HANA-Firewall
- Adaption to new go compiler behavior regarding test and build
  (bsc#1197697)
NetworkManager
- Add 0001-supplicant-interface-Match-more-ciphers-to-determine.patch:
  supplicant/interface: Match more ciphers todetermine AP security
  (glfo#NetworkManager/NetworkManager/commit/e0191320, bsc#1198381);
- Add 0001-rdisc-fix-parsing-ndp_msg_opt_dnssl_lifetime-from-IP.patch:
  rdisc: fix parsing ndp_msg_opt_dnssl_lifetime() from IPv6 RA
  (bsc#1195222).
- Add 0001-ndisc-don-t-artificially-extend-the-lifetime-of-DNSS.patch:
  ndisc: don't artificially extend the lifetime of DNSSL/RDNSS
  options (bsc#1195222).
- Add NetworkManager-RFC8106.patch: Backport upstream fixes to
  implement RFC 8106(glfo#NetworkManager/NetworkManager#874,
  bsc#1195173).
SAPHanaSR
- Version bump to 0.155.0
- Add systemd support for the resource agent to interact with the
  new SAP unit files for sapstartsrv.
  As the new version of the SAP Startup Framework will use systemd
  unit files to control the sapstartsrv process instead of the
  previous used SysV init script, we need to adapt the handling of
  sapstartsrv inside the resource agents to support both ways.
  (bsc#1189530, bsc#1189531)
- The resource start and stop timeout is now configurable by
  increasing the timeout for the action 'start' and/or 'stop'.
  We will use 95% of this action timeouts to calculate the new
  resource start and stop timeout for the 'WaitforStarted' and
  'WaitforStopped' functions. If the new, calculated timeout value
  is less than '3600', it will be set to '3600', so that we do not
  decrease this timeout by accident
  (bsc#1182545)
- change promotion scoring during maintenance procedure to prevent
  that both sides have an equal promotion scoring after refresh
  which might result in a critical promotion of the secondary.
  (bsc#1174557)
- update of man page SAPHanaSR.py.7 - correct the supported HANA
  version.
  (bsc#1182201)
- if the $hdbState command fails to retrieve the current state of
  the System Replication, the resource agent now uses the
  system_replication/actual_mode attribute (if available) from the
  global.ini file as a fallback.
  This should prevent some confusing and misleading log messages
  during a takeover and solves the problem of a not working
  takeover back (after a successful first takeover)
  (bsc#1181765)
- add dedicated logging of HANA_CALL problems. So it will be now
  possible to identify, if the called hana command or the needed
  su command throws the error and for further hints we log the
  stderr output.
  Additional it is possible to get regular log messages for the
  used commands, their return code and their stderr output by
  enabling the 'debug' mode of the resource agents.
  (bsc#1182774)
aaa_base
- fix (bsc#1194883) - aaa_base: Set net.ipv4.ping_group_range to
  allow ICMP ping
- added patches
  + git-40-d004657a244d75b372a107c4f6097b42ba1992d5.patch
- Port change from Thu Sep 30 08:51:55 UTC 2022 forword to
  current version which includes a rename of patch
    git-13-14003c19eaa863ae9d80a0ebb9b5cab6273a5a9e.patch
  to
    git-43-14003c19eaa863ae9d80a0ebb9b5cab6273a5a9e.patch
  as otherwise autopatch macro does not work anymore
- Include all fixes and changes for systemwide inputrc to remove
  the 8 bit escape sequence which interfere with UTF-8 multi byte
  characters as well as support the vi mode of readline library.
  This is done with the patches
  * git-41-f00ca2600331602241954533a1b1610d1da57edf.patch
  * git-42-f39a8d18719c3b34373e0e36098f0f404121b5c5.patch
  before the changed patch
    git-13-14003c19eaa863ae9d80a0ebb9b5cab6273a5a9e.patch
  rename it to
    git-43-14003c19eaa863ae9d80a0ebb9b5cab6273a5a9e.patch
  and also add the patches
  * git-44-425f3e9b44ba9ead865d70ff6690d5f2869442dc.patch
  * git-45-bf0a31597d0ed3562bfc5e6be0ade2fe5dc1f7a1.patch
amazon-ssm-agent
- Fix mangled ExlusiveArch field
- Update to version 3.1.1260.0
  + Added missing check for invalid S3 path parameter
  + Added support for domain join using a non-local username
  + Fixed broken links in README.md
  + Fixed ECS Exec issue where agent was using environment variables for credentials
  + Updated Ec2Detector test to query smbios directly for system information
- from version 3.1.1208.0
  + Updated ec2detector module to use Get-CmiInstance instead of wmic.exe
  + Fixed file creation mode of ssm-agent-users sudoer file (bsc#1196556, CVE-2022-29527)
- from version 3.1.1188.0
  + Added new ec2detector module to determine if agent is on EC2
  + Added support for port forwarding to remote host
  + Added quotes around inventory parameter ValueName on Windows
  + Fix for domain join DNS IP assignments in shared directories
  + Replaced namedpipe updater test with ec2detector test
- from version 3.1.1141.0
  + Add application inventory by file for Bottlerocket
  + Fix infinite retry logic to send failed replies in MGSInteractor
  + Remove usage of io/fs package
- from version 3.1.1080.0
  + (windows only) Remove symlink scan during update
- from version 3.1.1045.0
  + Fixed sourceHash validation for aws:application document plugin
  + Added document parameter validation for values passed to target document of aws:runDocument plugin
  + (windows only) Fix process leak when legacy cloudwatch plugin is enabled
  + (windows only) Fail installation if C:ProgramDataAmazonSSM has symlinks
- from version 3.1.1004.0
  + Added platform detection for Bottlerocket OS
  + Consolidated regional endpoint generation to common endpoint module
- from version 3.1.941.0
  + Added support for Rocky linux
  + Fixed sharefile/shareprofile not being propagated to updateutil
  + Fixed incorrect darwin platform detection post BigSur
  + Fixed log flush issue in updater
  + Updated .NET dependencies for domainjoin and cloudwatch (windows only)
  + Updated go version to 1.17.6
- from version 3.1.821.0
  + Implement new core module named MessageService to start processing commands from both MGS and MDS
  * Merge functionalities from RunCommandService core module and Session core module.
  * Receive run command documents through MGS if connected and fallback to MDS otherwise.
    This functionality requires appropriate permissions for both endpoints and will be rolled
    out gradually to end users.
  * Provide filesystem based idempotency check to avoid duplicate run command document execution.
  * Increase default run command pool buffer size from 1 to 5 to load additional documents
    before-hand for processing.
  + Fix nil pointer deference panic produced in named pipe test case during agent update
  + Remove StopType concept in ssm-agent-worker and add different waits for reboot and shutdown stop
- from version 3.1.804.0
  + Add support for upstart when running get-diagnostic command using ssm-cli
  + Fix systemctl service name to support older versions of systemctl
  + Include changes to facilitate testing
  + Update DNS server selection logic for seamless domain join on linux and darwin
  + Update go version to go1.17.5
  + Update golang sys package dependency
- from version 3.1.715.0
  + Derive default directories from appconfig on Darwin
  + Set x-bit on newly-created directories
- from version 3.1.634.0
  + Fix for ssm-setup-cli to be able to select service manager without the agent being installed
- from version 3.1.630.0
  + Added greengrass component recipe for the new SystemsManagerAgent component
  + Added support for registering agent on a greengrass device
  + Added support for downloading more than 1000 objects in downloadContent
  + Fixed retry logic for onprem and s3 upload
  + Fixed unit tests when running on Mac
  + Update AWS SDK to v1.41.4
  + Update logic to retrieve platform details for Rocky Linux
- from version 3.1.501.0
  + Add diagnostics command to ssm-cli
  + Fix caching for onprem credentials
  + Additional configuration options for Seamless Domain Join
  + Gracefully exit session if group of runas user is modified
  + Skip retries for cert validation errors in S3 HEAD requests
  + Fix DNS failures on CentOS 8.2
  + Update several dependencies
- from version 3.1.459.0
  + Fixed a bug with powershell command for Inventory
- from version 3.1.426.0
  + Fixed cpu spike issue manifesting on snap
  + Fixed issue with version comparison in EC2Config update plugin
  + Fixed panic when command output was being truncated
  + Updated build to use go1.16.8
  + Removed Profile from inventory powershell commands on Windows
- from version 3.1.338.0
  + Fix to eliminate WaitGroup reuse panic triggered during agent reboot
  + Fix to include applications without UninstallString in Inventory for Windows
  + Fixed a bug where multi-plugin documents with large outputs would timeout RunCommand
  + Fixed a bug where RunCommand could delay executions for up to 15 minutes
- from version 3.1.282.0
  + Add serial port logging of AwsNitroEnclaves package version on windows during startup
  + Allow usage of existing loggroup/logstream when the user does not have create permission
  + Change service interrogate request log to debug
  + Cleanup old surveyor channel files on startup
  + Fix filehandle leak in windows leading to agent going offline
  + Fix to schedule correct next run time during orchestration directories cleanup
  + Fix to sequentially update correct runcount value in the document bookkeeping file
  + Fix a bug with version parsing EC2Config updater
  + Updated rpm packaging for fips compliance
- from version 3.1.192.0
  + Added darwin arm64 to makefile
  + Added logic to limit orchestration directory cleanup
  + Added packaging for public SSM Agent container image
  + Fixed cloudwatch endpoint for telemetry metrics requests
  + Fixed handling of Windows filepaths and mutex locks
  + Fixed agent worker handling of OS signals and termination channel requests
  + Updated datachannel retry strategy to not retry for a specific error scenario
  + Updated default gomaxproc value for Windows
  + Update build to use go1.16.6
- from version 3.1.127.0
  + Added a workaround for windows random halts
  + Fixed race condition during reboot document execution
- from version 3.1.90.0
  + Updated to version 3.1
  + Updated build to build statically linked binaries for linux 64bit
  * Minimum supported linux kernel version for linux 64bit is 3.2+
  + Fixed permissions for docker config file
  + Fixed issue with ubuntu prerm and postinst scripts
  + Fixed issue where processor stop was being called twice
- from version 3.0.1390.0
  + Added config option to delete orchestration folder
  + Added snapcraft packaging config
  + Added workaround for aws:runDocument status bug
  + Added improved handling of file closure
  + Added support for go mod and updated build to use go 1.16.4
  + Fixed bug parsing vpce s3 urls
  + Refactored use of agent identity in agent cli
  + Updated check if agent is running as windows service
  + Updated handling of session cancellation to still send output to client side
  + Updated interactive session exit code logic to match non-interactive mode
  + Updated vendor dependencies
- Update directory path for GOPATH
- Update to version 3.0.1295.0
  + Added configurable custom identity and identity consumption order
  + Added cross-account domain join
  + Added cleanup for older versions of updater artifacts
  + Added a workaround for MacOS kernel bug that sometimes kept RunCommand from launching
  + Added a workaround for log file contention on Windows
  + Added synchronization to RunCommand service stop
  + Changed hibernation log level
  + MacOS executables are now signed
  + Removed delay in non-interactive session type
augeas
- add augeas-sysctl_parsing.patch (bsc#1197443)
  * backport original patch and rebase
- support new chrony 4.1 options (jsc#SLE-17334)
  augeas-new_options_for_chrony.patch
autofs
- autofs-5.1.6-fix-quoted-string-length-calc-in-expand.patch
  Fix problem with quote handling
  (bsc#1181715)
- 0005-autofs-5.1.4-fix-incorrect-locking-in-sss-lookup.patch
  Fix locking problem that causes deadlock when sss used.
  (bsc#1196485)
- 0004-autofs-5.1.3-add-port-parameter-to-rpc_ping.patch
  Suppress portmap calls when port explicitly given
  (bsc#1195697)
avahi
- Downgrade python3-Twisted to a Recommends. It is not available
  on SLED or PackageHub, and it is only needed by avahi-bookmarks
  (bsc#1196282).
- Add avahi-bookmarks-import-warning.patch: fix warning when
  twisted is not available.
- Replace avahi-0.6.31-systemd-order.patch with
  avahi-add-resolv-conf-to-inotify.patch: re-read configuration
  when resolv.conf changes, per discussion on the bug
  (boo#1194561).
- Have python3-avahi require python3-dbus-python, not the
  python 2 dbus-1-python package (bsc#1195614).
- Reinstate avahi-0.6.31-systemd-order.patch (boo#1194561).
  This can probably go away if/when gh#lathiat/avahi#118 is fixed.
- Drop avahi-0.6.32-suppress-resolv-conf-warning.patch: we should
  no longer need this given the above patch.
- Move sftp-ssh and ssh services to the doc directory. They allow
  a host's up/down status to be easily discovered and should not
  be enabled by default (boo#1179060).
bind
- When using forwarders, bogus NS records supplied by, or via, those
  forwarders may be cached and used by named if it needs to recurse
  for any reason, causing it to obtain and pass on potentially
  incorrect answers.
  [CVE-2021-25220, bsc#1197135, bind-9.16.27-0001-CVE-2021-25220.patch]
binutils
- For building shim 15.6~rc1 (and later versions) aarch64 image, objcopy
  needs to support efi-app-aarch64 target. (bsc#1198458)
  Adds binutils-add-efi-aarch64-1.diff,
  binutils-add-efi-aarch64-2.diff, binutils-add-efi-aarch64-3.diff .
- Add binutils-fix-keepdebug.diff for fix bsc#1191908, a problem
  in crash not accepting some of our .ko.debug files.
- Add binutils-revert-rela.diff to revert back to old behaviour
  of not ignoring the in-section content of to be relocated
  fields on x86-64, even though that's a RELA architecture.
  Compatibility with buggy object files generated by old tools.
  [bsc#1198422]
- Add binutils-add-z16-name.diff so that the now official name
  z16 for arch14 is recognized.  [bsc#1198237]
cifs-utils
- CVE-2022-27239: mount.cifs: fix length check for ip option
  parsing; (bsc#1197216) (bso#15025); CVE-2022-27239.
  * add 0016-CVE-2022-27239-mount.cifs-fix-length-check-for-ip-op.patch
cloud-init
- Update to version 21.4 (bsc#1192343, jsc#PM-3181)
  + Also include VMWare functionality for (jsc#PM-3175)
  + Remove patches included upstream:
  - cloud-init-purge-cache-py-ver-change.patch
  - cloud-init-update-test-characters-in-substitution-unit-test.patch
  + Forward port:
  - cloud-init-write-routes.patch
  - cloud-init-no-tempnet-oci.patch
  + Add cloud-init-vmware-test.patch
  - Test is system dependend, not properly mocked
  + Azure: fallback nic needs to be reevaluated during reprovisioning
    (#1094) [Anh Vo]
  + azure: pps imds (#1093) [Anh Vo]
  + testing: Remove calls to 'install_new_cloud_init' (#1092)
  + Add LXD datasource (#1040)
  + Fix unhandled apt_configure case. (#1065) [Brett Holman]
  + Allow libexec for hotplug (#1088)
  + Add necessary mocks to test_ovf unit tests (#1087)
  + Remove (deprecated) apt-key (#1068) [Brett Holman] (LP: #1836336)
  + distros: Remove a completed "/TODO"/ comment (#1086)
  + cc_ssh.py: Add configuration for controlling ssh-keygen output (#1083)
    [dermotbradley]
  + Add "/install hotplug"/ module (SC-476) (#1069) (LP: #1946003)
  + hosts.alpine.tmpl: rearrange the order of short and long hostnames
    (#1084) [dermotbradley]
  + Add max version to docutils
  + cloudinit/dmi.py: Change warning to debug to prevent console display
    (#1082) [dermotbradley]
  + remove unnecessary EOF string in
    disable-sshd-keygen-if-cloud-init-active.conf (#1075) [Emanuele
    Giuseppe Esposito]
  + Add module 'write-files-deferred' executed in stage 'final' (#916)
    [Lucendio]
  + Bump pycloudlib to fix CI (#1080)
  + Remove pin in dependencies for jsonschema (#1078)
  + Add "/Google"/ as possible system-product-name (#1077) [vteratipally]
  + Update Debian security suite for bullseye (#1076) [Johann Queuniet]
  + Leave the details of service management to the distro (#1074)
    [Andy Fiddaman]
  + Fix typos in setup.py (#1059) [Christian Clauss]
  + Update Azure _unpickle (SC-500) (#1067) (LP: #1946644)
  + cc_ssh.py: fix private key group owner and permissions (#1070)
    [Emanuele Giuseppe Esposito]
  + VMware: read network-config from ISO (#1066) [Thomas Weißschuh]
  + testing: mock sleep in gce unit tests (#1072)
  + CloudStack: fix data-server DNS resolution (#1004)
    [Olivier Lemasle] (LP: #1942232)
  + Fix unit test broken by pyyaml upgrade (#1071)
  + testing: add get_cloud function (SC-461) (#1038)
  + Inhibit sshd-keygen@.service if cloud-init is active (#1028)
    [Ryan Harper]
  + VMWARE: search the deployPkg plugin in multiarch dir (#1061)
    [xiaofengw-vmware] (LP: #1944946)
  + Fix set-name/interface DNS bug (#1058) [Andrew Kutz] (LP: #1946493)
  + Use specified tmp location for growpart (#1046) [jshen28]
  + .gitignore: ignore tags file for ctags users (#1057) [Brett Holman]
  + Allow comments in runcmd and report failed commands correctly (#1049)
    [Brett Holman] (LP: #1853146)
  + tox integration: pass the *_proxy, GOOGLE_*, GCP_* env vars (#1050)
    [Paride Legovini]
  + Allow disabling of network activation (SC-307) (#1048) (LP: #1938299)
  + renderer: convert relative imports to absolute (#1052) [Paride Legovini]
  + Support ETHx_IP6_GATEWAY, SET_HOSTNAME on OpenNebula (#1045)
    [Vlastimil Holer]
  + integration-requirements: bump the pycloudlib commit (#1047)
    [Paride Legovini]
  + Allow Vultr to set MTU and use as-is configs (#1037) [eb3095]
  + pin jsonschema in requirements.txt (#1043)
  + testing: remove cloud_tests (#1020)
  + Add andgein as contributor (#1042) [Andrew Gein]
  + Make wording for module frequency consistent (#1039) [Nicolas Bock]
  + Use ascii code for growpart (#1036) [jshen28]
  + Add jshen28 as contributor (#1035) [jshen28]
  + Skip test_cache_purged_on_version_change on Azure (#1033)
  + Remove invalid ssh_import_id from examples (#1031)
  + Cleanup Vultr support (#987) [eb3095]
  + docs: update cc_disk_setup for fs to raw disk (#1017)
  + HACKING.rst: change contact info to James Falcon (#1030)
  + tox: bump the pinned flake8 and pylint version (#1029)
    [Paride Legovini] (LP: #1944414)
  + Add retries to DataSourceGCE.py when connecting to GCE (#1005)
    [vteratipally]
  + Set Azure to apply networking config every BOOT (#1023)
  + Add connectivity_url to Oracle's EphemeralDHCPv4 (#988) (LP: #1939603)
  + docs: fix typo and include sudo for report bugs commands (#1022)
    [Renan Rodrigo] (LP: #1940236)
  + VMware: Fix typo introduced in #947 and add test (#1019) [PengpengSun]
  + Update IPv6 entries in /etc/hosts (#1021) [Richard Hansen] (LP: #1943798)
  + Integration test upgrades for the 21.3-1 SRU (#1001)
  + Add Jille to tools/.github-cla-signers (#1016) [Jille Timmermans]
  + Improve ug_util.py (#1013) [Shreenidhi Shedi]
  + Support openEuler OS (#1012) [zhuzaifangxuele]
  + ssh_utils.py: ignore when sshd_config options are not key/value pairs
    (#1007) [Emanuele Giuseppe Esposito]
  + Set Azure to only update metadata on BOOT_NEW_INSTANCE (#1006)
  + cc_update_etc_hosts: Use the distribution-defined path for the hosts
    file (#983) [Andy Fiddaman]
  + Add CloudLinux OS support (#1003) [Alexandr Kravchenko]
  + puppet config: add the start_agent option (#1002) [Andrew Bogott]
  + Fix `make style-check` errors (#1000) [Shreenidhi Shedi]
  + Make cloud-id copyright year (#991) [Andrii Podanenko]
  + Add support to accept-ra in networkd renderer (#999) [Shreenidhi Shedi]
  + Update ds-identify to pass shellcheck (#979) [Andrew Kutz]
  + Azure: Retry dhcp on timeouts when polling reprovisiondata (#998)
    [aswinrajamannar]
  + testing: Fix ssh keys integration test (#992)
- From 21.3
  + Azure: During primary nic detection, check interface status continuously
    before rebinding again (#990) [aswinrajamannar]
  + Fix home permissions modified by ssh module (SC-338) (#984)
    (LP: #1940233)
  + Add integration test for sensitive jinja substitution (#986)
  + Ignore hotplug socket when collecting logs (#985) (LP: #1940235)
  + testing: Add missing mocks to test_vmware.py (#982)
  + add Zadara Edge Cloud Platform to the supported clouds list (#963)
    [sarahwzadara]
  + testing: skip upgrade tests on LXD VMs (#980)
  + Only invoke hotplug socket when functionality is enabled (#952)
  + Revert unnecesary lcase in ds-identify (#978) [Andrew Kutz]
  + cc_resolv_conf: fix typos (#969) [Shreenidhi Shedi]
  + Replace broken httpretty tests with mock (SC-324) (#973)
  + Azure: Check if interface is up after sleep when trying to bring it up
    (#972) [aswinrajamannar]
  + Update dscheck_VMware's rpctool check (#970) [Shreenidhi Shedi]
  + Azure: Logging the detected interfaces (#968) [Moustafa Moustafa]
  + Change netifaces dependency to 0.10.4 (#965) [Andrew Kutz]
  + Azure: Limit polling network metadata on connection errors (#961)
    [aswinrajamannar]
  + Update inconsistent indentation (#962) [Andrew Kutz]
  + cc_puppet: support AIO installations and more (#960) [Gabriel Nagy]
  + Add Puppet contributors to CLA signers (#964) [Noah Fontes]
  + Datasource for VMware (#953) [Andrew Kutz]
  + photon: refactor hostname handling and add networkd activator (#958)
    [sshedi]
  + Stop copying ssh system keys and check folder permissions (#956)
    [Emanuele Giuseppe Esposito]
  + testing: port remaining cloud tests to integration testing framework
    (SC-191) (#955)
  + generate contents for ovf-env.xml when provisioning via IMDS (#959)
    [Anh Vo]
  + Add support for EuroLinux 7 && EuroLinux 8 (#957) [Aleksander Baranowski]
  + Implementing device_aliases as described in docs (#945)
    [Mal Graty] (LP: #1867532)
  + testing: fix test_ssh_import_id.py (#954)
  + Add ability to manage fallback network config on PhotonOS (#941) [sshedi]
  + Add VZLinux support (#951) [eb3095]
  + VMware: add network-config support in ovf-env.xml (#947) [PengpengSun]
  + Update pylint to v2.9.3 and fix the new issues it spots (#946)
    [Paride Legovini]
  + Azure: mount default provisioning iso before try device listing (#870)
    [Anh Vo]
  + Document known hotplug limitations (#950)
  + Initial hotplug support (#936)
  + Fix MIME policy failure on python version upgrade (#934)
  + run-container: fixup the centos repos baseurls when using http_proxy
    (#944) [Paride Legovini]
  + tools: add support for building rpms on rocky linux (#940)
  + ssh-util: allow cloudinit to merge all ssh keys into a custom user
    file, defined in AuthorizedKeysFile (#937) [Emanuele Giuseppe Esposito]
    (LP: #1911680)
  + VMware: new "/allow_raw_data"/ switch (#939) [xiaofengw-vmware]
  + bump pycloudlib version (#935)
  + add renanrodrigo as a contributor (#938) [Renan Rodrigo]
  + testing: simplify test_upgrade.py (#932)
  + freebsd/net_v1 format: read MTU from root (#930) [Gonéri Le Bouder]
  + Add new network activators to bring up interfaces (#919)
  + Detect a Python version change and clear the cache (#857)
    [Robert Schweikert]
  + cloud_tests: fix the Impish release name (#931) [Paride Legovini]
  + Removed distro specific network code from Photon (#929) [sshedi]
  + Add support for VMware PhotonOS (#909) [sshedi]
  + cloud_tests: add impish release definition (#927) [Paride Legovini]
  + docs: fix stale links rename master branch to main (#926)
  + Fix DNS in NetworkState (SC-133) (#923)
  + tests: Add 'adhoc' mark for integration tests (#925)
  + Fix the spelling of "/DigitalOcean"/ (#924) [Mark Mercado]
  + Small Doc Update for ReportEventStack and Test (#920) [Mike Russell]
  + Replace deprecated collections.Iterable with abc replacement (#922)
    (LP: #1932048)
  + testing: OCI availability domain is now required (SC-59) (#910)
  + add DragonFlyBSD support (#904) [Gonéri Le Bouder]
  + Use instance-data-sensitive.json in jinja templates (SC-117) (#917)
    (LP: #1931392)
  + doc: Update NoCloud docs stating required files (#918) (LP: #1931577)
  + build-on-netbsd: don't pin a specific py3 version (#913)
    [Gonéri Le Bouder]
  + Create the log file with 640 permissions (#858) [Robert Schweikert]
  + Allow braces to appear in dhclient output (#911) [eb3095]
  + Docs: Replace all freenode references with libera (#912)
  + openbsd/net: flush the route table on net restart (#908)
    [Gonéri Le Bouder]
  + Add Rocky Linux support to cloud-init (#906) [Louis Abel]
  + Add "/esposem"/ as contributor (#907) [Emanuele Giuseppe Esposito]
  + Add integration test for #868 (#901)
  + Added support for importing keys via primary/security mirror clauses
    (#882) [Paul Goins] (LP: #1925395)
  + [examples] config-user-groups expire in the future (#902)
    [Geert Stappers]
  + BSD: static network, set the mtu (#894) [Gonéri Le Bouder]
  + Add integration test for lp-1920939 (#891)
  + Fix unit tests breaking from new httpretty version (#903)
  + Allow user control over update events (#834)
  + Update test characters in substitution unit test (#893)
  + cc_disk_setup.py: remove UDEVADM_CMD definition as not used (#886)
    [dermotbradley]
  + Add AlmaLinux OS support (#872) [Andrew Lukoshko]
- systemctl location (bsc#1193531)
  - Add cloud-init-sysctl-not-in-bin.patch
  - The sytemctl executable is not necessarily in '/bin'
- Remove unneeded BuildRequires on python3-nose.
  + Still need to consider the "/network"/ configuration option
cloud-regionsrv-client
- Update to version 10.0.3 (bsc#1198389)
  - Descend into the extension tree even if top level module is recommended
  - Cache license state for AHB support to detect type switch
  - Properly clean suse.com credentials when switching from SCC to update
    infrastructure
  - New log message to indicate base product registration success
- Update to version 10.0.2
  + Fix name of logfile in error message
  + Fix variable scoping to properly detect registration error
  + Cleanup any artifacts on registration failure
  + Fix latent bug with /etc/hosts population
  + Do not throw error when attemting to unregister a system that is not
    registered
  + Skip extension registration if the extension is recommended by the
    baseproduct as it gets automatically installed
- Update to version 10.0.1 (bsc#1197113)
  + Provide status feedback on registration, success or failure
  + Log warning message if data provider is configured but no data
    can be retrieved
- Update -addon-azure to 1.0.3 follow up fix for (bsc#1195414, bsc#1195564)
  + The repo enablement timer cannot depend on guestregister.service
- Update -addon-azure to 1.0.2 (bsc#1196305)
  + The is-registered() function expects a string of the update server FQDN.
    The regionsrv-enabler-azure passed an Object of type SMT. Fix the call
    in regionsrv-enabler-azure.
- Update -plugin-azure to 2.0.0 (bsc#1196146)
  + Lower case the region hint to reduce issues with Azure region name
    case inconsistencies
- Update to version 10.0.0 (bsc#1195414, bsc#1195564)
  + Refactor removes check_registration() function in utils implementation
  + Only start the registration service for PAYG images
  - addon-azure sub-package to version 1.0.1
cluster-glue
- Requesting cluster-glue bugfix (bsc#1197681)
  * Add upstream patch:
    0002-bugfix-for-comment-in-external-ec2.patch
- (jsc#SLE-23490) (jsc#SLE-23491) (jsc#SLE-23492) (jsc#SLE-23494)
  IMDSv2 support in ec2 stonith agent
  * add upstream patch:
    0001-Update-external-ec2-to-support-IMDSv2.patch
containerd
- Update to containerd v1.6.6 to fix CVE-2022-31030 and meet the requirements
  of Docker v20.10.17-ce. bsc#1200145
- Remove upstreamed patches:
  - bsc1200145-Limit-the-response-size-of-ExecSync.patch
[ This patch was only released in SLES and Leap. ]
- Backport patch to fix GHSA-5ffw-gxpp-mxpf CVE-2022-31030. bsc#1200145
  + bsc1200145-Limit-the-response-size-of-ExecSync.patch
- Update to containerd v1.5.12. Upstream release notes:
  <https://github.com/containerd/containerd/releases/tag/v1.5.12>
- Update to containerd v1.5.11 to fix CVE-2022-24769. bsc#1197517
- Update to containerd v1.4.13 to fix CVE-2022-23648. bsc#1196441
- Remove upstreamed patch:
  - CVE-2022-23648.patch
[ This patch was only released in SLES and Leap. ]
- Add patch for CVE-2022-23648. bsc#1196441
  + CVE-2022-23648.patch
- Update to containerd v1.4.12 for Docker 20.10.11-ce. bsc#1192814
  bsc#1193273 CVE-2021-41190
- Update to containerd v1.4.11, to fix CVE-2021-41103. bsc#1191355
- Switch to Go 1.16.x compiler, in line with upstream.
coreutils
- coreutils-df-fuse-portal-dummy.patch:
  df: Add "/fuse.portal"/ as a dummy file system (used in flatpak
  implementations). (bsc#1189152)
crash
- Fix module loading (bsc#1190743 ltc#194414).
  + crash-mod-fix-module-object-file-lookup.patch
crmsh
- Update to version 4.3.1+20220505.cf4ab649:
  * Fix: hb_report: Read data in a save way, to avoid UnicodeDecodeError (bsc#1198180)
  * Dev: ocfs2: Fix running ocfs2 stage on cluster with diskless-sbd
  * Fix: ui_configure: Give a deprecated warning when using "/ms"/ subcommand (bsc#1194125)
  * Fix: xmlutil: Parse promotable clone correctly and also consider compatibility (bsc#1194125)
  * Fix: bootstrap: Change default transport type as udpu(unicast) (bsc#1132375)
- Update to version 4.3.1+20220321.bd33abac:
  * Dev: Parametrize the log dir
  * medium: utils: update detect_cloud pattern for aws (bsc#1197351)
  * Fix: utils: Only raise exception when return code of systemctl command over ssh larger than 4 (bsc#1196726)
- Update to version 4.3.1+20220208.73603501:
  * Fix: sbd: not overwrite SYSCONFIG_SBD and sbd-disk-metadata if input 'n'(bsc#1194870)
  * Fix: crash_test: Adjust help output of 'crm cluster crash_test -h'(bsc#1194615)
  * Fix: bootstrap: Change log info when need to change user login shell (bsc#1194026)
cups
- cups-2.2.7-CVE-2022-26691.patch fixes CVE-2022-26691
  cups: authentication bypass and code execution (bsc#1199474)
- SUSE_bsc_1189517.patch is
  https://github.com/apple/cups/commit/821b3cc956d46b811facd50986acc9f24f0e1c79
  which belongs to https://github.com/apple/cups/issues/5288
  that fixes bsc#1189517
  "/cups printservice takes much longer than before
  with a big number of printers"/
  see in particular
  https://github.com/apple/cups/issues/5288#issuecomment-921626381
- SUSE_bsc_1195115.patch is
  https://github.com/apple/cups/commit/ba9d68cc7467a7a47ef219071902b9e9eb6dbc44
  which belongs to https://github.com/apple/cups/issues/5538
  that fixes bsc#1195115
  "/CUPS PreserveJobHistory doesn't work with seconds"/
curl
- Security fix: [bsc#1200735, CVE-2022-32206]
  * HTTP compression denial of service
  * Add curl-CVE-2022-32206.patch
- Security fix: [bsc#1200737, CVE-2022-32208]
  * FTP-KRB bad message verification
  * Add curl-CVE-2022-32208.patch
- Securiy fix: [bsc#1199223, CVE-2022-27781]
  * CERTINFO never-ending busy-loop
  * Add curl-CVE-2022-27781.patch
- Securiy fix: [bsc#1199224, CVE-2022-27782]
  * TLS and SSH connection too eager reuse
  * Add curl-CVE-2022-27782.patch
- Security fix: [bsc#1198766, CVE-2022-27776]
  * Auth/cookie leak on redirect
  * Add backported curl-CVE-2022-27776.patch
- Security fix: [bsc#1198723, CVE-2022-27775]
  * Bad local IPv6 connection reuse
  * Add backported curl-CVE-2022-27775.patch
- Security fix: [bsc#1198614, CVE-2022-22576]
  * OAUTH2 bearer bypass in connection re-use
  * Add backported curl-CVE-2022-22576.patch
cyrus-sasl
- CVE-2022-24407: cyrus-sasl: SQL injection in sql_auxprop_store
  in plugins/sql.c (bsc#1196036)
  o add upstream patch:
    0001-CVE-2022-24407-Escape-password-for-SQL-insert-update.patch
cyrus-sasl-saslauthd
- CVE-2022-24407: cyrus-sasl: SQL injection in sql_auxprop_store
  in plugins/sql.c (bsc#1196036)
  o add upstream patch:
    0001-CVE-2022-24407-Escape-password-for-SQL-insert-update.patch
dhcp
- bsc#1198657: properly handle DHCRELAY(6)_OPTIONS.
docker
- Update to Docker 20.10.17-ce. See upstream changelog online at
  <https://docs.docker.com/engine/release-notes/#201017>. bsc#1200145
- Rebase patches:
  * 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
  * 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
  * 0003-PRIVATE-REGISTRY-add-private-registry-mirror-support.patch
  * 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
  * 0005-bsc1183855-btrfs-Do-not-disable-quota-on-cleanup.patch
  * 0006-bsc1193930-vendor-update-golang.org-x-crypto.patch
- Add patch to update golang.org/x/crypto for CVE-2021-43565 and CVE-2022-27191.
  bsc#1193930 bsc#1197284
  * 0006-bsc1193930-vendor-update-golang.org-x-crypto.patch
- Rebase patches:
  * 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
  * 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
  * 0003-PRIVATE-REGISTRY-add-private-registry-mirror-support.patch
  * 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
  * 0005-bsc1183855-btrfs-Do-not-disable-quota-on-cleanup.patch
- Update to Docker 20.10.14-ce. See upstream changelog online at
  <https://docs.docker.com/engine/release-notes/#201014>. bsc#1197517
  CVE-2022-24769
- Update to Docker 20.10.12-ce. See upstream changelog online at
  <https://docs.docker.com/engine/release-notes/#201012>.
- Remove CHANGELOG.md. It hasn't been maintained since 2017, and all of the
  changelogs are currently only available online.
- Update to Docker 20.10.11-ce. See upstream changelog online at
  <https://docs.docker.com/engine/release-notes/#201011>. bsc#1192814
  bsc#1193273 CVE-2021-41190
- Rebase patches:
  * 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
  * 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
  * 0003-PRIVATE-REGISTRY-add-private-registry-mirror-support.patch
  * 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
  * 0005-bsc1183855-btrfs-Do-not-disable-quota-on-cleanup.patch
- Remove upstreamed patches:
  - 0006-bsc1190670-seccomp-add-support-for-clone3-syscall-in.patch
- Update to Docker 20.10.9-ce. See upstream changelog online at
  <https://docs.docker.com/engine/release-notes/#20109>. bsc#1191355
  CVE-2021-41089 bsc#1191015 CVE-2021-41091 bsc#1191434
  CVE-2021-41092 bsc#1191334 CVE-2021-41103 bsc#1191121
- Update to Docker 20.10.6-ce. See upstream changelog online at
  <https://docs.docker.com/engine/release-notes/#20106>. bsc#1184768
- Update to Docker 20.10.5-ce. See upstream changelog online at
  <https://docs.docker.com/engine/release-notes/#20105>. bsc#1182947
dracut
- Update to version 049.1+suse.234.g902e489c:
  * fix(dracut-install): copy files preserving ownership attributes (bsc#1197967)
- Update to version 049.1+suse.232.g2ccee559:
  * fix(dracut-systemd): do not require vconsole-setup.service (bsc#1195508)
  * fix(dracut-functions.sh): ip route parsing (bsc#1195011)
- Update to version 049.1+suse.228.g07676562:
  * fix(network): consistent use of "/$gw"/ for gateway (bsc#1192685)
  * fix(install): handle builtin modules (bsc#1194716)
e2fsprogs
- libext2fs-add-sanity-check-to-extent-manipulation.patch: libext2fs: add
  sanity check to extent manipulation (bsc#1198446 CVE-2022-1304)
- libss-add-newer-libreadline.so.7-to-dlopen-path.patch: libss: Add support
  for libreadline.so.7 for Leap 15.3 (bsc#1196939)
expat
- Security fixes:
  * (CVE-2022-25236, bsc#1196784) [>=2.4.5] Fix to CVE-2022-25236
    breaks biboumi, ClairMeta, jxmlease, libwbxml,
    openleadr-python, rnv, xmltodict
  - Added expat-CVE-2022-25236-relax-fix.patch
- Security fixes:
  * (CVE-2022-25236, bsc#1196025) Expat before 2.4.5 allows
    attackers to insert namespace-separator characters into
    namespace URIs
  - Added expat-CVE-2022-25236.patch
  * (CVE-2022-25235, bsc#1196026) xmltok_impl.c in Expat before
    2.4.5 does not check whether a UTF-8 character is valid in a
    certain context.
  - Added expat-CVE-2022-25235.patch
  * (CVE-2022-25313, bsc#1196168) Stack exhaustion in
    build_model() via uncontrolled recursion
  - Added expat-CVE-2022-25313.patch
  - The fix upstream introduced a regression that was later
    amended in 2.4.6 version
    + Added expat-CVE-2022-25313-fix-regression.patch
  * (CVE-2022-25314, bsc#1196169) Integer overflow in copyString
  - Added expat-CVE-2022-25314.patch
  * (CVE-2022-25315, bsc#1196171) Integer overflow in storeRawNames
  - Added expat-CVE-2022-25315.patch
- Security fix (CVE-2022-23852, bsc#1195054)
  * Expat (aka libexpat) before 2.4.4 has a signed integer overflow
    in XML_GetBuffer, for configurations with a nonzero
    XML_CONTEXT_BYTES
  * Add tests for CVE-2022-23852.
  * Added expat-CVE-2022-23852.patch
- Security fix (CVE-2022-23990, bsc#1195217)
  * Fix unsigned integer overflow in function doProlog triggered
    by large content in element type declarations when there is
    an element declaration handler present (from a prior call to
    XML_SetElementDeclHandler).
  * Add expat-CVE-2022-23990.patch
  * Added expat-CVE-2022-22827.patch
fence-agents
- fence-agents-4.9.0+git.1624456340.8d746be9-150300.3.8.1 broken in
  GCP due to missing "/--zone"/ parameter (bsc#1198872)
  - Apply proposed patch
    0001-fence_gce-Make-zone-optional-for-get_nodes_list-487.patch
- (bsc#1196350) fence_gce updates pull from Clusterlabs repo
  - Apply proposed upstream patch
    0001-fence_gce-Add-timeouts-and-failure-options-458.patch
filesystem
- Add /lib/modprobe.d (bsc#1196275, jsc#SLE-20639)
fribidi
- Add fribidi-CVE-2022-25308.patch: fix a stack overflow (boo#1196147
  CVE-2022-25308).
- Add fribidi-CVE-2022-25309.patch: protect against garbage in the
  CapRTL encoder (boo#1196148 CVE-2022-25309).
- Add fribidi-CVE-2022-25310.patch: fix a SEGV in
  fribidi_remove_bidi_marks (boo#1196150 CVE-2022-25310).
gcc11
- Update to the GCC 11.3.0 release.
  * includes SLS hardening backport on x86_64.  [bsc#1195283]
- Update to gcc-11 branch head (691af15031e00227ba6d5935c), git1635
  * includes gcc11-pr104931.patch
  * includes fix for Firefox ICE  [gcc#105256]
- Add provides/conflicts to glibc crosses since only one GCC version
  for the same target can be installed at the same time.
- Add provides/conflicts to libgccjit.
- Update to gcc-11 branch head (6a1150d1524aeda3381b21717), git1406
  * includes change to adjust gnats idea of the target, fixing
    the build of gprbuild.  [bsc#1196861]
- Add gcc11-pr104931.patch to fix miscompile of embedded premake
  in 0ad on i586.  [bsc#1197065]
- drop armv5tel, merge arm and armv6hl
- use --with-cpu rather than specifying --with-arch/--with-tune
- Add a list of Obsoletes to libstdc++6-pp-gcc11 so updates from
  packages provided by older GCC work.  Add a requires from that
  package to the corresponding libstc++6 package to keep those
  at the same version.  [bsc#1196107]
- Add gcc11-PIE, similar to gcc-PIE but affecting gcc11 [bsc#1195628]
- Put libstdc++6-pp Requires on the shared library and drop
  to Recoomends.
- Remove sys/rseq.h from include-fixed
- Update to gcc-11 branch head (d4a1d3c4b377f1d4acb), git1173
  * Fix D memory corruption in -M output.
  * Fix ICE in is_this_parameter with coroutines.  [boo#1193659]
- Enable the cross compilers also on i586
- Enable some cross compilers also in rings
- Remove cross compilers for i386 target
- Update to gcc-11 branch head (7510c23c1ec53aa4a62705f03), git1018
  * fixes issue with debug dumping together with -o /dev/null
  * fixes libgccjit issue showing up in emacs build  [boo#1192951]
- Package mwaitintrin.h
- Remove spurious exit from change_spec.
- Enable the full cross compiler, cross-aarch64-gcc11 and
  cross-riscv64-gcc11 now provide a fully hosted C (and C++)
  cross compiler, not just a freestanding one.  I.e. with a cross
  glibc.  They don't yet support the sanitizer libraries.
  Part of [jsc#OBS-124].
glib2
- Add glib2-CVE-2021-28153.patch: fix CREATE_REPLACE_DESTINATION
  with symlinks (boo#1183533 glgo#GNOME/glib#2325 CVE-2021-28153).
glibc
- pthread-rwlock-trylock-stalls.patch: nptl: Fix pthread_rwlock_try*lock
  stalls (bsc#1195560, BZ #23844)
- clnt-create-unix-overflow.patch: Buffer overflow in sunrpc clnt_create
  for "/unix"/ (CVE-2022-23219, bsc#1194768, BZ #22542)
- svcunix-create-overflow.patch: Buffer overflow in sunrpc svcunix_create
  (CVE-2022-23218, bsc#1194770, BZ #28768)
- getcwd-erange.patch: getcwd: Set errno to ERANGE for size == 1
  (CVE-2021-3999, bsc#1194640, BZ #28769)
- pop-fail-stack.patch: Assertion failure in pop_fail_stack when executing
  a malformed regexp (CVE-2015-8985, bsc#1193625, BZ #21163)
gnutls
- Security fix: [bsc#1196167, CVE-2021-4209]
  * Null pointer dereference in MD_UPDATE
  * Add gnutls-CVE-2021-4209.patch
grep
- Make profiling deterministic (bsc#1040589, SLE-24115)
grub2
- Security fixes and hardenings for boothole 3 / boothole 2022 (bsc#1198581)
  * 0001-video-Remove-trailing-whitespaces.patch
  * 0002-video-readers-jpeg-Test-for-an-invalid-next-marker-r.patch
  * 0003-video-readers-jpeg-Catch-files-with-unsupported-quan.patch
  * 0004-video-readers-jpeg-Catch-OOB-reads-writes-in-grub_jp.patch
  * 0005-video-readers-jpeg-Don-t-decode-data-before-start-of.patch
  * 0006-misc-Format-string-for-grub_error-should-be-a-litera.patch
  * 0007-loader-efi-chainloader-Simplify-the-loader-state.patch
  * 0008-commands-boot-Add-API-to-pass-context-to-loader.patch
- Fix CVE-2022-28736 (bsc#1198496)
  * 0009-loader-efi-chainloader-Use-grub_loader_set_ex.patch
- Fix CVE-2022-28735 (bsc#1198495)
  * 0010-kern-efi-sb-Reject-non-kernel-files-in-the-shim_lock.patch
  * 0011-kern-file-Do-not-leak-device_name-on-error-in-grub_f.patch
  * 0012-video-readers-png-Abort-sooner-if-a-read-operation-f.patch
  * 0013-video-readers-png-Refuse-to-handle-multiple-image-he.patch
- Fix CVE-2021-3695 (bsc#1191184)
  * 0014-video-readers-png-Drop-greyscale-support-to-fix-heap.patch
- Fix CVE-2021-3696 (bsc#1191185)
  * 0015-video-readers-png-Avoid-heap-OOB-R-W-inserting-huff-.patch
  * 0016-video-readers-png-Sanity-check-some-huffman-codes.patch
  * 0017-video-readers-jpeg-Abort-sooner-if-a-read-operation-.patch
  * 0018-video-readers-jpeg-Do-not-reallocate-a-given-huff-ta.patch
  * 0019-video-readers-jpeg-Refuse-to-handle-multiple-start-o.patch
- Fix CVE-2021-3697 (bsc#1191186)
  * 0020-video-readers-jpeg-Block-int-underflow-wild-pointer-.patch
  * 0021-normal-charset-Fix-array-out-of-bounds-formatting-un.patch
- Fix CVE-2022-28733 (bsc#1198460)
  * 0022-net-ip-Do-IP-fragment-maths-safely.patch
  * 0023-net-netbuff-Block-overly-large-netbuff-allocs.patch
  * 0024-net-dns-Fix-double-free-addresses-on-corrupt-DNS-res.patch
  * 0025-net-dns-Don-t-read-past-the-end-of-the-string-we-re-.patch
  * 0026-net-tftp-Prevent-a-UAF-and-double-free-from-a-failed.patch
  * 0027-net-tftp-Avoid-a-trivial-UAF.patch
  * 0028-net-http-Do-not-tear-down-socket-if-it-s-already-bee.patch
- Fix CVE-2022-28734 (bsc#1198493)
  * 0029-net-http-Fix-OOB-write-for-split-http-headers.patch
- Fix CVE-2022-28734 (bsc#1198493)
  * 0030-net-http-Error-out-on-headers-with-LF-without-CR.patch
  * 0031-fs-f2fs-Do-not-read-past-the-end-of-nat-journal-entr.patch
  * 0032-fs-f2fs-Do-not-read-past-the-end-of-nat-bitmap.patch
  * 0033-fs-f2fs-Do-not-copy-file-names-that-are-too-long.patch
  * 0034-fs-btrfs-Fix-several-fuzz-issues-with-invalid-dir-it.patch
  * 0035-fs-btrfs-Fix-more-ASAN-and-SEGV-issues-found-with-fu.patch
  * 0036-fs-btrfs-Fix-more-fuzz-issues-related-to-chunks.patch
  * 0037-Use-grub_loader_set_ex-for-secureboot-chainloader.patch
- Update SBAT security contact (boo#1193282)
- Bump grub's SBAT generation to 2
- Use boot disks in OpenFirmware, fixing regression caused by
  0001-ieee1275-implement-FCP-methods-for-WWPN-and-LUNs.patch, when
  the root LV is completely in the boot LUN (bsc#1197948)
  * 0001-ofdisk-improve-boot-time-by-lookup-boot-disk-first.patch
- Fix grub-install error when efi system partition is created as mdadm software
  raid1 device (bsc#1179981) (bsc#1195204)
  * 0001-install-fix-software-raid1-on-esp.patch
- Fix error in grub-install when linux root device is on lvm thin volume
  (bsc#1192622) (bsc#1191974)
  * 0001-grub-install-bailout-root-device-probing.patch
- Fix error not a btrfs filesystem on s390x (bsc#1187645)
  * 80_suse_btrfs_snapshot
- Add support for simplefb (boo#1193532).
  * grub2-simplefb.patch
gzip
- Add support to zstd in zgrep, fixes bsc#1198922
  * xz_lzma.patch -> xz_lzma_zstd.patch
- Fix escaping of malicious filenames (CVE-2022-1271 bsc#1198062)
  * bsc1198062.patch
  * bsc1198062-2.patch
icewm
- Add icewm-build-with-glib2-ver-gt-2.67.3.patch:
  A later glib2 update will cause icewm failed to build by including
  gdk-pixbuf-xlib with extern "/C"/ annotation:
  https://gitlab.gnome.org/GNOME/glib/-/commit/51003d409bb4b6c9a8540f70b92f8045abc4f0c9?merge_request_iid=1715
  The patch aims to remove the annotation caused the issue
  (bsc#1197729).
icewm-theme-branding
- Add fix-font-configuration.patch:
  Fix font configuration after google-droid-fonts update
  (boo#1195328 bsc#1196336)
java-1_8_0-ibm
- Update to Java 8.0 Service Refresh 7 Fix Pack 5 [bsc#1197126]
  * https://www.ibm.com/support/pages/java-sdk-security-vulnerabilities
    [bsc#1194927, CVE-2022-21366] [bsc#1194928, CVE-2022-21365]
    [bsc#1194929, CVE-2022-21360] [bsc#1196500, CVE-2022-21349]
    [bsc#1194941, CVE-2022-21341] [bsc#1194940, CVE-2022-21340]
    [bsc#1194939, CVE-2022-21305] [bsc#1194930, CVE-2022-21277]
    [bsc#1194931, CVE-2022-21299] [bsc#1194932, CVE-2022-21296]
    [bsc#1194933, CVE-2022-21282] [bsc#1194934, CVE-2022-21294]
    [bsc#1194935, CVE-2022-21293] [bsc#1194925, CVE-2022-21291]
    [bsc#1194937, CVE-2022-21283] [bsc#1194926, CVE-2022-21248]
    [CVE-2022-21271]
- Fix a javaws broken symlink [bsc#1195146]
kernel-default
- x86/kexec: Disable RET on kexec (bsc#1199657 CVE-2022-29900
  CVE-2022-29901).
- commit 307fbca
- x86/bugs: Do not enable IBPB-on-entry when IBPB is not supported
  (bsc#1199657 CVE-2022-29900 CVE-2022-29901).
- commit 1765272
- x86/cpu/amd: Enumerate BTC_NO (bsc#1199657 CVE-2022-29900
  CVE-2022-29901).
- commit d929744
- x86/common: Stamp out the stepping madness (bsc#1199657
  CVE-2022-29900 CVE-2022-29901).
- commit 2c755e4
- KVM: VMX: Prevent RSB underflow before vmenter (bsc#1199657
  CVE-2022-29900 CVE-2022-29901).
- commit 9a79f2f
- x86/speculation: Fill RSB on vmexit for IBRS (bsc#1199657
  CVE-2022-29900 CVE-2022-29901).
- commit 0b69b8a
- KVM: VMX: Fix IBRS handling after vmexit (bsc#1199657
  CVE-2022-29900 CVE-2022-29901).
- commit 07ac9e9
- KVM: VMX: Prevent guest RSB poisoning attacks with eIBRS
  (bsc#1199657 CVE-2022-29900 CVE-2022-29901).
- commit 1e6246d
- KVM: VMX: Convert launched argument to flags (bsc#1199657
  CVE-2022-29900 CVE-2022-29901).
- commit c6cb889
- KVM: VMX: Flatten __vmx_vcpu_run() (bsc#1199657 CVE-2022-29900
  CVE-2022-29901).
- commit 7be7aa8
- KVM/nVMX: Use __vmx_vcpu_run in nested_vmx_check_vmentry_hw
  (bsc#1199657 CVE-2022-29900 CVE-2022-29901).
- commit fa67a49
- x86/speculation: Remove x86_spec_ctrl_mask (bsc#1199657
  CVE-2022-29900 CVE-2022-29901).
- commit 65ae6ff
- x86/speculation: Use cached host SPEC_CTRL value for guest
  entry/exit (bsc#1199657 CVE-2022-29900 CVE-2022-29901).
- commit f9804f2
- x86/speculation: Fix SPEC_CTRL write on SMT state change
  (bsc#1199657 CVE-2022-29900 CVE-2022-29901).
- commit 5f2a343
- x86/speculation: Fix firmware entry SPEC_CTRL handling
  (bsc#1199657 CVE-2022-29900 CVE-2022-29901).
- commit f2239f3
- x86/cpu/amd: Add Spectral Chicken (bsc#1199657 CVE-2022-29900
  CVE-2022-29901).
- commit 947cd5f
- x86/bugs: Do IBPB fallback check only once (bsc#1199657
  CVE-2022-29900 CVE-2022-29901).
- commit 1a61b75
- x86/bugs: Add retbleed=ibpb (bsc#1199657 CVE-2022-29900
  CVE-2022-29901).
- commit 0cc24ff
- x86/xen: Rename SYS* entry points (bsc#1199657 CVE-2022-29900
  CVE-2022-29901).
- commit 006e283
- intel_idle: Disable IBRS during long idle (bsc#1199657
  CVE-2022-29900 CVE-2022-29901).
- commit be76ad2
- x86/bugs: Report Intel retbleed vulnerability (bsc#1199657
  CVE-2022-29900 CVE-2022-29901).
- commit f305bb6
- x86/bugs: Split spectre_v2_select_mitigation() and
  spectre_v2_user_select_mitigation() (bsc#1199657 CVE-2022-29900
  CVE-2022-29901).
- commit ea9c198
- x86/speculation: Add spectre_v2=ibrs option to support Kernel
  IBRS (bsc#1199657 CVE-2022-29900 CVE-2022-29901).
- commit f446cce
- x86/bugs: Optimize SPEC_CTRL MSR writes (bsc#1199657
  CVE-2022-29900 CVE-2022-29901).
- commit c6d4bce
- x86/entry: Add kernel IBRS implementation (bsc#1199657
  CVE-2022-29900 CVE-2022-29901).
- commit 177b58c
- x86/bugs: Keep a per-CPU IA32_SPEC_CTRL value (bsc#1199657
  CVE-2022-29900 CVE-2022-29901).
- commit 09deb3c
- x86/bugs: Enable STIBP for JMP2RET (bsc#1199657 CVE-2022-29900
  CVE-2022-29901).
- commit f81a4dd
- x86/bugs: Add AMD retbleed= boot parameter (bsc#1199657
  CVE-2022-29900 CVE-2022-29901).
- Update config files.
- commit d01bb91
- x86/bugs: Report AMD retbleed vulnerability (bsc#1199657
  CVE-2022-29900 CVE-2022-29901).
- commit 0f3415d
- x86: Add magic AMD return-thunk (bsc#1199657 CVE-2022-29900
  CVE-2022-29901).
- commit c07f56b
- x86: Use return-thunk in asm code (bsc#1199657 CVE-2022-29900
  CVE-2022-29901).
- commit ca39a43
- x86/sev: Avoid using __x86_return_thunk (bsc#1199657
  CVE-2022-29900 CVE-2022-29901).
- commit 10587ca
- x86/vsyscall_emu/64: Don't use RET in vsyscall emulation
  (bsc#1199657 CVE-2022-29900 CVE-2022-29901).
- commit 5767b0f
- x86/kvm: Fix SETcc emulation for return thunks (bsc#1199657
  CVE-2022-29900 CVE-2022-29901).
- commit 720497e
- x86/bpf: Use alternative RET encoding (bsc#1199657
  CVE-2022-29900 CVE-2022-29901).
- commit 2b357b7
- x86: Undo return-thunk damage (bsc#1199657 CVE-2022-29900
  CVE-2022-29901).
- commit 83262bf
- x86/retpoline: Use -mfunction-return (bsc#1199657 CVE-2022-29900
  CVE-2022-29901).
- commit 15c2b41
- x86/cpufeatures: Move RETPOLINE flags to word 11 (bsc#1199657
  CVE-2022-29900 CVE-2022-29901).
- commit 115e0f2
- crypto: x86/poly1305 - Fixup SLS (bsc#1201050 CVE-2021-26341).
- commit 2d201f6
- x86: Add straight-line-speculation mitigation (bsc#1201050
  CVE-2021-26341).
- Update config files.
- Refresh
  patches.suse/x86-speculation-rename-retpoline_amd-to-retpoline_lfence.patch.
- commit 928abdb
- x86: Prepare inline-asm for straight-line-speculation
  (bsc#1201050 CVE-2021-26341).
- commit 5a87fe7
- x86: Prepare asm files for straight-line-speculation
  (bsc#1201050 CVE-2021-26341).
- commit cbb5495
- x86/lib/atomic64_386_32: Rename things (bsc#1201050
  CVE-2021-26341).
- commit 2201ded
- x86: Use -mindirect-branch-cs-prefix for RETPOLINE builds
  (bsc#1201050 CVE-2021-26341).
- commit beba436
- bcache: avoid unnecessary soft lockup in kworker
  update_writeback_rate() (bsc#1197362).
- commit 23f1946
- sctp: handle kABI change in struct sctp_endpoint (CVE-2022-20154
  bsc#1200599).
- commit b1e8eec
- sctp: use call_rcu to free endpoint (CVE-2022-20154
  bsc#1200599).
- commit 44ec44b
- vmxnet3: fix minimum vectors alloc issue (bsc#1199489).
- commit e96d754
- blk-mq: clear active_queues before clearing
  BLK_MQ_F_TAG_QUEUE_SHARED (bsc#1200263).
- commit d497e61
- rpm/check-for-config-changes: ignore GCC12/CC_NO_ARRAY_BOUNDS
  Upstream commit f0be87c42cbd (gcc-12: disable '-Warray-bounds'
  universally for now) added two new compiler-dependent configs:
  * CC_NO_ARRAY_BOUNDS
  * GCC12_NO_ARRAY_BOUNDS
  Ignore them -- they are unset by dummy tools (they depend on gcc version
  == 12), but set as needed during real compilation.
- commit a14607c
- ath9k: fix use-after-free in ath9k_hif_usb_rx_cb (CVE-2022-1679
  bsc#1199487).
- commit 1ae14c9
- Update patches.suse/pNFS-flexfiles-fix-incorrect-size-check-in-decode_nf.patch
  (git-fixes CVE-2021-4157 bnc#1194013).
- commit fccebe3
- exec: Force single empty string when argv is empty
  (bsc#1200571).
- commit dffa04e
- HID: add USB_HID dependancy to hid-prodikeys (CVE-2022-20132
  bsc#1200619).
- HID: add USB_HID dependancy to hid-chicony (CVE-2022-20132
  bsc#1200619).
- HID: bigbenff: prevent null pointer dereference (CVE-2022-20132
  bsc#1200619).
- HID: add USB_HID dependancy on some USB HID drivers
  (CVE-2022-20132 bsc#1200619).
- commit f2f08be
- HID: holtek: fix mouse probing (CVE-2022-20132 bsc#1200619).
- commit f8ff78e
- HID: check for valid USB device for many HID drivers
  (CVE-2022-20132 bsc#1200619).
- HID: add hid_is_usb() function to make it simpler for USB
  detection (CVE-2022-20132 bsc#1200619).
- commit 3fe30db
- igmp: Add ip_mc_list lock in ip_check_mc_rcu (bsc#1200604
  CVE-2022-20141).
- commit 34bf464
- kernel-binary.spec: check s390x vmlinux location
  As a side effect of mainline commit edd4a8667355 ("/s390/boot: get rid of
  startup archive"/), vmlinux on s390x moved from "/compressed"/ subdirectory
  directly into arch/s390/boot. As the specfile is shared among branches,
  check both locations and let objcopy use one that exists.
- commit cd15543
- Add missing recommends of kernel-install-tools to kernel-source-vanilla (bsc#1200442)
- commit 93b1375
- blk-mq: Fix wrong wakeup batch configuration which will cause
  hang (bsc#1200263).
- commit 94fe3d6
- blk-mq: fix tag_get wait task can't be awakened (bsc#1200263).
- commit 6b5ea17
- floppy: disable FDRAWCMD by default (bsc#1198866 CVE-2022-1836).
- Update config files.
- commit f9d0532
- add mainline tag for a pci-hyperv change
- commit 32deed8
- netfilter: nf_tables: disallow non-stateful expression in sets
  earlier (CVE-2022-1966 bsc#1200015).
- commit 41de480
- btrfs: tree-checker: fix incorrect printk format (bsc#1200249).
- commit 9d94c81
- NFC: netlink: fix sleep in atomic bug when firmware download
  timeout (CVE-2022-1975 bsc#1200143).
- commit bcae1e0
- nfc: replace improper check device_is_registered() in netlink
  related functions (CVE-2022-1974 bsc#1200144).
- Refresh
  patches.suse/NFC-SUSE-specific-brutal-fix-for-runtime-PM.patch.
- commit 8ab4a08
- certs: Add EFI_CERT_X509_GUID support for dbx entries
  (bsc#1177282 CVE-2020-26541).
- Update config files.
- commit 6bf28b7
- Refresh
  patches.suse/lockdown-also-lock-down-previous-kgdb-use.patch.
  In this case, we can not simply use __GENKSYMS__ to wrap new
  LOCKDOWN_DBG_WRITE/READ_KERNEL fields in enum lockdown_reason
  struct. So let's remove __GENKSYMS__ and add a kabi workaround
  patch. (bsc#1199426 CVE-2022-21499)
- commit 88eddb5
- lockdown: kABI workaround for lockdown_reason changes
  (bsc#1199426, CVE-2022-21499).
- commit fe7a29a
- btrfs: extent-tree: kill the BUG_ON() in
  insert_inline_extent_backref() (CVE-2019-19377 bsc#1158266).
- commit 31a8792
- btrfs: extent-tree: kill BUG_ON() in  __btrfs_free_extent()
  (CVE-2019-19377 bsc#1158266).
- commit 75b17c1
- sched/rt: Disable RT_RUNTIME_SHARE by default (bnc#1197895).
- commit b949091
- KVM: x86/speculation: Disable Fill buffer clear within guests (bsc#1199650 CVE-2022-21166 CVE-2022-21127 CVE-2022-21123 CVE-2022-21125 CVE-2022-21180).
- commit 5a5e587
- lockdown: also lock down previous kgdb use (bsc#1199426
  CVE-2022-21499).
- commit 090b59e
- kernel-binary.spec: Support radio selection for debuginfo.
  To disable debuginfo on 5.18 kernel a radio selection needs to be
  switched to a different selection. This requires disabling the currently
  active option and selecting NONE as debuginfo type.
- commit 43b5dd3
- perf: Fix sys_perf_event_open() race against self
  (CVE-2022-1729, bsc#1199507).
- commit feaf8f1
- x86/speculation/mmio: Reuse SRBDS mitigation for SBDS (bsc#1199650 CVE-2022-21166 CVE-2022-21127 CVE-2022-21123 CVE-2022-21125 CVE-2022-21180).
- commit 26884d9
- ext4: avoid cycles in directory h-tree (bsc#1198577
  CVE-2022-1184).
- commit b98a7a0
- ext4: verify dir block before splitting it (bsc#1198577
  CVE-2022-1184).
- commit 1b10a51
- x86/speculation/srbds: Update SRBDS mitigation selection (bsc#1199650 CVE-2022-21166 CVE-2022-21127 CVE-2022-21123 CVE-2022-21125 CVE-2022-21180).
- commit d537aef
- x86/speculation/mmio: Add sysfs reporting for Processor MMIO Stale Data (bsc#1199650 CVE-2022-21166 CVE-2022-21127 CVE-2022-21123 CVE-2022-21125 CVE-2022-21180).
- commit b3703f5
- x86/speculation/mmio: Enable CPU Fill buffer clearing on idle (bsc#1199650 CVE-2022-21166 CVE-2022-21127 CVE-2022-21123 CVE-2022-21125 CVE-2022-21180).
- commit 66ff392
- x86/bugs: Group MDS, TAA & Processor MMIO Stale Data mitigations (bsc#1199650 CVE-2022-21166 CVE-2022-21127 CVE-2022-21123 CVE-2022-21125 CVE-2022-21180).
- commit 155be7c
- x86/speculation/mmio: Add mitigation for Processor MMIO Stale Data (bsc#1199650 CVE-2022-21166 CVE-2022-21127 CVE-2022-21123 CVE-2022-21125 CVE-2022-21180).
- commit f3a7e3f
- x86/speculation: Add a common function for MD_CLEAR mitigation update (bsc#1199650 CVE-2022-21166 CVE-2022-21127 CVE-2022-21123 CVE-2022-21125 CVE-2022-21180).
- commit a863a71
- x86/speculation/mmio: Enumerate Processor MMIO Stale Data bug (bsc#1199650 CVE-2022-21166 CVE-2022-21127 CVE-2022-21123 CVE-2022-21125 CVE-2022-21180).
- commit 70a86e2
- ping: fix the sk_bound_dev_if match in ping_lookup
  (bsc#1199918).
- commit 6a58950
- kABI: Fix kABI after CVE-2022-0171 backport (CVE-2022-0171
  bsc#1199509).
- commit da4b250
- KVM: SEV: add cache flush to solve SEV cache incoherency issues
  (CVE-2022-0171 bsc#1199509).
- commit b851a8d
- ping: remove pr_err from ping_lookup (bsc#1199918).
- commit db3c60d
- patches.suse/ping-fix-the-dif-and-sdif-check-in-ping_lookup.patch:
  (bsc#1199918).
- commit f3f3a96
- floppy: use a statically allocated error counter (bsc#1199063
  CVE-2022-1652).
- commit 3cde83e
- nfc: nfcmrvl: main: reorder destructive operations in
  nfcmrvl_nci_unregister_dev to avoid bugs (CVE-2022-1734
  bsc#1199605 git-fixes).
- commit 4841312
- NFS: limit use of ACCESS cache for negative responses
  (bsc#1196570).
- Refresh
  patches.kabi/NFS-pass-cred-explicitly-for-access-tests.patch.
- commit d1ca538
- Update
  patches.suse/sctp-delay-auto_asconf-init-until-binding-the-first-.patch
  headers (CVE-2021-23133 bsc#1184675).
  Remove unwanted patch headers which have hidden intended CVE and bugzilla
  references (shown above) when the patch was added. The primary purpose of
  this commit is to get the CVE/bugzilla references to git and rpm changelog.
- commit 33c2a2f
- Fix build warning
  Refreshed:
  patches.suse/PCI-hv-Do-not-set-PCI_COMMAND_MEMORY-to-reduce-VM-bo.patch
- commit ba12cc4
- ptrace: Check PTRACE_O_SUSPEND_SECCOMP permission on
  PTRACE_SEIZE (CVE-2022-30594 bsc#1199505 bsc#1198413).
- commit fd4d93d
- NFSv4: nfs_atomic_open() can race when looking up a non-regular
  file (bsc#1195612 CVE-2022-24448).
- commit db3a8ef
- PCI: hv: Do not set PCI_COMMAND_MEMORY to reduce VM boot time (bsc#1199314).
- commit bdb23bb
- series.conf: cleanup
  - Move submitted patch to "/sorted"/ section
    patches.suse/0001-SUNRPC-change-locking-for-xs_swap_enable-disable.patch
- commit cacd83b
- cifs: fix NULL ptr dereference in smb2_ioctl_query_info()
  (CVE-2022-0168 bsc#1197472).
- commit 5256a40
- cifs: prevent bad output lengths in smb2_ioctl_query_info()
  (CVE-2022-0168 bsc#1197472).
- commit 3989909
- rpm/kernel-obs-build.spec.in: Also depend on dracut-systemd (bsc#1195775)
- commit 5d4e32c
- ixgbevf: add disable link state (bsc#1196426 CVE-2021-33061).
- ixgbe: add improvement for MDD response functionality
  (bsc#1196426 CVE-2021-33061).
- ixgbe: add the ability for the PF to disable VF link state
  (bsc#1196426 CVE-2021-33061).
- commit c5d1777
- net: mana: Remove unnecessary check of cqe_type in
  mana_process_rx_cqe() (bsc#1195651).
- net: mana: Add handling of CQE_RX_TRUNCATED (bsc#1195651).
- net: mana: Reuse XDP dropped page (bsc#1195651).
- net: mana: Add counter for XDP_TX (bsc#1195651).
- net: mana: Add counter for packet dropped by XDP (bsc#1195651).
- net: mana: Use struct_size() helper in
  mana_gd_create_dma_region() (bsc#1195651).
- commit 9f064ea
- net/x25: Fix null-ptr-deref caused by x25_disconnect
  (CVE-2022-1516 bsc#1199012).
- commit bd2f1ec
- net: ena: Extract recurring driver reset code into a function
  (bsc#1198778).
- net: ena: Change the name of bad_csum variable (bsc#1198778).
- net: ena: Add debug prints for invalid req_id resets
  (bsc#1198778).
- net: ena: Remove ena_calc_queue_size_ctx struct (bsc#1198778).
- net: ena: Move reset completion print to the reset function
  (bsc#1198778).
- net: ena: Remove redundant return code check (bsc#1198778).
- net: ena: Change ENI stats support check to use capabilities
  field (bsc#1198778).
- net: ena: Add capabilities field with support for ENI stats
  capability (bsc#1198778).
- net: ena: Change return value of ena_calc_io_queue_size()
  to void (bsc#1198778).
- net: ena: Fix error handling when calculating max IO queues
  number (bsc#1198778).
- net: ena: Fix wrong rx request id by resetting device
  (bsc#1198778).
- net: ena: Fix undefined state when tx request id is out of
  bounds (bsc#1198778).
- ena: Remove rcu_read_lock() around XDP program invocation
  (bsc#1198778).
- net: ena: make symbol 'ena_alloc_map_page' static (bsc#1198778).
- net: ena: re-organize code to improve readability (bsc#1198778).
- net: ena: Use dev_alloc() in RX buffer allocation (bsc#1198778).
- net: ena: aggregate doorbell common operations into a function
  (bsc#1198778).
- net: ena: Remove module param and change message severity
  (bsc#1198778).
- net: ena: add jiffies of last napi call to stats (bsc#1198778).
- net: ena: use build_skb() in RX path (bsc#1198778).
- net: ena: Improve error logging in driver (bsc#1198778).
- net: ena: Remove unused code (bsc#1198778).
- net: ena: optimize data access in fast-path code (bsc#1198778).
- net: ena: fix DMA mapping function issues in XDP (bsc#1198778).
- net: ena: remove extra words from comments (bsc#1198778).
- net: ena: fix inaccurate print type (bsc#1198778).
- ethernet: amazon: ena: A typo fix in the file ena_com.h
  (bsc#1198778).
- net: ena: Update XDP verdict upon failure (bsc#1198778).
- net: ena: introduce ndo_xdp_xmit() function for XDP_REDIRECT
  (bsc#1198778).
- net: ena: use xdp_return_frame() to free xdp frames
  (bsc#1198778).
- net: ena: introduce XDP redirect implementation (bsc#1198778).
- net: ena: use xdp_frame in XDP TX flow (bsc#1198778).
- net: ena: aggregate stats increase into a function
  (bsc#1198778).
- net: ena: fix coding style nits (bsc#1198778).
- net: ena: store values in their appropriate variables types
  (bsc#1198778).
- net: ena: add device distinct log prefix to files (bsc#1198778).
- net: ena: use constant value for net_device allocation
  (bsc#1198778).
- commit f2320f9
- ovl: fix missing negative dentry check in ovl_rename()
  (CVE-2021-20321 bsc#1191647).
- commit 14422d8
- SUNRPC: change locking for xs_swap_enable/disable (bsc#1196367).
- commit 8562a15
- scsi: scsi_dh_alua: Avoid crash during alua_bus_detach()
  (bsc#1028340 bsc#1198825).
- commit f04215d
- pahole 1.22 required for full BTF features.
  also recommend pahole for kernel-source to make the kernel buildable
  with standard config
- commit 364f54b
- Update
  patches.suse/net-usb-ax88179_178a-Fix-out-of-bounds-accesses-in-R.patch
  (bsc#1196018 CVE-2022-28748).
  added CVE number
- commit dfbe27e
- use jobs not processors in the constraints
  jobs is the number of vcpus available to the build, while processors
  is the total processor count of the machine the VM is running on.
- commit a6e141d
- Update patch reference for drm fix (CVE-2022-1419 bsc#1198742)
- commit 5c0501b
- KVM: x86/mmu: do compare-and-exchange of gPTE via the user address (CVE-2022-1158 bsc#1197660).
- commit 0581a66
- powerpc/pseries: Fix use after free in remove_phb_dynamic()
  (bsc#1065729 bsc#1198660 ltc#197803).
- commit 4723baf
- af_key: add __GFP_ZERO flag for compose_sadb_supported in
  function pfkey_register (CVE-2022-1353 bsc#1198516).
- commit 981f1ec
- SUNRPC: Ensure we flush any closed sockets before
  xs_xprt_free() (bsc#1198330 CVE-2022-28893).
- commit f607730
- Update patches.suse/cgroup-verify-that-source-is-a-string.patch
  (bsc#1190131 bsc#1193842 CVE-2021-4154).
- commit 0f6b5cd
- Update patch references of drm fixes (CVE-2022-1280 bsc#1197914)
- commit c917eda
- Update patch reference for DRM fix (CVE-2021-20292 bsc#1183723)
- commit f6cdff5
- fuse: handle kABI change in struct fuse_req (bsc#1197343
  CVE-2022-1011).
- fuse: fix pipe buffer lifetime for direct_io (bsc#1197343
  CVE-2022-1011).
- commit 5920a58
- Update patch reference for NFS/RDMA fix (CVE-2022-0812 bsc#1196639)
- commit 7e276c6
- livepatch: Don't block removal of patches that are safe to
  unload (bsc#1071995).
- commit 768b9d1
- x86/speculation: Restore speculation related MSRs during S3
  resume (bsc#1198400).
- commit aece496
- x86/pm: Save the MSR validity status at context setup
  (bsc#1198400).
- commit 2364cfa
- direct-io: defer alignment check until after the EOF check
  (bsc#1197656).
- commit 90d08aa
- direct-io: don't force writeback for reads beyond EOF
  (bsc#1197656).
- commit f8a2691
- direct-io: clean up error paths of do_blockdev_direct_IO
  (bsc#1197656).
- commit 4781e89
- Update
  patches.suse/llc-fix-netdevice-reference-leaks-in-llc_ui_bind.patch
  references (add CVE-2022-28356 bsc#1197391).
- commit bf5ad66
- cifs: fix bad fids sent over wire (bsc#1197157).
- commit 3e7e3c4
- drm: drm_file struct kABI compatibility workaround
  (bsc#1197914).
- commit dd24982
- drm: use the lookup lock in drm_is_current_master (bsc#1197914).
- drm: protect drm_master pointers in drm_lease.c (bsc#1197914).
- drm: serialize drm_file.master with a new spinlock
  (bsc#1197914).
- drm: add a locked version of drm_is_current_master
  (bsc#1197914).
- commit 82a498a
- blacklist.conf: Add reverted/reverting swiotlb change (CVE-2022-0854 bsc#1196823 bsc#1197460)
- commit 8d52c36
- Reinstate some of "/swiotlb: rework "/fix info leak with
  DMA_FROM_DEVICE"/"/ (CVE-2022-0854 bsc#1196823).
- swiotlb: fix info leak with DMA_FROM_DEVICE (CVE-2022-0854
  bsc#1196823).
- commit ff554b5
- netfilter: nf_tables: initialize registers in nft_do_chain()
  (CVE-2022-1016 bsc#1197227).
- commit 7111961
- Delete
  patches.suse/net-tipc-validate-domain-record-count-on-input.patch.
  This was the original work-in-progress patch for CVE-2022-0435 /
  bsc#1195254. Later, a proper backport of mainline commit 9aa422ad3266
  ("/tipc: improve size validations for received domain records"/) was added as
  patches.suse/tipc-improve-size-validations-for-received-domain-re.patch but
  this patch was left in place. As it adds the check a bit later than
  upstream fix, it did not cause a conflict so nobody noticed the duplicity.
- commit ef08708
- llc: fix netdevice reference leaks in llc_ui_bind() (git-fixes).
- commit 2237578
- can: mcba_usb: mcba_usb_start_xmit(): fix double dev_kfree_skb
  in error path (CVE-2022-28389 bsc#1198033).
- can: usb_8dev: usb_8dev_start_xmit(): fix double dev_kfree_skb()
  in error path (CVE-2022-28388 bsc#1198032).
- can: ems_usb: ems_usb_start_xmit(): fix double dev_kfree_skb()
  in error path (CVE-2022-28390 bsc#1198031).
- commit d6e6523
- ALSA: pcm: Fix potential AB/BA lock with buffer_mutex and
  mmap_lock (CVE-2022-1048 bsc#1197331).
- Refresh
  patches.kabi/ALSA-kABI-workaround-for-snd_pcm_runtime-changes.patch.
- commit db7647d
- net: sched: fix use-after-free in tc_new_tfilter()
  (CVE-2022-1055 bsc#1197702).
- commit 4c7dc78
- Add CVE tags to
  patches.suse/ext4-fix-kernel-infoleak-via-ext4_extent_header.patch
  (bsc#1189562 bsc#1196761 CVE-2022-0850).
- commit f3cb08f
- powerpc/mm/numa: skip NUMA_NO_NODE onlining in
  parse_numa_properties() (bsc#1179639 ltc#189002 git-fixes).
- commit 73583c9
- esp: Fix possible buffer overflow in ESP transformation
  (bsc#1197131 CVE-2022-0886 CVE-2022-27666).
- commit 39a5891
- cifs: use the correct max-length for dentry_path_raw()
  (bsc1196196).
- commit 10cddb2
- quota: check block number when reading the block in quota file
  (bsc#1197366 CVE-2021-45868).
- commit a7d4915
- netfilter: conntrack: don't refresh sctp entries in closed state
  (bsc#1197389).
- commit c3afd15
- ALSA: kABI workaround for snd_pcm_runtime changes (CVE-2022-1048
  bsc#1197331).
- commit 12628f8
- ALSA: pcm: Fix races among concurrent prealloc proc writes
  (CVE-2022-1048 bsc#1197331).
- ALSA: pcm: Fix races among concurrent prepare and
  hw_params/hw_free calls (CVE-2022-1048 bsc#1197331).
- ALSA: pcm: Fix races among concurrent read/write and buffer
  changes (CVE-2022-1048 bsc#1197331).
- ALSA: pcm: Fix races among concurrent hw_params and hw_free
  calls (CVE-2022-1048 bsc#1197331).
- commit aee063f
- rpm/constraints.in: skip SLOW_DISK workers for kernel-source
- commit e84694f
- macros.kernel-source: Fix conditional expansion.
  Fixes: bb95fef3cf19 ("/rpm: Use bash for %() expansion (jsc#SLE-18234)."/)
- commit 7e857f7
- rpm: Use bash for %() expansion (jsc#SLE-18234).
  Since 15.4 alternatives for /bin/sh are provided by packages
  <something>-sh. While the interpreter for the build script can be
  selected the interpreter for %() cannot.
  The kernel spec files use bashisms in %().
  While this could technically be fixed there is more serious underlying
  problem: neither bash nor any of the alternatives are 100% POSIX
  compliant nor bug-free.
  It is not my intent to maintain bug compatibility with any number of
  shells for shell scripts embedded in the kernel spec file. The spec file
  syntax is not documented so embedding the shell script in it causes some
  unspecified transformation to be applied to it. That means that
  ultimately any changes must be tested by building the kernel, n times if
  n shells are supported.
  To reduce maintenance effort require that bash is used for kernel build
  always.
- commit bb95fef
- net: usb: ax88179_178a: Fix out-of-bounds accesses in RX fixup
  (bsc#1196018).
- commit 1580ab2
- ax88179_178a: Merge memcpy + le32_to_cpus to get_unaligned_le32
  (bsc#1196018).
- commit 1cdc779
- rpm: Run external scriptlets on uninstall only when available
  (bsc#1196514 bsc#1196114 bsc#1196942).
  When dependency cycles are encountered package dependencies may not be
  fulfilled during zypper transaction at the time scriptlets are run.
  This is a problem for kernel scriptlets provided by suse-module-tools
  when migrating to a SLE release that provides these scriptlets only as
  part of LTSS. The suse-module-tools that provides kernel scriptlets may
  be removed early causing migration to fail.
- commit ab8dd2d
- sr9700: sanity check for packet length (bsc#1196836
  CVE-2022-26966).
- commit edaafdd
- rpm/*.spec.in: remove backtick usage
- commit 87ca1fb
- rpm: SC2006: Use $(...) notation instead of legacy backticked `...`.
- commit f0d0e90
- aio: fix use-after-free due to missing POLLFREE handling
  (CVE-2021-39698 bsc#1196956).
- aio: keep poll requests on waitqueue until completed
  (CVE-2021-39698 bsc#1196956).
- signalfd: use wake_up_pollfree() (CVE-2021-39698 bsc#1196956).
- binder: use wake_up_pollfree() (CVE-2021-39698 bsc#1196956).
- wait: add wake_up_pollfree() (CVE-2021-39698 bsc#1196956).
- commit b026506
- rpm/kernel-source.spec.in: call fdupes per subpackage
  It is a waste of time to do a global fdupes when we have
  subpackages.
- commit 1da8439
- af_unix: fix garbage collect vs MSG_PEEK (CVE-2021-0920
  bsc#1193731).
- commit 7040fdd
- Refresh patches.suse/xfrm-fix-mtu-regression.patch.
- commit 8d867d6
- xen/netfront: react properly to failing
  gnttab_end_foreign_access_ref() (bsc#1196488, XSA-396,
  CVE-2022-23042).
- commit fe0a923
- xen/gnttab: fix gnttab_end_foreign_access() without page
  specified (bsc#1196488, XSA-396, CVE-2022-23041).
- commit 58c801b
- xen/pvcalls: use alloc/free_pages_exact() (bsc#1196488,
  XSA-396, CVE-2022-23041).
- commit afb2dba
- xen/9p: use alloc/free_pages_exact() (bsc#1196488, XSA-396,
  CVE-2022-23041).
- commit cee63b9
- xen/usb: don't use gnttab_end_foreign_access() in
  xenhcd_gnttab_done() (bsc#1196488, XSA-396).
- commit b1d434d
- xen/gntalloc: don't use gnttab_query_foreign_access()
  (bsc#1196488, XSA-396, CVE-2022-23039).
- commit a4ec4aa
- xen/scsifront: don't use gnttab_query_foreign_access() for
  mapped status (bsc#1196488, XSA-396, CVE-2022-23038).
- commit fd9cb30
- xen/netfront: don't use gnttab_query_foreign_access() for
  mapped status (bsc#1196488, XSA-396, CVE-2022-23037).
- commit 4e33999
- xen/blkfront: don't use gnttab_query_foreign_access() for
  mapped status (bsc#1196488, XSA-396, CVE-2022-23036).
- commit 4334af7
- xen/grant-table: add gnttab_try_end_foreign_access()
  (bsc#1196488, XSA-396, CVE-2022-23036, CVE-2022-23038).
- commit 19b769a
- xen/xenbus: don't let xenbus_grant_ring() remove grants in
  error case (bsc#1196488, XSA-396, CVE-2022-23040).
- commit 5aacf1f
- rpm/arch-symbols,guards,*driver: Replace Novell with SUSE.
- commit 174a64f
- usb: host: xen-hcd: add missing unlock in error path
  (git-fixes).
- commit daa9ea7
- Refresh
  patches.suse/0002-usb-Introduce-Xen-pvUSB-frontend-xen-hcd.patch.
- commit d9066f6
- Refresh
  patches.suse/0001-usb-Add-Xen-pvUSB-protocol-description.patch.
- commit 5c41eb3
- rpm/kernel-docs.spec.in: use %%license for license declarations
  Limited to SLE15+ to avoid compatibility nightmares.
- commit 73d560e
- rpm/*.spec.in: Use https:// urls
- commit 77b5f8e
- powerpc/powernv/memtrace: Fix dcache flushing (bsc#1196433
  ltc#196449).
- commit 9f96679
- Hand over the maintainership to SLE15-SP3 maintainers
- commit 0c92742
- SUNRPC: avoid race between mod_timer() and del_timer_sync()
  (bnc#1195403).
- commit fffe0fc
- nfc: st21nfca: Fix potential buffer overflows in EVT_TRANSACTION
  (CVE-2022-26490 bsc#1196830).
- commit fd10ace
- Update patch reference for iov security fix (CVE-2022-0847 bsc#1196584)
- commit 1dafeb6
- net/mlx5e: Fix page DMA map/unmap attributes (bsc#1196468).
- commit 8c8ae13
- kernel-binary.spec: Also exclude the kernel signing key from devel package.
  There is a check in OBS that fails when it is included. Also the key is
  not reproducible.
  Fixes: bb988d4625a3 ("/kernel-binary: Do not include sourcedir in certificate path."/)
- commit 68fa069
- rpm/check-for-config-changes: Ignore PAHOLE_VERSION.
- commit 88ba5ec
- lib/iov_iter: initialize "/flags"/ in new pipe_buffer
  (bsc#1196584).
- commit 4f3bbf5
- x86/speculation: Use generic retpoline by default on AMD
  (bsc#1191580 CVE-2022-0001 CVE-2022-0002).
- commit bed48b1
- rpm/kernel-obs-build.spec.in: add systemd-initrd and terminfo dracut module (bsc#1195775)
- commit d9a821b
- powerpc/mm: Remove dcache flush from memory remove (bsc#1196433
  ltc#196449).
- commit ec198ed
- gve: Recording rx queue before sending to napi (jsc#SLE-23652).
- gve: fix the wrong AdminQ buffer queue index check
  (jsc#SLE-23652).
- gve: Fix GFP flags when allocing pages (jsc#SLE-23652).
- gve: Add consumed counts to ethtool stats (jsc#SLE-23652).
- gve: Implement suspend/resume/shutdown (jsc#SLE-23652).
- gve: Add optional metadata descriptor type GVE_TXD_MTD
  (jsc#SLE-23652).
- gve: remove memory barrier around seqno (jsc#SLE-23652).
- gve: Update gve_free_queue_page_list signature (jsc#SLE-23652).
- gve: Move the irq db indexes out of the ntfy block struct
  (jsc#SLE-23652).
- gve: Correct order of processing device options (jsc#SLE-23652).
- gve: fix for null pointer dereference (jsc#SLE-23652).
- gve: fix unmatched u64_stats_update_end() (jsc#SLE-23652).
- gve: Add a jumbo-frame device option (jsc#SLE-23652).
- gve: Implement packet continuation for RX (jsc#SLE-23652).
- gve: Add RX context (jsc#SLE-23652).
- gve: Use kvcalloc() instead of kvzalloc() (jsc#SLE-23652).
- commit e1a9cfc
- udf: Restore i_lenAlloc when inode expansion fails (bsc#1196079
  CVE-2022-0617).
- commit a1deb2a
- udf: Fix NULL ptr deref when converting from inline format
  (bsc#1196079 CVE-2022-0617).
- commit 43cd4ed
- x86/speculation: Include unprivileged eBPF status in Spectre v2
  mitigation reporting (bsc#1191580 CVE-2022-0001 CVE-2022-0002).
- commit d42fa20
- Documentation/hw-vuln: Update spectre doc (bsc#1191580
  CVE-2022-0001 CVE-2022-0002).
- commit a48cfcc
- x86/speculation: Add eIBRS + Retpoline options (bsc#1191580
  CVE-2022-0001 CVE-2022-0002).
- commit 1a20a7e
- x86/speculation: Rename RETPOLINE_AMD to RETPOLINE_LFENCE
  (bsc#1191580 CVE-2022-0001 CVE-2022-0002).
- commit 80f47a3
- x86,bugs: Unconditionally allow spectre_v2=retpoline,amd
  (bsc#1191580 CVE-2022-0001 CVE-2022-0002).
- commit 1f9dd65
- usb: gadget: rndis: check size of RNDIS_MSG_SET command
  (CVE-2022-25375 bsc#1196235).
- commit 4e7d746
- Update patch reference for vfs fix (CVE-2022-0644 bsc#1196155)
- commit 900b4f0
- USB: gadget: validate interface OS descriptor requests
  (CVE-2022-25258 bsc#1196095).
- commit 4c69367
- scsi: lpfc: Fix pt2pt NVMe PRLI reject LOGO loop (bsc#1189126).
- commit 6aa037a
- rpm/kernel-obs-build.spec.in: use default dracut modules (bsc#1195926,
  bsc#1198484)
  Let's iron out the reduced initrd optimisation in Tumbleweed.
  Build full blown dracut initrd with systemd for SLE15 SP4.
- commit ea76821
- powerpc/pseries/ddw: Revert "/Extend upper limit for huge DMA
  window for persistent memory"/ (bsc#1195995 ltc#196394).
- commit 7be7563
- f2fs: fix to do sanity check on inode type during garbage
  collection (CVE-2021-44879 bsc#1195987).
- commit 139271b
- tipc: improve size validations for received domain records
  (bsc#1195254, CVE-2022-0435).
- commit 48911da
- yam: fix a memory leak in yam_siocdevprivate() (CVE-2022-24959
  bsc#1195897).
- commit 60220af
- usb: gadget: clear related members when goto fail
  (CVE-2022-24958 bsc#1195905).
- usb: gadget: don't release an existing dev->buf (CVE-2022-24958
  bsc#1195905).
- commit 96dda76
- Update patches.suse/0001-mmc-moxart_remove-Fix-UAF.patch
  (bsc#1194516 CVE-2022-0487).
- commit f68f189
- nfsd: don't admin-revoke NSv4.0 state ids (bsc#1192483).
- nfsd: allow delegation state ids to be revoked and then freed
  (bsc#1192483).
- nfsd: allow lock state ids to be revoked and then freed
  (bsc#1192483).
- nfsd: allow open state ids to be revoked and then freed
  (bsc#1192483).
- nfsd: prepare for supporting admin-revocation of state
  (bsc#1192483).
- commit 4fab2c0
- kernel-binary: Do not include sourcedir in certificate path.
  The certs macro runs before build directory is set up so it creates the
  aggregate of supplied certificates in the source directory.
  Using this file directly as the certificate in kernel config works but
  embeds the source directory path in the kernel config.
  To avoid this symlink the certificate to the build directory and use
  relative path to refer to it.
  Also fabricate a certificate in the same location in build directory
  when none is provided.
- commit bb988d4
- constraints: Also adjust disk requirement for x86 and s390.
- commit 9719db0
- constraints: Increase disk space for aarch64
- commit 09c2882
- KVM: s390: Return error on SIDA memop on normal guest
  (bsc#1195516 CVE-2022-0516).
- commit d46602b
- NFSv4: Handle case where the lookup of a directory fails
  (bsc#1195612 CVE-2022-24448).
- commit 1023a28
- btrfs: check for missing device in btrfs_trim_fs (bsc#1195701).
- commit be8e591
- cgroup-v1: Require capabilities to set release_agent
  (bsc#1195543 CVE-2022-0492).
- commit 413d689
- scsi: ufs: Correct the LUN used in eh_device_reset_handler()
  callback (bsc#1193864 CVE-2021-39657).
- commit 5ec67f9
- scsi: target: iscsi: Fix cmd abort fabric stop race
  (bsc#1195286).
- commit 79c1016
- Update kabi files.
- update from February 2022 maintenance update submission (commit 49453fa0b26b)
- commit 10d28a1
- kernel-obs-build: include 9p (boo#1195353)
  To be able to share files between host and the qemu vm of the build
  script, the 9p and 9p_virtio kernel modules need to be included in
  the initrd of kernel-obs-build.
- commit 0cfe67a
- video: hyperv_fb: Fix validation of screen resolution
  (git-fixes).
- commit fcb02f5
- net: tipc: validate domain record count on input (bsc#1195254).
- commit 5e4e31e
- series.conf: sort
  Fix patch ordering in sorted section.
- commit f4bbbbf
- fix patches metadata
- fix Patch-mainline, mark partial backport, add a note to commit message
  - patches.suse/net-xdp-Introduce-xdp_init_buff-utility-routine.patch
  - patches.suse/net-xdp-Introduce-xdp_prepare_buff-utility-routine.patch
- commit c8555c7
- Update kabi files.
- update from out of order January 2022 maintenance update (commit 712a8e6dffc3)
- commit d4e500b
- update
- commit 8000467
- phonet: refcount leak in pep_sock_accep (bsc#1193867,
  CVE-2021-45095).
- commit 98c27cb
- xfrm: fix MTU regression (bsc#1185377, bsc#1194048).
- Delete
  patches.suse/xfrm-xfrm_state_mtu-should-return-at-least-1280-for-.patch.
  which caused a regression (bsc#1194048).
- fix patches.kabi/revert-xfrm-xfrm_state_mtu-should-return-at-least-1280.patch
  fixes the resulting KABI change
- Replace with an alternative fix for bsc#1185377
- commit ccdfbb9
- net: tipc: validate domain record count on input (bsc#1195254).
- commit 96de11b
- SLE15-SP2 went to LTSS, hand over to L3
- commit 1e60178
- drm/vmwgfx: Fix stale file descriptors on failed usercopy
  (CVE-2022-22942 bsc#1195065).
- commit b93c2a4
- nvme: add 'iopolicy' module parameter (bsc#1177599 bsc#1193096).
- commit 92fcdfb
- bpf: Verifer, adjust_scalar_min_max_vals to always call
  update_reg_bounds() (bsc#1194227).
- commit bf95985
- net/packet: rx_owner_map depends on pg_vec (bsc#1195184
  CVE-2021-22600).
- commit ef975a8
- scsi: ufs: Correct the LUN used in eh_device_reset_handler()
  callback (bsc#1193864 CVE-2021-39657).
- commit a954734
- Update
  patches.suse/usb-gadget-configfs-Fix-use-after-free-issue-with-ud.patch
  (bsc#1193861 CVE-2021-39648).
  updated references for a CVE that became known after the fix
  had been applied for other reasons
- commit 2372cca
- net: mana: Add RX fencing (bsc#1193506).
- commit 86ca026
- net: mana: Add XDP support (bsc#1193506).
- commit 8a8d94e
- hv_netvsc: Set needed_headroom according to VF (bsc#1193506).
- commit 2ce60c3
- net, xdp: Introduce xdp_prepare_buff utility routine
  (bsc#1193506).
- commit f1f2607
- net, xdp: Introduce xdp_init_buff utility routine (bsc#1193506).
- commit d81f88a
- btrfs: tree-checker: check for BTRFS_BLOCK_FLAG_FULL_BACKREF being set improperly (bsc#1195009).
- commit 472ff50
- btrfs: tree-checker: annotate all error branches as unlikely (bsc#1195009).
- commit ac668ff
- btrfs: tree-checker: Add EXTENT_ITEM and METADATA_ITEM check (bsc#1195009).
- commit 38bf9aa
- kernel-binary.spec.in: Move 20-kernel-default-extra.conf to the correctr
  directory (bsc#1195051).
- commit c80b5de
- drm/i915: Flush TLBs before releasing backing store
  (CVE-2022-0330 bsc#1194880).
- commit 34a8919
- net: allow retransmitting a TCP packet if original is still
  in queue (bsc#1188605 bsc#1187428).
- commit 07dea3c
- kernel-binary.spec: Do not use the default certificate path (bsc#1194943).
  Using the the default path is broken since Linux 5.17
- commit 68b36f0
- fix rpm build warning
  tumbleweed rpm is adding these warnings to the log:
  It's not recommended to have unversioned Obsoletes: Obsoletes:      microcode_ctl
- commit 3ba8941
- build initrd without systemd
  This reduces the size of the initrd by over 25%, which
  improves startup time of the virtual machine by 0.5-0.6s on
  very fast machines, more on slower ones.
- commit ef4c569
- Revert "/net: sched: disable TCQ_F_NOLOCK for pfifo_fast (bsc#1183405)"/
  This reverts commit 3aa0c01fad38360cc9cd840d49bdfdc565e2e718.
  With the backport of the upstream fix for bsc#1183405 race, this workaround
  is no longer needed.
- commit e063337
- net: sched: add barrier to ensure correct ordering for lockless
  qdisc (bsc#1183405).
- net: sched: avoid unnecessary seqcount operation for lockless
  qdisc (bsc#1183405).
- net: sched: fix tx action reschedule issue with stopped queue
  (bsc#1183405).
- net: sched: fix tx action rescheduling issue during deactivation
  (bsc#1183405).
- net: sched: fix packet stuck problem for lockless qdisc
  (bsc#1183405).
- net: sched: replaced invalid qdisc tree flush helper in
  qdisc_replace (bsc#1183405).
- net: sch_generic: aviod concurrent reset and enqueue op for
  lockless qdisc (bsc#1183405).
- net_sched: get rid of unnecessary dev_qdisc_reset()
  (bsc#1183405).
- net_sched: avoid resetting active qdisc for multiple times
  (bsc#1183405).
- net_sched: use qdisc_reset() in qdisc_destroy() (bsc#1183405).
- commit abc4d94
libinput
- Add libinput-CVE_2022-1215.patch: strip the device name of
  format directives (boo#1198111 CVE-2022-1215).
libpsl
- fix [bsc#1197771] - FTBFS: libpsl won't compile on SP4
- added patches
  https://github.com/rockdaboot/libpsl/commit/f364cea73e351ce62e0b337fd1fbc21e70b52d56
  + libpsl-fix-test-data.patch
libqb
- IPC: server: avoid temporary channel priority loss, up to deadlock-worth (gh#ClusterLabs/libqb#352, rh#1718773, bsc#1188212)
  * bsc#1188212-0001-IPC-server-avoid-temporary-channel-priority-loss-up-.patch
libqt5-qtbase
- Update patch after it was merged to dev upstream and fix another
  place missed in the first version (boo#1195386, CVE-2022-23853,
  boo#1196501, CVE-2022-25255):
  * 0001-QProcess-Unix-ensure-we-don-t-accidentally-execute-s.patch
- Add patch to avoid unintentionally using binaries from CWD
  (boo#1195386, CVE-2022-23853, boo#1196501, CVE-2022-25255):
  * 0001-QProcess-Unix-ensure-we-don-t-accidentally-execute-s.patch
libsolv
- reworked choice rule generation to cover more usecases
- support SOLVABLE_PREREQ_IGNOREINST in the ordering code
  [bsc#1196514]
- support parsing of Debian's Multi-Arch indicator
- bump version to 0.7.22
- fix segfault on conflict resolution when using bindings
- fix split provides not working if the update includes a forbidden
  vendor change
- support strict repository priorities
  new solver flag: SOLVER_FLAG_STRICT_REPO_PRIORITY
- support zstd compressed control files in debian packages
- add an ifdef allowing to rename Solvable dependency members
  ("/requires"/ is a keyword in C++20)
- support setting/reading userdata in solv files
  new functions: repowriter_set_userdata, solv_read_userdata
- support queying of the custom vendor check function
  new function: pool_get_custom_vendorcheck
- support solv files with an idarray block
- allow accessing the toolversion at runtime
- bump version to 0.7.21
libtirpc
- fix memory leak in client protocol version 2 code (bsc#1193805)
  - update: 0001-rpcb_clnt.c-config-to-try-protocolversion-2-first.patch
libxml2
- Security fix: [bsc#1199132, CVE-2022-29824]
  * Integer overflow leading to out-of-bounds write in buf.c
    (xmlBuf*) and tree.c (xmlBuffer*)
  * Add libxml2-CVE-2022-29824.patch
- Security fix: [bsc#1196490, CVE-2022-23308]
  * Use-after-free of ID and IDREF attributes.
  * Add libxml2-CVE-2022-23308.patch
  * Add libxml2-CVE-2021-3541.patch
libzypp
- ZConfig: Update solver settings if target changes (bsc#1196368)
- version 17.30.0 (22)
- Fix possible hang in singletrans mode (bsc#1197134)
- Do 2 retries if mount is still busy.
- version 17.29.7 (22)
- Fix package signature check (bsc#1184501)
  Pay attention that header and payload are secured by a valid
  signature and report more detailed which signature is missing.
- Retry umount if device is busy (bsc#1196061, closes #381)
  A previously released ISO image may need a bit more time to
  release it's loop device. So we wait a bit and retry.
- Fix serializing/deserializing type mismatch in zypp-rpm
  protocol (bsc#1196925)
- Fix handling of ISO media in releaseAll (bsc#1196061)
- Hint on common ptf resolver conflicts (bsc#1194848)
- version 17.29.6 (22)
- Hint on ptf<>patch resolver conflicts (bsc#1194848)
- version 17.29.5 (22)
- Fix handling of redirected command in-/output (bsc#1195326)
  This fixes delays at the end of zypper operations, where
  zypper unintentionally waits for appdata plugin scripts to
  complete.
- version 17.29.4 (22)
- Public header files on older distros must use c++11
  (bsc#1194597)
- Fix exception handling when reading or writing credentials
  (bsc#1194898)
- version 17.29.3 (22)
- Fix Legacy include (bsc#1194597)
- version 17.29.2 (22)
- Fix broken install path for parser compat headers (fixes #372,
  bsc#1194597)
- RepoManager: remember exec errors in exception history
  (bsc#1193007)
- version 17.29.1 (22)
- Use the default zypp.conf settings if no zypp.conf exists
  (bsc#1193488)
- Fix wrong encoding of iso: URL components (bsc#954813)
- Handle armv8l as armv7hl compatible userland.
- Introduce zypp-curl a sublibrary for CURL related code.
- zypp-rpm: Increase rpm loglevel if ZYPP_RPM_DEBUG is set.
- Save all signatures associated with a public key in its
  PublicKeyData.
- version 17.29.0 (22)
lvm2
- udev: create symlinks and watch even in suspended state (bsc#1195231)
  + bug-1195231-udev-create-symlinks-and-watch-even-in-suspended-sta.patch
mlocate
- require apparmor-abstractions, because apparmor.service fails with
  Could not open 'tunables/global' error otherwise (bsc#1195144)
mozilla-nss
- Mozilla NSS 3.68.3 (bsc#1197903)
  This release improves the stability of NSS when used in a multi-threaded
  environment. In particular, it fixes memory safety violations that
  can occur when PKCS#11 tokens are removed while in use (CVE-2022-1097).
  We presume that with enough effort these memory safety violations are exploitable.
  * Remove token member from NSSSlot struct (bmo#1756271).
  * Hold tokensLock through nssToken_GetSlot calls in nssTrustDomain_GetActiveSlots
    (bmo#1755555).
  * Check return value of PK11Slot_GetNSSToken (bmo#1370866).
net-snmp
- Decouple snmp-mibs from net-snmp version to allow major version
  upgrade (bsc#1196955).
nfs-utils
- Add 0023-cache.c-removed-a-couple-warning.patch
  Fix compilation with new glibc (SLE15-SP4)
  (bsc#1197788)
- Add 0021-mount.nfs-insert-sloppy-at-beginning-of-the-options.patch
  Add 0022-mount.nfs-Fix-the-sloppy-option-processing.patch
  Ensure "/sloppy"/ is added correctly for newer kernels.  Particularly
  required for kernels since 5.6 (so SLE15-SP4), and safe for all kernels.
  (boo#1197297)
- Add 0020-mountd-Initialize-logging-early.patch
  If an error or warning message is produced before
  closeall() is called, mountd gets confused and doesn't work.
  (bsc#1194661)
ocfs2-tools
- fsck.ocfs2: do not try locking after replaying journals if -F is given (bsc#1196705)
  + fsck.ocfs2-do-not-try-locking-after-replaying-journa.patch
openldap2
- bsc#1199240 - CVE-2022-29155 - Resolve sql injection in back-sql
  * 0242-ITS-9815-slapd-sql-escape-filter-values.patch
- bsc#1191157 - Correct version specification in ppolicy to allow
  submission to SP3 for TLS1.3
- bsc#1191157 - allow specification of max/min TLS version with TLS1.3
  * 0239-ITS-9422-Update-for-TLS-v1.3.patch
  * 0240-ITS-9518-add-LDAP_OPT_X_TLS_PROTOCOL_MAX-option.patch
  * 0241-TLS-set-protocol-version.patch
- bsc#1197004 - libldap was able to be out of step with openldap in
  some cases which could cause incorrect installations and symbol
  resolution failures. openldap2 and libldap now are locked to their
  related release versions.
- jsc#PM-3288 - restore CLDAP functionality in CLI tools
- Revert jsc#PM-3288 - CLDAP ( -DLDAP_CONNECTIONLESS ) due to regression
  reporting is bsc#1197004 causing SSSD to have faults.
- jsc#PM-3288 - restore CLDAP functionality in CLI tools
openssh
- Add openssh-do-not-send-empty-message.patch: Prevent empty
  messages from being sent. This avoids a superfluous new line
  (bsc#1192439).
- Add openssh-dbus.sh, openssh-dbus.csh, openssh-dbus.fish: Make ssh
  connections update their dbus environment (bsc#1179465).
- Add openssh-bsc1190975-CVE-2021-41617-authorizedkeyscommand.patch
  (bsc#1190975, CVE-2021-41617), backported from upstream by
  Ali Abdallah.
openssl-1_1
- Encrypt the sixteen bytes that were unencrypted in some circumstances
  on 32-bit x86 platforms.
  * [bsc#1201099, CVE-2022-2097]
  * added openssl-CVE-2022-2097.patch
- Added	openssl-1_1-Fix-file-operations-in-c_rehash.patch
  * bsc#1200550
  * CVE-2022-2068
  * Fixed more shell code injection issues in c_rehash
- Added openssl-update_expired_certificates.patch
  * Openssl failed tests because of expired certificates.
  * bsc#1185637
  * Sourced from https://github.com/openssl/openssl/pull/18446/commits
- Security fix: [bsc#1199166, CVE-2022-1292]
  * Added: openssl-CVE-2022-1292.patch
  * properly sanitise shell metacharacters in c_rehash script.
- Security Fix: [bsc#1196877, CVE-2022-0778]
  * Infinite loop in BN_mod_sqrt() reachable when parsing certificates
  * Add openssl-CVE-2022-0778.patch openssl-CVE-2022-0778-tests.patch
- Fix PAC pointer authentication in ARM [bsc#1195856]
  * PAC pointer authentication signs the return address against the
    value of the stack pointer, to prevent stack overrun exploits
    from corrupting the control flow. The Poly1305 armv8 code got
    this wrong, resulting in crashes on PAC capable hardware.
  * Add openssl-1_1-ARM-PAC.patch
- Pull libopenssl-1_1 when updating openssl-1_1 with the same
  version. [bsc#1195792]
- FIPS: Fix function and reason error codes [bsc#1182959]
  * Add openssl-1_1-FIPS-fix-error-reason-codes.patch
- Enable zlib compression support [bsc#1195149]
  * Add openssl-fix-BIO_f_zlib.patch to fix BIO_f_zlib: Properly
    handle BIO_CTRL_PENDING and BIO_CTRL_WPENDING calls.
p11-kit
- CVE-2020-29362: Fixed a 4 byte overread (bsc#1180065)
  Added p11-kit-CVE-2020-29362.patch:
pacemaker
- attrd: check election status upon loss of a voter to prevent unexpected pending (bsc#1191676)
  * bsc#1191676-0001-Fix-attrd-check-election-status-upon-loss-of-a-voter.patch
- stonith-ng's function cannot be blocked with CIB updates forever (bsc#1188212)
pam
- Do not include obsolete libselinux header files flask.h and
  av_permissions.h.
  [bsc#1197794, pam-bsc1197794-do-not-include-obsolete-header-files.patch]
- Between allocating the variable "/ai"/ and free'ing them, there are
  two "/return NO"/ were we don't free this variable. This patch
  inserts freaddrinfo() calls before the "/return NO;"/s.
  [bsc#1197024, pam-bsc1197024-free-addrinfo-before-return.patch]
- Define _pam_vendordir as "//%{_sysconfdir}/pam.d"/
  The variable is needed by systemd and others.
  [bsc#1196093, macros.pam]
pcre
- Added pcre-8.45-bsc1199232-unicode-property-matching.patch
  * bsc#1199232
  * CVE-2022-1586
  * Fixes unicode property matching issue
pcre2
- Added pcre2-10.31-bsc1199232-unicode-property-matching.patch
  * bsc#1199232 / CVE-2022-1586
  * Fixes unicode property matching issue
perl
- Stabilize Socket::VERSION comparisons [bnc#1193489]
  new patch: perl-Stabilize-Socket-VERSION-comparisons.patch
perl-XML-LibXML
- (bsc#1197798) FTBFS: compile against latest version available of
  libxml in SP4 so perl-XML-LibXSLT compiles cleanly.
polkit
- CVE-2021-4115: fixed a denial of service via file descriptor leak (bsc#1195542)
  added CVE-2021-4115.patch
procps
- Add patch bsc1195468-23da4f40.patch to fix bsc#1195468 that is
  ignore SIGURG
protobuf
- Fix incorrect parsing of nullchar in the proto symbol, CVE-2021-22570,
  bsc#1195258
  * Add protobuf-CVE-2021-22570.patch
psmisc
  * Add a fallback if the system call name_to_handle_at() is
    not supported by the used file system.
- Add patch psmisc-22.21-semaphores.patch
  * Replace the synchronizing over pipes of the sub process for the
    stat(2) system call with mutex and conditions from pthreads(7)
    (bsc#1194172)
- Add patch psmisc-22.21-statx.patch
  * Use statx(2) or SYS_statx system call to replace the stat(2)
    system call and avoid the sub process at all (bsc#1194172)
- Change patch 0001-Use-mountinfo-to-be-able-to-use-the-mount-identity.patch
  * Determine the namespace of a process only once to speed
    up the parsing of fdinfo (bsc#1194172).
- Change patch 0001-Use-mountinfo-to-be-able-to-use-the-mount-identity.patch
python-PyJWT
- Add CVE-2022-29217-non-blocked-pubkeys.patch fixing
  CVE-2022-29217 (bsc#1199756), which disallows use of blocked
  pubkeys (heavily modified from upstream).
python-base
- Add CVE-2015-20107-mailcap-unsafe-filenames.patch to avoid
  CVE-2015-20107 (bsc#1198511, gh#python/cpython#68966), the
  command injection in the mailcap module.
- Update bundled pip wheel to the latest SLE version patched
  against bsc#1186819 (CVE-2021-3572).
- Recover again proper value of %python2_package_prefix
  (bsc#1175619).
- BuildRequire rpm-build-python: The provider to inject python(abi)
  has been moved there. rpm-build pulls rpm-build-python
  automatically in when building anything against python3-base, but
  this implies that the initial build of python3-base does not
  trigger the automatic installation.
- Older SLE versions should use old OpenSSL.
- Add CVE-2022-0391-urllib_parse-newline-parsing.patch
  (bsc#1195396, CVE-2022-0391, bpo#43882) sanitizing URLs
  containing ASCII newline and tabs in urlparse.
- Add CVE-2021-4189-ftplib-trust-PASV-resp.patch (bsc#1194146,
  bpo#43285, CVE-2021-4189, gh#python/cpython#24838) make ftplib
  not trust the PASV response.
- build against openssl 1.1.x (incompatible with openssl 3.0x)
  for now.
- on sle12, python2 modules will still be called python-xxxx until EOL,
  for newer SLE versions they will be python2-xxxx
- BuildRequire rpm-build-python: The provider to inject python(abi)
  has been moved there. rpm-build pulls rpm-build-python
  automatically in when building anything against python3-base, but
  this implies that the initial build of python3-base does not
  trigger the automatic installation.
python-jsonschema
- Add patch to fix build with new webcolors:
  * webcolors.patch
- update to version 3.2.0 (jsc#SLE-18756):
  * Added a format_nongpl setuptools extra, which installs only format
    dependencies that are non-GPL (#619).
- specfile:
  * be more explicit in %files section
  * require python-importlib-metadata
- update to version 3.1.1:
  * Temporarily revert the switch to js-regex until #611 and #612 are
    resolved.
- changes from version 3.1.0:
  * Regular expressions throughout schemas now respect the ECMA 262
    dialect, as recommended by the specification (#609).
- Replace %fdupes -s with plain %fdupes; hardlinks are better.
- Activate more of the test suite
- Remove tests and benchmarking from the runtime package
- Update to v3.0.2
  * Fixed a bug where 0 and False were considered equal by
    const and enum
- from v3.0.1
  * Fixed a bug where extending validators did not preserve their
    notion of which validator property contains $id information.
- from v3.0.0
  * Support for Draft 6 and Draft 7
  * Draft 7 is now the default
  * New TypeChecker object for more complex type definitions
    (and overrides)
  * Falling back to isodate for the date-time format checker is
    no longer attempted, in accordance with the specification
- Add non-updating note to the SPEC file
- downgrade to < 3.0.0 again to fix all openstack clients
- Update to 3.0.1:
  * Support for Draft 6 and Draft 7
  * Draft 7 is now the default
  * New TypeChecker object for more complex type definitions (and overrides)
  * Falling back to isodate for the date-time format checker is no longer attempted, in accordance with the specification
- Use %license instead of %doc [bsc#1082318]
python-lxml
- With the new update to 4.7.1, the old Bugzilla entries are also
  fixed:
  - bsc#1118088 (related to CVE-2018-19787)
  - bsc#1184177 (related to CVE-2021-28957)
- Update to 4.7.1 (officially released 2021-12-13)
  Features added
  - Chunked Unicode string parsing via parser.feed() now encodes the input
    data to the native UTF-8 encoding directly, instead of going through
    Py_UNICODE / wchar_t encoding first, which previously required duplicate
    recoding in most cases.
  Bugs fixed
  - The standard namespace prefixes were mishandled during "/C14N2"/
  serialisation
    on Python 3.
    See
  https://mail.python.org/archives/list/lxml@python.org/thread/
  6ZFBHFOVHOS5GFDOAMPCT6HM5HZPWQ4Q/
  - lxml.objectify previously accepted non-XML numbers with underscores
    (like "/1_000"/) as integers or float values in Python 3.6 and later.
    It now adheres to the number format of the XML spec again.
  - LP#1939031: Static wheels of lxml now contain the header files of zlib
    and libiconv (in addition to the already provided headers of
    libxml2/libxslt/libexslt).
  Other changes
  - Wheels include libxml2 2.9.12+ and libxslt 1.1.34 (also on Windows).
- Update to 4.7.0 (2021-12-13)
  - Release retracted due to missing files in lxml/includes/.
- UPdate to 4.6.5 (2021-12-12)
  Bugs fixed
  - A vulnerability (GHSL-2021-1038) in the HTML cleaner
  - allowed sneaking script content through SVG images
  - (bnc#1193752, CVE-2021-43818).
  - A vulnerability (GHSL-2021-1037) in the HTML cleaner allowed
  - sneaking script content through CSS imports and other crafted
  - constructs (CVE-2021-43818).
- Update 4.6.4 (2021-11-01)
  Features added
  - GH#317: A new property system_url was added to DTD entities.
  - Patch by Thirdegree.
  - GH#314: The STATIC_* variables in setup.py can now be passed
  - via env vars.
  - Patch by Isaac Jurado.
- Update 4.6.3 (2021-03-21)
  Bugs fixed
  - A vulnerability (CVE-2021-28957) was discovered in the HTML
  - Cleaner by Kevin Chung, which allowed JavaScript to pass through.
  - The cleaner now removes the HTML5 formaction attribute.
- Update 4.6.2 (2020-11-26)
  Bugs fixed
  - A vulnerability (bnc#1179534, CVE-2020-27783) was discovered in the HTML
    Cleaner
  - by Yaniv Nizry, which allowed JavaScript to pass through. The cleaner
  - now removes more sneaky "/style"/ content.
- Update 4.6.1 (2020-10-18)
  Bugs fixed
  - A vulnerability was discovered in the HTML Cleaner by Yaniv Nizry,
  - which allowed JavaScript to pass through. The cleaner now removes
  - more sneaky "/style"/ content.
- Update 4.6.0 (2020-10-17)
  Features added
  - GH#310: lxml.html.InputGetter supports __len__() to count the number
  - of input fields. Patch by Aidan Woolley.
  - lxml.html.InputGetter has a new .items() method to ease processing
  - all input fields.
  - lxml.html.InputGetter.keys() now returns the field names in document
  - order.
  - GH-309: The API documentation is now generated using sphinx-apidoc.
  - Patch by Chris Mayo.
  Bugs fixed
  - LP#1869455: C14N 2.0 serialisation failed for unprefixed attributes
  - when a default namespace was defined.
  - TreeBuilder.close() raised AssertionError in some error cases where
  - it should have raised XMLSyntaxError. It now raises a combined
  - exception to keep up backwards compatibility, while switching to
  - XMLSyntaxError as an interface.
- Update 4.5.2 (2020-07-09)
  Bugs fixed
  - Cleaner() now validates that only known configuration options
  - can be set.
  - LP#1882606: Cleaner.clean_html() discarded comments and PIs
  - regardless of the corresponding configuration option, if
  - remove_unknown_tags was set.
  - LP#1880251: Instead of globally overwriting the document loader
  - in libxml2, lxml now sets it per parser run, which improves the
  - interoperability with other users of libxml2 such as libxmlsec.
  - LP#1881960: Fix build in CPython 3.10 by using Cython 0.29.21.
  - The setup options "/--with-xml2-config"/ and "/--with-xslt-config"/
  - were accidentally renamed to "/--xml2-config"/ and "/--xslt-config"/
  - in 4.5.1 and are now available again.
- Update 4.5.1 (2020-05-19)
  Bugs fixed
  - LP#1570388: Fix failures when serialising documents larger than
  - 2GB in some cases.
  - LP#1865141, GH#298: QName values were not accepted by the
  - el.iter() method. Patch by xmo-odoo.
  - LP#1863413, GH#297: The build failed to detect libraries on Linux
  - that are only configured via pkg-config. Patch by Hugh McMaster.
- Update 4.5.0 (2020-01-29)
  Features added
  - A new function indent() was added to insert tail whitespace for
  - pretty-printing an XML tree.
  Bugs fixed
  - LP#1857794: Tail text of nodes that get removed from a document
    using item deletion disappeared silently instead of sticking with
    the node that was removed.
  Other changes
  - MacOS builds are 64-bit-only by default. Set CFLAGS and LDFLAGS
    explicitly to override it.
  - Linux/MacOS Binary wheels now use libxml2 2.9.10 and libxslt 1.1.34.
  - LP#1840234: The package version number is now available as
    lxml.__version__.
- Update 4.4.3 (2020-01-28)
  Bugs fixed
  - LP#1844674: itertext() was missing tail text of comments and PIs
    since 4.4.0.
python-paramiko
- Add CVE-2022-24302-race-condition.patch:
  * Fix a race condition between creation and chmod when writing private
    keys. (bsc#1197279)
python3
- Add CVE-2015-20107-mailcap-unsafe-filenames.patch to avoid
  CVE-2015-20107 (bsc#1198511, gh#python/cpython#68966), the
  command injection in the mailcap module.
- Rename support-expat-245.patch to
  support-expat-CVE-2022-25236-patched.patch to unify the patch
  with other packages.
- Add bpo-46623-skip-zlib-s390x.patch skipping two failing tests
  on s390x.
- Update bundled pip wheel to the latest SLE version patched
  against bsc#1186819 (CVE-2021-3572).
- Add patch support-expat-245.patch:
  * Support Expat >= 2.4.5
- Rename 22198.patch into more descriptive remove-sphinx40-warning.patch.
- Don't use appstream-glib on SLE-12.
- Use Python 2-based Sphinx on SLE-12.
- No documentation on SLE-12.
- Add skip_SSL_tests.patch skipping tests because of patched
  OpenSSL (bpo#9425).
- Don't use appstream-glib on SLE-12.
- Use Python 2-based Sphinx on SLE-12.
- No documentation on SLE-12.
- Add skip_SSL_tests.patch skipping tests because of patched
  OpenSSL (bpo#9425).
- Don't use OpenSSL 1.1 on platforms which don't have it.
- Remove shebangs from from python-base libraries in _libdir
  (bsc#1193179, bsc#1192249).
- Readjust patches:
  - bpo-31046_ensurepip_honours_prefix.patch
  - decimal.patch
  - python-3.3.0b1-fix_date_time_compiler.patch
- build against openssl 1.1 as it is incompatible with openssl 3.0+  (bsc#1190566)
- 0001-allow-for-reproducible-builds-of-python-packages.patch: ignore
  permission error when changing the mtime of the source file in presence
  of SOURCE_DATE_EPOCH
  - CVE-2021-3733-ReDoS-urllib-AbstractBasicAuthHandler.patch
- Remove merged patch CVE-2020-8492-urllib-ReDoS.patch and
  CRLF_injection_via_host_part.patch.
release-notes-sles-for-sap
15.2.20220712 (tracked in bsc#1201315)
- Trento is fully supported remove it from tech preview
  section (bsc#1201315)
- 15.2.20220202 (tracked in bsc#933411)
- Added Trento disclaimer (jsc#SLE-22809)
- Updated support length to 3.5 years (bsc#1188003)
resource-agents
- AUDIT-FIND: resource-agents: Predictable log file in /tmp in mariadb.in
  (bsc#1146691)
  Add patch:
    0001-mariadb-Remove-obsolete-DEBUG_LOG-functionality-1191.patch
- RA aws-vpc-move-ip is lacking the possibility to assign a label to an interface.
  (bsc#1199766)  Include upsteam patch:
    0001-aws-vpc-move-ip-Allow-to-set-the-interface-label.patch
- Can IPaddr2 run ARP for IPV6 in background during start operation
  (bsc#1196164)
  Include upstream patches:
    0001-IPaddr2-Allow-to-disable-Duplicate-Address-Detection.patch
    0002-IPaddr2-Allow-to-send-IPv6-Neighbor-Advertisements-i.patch
    0003-IPaddr2-Log-ip-addr-add-options-together.patch
    0004-IPaddr2-Clarify-behavior-of-arp_-parameters-for-IPv4.patch
- oracle RA lists monpassword as optional but fails unless provided
  (bsc#1197956)
  Add upstream patch:
    0001-Improve-the-error-message-if-monpassword-was-not-set.patch
- Use safe tmp files. Use the variable ${HA_RSCTMP} of the resource
  agents instead of /tmp. ${HA_RSCTMP} points to a safe directory
  in /var/run or /run. This patch fix following issues:
  bsc#1146690 bsc#1146691 bsc#1146692 bsc#1146766 bsc#1146776
  bsc#1146784 bsc#1146785 bsc#1146787
- ocfmon user created with "/OCFMON"/ as default password
  If no password is set the user will not be created.
  bsc#1021689 bsc#1146687
- Included following upstream patches:
  0001-make-secure-tmp-files.patch
  0001-increase-the-security-of-monitor-user-in-oracle.patch
- RA reports "/string indices must be integers"/ to stderr after
  "/WARNING: Failed to reach the server: Gone"/ (bsc#1194502)
  Add upstream patch:
  0001-azure-events-report-error-if-jsondata-not-received.patch
rsyslog
- Remove inotify watch descriptor in imfile on inode change detected
  (bsc#1198939)
  * add 0001-imfile-Remove-inotify-watch-descriptor-on-inode-chan.patch
- (CVE-2022-24903) fix potential heap buffer overflow in modules for TCP
  syslog reception (bsc#1199061)
  * add CVE-2022-24903.patch
- add service dependencies for remote logging (bsc#1194669)
- update config example in remote.conf to match upstream documentation
ruby2
- Update suse.patch:
  - backport fix for CVE-2022-28739: ruby: Buffer overrun in
    String-to-Float conversion (boo#1198441)
  - back port date 2.0.3 CVE-2021-41817 (boo#1193035)
  - merge the previous bug fixes into suse.patch
  - CVE-2021-32066.patch
  - CVE-2021-31810.patch
  - CVE-2021-31799.patch
- Add Requires to make and gcc to ruby-devel to make the default
  extconf.rb work
rubygem-actionpack-5_1
- Added patch 0005-CVE-2021-22904.patch to fix CVE-2021-22904
  (bsc#1185780)
- Added patch 0004-CVE-2022-23633.patch to fix CVE-2022-23633
  (bsc#1196182)
rubygem-activesupport-5_1
- Added patch CVE-2022-23633.patch to fix CVE-2022-23633 (bsc#1196182)
rubygem-puma
- updated to version 4.3.11
  * fix bsc#1196222, CVE-2022-23634
  rubygem-puma: puma would not always call 'close' on the response body
  * fix bsc#1191681, CVE-2021-41136
  * fix bsc#1188527, CVE-2021-29509
rubygem-rack
- security update
- added patches
  fix CVE-2022-30122 [bsc#1200748], crafted multipart POST request may cause a DoS
  + rubygem-rack-CVE-2022-30122.patch
  fix CVE-2022-30123 [bsc#1200750], crafted requests can cause shell escape sequences
  + rubygem-rack-CVE-2022-30123.patch
runc
- Update to runc v1.1.3. Upstream changelog is available from
  https://github.com/opencontainers/runc/releases/tag/v1.1.3.
  (Includes a fix for bsc#1200088.)
  * Our seccomp `-ENOSYS` stub now correctly handles multiplexed syscalls on
    s390 and s390x. This solves the issue where syscalls the host kernel did not
    support would return `-EPERM` despite the existence of the `-ENOSYS` stub
    code (this was due to how s390x does syscall multiplexing).
  * Retry on dbus disconnect logic in libcontainer/cgroups/systemd now works as
    intended; this fix does not affect runc binary itself but is important for
    libcontainer users such as Kubernetes.
  * Inability to compile with recent clang due to an issue with duplicate
    constants in libseccomp-golang.
  * When using systemd cgroup driver, skip adding device paths that don't exist,
    to stop systemd from emitting warnings about those paths.
  * Socket activation was failing when more than 3 sockets were used.
  * Various CI fixes.
  * Allow to bind mount /proc/sys/kernel/ns_last_pid to inside container.
  * runc static binaries are now linked against libseccomp v2.5.4.
- Remove upstreamed patches:
  - bsc1192051-0001-seccomp-enosys-always-return-ENOSYS-for-setup-2-on-s390x.patch
- Backport <https://github.com/opencontainers/runc/pull/3474> to fix issues
  with newer syscalls (namely faccessat2) on older kernels on s390(x) caused by
  that platform's syscall multiplexing semantics. bsc#1192051 bsc#1199565
  + bsc1192051-0001-seccomp-enosys-always-return-ENOSYS-for-setup-2-on-s390x.patch
- Add ExcludeArch for s390 (not s390x) since we've never supported it.
- Update to runc v1.1.2. Upstream changelog is available from
  https://github.com/opencontainers/runc/releases/tag/v1.1.2.
  CVE-2022-29162 bsc#1199460
  * A bug was found in runc where runc exec --cap executed processes with
    non-empty inheritable Linux process capabilities, creating an atypical Linux
    environment. For more information, see [GHSA-f3fp-gc8g-vw66][] and
    CVE-2022-29162. bsc#1199460
  * `runc spec` no longer sets any inheritable capabilities in the created
    example OCI spec (`config.json`) file.
- Update to runc v1.1.1. Upstream changelog is available from
  https://github.com/opencontainers/runc/releases/tag/v1.1.1.
  * runc run/start can now run a container with read-only /dev in OCI spec,
    rather than error out. (#3355)
  * runc exec now ensures that --cgroup argument is a sub-cgroup. (#3403)
    libcontainer systemd v2 manager no longer errors out if one of the files
    listed in /sys/kernel/cgroup/delegate do not exist in container's
    cgroup. (#3387, #3404)
  * Loosen OCI spec validation to avoid bogus "/Intel RDT is not supported"/
    error. (#3406)
  * libcontainer/cgroups no longer panics in cgroup v1 managers if stat
    of /sys/fs/cgroup/unified returns an error other than ENOENT. (#3435)
- Update to runc v1.1.0. Upstream changelog is available from
  https://github.com/opencontainers/runc/releases/tag/v1.1.0.
  - libcontainer will now refuse to build without the nsenter package being
    correctly compiled (specifically this requires CGO to be enabled). This
    should avoid folks accidentally creating broken runc binaries (and
    incorrectly importing our internal libraries into their projects). (#3331)
- Update to runc v1.1.0~rc1. Upstream changelog is available from
  https://github.com/opencontainers/runc/releases/tag/v1.1.0-rc.1.
  + Add support for RDMA cgroup added in Linux 4.11.
  * runc exec now produces exit code of 255 when the exec failed.
    This may help in distinguishing between runc exec failures
    (such as invalid options, non-running container or non-existent
    binary etc.) and failures of the command being executed.
  + runc run: new --keep option to skip removal exited containers artefacts.
    This might be useful to check the state (e.g. of cgroup controllers) after
    the container hasexited.
  + seccomp: add support for SCMP_ACT_KILL_PROCESS and SCMP_ACT_KILL_THREAD
    (the latter is just an alias for SCMP_ACT_KILL).
  + seccomp: add support for SCMP_ACT_NOTIFY (seccomp actions). This allows
    users to create sophisticated seccomp filters where syscalls can be
    efficiently emulated by privileged processes on the host.
  + checkpoint/restore: add an option (--lsm-mount-context) to set
    a different LSM mount context on restore.
  + intelrdt: support ClosID parameter.
  + runc exec --cgroup: an option to specify a (non-top) in-container cgroup
    to use for the process being executed.
  + cgroup v1 controllers now support hybrid hierarchy (i.e. when on a cgroup v1
    machine a cgroup2 filesystem is mounted to /sys/fs/cgroup/unified, runc
    run/exec now adds the container to the appropriate cgroup under it).
  + sysctl: allow slashes in sysctl names, to better match sysctl(8)'s
    behaviour.
  + mounts: add support for bind-mounts which are inaccessible after switching
    the user namespace. Note that this does not permit the container any
    additional access to the host filesystem, it simply allows containers to
    have bind-mounts configured for paths the user can access but have
    restrictive access control settings for other users.
  + Add support for recursive mount attributes using mount_setattr(2). These
    have the same names as the proposed mount(8) options -- just prepend r
    to the option name (such as rro).
  + Add runc features subcommand to allow runc users to detect what features
    runc has been built with. This includes critical information such as
    supported mount flags, hook names, and so on. Note that the output of this
    command is subject to change and will not be considered stable until runc
    1.2 at the earliest. The runtime-spec specification for this feature is
    being developed in opencontainers/runtime-spec#1130.
  * system: improve performance of /proc/$pid/stat parsing.
  * cgroup2: when /sys/fs/cgroup is configured as a read-write mount, change
    the ownership of certain cgroup control files (as per
    /sys/kernel/cgroup/delegate) to allow for proper deferral to the container
    process.
  * runc checkpoint/restore: fixed for containers with an external bind mount
    which destination is a symlink.
  * cgroup: improve openat2 handling for cgroup directory handle hardening.
    runc delete -f now succeeds (rather than timing out) on a paused
    container.
  * runc run/start/exec now refuses a frozen cgroup (paused container in case of
    exec). Users can disable this using --ignore-paused.
- Update version data embedded in binary to correctly include the git commit of
  the release.
- Drop runc-rpmlintrc because we don't have runc-test anymore.
  bsc#1193436
salt
- Fix for CVE-2022-22967 (bsc#1200566)
- Added:
  * fix-for-cve-2022-22967-bsc-1200566.patch
- Make sure SaltCacheLoader use correct fileclient (bsc#1199149)
- Added:
  * make-sure-saltcacheloader-use-correct-fileclient-519.patch
- Update to version 3004 (jsc#SLE-24223) (jsc#SLE-23672)
  * See release notes: https://docs.saltproject.io/en/master/topics/releases/3004.html
- Expose missing "/ansible"/ module functions in Salt 3004 (bsc#1195625)
- Fixes for Python 3.10
- Fix issues found around pre_flight_script_args
- Fix salt-call event.send with pillar or grains
- Fix exception in batch_async caused by a bad function call
- Fix print regression for yumnotify plugin
- Fix issues with salt-ssh's extra-filerefs
- Fix crash when calling manage.not_alive runners
- Added:
  * add-missing-ansible-module-functions-to-whitelist-in.patch
  * drop-serial-from-event.unpack-in-cli.batch_async.patch
  * fix-crash-when-calling-manage.not_alive-runners.patch
  * fix-issues-with-salt-ssh-s-extra-filerefs.patch
  * fix-salt-call-event.send-call-with-grains-and-pillar.patch
  * fix-the-regression-for-yumnotify-plugin-456.patch
  * fixes-for-python-3.10-502.patch
  * prevent-shell-injection-via-pre_flight_script_args-4.patch
- Modified:
  * add-custom-suse-capabilities-as-grains.patch
  * add-environment-variable-to-know-if-yum-is-invoked-f.patch
  * add-migrated-state-and-gpg-key-management-functions-.patch
  * add-rpm_vercmp-python-library-for-version-comparison.patch
  * adds-explicit-type-cast-for-port.patch
  * async-batch-implementation.patch
  * debian-info_installed-compatibility-50453.patch
  * dnfnotify-pkgset-plugin-implementation-3002.2-450.patch
  * do-not-crash-when-unexpected-cmd-output-at-listing-p.patch
  * do-not-load-pip-state-if-there-is-no-3rd-party-depen.patch
  * early-feature-support-config.patch
  * enable-passing-a-unix_socket-for-mysql-returners-bsc.patch
  * enhance-openscap-module-add-xccdf_eval-call-386.patch
  * fix-bsc-1065792.patch
  * fix-exception-in-yumpkg.remove-for-not-installed-pac.patch
  * fix-ip6_interface-grain-to-not-leak-secondary-ipv4-a.patch
  * fix-multiple-security-issues-bsc-1197417.patch
  * fix-regression-with-depending-client.ssh-on-psutil-b.patch
  * fix-wrong-test_mod_del_repo_multiline_values-test-af.patch
  * fixes-56144-to-enable-hotadd-profile-support.patch
  * implementation-of-held-unheld-functions-for-state-pk.patch
  * implementation-of-suse_ip-execution-module-bsc-10999.patch
  * improvements-on-ansiblegate-module-354.patch
  * include-aliases-in-the-fqdns-grains.patch
  * info_installed-works-without-status-attr-now.patch
  * make-aptpkg.list_repos-compatible-on-enabled-disable.patch
  * prevent-affection-of-ssh.opts-with-lazyloader-bsc-11.patch
  * prevent-pkg-plugins-errors-on-missing-cookie-path-bs.patch
  * refactor-and-improvements-for-transactional-updates-.patch
  * restore-default-behaviour-of-pkg-list-return.patch
  * return-the-expected-powerpc-os-arch-bsc-1117995.patch
  * revert-fixing-a-use-case-when-multiple-inotify-beaco.patch
  * run-salt-master-as-dedicated-salt-user.patch
  * state.apply-don-t-check-for-cached-pillar-errors.patch
  * switch-firewalld-state-to-use-change_interface.patch
  * temporary-fix-extend-the-whitelist-of-allowed-comman.patch
  * update-target-fix-for-salt-ssh-to-process-targets-li.patch
  * use-adler32-algorithm-to-compute-string-checksums.patch
  * wipe-notify_socket-from-env-in-cmdmod-bsc-1193357-30.patch
  * x509-fixes-111.patch
  * zypperpkg-ignore-retcode-104-for-search-bsc-1176697-.patch
- Removed:
  * 3002-set-distro-requirement-to-oldest-supported-vers.patch
  * 3002.2-do-not-consider-skipped-targets-as-failed-for.patch
  * 3002.2-xen-spicevmc-dns-srv-records-backports-314.patch
  * accumulated-changes-from-yomi-167.patch
  * accumulated-changes-required-for-yomi-165.patch
  * add-alibaba-cloud-linux-2-by-backporting-upstream-s-.patch
  * add-all-ssh-kwargs-to-sanitize_kwargs-method-3002.2-.patch
  * add-all_versions-parameter-to-include-all-installed-.patch
  * add-almalinux-and-alibaba-cloud-linux-to-the-os-fami.patch
  * add-astra-linux-common-edition-to-the-os-family-list.patch
  * add-batch_presence_ping_timeout-and-batch_presence_p.patch
  * add-cpe_name-for-osversion-grain-parsing-u-49946.patch
  * add-docker-logout-237.patch
  * add-hold-unhold-functions.patch
  * add-missing-aarch64-to-rpm-package-architectures-405.patch
  * add-multi-file-support-and-globbing-to-the-filetree-.patch
  * add-new-custom-suse-capability-for-saltutil-state-mo.patch
  * add-patch-support-for-allow-vendor-change-option-wit.patch
  * add-pkg.services_need_restart-302.patch
  * add-saltssh-multi-version-support-across-python-inte.patch
  * add-supportconfig-module-for-remote-calls-and-saltss.patch
  * add-virt.all_capabilities.patch
  * adding-preliminary-support-for-rocky.-59682-391.patch
  * allow-extra_filerefs-as-sanitized-kwargs-for-ssh-cli.patch
  * allow-passing-kwargs-to-pkg.list_downloaded-bsc-1140.patch
  * ansiblegate-take-care-of-failed-skipped-and-unreacha.patch
  * apply-patch-from-upstream-to-support-python-3.8.patch
  * async-batch-implementation-fix-320.patch
  * avoid-traceback-when-http.query-request-cannot-be-pe.patch
  * backport-a-few-virt-prs-272.patch
  * backport-of-upstream-pr59492-to-3002.2-404.patch
  * backport-thread.is_alive-fix-390.patch
  * backport-virt-patches-from-3001-256.patch
  * batch-async-catch-exceptions-and-safety-unregister-a.patch
  * batch_async-avoid-using-fnmatch-to-match-event-217.patch
  * better-handling-of-bad-public-keys-from-minions-bsc-.patch
  * calculate-fqdns-in-parallel-to-avoid-blockings-bsc-1.patch
  * changed-imports-to-vendored-tornado.patch
  * clear-network-interface-cache-when-grains-are-reques.patch
  * do-noop-for-services-states-when-running-systemd-in-.patch
  * do-not-break-repo-files-with-multiple-line-values-on.patch
  * do-not-crash-when-there-are-ipv6-established-connect.patch
  * do-not-make-ansiblegate-to-crash-on-python3-minions.patch
  * do-not-monkey-patch-yaml-bsc-1177474.patch
  * do-not-raise-streamclosederror-traceback-but-only-lo.patch
  * don-t-call-zypper-with-more-than-one-no-refresh.patch
  * drop-wrong-mock-from-chroot-unit-test.patch
  * drop-wrong-virt-capabilities-code-after-rebasing-pat.patch
  * ensure-virt.update-stop_on_reboot-is-updated-with-it.patch
  * exclude-the-full-path-of-a-download-url-to-prevent-i.patch
  * fall-back-to-pymysql.patch
  * figure-out-python-interpreter-to-use-inside-containe.patch
  * fix-__mount_device-wrapper-254.patch
  * fix-a-test-and-some-variable-names-229.patch
  * fix-a-wrong-rebase-in-test_core.py-180.patch
  * fix-aptpkg-systemd-call-bsc-1143301.patch
  * fix-aptpkg.normalize_name-when-package-arch-is-all.patch
  * fix-async-batch-multiple-done-events.patch
  * fix-async-batch-race-conditions.patch
  * fix-batch_async-obsolete-test.patch
  * fix-cve-2020-25592-and-add-tests-bsc-1178319.patch
  * fix-error-handling-in-openscap-module-bsc-1188647-40.patch
  * fix-failing-unit-tests-for-batch-async.patch
  * fix-failing-unit-tests-for-systemd.patch
  * fix-for-log-checking-in-x509-test.patch
  * fix-for-some-cves-bsc1181550.patch
  * fix-for-temp-folder-definition-in-loader-unit-test.patch
  * fix-git_pillar-merging-across-multiple-__env__-repos.patch
  * fix-grains.test_core-unit-test-277.patch
  * fix-ipv6-scope-bsc-1108557.patch
  * fix-issue-parsing-errors-in-ansiblegate-state-module.patch
  * fix-memory-leak-produced-by-batch-async-find_jobs-me.patch
  * fix-novendorchange-option-284.patch
  * fix-onlyif-unless-when-multiple-conditions-bsc-11808.patch
  * fix-regression-on-cmd.run-when-passing-tuples-as-cmd.patch
  * fix-save-for-iptables-state-module-bsc-1185131-372.patch
  * fix-the-removed-six.itermitems-and-six.-_type-262.patch
  * fix-unit-test-for-grains-core.patch
  * fix-unit-tests-for-batch-async-after-refactor.patch
  * fix-virt.update-with-cpu-defined-263.patch
  * fix-zypper-pkg.list_pkgs-expectation-and-dpkg-mockin.patch
  * fix-zypper.list_pkgs-to-be-aligned-with-pkg-state.patch
  * fixed-bug-lvm-has-no-parttion-type.-the-scipt-later-.patch
  * fixes-cve-2018-15750-cve-2018-15751.patch
  * fixing-streamclosed-issue.patch
  * get-os_arch-also-without-rpm-package-installed.patch
  * grains-master-can-read-grains.patch
  * grains.extra-support-old-non-intel-kernels-bsc-11806.patch
  * handle-master-tops-data-when-states-are-applied-by-t.patch
  * handle-volumes-on-stopped-pools-in-virt.vm_info-373.patch
  * implement-network.fqdns-module-function-bsc-1134860-.patch
  * improve-batch_async-to-release-consumed-memory-bsc-1.patch
  * integration-of-msi-authentication-with-azurearm-clou.patch
  * invalidate-file-list-cache-when-cache-file-modified-.patch
  * loop-fix-variable-names-for-until_no_eval.patch
  * loosen-azure-sdk-dependencies-in-azurearm-cloud-driv.patch
  * make-profiles-a-package.patch
  * move-server_id-deprecation-warning-to-reduce-log-spa.patch
  * move-vendor-change-logic-to-zypper-class-355.patch
  * open-suse-3002.2-bigvm-310.patch
  * open-suse-3002.2-virt-network-311.patch
  * open-suse-3002.2-xen-grub-316.patch
  * opensuse-3000-libvirt-engine-fixes-251.patch
  * opensuse-3000-virt-defined-states-222.patch
  * opensuse-3000.2-virt-backports-236-257.patch
  * opensuse-3000.3-spacewalk-runner-parse-command-250.patch
  * option-to-en-disable-force-refresh-in-zypper-215.patch
  * parsing-epoch-out-of-version-provided-during-pkg-rem.patch
  * path-replace-functools.wraps-with-six.wraps-bsc-1177.patch
  * pkgrepo-support-python-2.7-function-call-295.patch
  * prevent-ansiblegate-unit-tests-to-fail-on-ubuntu.patch
  * prevent-command-injection-in-the-snapper-module-bsc-.patch
  * prevent-import-errors-when-running-test_btrfs-unit-t.patch
  * prevent-logging-deadlock-on-salt-api-subprocesses-bs.patch
  * prevent-race-condition-on-sigterm-for-the-minion-bsc.patch
  * prevent-systemd-run-description-issue-when-running-a.patch
  * prevent-test_mod_del_repo_multiline_values-to-fail.patch
  * provide-the-missing-features-required-for-yomi-yet-o.patch
  * python3.8-compatibility-pr-s-235.patch
  * re-adding-function-to-test-for-root.patch
  * regression-fix-of-salt-ssh-on-processing-targets-353.patch
  * reintroducing-reverted-changes.patch
  * remove-arch-from-name-when-pkg.list_pkgs-is-called-w.patch
  * remove-deprecated-usage-of-no_mock-and-no_mock_reaso.patch
  * remove-deprecated-warning-that-breaks-miniion-execut.patch
  * remove-duplicated-method-definitions-in-salt.netapi-.patch
  * remove-msgpack-1.0.0-requirement-in-the-installed-me.patch
  * remove-unnecessary-yield-causing-badyielderror-bsc-1.patch
  * remove-vendored-backports-abc-from-requirements.patch
  * remove-wrong-_parse_cpe_name-from-grains.core-452.patch
  * revert-add-patch-support-for-allow-vendor-change-opt.patch
  * sanitize-grains-loaded-from-roster_grains.json.patch
  * strip-trailing-from-repo.uri-when-comparing-repos-in.patch
  * support-config-non-root-permission-issues-fixes-u-50.patch
  * support-for-btrfs-and-xfs-in-parted-and-mkfs.patch
  * support-transactional-systems-microos-271.patch
  * templates-move-the-globals-up-to-the-environment-jin.patch
  * transactional_update-detect-recursion-in-the-executo.patch
  * transactional_update-unify-with-chroot.call.patch
  * use-current-ioloop-for-the-localclient-instance-of-b.patch
  * use-threadpool-from-multiprocessing.pool-to-avoid-le.patch
  * vendor-stateresult.patch
  * virt-adding-kernel-boot-parameters-to-libvirt-xml-55.patch
  * virt-pass-emulator-when-getting-domain-capabilities-.patch
  * virt-uefi-fix-backport-312.patch
  * virt-use-dev-kvm-to-detect-kvm-383.patch
  * virt._get_domain-don-t-raise-an-exception-if-there-i.patch
  * virt.network_update-handle-missing-ipv4-netmask-attr.patch
  * xen-disk-fixes-264.patch
  * xfs-do-not-fails-if-type-is-not-present.patch
  * zypperpkg-filter-patterns-that-start-with-dot-244.patch
- Renamed and modified:
  * 3002.2-do-not-consider-skipped-targets-as-failed-for.patch -> 3003.3-do-not-consider-skipped-targets-as-failed-for.patch
  * 3002.2-postgresql-json-support-in-pillar-424.patch -> 3003.3-postgresql-json-support-in-pillar-423.patch
  * add-salt-ssh-support-with-venv-salt-minion-3002.2-47.patch -> add-salt-ssh-support-with-venv-salt-minion-3004-493.patch
  * allow-vendor-change-option-with-zypper-313.patch -> allow-vendor-change-option-with-zypper.patch
  * fix-inspector-module-export-function-bsc-1097531-480.patch -> fix-inspector-module-export-function-bsc-1097531-481.patch
  * fix-salt-ssh-opts-poisoning-bsc-1197637-3002.2-500.patch -> fix-salt-ssh-opts-poisoning-bsc-1197637-3004-501.patch
  * fix-state.orchestrate_single-to-not-pass-pillar-none.patch -> state.orchestrate_single-does-not-pass-pillar-none-4.patch
  * fix-traceback.-_exc-calls-429.patch -> fix-traceback.print_exc-calls-for-test_pip_state-432.patch
  * mock-ip_addrs-in-utils-minions.py-unit-test-444.patch -> mock-ip_addrs-in-utils-minions.py-unit-test-443.patch
  * support-transactional-systems-microos-271.patch -> support-transactional-systems-microos.patch
- Fix regression preventing bootstrapping new clients caused by
  redundant dependency on psutil (bsc#1197533)
- Prevent data pollution between actions proceesed at the same time (bsc#1197637)
- Added:
  * fix-regression-with-depending-client.ssh-on-psutil-b.patch
  * prevent-affection-of-ssh.opts-with-lazyloader-bsc-11.patch
- Fix salt-ssh opts poisoning (bsc#1197637)
- Clear network interfaces cache on grains request (bsc#1196050)
- Add salt-ssh with Salt Bundle support (venv-salt-minion)
- (bsc#1182851, bsc#1196432)
- Remove duplicated method definitions in salt.netapi
- Restrict "/state.orchestrate_single"/ to pass a pillar value if it exists (bsc#1194632)
- Added:
  * clear-network-interface-cache-when-grains-are-reques.patch
  * remove-duplicated-method-definitions-in-salt.netapi-.patch
  * fix-salt-ssh-opts-poisoning-bsc-1197637-3002.2-500.patch
  * add-salt-ssh-support-with-venv-salt-minion-3002.2-47.patch
  * fix-state.orchestrate_single-to-not-pass-pillar-none.patch
- Renamed:
  * patch_for_cve_bsc1197417.patch -> fix-multiple-security-issues-bsc-1197417.patch
- Fix multiple security issues (bsc#1197417)
  * Sign authentication replies to prevent MiTM (CVE-2022-22935)
  * Sign pillar data to prevent MiTM attacks. (CVE-2022-22934)
  * Prevent job and fileserver replays (CVE-2022-22936)
  * Fixed targeting bug, especially visible when using syndic and user auth. (CVE-2022-22941)
- Added:
  * patch_for_cve_bsc1197417.patch
- Fix inspector module export function (bsc#1097531)
- Add all ssh kwargs to sanitize_kwargs method
- Wipe NOTIFY_SOCKET from env in cmdmod (bsc#1193357)
- Don't check for cached pillar errors on state.apply (bsc#1190781)
- Simplify "/transactional_update"/ module to not use SSH wrapper and allow more flexible execution
- Add "/--no-return-event"/ option to salt-call to prevent sending return event back to master.
- Make "/state.highstate"/ to acts on concurrent flag.
- Added:
  * fix-inspector-module-export-function-bsc-1097531-480.patch
  * vendor-stateresult.patch
  * wipe-notify_socket-from-env-in-cmdmod-bsc-1193357-30.patch
  * add-all-ssh-kwargs-to-sanitize_kwargs-method-3002.2-.patch
  * refactor-and-improvements-for-transactional-updates-.patch
  * state.apply-don-t-check-for-cached-pillar-errors.patch
samba
- Adjust systemd tmpfiles.d configuration, use /run/samba instead of
  /var/run/samba; (bsc#1134046);
- CVE-2021-44142: Out-of-Bound Read/Write on Samba vfs_fruit
  module; (bsc#1194859); (bso#14914).
sapconf
- version update from 5.0.3 to 5.0.4
- change block device handling to handle multipath devices
  correctly. Only the DM multipath devices (mpath) will be used for
  the settings, but not its paths.
  (bsc#1188743)
- fixed wrong comparison used for setting force_latency
  (bsc#1185702)
- SAP Note 1771258 v6 updates nofile values to 1048576
  (bsc#1192841)
sudo
- Add support in the LDAP filter for negated users, patch taken
  from upstream (jsc#20068)
  * Adds sudo-feature-negated-LDAP-users.patch
- Restrict use of sudo -U other -l to people who have permission
  to run commands as that user (bsc#1181703, jsc#SLE-22569)
  * feature-upstream-restrict-sudo-U-other-l.patch
supportutils
- Spec file adjusted for usr-merge
- Changes to version 3.1.20
  + Added command blkid #114
  + Added s390x specific files and output #115
  + Fix for invalid argument during updates (bsc#1193204)
  + Optimized conf_files, conf_files_text and log_cmd functions #118
  + Fixed iscsi initiator name (bsc#1195797)
  + Added rpcinfo -p output #116
  + Included /etc/sssd/conf.d configuration files #100
- Changes to version 3.1.19
  + Made /proc directory and network names spaces configurable (bsc#1193868)
- Changes to version 3.1.19
  + Removed chronyc DNS lookups with -n switch (bsc#1193732)
- Merged Include udev rules in /lib/udev/rules.d/ #113
- Merged Move localmessage/warm logs out of messages.txt to new localwarn.txt #87
- getappcore identifies compressed core files (bsc#1191794)
- Installing to /usr/sbin instead of /sbin (bsc#1191096)
- Added shared memory as a log directory for emergency use (bsc#1190943)
- Fixed cron package for RPM validation (bsc#1190315)
- Updated spec file with correct URL
- Changes to version 3.1.18
  + Added email.txt based on OPTION_EMAIL #108 (bsc#1189028)
  + Include 'multipath -t' output in mpio.txt #105
  + Improved lsblk readability with --ascsi #106
  + Removed duplicate commands in network.txt
  + Remove duplicate firewalld status output #109
supportutils-plugin-suse-public-cloud
- Update to version 1.0.6 (bsc#1195095, bsc#1195096)
  + Include cloud-init logs whenever they are present
  + Update the packages we track in AWS, Azure, and Google
  + Include the ecs logs for AWS ECS instances
suse-build-key
- still ship the old ptf key (was not added to documentation by mistake).
  (bsc#1198504)
- No longer install 1024bit keys by default. (bsc#1197293)
  - SLE11 key moved to documentation
  - old PTF (pre March 2022) moved to documentation only
- extended expiry of SUSE PTF key, move it to suse_ptf_key_old.asc
- added new SUSE PTF key with RSA2048 bit as suse_ptf_key.asc (bsc#1196494)
- extended expiry of SUSE SLES11 key (bsc#1194845)
- added SUSE Contaner signing key in PEM format for use e.g. by cosign.
- SUSE security key replaced with 2022 edition (E-Mail usage only). (bsc#1196495)
sysstat
- Fix possible segfault in read_task_stats() [bsc#1194679]
- Add sysstat-fix-segfault-in-read_task_stats.patch
systemd
- Import commit 5e7db68eb43ec3733c56e98262973431f57e2265
  4f00efadc7 systemd-coredump: allow setting external core size to infinity (bsc#1195899 jsc#SLE-23868 jsc#SLE-23870)
- Import commit c46bcb2df93c802f43e240ceb96eaf28027808a8
  28e379cc21 systemctl: exit with 1 if no unit files found (bsc#1193841)
* 60-io-scheduler.rules: add rules for virtual devices
    (boo#1193759)
  * 60-io-scheduler.rules: enforce "/none"/ for loop devices
    (boo#1193759)
systemd-presets-branding-SLE
- Enable suseconnect-keepalive.timer for SUSEConnect (jsc#SLE-23312)
systemd-presets-common-SUSE
- enable vgauthd service for VMWare by default (bsc#1195251)
tar
- tests-skip-time01-on-32bit-time_t.patch: Add patch to skip test
  'tests/time01.at' on platforms with 32-bit time_t for now.
- tar.spec: Reference it.
  (%check): Output the testsuite.log in case the testsuite failed.
- The following issues have already been fixed in this package but
  weren't previously mentioned in the changes file:
  * bsc#1181131, CVE-2021-20193
  * bsc#1120610
- GNU tar 1.34:
  * Fix extraction over pipe
  * Fix memory leak in read_header
  * Fix extraction when . and .. are unreadable
  * Gracefully handle duplicate symlinks when extracting
  * Re-initialize supplementary groups when switching to user
    privileges
- GNU tar 1.33:
  * POSIX extended format headers do not include PID by default
  * --delay-directory-restore works for archives with reversed
    member ordering
  * Fix extraction of a symbolic link hardlinked to another
    symbolic link
  * Wildcards in exclude-vcs-ignore mode don't match slash
  * Fix the --no-overwrite-dir option
  * Fix handling of chained renames in incremental backups
  * Link counting works for file names supplied with -T
  * Accept only position-sensitive (file-selection) options in file
    list files
- remove deprecated texinfo packaging macros
- prepare usrmerge (boo#1029961)
- Drop Requires(pre) info in the preamble: the main package does
  not contain any info files, and has not even a pre script. The
  - doc subpackage already has the correct deps.
- No longer recommend -lang: supplements are in use.
- update to version 1.32
  * Fix the use of --checkpoint without explicit --checkpoint-action
  * Fix extraction with the -U option
  * Fix iconv usage on BSD-based systems
  * Fix possible NULL dereference (savannah bug #55369)
    [bsc#1130496] [CVE-2019-9923]
  * Improve the testsuite
- remove tar-1.31-tests_dirrem.patch and
  tar-1.31-racy_compress_tests.patch that are no longer needed
  (applied usptream)
- Remove libattr-devel from buildrequires, tar no longer uses
  it but finds xattr functions in libc.
- update to version 1.31
  * Fix heap-buffer-overrun with --one-top-level, bug introduced
    with the addition of that option in 1.28
  * Support for zstd compression
  * New option '--zstd' instructs tar to use zstd as compression
    program. When listing, extractng and comparing, zstd compressed
    archives are recognized automatically. When '-a' option is in
    effect, zstd compression is selected if the destination archive
    name ends in '.zst' or '.tzst'.
  * The -K option interacts properly with member names given in the
    command line. Names of members to extract can be specified along
    with the "/-K NAME"/ option. In this case, tar will extract NAME
    and those of named members that appear in the archive after it,
    which is consistent with the semantics of the option. Previous
    versions of tar extracted NAME, those of named members that
    appeared before it, and everything after it.
  * Fix CVE-2018-20482 - When creating archives with the --sparse
    option, previous versions of tar would loop endlessly if a
    sparse file had been truncated while being archived.
- remove the following patches (upstreamed)
  * tar-1.30-tests-difflink.patch
  * tar-1.30-tests_dirrem_race.patch
- refresh add_readme-tests.patch
- add tar-1.31-tests_dirrem.patch to fix expected output in dirrem
  tests
- add tar-1.31-racy_compress_tests.patch to fix compression tests
tcpdump
- Security fix: [bsc#1195825, CVE-2018-16301]
  * Fix segfault when handling large files
  * Add tcpdump-CVE-2018-16301.patch
tiff
- security update
  * CVE-2022-0561 [bsc#1195964]
    + tiff-CVE-2022-0561.patch
  * CVE-2022-0562 [bsc#1195965]
    + tiff-CVE-2022-0562.patch
  * CVE-2022-0865 [bsc#1197066]
    + tiff-CVE-2022-0865.patch
  * CVE-2022-0909 [bsc#1197072]
    + tiff-CVE-2022-0909.patch
  * CVE-2022-0924 [bsc#1197073]
    + tiff-CVE-2022-0924.patch
  * CVE-2022-0908 [bsc#1197074]
    + tiff-CVE-2022-0908.patch
- security update
  * CVE-2022-1056 [bsc#1197631]
  * CVE-2022-0891 [bsc#1197068]
    + tiff-CVE-2022-1056,CVE-2022-0891.patch
- security update: Fix buffer overwrite
  * CVE-2019-17546[bsc#1154365]
    + tiff-CVE-2019-17546.patch
- security update: Fix heap based buffer overflow in pal2rgb
  * CVE-2017-17095[bsc#1071031]
    + tiff-CVE-2017-17095.patch
- security update: Fix OOB in _TIFFmemcpy
  * CVE-2022-22844[bsc#1194539]
    + tiff-CVE-2022-22844.patch
- security update: Fix memory allocation failure in tif_read.c
  * CVE-2020-35521[bsc#1182808] CVE-2020-35522[bsc#1182809]
    + tiff-CVE-2020-35521,CVE-2020-35522.patch
- security update: Fix DOS via invertImage()
  * CVE-2020-19131[bsc#1190312]
    + tiff-CVE-2020-19131.patch
- security update: Fix heap-based buffer overflow in TIFF2PDF tool
  * CVE-2020-35524[bsc#1182812]
    + tiff-CVE-2020-35524.patch
- security update: Fix integer overflow in tif_getimage
  * CVE-2020-35523 [bsc#1182811]
    + tiff-CVE-2020-35523.patch
tigervnc
- U_0003-Fix-rendering-on-big-endian-system.patch
  * Patch now handles properly endianness.
  * Patch modified from: 7ab92639848a6059e2b6b88499b008b9606f3af6
  * bsc#1197119
- U_0003-Fix-rendering-on-big-endian-system.patch
  * Backport to fix rendering on big endian systems.
  * bsc#1177758
timezone
- timezone update 2022a (bsc#1177460):
  * Palestine will spring forward on 2022-03-27, not -03-26*
  * zdump -v now outputs better failure indications
  * Bug fixes for code that reads corrupted TZif data
update-alternatives
- break bash <-> update-alternatives cycle by coolo's rewrite
  of %post in lua [bsc#1195654]
util-linux
- Extend cache in uuid_generate_time_generic() (bsc#1194642#c51,
  util-linux-libuuid-extend-cache.patch).
- Prevent root owning of /var/lib/libuuid/clock.txt
  (bsc#1194642, util-linux-uuidd-prevent-root-owning.patch).
- Warn if uuidd lock state is not usable (bsc#1194642,
  util-linux-uuidd-check-lock-state.patch).
- Fix "/su -s"/ bash completion
  (bsc#1172427, util-linux-bash-completion-su-chsh-l.patch).
util-linux-systemd
- Extend cache in uuid_generate_time_generic() (bsc#1194642#c51,
  util-linux-libuuid-extend-cache.patch).
- Prevent root owning of /var/lib/libuuid/clock.txt
  (bsc#1194642, util-linux-uuidd-prevent-root-owning.patch).
- Warn if uuidd lock state is not usable (bsc#1194642,
  util-linux-uuidd-check-lock-state.patch).
- Fix "/su -s"/ bash completion
  (bsc#1172427, util-linux-bash-completion-su-chsh-l.patch).
vim
- Deleted patches:
  * restrict-shell-commands.patch
  * source-check-sandbox.patch
  * vim-8.0.1568-CVE-2021-3778.patch
  * vim-8.0.1568-CVE-2021-3796.patch
  * vim-8.0.1568-CVE-2021-3872.patch
  * vim-8.0.1568-CVE-2021-3927.patch
  * vim-8.0.1568-CVE-2021-3928.patch
  * vim-8.0.1568-CVE-2021-3984.patch
  * vim-8.0.1568-CVE-2021-4019.patch
  * vim-8.0.1568-CVE-2021-4193.patch
  * vim-8.0.1568-CVE-2021-46059.patch
  * vim-8.0.1568-CVE-2022-0319.patch
  * vim-8.0.1568-CVE-2022-0351.patch
  * vim-8.0.1568-CVE-2022-0361.patch
  * vim-8.0.1568-CVE-2022-0413.patch
  * vim-8.0.1568-globalvimrc.patch
- Added patches:
  * vim-8.1.0297-dump3.patch
  * vim-8.2.2411-globalvimrc.patch
  * disable-unreliable-tests-arch.patch
- Updated patches:
  * disable-unreliable-tests.patch
  * vim-7.3-filetype_changes.patch
  * vim-7.3-filetype_ftl.patch
  * vim-7.3-filetype_spec.patch
  * vim-7.3-gvimrc_fontset.patch
  * vim-7.3-help_tags.patch
  * vim-7.3-mktemp_tutor.patch
  * vim-7.3-name_vimrc.patch
  * vim-7.3-sh_is_bash.patch
  * vim-7.3-use_awk.patch
  * vim-7.4-disable_lang_no.patch
  * vim-7.4-filetype_apparmor.patch
  * vim-7.4-filetype_mine.patch
  * vim-7.4-highlight_fstab.patch
  * vim-8.0-ttytype-test.patch
  * vim-8.0.1568-defaults.patch
  * vim73-no-static-libpython.patch
- Updated to version 8.2 with patch level 5038, fixes the following problems
  * Fixing bsc#1191770 VUL-0: CVE-2021-3875: vim: heap-based buffer overflow
  * Fixing bsc#1192167 VUL-0: CVE-2021-3903: vim: heap-based buffer overflow
  * Fixing bsc#1192902 VUL-0: CVE-2021-3968: vim: vim is vulnerable to
    Heap-based Buffer Overflow
  * Fixing bsc#1192903 VUL-0: CVE-2021-3973: vim: vim is vulnerable to
    Heap-based Buffer Overflow
  * Fixing bsc#1192904 VUL-0: CVE-2021-3974: vim: vim is vulnerable to Use
    After Free
  * Fixing bsc#1193466 VUL-1: CVE-2021-4069: vim: use-after-free in ex_open()
    in src/ex_docmd.c
  * Fixing bsc#1193905 VUL-0: CVE-2021-4136: vim: vim is vulnerable to
    Heap-based Buffer Overflow
  * Fixing bsc#1194093 VUL-1: CVE-2021-4166: vim: vim is vulnerable to
    Out-of-bounds Read
  * Fixing bsc#1194216 VUL-1: CVE-2021-4193: vim: vulnerable to
    Out-of-bounds Read
  * Fixing bsc#1194217 VUL-0: CVE-2021-4192: vim: vulnerable to Use After Free
  * Fixing bsc#1194872 VUL-0: CVE-2022-0261: vim: Heap-based Buffer Overflow
    in vim prior to 8.2.
  * Fixing bsc#1194885 VUL-0: CVE-2022-0213: vim: vim is vulnerable to
    Heap-based Buffer Overflow
  * Fixing bsc#1195004 VUL-0: CVE-2022-0318: vim: Heap-based Buffer Overflow in
    vim prior to 8.2.
  * Fixing bsc#1195203 VUL-0: CVE-2022-0359: vim: heap-based buffer overflow in
    init_ccline() in ex_getln.c
  * Fixing bsc#1195354 VUL-0: CVE-2022-0407: vim: Heap-based Buffer Overflow in
    Conda vim prior to 8.2.
  * Fixing bsc#1198596 VUL-0: CVE-2022-1381: vim: global heap buffer overflow
    in skip_range
  * Fixing bsc#1199331 VUL-0: CVE-2022-1616: vim: Use after free in
    append_command
  * Fixing bsc#1199333 VUL-0: CVE-2022-1619: vim: Heap-based Buffer Overflow in
    function cmdline_erase_chars
  * Fixing bsc#1199334 VUL-0: CVE-2022-1620: vim: NULL Pointer Dereference in
    function vim_regexec_string
  * Fixing bsc#1199747 VUL-0: CVE-2022-1796: vim: Use After in
    find_pattern_in_path
  * Fixing bsc#1200010 VUL-0: CVE-2022-1897: vim: Out-of-bounds Write in vim
  * Fixing bsc#1200011 VUL-0: CVE-2022-1898: vim: Use After Free in vim prior
    to 8.2
  * Fixing bsc#1200012 VUL-0: CVE-2022-1927: vim: Buffer Over-read in vim prior
    to 8.2
  * Fixing bsc#1070955 VUL-1: CVE-2017-17087: vim: Sets the group ownership of a
    .swp file to the editor's primary group, which allows local users to obtain
    sensitive information
  * Fixing bsc#1194388 VUL-1: CVE-2022-0128: vim: vim is vulnerable to
    Out-of-bounds Read
  * Fixing bsc#1195332 VUL-1: CVE-2022-0392: vim: Heap-based Buffer Overflow
    in vim prior to 8.2
  * Fixing bsc#1196361 VUL-1: CVE-2022-0696: vim: NULL Pointer Dereference in
    vim prior to 8.2
  * Fixing bsc#1198748 VUL-1: CVE-2022-1420: vim: Out-of-range Pointer Offset
  * Fixing bsc#1199651 VUL-1: CVE-2022-1735: vim: heap buffer overflow
  * Fixing bsc#1199655 VUL-1: CVE-2022-1733: vim: Heap-based Buffer Overflow in
    cindent.c
  * Fixing bsc#1199693 VUL-1: CVE-2022-1771: vim: stack exhaustion in vim prior
    to 8.2.
  * Fixing bsc#1199745 VUL-1: CVE-2022-1785: vim: Out-of-bounds Write
  * Fixing bsc#1199936 VUL-1: CVE-2022-1851: vim: out of bounds read
- Minimal fix for Bug 1195004 - (CVE-2022-0318) VUL-0: CVE-2022-0318: vim:
  Heap-based Buffer Overflow in vim prior to 8.2.
  / vim-8.0.1568-CVE-2022-0413.patch
- Fixing bsc#1190570 CVE-2021-3796: vim: use-after-free in nv_replace() in
  normal.c / vim-8.0.1568-CVE-2021-3796.patch
- Fixing bsc#1191893 CVE-2021-3872: vim: heap-based buffer overflow in
  win_redr_status() drawscreen.c / vim-8.0.1568-CVE-2021-3872.patch
- Fixing bsc#1192481 CVE-2021-3927: vim: vim is vulnerable to
  Heap-based Buffer Overflow / vim-8.0.1568-CVE-2021-3927.patch
- Fixing bsc#1192478 CVE-2021-3928: vim: vim is vulnerable to
  Stack-based Buffer Overflow / vim-8.0.1568-CVE-2021-3928.patch
- Fixing bsc#1193294 CVE-2021-4019: vim: vim is vulnerable to
  Heap-based Buffer Overflow / vim-8.0.1568-CVE-2021-4019.patch
- Fixing bsc#1193298 CVE-2021-3984: vim: illegal memory access when C-indenting
  could lead to Heap Buffer Overflow / vim-8.0.1568-CVE-2021-3984.patch
- Fixing bsc#1190533 CVE-2021-3778: vim: Heap-based Buffer Overflow in regexp_nfa.c
  / vim-8.0.1568-CVE-2021-3778.patch
- Fixing bsc#1194216 CVE-2021-4193: vim: vulnerable to Out-of-bounds Read
  / vim-8.0.1568-CVE-2021-4193.patch
- Fixing bsc#1194556 CVE-2021-46059: vim: A Pointer Dereference vulnerability
  exists in Vim 8.2.3883 via the vim_regexec_multi function at regexp.c, which
  causes a denial of service. / vim-8.0.1568-CVE-2021-46059.patch
- Fixing bsc#1195066 CVE-2022-0319: vim: Out-of-bounds Read in vim/vim
  prior to 8.2. / vim-8.0.1568-CVE-2022-0319.patch
- Fixing bsc#1195126 CVE-2022-0351: vim: uncontrolled recursion in eval7()
  / vim-8.0.1568-CVE-2022-0351.patch
- Fixing bsc#1195202 CVE-2022-0361: vim: Heap-based Buffer Overflow in vim
  prior to 8.2. / vim-8.0.1568-CVE-2022-0361.patch
- Fixing bsc#1195356 CVE-2022-0413: vim: use after free in src/ex_cmds.c
  / vim-8.0.1568-CVE-2022-0413.patch
wicked
- fsm: fix device rename via yast (bsc#1194392)
  Reset worker config instead to reject a NULL/empty config
  xml node -- introduced in wicked 0.6.67 by commit c2a0385.
  [+ 0001-fsm-fix-device-rename-via-yast-bsc-1194392.patch]
- version 0.6.68
- sysctl: process sysctl.d directories as in sysctl --system
- sysctl: fix sysctl values for loopback device (bsc#1181163, bsc#1178357)
- dhcp4: add option to set route pref-src to dhcp IP (bsc#1192353)
- cleanup: warnings, time calculations and dhcp fixes (bsc#1188019)
- wireless: reconnect on unexpected wpa_supplicant restart (bsc#1183495)
- tuntap: avoid sysfs attr read error (bsc#1192311)
- ifstatus: fix warning of unexpected interface flag combination (bsc#1192164)
- dbus: config files in /usr shouldn't be marked as config in spec
- version 0.6.67
- dbus: install bus config in /usr (bsc#1183407,jsc#SLE-9750)
- logging: log reaped sub-process command and as debug, not error
- ifstatus: Don't show link as "/up"/ without RUNNING flag set
- firewalld: Make the zone assignment permanent (boo#1189560)
- fsm: cleanup and improve ifconfig and ifpolicy access utils
- dbus: cleanup the dbus-service.h file and unused property makros
- cleanup: applied code-spell run typo corrections
- dracut: initial fixes and improved option handling (boo#1182227)
- version 0.6.66
- wireless: migrate to wpa-supplicant v1 DBus interface (bsc#1156920)
  - support multiple networks configurations per interface
  - show connection status and scan-results (bsc#1160654)
  - corrected eap-tls,ttls cetificate handling and open vs. shared
    wep,open,psk,eap-tls,ttls,peap parsing from ifcfg (bsc#1057592)
  - cleanups and several other improvements, see changes
  - updated man ifcfg-wireless manual pages
- nanny: fix identify node owner exit condition
- schema: several xml-schema and dbus/property improvements
- utils: format/parse bitmap to array and string alternatives
- client: expose ethtool --get-permanent-address option
- removed sle15-sp3 patches included in the master sources (bsc#1181812)
  [- 0001-dhcp4-discover-on-reboot-timeout-after-start-delay.1181812.patch]
  [- 0002-dhcp6-request-nis-options-on-sle15-by-default.1181812.patch]
- dhcp4: discover on reboot timeout after start-delay (bsc#1181812)
  [+ 0001-dhcp4-discover-on-reboot-timeout-after-start-delay.1181812.patch]
- dhcp6: request nis options on sle15 by default (bsc#1181812)
  [+ 0002-dhcp6-request-nis-options-on-sle15-by-default.1181812.patch]
- version 0.6.65
- ifconfig: differentiate if to re-trigger dad on address updates (bsc#1177215)
- client: parse sysctl files in the correct order (bsc#1181186)
- ifup: fix for set up with unenslave from unconfigured master (boo#954329)
- rpm: prepare for new builds using usrmerged rpm macro (boo#1029961)
- rpm: Let wicked-service also provide service(network)
- cleanup: remove obsolete use-nanny=false (gh#openSUSE/wicked#815)
- dbus: add variant container, generic object-path and uint32 array macros
xen
- bsc#1199966 - VUL-0: EMBARGOED: CVE-2022-26363,CVE-2022-26364: xen:
  Insufficient care with non-coherent mappings
  fix xsa402-5.patch
- bsc#1199965 - VUL-0: CVE-2022-26362: xen: Race condition in
  typeref acquisition (XSA-401)
  xsa401-1.patch
  xsa401-2.patch
- bsc#1199966 - VUL-0: CVE-2022-26363,CVE-2022-26364: xen:
  Insufficient care with non-coherent mappings (XSA-402)
  xsa402-1.patch
  xsa402-2.patch
  xsa402-3.patch
  xsa402-4.patch
  xsa402-5.patch
- bsc#1197426 - VUL-0: CVE-2022-26358,CVE-2022-26359,
  CVE-2022-26360,CVE-2022-26361: xen: IOMMU: RMRR (VT-d) and unity
  map (AMD-Vi) handling issues (XSA-400)
  624ebcef-VT-d-dont-needlessly-look-up-DID.patch
  624ebd3b-VT-d-avoid-NULL-deref-on-dcmo-error-paths.patch
  624ebd74-VT-d-avoid-infinite-recursion-on-dcmo-error-path.patch
- bsc#1197423 - VUL-0: CVE-2022-26356: xen: Racy interactions
  between dirty vram tracking and paging log dirty hypercalls
  (XSA-397)
  xsa397.patch
- bsc#1197425 - VUL-0: CVE-2022-26357: xen: race in VT-d domain ID
  cleanup (XSA-399)
  xsa399.patch
- bsc#1197426 - VUL-0: CVE-2022-26358,CVE-2022-26359,
  CVE-2022-26360,CVE-2022-26361: xen: IOMMU: RMRR (VT-d) and unity
  map (AMD-Vi) handling issues (XSA-400)
  xsa400-00.patch
  xsa400-01.patch
  xsa400-02.patch
  xsa400-03.patch
  xsa400-04.patch
  xsa400-05.patch
  xsa400-06.patch
  xsa400-07.patch
  xsa400-08.patch
  xsa400-09.patch
  xsa400-10.patch
  xsa400-11.patch
- bsc#1196915 - VUL-0: CVE-2022-0001, CVE-2022-0002,CVE-2021-26401:
  xen: BHB speculation issues (XSA-398)
  xsa398-1.patch
  xsa398-2.patch
  xsa398-3.patch
  xsa398-4.patch
  xsa398-5.patch
  xsa398-6.patch
- bsc#1194576 - VUL-0: CVE-2022-23033: xen: arm:
  guest_physmap_remove_page not removing the p2m mappings (XSA-393)
  xsa393.patch
- bsc#1194581 - VUL-0: CVE-2022-23034: xen: a PV guest could DoS
  Xen while unmapping a grant (XSA-394)
  xsa394.patch
- bsc#1194588 - VUL-0: CVE-2022-23035: xen: insufficient cleanup of
  passed-through device IRQs (XSA-395)
  xsa395.patch
- bsc#1191668 - L3: issue around xl and virsh operation - virsh
  list not giving any output (see also bsc#1194267)
  libxl-dont-try-to-free-a-NULL-list-of-vcpus.patch
  libxl-dont-touch-nr_vcpus_out-if-listing-vcpus-and-returning-NULL.patch
- Collect active VM config files in the supportconfig plugin
  xen-supportconfig
- bsc#1191510 - [UEFI]15sp4 uefi fv guest on 12sp5 host unable to
  bootup with sriov pci device plugin
  5e15e174-libxl-dont-needlessly-report-highmem-in-use.patch
- Upstream bug fixes (bsc#1027519)
  616d66bd-x86-HVM-cleanup-after-failed-viridian_vcpu_init.patch
  616e7cfe-x86-paging-restrict-paddr-width-reported.patch
  619b7ac9-harden-assign_pages.patch
  619b8cb0-x86-PoD-misaligned-GFNs.patch
  619b8cb1-x86-PoD-intermediate-page-orders.patch
  619b8cb2-x86-P2M-set-partial-success.patch
- Drop xsa patches in favor of upstream versions
  xsa385.patch
  xsa388-1.patch
  xsa388-2.patch
  xsa389.patch
xkeyboard-config
- U_Add-the-new-AZERTY-layout-norm-NF-Z71-300.patch
  * Backport French standardized AZERTY layout (AFNOR: NF Z71-300)
    (bsc#1188867)
xz
- Fix ZDI-CAN-16587 Fix escaping of malicious filenames
  (ZDI-CAN-16587 bsc#1198062 CVE-2022-1271)
  * bsc1198062.patch
yaml-cpp
- Fix CVE-2018-20573 The Scanner:EnsureTokensInQueue function in yaml-cpp
  allows remote attackers to cause DOS via a crafted YAML file
  (CVE-2018-20573, bsc#1121227)
- Fix CVE-2018-20574 The SingleDocParser:HandleFlowMap function in
  yaml-cpp allows remote attackers to cause DOS via a crafted YAML file
  (CVE-2018-20574, bsc#1121230)
- Fix CVE-2019-6285 The SingleDocParser::HandleFlowSequence function in
  cpp allows remote attackers to cause DOS via a crafted YAML file
  (CVE-2019-6285, bsc#1122004)
- Fix CVE-2019-6292 An issue was discovered in singledocparser.cpp in
  yaml-cpp which cause DOS by stack consumption
  (CVE-2019-6292, bsc#1122021)
- Added patch cve-2018-20574.patch
yast2-add-on
- Restore the repo unexpanded URL to get it properly saved in
  the /etc/zypp/repos.d file (bsc#972046, bsc#1194851).
- 4.2.19
yast2-storage-ng
- Fix fstab entry filesystem matching allowing the use of quotes
  surrounding the device UUID or label (bsc#1197692)
- 4.2.122
zlib
- CVE-2018-25032: Fix memory corruption on deflate, bsc#1197459
  * bsc1197459.patch
zsh
- Added CVE-2019-20044.patch: fixes insecure dropping of privileges when
  unsetting PRIVILEGED option (CVE-2019-20044 bsc#1163882)
- Added CVE-2021-45444.patch: fixes a vulnerability in prompt expansion which
  could be exploited through e.g.  VCS_Info to execute arbitrary shell
  commands (CVE-2021-45444 bsc#1196435)
zypp-plugin

      
zypper
- info: print the packages upstream URL if available (fixes #426)
- info: Fix SEGV with not installed PTFs (bsc#1196317)
- Don't prevent less restrictive umasks (bsc#1195999)
- version 1.14.52
- Singletrans: handle fatal and non-fatal script errors properly.
- Add SingleTransReportReceiver.
- Immediately write out additional rpm output.
- BuildRequires:  libzypp-devel >= 17.29.0.
  Need SingleTransReport and immediate rpm script output reports.
- version 1.14.51