE
  (CVE-2021-27365 bsc#182715).
- scsi: iscsi: Restrict sessions and handles to admin capabilities
  (CVE-2021-27363 CVE-2021-27364 bsc#182716 bsc#182717).
- commit ee332c8
- rpm/check-for-config-changes: declare sed args as an array
  So that we can reuse it in both seds.
  This also introduces IGNORED_CONFIGS_RE array which can be easily
  extended.
- commit a1976d2
- xen-netback: respect gnttab_map_refs()'s return value
  (bsc#1183022 XSA-367).
- commit 6e61f26
- Xen/gnttab: handle p2m update errors on a per-slot basis
  (bsc#1183022 XSA-367).
- commit 1ab6d01
- rpm/check-for-config-changes: ignore more configs
  Specifially, these:
  * CONFIG_CC_HAS_*
  * CONFIG_CC_HAVE_*
  * CONFIG_CC_CAN_*
  * CONFIG_HAVE_[A-Z]*_COMPILER
  * CONFIG_TOOLS_SUPPORT_*
  are compiler specific too. This will allow us to use super configs
  using kernel's dummy-tools.
- commit d12dcbd
- mm, THP, swap: make reuse_swap_page() works for THP swapped out
  (partial) (CVE-2020-29368, bsc#1179660.).
- commit 556db3f
- mm: thp: fix MADV_REMOVE deadlock on shmem THP (CVE-2020-29368,
  bsc#1179660.).
- commit 4eb863b
- mm: thp: make the THP mapcount atomic against
  __split_huge_pmd_locked() (CVE-2020-29368, bsc#1179660.).
- commit 2881aaa
- macros.kernel-source: Use spec_install_pre for certificate installation (boo#1182672).
  Since rpm 4.16 files installed during build phase are lost.
- commit d0b887e
- rpm/kernel-subpackage-build: Workaround broken bot
  (https://github.com/openSUSE/openSUSE-release-tools/issues/2439)
- commit b74d860
- xen-blkback: fix error handling in xen_blkbk_map() (XSA-365
  CVE-2021-26930 bsc#1181843).
- commit 0ed98dc
- xen-scsiback: don't "/handle"/ error by BUG() (XSA-362
  CVE-2021-26931 bsc#1181753).
- commit b067c04
- xen-netback: don't "/handle"/ error by BUG() (XSA-362
  CVE-2021-26931 bsc#1181753).
- commit 4c9cf8b
- xen-blkback: don't "/handle"/ error by BUG() (XSA-362
  CVE-2021-26931 bsc#1181753).
- commit 603464d
- xen/arm: don't ignore return errors from set_phys_to_machine
  (XSA-361 CVE-2021-26932 bsc#1181747).
- commit 9ff68db
- Xen/gntdev: correct error checking in gntdev_map_grant_pages()
  (XSA-361 CVE-2021-26932 bsc#1181747).
- commit 7fd73db
- Xen/gntdev: correct dev_bus_addr handling in
  gntdev_map_grant_pages() (XSA-361 CVE-2021-26932 bsc#1181747).
- commit 131ffb6
- Xen/x86: also check kernel mapping in set_foreign_p2m_mapping()
  (XSA-361 CVE-2021-26932 bsc#1181747).
- commit 4b44d15
- Xen/x86: don't bail early from clear_foreign_p2m_mapping()
  (XSA-361 CVE-2021-26932 bsc#1181747).
- commit 92a5a6c
- xen/netback: fix spurious event detection for common event case
  (bsc#1182175).
- commit 1f35f61
- kernel-binary.spec: Add back initrd and image symlink ghosts to
  filelist (bsc#1182140).
  Fixes: 76a9256314c3 ("/rpm/kernel-{source,binary}.spec: do not include ghost symlinks (boo#1179082)."/)
- commit 606c9d1
- rpm/post.sh: Avoid purge-kernel for the first installed kernel (bsc#1180058)
- commit c29e77d
- xen/netback: avoid race in xenvif_rx_ring_slots_available()
  (bsc#1065600).
- commit 8f2c4d9
- objtool: Don't fail on missing symbol table (bsc#1192379).
- commit e7ec5af
- rpm/kernel-binary.spec.in: Correct Supplements in optional subpkg (jsc#SLE-11796)
  The product string was changed from openSUSE to Leap.
- commit 3cb7943
- blacklist.conf: Add 08685be7761d powerpc/64s: fix scv entry fallback flush vs interrupt
  No scv support.
- commit f4c561c
- Exclude Symbols.list again.
  Removing the exclude builds vanilla/linux-next builds.
  Fixes: 55877625c800 ("/kernel-binary.spec.in: Package the obj_install_dir as explicit filelist."/)
- commit a1728f2
- rpm/kernel-{source,binary}.spec: do not include ghost symlinks
  (boo#1179082).
- commit 76a9256
- scripts/lib/SUSE/MyBS.pm: properly close prjconf Macros: section
- commit 965157e
- rpm/kernel-binary.spec.in: use grep -E instead of egrep (bsc#1179045)
  egrep is only a deprecated bash wrapper for "/grep -E"/. So use the latter
  instead.
- commit 63d7072
- kernel-{binary,source}.spec.in: do not create loop symlinks (bsc#1179082)
- commit adf56a8
- rpm/kernel-binary.spec.in: avoid using more barewords (bsc#1179014)
  %split_extra still contained two.
- commit d9b4c40
- kernel-source.spec: Fix build with rpm 4.16 (boo#1179015).
  RPM_BUILD_ROOT is cleared before %%install. Do the unpack into
  RPM_BUILD_ROOT in %%install
- commit 13bd533
- rpm/kernel-binary.spec.in: avoid using barewords (bsc#1179014)
  Author: Dominique Leuenberger <dimstar@opensuse.org>
- commit 21f8205
- rpm/mkspec: do not build kernel-obs-build on x86_32
  We want to use 64bit kernel due to various bugs (bsc#1178762 to name
  one).
  There is:
  ExportFilter: ^kernel-obs-build.*.x86_64.rpm$ . i586
  in Factory's prjconf now. No other actively maintained distro (i.e.
  merging packaging branch) builds a x86_32 kernel, hence pushing to
  packaging directly.
- commit 8099b4b
- Updated Copyright line in rpm templates with SUSE LLC
- commit 39a1fcf
- rpm/kernel-obs-build.spec.in: Add -q option to modprobe calls (bsc#1178401)
- commit 33ded45
- rpm/kernel-binary.spec.in: Fix compressed module handling for in-tree KMP (jsc#SLE-10886)
  The in-tree KMP that is built with SLE kernels have a different scriptlet
  that is embedded in kernel-binary.spec.in rather than *.sh files.
- commit e32ee2c
- rpm/kernel-module-subpackage: make Group tag optional (bsc#1163592)
- commit 552ec97
- kernel-binary.spec.in: pack scripts/module.lds into kernel-$flavor-devel
  Since mainline commit 596b0474d3d9 ("/kbuild: preprocess module linker
  script"/) in 5.10-rc1, scripts/module.lds linker script is needed to build
  out of tree modules. Add it into kernel-$flavor-devel subpackage.
- commit fe37c16
- rpm/split-modules: Avoid errors even if Module.* are not present
- commit 752fbc6
- Add the support for kernel-FLAVOR-optional subpackage (jsc#SLE-11796)
  This change allows to create kernel-*-optional subpackage containing
  the modules that are not shipped on SLE but only on Leap.  Those
  modules are marked in the new "/-!optional"/ marker in supported.conf.
  Flip split_optional definition in kernel-binaries.spec.in for the
  branch that needs the splitting.
- commit 1fa25f8
- kernel-binary.spec.in: Exclude .config.old from kernel-devel
  - use tar excludes for .kernel-binary.spec.buildenv
- commit 939a79b
- ext4: check journal inode extents more carefully (bsc#1173485).
- commit 794d98a
- ext4: don't allow overlapping system zones (bsc#1173485).
- commit 9b895a5
- ext4: handle error of ext4_setup_system_zone() on remount
  (bsc#1173485).
- commit 7164881
- net_sched: cls_route: remove the right filter from hashtable
  (networking-stable-20_03_28).
- commit a96d7a8
keyutils
- Add /etc/keys/ and /usr/etc/keys/ directory (bsc#1187654)
- update to 1.6.3:
  * Revert the change notifications that were using /dev/watch_queue.
  * Apply the change notifications that use pipe2(O_NOTIFICATION_PIPE).
  * Allow "/keyctl supports"/ to retrieve raw capability data.
  * Allow "/keyctl id"/ to turn a symbolic key ID into a numeric ID.
  * Allow "/keyctl new_session"/ to name the keyring.
  * Allow "/keyctl add/padd/etc."/ to take hex-encoded data.
  * Add "/keyctl watch*"/ to expose kernel change notifications on keys.
  * Add caps for namespacing and notifications.
  * Set a default TTL on keys that upcall for name resolution.
  * Explicitly clear memory after it's held sensitive information.
  * Various manual page fixes.
  * Fix C++-related errors.
  * Add support for keyctl_move().
  * Add support for keyctl_capabilities().
  * Make key=val list optional for various public-key ops.
  * Fix system call signature for KEYCTL_PKEY_QUERY.
  * Fix 'keyctl pkey_query' argument passing.
  * Use keyctl_read_alloc() in dump_key_tree_aux().
  * Various manual page fixes.
- spec-cleaner run (fixup failing homepage url)
- prepare usrmerge (boo#1029961)
- updated to 1.6
  - Apply various specfile cleanups from Fedora.
  - request-key: Provide a command line option to suppress helper execution.
  - request-key: Find least-wildcard match rather than first match.
  - Remove the dependency on MIT Kerberos.
  - Fix some error messages
  - keyctl_dh_compute.3: Suggest /proc/crypto for list of available hashes.
  - Fix doc and comment typos.
  - Add public key ops for encrypt, decrypt, sign and verify (needs linux-4.20).
  - Add pkg-config support for finding libkeyutils.
- upstream isn't offering PGP signatures for the source tarballs anymore
- Replace krb5-devel BuildRequires with pkgconfig(krb5): Allow OBS
  to shortcut the ring0 bootstrap cycle by also using krb5-mini.
- add upstream signing key and verify source signature
- updated to 1.5.11 (bsc#1113013)
  - Add keyring restriction support.
  - Add KDF support to the Diffie-Helman function.
  - DNS: Add support for AFS config files and SRV records
kmod
- Remove enum padding constants, add enum.patch (boo#1097869).
less
- Add missing runtime dependency on which, which is used by lessopen.sh.
  Fix bsc#1190552.
libX11
- redone U_CVE-2021-31535.patch due to regressions (boo#1186643)
  * fixes segfaults for xforms applications like fdesign
-  U_CVE-2021-31535.patch
  * adds missing request length checks in libX11 (CVE-2021-31535,
    bsc#1182506)
- U_0001-_XIOError-dpy-will-never-return-so-remore-dead.patch
  U_0002-remove-empty-line.patch
  U_0003-poll_for_response-Call-poll_for_event-again-if-xcb_p.patch
  U_0004-poll_for_event-Allow-using-xcb_poll_for_queued_event.patch
  U_0005-Prepare-for-_XIOError-possibly-returning.patch
  U_0006-Fix-poll_for_response-race-condition.patch
  * fixes a race condition in libX11 that causes various
    applications to crash randomly (boo#1181963)
- refreshed U_0001-Fix-an-integer-overflow-in-init_om.patch
libcap
- Add explicit dependency on libcap2 with version to libcap-progs
  and pam_cap (bsc#1184690)
- Update to libcap 2.26 for supporting the ambient capabilities
  (jsc#SLE-17092, jsc#ECO-3460)
- Use "/or"/ in the license tag to avoid confusion (bsc#1180073)
libesmtp
- Add libesmtp-fix-cve-2019-19977.patch: Fix stack-based buffer
  over-read in ntlm/ntlmstruct.c (bsc#1160462 bsc#1189097).
libgcrypt
- FIPS: Fix gcry_mpi_sub_ui subtraction [bsc#1193480]
  * gcry_mpi_sub_ui: fix subtracting from negative value
  * Add libgcrypt-FIPS-fix-gcry_mpi_sub_ui.patch
- Security fix: [bsc#1187212, CVE-2021-33560]
  * Libgcrypt mishandles ElGamal encryption because it lacks exponent
    blinding to address a side-channel attack against mpi_powm
- Add patches:
  * libgcrypt-CVE-2021-33560-ElGamal-exponent-blinding.patch
  * libgcrypt-CVE-2021-33560-fix-ElGamal-enc.patch
libjpeg-turbo
  fix CVE-2020-17541 [bsc#1186764], stack-based buffer overflow in the "/transform"/ component
  + libjpeg-turbo-CVE-2020-17541.patch
- security update
- added patches
libjpeg62-turbo
  fix CVE-2020-17541 [bsc#1186764], stack-based buffer overflow in the "/transform"/ component
  + libjpeg-turbo-CVE-2020-17541.patch
- security update
- added patches
libnettle
- Security fix: [CVE-2021-3580, bsc#1187060]
  * Remote crash in RSA decryption via manipulated ciphertext
- Add patches:
  * libnettle-CVE-2021-3580-rsa_sec.patch
  * libnettle-CVE-2021-3580-rsa_decrypt.patch
- Security fix: [bsc#1184401, CVE-2021-20305]
  * multiply function being called with out-of-range scalars
  * Affects ecc-ecdsa-sign(), ecc_ecdsa_verify() and _eddsa_hash().
- Add libnettle-CVE-2021-20305.patch
libqt5-qtbase
- Add patch to avoid loading library relative to PWD (bsc#1189408,
  CVE-2020-24741)
  * 0001-Do-not-attempt-to-load-a-library-relative-to-pwd.patch
- Fix clipboard breaking when timer wraps after 50 days (bsc#1178600)
  * 0001-XCB-Fix-clipboard-breaking-when-timer-wraps-after-50days.patch
libsolv
- fix misparsing of '&' in attributes with libxml2
- choice rules: treat orphaned packages as newest [bsc#1190465]
- fix compatibility with Python 3.10
- new SOLVER_EXCLUDEFROMWEAK job type
- support for environments in comps parser
- bump version to 0.7.20
- Disable python2 usage on suse_version >= 1550 by default (still
  possible to use osc build --with=python).
- fix rare segfault in resolve_jobrules() that could happen
  if new rules are learnt
- fix a couple of memory leaks in error cases
- fix error handling in solv_xfopen_fd()
- bump version to 0.7.19
- fixed regex code on win32
- fixed memory leak in choice rule generation
- repo_add_conda: add flag to skip v2 packages
- bump version to 0.7.18
- repo_write: fix handling of nested flexarray
- improve choicerule generation a bit more to cover more cases
- harden testcase parser against repos being added too late
- support python-3.10
- check %_dbpath macro in rpmdb code
- handle default/visible/langonly attributes in comps parser
- support multiple collections in updateinfo parser
- add '-D' option in rpmdb2solv to set the dbpath
- bump version to 0.7.17
libunwind
- update to 1.5.0:
  * dwarf: clang doesn't respect the static alias
  * Fixed a missing dependency in dwarf-eh.h
  * x86_64: Fix tdep_init_done when built with libatomic_ops
  * mips: make _step_n64 as a static function
  * Added braces to suppress empty if/else warnings
  * Delete hardcode of address size to support MIPS64.
  * Fix format specifier for int64_t:29
  * Add initial support for Solaris x86-64
  * x86_64: Add fixup code if previous RIP was invalid
  * x86-64: make `is_cached_valid_mem` functional
  * arm: clear ip thumb/arm mode bit before move to previous instruction
  * Fix compilation with -fno-common.
  * Fix off-by-one error in x86_64 stack frames
  * aarch64: Fix __sigset build issue on muslC
  * Make SHF_COMPRESSED use contingent on its existence
- remove libunwind_U_dyn_info_list.patch (upstream)
- Enable s390x for building
- Fix compilation with -fno-common [bsc#1171549]
- Add patch libunwind_U_dyn_info_list.patch
- Update to 1.4.0
  - Fix compilation with -fno-common.
  - arm: clear ip thumb/arm mode bit before move to previous instruction (#131)
  - tests: fix test-coredump-unwind without HAVE_EXECINFO_H (#165)
  - There are 20 not 9 failing tests on Solaris (#162)
  - change asm to __asm__ to support -std=c11 or similar (#149)
  - x86-64: make `is_cached_valid_mem` functional (#146)
  - Allow to build without weak `backtrace` symbol. (#142)
  - fix compile issue on SH platform (#137)
  - Add support for zlib compressed elf .debug_frame sections
  - README: add libc requirement description (#121)
  - Older systems (e.g. RHEL5) do not have pipe2(). (#122)
  - x86_64: Add fixup code if previous RIP was invalid (#120)
  - Fix format specifier for int64_t:29 (#117)
  - Delete hardcode of address size to support MIPS64. (#114)
  - Added braces to suppress empty if/else warnings (#112)
  - mips: make _step_n64 as a static function
  - x86_64: Fix tdep_init_done when built with libatomic_ops
  - x86_64: tsan clean (#109)
  - Fixed a missing dependency in dwarf-eh.h
  - dwarf: clang doesn't respect the static alias (#102)
- Update libunwind.keyring
- Remove libunwind-gcc10-build-fno-common.patch fixed upstream
- Fix build with GCC-10: [bsc#1160876]
  * In GCC-10, the default option -fcommon will change to -fno-common
- Add libunwind-gcc10-build-fno-common.patch
- Ensure neutrality of description. Avoid name repetition in
  summaries.
- Update to 1.3.1
  * Iteration of unwind register states support
  * Freebsd/Armv6 support
  * Many, many dwarf bugfixes
  * Mips remote unwind support
  * aarch64 ptrace support
- fix_versioning_libunwind_1.2.1.patch: removed
libvirt
- CVE-2021-4147: libxl: Fix libvirtd segfault
  a7a03324-libxl-protect-logger-access.patch
  bsc#1193981, bsc#1194041
- CVE-2021-3975: Add missing lock in qemuProcessHandleMonitorEOF
  1ac703a7-CVE-2021-3975.patch
  bsc#1192876
libwebp
- Add libwebp-CVE-2018-25011.patch: fail on
  multiple image chunks (bsc#1186247 CVE-2018-25011).
- Add libwebp-CVE-2020-36328.patch: fix invalid check for buffer
  size (bsc#1185688 CVE-2020-36328).
- Add libwebp-CVE-2020-36329.patch: fix for thread race heap use
  after free (bsc#1185652 CVE-2020-36329).
- Add libwebp-CVE-2020-36330.patch: fix riff size checks
  (bsc#1185691 CVE-2020-36330).
- Add libwebp-CVE-2018-25013.patch: wait for all threads to be
  done in DecodeRemaining (bsc#1185654 bsc#1186250 CVE-2018-25013
  CVE-2018-25014).
- Add libwebp-CVE-2020-36331.patch: fix possible overflow when
  validating chunk size (bsc#1185686 CVE-2020-36331).
- Add libwebp-CVE-2018-25010.patch: fix alpha-filtering crash when
  image is larger than radius (bsc#1185685 CVE-2018-25010).
- Add libwebp-CVE-2018-25009.patch: fix overflow while reading
  VP8X chunk (bsc#1185673 bsc#1185690 CVE-2018-25009
    CVE-2018-25012).
- Add libwebp-CVE-2020-36332.patch: better handling of bogus
  Huffman code (bsc#1185674 CVE-2020-36332).
libxml2
- Security fix: [bsc#1186015, CVE-2021-3541]
  * Exponential entity expansion attack bypasses all existing
    protection mechanisms.
- Add libxml2-CVE-2021-3541.patch
- Security fix: [bsc#1185698, bsc#1185879, CVE-2021-3537]
  * NULL pointer dereference in valid.c:xmlValidBuildAContentModel
  * Add libxml2-CVE-2021-3537.patch
- Security fix: [bsc#1185408, CVE-2021-3518]
  * Fix use-after-free in xinclude.c:xmlXIncludeDoProcess()
  * Add libxml2-CVE-2021-3518.patch
- Security fix: [bsc#1185410, CVE-2021-3517]
  * Fix heap-based buffer overflow in entities.c:xmlEncodeEntitiesInternal()
  * Add libxml2-CVE-2021-3517.patch
- Security fix: [bsc#1185409, CVE-2021-3516]
  * Fix use-after-free in entities.c:xmlEncodeEntitiesInternal()
  * Add libxml2-CVE-2021-3516.patch
libzypp
- Use the default zypp.conf settings if no zypp.conf exists
  (bsc#1193488)
- Fix wrong encoding of iso: URL components (bsc#954813)
- Handle armv8l as armv7hl compatible userland.
- Introduce zypp-curl a sublibrary for CURL related code.
- zypp-rpm: Increase rpm loglevel if ZYPP_RPM_DEBUG is set.
- Save all signatures associated with a public key in its
  PublicKeyData.
- version 17.29.0 (22)
- Disable logger in the child after fork (bsc#1192436)
- version 17.28.8 (22)
- Check log writer before accessing it (fixes #355, bsc#1192337)
- Save locks: Update an existing locks changed comment string.
- Allow uname-r format in purge kernels keepspec (fixes
  openSUSE/zypper#418)
- version 17.28.7 (22)
- Zypper should keep cached files if transaction is aborted
  (bsc#1190356)
  Singletrans mode currently does not keep files around if the
  transaction is aborted. This patch fixes the problem.
- Require a minimum number of mirrors for multicurl (bsc#1191609)
- Use procfs to detect nr of open fd's if rlimit is too high
  (bsc#1191324)
  Especially in a VM iterating over all possible fd's to close open
  ones right before a exec() slows down zypper unnecessarily. This
  patch uses /proc/self/fd to iterate over open fd's in case rlimit
  is above 1024.
- po: Fix some lost '%' signs in positional args (bsc#1191370)
- RepoManager: Don't probe for plaindir repo if URL schema is
  plugin: (bsc#1191286)
- version 17.28.6 (22)
- Downloader does not respect checkExistsOnly flag (bsc#1190712)
  A missing check causes zyppng::Downloader to always download full
  files even if the checkExistsOnly flag is set. This patch adds
  the missing logic.
- Fix kernel-*-livepatch removal in purge-kernels (bsc#1190815)
  The kernel-*-livepatch packages are supposed to serve as a stable
  handle for the ephemeral kernel livepatch packages. See
  FATE#320268 for details. As part of the kernel live patching
  ecosystem, kernel-*-livepatch packages should not block the
  purge-kernels step.
- version 17.28.5 (22)
- Make sure to keep states alives while transitioning
  (bsc#1190199)
- May set techpreview variables for testing in /etc/zypp/zypp.conf.
  If environment variables are unhandy one may enable the desired
  techpreview in zypp.conf as well:
    [main]
    techpreview.ZYPP_SINGLE_RPMTRANS=1
    techpreview.ZYPP_MEDIANETWORK=1
- version 17.28.4 (22)
- CMake/spec: Add option to force SINGLE_RPMTRANS as default for
  zypper (fixes #340)
- Make sure singleTrans is zypper-only for now.
- Do not double check signatures and keys (bsc#1190059)
- version 17.28.3 (22)
- Workaround Bug 1189788: Don't allow ZYPP_SINGLE_RPMTRANS=1 on a
  not UsrMerged Tumbleweed system.
- version 17.28.2 (22)
- Fix crashes in logging code when shutting down (bsc#1189031)
- version 17.28.1 (22)
- Rephrase vendor conflict message in case 2 packages are
  involved (bsc#1187760)
  This covers the case where not the packages itself would change
  its vendor, but replaces a package from a different vendor.
- Fix solver jobs for PTFs (bsc#1186503)
- spec: switch to pkgconfig(openssl)
- Show key fpr from signature when signature check fails
  (bsc#1187224)
  Rpm by default only shows the short key ID when checking the
  signature of a package fails. This patch reads the signatures
  from the RPM headers and replaces she short IDs with the key
  fingerprints fetched from the signatures.
- Implement alternative single transaction commit strategy.
  This patch adds a experimental commit strategy that runs all
  operations in a single rpm transaction, speeding up the execution
  a lot.
- Use ZYPP_MEDIANETWORK=1 to enable the experimental new media
  backend.
- Implement zchunk download, refactor Downloader backend.
- Fix purge-kernels fails with kernels from Kernel:HEAD
  (bsc#1187738)
  There recently was a change in the kernel package naming scheme
  in regards to rc kernels. Since kernel upstream uses characters
  in the version that are not allowed in rpm versions a "/-rc"/ was
  previously replaced with "/.rc"/ which broke sorting by version, to
  fix this issue it was replaced with "/~rc"/, which unfortunately
  broke the purge-kernels logic. This patch makes sure purge-kernel
  does apply the same conversion.
- version 17.28.0 (22)
- Enhance XML output of repo GPG options (fixes openSUSE/zypper#390)
  In addition to the effective values, add optional attributes
  showing the raw values actually present in the .repo file.
  (raw_gpgcheck, raw_repo_gpgcheck, raw_pkg_gpgcheck)
- Link all executables with -pie (bsc#1186447)
- Ship an empty /etc/zypp/needreboot per default (fixes #311, jsc#PM-2645)
  If packages want to trigger the reboot-needed hiint upon installation
  they may provide 'installhint(reboot-needed)'.
  Builtin packages triggering the hint without the provides are
  only kernel and kernel-firmware related.
- Add Solvable::isBlacklisted as superset of retracted and ptf
  packages (bsc#1186503)
- Fix segv if ZYPP_FULLOG is set (fixes #317)
- version 17.27.0 (22)
- Work around download.o.o broken https redirects.
- Allow trusted repos to add additional signing keys (bsc#1184326)
  Repositories signed with a trusted gpg key may import additional
  package signing keys. This is needed if different keys were used
  to sign the the packages shipped by the repository.
- MediaCurl: Fix logging of redirects.
- Use 15.3 resolver problem and solution texts on all distros.
- $ZYPP_LOCK_TIMEOUT: Let negative values wait forever for the
  zypp lock (bsc#1184399)
  Helps boot time services like 'zypper purge-kernels' to wait for
  the zypp lock until other services using zypper have completed.
- Fix purge-kernels is broken in Leap 15.3 (bsc#1185325)
  Leap 15.3 introduces a new kernel package called
  kernel-flavour-extra, which contain kmp's. Currently kmp's are
  detected by name "/.*-kmp(-.*)?"/ but this does not work which
  those new packages. This patch fixes the problem by checking
  packages for kmod(*) and ksym(*) provides and only falls back to
  name checking if the package in question does not provide one of
  those.
- Introduce zypp-runpurge, a tool to run purge-kernels on
  testcases.
- version 17.26.0 (22)
- Properly handle permission denied when providing optional files
  (bsc#1185239)
- Fix service detection with cgroupv2 (bsc#1184997)
- version 17.25.10 (22)
- Add missing includes for GCC 11 (bsc#1181874)
- Fix unsafe usage of static in media verifier.
- Solver: Avoid segfault if no system is loaded (bsc#1183628)
- MediaVerifier: Relax media set verification in case of a single
  not-volatile medium (bsc#1180851)
- Do no cleanup in custom cache dirs (bsc#1182936)
- ZConfig: let pubkeyCachePath follow repoCachePath.
- version 17.25.9 (22)
- Try to provide a mounted /proc in --root installs (bsc#1181328)
  Some systemd tools require /proc to be mounted and fail if it's
  not there.
- Enable release packages to request a releaxed suse/opensuse
  vendorcheck in dup when migrating. (bsc#1182629)
- version 17.25.8 (22)
- Patch: Identify well-known category names (bsc#1179847)
  This allows to use the RH and SUSE patch categrory names
  synonymously:
  (recommendedi = bugfix) and (optional = feature = enhancement).
- Add missing includes for GCC 11 compatibility. (bsc#1181874)
- Fix %posttrans script execution (fixes #265)
  The scripts are execuable. No need to call them through 'sh -c'.
- Commit: Fix rpmdb compat symlink in case rpm got removed.
- Repo: Allow multiple baseurls specified on one line (fixes #285)
- Regex: Fix memory leak and undefined behavior.
- Add rpm buildrequires for test suite (fixes #279)
- Use rpmdb2solv new -D switch to tell the location ob the
  rpmdatabase to use.
- BuildRequires:  libsolv-devel >= 0.7.17.
- version 17.25.7 (22)
- Rephrase solver problem descriptions (jsc#SLE-8482)
- Adapt to changed gpg2/libgpgme behavior (bsc#1180721)
- Multicurl backend breaks with with unknown filesize (fixes #277)
- version 17.25.6 (22)
- Fix lsof monitoring (bsc#1179909)
- version 17.25.5 (22)
- Prevent librpmDb iterator from accidentally creating an empty
  rpmdb in / (repoened bsc#1178910)
- Fix update of gpg keys with elongated expire date (bsc#1179222)
- needreboot: remove udev from the list (bsc#1179083)
- Prefer /run over /var/run.
- version 17.25.4 (22)
- RepoManager: Carefully tidy up the caches. Remove non-directory
  entries. (bsc#1178966)
- RpmDb: If no database exists use the _dbpath configured in rpm.
  Still makes sure a compat symlink at /var/lib/rpm exists in case
  the configures _dbpath is elsewhere. (bsc#1178910)
- Url: Hide known password entries when writing the query part
  (bsc#1050625 bsc#1177583, CVE-2017-9271)
- adapt testcase to change introduced by libsolv#402.
- RepoManager: Force refresh if repo url has changed (bsc#1174016)
- RepoInfo: ignore legacy type= in a .repo file and let RepoManager
  probe (bsc#1177427, Fixes openSUSE/zypper#357).
- version 17.25.3 (22)
- Bump version to force rebuild against a fixed libsolv.
  (bsc#1177238, bsc#1177275)
- version 17.25.2 (22)
lua53
- Sync with Factory (5.3.6), includes fixes for
  - Long brackets with a huge number of '=' overflow some
    internal buffer arithmetic.
  - bsc#1123043 CVE-2019-6706 Fix free-after-use bug in
    lua_upvaluejoin function of lapi.c
- Remove upstreamed patches:
  - CVE-2019-6706-use-after-free-lua_upvaluejoin.patch
- Update to version 5.3.6:
  * Fixes bugs found in Lua 5.3.5 and Lua 5.4.0
  * Lua 5.3 is now EOL
- Removed upstream-bugs.patch: new release (no bugs found yet)
- Removed upstream-bugs-backport-lua54.patch: new release (no bugs found yet)
- Added upstream-bugs.patch: upstream bug patches
  * Patches 2,3,4
- Added upstream-bugs-backport-lua54.patch: bugs discovered in lua54
  * Patch 10: CVE-2020-24371, boo#1175449
  * Patch 11: CVE-2020-24370, boo#1175448
  * Patch 13
- Add RISC-V to list of 64-bit architectures
- Use FAT LTO objects in order to provide proper static library.
- Update to 5.3.5:
  (it is really problematic to find ANY documentation of changes
  between minor versions; the best we have is
  https://www.lua.org/bugs.html)
  - Long brackets with a huge number of '=' overflow some
    internal buffer arithmetic.
  - Small build tweaks.
lz4
- security update
- added patches
  fix CVE-2021-3520 [bsc#1185438], memory corruption due to an integer overflow bug caused by memmove argument
  + lz4-CVE-2021-3520.patch
mailx
- Add patch mailx-12.5-systemd.patch to add description how to avoid
  bugs like bsc#1192916 -- mailx does not send mails unless run via
  strace or in verbose mode
- fix-sendmail-name.patch: fix name argument when calling
  /usr/sbin/sendmail [bsc#1180355].
- Updates to mailx-12.5-openssl-1.1.0f.patch
  * If the openssl RNG is already
  seeded (on linux it always is) skip snake-oil reeseeding from
  file. Update man page accordingly.
  * Update man page with information that ssl2 and ssl3 are
    not only deprecated but currently unavailable and that
    tls1 forces TLS 1.0 but not later versions.
  * RAND_EGD is also unavailable, not just unused.
  * set SSL_OP_NO_TICKET, many servers accept session
    tickets, but almost never rotate them properly, TLS 1.3
    session tickets are not affected by this flag.
  * When using client certificates, check if the cert and key
    match each other.
- Remove redundant %clean section.
- Replace old $RPM_* shell vars by macros.
man-pages
- install kernel_lockdown.7 man page [bsc#1185534]
- added sources
  + kernel_lockdown.7
mozilla-nspr
- update to version 4.32:
  * implement new socket option PR_SockOpt_DontFrag
  * support larger DNS records by increasing the default buffer
    size for DNS queries
- update to version 4.31:
  * Lock access to PRCallOnceType members in PR_CallOnce* for
    thread safety bmo#1686138
- update to version 4.30
  * support longer thread names on macOS
  * fix a build failure on OpenBSD
- update to version 4.29
  * Remove macOS Code Fragment Manager support code
  * Remove XP_MACOSX and OS_TARGET=MacOSX
  * Refresh config.guess and config.sub
  * Remove NSPR's patch to config.sub
  * Add support for e2k target (64-bit Elbrus 2000)
- update to version 4.28
  * Fix a compiler warning
  * Add rule for cross-compiling with cygwin
- update to version 4.27
  * the macOS platform code for shared library loading was
  * An include statement for a Windows system library header
    was added
- update to version 4.26
  * PR_GetSystemInfo supports a new flag PR_SI_RELEASE_BUILD to get
    information about the operating system build version.
  * Better support parallel building on Windows.
  * The internal release automatic script requires python 3.
mozilla-nss
- Mozilla NSS 3.68.2 (bsc#1193845)
  * mozilla::pkix: support SHA-2 hashes in CertIDs in OCSP responses
    (bmo#966856)
- Mozilla NSS 3.68.1
  MFSA 2021-51 (bsc#1193170)
  * CVE-2021-43527 (bmo#1737470)
    Memory corruption via DER-encoded DSA and RSA-PSS signatures
- Remove now obsolete patch nss-bsc1193170.patch
- Add patch to fix CVE-2021-43527 (bsc#1193170):
  nss-bsc1193170.patch
- Removed nss-fips-kdf-self-tests.patch.  This was made
  obsolete by upstream changes. (bmo#1660304)
- Rebase nss-fips-stricter-dh.patch needed due to upstream changes.
- Update nss-fips-constructor-self-tests.patch to fix crashes
  reported by upstream. This was likely affecting WebRTC calls.
- update to NSS 3.68
  * bmo#1713562 - Fix test leak.
  * bmo#1717452 - NSS 3.68 should depend on NSPR 4.32.
  * bmo#1693206 - Implement PKCS8 export of ECDSA keys.
  * bmo#1712883 - DTLS 1.3 draft-43.
  * bmo#1655493 - Support SHA2 HW acceleration using Intel SHA Extension.
  * bmo#1713562 - Validate ECH public names.
  * bmo#1717610 - Add function to get seconds from epoch from pkix::Time.
- update to NSS 3.67
  * bmo#1683710 - Add a means to disable ALPN.
  * bmo#1715720 - Fix nssckbi version number in NSS 3.67 (was supposed to be incremented in 3.66).
  * bmo#1714719 - Set NSS_USE_64 on riscv64 target when using GYP/Ninja.
  * bmo#1566124 - Fix counter increase in ppc-gcm-wrap.c.
  * bmo#1566124 - Fix AES_GCM mode on ppc64le for messages of length more than 255-byte.
- update to NSS 3.66
  * bmo#1710716 - Remove Expired Sonera Class2 CA from NSS.
  * bmo#1710716 - Remove Expired Root Certificates from NSS - QuoVadis Root Certification Authority.
  * bmo#1708307 - Remove Trustis FPS Root CA from NSS.
  * bmo#1707097 - Add Certum Trusted Root CA to NSS.
  * bmo#1707097 - Add Certum EC-384 CA to NSS.
  * bmo#1703942 - Add ANF Secure Server Root CA to NSS.
  * bmo#1697071 - Add GLOBALTRUST 2020 root cert to NSS.
  * bmo#1712184 - NSS tools manpages need to be updated to reflect that sqlite is the default database.
  * bmo#1712230 - Don't build ppc-gcm.s with clang integrated assembler.
  * bmo#1712211 - Strict prototype error when trying to compile nss code that includes blapi.h.
  * bmo#1710773 - NSS needs FIPS 180-3 FIPS indicators.
  * bmo#1709291 - Add VerifyCodeSigningCertificateChain.
  * Use GNU tar for the release helper script.
- update to NSS 3.65
  * bmo#1709654 - Update for NetBSD configuration.
  * bmo#1709750 - Disable HPKE test when fuzzing.
  * bmo#1566124 - Optimize AES-GCM for ppc64le.
  * bmo#1699021 - Add AES-256-GCM to HPKE.
  * bmo#1698419 - ECH -10 updates.
  * bmo#1692930 - Update HPKE to final version.
  * bmo#1707130 - NSS should use modern algorithms in PKCS#12 files by default.
  * bmo#1703936 - New coverity/cpp scanner errors.
  * bmo#1697303 - NSS needs to update it's csp clearing to FIPS 180-3 standards.
  * bmo#1702663 - Need to support RSA PSS with Hashing PKCS #11 Mechanisms.
  * bmo#1705119 - Deadlock when using GCM and non-thread safe tokens.
- refreshed patches
- Firefox 90.0 requires NSS 3.66
- update to NSS 3.64
  * bmo#1705286 - Properly detect mips64.
  * bmo#1687164 - Introduce NSS_DISABLE_CRYPTO_VSX and
    disable_crypto_vsx.
  * bmo#1698320 - replace __builtin_cpu_supports("/vsx"/) with
    ppc_crypto_support() for clang.
  * bmo#1613235 - Add POWER ChaCha20 stream cipher vector
    acceleration.
- update to NSS 3.63.1
  * no upstream release notes for 3.63.1 (yet)
  Fixed in 3.63
  * bmo#1697380 - Make a clang-format run on top of helpful contributions.
  * bmo#1683520 - ECCKiila P384, change syntax of nested structs
    initialization to prevent build isses with GCC 4.8.
  * bmo#1683520 - [lib/freebl/ecl] P-384: allow zero scalars in dual
    scalar multiplication.
  * bmo#1683520 - ECCKiila P521, change syntax of nested structs
    initialization to prevent build isses with GCC 4.8.
  * bmo#1683520 - [lib/freebl/ecl] P-521: allow zero scalars in dual
    scalar multiplication.
  * bmo#1696800 - HACL* update March 2021 - c95ab70fcb2bc21025d8845281bc4bc8987ca683.
  * bmo#1694214 - tstclnt can't enable middlebox compat mode.
  * bmo#1694392 - NSS does not work with PKCS #11 modules not supporting
    profiles.
  * bmo#1685880 - Minor fix to prevent unused variable on early return.
  * bmo#1685880 - Fix for the gcc compiler version 7 to support setenv
    with nss build.
  * bmo#1693217 - Increase nssckbi.h version number for March 2021 batch
    of root CA changes, CA list version 2.48.
  * bmo#1692094 - Set email distrust after to 21-03-01 for Camerfirma's
    'Chambers of Commerce' and 'Global Chambersign' roots.
  * bmo#1618407 - Symantec root certs - Set CKA_NSS_EMAIL_DISTRUST_AFTER.
  * bmo#1693173 - Add GlobalSign R45, E45, R46, and E46 root certs to NSS.
  * bmo#1683738 - Add AC RAIZ FNMT-RCM SERVIDORES SEGUROS root cert to NSS.
  * bmo#1686854 - Remove GeoTrust PCA-G2 and VeriSign Universal root certs
    from NSS.
  * bmo#1687822 - Turn off Websites trust bit for the “Staat der
    Nederlanden Root CA - G3” root cert in NSS.
  * bmo#1692094 - Turn off Websites Trust Bit for 'Chambers of Commerce
    Root - 2008' and 'Global Chambersign Root - 2008’.
  * bmo#1694291 - Tracing fixes for ECH.
- required for Firefox 88
- update to NSS 3.62
  * bmo#1688374 - Fix parallel build NSS-3.61 with make
  * bmo#1682044 - pkix_Build_GatherCerts() + pkix_CacheCert_Add()
    can corrupt "/cachedCertTable"/
  * bmo#1690583 - Fix CH padding extension size calculation
  * bmo#1690421 - Adjust 3.62 ABI report formatting for new libabigail
  * bmo#1690421 - Install packaged libabigail in docker-builds image
  * bmo#1689228 - Minor ECH -09 fixes for interop testing, fuzzing
  * bmo#1674819 - Fixup a51fae403328, enum type may be signed
  * bmo#1681585 - Add ECH support to selfserv
  * bmo#1681585 - Update ECH to Draft-09
  * bmo#1678398 - Add Export/Import functions for HPKE context
  * bmo#1678398 - Update HPKE to draft-07
- required for Firefox 87
- Add nss-btrfs-sqlite.patch to address bmo#1690232
- update to NSS 3.61
  * required for Firefox 86
  * bmo#1682071 - Fix issue with IKE Quick mode deriving incorrect key
    values under certain conditions.
  * bmo#1684300 - Fix default PBE iteration count when NSS is compiled
    with NSS_DISABLE_DBM.
  * bmo#1651411 - Improve constant-timeness in RSA operations.
  * bmo#1677207 - Upgrade Google Test version to latest release.
  * bmo#1654332 - Add aarch64-make target to nss-try.
- update to NSS 3.60.1
  Notable changes in NSS 3.60:
  * TLS 1.3 Encrypted Client Hello (draft-ietf-tls-esni-08) support
    has been added, replacing the previous ESNI (draft-ietf-tls-esni-01)
    implementation. See bmo#1654332 for more information.
  * December 2020 batch of Root CA changes, builtins library updated
    to version 2.46. See bmo#1678189, bmo#1678166, and bmo#1670769
    for more information.
- removed obsolete ppc-old-abi-v3.patch
- update to NSS 3.59.1
  * bmo#1679290 - Fix potential deadlock with certain third-party
    PKCS11 modules
- update to NSS 3.59
  Notable changes
  * Exported two existing functions from libnss:
    CERT_AddCertToListHeadWithData and CERT_AddCertToListTailWithData
  Bugfixes
  * bmo#1607449 - Lock cert->nssCertificate to prevent a potential data race
  * bmo#1672823 - Add Wycheproof test cases for HMAC, HKDF, and DSA
  * bmo#1663661 - Guard against NULL token in nssSlot_IsTokenPresent
  * bmo#1670835 - Support enabling and disabling signatures via Crypto Policy
  * bmo#1672291 - Resolve libpkix OCSP failures on SHA1 self-signed
    root certs when SHA1 signatures are disabled.
  * bmo#1644209 - Fix broken SelectedCipherSuiteReplacer filter to
    solve some test intermittents
  * bmo#1672703 - Tolerate the first CCS in TLS 1.3 to fix a regression in
    our CVE-2020-25648 fix that broke purple-discord
    (boo#1179382)
  * bmo#1666891 - Support key wrap/unwrap with RSA-OAEP
  * bmo#1667989 - Fix gyp linking on Solaris
  * bmo#1668123 - Export CERT_AddCertToListHeadWithData and
    CERT_AddCertToListTailWithData from libnss
  * bmo#1634584 - Set CKA_NSS_SERVER_DISTRUST_AFTER for Trustis FPS Root CA
  * bmo#1663091 - Remove unnecessary assertions in the streaming
    ASN.1 decoder that affected decoding certain PKCS8
    private keys when using NSS debug builds
  * bmo#670839 - Use ARM crypto extension for AES, SHA1 and SHA2 on MacOS.
- update to NSS 3.58
  Bugs fixed:
  * bmo#1641480 (CVE-2020-25648)
    Tighten CCS handling for middlebox compatibility mode.
  * bmo#1631890 - Add support for Hybrid Public Key Encryption
    (draft-irtf-cfrg-hpke) support for TLS Encrypted Client Hello
    (draft-ietf-tls-esni).
  * bmo#1657255 - Add CI tests that disable SHA1/SHA2 ARM crypto
    extensions.
  * bmo#1668328 - Handle spaces in the Python path name when using
    gyp on Windows.
  * bmo#1667153 - Add PK11_ImportDataKey for data object import.
  * bmo#1665715 - Pass the embedded SCT list extension (if present)
    to TrustDomain::CheckRevocation instead of the notBefore value.
- install libraries in %{_libdir} (boo#1029961)
- Fix build with RPM 4.16: error: bare words are no longer
  supported, please use "/..."/:  lib64 == lib64.
- update to NSS 3.57
  * The following CA certificates were Added:
    bmo#1663049 - CN=Trustwave Global Certification Authority
    SHA-256 Fingerprint: 97552015F5DDFC3C8788C006944555408894450084F100867086BC1A2BB58DC8
    bmo#1663049 - CN=Trustwave Global ECC P256 Certification Authority
    SHA-256 Fingerprint: 945BBC825EA554F489D1FD51A73DDF2EA624AC7019A05205225C22A78CCFA8B4
    bmo#1663049 - CN=Trustwave Global ECC P384 Certification Authority
    SHA-256 Fingerprint: 55903859C8C0C3EBB8759ECE4E2557225FF5758BBD38EBD48276601E1BD58097
  * The following CA certificates were Removed:
    bmo#1651211 - CN=EE Certification Centre Root CA
    SHA-256 Fingerprint: 3E84BA4342908516E77573C0992F0979CA084E4685681FF195CCBA8A229B8A76
    bmo#1656077 - O=Government Root Certification Authority; C=TW
    SHA-256 Fingerprint: 7600295EEFE85B9E1FD624DB76062AAAAE59818A54D2774CD4C0B2C01131E1B3
  * Trust settings for the following CA certificates were Modified:
    bmo#1653092 - CN=OISTE WISeKey Global Root GA CA
    Websites (server authentication) trust bit removed.
  * https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.57_release_notes
- requires NSPR 4.29
- removed obsolete nss-freebl-fix-aarch64.patch (bmo#1659256)
- introduced _constraints due to high memory requirements especially
  for LTO on Tumbleweed
- Add patch to fix build on aarch64 - boo#1176934:
  * nss-freebl-fix-aarch64.patch
- Update nss-fips-approved-crypto-non-ec.patch to match RC2 code
  being moved to deprecated/.
- Remove nss-fix-dh-pkcs-derive-inverted-logic.patch. This was made
  obsolete by upstream changes.
- update to NSS 3.56
  Notable changes
  * bmo#1650702 - Support SHA-1 HW acceleration on ARMv8
  * bmo#1656981 - Use MPI comba and mulq optimizations on x86-64 MacOS.
  * bmo#1654142 - Add CPU feature detection for Intel SHA extension.
  * bmo#1648822 - Add stricter validation of DH keys in FIPS mode.
  * bmo#1656986 - Properly detect arm64 during GYP build architecture
    detection.
  * bmo#1652729 - Add build flag to disable RC2 and relocate to
    lib/freebl/deprecated.
  * bmo#1656429 - Correct RTT estimate used in 0-RTT anti-replay.
  * bmo#1588941 - Send empty certificate message when scheme selection
    fails.
  * bmo#1652032 - Fix failure to build in Windows arm64 makefile
    cross-compilation.
  * bmo#1625791 - Fix deadlock issue in nssSlot_IsTokenPresent.
  * bmo#1653975 - Fix 3.53 regression by setting "/all"/ as the default
    makefile target.
  * bmo#1659792 - Fix broken libpkix tests with unexpired PayPal cert.
  * bmo#1659814 - Fix interop.sh failures with newer tls-interop
    commit and dependencies.
  * bmo#1656519 - NSPR dependency updated to 4.28
- do not hard require mozilla-nss-certs-32bit via baselibs
  (boo#1176206)
- update to NSS 3.55
  Notable changes
  * P384 and P521 elliptic curve implementations are replaced with
    verifiable implementations from Fiat-Crypto [0] and ECCKiila [1].
  * PK11_FindCertInSlot is added. With this function, a given slot
    can be queried with a DER-Encoded certificate, providing performance
    and usability improvements over other mechanisms. (bmo#1649633)
  * DTLS 1.3 implementation is updated to draft-38. (bmo#1647752)
  Relevant Bugfixes
  * bmo#1631583 (CVE-2020-6829, CVE-2020-12400) - Replace P384 and
    P521 with new, verifiable implementations from Fiat-Crypto and ECCKiila.
  * bmo#1649487 - Move overzealous assertion in VFY_EndWithSignature.
  * bmo#1631573 (CVE-2020-12401) - Remove unnecessary scalar padding.
  * bmo#1636771 (CVE-2020-12403) - Explicitly disable multi-part
    ChaCha20 (which was not functioning correctly) and more strictly
    enforce tag length.
  * bmo#1649648 - Don't memcpy zero bytes (sanitizer fix).
  * bmo#1649316 - Don't memcpy zero bytes (sanitizer fix).
  * bmo#1649322 - Don't memcpy zero bytes (sanitizer fix).
  * bmo#1653202 - Fix initialization bug in blapitest when compiled
    with NSS_DISABLE_DEPRECATED_SEED.
  * bmo#1646594 - Fix AVX2 detection in makefile builds.
  * bmo#1649633 - Add PK11_FindCertInSlot to search a given slot
    for a DER-encoded certificate.
  * bmo#1651520 - Fix slotLock race in NSC_GetTokenInfo.
  * bmo#1647752 - Update DTLS 1.3 implementation to draft-38.
  * bmo#1649190 - Run cipher, sdr, and ocsp tests under standard test cycle in CI.
  * bmo#1649226 - Add Wycheproof ECDSA tests.
  * bmo#1637222 - Consistently enforce IV requirements for DES and 3DES.
  * bmo#1067214 - Enforce minimum PKCS#1 v1.5 padding length in
    RSA_CheckSignRecover.
  * bmo#1646324 - Advertise PKCS#1 schemes for certificates in the
    signature_algorithms extension.
- update to NSS 3.54
  Notable changes
  * Support for TLS 1.3 external pre-shared keys (bmo#1603042).
  * Use ARM Cryptography Extension for SHA256, when available
    (bmo#1528113)
  * The following CA certificates were Added:
    bmo#1645186 - certSIGN Root CA G2.
    bmo#1645174 - e-Szigno Root CA 2017.
    bmo#1641716 - Microsoft ECC Root Certificate Authority 2017.
    bmo#1641716 - Microsoft RSA Root Certificate Authority 2017.
  * The following CA certificates were Removed:
    bmo#1645199 - AddTrust Class 1 CA Root.
    bmo#1645199 - AddTrust External CA Root.
    bmo#1641718 - LuxTrust Global Root 2.
    bmo#1639987 - Staat der Nederlanden Root CA - G2.
    bmo#1618402 - Symantec Class 2 Public Primary Certification Authority - G4.
    bmo#1618402 - Symantec Class 1 Public Primary Certification Authority - G4.
    bmo#1618402 - VeriSign Class 3 Public Primary Certification Authority - G3.
  * A number of certificates had their Email trust bit disabled.
    See bmo#1618402 for a complete list.
  Bugs fixed
  * bmo#1528113 - Use ARM Cryptography Extension for SHA256.
  * bmo#1603042 - Add TLS 1.3 external PSK support.
  * bmo#1642802 - Add uint128 support for HACL* curve25519 on Windows.
  * bmo#1645186 - Add "/certSIGN Root CA G2"/ root certificate.
  * bmo#1645174 - Add Microsec's "/e-Szigno Root CA 2017"/ root certificate.
  * bmo#1641716 - Add Microsoft's non-EV root certificates.
  * bmo1621151 - Disable email trust bit for "/O=Government
    Root Certification Authority; C=TW"/ root.
  * bmo#1645199 - Remove AddTrust root certificates.
  * bmo#1641718 - Remove "/LuxTrust Global Root 2"/ root certificate.
  * bmo#1639987 - Remove "/Staat der Nederlanden Root CA - G2"/ root
    certificate.
  * bmo#1618402 - Remove Symantec root certificates and disable email trust
    bit.
  * bmo#1640516 - NSS 3.54 should depend on NSPR 4.26.
  * bmo#1642146 - Fix undefined reference to `PORT_ZAlloc_stub' in seed.c.
  * bmo#1642153 - Fix infinite recursion building NSS.
  * bmo#1642638 - Fix fuzzing assertion crash.
  * bmo#1642871 - Enable SSL_SendSessionTicket after resumption.
  * bmo#1643123 - Support SSL_ExportEarlyKeyingMaterial with External PSKs.
  * bmo#1643557 - Fix numerous compile warnings in NSS.
  * bmo#1644774 - SSL gtests to use ClearServerCache when resetting
    self-encrypt keys.
  * bmo#1645479 - Don't use SECITEM_MakeItem in secutil.c.
  * bmo#1646520 - Stricter enforcement of ASN.1 INTEGER encoding.
mpfr
- Add cummulative patch mpfr-4.0.2-p6.patch fixing various bugs.
- Add floating-point-format-no-lto.patch in order to fix assembler scanning
  (boo#1141190).
- Update to mpfr 4.0.2
  * Cummulative bugfix release, includes mpfr-4.0.1-cummulative-patch.patch.
- Fix %install_info_delete usage:
  * It has to be performed in %preun not in %postun.
  * See https://en.opensuse.org/openSUSE:Packaging_Conventions_RPM_Macros#.25install_info_delete.
- Add mpfr-4.0.1-cummulative-patch.patch.  Fixes
  * A subtraction of two numbers of the same sign or addition of two
    numbers of different signs can be rounded incorrectly (and the
    ternary value can be incorrect) when one of the two inputs is
    reused as the output (destination) and all these MPFR numbers
    have exactly GMP_NUMB_BITS bits of precision (typically, 32 bits
    on 32-bit machines, 64 bits on 64-bit machines).
  * The mpfr_fma and mpfr_fms functions can behave incorrectly in case
    of internal overflow or underflow.
  * The result of the mpfr_sqr function can be rounded incorrectly
    in a rare case near underflow when the destination has exactly
    GMP_NUMB_BITS bits of precision (typically, 32 bits on 32-bit
    machines, 64 bits on 64-bit machines) and the input has at most
    GMP_NUMB_BITS bits of precision.
  * The behavior and documentation of the mpfr_get_str function are
    inconsistent concerning the minimum precision (this is related to
    the change of the minimum precision from 2 to 1 in MPFR 4.0.0). The
    get_str patch fixes this issue in the following way: the value 1
    can now be provided for n (4th argument of mpfr_get_str); if n = 0,
    then the number of significant digits in the output string can now
    be 1, as already implied by the documentation (but the code was
    increasing it to 2).
  * The mpfr_cmp_q function can behave incorrectly when the rational
    (mpq_t) number has a null denominator.
  * The mpfr_inp_str and mpfr_out_str functions might behave
    incorrectly when the stream is a null pointer: the stream is
    replaced by stdin and stdout, respectively. This behavior is
    useless, not documented (thus incorrect in case a null pointer
    would have a special meaning), and not consistent with other
    input/output functions.
ncurses
- Add patch bsc1190793-63ca9e06.patch to fix bsc#1190793 for
  CVE-2021-39537: ncurses: heap-based buffer overflow in
  _nc_captoinfo in captoinfo.c
net-snmp
- Fix hrStorage autofs objects timeout problems (bsc#1179699, bsc#1145864).
  Add net-snmp-5.7.3-host-mib-skip-autofs-entries.patch
  Add net-snmp-5.7.3-fix-missing-mib-hrStorage-indexes.patch
- Fix NSS mounted volumes in hrStorageDescr (bsc#1100146).
  Add net-snmp-5.7.3-recognize-nss-pools-and-nss-volumes-oes.patch
- Fix subagent crash at save_set_var() (bsc#1178021).
  Add net-snmp-5.7.3-subagent-set-response.patch
- Fix subagent data corruption (bsc#1178351, bsc#1179009).
  Add net-snmp-5.7.3-fix-subagent-data-corruption.patch
- Fix output for high memTotalReal RAM values (bsc#1152968).
  Add net-snmp-5.7.3-ucd-snmp-mib-add-64-bit-mem-obj.patch
- Make extended MIB read-only (bsc#1174961, CVE-2020-15862).
  Add net-snmp-5.7.3-make-extended-mib-read-only.patch
netcfg
- add submissions port number [bsc#1189683]
- modified patches
  % services-suse.diff
nghttp2
- security update
- added patches
  fix CVE-2020-11080 [bsc#1181358], HTTP/2 Large Settings Frame DoS
  + nghttp2-CVE-2020-11080.patch
numactl
- include bugfixes in SLE, to enable 32 bit systems (SLE-17217)
- Enable LTO (boo#1133098) as it works now.
- update to 2.0.14:
  * manpage update
  * numademo: fix issue on 32 bit systems
  * drop custom cflags for libnuma
  * use symvers attribute for symbol versioning
- Update to version 2.0.13:
  * Release numactl 2.0.13
  * Skip `test/move_pages` if we don't have at least two nodes available
  * Add license files: GPLv2 + LGPLv2.1
  * Handle cpu-less node for bind_range test
  * Convert numastat.c to standard numactl coding style
  * Disable clang travis targets for now
  * numastat.8: clarify that information relates to resident pages
  * Fix all declarations to be C prototypes
  * numatopology: Add check for cpu-less nodes
  * Update INSTALL.md
  * numastat: when reading no-exist pid, return EXIT_FAILURE
  * numastat: Add KReclaimable to list of known fields in meminfo
  * numastat: Better diagnostic when find unknown string in meminfo
  * Enable building on s390x
  * Correct sysconf constants
  * Removed unnecessary exit from memhog.c Solves issue #50
  * Synchronized usage function with man page
  * Added memhog.8 to Makefile.am
  * memhog: add man page
  * Allow linking with lld by deduplicating symbols
  * numademo: free the node_to_use on the way out
  * numademo: free test nodemask
  * libnuma: cleanup node cpu mask in destructor
  * numactl: add va_end to usage function
  * travis: add build matrix
  * remove kernel version check
  * add missing linux version header
  * make MPOL_ macros match linux kernel
  * add missing policy
  * Fix: Add ShmemHugePages and ShmemPmdMapped to system_meminfo[]
  * Fix: move_pages test for non-contiguous nodes
  * Correct calculation of nr_nodes and re-enable move_pages test
  * Fix: regress test numastat function and few test fixes
  * Fix: distance test to include all existing nodes
  * numademo: fix wrong node input
  * Fix: node_list with memory-less nodes
- Drop autoconf/libtool BuildRequires and autoreconf invocation,
  bundled configure is up-to-date.
- Drop obsolete revert_date_in_numastat.patch, gcc sets __DATE__
  based on SOURCE_DATE_EPOCH now.
- Correct License for devel subpackage, same as for the library
  (LGPL-2.1-or-later).
- numastat doesn't need perl anymore since 2012
- For obs regression checker, this version includes following SLE
  fixes:
  - enable build for aarch64 (fate#319973) (bsc#976199)
    factory has an extra patch to disable ARM 32 bit archs which
    looks a bit misleading as %arm macro only covers 32 bit ARM.
  - Bug 955334 - numactl/libnuma: add patch for Dynamic Reconfiguration
    bsc#955334
- Disable LTO (boo#1133098).
- Update to version 2.0.12:
  * Release numactl 2.0.12
  * Cleanup whitespace from *.c and *.h files
  * Add Travis build status to numactl README
  * Convert README and INSTALL to Markdown
  * Remove `threadtest.c`
  * Remove `mkolddemo` script
  * Remove file TODO, which has outdated contents
  * Remove file DESIGN, which has no contents
  * Remove changelogs from the repository
  * Revert "/make clearcache work on x86/PIC"/
  * Add "/NAME"/ section to numastat manpage
  * Allow building on ARM systems
  * Add pkg-config file for NUMA library
  * readdir_r(3) is deprecated, use readdir(3) instead
  * Avoid filename truncation in numastat
  * fix coding style in last change
  * Fix: numademo test between sparse nodes
  * Fix: allocation of dynamic array
  * Fix: numactl distance between sparse nodes
  * include sys/sysmacros.h for major/minor
  * make clearcache work on x86/PIC
  * Fix regress test for invalid hard code of nodenames
  * Fix end of line check in distance parsing
  * Optimize numa_distance check
  * affinity: Include sys/sysmacros.h to fix warning
  * numademo: Increase buffer to avoid theoretical buffer overflow
  * Check for invalid nodes in numa_distance
- sysmacros.patch: Include <sys/sysmacros.h> for major/minor (bsc#1181571) (bsc#1183796)
open-iscsi
- Cherry-picked 3 Factory/upstream commits, for bsc#1179908
  (which addresses CVE-2020-17437, CVE-2020-17438, CVE-2020-13987,
  and CVE-2020-13988):
  * check for TCP urgent pointer past end of frame
  * check for u8 overflow when processing TCP options
  * check for header length underflow during checksum calculation
- Enabled no-wait ("/-W"/) iscsiadm option for iscsi login
  service (bsc#1173886, bsc#1183421)
- Added two upstream commits:
  * 40a39d7b93a1 Implement login "/no_wait"/ for iscsiadm NODE mode
  * e27ac1318510 Add ability to attempt target logins asynchronously
  for bsc#1173886. This adds the ability to perform async logins.
openldap2
- bsc#1187210 - Resolve bug in the idle / connection TTL timeout
  implementation in OpenLDAP.
  * 0231-ITS-9468-Added-test-case-for-proxy-re-binding-anonym.patch
  * 0232-ITS-9468-back-ldap-Return-disconect-if-rebind-cannot.patch
  * 0233-ITS-9468-removed-accidental-unicode-characters.patch
  * 0234-ITS-9468-documented-that-re-connecting-does-not-happ.patch
  * 0235-ITS-9468-summarize-discussion-about-rebind-as-user.patch
  * 0236-ITS-9468-fixed-typos.patch
  * 0237-ITS-9468-always-init-lc_time-and-lc_create_time.patch
  * 0238-ITS-9468-do-not-arm-expire-timer-for-connections-tha.patch
- bsc#1182791 - improve proxy connection timout options to correctly
  prune connections.
  * 0225-ITS-8625-Separate-Avlnode-and-TAvlnode-types.patch
  * 0226-ITS-9197-back-ldap-added-task-that-prunes-expired-co.patch
  * 0227-ITS-9197-Increase-timeouts-in-test-case-due-to-spora.patch
  * 0228-ITS-9197-fix-typo-in-prev-commit.patch
  * 0229-ITS-9197-Fix-test-script.patch
  * 0230-ITS-9197-fix-info-msg-for-slapd-check.patch
- bsc#1182408 CVE-2020-36230 - an assertion failure in slapd in the
  X.509 DN parsing in decode.c ber_next_element, resulting in denial
  of service.
  * 0220-ITS-9423-ldap_X509dn2bv-check-for-invalid-BER-after-.patch
- bsc#1182411 CVE-2020-36229 - ldap_X509dn2bv crash in the X.509 DN
  parsing in ad_keystring, resulting in denial of service.
  * 0222-ITS-9425-add-more-checks-to-ldap_X509dn2bv.patch
- bsc#1182412 CVE-2020-36228 - integer underflow leading to crash
  in the Certificate List Exact Assertion processing, resulting in
  denial of service.
  * 0223-ITS-9427-fix-issuerAndThisUpdateCheck.patch
- bsc#1182413 CVE-2020-36227 - infinite loop in slapd with the
  cancel_extop Cancel operation, resulting in denial of service.
  * 0224-ITS-9428-fix-cancel-exop.patch
- bsc#1182416 CVE-2020-36225 - double free and slapd crash in the
  saslAuthzTo processing, resulting in denial of service.
  * 0218-ITS-9412-fix-AVA_Sort-on-invalid-RDN.patch
- bsc#1182417 CVE-2020-36224 - invalid pointer free and slapd crash
  in the saslAuthzTo processing, resulting in denial of service.
  * 0217-ITS-9409-saslauthz-use-slap_sl_free-in-prev-commit.patch
  * 0216-ITS-9409-saslauthz-use-ch_free-on-normalized-DN.patch
- bsc#1182415 CVE-2020-36226 - memch->bv_len miscalculation and slapd
  crash in the saslAuthzTo processing, resulting in denial of service.
  * 0219-ITS-9413-fix-slap_parse_user.patch
- bsc#1182419 CVE-2020-36222 - assertion failure in slapd in the
  saslAuthzTo validation, resulting in denial of service.
  * 0213-ITS-9406-9407-remove-saslauthz-asserts.patch
  * 0214-ITS-9406-fix-debug-msg.patch
- bsc#1182420 CVE-2020-36221 - slapd crashes in the Certificate Exact
  Assertion processing, resulting in denial of service (schema_init.c
  serialNumberAndIssuerCheck).
  * 0212-ITS-9404-fix-serialNumberAndIssuerCheck.patch
  * 0221-ITS-9424-fix-serialNumberAndIssuerSerialCheck.patch
- bsc#1182418 CVE-2020-36223 - slapd crash in the Values Return Filter
  control handling, resulting in denial of service (double free and
  out-of-bounds read).
  * 0215-ITS-9408-fix-vrfilter-double-free.patch
- bsc#1182279 CVE-2021-27212 - an assertion failure in slapd can occur
    in the issuerAndThisUpdateCheck function via a crafted packet,
    resulting in a denial of service (daemon exit) via a short timestamp.
    This is related to schema_init.c and checkTime.
  * patch: 0211-ITS-9454-fix-issuerAndThisUpdateCheck.patch
openslp
- Implement automatic active discovery retries so that DAs do
  not get dropped if they are not reachable for some time
  [bnc#1166637] [bnc#1184008]
  new patch: openslp.unicastactivediscovery.diff
openssh
- Add openssh-bsc1190975-CVE-2021-41617-authorizedkeyscommand.patch
  (bsc#1190975, CVE-2021-41617), backported from upstream by
  Ali Abdallah.
openssl-1_1
- Other OpenSSL functions that print ASN.1 data have been found to assume that
  the ASN1_STRING byte array will be NUL terminated, even though this is not
  guaranteed for strings that have been directly constructed. Where an application
  requests an ASN.1 structure to be printed, and where that ASN.1 structure
  contains ASN1_STRINGs that have been directly constructed by the application
  without NUL terminating the "/data"/ field, then a read buffer overrun can occur.
  * CVE-2021-3712 continued
  * bsc#1189521
  * Add CVE-2021-3712-other-ASN1_STRING-issues.patch
  * Sourced from openssl-CVE-2021-3712.tar.bz2 posted on bsc-1189521
    2021-08-24 00:47 PDT by Marcus Meissner
- The function X509_aux_print() has a bug which may cause a read buffer overrun
  when printing certificate details. A malicious actor could construct a
  certificate to deliberately hit this bug, which may result in a crash of the
  application (causing a Denial of Service attack).
  * CVE-2021-3712
  * bsc#1189521
  * Add CVE-2021-3712-Fix-read-buffer-overrun-in-X509_aux_print.patch
- Security fixes:
  * Integer overflow in CipherUpdate: Incorrect SSLv2 rollback
    protection [bsc#1182333, CVE-2021-23840]
  * Null pointer deref in X509_issuer_and_serial_hash()
    [bsc#1182331, CVE-2021-23841]
- Add openssl-CVE-2021-23840.patch openssl-CVE-2021-23841.patch
p11-kit
- 0001-common-Use-reallocarray-instead-of-realloc-as-approp.patch
  0001-Check-for-arithmetic-overflows-before-allocating.patch
  0001-Follow-up-to-arithmetic-overflow-fix.patch:
  Fixed multiple integer overflows in rpc code (bsc#1180064
  CVE-2020-29361)
- Add support for CKA_NSS_{SERVER,EMAIL}_DISTRUST_AFTER (bsc#1187993,
  0001-trust-Support-CKA_NSS_-SERVER-EMAIL-_DISTRUST_AFTER.patch)
- add bcond to spec file to enable debug easily
pacemaker
- scheduler: add test for probe of unmanaged resource on pending node (bsc#1188653)
  * bsc#1188653-0003-Test-scheduler-add-test-for-probe-of-unmanaged-resou.patch
- scheduler: update existing tests for probe scheduling change (bsc#1188653)
  * bsc#1188653-0002-Test-scheduler-update-existing-tests-for-probe-sched.patch
- scheduler: don't schedule probes of unmanaged resources on pending nodes (bsc#1188653)
  * bsc#1188653-0001-Fix-scheduler-don-t-schedule-probes-of-unmanaged-res.patch
- libcrmcommon: Correctly handle case-sensitive ids of xml objects when changing a value. (bsc#1187414)
  * bsc#1187414-0001-Fix-libcrmcommon-Correctly-handle-case-sensitive-ids.patch
- controld: purge attrd attributes when the remote node is up to ensure sync with CIB (bsc#1186693)
  * bsc#1186693-clean-attrd-attributes-when-remote-node-is-up.patch
- iso8601: prevent sec overrun before adding up as long long
  * 0001-Fix-iso8601-prevent-sec-overrun-before-adding-up-as-.patch
- execd: Skips merging of canceled fencing monitors.(Fix:#CLBZ5393)
  * 0001-Mid-execd-Skips-merging-of-canceled-fencing-monitors.patch
- fencing: remove any devices that are not installed
  * 0001-Fix-fencing-remove-any-devices-that-are-not-installe.patch
- liblrmd: Limit node name addition to proxied attrd update commands (rh#1907726)
  * rh#1907726-0001-Fix-liblrmd-Limit-node-name-addition-to-proxied-attr.patch
- attrd: prevent leftover attributes of shutdown node in cib (bsc#1173668)
  * bsc#1173668-0001-Fix-attrd-prevent-leftover-attributes-of-shutdown-no.patch
- crmadmin: printing DC quietly if needed (bsc#1178865)
  * bsc#1178865-0001-Fix-crmadmin-printing-DC-quietly-if-needed.patch
- controller, Pacemaker Explained: improve the documentation of `stonith-watchdog-timeout` cluster option (bsc#1174696, bsc#1184557)
  * bsc#1174696-0004-Doc-controller-Pacemaker-Explained-improve-the-docum.patch
- scheduler: improve the documentation of `have-watchdog` cluster option (bsc#1174696, bsc#1184557)
  * bsc#1174696-0003-Doc-scheduler-improve-the-documentation-of-have-watc.patch
- libpe_status: downgrade the message about the meaning of `have-watchdog=true` to info (bsc#1174696, bsc#1184557)
  * bsc#1174696-0002-Log-libpe_status-downgrade-the-message-about-the-mea.patch
- scheduler: clarify message about when watchdog will be used (bsc#1174696, bsc#1184557)
  * bsc#1174696-0001-Log-scheduler-clarify-message-about-when-watchdog-wi.patch
- scheduler: update migrate-fail-9 test for migration code change (bsc#1177212, bsc#1182607)
  * bsc#1177212-0010-Test-scheduler-update-migrate-fail-9-test-for-migrat.patch
- scheduler: don't schedule a dangling migration stop if one already occurred (bsc#1177212, bsc#1182607)
  * bsc#1177212-0009-Fix-scheduler-don-t-schedule-a-dangling-migration-st.patch
- scheduler: properly detect dangling migrations (bsc#1177212)
  * bsc#1177212-0008-Test-scheduler-test-failed-migration-followed-by-suc.patch
  * bsc#1177212-0007-Fix-scheduler-properly-detect-dangling-migrations.patch
  * bsc#1177212-0006-Refactor-scheduler-functionize-getting-call-ID-from-.patch
- scheduler: only successful ops count for migration comparisons (bsc#1177212)
  * bsc#1177212-0005-Low-scheduler-only-successful-ops-count-for-migratio.patch
  * bsc#1177212-0004-Test-scheduler-fix-invalid-test-XML.patch
- libpe_status: add sanity check when unpacking migration history (bsc#1177212)
  * bsc#1177212-0003-Low-libpe_status-add-sanity-check-when-unpacking-mig.patch
  * bsc#1177212-0002-Refactor-libpe_status-reorganize-unpacking-migration.patch
- libpe_status: check for stops correctly when unpacking migration (bsc#1177212)
  * bsc#1177212-0001-Low-libpe_status-check-for-stops-correctly-when-unpa.patch
- libpe_status: handle pending migrations correctly (bsc#1177212)
  * bsc#1177212-0000-Low-libpe_status-handle-pending-migrations-correctly.patch
- fencer: don't require API registration for list and status commands (bsc#1148236)
  * bsc#1148236-0002-Low-fencer-don-t-require-API-registration-for-list-a.patch
- fencer: improve error checking and log messages for API action requests (bsc#1148236)
  * bsc#1148236-0001-Low-fencer-improve-error-checking-and-log-messages-f.patch
pam
- Corrected a bad directive file which resulted in
  the "/securetty"/ file to be installed as "/macros.pam"/.
  [pam.spec]
- Added tmpfiles for pam to set up directory for pam_faillock.
  [pam.conf]
- Corrected macros.pam entry for %_pam_moduledir
  Cleanup in pam.spec:
  * Replaced all references to ${_lib}/security in pam.spec by
  %{_pam_moduledir}
  * Removed definition of (unused) "/amdir"/.
- Added new file macros.pam on request of systemd.
  [bsc#1190052, macros.pam]
- Added pam_faillock to the set of modules.
  [jsc#sle-20638, pam-sle20638-add-pam_faillock.patch]
- In the 32-bit compatibility package for 64-bit architectures,
  require "/systemd-32bit"/ to be also installed as it contains
  pam_systemd.so for 32 bit applications.
  [bsc#1185562, baselibs.conf]
- If "/LOCAL"/ is configured in access.conf, and a login attempt from
  a remote host is made, pam_access tries to resolve "/LOCAL"/ as
  a hostname and logs a failure.
  Checking explicitly for "/LOCAL"/ and rejecting access in this case
  resolves this issue.
  [bsc#1184358, bsc1184358-prevent-LOCAL-from-being-resolved.patch]
- pam_limits: "/unlimited"/ is not a legitimate value for "/nofile"/
  (see setrlimit(2)). So, when "/nofile"/ is set to one of the
  "/unlimited"/ values, it is set to the contents of
  "//proc/sys/fs/nr_open"/ instead.
  Also changed the manpage of pam_limits to express this.
  [bsc#1181443, pam-bsc1181443-make-nofile-unlimited-mean-nr_open.patch]
- Add a definition for pamdir to pam.spec
  So that a proper contents of macros.pam can be constructed.
  [pam.spec]
pcre
- pcre 8.45 (the final release)
  * Fixed a small (*MARK) bug in the interpreter (Bugzilla #2771).
- pcre 8.44
  * Small patch to pcreposix.c to set the erroroffset field to -1 immediately
  after a successful compile, instead of at the start of matching to avoid a
  sanitizer complaint (regexec is supposed to be thread safe).
  * Check the size of the number after (?C as it is read, in order to avoid
  integer overflow. (bsc#1172974, CVE-2020-14155)
  * Tidy up left shifts to avoid sanitize warnings; also fix one NULL deference
  in pcretest.
- pcre 8.43
  * In a pattern such as /[^x{100}-x{ffff}]*[x80-xff]/ which has a repeated
  negative class with no characters less than 0x100 followed by a positive class
  with only characters less than 0x100, the first class was incorrectly being
  auto-possessified, causing incorrect match failures.
  * If the only branch in a conditional subpattern was anchored, the whole
  subpattern was treated as anchored, when it should not have been, since the
  assumed empty second branch cannot be anchored. Demonstrated by test patterns
  such as /(?(1)^())b/ or /(?(?=^))b/.
  * Fix subject buffer overread in JIT when UTF is disabled and X or R has
  a greater than 1 fixed quantifier. This issue was found by Yunho Kim.
  (bsc#1172973 CVE-2019-20838)
  * If a pattern started with a subroutine call that had a quantifier with a
  minimum of zero, an incorrect "/match must start with this character"/ could be
  recorded. Example: /(?&xxx)*ABC(?<xxx>XYZ)/ would (incorrectly) expect 'A' to
  be the first character of a match.
- pcre 8.42
  * If a backreference with a minimum repeat count of zero was first in a
  pattern, apart from assertions, an incorrect first matching character could be
  recorded. For example, for the pattern /(?=(a))1?b/, "/b"/ was incorrectly set
  as the first character of a match.
  * Fix out-of-bounds read for partial matching of /./ against an empty string
  when the newline type is CRLF.
  * When matching using the the REG_STARTEND feature of the POSIX API with a
  non-zero starting offset, unset capturing groups with lower numbers than a
  group that did capture something were not being correctly returned as "/unset"/
  (that is, with offset values of -1).
  * Matching the pattern /(*UTF)C[^v]+x80/ against an 8-bit string
  containing multi-code-unit characters caused bad behaviour and possibly a
  crash. This issue was fixed for other kinds of repeat in release 8.37 by change
  38, but repeating character classes were overlooked.
- Do not run profiling 'check' in parallel
  to make package build reproducible (boo#1040589)
pcre2
- Added 0001-Fixed-atomic-group-backtracking-bug.patch
  * bsc#1187937
  * PHP 7.6.4 on s390x returns different results for preg_match
    function as compared to older PHP versions and x86
  * Sourced from upstream subversion commit:
    $ svn log -r965 svn://vcs.pcre.org/pcre2/code/trunk
pixman

      
polkit
- CVE-2021-4034: fixed a local privilege escalation in pkexec (bsc#1194568)
  added CVE-2021-4034-pkexec-fix.patch
- CVE-2021-3560: fixed a local privilege escalation using polkit_system_bus_name_get_creds_sync()
  (bsc#1186497)
  CVE-2021-3560.patch
procps
- Add upstream patch procps-vmstat-1b9ea611.patch for bsc#1185417
  * Support up to 2048 CPU as well
- Add upstream patch procps-3.3.17-bsc1181976.patch based on
  commit 3dd1661a to fix bsc#1181976 that is change descripton
  of psr, which is for 39th field of /proc/[pid]/stat
psmisc
- Change patch 0001-Use-mountinfo-to-be-able-to-use-the-mount-identity.patch
  * Fix bsc#1185208 to make private mount namespaces work as well
    as to distinguish NFS mounts from same remote device share.
- Change patch 0001-Use-mountinfo-to-be-able-to-use-the-mount-identity.patch
  * Fix bsc#1178407: fuser does not show open kvm storage image files
    such as qcow2 files. Patch from Ali Abdallah <ali.abdallah@suse.com>
python
- Add CVE-2019-20907_tarfile-inf-loop.patch fixing bsc#1174091
  (CVE-2019-20907, bpo#39017) avoiding possible infinite loop
  in specifically crafted tarball.
  Add recursion.tar as a testing tarball for the patch.
- Renamed patch for assigned CVE:
  * bpo44022-fix-http-client-infinite-line-reading-after-a-HTTP-100-Continue.patch ->
    CVE-2021-3737-fix-HTTP-client-infinite-line-reading-after-a-HTTP-100-Continue.patch
    (boo#1189241, CVE-2021-3737)
- Renamed patch for assigned CVE:
  * bpo43075-fix-ReDoS-in-request.patch -> CVE-2021-3733-fix-ReDoS-in-request.patch
    (boo#1189287, CVE-2021-3733)
- Fix python-doc build (bpo#35293):
  * sphinx-update-removed-function.patch
- Update documentation formatting for Sphinx 3.0 (bpo#40204).
- Add bpo43075-fix-ReDoS-in-request.patch which fixes ReDoS in
  request (bpo#43075, boo#1189287).
- Add missing security announcement to
  bpo44022-fix-http-client-infinite-line-reading-after-a-HTTP-100-Continue.patch.
- Add bpo44022-fix-http-client-infinite-line-reading-after-a-HTTP-100-Continue.patch
  which fixes http client infinite line reading (DoS) after a http
  100 (bpo#44022, boo#1189241).
- Modify Lib/ensurepip/__init__.py to contain the same version
  numbers as are in reality the ones in the bundled wheels
  (bsc#1187668).
- Add CVE-2021-23336-only-amp-as-query-sep.patch which forbids
  use of semicolon as a query string separator (bpo#42967,
  bsc#1182379, CVE-2021-23336).
- Add CVE-2021-3177-buf_ovrfl_PyCArg_repr.patch fixing
  bsc#1181126 (CVE-2021-3177) buffer overflow in PyCArg_repr in
  _ctypes/callproc.c, which may lead to remote code execution.
- (bsc#1180125) We really don't Require python-rpm-macros package.
  Unnecessary dependency.
- Add patch configure_PYTHON_FOR_REGEN.patch which makes
  configure.ac to consider the correct version of
  PYTHON_FO_REGEN (bsc#1078326).
- Use python3-Sphinx on anything more recent than SLE-15 (inclusive).
- Update to 2.7.18, final release of Python 2. Ever.:
  - Newline characters have been escaped when performing uu
    encoding to prevent them from overflowing into to content
    section of the encoded file. This prevents malicious or
    accidental modification of data during the decoding process.
  - Fixes a ReDoS vulnerability in `http.cookiejar`. Patch by Ben
    Caller.
  - Fixed line numbers and column offsets for AST nodes for calls
    without arguments in decorators.
  - bsc#1155094 (CVE-2019-18348) Disallow control characters in
    hostnames in http.client. Such potentially malicious header
    injection URLs now cause a InvalidURL to be raised.
  - Fix urllib.urlretrieve failing on subsequent ftp transfers
    from the same host.
  - Fix problems identified by GCC's -Wstringop-truncation
    warning.
  - AddRefActCtx() was needlessly being checked for failure in
    PC/dl_nt.c.
  - Prevent failure of test_relative_path in test_py_compile on
    macOS Catalina.
  - Fixed possible leak in `PyArg_Parse` and similar
    functions for format units "/es#"/ and "/et#"/ when the macro
    `PY_SSIZE_T_CLEAN` is not defined.
- Remove upstreamed patches:
  - CVE-2019-18348-CRLF_injection_via_host_part.patch
  - python-2.7.14-CVE-2017-1000158.patch
  - CVE-2018-14647_XML_SetHashSalt-in_elementtree.patch
  - CVE-2018-1061-DOS-via-regexp-difflib.patch
  - CVE-2019-10160-netloc-port-regression.patch
  - CVE-2019-16056-email-parse-addr.patch
- bsc#1109847 (CVE-2018-14647): add
  CVE-2018-14647_XML_SetHashSalt-in_elementtree.patch fixing
  bpo-34623.
  fixing bpo-35746 (CVE-2019-5010).
python-base
- Add CVE-2019-20907_tarfile-inf-loop.patch fixing bsc#1174091
  (CVE-2019-20907, bpo#39017) avoiding possible infinite loop
  in specifically crafted tarball.
  Add recursion.tar as a testing tarball for the patch.
- Renamed patch for assigned CVE:
  * bpo44022-fix-http-client-infinite-line-reading-after-a-HTTP-100-Continue.patch ->
    CVE-2021-3737-fix-HTTP-client-infinite-line-reading-after-a-HTTP-100-Continue.patch
    (boo#1189241, CVE-2021-3737)
- Renamed patch for assigned CVE:
  * bpo43075-fix-ReDoS-in-request.patch -> CVE-2021-3733-fix-ReDoS-in-request.patch
    (boo#1189287, CVE-2021-3733)
- Fix python-doc build (bpo#35293):
  * sphinx-update-removed-function.patch
- Update documentation formatting for Sphinx 3.0 (bpo#40204).
- Add bpo43075-fix-ReDoS-in-request.patch which fixes ReDoS in
  request (bpo#43075, boo#1189287).
- Add missing security announcement to
  bpo44022-fix-http-client-infinite-line-reading-after-a-HTTP-100-Continue.patch.
- Add bpo44022-fix-http-client-infinite-line-reading-after-a-HTTP-100-Continue.patch
  which fixes http client infinite line reading (DoS) after a http
  100 (bpo#44022, boo#1189241).
- Modify Lib/ensurepip/__init__.py to contain the same version
  numbers as are in reality the ones in the bundled wheels
  (bsc#1187668).
- Add CVE-2021-23336-only-amp-as-query-sep.patch which forbids
  use of semicolon as a query string separator (bpo#42967,
  bsc#1182379, CVE-2021-23336).
- Add CVE-2021-3177-buf_ovrfl_PyCArg_repr.patch fixing
  bsc#1181126 (CVE-2021-3177) buffer overflow in PyCArg_repr in
  _ctypes/callproc.c, which may lead to remote code execution.
- (bsc#1180125) We really don't Require python-rpm-macros package.
  Unnecessary dependency.
- Add patch configure_PYTHON_FOR_REGEN.patch which makes
  configure.ac to consider the correct version of
  PYTHON_FO_REGEN (bsc#1078326).
- Use python3-Sphinx on anything more recent than SLE-15 (inclusive).
- Update to 2.7.18, final release of Python 2. Ever.:
  - Newline characters have been escaped when performing uu
    encoding to prevent them from overflowing into to content
    section of the encoded file. This prevents malicious or
    accidental modification of data during the decoding process.
  - Fixes a ReDoS vulnerability in `http.cookiejar`. Patch by Ben
    Caller.
  - Fixed line numbers and column offsets for AST nodes for calls
    without arguments in decorators.
  - bsc#1155094 (CVE-2019-18348) Disallow control characters in
    hostnames in http.client. Such potentially malicious header
    injection URLs now cause a InvalidURL to be raised.
  - Fix urllib.urlretrieve failing on subsequent ftp transfers
    from the same host.
  - Fix problems identified by GCC's -Wstringop-truncation
    warning.
  - AddRefActCtx() was needlessly being checked for failure in
    PC/dl_nt.c.
  - Prevent failure of test_relative_path in test_py_compile on
    macOS Catalina.
  - Fixed possible leak in `PyArg_Parse` and similar
    functions for format units "/es#"/ and "/et#"/ when the macro
    `PY_SSIZE_T_CLEAN` is not defined.
- Remove upstreamed patches:
  - CVE-2019-18348-CRLF_injection_via_host_part.patch
  - python-2.7.14-CVE-2017-1000158.patch
  - CVE-2018-14647_XML_SetHashSalt-in_elementtree.patch
  - CVE-2018-1061-DOS-via-regexp-difflib.patch
  - CVE-2019-10160-netloc-port-regression.patch
  - CVE-2019-16056-email-parse-addr.patch
- bsc#1109847 (CVE-2018-14647): add
  CVE-2018-14647_XML_SetHashSalt-in_elementtree.patch fixing
  bpo-34623.
  fixing bpo-35746 (CVE-2019-5010).
python-dbus-python
- Update to latest version from tumbleweed jira#OPENSUSE-22
  boo#1183818
- Enable testsuite
- update to 1.2.16:
  * All tests are run even if the tap.py module is not available, although
    diagnostics for failing tests will be better if it is present.
  * Forbid unexpanded AX-prefixed macros more selectively
- Support builds with more than one python3 flavor
  gh#openSUSE/python-rpm-macros#66
- Remove shebang from examples (rpmlint warning, is in common doc)
- Clean duplicate python flavor variables for configure
- Update the provides/obsoletes tags for old-style dbus-1-$python
- Version update to version 1.2.14:
  * Ensure that the numeric types from dbus.types get the same
    str() under Python 3.8 that they did under previous versions.
  * Disable -Winline.
  * Add Python 3.8 to CI.
  - Changes in version 1.2.12:
  * Don't save and restore the exception indicator when called
    from C code.
  - Changes in version 1.2.10:
  * Rewrite CONTRIBUTING.md document, based on Wayland's equivalent
  * Add clearer license information using SPDX-License-Identifier.
  * Improve test coverage.
  * Don't set deprecated tp_print to NULL under Python 3.
  * Include inherited methods and properties when documenting
    objects, which regressed when migrating from epydoc to sphinx.
  * Add missing variant_level member to UnixFd type, for parity
    with the other dbus.types types (dbus-python!3.
  - Note that this is a potentially incompatible change: unknown
    keyword arguments were previously ignored (!) and are now an
    error.
  * Don't reply to method calls if they have the NO_REPLY_EXPECTED
    flag (fd.o#32529, dbus-python#26.
  * Silence -Wcast-function-type with gcc 8.
  * Fix distcheck with python3.7 by deleting __pycache__ during
    uninstall.
  * Consistently save and restore the exception indicator when
    called from C code.
  * Avoid a long-standing race condition in the automated tests.
  * Fix Qt website URL.
- Up dbus dependency; 1.8 is now required.
- Add missing dependency for pkg-config files
- Version update to version 1.2.8:
  * Python 2.7 required or 3.4 respectively
  * Tests use tap.py functionality
  * Upstream dropped epydoc completely
  * See NEWS for more
- Use requires_ge instead of the rpm calls
python-oauthlib

      
python-paramiko
- paramiko-fix-1169489.patch: fixed fallout from last patch (bsc#1169489)
- add-support-for-new-OpenSSH-private-key-format.patch:
  Add support for new OpenSSH >= 7.8p1 private key format  (bsc#1166758)
python-py
- CVE-2020-29651.patch (bsc#1179805, CVE-2020-29651, bsc#1184505)
  * python-py: regular expression denial of service in svnwc.py
python-pyasn1

      
python-pycparser

      
python-pyzmq
- update to version 17.1.2 (fixes boo#1186945)
  * Fix possible hang when working with asyncio
  * Remove some outdated workarounds for old Cython versions
  * Fix some compilation with custom compilers
  * Remove unneeded link of libstdc++ on PyPy
python-rsa
- Add cve_2020-13757.patch (CVE-2020-13757 bsc#1172389)
  + Handle leading '0' bytes during decryption of ciphertext
python3
- The previous construct works only on the current Factory, not
  in SLE.
- BuildRequire rpm-build-python: The provider to inject python(abi)
  has been moved there. rpm-build pulls rpm-build-python
  automatically in when building anything against python3-base, but
  this implies that the initial build of python3-base does not
  trigger the automatic installation.
- Due to conflicting demands of bsc#1183858 and platforms where
  Python 3.6 is only in interpreter+pip set we have to make
  complicated ugly construct about Sphinx BR.
- Make python36 primary interpreter on SLE-15
- Make build working even on older SLEs.
- Update to 3.6.15:
  - bpo-43124: Made the internal putcmd function in smtplib
    sanitize input for presence of r and n characters to avoid
    (unlikely) command injection. Library
  - bpo-45001: Made email date parsing more robust against
    malformed input, namely a whitespace-only Date: header. Patch
    by Wouter Bolsterlee. Tests
  - bpo-38965: Fix test_faulthandler on GCC 10. Use the
    “volatile” keyword in faulthandler._stack_overflow() to
    prevent tail call optimization on any compiler, rather than
    relying on compiler specific pragma.
- Remove upstreamed patches:
  - faulthandler_stack_overflow_on_GCC10.patch
- test_faulthandler is still problematic under qemu linux-user emulation,
  disable it there
- Update to 3.6.14:
  * Security
  - bpo-44022 (bsc#1189241, CVE-2021-3737): mod:http.client now
    avoids infinitely reading potential HTTP headers after
    a 100 Continue status response from the server.
  - bpo-43882: The presence of newline or tab characters in parts
    of a URL could allow some forms of attacks.
    Following the controlling specification for URLs defined by
    WHATWG urllib.parse() now removes ASCII newlines and tabs
    from URLs, preventing such attacks.
  - bpo-42988 (CVE-2021-3426, bsc#1183374): Remove the getfile feature
    of the pydoc module which could be abused to read arbitrary files
    on the disk (directory traversal vulnerability). Moreover, even
    source code of Python modules can contain sensitive data like
    passwords. Vulnerability reported by David Schwörer.
  - bpo-43285: ftplib no longer trusts the IP address value
    returned from the server in response to the PASV command by
    default. This prevents a malicious FTP server from using the
    response to probe IPv4 address and port combinations on the
    client network.
    Code that requires the former vulnerable behavior may set a
    trust_server_pasv_ipv4_address attribute on their ftplib.FTP
    instances to True to re-enable it.
  - bpo-43075 (CVE-2021-3733, bsc#1189287): Fix Regular Expression
    Denial of Service (ReDoS) vulnerability in
    urllib.request.AbstractBasicAuthHandler. The ReDoS-vulnerable
    regex has quadratic worst-case complexity and it allows cause
    a denial of service when identifying crafted invalid RFCs. This
    ReDoS issue is on the client side and needs remote attackers to
    control the HTTP server.
- Upstreamed patches were removed:
  - CVE-2021-3426-inf-disclosure-pydoc-getfile.patch
- Refreshed patches:
  - python3-sorted_tar.patch
  - riscv64-ctypes.patch
- Rebuild to get new headers, avoid building in support for
  stropts.h (bsc#1187338).
- Use versioned python-Sphinx to avoid dependency on other
  version of Python (bsc#1183858).
- Modify Lib/ensurepip/__init__.py to contain the same version
  numbers as are in reality the ones in the bundled wheels
  (bsc#1187668).
- add 22198.patch to build with Sphinx 4
- Stop providing "/python"/ symbol (bsc#1185588), which means
  python2 currently.
- Make sure to close the import_failed.map file after the exception
  has been raised in order to avoid ResourceWarnings when the
  failing import is part of a try...except block.
- Add CVE-2021-3426-inf-disclosure-pydoc-getfile.patch to remove
  getfile feature from pydoc, which is a security nightmare
  (among other things, CVE-2021-3426, allows disclosure of any
  file on the system; bsc#1183374, bpo#42988).
Update to 3.6.13, final release of 3.6 branch:
  * Security
  - bpo#42967 (bsc#1182379, CVE-2021-23336): Fix web cache
    poisoning vulnerability by defaulting the query args
    separator to &, and allowing the user to choose a custom
    separator.
  - bpo#42938 (bsc#1181126, CVE-2021-3177): Avoid static
    buffers when computing the repr of ctypes.c_double and
    ctypes.c_longdouble values.
  - bpo#42103: Prevented potential DoS attack via CPU and RAM
    exhaustion when processing malformed Apple Property List
    files in binary format.
  - bpo#42051: The plistlib module no longer accepts entity
    declarations in XML plist files to avoid XML
    vulnerabilities. This should not affect users as entity
    declarations are not used in regular plist files.
  - bpo#40791: Add volatile to the accumulator variable in
    hmac.compare_digest, making constant-time-defeating
    optimizations less likely.
  * Core and Builtins
  - bpo#35560: Fix an assertion error in format() in debug
    build for floating point formatting with “n” format, zero
    padding and small width. Release build is not impacted.
    Patch by Karthikeyan Singaravelan.
  * Library
  - bpo#42103: InvalidFileException and RecursionError are now
    the only errors caused by loading malformed binary Plist
    file (previously ValueError and TypeError could be raised
    in some specific cases).
  * Tests
  - bpo#42794: Update test_nntplib to use offical group name of
    news.aioe.org for testing. Patch by Dong-hee Na.
  - bpo#41944: Tests for CJK codecs no longer call eval() on
    content received via HTTP.
- Patches removed, because they were included in the upstream
  tarball:
  - CVE-2020-27619-no-eval-http-content.patch
  - CVE-2021-3177-buf_ovrfl_PyCArg_repr.patch
- (bsc#1180125) We really don't Require python-rpm-macros package.
  Unnecessary dependency.
resource-agents
- (bsc#1188975) azure-lb RA is using /usr/bin/nc instead of
  /usr/bin/socat
  Add upstream patch:
    0001-ocf-distro-Improve-robustness-and-specificity-1558.patch
- (bsc#1183971) L3: azure-events puts both nodes in standby
  Add upostream patch:
    0001-azure-events-only-decode-when-exec-output-not-of-typ.patch
- (bsc#1177796) ethmonitor bloats journal with warnings for VLAN
    devices [ref:_00D1igLOd._5001iTe6jj:ref]
  Add upstream patch:
    0001-ethmonitor-is_interface-RE-matches-vlan-names.patch
- (bsc#1180590) azure-events URLError fixed upstream
  Add upstream patch:
    0001-azure-events-import-URLError-and-encode-postData-whe.patch
rsync
- Fixed an error when using the external compression library
  where files larger that 1GB would not be transferred completely
  and failing with error:
  - deflate on token returned 0 (XXX bytes left)
  - rsync error: error in rsync protocol data stream (code 12)
  * Add rsync-fix-external-compression.patch [bsc#1190828]
- Fix a segmentation fault in iconv [bsc#1188258]
  * Add rsync-iconv-segfault.patch
rsyslog
- fix groupname retrieval for large groups (bsc#1178490)
  * add 0001-rainerscript-call-getgrnam_r-repeatedly-to-get-all-g.patch
ruby2
Add patches to fix the following CVE's:
  - CVE-2021-32066.patch (CVE-2021-32066): Fix StartTLS stripping
    vulnerability in Net:IMAP (bsc#1188160)
  - CVE-2021-31810.patch (CVE-2021-31810): Fix trusting FTP PASV
    responses vulnerability in  Net:FTP (bsc#1188161)
  - CVE-2021-31799.patch (CVE-2021-31799): Fix Command injection
    vulnerability in RDoc (bsc#1190375)
- Update to 2.5.9 (boo#1184644)
  https://www.ruby-lang.org/en/news/2021/04/05/ruby-2-5-9-released/
  - CVE-2020-25613: Potential HTTP Request Smuggling Vulnerability
    in WEBrick
  - CVE-2021-28965: XML round-trip vulnerability in REXML
  Complete list of changes at
  https://github.com/ruby/ruby/compare/v2_5_8...v2_5_9
- Update suse.patch:
  Remove fix for CVE-2020-25613 as it is included in the update
- Update suse.patch: (boo#1177125)
  Backport fix CVE-2020-25613: Potential HTTP Request Smuggling
  Vulnerability in WEBrick
- replace all patches with suse.patch (v2_5_8..2.5-suse)
  (we keep remove-unneeded-files.patch as it can not be done in our
  backports branch)
- backport patch to enable optimizations also on ARM64
  (boo#1177222)
- make sure that update-alternative weight for the default
  distribution is always greater than our normal weight
- make the update-alternative weight based on the ruby version
rubygem-actionpack-5_1
- Added patch 0003-CVE-2021-22885.patch (CVE-2021-22885, bsc#1185715)
rubygem-activerecord-5_1
- bsc#1182169, CVE-2021-22880: Fix possible DoS vector in PostgreSQL money type
  added: CVE-2021-22880-postgresql-money-dos.patch
salt
- Use dnfnotify instead yumnotify for relevant distros
- Remove wrong _parse_cpe_name from grains.core
- dnfnotify pkgset plugin implementation
- Add rpm_vercmp python library support for version comparison
- Prevent pkg plugins errors on missing cookie path (bsc#1186738)
- Added:
  * add-rpm_vercmp-python-library-for-version-comparison.patch
  * mock-ip_addrs-in-utils-minions.py-unit-test-444.patch
  * prevent-pkg-plugins-errors-on-missing-cookie-path-bs.patch
  * remove-wrong-_parse_cpe_name-from-grains.core-452.patch
  * dnfnotify-pkgset-plugin-implementation-3002.2-450.patch
- Fix ip6_interface grain to not leak secondary IPv4 aliases (bsc#1191412)
- Make "/salt-api"/ package to require python3-cherrypy on RHEL systems
- Make "/tar"/ as required for "/salt-transactional-update"/ package
- Added:
  * fix-ip6_interface-grain-to-not-leak-secondary-ipv4-a.patch
- Do not consider skipped targets as failed for ansible.playbooks state (bsc#1190446)
- Fix traceback.*_exc() calls
- Added:
  * 3002.2-do-not-consider-skipped-targets-as-failed-for.patch
  * fix-traceback.-_exc-calls-429.patch
- Support querying for JSON data in external sql pillar
- Added:
  * 3002.2-postgresql-json-support-in-pillar-424.patch
- Exclude the full path of a download URL to prevent injection of
  malicious code (bsc#1190265) (CVE-2021-21996)
- Added:
  * exclude-the-full-path-of-a-download-url-to-prevent-i.patch
- Fix wrong relative paths resolution with Jinja renderer when importing subdirectories
- Added:
  * templates-move-the-globals-up-to-the-environment-jin.patch
- Don't pass shell="//sbin/nologin"/ to onlyif/unless checks (bsc#1188259)
- Add missing aarch64 to rpm package architectures
- Backport of upstream PR#59492
- Added:
  * backport-of-upstream-pr59492-to-3002.2-404.patch
  * add-missing-aarch64-to-rpm-package-architectures-405.patch
  * don-t-use-shell-sbin-nologin-in-requisites.patch
- Fix failing unit test for systemd
- Fix error handling in openscap module (bsc#1188647)
- Better handling of bad public keys from minions (bsc#1189040)
- Added:
  * fix-failing-unit-tests-for-systemd.patch
  * fix-error-handling-in-openscap-module-bsc-1188647-40.patch
  * better-handling-of-bad-public-keys-from-minions-bsc-.patch
- Define license macro as doc in spec file if not existing
- Add standalone formulas configuration for salt minion and remove salt-master requirement (bsc#1168327)
- Do noop for services states when running systemd in offline mode (bsc#1187787)
- transactional_updates: do not execute states in parallel but use a queue (bsc#1188170)
- Added:
  * do-noop-for-services-states-when-running-systemd-in-.patch
- Handle "/master tops"/ data when states are applied by "/transactional_update"/ (bsc#1187787)
- Enhance openscap module: add "/xccdf_eval"/ call
- Added:
  * handle-master-tops-data-when-states-are-applied-by-t.patch
  * enhance-openscap-module-add-xccdf_eval-call-386.patch
- virt: pass emulator when getting domain capabilities from libvirt
- Adding preliminary support for Rocky Linux
- Implementation of held/unheld functions for state pkg (bsc#1187813)
- Added:
  * implementation-of-held-unheld-functions-for-state-pk.patch
  * virt-pass-emulator-when-getting-domain-capabilities-.patch
  * adding-preliminary-support-for-rocky.-59682-391.patch
- Replace deprecated Thread.isAlive() with Thread.is_alive()
- Added:
  * backport-thread.is_alive-fix-390.patch
- Fix exception in yumpkg.remove for not installed package
- Fix save for iptables state module (bsc#1185131)
- Added:
  * fix-exception-in-yumpkg.remove-for-not-installed-pac.patch
  * fix-save-for-iptables-state-module-bsc-1185131-372.patch
- virt: use /dev/kvm to detect KVM
- Added:
  * virt-use-dev-kvm-to-detect-kvm-383.patch
- zypperpkg: improve logic for handling vendorchange flags
- Added:
  * move-vendor-change-logic-to-zypper-class-355.patch
- Add bundled provides for tornado to the spec file
- Enhance logging when inotify beacon is missing pyinotify (bsc#1186310)
- Add "/python3-pyinotify"/ as a recommended package for Salt in SUSE/openSUSE distros
- Added:
  * enhance-logging-when-inotify-beacon-is-missing-pyino.patch
- Fix tmpfiles.d configuration for salt to not use legacy paths (bsc#1173103)
- Detect Python version to use inside container (bsc#1167586) (bsc#1164192)
- Handle volumes on stopped pools in virt.vm_info (bsc#1186287)
- Added:
  * figure-out-python-interpreter-to-use-inside-containe.patch
  * handle-volumes-on-stopped-pools-in-virt.vm_info-373.patch
- grains.extra: support old non-intel kernels (bsc#1180650)
- Fix missing minion returns in batch mode (bsc#1184659)
- Added:
  * grains.extra-support-old-non-intel-kernels-bsc-11806.patch
  * fix-missing-minion-returns-in-batch-mode-360.patch
- Parsing Epoch out of version provided during pkg remove (bsc#1173692)
- Added:
  * parsing-epoch-out-of-version-provided-during-pkg-rem.patch
- Check if dpkgnotify is executable (bsc#1186674)
- Added:
  * check-if-dpkgnotify-is-executable-bsc-1186674-376.patch
- Update to Salt release version 3002.2 (jsc#ECO-3212) (jsc#SLE-18033)
- See release notes: https://docs.saltstack.com/en/latest/topics/releases/3002.2.html
- Drop support for Python2. Obsoletes "/python2-salt"/ package
- virt module updates
  * network: handle missing ipv4 netmask attribute
  * more network support
  * PCI/USB host devices passthrough support
  * drop wrong capabilities code after rebasing patches
- Set distro requirement to oldest supported version in requirements/base.txt
- Bring missing part of async batch implementation back (bsc#1182382) (CVE-2021-25315)
- Always require python3-distro (bsc#1182293)
- Remove deprecated warning that breaks minion execution when "/server_id_use_crc"/ opts is missing
- Fix pkg states when DEB package has "/all"/ arch
- Do not force beacons configuration to be a list.
  (Revert https://github.com/saltstack/salt/pull/58655)
- Remove msgpack < 1.0.0 from base requirements (bsc#1176293)
- msgpack support for version >= 1.0.0 (bsc#1171257)
- Added:
  * 3002-set-distro-requirement-to-oldest-supported-vers.patch
  * add-alibaba-cloud-linux-2-by-backporting-upstream-s-.patch
  * add-almalinux-and-alibaba-cloud-linux-to-the-os-fami.patch
  * add-sleep-on-exception-handling-on-minion-connection.patch
  * async-batch-implementation-fix-320.patch
  * drop-wrong-virt-capabilities-code-after-rebasing-pat.patch
  * fix-aptpkg.normalize_name-when-package-arch-is-all.patch
  * fix-grains.test_core-unit-test-277.patch
  * fix-__mount_device-wrapper-254.patch
  * opensuse-3000.2-virt-backports-236-257.patch
  * opensuse-3000.3-spacewalk-runner-parse-command-250.patch
  * opensuse-3000-libvirt-engine-fixes-251.patc
  * open-suse-3002.2-bigvm-310.patch
  * open-suse-3002.2-virt-network-311.patch
  * pkgrepo-support-python-2.7-function-call-295.patch
  * remove-deprecated-warning-that-breaks-miniion-execut.patch
  * remove-msgpack-1.0.0-requirement-in-the-installed-me.patch
  * revert-fixing-a-use-case-when-multiple-inotify-beaco.patch
  * support-transactional-systems-microos-271.patch
  * update-target-fix-for-salt-ssh-to-process-targets-li.patch
  * virt.network_update-handle-missing-ipv4-netmask-attr.patch
  * zypperpkg-filter-patterns-that-start-with-dot-244.patch
- Modified:
  * 3002.2-xen-spicevmc-dns-srv-records-backports-314.patch
  * accumulated-changes-from-yomi-167.patch
  * accumulated-changes-required-for-yomi-165.patch
  * activate-all-beacons-sources-config-pillar-grains.patch
  * add-all_versions-parameter-to-include-all-installed-.patch
  * add-astra-linux-common-edition-to-the-os-family-list.patch
  * add-batch_presence_ping_timeout-and-batch_presence_p.patch
  * add-cpe_name-for-osversion-grain-parsing-u-49946.patch
  * add-custom-suse-capabilities-as-grains.patch
  * add-docker-logout-237.patch
  * add-environment-variable-to-know-if-yum-is-invoked-f.patch
  * add-hold-unhold-functions.patch
  * add-migrated-state-and-gpg-key-management-functions-.patch
  * add-multi-file-support-and-globbing-to-the-filetree-.patch
  * add-new-custom-suse-capability-for-saltutil-state-mo.patch
  * add-patch-support-for-allow-vendor-change-option-wit.patch
  * add-pkg.services_need_restart-302.patch
  * add-publish_batch-to-clearfuncs-exposed-methods.patch
  * add-saltssh-multi-version-support-across-python-inte.patch
  * adds-explicit-type-cast-for-port.patch
  * add-standalone-configuration-file-for-enabling-packa.patch
  * add-supportconfig-module-for-remote-calls-and-saltss.patch
  * add-virt.all_capabilities.patch
  * allow-extra_filerefs-as-sanitized-kwargs-for-ssh-cli.patch
  * allow-passing-kwargs-to-pkg.list_downloaded-bsc-1140.patch
  * allow-vendor-change-option-with-zypper-313.patch
  * ansiblegate-take-care-of-failed-skipped-and-unreacha.patch
  * apply-patch-from-upstream-to-support-python-3.8.patch
  * async-batch-implementation.patch
  * avoid-excessive-syslogging-by-watchdog-cronjob-58.patch
  * avoid-traceback-when-http.query-request-cannot-be-pe.patch
  * backport-a-few-virt-prs-272.patch
  * backport-virt-patches-from-3001-256.patch
  * batch_async-avoid-using-fnmatch-to-match-event-217.patch
  * batch-async-catch-exceptions-and-safety-unregister-a.patch
  * batch.py-avoid-exception-when-minion-does-not-respon.patch
  * bsc-1176024-fix-file-directory-user-and-group-owners.patch
  * calculate-fqdns-in-parallel-to-avoid-blockings-bsc-1.patch
  * changed-imports-to-vendored-tornado.patch
  * debian-info_installed-compatibility-50453.patch
  * do-not-break-repo-files-with-multiple-line-values-on.patch
  * do-not-crash-when-there-are-ipv6-established-connect.patch
  * do-not-crash-when-unexpected-cmd-output-at-listing-p.patch
  * do-not-load-pip-state-if-there-is-no-3rd-party-depen.patch
  * do-not-make-ansiblegate-to-crash-on-python3-minions.patch
  * do-not-monkey-patch-yaml-bsc-1177474.patch
  * do-not-raise-streamclosederror-traceback-but-only-lo.patch
  * don-t-call-zypper-with-more-than-one-no-refresh.patch
  * drop-wrong-mock-from-chroot-unit-test.patch
  * early-feature-support-config.patch
  * enable-passing-a-unix_socket-for-mysql-returners-bsc.patch
  * ensure-virt.update-stop_on_reboot-is-updated-with-it.patch
  * fall-back-to-pymysql.patch
  * fix-aptpkg-systemd-call-bsc-1143301.patch
  * fix-async-batch-multiple-done-events.patch
  * fix-async-batch-race-conditions.patch
  * fix-a-test-and-some-variable-names-229.patch
  * fix-a-wrong-rebase-in-test_core.py-180.patch
  * fix-batch_async-obsolete-test.patch
  * fix-bsc-1065792.patch
  * fix-cve-2020-25592-and-add-tests-bsc-1178319.patch
  * fixed-bug-lvm-has-no-parttion-type.-the-scipt-later-.patch
  * fixes-56144-to-enable-hotadd-profile-support.patch
  * fixes-cve-2018-15750-cve-2018-15751.patch
  * fix-failing-unit-tests-for-batch-async.patch
  * fix-for-log-checking-in-x509-test.patch
  * fix-for-some-cves-bsc1181550.patch
  * fix-for-suse-expanded-support-detection.patch
  * fix-for-temp-folder-definition-in-loader-unit-test.patch
  * fix-git_pillar-merging-across-multiple-__env__-repos.patch
  * fixing-streamclosed-issue.patch
  * fix-ipv6-scope-bsc-1108557.patch
  * fix-issue-2068-test.patch
  * fix-issue-parsing-errors-in-ansiblegate-state-module.patch
  * fix-memory-leak-produced-by-batch-async-find_jobs-me.patch
  * fix-novendorchange-option-284.patch
  * fix-onlyif-unless-when-multiple-conditions-bsc-11808.patch
  * fix-regression-on-cmd.run-when-passing-tuples-as-cmd.patch
  * fix-salt.utils.stringutils.to_str-calls-to-make-it-w.patch
  * fix-the-removed-six.itermitems-and-six.-_type-262.patch
  * fix-unit-test-for-grains-core.patch
  * fix-unit-tests-for-batch-async-after-refactor.patch
  * fix-virt.update-with-cpu-defined-263.patch
  * fix-wrong-test_mod_del_repo_multiline_values-test-af.patch
  * fix-zypper.list_pkgs-to-be-aligned-with-pkg-state.patch
  * fix-zypper-pkg.list_pkgs-expectation-and-dpkg-mockin.patch
  * force-zyppnotify-to-prefer-packages.db-than-packages.patch
  * get-os_arch-also-without-rpm-package-installed.patch
  * grains-master-can-read-grains.patch
  * implementation-of-suse_ip-execution-module-bsc-10999.patch
  * implement-network.fqdns-module-function-bsc-1134860-.patch
  * improve-batch_async-to-release-consumed-memory-bsc-1.patch
  * improvements-on-ansiblegate-module-354.patch
  * include-aliases-in-the-fqdns-grains.patch
  * info_installed-works-without-status-attr-now.patch
  * integration-of-msi-authentication-with-azurearm-clou.patch
  * invalidate-file-list-cache-when-cache-file-modified-.patch
  * let-salt-ssh-use-platform-python-binary-in-rhel8-191.patch
  * loop-fix-variable-names-for-until_no_eval.patch
  * loosen-azure-sdk-dependencies-in-azurearm-cloud-driv.patch
  * make-aptpkg.list_repos-compatible-on-enabled-disable.patch
  * make-profiles-a-package.patch
  * make-setup.py-script-to-not-require-setuptools-9.1.patch
  * move-server_id-deprecation-warning-to-reduce-log-spa.patch
  * notify-beacon-for-debian-ubuntu-systems-347.patch
  * opensuse-3000-virt-defined-states-222.patch
  * open-suse-3002.2-xen-grub-316.patch
  * option-to-en-disable-force-refresh-in-zypper-215.patch
  * path-replace-functools.wraps-with-six.wraps-bsc-1177.patch
  * prevent-ansiblegate-unit-tests-to-fail-on-ubuntu.patch
  * prevent-command-injection-in-the-snapper-module-bsc-.patch
  * prevent-import-errors-when-running-test_btrfs-unit-t.patch
  * prevent-logging-deadlock-on-salt-api-subprocesses-bs.patch
  * prevent-race-condition-on-sigterm-for-the-minion-bsc.patch
  * prevent-systemd-run-description-issue-when-running-a.patch
  * prevent-test_mod_del_repo_multiline_values-to-fail.patch
  * provide-the-missing-features-required-for-yomi-yet-o.patch
  * python3.8-compatibility-pr-s-235.patch
  * re-adding-function-to-test-for-root.patch
  * read-repo-info-without-using-interpolation-bsc-11356.patch
  * regression-fix-of-salt-ssh-on-processing-targets-353.patch
  * reintroducing-reverted-changes.patch
  * remove-arch-from-name-when-pkg.list_pkgs-is-called-w.patch
  * remove-deprecated-usage-of-no_mock-and-no_mock_reaso.patch
  * remove-unnecessary-yield-causing-badyielderror-bsc-1.patch
  * remove-vendored-backports-abc-from-requirements.patch
  * restore-default-behaviour-of-pkg-list-return.patch
  * return-the-expected-powerpc-os-arch-bsc-1117995.patch
  * revert-add-patch-support-for-allow-vendor-change-opt.patch
  * run-salt-api-as-user-salt-bsc-1064520.patch
  * run-salt-master-as-dedicated-salt-user.patch
  * sanitize-grains-loaded-from-roster_grains.json.patch
  * strip-trailing-from-repo.uri-when-comparing-repos-in.patch
  * support-config-non-root-permission-issues-fixes-u-50.patch
  * support-for-btrfs-and-xfs-in-parted-and-mkfs.patch
  * switch-firewalld-state-to-use-change_interface.patch
  * temporary-fix-extend-the-whitelist-of-allowed-comman.patch
  * transactional_update-detect-recursion-in-the-executo.patch
  * transactional_update-unify-with-chroot.call.patch
  * use-adler32-algorithm-to-compute-string-checksums.patch
  * use-current-ioloop-for-the-localclient-instance-of-b.patch
  * use-threadpool-from-multiprocessing.pool-to-avoid-le.patch
  * virt-adding-kernel-boot-parameters-to-libvirt-xml-55.patch
  * virt._get_domain-don-t-raise-an-exception-if-there-i.patch
  * virt-uefi-fix-backport-312.patch
  * x509-fixes-111.patch
  * xen-disk-fixes-264.patch
  * xfs-do-not-fails-if-type-is-not-present.patch
  * zypperpkg-ignore-retcode-104-for-search-bsc-1176697-.patch
- Removed:
  * add-alibaba-cloud-linux-2-to-salt-3000-branch-351.patch
  * add-almalinux-to-the-os-family-list-340.patch
  * add-ip-filtering-by-network.patch
  * add-missing-fun-for-returns-from-wfunc-executions.patch
  * add-missing-_utils-at-loader-grains_func.patch
  * add-sleep-on-exception-handling-minion-connecting-to.patch
  * avoid-has_docker-true-if-import-messes-with-salt.uti.patch
  * backport-commit-1b16478c51fb75c25cd8d217c80955feefb6.patch
  * decide-if-the-source-should-be-actually-skipped.patch
  * do-not-report-patches-as-installed-when-not-all-the-.patch
  * fix-cve-2020-11651-and-fix-cve-2020-11652.patch
  * fix-for-bsc-1102248-psutil-is-broken-and-so-process-.patch
  * fix-for-return-value-ret-vs-return-in-batch-mode.patch
  * fix-for-unless-requisite-when-pip-is-not-installed.patch
  * fix-grains.test_core-unit-test-276.patch
  * fix-__mount_device-wrapper-253.patch
  * fix-recursion-false-detectioni-in-payload-305.patch
  * fix-regression-in-service-states-with-reload-argumen.patch
  * fix-type-error-in-tornadoimporter.patch patch
  * fix-typo-on-msgpack-version-when-sanitizing-msgpack-.patch
  * fix-zmq-hang-backport-of-saltstack-salt-58364.patch
  * loader-invalidate-the-import-cachefor-extra-modules.patch
  * make-lazyloader.__init__-call-to-_refresh_file_mappi.patch
  * make-salt.ext.tornado.gen-to-use-salt.ext.backports_.patch
  * opensuse-3000.2-virt-backports-236.patch
  * opensuse-3000-bigvm-backports-300.patch
  * opensuse-3000-libvirt-engine-fixes-248.patch
  * opensuse-3000-spacewalk-runner-parse-command-247.patch
  * opensuse-3000-virtual-network-backports-329.patch
  * pkgrepo-support-python-2.7-function-call-294.patch
  * removes-unresolved-merge-conflict-in-yumpkg-module.patch
  * revert-changes-to-slspath-saltstack-salt-56341.patch
  * set-passphrase-for-salt-ssh-keys-to-empty-string-293.patch
  * support-transactional-systems-microos-268.patch
  * update-target-fix-for-salt-ssh-and-avoiding-race-con.patch
  * use-full-option-name-instead-of-undocumented-abbrevi.patch
  * various-fixes-to-the-mysql-module-to-break-out-the-h.patch
  * zypperpkg-filter-patterns-that-start-with-dot-243.patch
- Fix issue parsing errors in ansiblegate state module
- Added:
  * fix-issue-parsing-errors-in-ansiblegate-state-module.patch
- Prevent command injection in the snapper module (bsc#1185281) (CVE-2021-31607)
- transactional_update: detect recursion in the executor
- Add subpackage salt-transactional-update (jsc#SLE-18028)
- Remove duplicate directories from specfile
- Added:
  * transactional_update-detect-recursion-in-the-executo.patch
  * prevent-command-injection-in-the-snapper-module-bsc-.patch
- Improvements on "/ansiblegate"/ module (bsc#1185092):
  * New methods: ansible.targets / ansible.discover_playbooks
  * General bugfixes
- Added:
  * improvements-on-ansiblegate-module-354.patch
- Add support for Alibaba Cloud Linux 2 (Aliyun Linux)
- Regression fix of salt-ssh on processing targets
- Added:
  * add-alibaba-cloud-linux-2-to-salt-3000-branch-351.patch
  * regression-fix-of-salt-ssh-on-processing-targets-353.patch
- Update target fix for salt-ssh and avoiding race condition
  on salt-ssh event processing (bsc#1179831, bsc#1182281)
- Added:
  * update-target-fix-for-salt-ssh-and-avoiding-race-con.patch
- Add notify beacon for Debian/Ubuntu systems
- Added:
  * notify-beacon-for-debian-ubuntu-systems-347.patch
- Fix zmq bug that causes salt-call to freeze (bsc#1181368)
- Added:
  * fix-zmq-hang-backport-of-saltstack-salt-58364.patch
- Add core grains support for AlmaLinux
- Added:
  * add-almalinux-to-the-os-family-list-340.patch
- Allow vendor change option with zypper
- Added:
  * allow-vendor-change-option-with-zypper-313.patch
- virt: virtual network backports to Salt 3000
- Added:
  * opensuse-3000-virtual-network-backports-329.patch
- Do not monkey patch yaml loaders: Prevent breaking Ansible filter modules (bsc#1177474)
- Added:
  * do-not-monkey-patch-yaml-bsc-1177474.patch
- Only require python-certifi for CentOS7
- Fix race conditions for corner cases when handling SIGTERM by minion (bsc#1172110)
- Added:
  * prevent-race-condition-on-sigterm-for-the-minion-bsc.patch
- Rename patch file
- Renamed:
  * fix_regression_in_cmd_run_after_cve.patch -> fix-regression-on-cmd.run-when-passing-tuples-as-cmd.patch
- Implementation of suse_ip execution module to prevent issues with network.managed (bsc#1099976)
- Fix recursion false detection in payload (bsc#1180101)
- Add sleep on exception handling on minion connection attempt to the master (bsc#1174855)
- Allows for the VMware provider to handle CPU and memory hot-add in newer versions of the software. (bsc#1181347)
- Always require python-certifi (used by salt.ext.tornado)
- Exclude SLE 12 from requiring python-certifi
- Added:
  * fixes-56144-to-enable-hotadd-profile-support.patch
  * fix-recursion-false-detectioni-in-payload-305.patch
  * add-sleep-on-exception-handling-minion-connecting-to.patch
  * implementation-of-suse_ip-execution-module-bsc-10999.patch
- Do not crash when unexpected cmd output at listing patches (bsc#1181290)
- Added:
  * do-not-crash-when-unexpected-cmd-output-at-listing-p.patch
- Fix behavior for "/onlyif/unless"/ when multiple conditions (bsc#1180818)
- Added:
  * fix-onlyif-unless-when-multiple-conditions-bsc-11808.patch
- Master can read grains (bsc#1179696)
samba
- The username map [script] advice from CVE-2020-25717 advisory
  note has undesired side effects for the local nt token. Fallback
  to a SID/UID based mapping if the name based lookup fails;
  (bsc#1192849); (bso#14901).
- CVE-2016-2124: SMB1 client connections can be downgraded to
  plaintext authentication (bsc#1014440); (bso#12444);
- CVE-2020-25717: A user in an AD Domain could become root on
  domain members; (bsc#1192284); (bso#14556);
- CVE-2021-20254 Buffer overrun in sids_to_unixids();
  (bso#14571); (bsc#1184677).
- Avoid free'ing our own pointer in memcache when memcache_trim
  attempts to reduce cache size; (bso#14625); (bnc#1179156).
- Adjust smbcacls '--propagate-inheritance' feature to align with
  upstream; (bsc#1178469).
sapconf
- version update from 5.0.2 to 5.0.3
- adapt the activity detection of saptune to the upcoming saptune
  version 3
  (bsc#1189496)
- version update from 5.0.0 to 5.0.2
- added sapconf_check and supportconfig plugin for sapconf
- change log message for 'MIN_PERF_PCT' parameter to reduce the
  spot light
  (bsc#1179524)
- add additional check to detect an active saptune service
  (started but disabled and without any notes applied).
  Improve the logging message.
  (bsc#1182314)
- enable and start sapconf.service during package update, if tuned
  is running with sapconf as profile
  (bsc#1176061)
- preserve the state of the sapconf.service during the package
  update. Only disable the sapconf service, if saptune is active.
  In any other cases don't touch the state of the sapconf service.
  If tuned has problems and the command 'tune-adm off' does not
  work properly in the preinstall script of the package, try to
  stop the tuned service to avoid weird error messages in the log
  of tuned during and after the package update
  (bsc#1182906)
sbd
- Update to version 1.5.0+20210720.f4ca41f:
- sbd-inquisitor: Implement default delay start for diskless sbd (bsc#1189398)
- sbd-inquisitor: Sanitize numeric arguments
- Update to version 1.5.0+20210629.1c72cf2:
- sbd-inquisitor: tolerate and strip any leading spaces of command line option values (bsc#1187547)
- sbd-inquisitor: tell the actual watchdog device specified with `-w` (bsc#1187547)
- Revert "/Doc: adapt description of startup/shutdown sync with pacemaker"/
  * 0001-Revert-Doc-adapt-description-of-startup-shutdown-syn.patch
- Update to version 1.5.0+20210614.d7f447d (v1.5.0):
- Deprecated path "//var/run/"/ used in systemd-services (bsc#1185182)
- Update to version 1.4.2+20210305.926b554:
- sbd-inquisitor: take the defaults for the options set in sysconfig with empty strings (bsc#1183259)
- Update to version 1.4.2+20210305.57b84b5:
- sbd-inquisitor: prevent segfault if no command is supplied (bsc#1183237)
- Update to version 1.4.2+20210304.488a5b9:
- sbd-inquisitor,sbd-md: make watchdog warning messages more understandable (bsc#1182648)
- sbd-inquisitor: calculate the default timeout for watchdog warning based on the watchdog timeout consistently (bsc#1182648)
- sbd-inquisitor: ensure the timeout for watchdog warning specified with `-5` option is respected (bsc#1182648)
- sbd-common: ensure the default timeout for watchdog warning is about 3/5 of the default watchdog timeout (bsc#1182648)
- sbd-inquisitor: downgrade the warning about SBD_SYNC_RESOURCE_STARTUP to notice (bsc#1180966)
  * bsc#1180966-0001-Log-sbd-inquisitor-downgrade-the-warning-about-SBD_S.patch
- Update to version 1.4.2+20210129.5e2100f:
- Doc: adapt description of startup/shutdown sync with pacemaker
- Update to version 1.4.2+20201214.01c18c7:
- sbd-inquisitor: check SBD_SYNC_RESOURCE_STARTUP only in watch mode (bsc#1180966)
- Update to version 1.4.2+20201202.0446439 (v1.4.2):
- ship sbd.pc with basic sbd build information for downstream packages to use
- Update to version 1.4.1+20201105.507bd5f:
- sbd: inform the user to restart the sbd service (bsc#1179655)
- Update the uses of the systemd rpm macros
  * use '%service_del_postun_without_restart' instead of '%service_del_postun -n'
  * drop use of '%service_del_preun -n' as '-n' is unsafe and is deprecated
    This part still needs to be reworked as leaving services running why their
    package has been removed is unsafe.
- Update to version 1.4.1+20200819.4a02ef2:
- sbd-pacemaker: stay with basic string handling
- build: use configure for watchdog-default-timeout & others
- Update to version 1.4.1+20200807.7c21899:
- Update to version 1.4.1+20200727.1117c6b:
- make syncing of pacemaker resource startup configurable
- sbd-pacemaker: sync with pacemakerd for robustness
- Update to version 1.4.1+20200727.971affb:
- sbd-cluster: match qdevice-sync_timeout against wd-timeout
- Rebase:
  * bsc#1140065-Fix-sbd-cluster-exit-if-cmap-is-disconnected.patch
- Update to version 1.4.1+20200624.cee826a:
- sbd-pacemaker: handle new no_quorum_demote (rh#1850078)
sed
- Build fix for the new glibc-2.31 (bsc#1183797,
  sed-tests-build-fix.patch).
sensors
- change-pidfile-path-from-var-run-to-run.patch: Change PIDFile
  path from /var/run to /run (bsc#1185183).
- var-run-deprecated.patch: /var/run is deprecated (bsc#1185183).
snappy
- update to 1.1.8:
  * Small performance improvements.
  * Removed snappy::string alias for std::string.
  * Improved CMake configuration.
- remove snappy-pcfile.patch (never went upstream)
- Better neutrality of from description. Quantify "/Core i7"/.
  Trim description of SRPM and -devel as the user already has an
  idea what to look for.
- Fix RPM groups.
- Version update to 1.1.7:
  * Aarch64 fixes
  * ppc speedups
  * PIE improvements
  * Switch to cmake build system
- Add patch snappy-pcfile.patch:
  * Pull 55 on upstream github, was dropped when moving to cmake
    of course we still need it
- Fix license install wrt bsc#1080040
- Version bump to 1.1.4
  * Fix a 1% performance regression when snappy is used in PIE executables.
  * Improve compression performance by 5%.
  * Improve decompression performance by 20%.
- Use better download url.
sqlite3
- Sync version 3.36.0 from Factory to implement jsc#SLE-16032.
- Obsoletes sqlite3-CVE-2019-16168.patch.
- The following CVEs have been fixed in upstream releases up to
  this point, but were not mentioned in the change log so far:
  * bsc#1173641, CVE-2020-15358: heap-based buffer overflow in
    multiSelectOrderBy due to mishandling of query-flattener
    optimization
  * bsc#1164719, CVE-2020-9327: NULL pointer dereference and
    segmentation fault because of generated column optimizations in
    isAuxiliaryVtabOperator
  * bsc#1160439, CVE-2019-20218: selectExpander in select.c proceeds
    with WITH stack unwinding even after a parsing error
  * bsc#1160438, CVE-2019-19959: memory-management error via
    ext/misc/zipfile.c involving embedded '0' input
  * bsc#1160309, CVE-2019-19923: improper handling  of  certain uses
    of SELECT DISTINCT in flattenSubquery may lead to null pointer
    dereference
  * bsc#1159850, CVE-2019-19924: improper error handling in
    sqlite3WindowRewrite()
  * bsc#1159847, CVE-2019-19925: improper handling of NULL pathname
    during an update of a ZIP archive
  * bsc#1159715, CVE-2019-19926: improper handling  of certain
    errors during parsing  multiSelect in select.c
  * bsc#1159491, CVE-2019-19880: exprListAppendList in window.c
    allows attackers to trigger an invalid pointer dereference
  * bsc#1158960, CVE-2019-19603: during handling of CREATE TABLE
    and CREATE VIEW statements, does not consider confusion with
    a shadow table name
  * bsc#1158959, CVE-2019-19646: pragma.c mishandles NOT NULL in an
    integrity_check PRAGMA command in certain cases of generated
    columns
  * bsc#1158958, CVE-2019-19645: alter.c allows attackers to trigger
    infinite recursion via certain types of self-referential views
    in conjunction with ALTER TABLE statements
  * bsc#1158812, CVE-2019-19317: lookupName in resolve.c omits bits
    from the colUsed bitmask in the case of a generated column,
    which allows attackers to cause a denial of service
  * bsc#1157818, CVE-2019-19244: sqlite3,sqlite2,sqlite: The
    function sqlite3Select in select.c allows a crash if a
    sub-select uses both DISTINCT and window functions, and also
    has certain ORDER BY usage
  * bsc#928701, CVE-2015-3415: sqlite3VdbeExec comparison operator
    vulnerability
  * bsc#928700, CVE-2015-3414: sqlite3,sqlite2: dequoting of
    collation-sequence names
  * CVE-2020-13434 boo#1172115: integer overflow in
    sqlite3_str_vappendf
  * CVE-2020-13630 boo#1172234: use-after-free in fts3EvalNextRow
  * CVE-2020-13631 boo#1172236: virtual table allowed to be renamed
    to one of its shadow tables
  * CVE-2020-13632 boo#1172240: NULL pointer dereference via
    crafted matchinfo() query
  * CVE-2020-13435: Malicious SQL statements could have crashed the
    process that is running SQLite (boo#1172091)
sudo
- Update to 1.8.27
  - jsc#SLE-17083
  - Rebased the following patches:
    sudo-1.8.22-CVE-2019-18634.patch
    sudo-1.8.22-fix_listpw.patch
    sudo-1.8.22-pam_xauth.patch
    sudo-CVE-2019-14287.patch
    sudo-CVE-2021-23239.patch
    sudo-CVE-2021-23240.patch
    sudo-CVE-2021-3156.patch
    sudo-fix-bsc-1180687.patch
    sudo-sudoers.patch
  - Deleted sudoers2ldif-env.patch
  - Added from SLE-12-SP5:
  * sudo-1.8.27-ipa_hostname.patch
  * sudo-1.8.27-ldap-respect-SUDOERS_TIMED.patch
  - Major changes between version 1.8.27 and 1.8.26:
  * Fixes and clarifications to the sudo plugin documentation.
  * The sudo manuals no longer require extensive post-processing to hide
    system-specific features. Conditionals in the roff source are now used
    instead. This fixes corruption of the sudo manual on systems without BSD
    login classes. Bug #861.
  * If an I/O logging plugin is configured but the plugin does not actually
    log any I/O, sudo will no longer force the command to be run in a pseudo-tty.
  * In visudo, it is now possible to specify the path to sudoers without
    using the -f option. Bug #864.
  * Fixed a bug introduced in sudo 1.8.22 where the utmp (or utmpx) file
    would not be updated when a command was run in a pseudo-tty. Bug #865.
  * Sudo now sets the silent flag when opening the PAM session except when
    running a shell via sudo -s or sudo -i. This prevents the pam_lastlog
    module from printing the last login information for each sudo command.
    Bug #867.
  - Major changes between version 1.8.26 and 1.8.25p1:
  * Fixed a bug in cvtsudoers when converting to JSON format when alias
    expansion is enabled. Bug #853.
  * Sudo no long sets the USERNAME environment variable when running
    commands. This is a non-standard environment variable that was set on
    some older Linux systems.
  * Sudo now treats the LOGNAME and USER environment variables (as well as
    the LOGIN variable on AIX) as a single unit. If one is preserved or removed
    from the environment using env_keep, env_check or env_delete, so is the
    other.
  * Added support for OpenLDAP's TLS_REQCERT setting in ldap.conf.
  * Sudo now logs when the command was suspended and resumed in the I/O logs.
    This information is used by sudoreplay to skip the time suspended when
    replaying the session unless the new -S flag is used.
  * Fixed documentation problems found by the igor utility. Bug #854.
  * Sudo now prints a warning message when there is an error or end of file
    while reading the password instead of exiting silently.
  * Fixed a bug in the sudoers LDAP back-end parsing the command_timeout,
    role, type, privs and limitprivs sudoOptions. This also affected cvtsudoers
    conversion from LDIF to sudoers or JSON.
  * Fixed a bug that prevented timeout settings in sudoers from functioning
    unless a timeout was also specified on the command line.
  * Asturian translation for sudo from translationproject.org.
  * When generating LDIF output, cvtsudoers can now be configured to pad the
    sudoOrder increment such that the start order is used as a prefix. Bug #856.
  * If the user specifies a group via sudo's -g option that matches any of
    the target user's groups, it is now allowed even if no groups are present
    in the Runas_Spec. Previously, it was only allowed if it matched the target
    user's primary group.
  * The sudoers LDAP back-end now supports negated sudoRunAsUser and
    sudoRunAsGroup entries.
  * Sudo now provides a proper error message when the "/fqdn"/ sudoers option
    is set and it is unable to resolve the local host name. Bug #859.
  * Portuguese translation for sudo and sudoers from translationproject.org.
  * Sudo now includes sudoers LDAP schema for the on-line configuration
    supported by OpenLDAP.
  - Major changes between version 1.8.25p1 and 1.8.25:
  * Fixed a bug introduced in sudo 1.8.25 that caused a crash on systems that
    have the poll() function but not the ppoll() function. Bug #851.
  - Major changes between version 1.8.25 and 1.8.24:
  * Fixed a bug introduced in sudo 1.8.20 that broke formatting of I/O log
    timing file entries on systems without a C99-compatible snprintf()
    function. Our replacement snprintf() doesn't support floating point so we
    can't use the %f format directive.
  * I/O log timing file entries now use a monotonic timer and include
    nanosecond precision. A monotonic timer that does not increment while the
    system is sleeping is used where available.
  * When sudo runs a command in a pseudo-tty, the slave device is now closed
    in the main process immediately after starting the monitor process. This
    removes the need for an AIX-specific workaround that was added in sudo 1.8.24.
  * Fixed a bug displaying timeout values the "/sudo -V"/ output. The value
    displayed was 3600 times the actual value. Bug #846.
  * The testsudoers utility now supports querying an LDIF-format policy.
  * Fixed a regression introduced in sudo 1.8.24 where the LDAP and SSSD
    backends evaluated the rules in reverse sudoOrder. Bug #849.
  - Major changes between version 1.8.24 and 1.8.23:
  * The LDAP and SSS back-ends now use the same rule evaluation code as the
    sudoers file backend. This builds on the work in sudo 1.8.23 where the
    formatting functions for sudo -l output were shared. The handling of
    negated commands in SSS and LDAP is unchanged.
  * Fixed a regression introduced in 1.8.23 where sudo -i could not be used
    in conjunction with --preserve-env=VARIABLE. Bug #835.
  * cvtsudoers can now parse base64-encoded attributes in LDIF files.
  * Random insults are now more random.
  * Added SUDO_CONV_PREFER_TTY flag for conversation function to tell sudo to
    try writing to /dev/tty first. Can be used in conjunction with SUDO_CONV_
    INFO_MSG and SUDO_CONV_ERROR_MSG.
  * Fixed typos in the OpenLDAP sudo schema. Bugs #839 and #840. Bug #839 and
    bug #840.
  * Fixed a race condition when building with parallel make. Bug #842.
  * Fixed a duplicate free when netgroup_base in ldap.conf is set to an
    invalid value.
  * On systems using PAM, sudo now ignores the PAM_NEW_AUTHTOK_REQD and
    PAM_AUTHTOK_EXPIRED errors from PAM account management if authentication is
    disabled for the user. This fixes a regression introduced in sudo 1.8.23.
    Bug #843.
  * Fixed an ambiguity in the sudoers manual in the description and
    definition of User, Runas, Host, and Cmnd Aliases. Bug #834.
  * Fixed a bug that resulted in only the first window size change event
    being logged.
  * Fixed a compilation problem on systems that define O_PATH or O_SEARCH in
    fnctl.h but do not define O_DIRECTORY. Bug #844.
  - Major changes between version 1.8.23 and 1.8.22:
  * PAM account management modules and BSD auth approval modules are now run
    even when no password is required.
  * For kernel-based time stamps, if no terminal is present, fall back to
    parent-pid style time stamps.
  * The new cvtsudoers utility replaces both the sudoers2ldif script and the
    visudo -x functionality. It can read a file in either sudoers or LDIF
    format and produce JSON, LDIF or sudoers output. It is also possible to
    filter the generated output file by user, group or host name.
  * The file, ldap and sss sudoers backends now share a common set of
    formatting functions for "/sudo -l"/ output, which is also used by the
    cvtsudoers utility.
  * The /run directory is now used in preference to /var/run if it exists.
    Bug #822.
  * More accurate descriptions of the --with-rundir and --with-vardir
    configure options. Bug #823.
  * The setpassent() and setgroupent() functions are now used on systems that
    support them to keep the passwd and group database open. Sudo performs a
    lot of passwd and group lookups so it can be beneficial to avoid opening
    and closing the files each time.
  * The new case_insensitive_user and case_insensitive_group sudoers options
    can be used to control whether sudo does case-sensitive matching of users
    and groups in sudoers. Case insensitive matching is now the default.
  * Fixed a bug on some systems where sudo could hang on command exit when
    I/O logging was enabled. Bug #826.
  * Fixed a problem with the process start time test in make check when run
    in a Linux container. The test now uses the "/btime"/ field in /proc/stat to
    get the system start time instead of using /proc/uptime, which is the
    container uptime. Bug #829.
  * When determining which temporary directory to use, sudoedit now checks
    the directory for writability before using it. Previously, sudoedit only
    performed an existence check. Bug #827.
  * Sudo now includes an optional set of Monty Python-inspired insults.
  * Chinese (Taiwan) translation for sudo from translationproject.org.
- Tenable Scan reports sudo is still vulnerable to CVE-2021-3156
  [bsc#1183936]
- Add sudo-1.8.27-ipa_hostname.patch to fix special handling of
  ipa_hostname that was lost in sudo 1.8.24.
  We now include the long and short hostname in sudo parser container
  [bsc#1181371]
- Restore sudo ldap behavior to ignore expire dates when SUDOERS_TIMED
  option is not set in /etc/ldap.conf
  * [bsc#1176473]
  * Added sudo-1.8.27-ldap-respect-SUDOERS_TIMED.patch
    From: https://www.sudo.ws/repos/sudo/rev/d1e1bb5a6cc1
supportutils
- Changes to version 3.1.17
  + Adding ethtool options g l m to network.txt (jsc#SLE-18240)
- Changes to version 3.1.16
  + lsof options to improve performance (bsc#1186687)
- Fixes to supportconfig
  + Exclude rhn.conf from etc.txt (bsc#1186347)
- analyzevmcore supports local directories (bsc#1186397)
- getappcore checks for valid compression binary (bsc#1185991)
- getappcore does not trigger errors with help message (bsc#1185993)
- Additions to version 3.1.15
  + Checks package signatures in rpm.txt (bsc#1021918)
  + Optimize find (bsc#1184912)
- Using zypper --xmlout (bsc#1181351)
- Error fix for sysfs.txt (bsc#1089870)
- Additions to version 3.1.15
  + Added drbd-overview to drbd.txt
  + Added list-timers to systemd.txt (bsc#1169348)
  + Including nfs4 in search (bsc#1184829)
- Minor: Fix a typo (executible -> executable) #99
- Changed minor wording to loaded module
- [powerpc] Collect dynamic_debug log files for ibmvNIC #98 (bsc#1183826)
- Fixed mismatched taint flags (bsc#1178491)
- Removed redundant fdisk code that can cause timeout issues (bsc#1181679)
- Supportconfig processes -f without hanging (bsc#1182904)
- Remove net-tools from requires, it does not contain any tool
  anymore used by supportutils pr#96
- Collect logs for power specific components (using iprconfig) pr#94 (bsc#1182950)
  + Additional nvme information
  + Additional kdump configuration and logs
- Additions to version 3.1.14
  + [powerpc] Collect logs for power specific components (HNV) pr#88 (bsc#1181911)
  + Updated pam.txt documentation explaining GDPR
  + ha.txt: Fix pacemaker.log location for SLE15 pr#90
  + supportconfig: use readlink /proc/<pid>/cwd to get cwd list instead of lsof pr#91
  + supportconfig: sssd_info consistency pr#93
  + Includes NVMe information with OPTION_NVME=1 in nvme.txt (bsc#1176370, SLE-15932)
- No longer truncates boot log (bsc#1181610)
- Require the awk, which and sed commands instead of packages to
  allow alternate implementations on embedded/Edge systems
- Additions to version 3.1.13
  + Added update-alternatives to etc.txt #82
  + Collects rotated logs with different compression types (bsc#1180478)
  + Added GPL-2.0-only license tag to spec file
- Additions to version 3.1.12
  + btrfs_info: add -pce argument to qgroup show #80
  + docker: add /etc/docker/daemon.json contents #81
- Additions to version 3.1.12
  + Capture IBM Power bootlist (SLE-15557)
  + Fix spelling typos in man pages #78
  + Collect multipath wwids file #77
  + Removed unnecessary appname parameter from HTTP upload URL
  + added aa-status #74
- Additions to version 3.1.12
  + [powerpc] Collect logs for power specific components #72 (bscn#1176895)
  + supportconfig: fs-btrfs: Add "/btrfs device stats"/ output #73
- Additions to version 3.1.11
  + Changes affecting supportconfig
  - disk_info: Show discard information in lsblk #70
  - memory_info: Show VMware memory balloon infomation #71
- Addition to version 3.1.10
  + Changes affecting analyzevmcore
  - Fixed typo in error message #67
  + Changes affecting supportconfig
  - Fixed btrfs errors (bsc#1168894)
  - Large ntp.txt with binary data (bsc#1169122)
  - Check btrfs balance status #69
supportutils-plugin-ha-sap
- Update to version 0.0.2+git.1623772960.fed5aa7:
  to fix bsc#1187373
  * Added process list for sid<adm> user
  * Added ENSA1 and ENSA2 informational messages
  * Added filter to gather logs for "/sap_suse_cluster_connector"/
  * Fixed documentation links
  * Updated Documentation Links
  * Added Authentication Section and capture information about
    sid<adm> user
  * Added some additional logic.
  * Obscure clear text password from cluster resources using
    "/crm configure show"/ output
suse-module-tools
- Update to version 15.0.10:
  * Add kernel rpm scriptlets
  * rpm-script: fix bad exit status in OpenQA (bsc#1191922)
  * cert-script: Deal with existing $cert.delete file (bsc#1191804).
  * cert-script: Ignore kernel keyring for kernel certificates (bsc#1191480).
  * cert-script: Only print mokutil output in verbose mode.
  * inkmp-script(postun): don't pass  existing files to weak-modules2
    (boo#1191200)
  * kernel-scriptlets: skip cert scriptlet on non-UEFI systems
    (boo#1191260)
  * rpm-script: link config also into /boot (boo#1189879)
  * Import kernel scriptlets from kernel-source.
    (bsc#1189841, bsc#1190598)
  * Provide "/suse-kernel-rpm-scriptlets"/
- Update to version 15.0.7:
  * 00-system.conf: move br_netfilter softdep to separate file
    (boo#1158817)
sysstat
- Don't hard require systemd, it works without,too. (bsc#1186827)
systemd
- Import commit d38785e9adcf79c9729b94ef9f21185dd5a6d35f
  e1e30f53f2 Revert "/core: rework how we connect to the bus"/ (bsc#1193521 bsc#1193481)
  3463e3178c sleep-config: partitions can't be deleted, only files can
  e9e021b3b9 shared/sleep-config: exclude zram devices from hibernation candidates
- Drop 0001-core-prevent-bus_init_api-from-being-called-recursiv.patch
  This patch is no more needed since it was a follow-up for "/core: rework how we
  connect to the bus"/, which has been reverted.
- Add 0001-core-prevent-bus_init_api-from-being-called-recursiv.patch
- Import commit 43e57122ef9856db4ec4a8a2758bc8f73d2d1835
  1a6747aa01 umount: show correct error message
  e4b8a01ca5 core/umount: fix unitialized fields in MountPoint in dm_list_get()
- Fix IO scheduler udev rules
  * 60-io-scheduler.rules: don't use BFQ for real multiqueue devices
    (jsc#SLE-21032, bsc#1192161)
  * 60-io-scheduler.rules: use "/none"/ for multipath components
    (bsc#1192161)
- Import commit d126915ede24b052216ca940155ea5531970aa95
  f2cf0ac034 busctl: use usec granularity for the timestamp printed by the busctl monitor command (jsc#SLE-21862 jsc#SLE-18102 jsc#SLE-18103)
- Import commit 5acd9826521306d7b312826135afe491bd889a29
  df05d5b906 shutdown: Reduce log level of unmounts (bsc#1191252)
  31f2b51c18 umount: Don't bother remounting api and ro filesystems read-only
  4914963481 umount: Provide the same mount flags too when remounting read-only
  04463997a7 umount: Decide whether to remount read-only earlier
  143aed644f umount: Add more asserts and remove some unused arguments
  09c7ad555d umount: Fix memory leak
  1899743f50 shutdown: explicitly set a log target in shutdown.c
  a66287c2fe test: add tests for mount_option_mangle()
  036077c2a0 mount-util: add mount_option_mangle()
  e90a30bc86 dissect: automatically mark partitions read-only that have a read-only file system
  b09a5f1835 build-sys: require libmount >= 2.30 (#6795)
  2679668b86 systemd-shutdown: use log_set_prohibit_ipc(true)
  32625253bc rationalize interface for opening/closing logging
  46774b1d21 pid1: when we can't log to journal, remember our fallback log target
  cd994c1e81 log: remove LOG_TARGET_SAFE pseudo log target
  8d4ec9ec2e log: add brief comment for log_set_open_when_needed() and log_set_always_reopen_console()
  a914dd2003 pid1: make use of new "/prohibit_ipc"/ logging flag in PID 1 (bsc#1189803)
  496668c670 log: add new "/prohibit_ipc"/ flag to logging system
  9df8261e38 log: make log_set_upgrade_syslog_to_journal() take effect immediately
  15b3fcf953 mount-util: fix fd_is_mount_point() when both the parent and directory are network fs (bsc#1190984)
  1898f668dd core: rework how we connect to the bus (bsc#1190325)
  22a4287477 dbus: split up bus_done() into seperate functions
  42ce096d80 machine-id-setup: generate machine-id from DMI product ID on Amazon EC2
  39ea02b718 virt: detect Amazon EC2 Nitro instance (bsc#1190440)
  ef0253c6e5 virt: if we detect Xen by DMI, trust that over CPUID
- Import commit dc982a577e6d3eea8832083f470e48f6fbf227cc
  ddc6c90310 basic/unit-name: adjust comments
  390bc4e04f basic/unit-name: do not use strdupa() on a path (bsc#1188063 CVE-2021-33910)
  b83b235cac unit-name: generate a clear error code when converting an overly long fs path to a unit name
  4fd60931a5 unit-name: tighten checks for building valid unit names
  513c103faf manager: reexecute on SIGRTMIN+25, user instances only
  ff761f71a9 logind: terminate cleanly on SIGTERM/SIGINT (bsc#1188018)
  b236f23d9d units: make fsck/grows/makefs/makeswap units conflict against shutdown.target
- Dropped 1001-unit-name-tighten-checks-for-building-valid-unit-nam.patch
  Dropped 1002-unit-name-generate-a-clear-error-code-when-convertin.patch
  Dropped 1003-basic-unit-name-do-not-use-strdupa-on-a-path.patch
  Dropped 1004-basic-unit-name-adjust-comments.patch
  These patches have been merged in branch SUSE/v234.
- Update 60-io-scheduler.rules (jsc#SLE-21032, bsc#1134353)
  * rules weren't applied to dm devices (multipath), fix it
    (bsc#1188713)
  * ignore obsolete "/elevator"/ kernel parameter (bsc#1184994, bsc#1190234)
    ("/elevator"/ did falsely overide settings even for blk-mq, fixed).
- Make sure the versions of both udev and systemd packages are always the same (bsc#1189480)
- Avoid the error message when udev is updated due to udev being
  already active when the sockets are started again (bsc#1188291)
- Allow the systemd sysusers config files to be overriden during
  system installation (bsc#1171962).
- While at it, add a comment to explain why we don't use
  %sysusers_create in %pre and why it should be safe in %post.
- Added patches to fix CVE-2021-33910 (bsc#1188063)
  Added 1001-unit-name-tighten-checks-for-building-valid-unit-nam.patch
  Added 1002-unit-name-generate-a-clear-error-code-when-convertin.patch
  Added 1003-basic-unit-name-do-not-use-strdupa-on-a-path.patch
  Added 1004-basic-unit-name-adjust-comments.patch
  These patches will be moved to the git repo once the bug will become
  public.
- Added fix for bsc#1184994 to skip udev rules if 'elevator=' is used
- Create /run/lock/subsys again (bsc#1187292)
  The creation of this directory was mistakenly dropped when
  'filesystem' package took the initialization of the generic paths
  over.
  Paths under /run/lock are still managed by systemd for lack of
  better place.
- Import commit f6f87c1cb4119c41f6fb93702e03cec794829b7c
  d7ed4af259 mount-util: shorten the loop a bit (#7545)
  cdf9cbb509 mount-util: do not use the official MAX_HANDLE_SZ (#7523)
  bbcc63a032 mount-util: tape over name_to_handle_at() flakiness (#7517) (bsc#1184761)
  d44adc63ab test: fix test-mount-util when handling duplicate mounts on the same location
  7c74260899 mount-util: fix bad indenting
  c4ef3248e2 mount-util: EOVERFLOW might have other causes than buffer size issues
  3f3eb23ccb mount-util: fix error propagation in fd_fdinfo_mnt_id()
  9f170ee221 mount-util: drop exponential buffer growing in name_to_handle_at_loop()
  5c709e7b31 udev: port udev_has_devtmpfs() to use path_get_mnt_id()
  ac57cefcb9 mount-util: add new path_get_mnt_id() call that queries the mnt ID of a path
  e49d88b898 mount-util: add name_to_handle_at_loop() wrapper around name_to_handle_at()
  060b1db043 core: fix output (logging) for mount units (#7603) (bsc#1187400)
- Import commit 93910b81b809729afa7ff9529b45b1e67f229232
  c289e1e5ae sysusers: use the usual comment style
  f11535886f test/TEST-21-SYSUSERS: add tests for new functionality
  2f2bfa731c sysusers: allow admin/runtime overrides to command-line config
  dbd190cd3b basic/strv: add function to insert items at position
  3c7b4c67fa sysusers: allow the shell to be specified
  f316974ebe man: reformat table in sysusers.d(5)
  24113b7f00 sysusers: take configuration as positional arguments
  8232e059d8 sysusers: emit a bit more info at debug level when locking fails
  461356cfe9 sysusers: allow force reusing existing user/group IDs (#8037)
  dd9349e71a sysusers: ensure GID in uid:gid syntax exists
  5e0ab33e59 sysusers: make ADD_GROUP always create a group
  0dd4a69687 test: add TEST-21-SYSUSERS test
  4dea8a2774 sysuser: use OrderedHashmap
  de09744500 sysusers: allow uid:gid in sysusers.conf files
  9271c17657 meson: "/conf.get(condition)"/ fails if condition was not defined
  These commits implement the option '--replace' for systemd-sysusers
  so %sysusers_create_package can be introduced in SLE and packages
  can rely on this rpm macro without wondering whether the macro is
  available on the different target the package is submitted to.
- udev requires systemd in its %post (bsc#1185958)
  udevadm, called in udev's %post, requires libsystemd-shared-xxx.so.
- Expect 644 permissions for /usr/lib/udev/compat-symlink-generation (bsc#1185807)
- Import commit ca070cf0125f3b83fb3d7300ef4f524af47c49a3
  3daea193a1 cgroup: Parse infinity properly for memory protections (bsc#1167471)
  a3f4d2980e cgroup: Make empty assignments reset to default (bsc#1167471)
  72bbd3928c cgroup: Support 0-value for memory protection directives (bsc#1167471)
  9c192a00a4 core/cgroup: accepts MemorySwapMax=0 (#8366) (bsc#1154935)
  d64f691eb7 bus-unit-util: add proper MemorySwapMax= serialization
  98af04a71c core: accept MemorySwapMax= properties that are scaled, too
  d4528bcaa3 execute: make sure to call into PAM after initializing resource limits (bsc#1184967)
  7fb1ab4f38 rlimit-util: introduce setrlimit_closest_all()
  c0d1ae3086 system-conf: drop reference to ShutdownWatchdogUsec=
  9f66f43082 core: rename ShutdownWatchdogSec to RebootWatchdogSec (bsc#1185331)
  82a5f215a3 Return -EAGAIN instead of -EALREADY from unit_reload (bsc#1185046)
- Drop 0010-core-accept-MemorySwapMax-properties-that-are-scaled.patch
  Drop 0011-bus-unit-util-add-proper-MemorySwapMax-serialization.patch
  Drop 0012-core-cgroup-accepts-MemorySwapMax-0-8366.patch
  Drop 0013-cgroup-Support-0-value-for-memory-protection-directi.patch
  Drop 0014-cgroup-Make-empty-assignments-reset-to-default.patch
  Drop 0015-cgroup-Parse-infinity-properly-for-memory-protection.patch
  These patches have been merged in SUSE/v234 branch.
- Import commit bb23f007799c0ad2b14a6da7f74ee242e10b00b9
  611376f830 rules: don't ignore Xen virtual interfaces anymore (bsc#1178561)
  65f4fa852e write_net_rules: set execute bits (bsc#1178561)
  f60153e565 udev: rework network device renaming
  df31eb968a Revert "/Revert "/udev: network device renaming - immediately give up if the target name isn't available"/"/
- Import commit a9d8f7b4aa917ad28bc8c2622e77cb10c78b6b64
  1130a2a712 shutdown: bump kmsg log level to LOG_WARNING only
  188fb8b6ed shutdown: rework bump_sysctl_printk_log_level() to use sysctl_writef()
  8f718ea1ea sysctl: add sysctl_writef() helper
  cfaa3afb20 shutdown: use "/int"/ for log level type
  112b8553dc killall: bump log message about unkilled processes to LOG_WARNING
  5a9628e4d9 core/killall: Log the process names not killed after 10s
  26a073c9cf shutdown: Bump sysctl kernel.printk log level in order to see info msg
  a72f23faaa core/killall: Propagate errors and return the number of process left
  13092aa300 shutdown: always pass errno to logging functions
  62f0cbad46 umount: beef up logging when umount/remount child processes fail
  c04232cd6c umount: Try unmounting even if remounting read-only failed
  9cf5376ff5 core: Implement sync_with_progress() (bsc#1178219)
  160ef4200a core: Implement timeout based umount/remount limit (bsc#1178219)
  4a38837448 core: remove "/misuse"/ of getpgid() in systemd-shutdown
  6427ab4adf core: systemd-shutdown: avoid confusingly redundant messages
  c069ee55de core: systemd-shutdown: add missing check for umount_changed
  d28bde105a umount: always use MNT_FORCE in umount_all() (#7213)
  2c592670f0 signal-util: use a slightly less likely to conflict variable name instead of 't'
  b7e22d4712 meson: rename -Ddebug to -Ddebug-extra
  063f26c13b meson: drop misplaced -Wl,--undefined argument
  A bunch of commits which should improve the logs emitted by
  systemd-shutdown during the shutdown process when some badly written
  applications cannot be stopped properly and prevents some mount
  points to be unmounted properly. See bsc#1178219 for an example of
  such case.
- fix-machines-btrfs-subvol.sh is only shipped when machined is built
- Don't use shell redirections when calling a rpm macro (bsc#1183094)
  It's broken since the redirection is expanded where the parameters
  of the macro are, which can be anywhere in the body of macro.
- systemd requires aaa_base >= 13.2
  This dependency is required because 'systemctl
  {is-enabled,enable,disable} [initscript]"/ ends up calling
  systemd-sysv-install which in its turn calls "/chkconfig
  - -no-systemctl"/.
  aaa_base package has a weird versioning but the '--no-systemctl'
  option has been introduced starting from SLE12-SP2-GA, which shipped
  version "/13.2+git20140911.61c1681"/.
  Spotted in bsc#1180083.
- Import commit 05690b706a7c93e595280789f7b066afc1e3dcc4
  963377e674 PATCH] Always free deserialized_subscribed on reload (bsc#1180020)
  c77d75305a core: Fix edge case when processing /proc/self/mountinfo (#7811) (bsc#1180596)
  07a5ede612 cgroup: actually reset the cgroup invalidation mask after we made our changes (bsc#1178775)
- Drop 0001-cgroup-actually-reset-the-cgroup-invalidation-mask-a.patch
  This patch have been imported in SUSE/v234 branch
- Drop most of the tmpfiles that deal with generic paths (bsc#1078466 bsc#1181831)
  They are problematic because some of them conflict with SUSE
  defaults. Therefore it seems better to let the revelant packages
  owning these paths to provide their own definitions instead.
- Create and own /usr/lib/systemd/system-environment-generators
  just like /usr/lib/systemd/user-environment-generators.
tar
- Link /var/lib/tests/tar/bin/genfile as Position-Independent Executable
  (bsc#1184124).
  + tar-PIE.patch
- security update
- added patches
  fix CVE-2021-20193 [bsc#1181131], Memory leak in read_header() in list.c
  + tar-CVE-2021-20193.patch
tcpdump
- Disable 5 regression tests that fail with libpcap > 1.8.1
  * These test pcap files have been updated in later versions:
    arp-too-long-tha, juniper_header-heapoverflow,
    tftp-heapoverflow, relts-0x80000000, stp-v4-length-sigsegv.
- Add tcpdump-disable-failing-tests.patch [bsc#1183800]
tcsh
- Add patch tcsh-6.20.00-toolong.patch which is an upstream commit
  ported back to 6.20.00 to fix bsc#1179316 about history file growing
telnet
- Update Source location to use Gentoo mirror, fixes bsc#1129925
thin-provisioning-tools
- Link as position-independent executable (bsc#1184124).
tigervnc
- tigervnc-FIPS-use-RFC7919.patch
  * Enable GnuTLS 3.6.0 and later to use Diffie-Hellman parameters
    from RFC7919 instead of generating our own, for FIPS compliance.
  * Specify RFC7919 parameters for GnuTLS older than 3.6.0.
  * bsc#1179809
timezone
- timezone update 2021e (bsc#1177460):
  * Palestine will fall back 10-29 (not 10-30) at 01:00
- timezone update 2021d:
  * Fiji suspends DST for the 2021/2022 season
  * 'zic -r' marks unspecified timestamps with "/-00"/
- timezone update 2021c:
  * Revert almost all of 2021b's changes to the 'backward' file
  * Fix a bug in 'zic -b fat' that caused old timestamps to be
    mishandled in 32-bit-only readers
- timezone update 2021b:
  * Jordan now starts DST on February's last Thursday.
  * Samoa no longer observes DST.
  * Move some backward-compatibility links to 'backward'.
  * Rename Pacific/Enderbury to Pacific/Kanton.
  * Correct many pre-1993 transitions in Malawi, Portugal, etc.
  * zic now creates each output file or link atomically.
  * zic -L no longer omits the POSIX TZ string in its output.
  * zic fixes for truncation and leap second table expiration.
  * zic now follows POSIX for TZ strings using all-year DST.
  * Fix some localtime crashes and bugs in obscure cases.
  * zdump -v now outputs more-useful boundary cases.
  * tzfile.5 better matches a draft successor to RFC 8536.
- Refresh tzdata-china.patch
- Install tzdata.zi (bsc#1188127)
vim
- install suse vimrc in /usr (boo#1182324, vim-8.0.1568-globalvimrc.patch)
- source correct suse.vimrc file (boo#1182324)
  doesn't leave not owned directories (boo#1173256).
  build against Tumbleweed repo.
wget
- When running recursively, wget will verify the length of the whole
  URL when saving the files. This will make it overwrite files with
  truncated names, throwing the "/The name is too long, ... trying to
  shorten"/ messages. The patch moves the length check code to a
  separate function and call it from the append_dir_structure() for each
  path element.
  [ bsc#1181173, 0001-possibly-truncate-pathname-components.patch]
xen
- bsc#1192554 - VUL-0: CVE-2021-28706: xen: guests may exceed their
  designated memory limit (XSA-385)
  xsa385.patch
- bsc#1192557 - VUL-0: CVE-2021-28704,CVE-2021-28707,CVE-2021-28708:
  xen: PoD operations on misaligned GFNs (XSA-388)
  xsa388-1.patch
  xsa388-2.patch
- bsc#1192559 - VUL-0: CVE-2021-28705,CVE-2021-28709: xen: issues
  with partially successful P2M updates on x86 (XSA-389)
  xsa389.patch
- bsc#1189632 - VUL-0: CVE-2021-28701: xen: Another race in
  XENMAPSPACE_grant_table handling (XSA-384)
  xsa384.patch
- xsa378-3.patch, xsa380-2.patch: Integrate bugfixes. (bsc#1189373
  and bsc#1189378)
- xsa382.patch: Refresh.
- bsc#1189882 - refresh libxc.sr.superpage.patch
  prevent superpage allocation in the LAPIC and ACPI_INFO range
- bsc#1189373 - VUL-0: CVE-2021-28694,CVE-2021-28695,
  CVE-2021-28696: xen: IOMMU page mapping issues on x86 (XSA-378)
  xsa378-0a.patch
  xsa378-0b.patch
  xsa378-0c.patch
  xsa378-0d.patch
  xsa378-1.patch
  xsa378-2.patch
  xsa378-3.patch
  xsa378-4.patch
  xsa378-5.patch
  xsa378-6.patch
  xsa378-7.patch
  xsa378-8.patch
- bsc#1189376 - VUL-0: CVE-2021-28697: xen: grant table v2 status
  pages may remain accessible after de-allocation. (XSA-379)
  xsa379.patch
- bsc#1189378 - VUL-0: CVE-2021-28698: xen: long running loops in
  grant table handling. (XSA-380)
  xsa380-0.patch
  xsa380-1.patch
  xsa380-2.patch
- bsc#1189380 - VUL-0: CVE-2021-28699: xen: inadequate grant-v2
  status frames array bounds check. (XSA-382)
  xsa382.patch
- Drop aarch64-maybe-uninitialized.patch as the fix is in tarball.
- bsc#1186429 - VUL-0: CVE-2021-28692: xen: inappropriate x86 IOMMU
  timeout detection / handling (XSA-373)
  xsa373-0.patch
  xsa373-1.patch
  xsa373-2.patch
  xsa373-3.patch
  xsa373-4.patch
  xsa373-5.patch
- bsc#1186433 - VUL-0: CVE-2021-0089: xen: Speculative Code Store
  Bypass (XSA-375)
  xsa375.patch
- bsc#1186434 - VUL-0: CVE-2021-28690: xen: x86: TSX Async Abort
  protections not restored after S3 (XSA-377)
  xsa377.patch
- bsc#1182431 - VUL-0: CVE-2021-27379: xen: missed flush in XSA-321
  backport (XSA-366)
  xsa366.patch
- bsc#1178591 - fix bad backport
  xsa351-1.patch
  xsa351-2.patch
xfsprogs
- xfsprogs-devel: add libhandle1 dependency following split
  (bsc#1191566)
- xfs_admin: support external log devices (bsc#1189984)
  * Add xfsprogs-xfs_admin-support-external-log-devices.patch
- xfs_quota: state command should report ugp grace times (bsc#1189983)
  * Add xfsprogs-xfs_quota-display-warning-limits-when-printing-quota.patch
  * Add xfsprogs-xfs_quota-state-command-should-report-ugp-grace-time.patch
- xfsprogs: Remove barrier/nobarrier mount options from xfs.5
  (bsc#1191675)
  * Add xfsprogs-man-Remove-barrier-nobarrier-mount-options-from.patch
- xfs_io: add label command (bsc#1191500)
  * Add xfsprogs-xfs_io-add-label-command.patch
- xfs_bmap: remove -c from manpage (bsc#1189552)
- xfs_bmap: don't reject -e (bsc#1189552)
  * Add xfsprogs-xfs_bmap-remove-c-from-manpage.patch
  * Add xfsprogs-xfs_bmap-don-t-reject-e.patch
- xfs_repair: check plausibility of root dir pointer before trashing it
  (bsc#1188651)
  * Add xfsprogs-xfs_repair-refactor-fixed-inode-location-checks.patch
  * Add xfsprogs-xfs_repair-check-plausibility-of-root-dir-pointer-be.patch
- xfsprogs: split libhandle1 into a separate package, since nothing
  within xfsprogs dynamically links against it. The shared library
  is still required by xfsdump as a runtime dependency.
- mkfs.xfs: fix ASSERT on too-small device with stripe geometry
  (bsc#1181536)
  * Add xfsprogs-mkfs.xfs-fix-ASSERT-on-too-small-device-with-stripe-.patch
- mkfs.xfs: if either sunit or swidth is nonzero, the other must be as
  well (bsc#1085917, bsc#1181535)
  * Add xfsprogs-mkfs.xfs-if-either-sunit-or-swidth-is-nonzero-the-ot.patch
- xfs_growfs: refactor geometry reporting (bsc#1181306)
  * Add xfsprogs-xfs_growfs-refactor-geometry-reporting.patch
- xfs_growfs: allow mounted device node as argument (bsc#1181299)
  * Add xfsprogs-libfrog-fs_table_lookup_mount-should-realpath-the-ar.patch
  * Add xfsprogs-xfs_fsr-refactor-mountpoint-finding-to-use-libfrog-p.patch
  * Add xfsprogs-xfs_growfs-allow-mounted-device-node-as-argument.patch
- xfs_repair: rebuild directory when non-root leafn blocks claim block 0
  (bsc#1181309)
  * Add xfsprogs-xfs_repair-rebuild-directory-when-non-root-leafn-blo.patch
xkeyboard-config
- U_Fix-media-keys-lag-on-ABNT2-keyboard.patch
  * fixes wrong keyboard mapping causing input delays with ABNT2
    keyboards (bsc#1191242)
xterm
- xterm-CVE-2021-27135.patch: Fixed buffer-overflow when clicking
  on selected utf8 text. (bsc#1182091 CVE-2021-27135)
- Add Recommends: xorg-x11-fonts-legacy, since the default font
  is now available in that package. If the font is not available
  it will fall back to use a font installed in xorg-x11-fonts
  and it can also use truetype fonts, thus the Recommends instead
  of a Requires (related to boo#1169444)
yast2
- Do not use the 'installation-helper' binary to create snapshots
  during installation or offline upgrade (bsc#1180142).
- Add a new exception to properly handle exceptions
  when reading/writing snapshots numbers (related to bsc#1180142).
- 4.0.105
yast2-installation
- Do not crash when it is not possible to create a snapshot after
  installing or upgrading the system (bsc#1180142).
- 4.0.79
- Clean-up the unneeded installer updates (bsc#1182928).
- 4.0.78
- Do not cleanup the libzypp cache when the system has low memory,
  incomplete cache confuses libzypp later (bsc#1179415)
- 4.0.77
yast2-saptune
- version update from 1.3 to 1.4 to include the following fixes:
- Fixes for bsc#1188321
  Exchange the tuned daemon handling with the new saptune service
  handling for saptune version 3, but stay with the old behaviour
  for systems running saptune version 2.
  Add information, if the service is enabled or disabled.
yast2-update
- Do not rely on the 'installation-helper' binary to create
  snapshots after installation or offline upgrade (bsc#1180142).
- Do not crash when it is not possible to create a snapshot before
  upgrading the system (related to bsc#1180142).
- 4.0.19
zlib
- Update 410.patch to include new fixes from upstream,
  fixes bsc#1192688
- Refresh bsc1174736-DFLTCC_LEVEL_MASK-set-to-0x1ff.patch
  to match upstream commit
- Drop patches which changes have been merged in 410.patch:
  * zlib-compression-switching.patch
  * zlib-390x-z15-fix-hw-compression.patch
  * bsc1174551-fxi-imcomplete-raw-streams.patch
- Fix hw compression on z15 bsc#1176201
- Add zlib-s390x-z15-fix-hw-compression.patch
zstd
- Add 0001-PATCH-Use-umask-to-Constrain-Created-File-Permission.patch
  fixing (CVE-2021-24031, bsc#1183371) and (CVE-2021-24032, bsc#1183370).
  Use umask() to constrain created file permission.
zypper
- Fix compiler warning.
- zypper.conf: New option whether to collect subcommands found in
  $PATH (fixes #379)
  +[subcommand] i
  +
  +##  Whether to look for subcommands in $PATH
  +##
  +## If a subcommand is not found in the zypper_execdir, the wrapper
  +## will look in the rest of your $PATH for it. Thus, it's possible
  +## to write local zypper extensions that don't live in system space.
  +## See section SUBCOMMANDS in the zypper manpage.
  +##
  +## Valid values: boolean
  +## Default value: yes
  +##
  +# seachSubcommandInPath = yes.
- help subcommand: show path of command found in $PATH.
- version 1.14.50
- Avoid calling 'su' to detect a too restrictive sudo user umask
  (bsc#1186602)
- Fix typo in German translation (fixes #395)
- BuildRequires:  libzypp-devel >= 17.28.3.
- version 1.14.49
- Support new reports for singletrans rpm commit.
- BuildRequires:  libzypp-devel >= 17.27.1.
  For lock/query comments.
- Prompt: choose exact match if prompt options are not prefix
  free (bsc#1188156)
- Install summary: Show new and removed packages closer to the
  prompt (fixes #403)
  These packages are usually more interesting than the updated
  ones. In case of doubt less scrolling is needed to see them.
- Add need reboot/restart hint to XML install summary
  (bsc#1188435)
- Add comment option for lock command (fixes #388).
- version 1.14.48
- Quick fix obs:// platform guessing for Leap (bsc#1187425)
- man: point out more clearly that patches update affected
  packages to the latest version (bsc#1187466)
- version 1.14.47
- Link all executables with -pie (bsc#1186447)
- Tag PTF packages in the status column (bsc#1186503)
  Like retracted packages, a program temporary fix must be
  explicitly selected and will otherwise not be considered in
  dependency resolution.
- BuildRequires:  libzypp-devel >= 17.26.1.
- version 1.14.46
- Add hints to 'trust GPG key' prompt.
- Add report when receiving new package signing keys from a
  trusted repo (bsc#1184326)
- Added translation using Weblate (Kabyle)
- version 1.14.45
- Rephrase needs-rebooting help and messages.
  Try to point out that the need to reboot was not necessarily
  triggered by the current transaction.
- man page: Recommend the needs-rebooting command to test whether
  a system reboot is suggested.
- patch: Let a patch's reboot-needed flag overrule included packages
  (bsc#1183268)
- Quickfix setting "/openSUSE_Tumbleweed"/ as default platform for
  "/MicroOS"/ (bsc#1153687)
  This fixes the guessed platform for "/obs://<project>/"/ URLs.
- Protect against strict/relaxed user umask via sudo (bsc#1183589)
- zypper-log: protect against thread name indicators in a log.
- xml summary: add solvables repository alias (bsc#1182372)
- version 1.14.44
- doc: give more details about creating versioned package locks
  (bsc#1181622)
- man: Document synonymously used patch categories (bsc#1179847)
- version 1.14.43
- Fix source-download commnds help (bsc#1180663)
- man: Recommend to use the --non-interactive global option
  rather than the command option -y (bsc#1179816)
- Extend apt packagemap (fixes #366)
- --quitet: Fix install summary to write nothing if there's
  nothing todo (bsc#1180077)
- Prefer /run over /var/run.
- version 1.14.42
- Avoid translated text in xml attributes ( fixes #361 )
- BuildRequires:  libzypp-devel >= 17.25.3.
  Adapt to new LoadTestcase API.
- version 1.14.41