binutils
- Update to current 2.43.1 branch [PED-10474]:
  * PR32109 - fuzzing problem
  * PR32083 - LTO vs overridden common symbols
  * PR32067 - crash with LTO-plugin and --oformat=binary
  * PR31956 - LTO vs wrapper symbols
  * riscv - add Zimop and Zcmop extensions
- Adjusted binutils-2.43-branch.diff.gz.

- Update to version 2.43:
  * new .base64 pseudo-op, allowing base64 encoded data as strings
  * Intel APX: add support for CFCMOV, CCMP, CTEST, zero-upper, NF
    (APX_F now fully supported)
  * x86 Intel syntax now warns about more mnemonic suffixes
  * macros and .irp/.irpc/.rept bodies can use \+ to get at number
    of times the macro/body was executed
  * aarch64: support 'armv9.5-a' for -march, add support for LUT
    and LUT2
  * s390: base register operand in D(X,B) and D(L,B) can now be
    omitted (ala 'D(X,)'); warn when register type doesn't match
    operand type (use option
    'warn-regtype-mismatch=[strict|relaxed|no]' to adjust)
  * riscv: support various extensions: Zacas, Zcmp, Zfbfmin,
    Zvfbfmin, Zvfbfwma, Smcsrind/Sscsrind, XCvMem, XCvBi, XCvElw,
    XSfCease, all at version 1.0;
    remove support for assembly of privileged spec 1.9.1 (linking
    support remains)
  * arm: remove support for some old co-processors: Maverick and FPA
  * mips: '--trap' now causes either trap or breakpoint instructions
    to be emitted as per current ISA, instead of always using trap
    insn and failing when current ISA was incompatible with that
  * LoongArch: accept .option pseudo-op for fine-grained control
    of assembly code options; add support for DT_RELR
  * readelf: now displays RELR relocations in full detail;
    add -j/--display-section to show just those section(s) content
    according to their type
  * objdump/readelf now dump also .eh_frame_hdr (when present) when
    dumping .eh_frame
  * gprofng: add event types for AMD Zen3/Zen4 and Intel Ice Lake
    processors; add minimal support for riscv
  * linker:
  - put .got and .got.plt into relro segment
  - add -z isa-level-report=[none|all|needed|used] to the x86 ELF
    linker to report needed and used x86-64 ISA levels
  - add --rosegment option which changes the -z separate-code
    option so that only one read-only segment is created (instead
    of two)
  - add --section-ordering-file <FILE> option to add extra
    mapping of input sections to output sections
  - add -plugin-save-temps to store plugin intermediate files
    permanently
- Removed binutils-2.42.tar.bz2, binutils-2.42-branch.diff.gz.
- Added binutils-2.43.tar.bz2, binutils-2.43-branch.diff.gz.
- Removed upstream patch riscv-no-relax.patch.
- Rebased ld-relro.diff and binutils-revert-rela.diff.

- binutils-pr22868.diff: Remove obsolete patch
- Undefine _FORTIFY_SOURCE when running checks

- Allow to disable profiling

- Use %patch -P N instead of deprecated %patchN.

- riscv-no-relax.patch: RISC-V: Don't generate branch/jump relocation if
  symbol is local when no-relax

- Add binutils-disable-code-arch-error.diff to demote an
  error about swapped .arch/.code directives to a warning.
  It happens in the wild.

- Update to version 2.42:
  * Add support for many aarch64 extensions: SVE2.1, SME2.1, B16B16,
  RASv2, LSE128, GCS, CHK, SPECRES2, LRCPC3, THE, ITE, D128, XS and
  flags to enable them: '+fcma', '+jscvt', '+frintts', '+flagm2',
  '+rcpc2' and '+wfxt'
  * Add experimantal support for GAS to synthesize call-frame-info for
  some hand-written asm (--scfi=experimental) on x86-64.
  * Add support for more x86-64 extensions: APX: 32 GPRs, NDD, PUSH2/POP2,
  PUSHP/POPP; USER_MSR, AVX10.1, PBNDKB, SM4, SM3, SHA512, AVX-VNNI-INT16.
  * Add support for more RISC-V extensions: T-Head v2.3.0, CORE-V v1.0,
  SiFive VCIX v1.0.
  * BPF assembler: ';' separates statements now, and does not introduce
  line comments anymore (use '#' or '//' for this).
  * x86-64 ld: Add '-z mark-plt/-z nomark-plt' to mark PLT entries with
  dynamic tags.
  * risc-v ld: Add '--[no-]check-uleb128'.
  * New linker script directive: REVERSE, to be combined with SORT_BY_NAME
  or SORT_BY_INIT_PRIORITY, reverses the generated order.
  * New linker options --warn-execstack-objects (warn only about execstack
  when input object files request it), and --error-execstack plus
  - -error-rxw-segments to convert the existing warnings into errors.
  * objdump: Add -Z/--decompress to be used with -s/--full-contents to
  decompress section contents before displaying.
  * readelf: Add --extra-sym-info to be used with --symbols (currently
  prints section name of references section index).
  * objcopy: Add --set-section-flags for x86_64 to include
  SHF_X86_64_LARGE.
  * s390 disassembly: add target-specific disasm option 'insndesc',
  as in "objdump -M insndesc" to display an instruction description
  as comment along with the disassembly.
- Add binutils-2.42-branch.diff.gz.
- Rebased s390-biarch.diff.
- Adjusted binutils-revert-hlasm-insns.diff,
  binutils-revert-plt32-in-branches.diff and binutils-revert-rela.diff
  for upstream changes.
- Removed binutils-2.41-branch.diff.gz, binutils-2.41.tar.bz2,
  binutils-2.41-branch.diff.gz.
- Removed binutils-use-less-memory.diff, binutils-old-makeinfo.diff
  and riscv-relro.patch (all upstreamed).
- Removed add-ulp-section.diff, we use a different mechanism
  for live patching since a long time.

- Add binutils-use-less-memory.diff to be a little nicer to 32bit
  userspace and huge links.  [bsc#1216908]

- riscv-relro.patch: RISC-V: Protect .got with relro

- Add libzstd-devel to Requires of binutils-devel. (bsc#1215341)
ca-certificates-mozilla
- Updated to 2.68 state of Mozilla SSL root CAs (bsc#1227525)
  - Added: FIRMAPROFESIONAL CA ROOT-A WEB
  - Distrust: GLOBALTRUST 2020

- Updated to 2.66 state of Mozilla SSL root CAs (bsc#1220356)
  Added:
  - CommScope Public Trust ECC Root-01
  - CommScope Public Trust ECC Root-02
  - CommScope Public Trust RSA Root-01
  - CommScope Public Trust RSA Root-02
  - D-Trust SBR Root CA 1 2022
  - D-Trust SBR Root CA 2 2022
  - Telekom Security SMIME ECC Root 2021
  - Telekom Security SMIME RSA Root 2023
  - Telekom Security TLS ECC Root 2020
  - Telekom Security TLS RSA Root 2023
  - TrustAsia Global Root CA G3
  - TrustAsia Global Root CA G4
  Removed:
  - Autoridad de Certificacion Firmaprofesional CIF A62634068
  - Chambers of Commerce Root - 2008
  - Global Chambersign Root - 2008
  - Security Communication Root CA
  - Symantec Class 1 Public Primary Certification Authority - G6
  - Symantec Class 2 Public Primary Certification Authority - G6
  - TrustCor ECA-1
  - TrustCor RootCert CA-1
  - TrustCor RootCert CA-2
  - VeriSign Class 1 Public Primary Certification Authority - G3
  - VeriSign Class 2 Public Primary Certification Authority - G3
- remove-trustcor.patch: removed, now upstream
- do a versioned obsoletes of "openssl-certs".
cloud-regionsrv-client
- Update to 10.3.4
  + Modify the message when network access over a specific IP version does
    not work. This is an informational message and should not look like
    an error
  + Inform the user that LTSS registration takes a little longer
  + Add fix-for-sles12-no-trans_update.patch
    + SLE 12 family has no products with transactional-update we do not
    need to look for this condition
- From 10.3.3 (bsc#1229472)
  + Handle changes in process structure to properly identify the running
    zypper parent process and only check for 1 PID
- From 10.3.2
  + Remove rgnsrv-clnt-fix-docker-setup.patch included upstream
- From 10.3.1 (jsc#PCT-400)
  + Add support for LTSS registration
  + Add fix-for-sles12-disable-registry.patch
    ~ No container support in SLE 12

- Add rgnsrv-clnt-fix-docker-setup.patch (bsc#1229137)
  + The entry for the update infrastructure registry mirror was written
    incorrectly causing docker daemon startup to fail.

- Update to version 10.3.0 (bsc#1227308, bsc#1222985)
  + Add support for sidecar registry
    Podman and rootless Docker support to set up the necessary
    configuration for the container engines to run as defined
  + Add running command as root through sudoers file

- Update to version 10.2.0 (bsc#1223571, bsc#1224014, bsc#1224016)
  + In addition to logging, write message to stderr when registration fails
  + Detect transactional-update system with read only setup and use
    the transactional-update command to register
  + Handle operation in a different target root directory for credentials
    checking
kernel-default
- Update patches.suse/usb-f_fs-Fix-use-after-free-for-epfile.patch
  (git-fixes bsc#1228040 CVE-2022-48822).
- commit 2c8d4da

- ima: Fix use-after-free on a dentry's dname.name (bsc#1227716
  CVE-2024-39494).
- commit f6c5c97

- ASoC: topology: Fix route memory corruption (CVE-2024-41069
  bsc#1228644).
- commit f66560f

- IB/core: Implement a limit on UMAD receive List (bsc#1228743 CVE-2024-42145)
- commit f02f32a

- ASoC: topology: Fix references to freed memory (CVE-2024-41069
  bsc#1228644).
- commit 92df0ca

- hfsplus: fix uninit-value in copy_name (bsc#1228561
  CVE-2024-41059).
- commit 97ed148

- dmaengine: idxd: Fix possible Use-After-Free in
  irq_process_work_list (CVE-2024-40956 bsc#1227810).
- commit 26f1077

- ocfs2: fix DIO failure due to insufficient transaction credits
  (bsc#1216834).
- commit 300f953

- SUNRPC: Fix UAF in svc_tcp_listen_data_ready() (CVE-2023-52885
  bsc#1227750).
- commit e97b8a4

- scsi: pm8001: Fix use-after-free for aborted SSP/STP sas_task
  (bsc#1228013 CVE-2022-48792).
- commit e1a6b29

- tap: add missing verification for short frame (CVE-2024-41090
  bsc#1228328).
- commit ebf78ce

- ipv6: fix another slab-out-of-bounds in fib6_nh_flush_exceptions
  (CVE-2021-47291 bsc#1224918).
- ipv6: Fix KASAN: slab-out-of-bounds Read in
  fib6_nh_flush_exceptions (bsc#1224918 CVE-2021-47126
  bsc#1221539).
- commit 8e8ce7c

- drm/amdkfd: don't allow mapping the MMIO HDP page with large
  pages (CVE-2024-41011 bsc#1228115).
- commit 71f4e95

- sch_cake: do not call cake_destroy() from cake_init()
  (CVE-2021-47598 bsc#1226574).
- commit bd20b3c

- scsi: scsi_debug: Fix type in min_t to avoid stack OOB
  (bsc#1226550 CVE-2021-47580).
- scsi: scsi_debug: Fix out-of-bound read in resp_report_tgtpgs()
  (bsc#1222824 CVE-2021-47219).
- commit 2e165bd

- X.509: Fix the parser of extended key usage for length
  (bsc#1218820 bsc#1226666).
- commit 2d78310

- gve: Clear napi->skb before dev_kfree_skb_any() (CVE-2024-40937
  bsc#1227836).
- commit 2df93fe

- Update References
  patches.suse/Bluetooth-SMP-Fail-if-remote-and-local-public-keys-a.patch
  (bsc#1186463 CVE-2021-0129 CVE-2020-26558 bsc#1179610
  CVE-2020-26558).
- commit d06a0d0

- Update
  patches.suse/Bluetooth-SMP-Fail-if-remote-and-local-public-keys-a.patch
  (bsc#1186463 CVE-2021-0129 CVE-2020-26558 bsc#1179610
  CVE-2020-26558).
- commit 9cfc088

- misc: fastrpc: avoid double fput() on failed usercopy
  (CVE-2022-48821 bsc#1227976).
- commit 57e770a

- Update
  patches.suse/tls-fix-use-after-free-on-failed-backlog-decryption.patch
  (CVE-2024-26583 CVE-2024-26584 bsc#1220185 bsc#1220186
  CVE-2024-26800 bsc#1222728).
- commit 72c3b29

- Update
  patches.suse/powerpc-powernv-Add-a-null-pointer-check-in-opal_eve.patch
  (bsc#1065729 CVE-2023-52686 bsc#1224682).
- Update
  patches.suse/scsi-qedf-Ensure-the-copied-buf-is-NUL-terminated.patch
  (bsc#1226758 CVE-2024-38559 bsc#1226785).
- commit 53c517e

- nfsd: fix use-after-free due to delegation race (CVE-2021-47506
  bsc#1225404 bsc#1227497).
- commit b195c7b

- Update
  patches.suse/net-tls-factor-out-tls_-crypt_async_wait.patch.
- fix build warning
- commit 7f81dcf

- Fix spurious WARNING caused by a qxl driver patch (bsc#1227213)
  Refresh patches.suse/drm-qxl-fix-UAF-on-handle-creation.patch
- commit e245863

- Update
  patches.suse/scsi-qedf-Ensure-the-copied-buf-is-NUL-terminated.patch
  (bsc#1226785 CVE-2024-38559).
  Fix incorrect bug reference.
- commit 7bd70b9

- can: pch_can: pch_can_rx_normal: fix use after free (bsc#1225431
  CVE-2021-47520).
- commit 0094102

- powerpc/rtas: Prevent Spectre v1 gadget construction in
  sys_rtas() (bsc#1227487).
- commit 74bce38

- blacklist.conf:
- commit cdd4002

- NFS: Don't overfill uncached readdir pages (bsc#1226662).
- commit d0f2933

- tls: fix use-after-free on failed backlog decryption
  (CVE-2024-26583 CVE-2024-26584 bsc#1220185 bsc#1220186).
- tls: separate no-async decryption request handling from async
  (CVE-2024-26583 CVE-2024-26584 bsc#1220185 bsc#1220186).
- tls: decrement decrypt_pending if no async completion will be
  called (CVE-2024-26583 CVE-2024-26584 bsc#1220185 bsc#1220186).
- net: tls: handle backlogging of crypto requests (CVE-2024-26584
  bsc#1220186).
- tls: fix race between tx work scheduling and socket close
  (CVE-2024-26585 bsc#1220187).
- tls: fix race between async notify and socket close
  (CVE-2024-26583 bsc#1220185).
- net: tls: factor out tls_*crypt_async_wait() (CVE-2024-26583
  CVE-2024-26584 bsc#1220185 bsc#1220186).
- net: tls: fix async vs NIC crypto offload (CVE-2024-26583
  CVE-2024-26584 bsc#1220185 bsc#1220186).
- tls: rx: use async as an in-out argument (CVE-2024-26583
  CVE-2024-26584 bsc#1220185 bsc#1220186).
- tls: rx: assume crypto always calls our callback (CVE-2024-26583
  CVE-2024-26584 bsc#1220185 bsc#1220186).
- tls: rx: don't track the async count (CVE-2024-26583
  CVE-2024-26584 bsc#1220185 bsc#1220186).
- tls: rx: simplify async wait (CVE-2024-26583 CVE-2024-26584
  bsc#1220185 bsc#1220186).
- tls: rx: wrap decryption arguments in a structure
  (CVE-2024-26583 CVE-2024-26584 bsc#1220185 bsc#1220186).
- tls: rx: don't report text length from the bowels of decrypt
  (CVE-2024-26583 CVE-2024-26584 bsc#1220185 bsc#1220186).
- tls: rx: drop unnecessary arguments from tls_setup_from_iter()
  (CVE-2024-26583 CVE-2024-26584 bsc#1220185 bsc#1220186).
- net/tls: race causes kernel panic (CVE-2024-26583 CVE-2024-26584
  bsc#1220185 bsc#1220186).
- commit cf4818b

- Delete
  patches.suse/tls-fix-race-between-tx-work-scheduling-and-socket-c.patch.
  Will be replaced with refreshed version once all conflicting patches are in.
- commit e1dd229

- dm btree remove: fix use after free in rebalance_children()
  (CVE-2021-47600, bsc#1226575).
- commit 088e9db
containerd
- Update to containerd v1.7.21. Upstream release notes:
  <https://github.com/containerd/containerd/releases/tag/v1.7.21>
  Fixes CVE-2023-47108. bsc#1217070
  Fixes CVE-2023-45142. bsc#1228553
- Rebase patches:
  * 0001-BUILD-SLE12-revert-btrfs-depend-on-kernel-UAPI-inste.patch
cups
- cups-branch-2.2-commit-b643d6ba92f00752aa5e74ff86ad3974334914c1.diff
  is https://github.com/OpenPrinting/cups/commit/b643d6ba92f00752aa5e74ff86ad3974334914c1
  which was added in CUPS 2.2.8 that
  fixed a parsing bug in cups_auth_find() in cups/auth.c
  which lead to cupsd failing to authenticate users
  when group membership is required by cupsd configuration
  like 'Require user @GROUP' which lead to CUPS related commands
  requesting password from group users even if it is not needed
  (bsc#1226227)
- In cups.changes replaced one place where UTF-8 characters
  were used in the entry dated "Sat Sep 30 08:52:42 UTC 2017"
  for what should be ' - ' by ASCII to avoid RPMLINT warning
  about 'non-break-space' which "can lead to obscure errors".
curl
- Security fix: [bsc#1230093, CVE-2024-8096]
  * curl: OCSP stapling bypass with GnuTLS
  * Add curl-CVE-2024-8096.patch

- Security fix: [bsc#1228535, CVE-2024-7264]
  * curl: ASN.1 date parser overread
  * Add curl-CVE-2024-7264.patch
deltarpm
- update to deltarpm-3.6.4
  * support for threaded zstd
  * use a tmp file instead of memory to hold the incore data
    [bsc#1228948]
- dropped patches:
  * deltarpm-b7987f6aa4211df3df03dcfc55a00b2ce7472e0a.patch

- deltarpm-b7987f6aa4211df3df03dcfc55a00b2ce7472e0a.patch: fixed
  some C bugs ( incorrect sized memset() , memcpy instead of strcpy,
  unsigned int)

- update to deltarpm-3.6.3
  * support for threaded zstd compression

- Actually enable zstd compression

- update to deltarpm-3.6.2
  * support for zstd compression
glib2
- Add glib2-gdbusmessage-cache-arg0.patch: cache the arg0 value in
  a dbus message. Fixes a possible use after free (boo#1224044).
glibc
- s390x-wcsncmp.patch: s390x: Fix segfault in wcsncmp (bsc#1228043, BZ
  [#31934])
grub2
- Fix btrfs subvolume for platform modules not mounting at runtime when the
  default subvolume is the topmost root tree (bsc#1228124)
  * grub2-btrfs-06-subvol-mount.patch
- Rediff
  * 0001-Unify-the-check-to-enable-btrfs-relative-path.patch
gtk2
- Add CVE-2024-6655.patch: CVE-2024-6655 Stop looking for modules
  in cwd (bsc#1228120).
libqt5-qtbase
- Added a patch from upstream to prepare the code so that the
  following patch can be applied (which fixes QTBUG-95277):
  * 0001-H2-emit-encrypted-for-at-least-the-first-reply_-similar-to.patch
- Add rebased upstream patch to delay any HTTP2 communication until
  encrypted() can be responded to (bsc#1227426, CVE-2024-39936).
  * 0001-HTTP2-Delay-any-communication-until-encrypted-can-be.patch
- Add upstream patch to fix a NULL pointer dereference via the
  function QXcbConnection::initializeAllAtoms() when there is
  anomalous behavior from the X server (bsc#1222120,
  CVE-2023-45935):
  * 0001-xcb-guard-a-pointer-before-usage.patch

- Add patch from upstream to fix a regression in the ODBC driver
  (bsc#1227513, QTBUG-112375):
  * 0001-QSQL-ODBC-fix-regression-trailing-NUL.patch
  * 0002-SQL-ODBC-Pass-correct-length-to-SQLColAttribute.patch

- Add upstream patches to fix an incorrect integer overflow check
  (boo#1218413, CVE-2023-51714):
  * 0001-HPack-fix-a-Yoda-Condition.patch
  * 0002-HPack-fix-incorrect-integer-overflow-check.patch
- Add upstream patch to fix a potential overflow in
  assemble_hpack_block():
  * 0001-Http2-fix-potential-overflow-in-assemble_hpack_block.patch

- use pkgconfig(icu-18n) to select current icu

- Add patches from upstream that fixes a buffer overflow in
  QXmlStreamReader (bsc#1214327, CVE-2023-37369, QTBUG-91889):
  * 0001-Dont-parse-XML-symbols-longer-than-4096-characters.patch
  * CVE-2023-37369-qtbase-5.15.diff
mozilla-nss
- Updated nss-fips-approved-crypto-non-ec.patch to enforce
  approved curves with the CKK_EC_MONTGOMERY key type (bsc#1224113).
openssl-1_1
- Security fix: [bsc#1227138, CVE-2024-5535]
  * SSL_select_next_proto buffer overread
  * Add openssl-CVE-2024-5535.patch
libsolv
- removed dependency on external find program in the repo2solv tool
- bindings: fix return value of repodata.add_solv()
- new SOLVER_FLAG_FOCUS_NEW flag
- bump version to 0.7.30
tiff
- security update:
  * CVE-2024-7006 [bsc#1228924]
    Fix pointer deref in tif_dirinfo.c
    + tiff-CVE-2024-7006.patch
libzypp
- Make sure not to statically linked installed tools (bsc#1228787)
- version 17.35.8 (35)

- MediaPluginType must be resolved to a valid MediaHandler
  (bsc#1228208)
- version 17.35.7 (35)

- Export CredentialManager for legacy YAST versions (bsc#1228420)
- version 17.35.6 (35)

- Export asSolvable for YAST (bsc#1228420)
- Fix 4 typos in zypp.conf.
- version 17.35.5 (35)

- Fix typo in the geoip update pipeline (bsc#1228206)
- Export RepoVariablesStringReplacer for yast2 (bsc#1228138)
- version 17.35.4 (35)

- Translation: updated .pot file.
- Conflict with python zypp-plugin < 0.6.4 (bsc#1227793)
  Older zypp-plugins reject stomp headers including a '-'. Like the
  'content-length' header we may send.
- Fix int overflow in Provider (fixes #559)
  This patch fixes an issue in safe_strtonum which caused
  timestamps to overflow in the Provider message parser.
- Fix error reporting on repoindex.xml parse error (bsc#1227625)
- version 17.35.3 (35)

- Keep UrlResolverPlugin API public (fixes #560)
- Blacklist /snap executables for 'zypper ps' (bsc#1226014)
- Fix handling of buddies when applying locks (bsc#1225267)
  Buddy pairs (like -release package and product) internally share
  the same status object. When applying locks from query results
  the locked bit must be set if either item is locked.
- version 17.35.2 (35)

- Install zypp/APIConfig.h legacy include (fixes #557)
- version 17.35.1 (35)

- Update soname due to RepoManager refactoring and cleanup.
- version 17.35.0 (35)

- Workaround broken libsolv-tools-base requirements (fixes
  openSUSE/zypper#551)
- Strip ssl_clientkey from repo urls (bsc#1226030)
- Remove protobuf build dependency.
- Lazily attach medium during refresh workflows (bsc#1223094)
- Refactor RepoManager and add Service workflows.
- version 17.34.2 (34)
pam
- Prevent cursor escape from the login prompt [bsc#1194818]
  * Added: pam-bsc1194818-cursor-escape.patch
python-PyYAML
- reenable the cython yaml loader (bsc#1225641)
python-setuptools
- Add patch CVE-2024-6345-code-execution-via-download-funcs.patch:
  * Sanitize any VCS URL we download. (CVE-2024-6345, bsc#1228105)
zypp-plugin
- Fix stomp header regex to include '-' (bsc#1227793)
- version 0.6.4

- singlespec in Tumbleweed must support multiple python3 flavors
  in the future gh#openSUSE/python-rpm-macros#66

- Provide python3-zypp-plugin down to SLE12 (bsc#1081596)

- Provide python3-zypp-plugin in SLE12-SP3 (bsc#1081596)
regionServiceClientConfigEC2
- Update to version 4.3.0 (bsc#1228363)
  + The IPv6 cert was switched up for the region server running in us-west-2
    and as such the SSL handshake was failing. Drop the incorrect cert
    and add the correct cert.

- Switch the patch syntax away form the deprecated shorthand macro

- Version 4.2.0
  Replace certs (length 4096):
  rgnsrv-ec2-cn-north1  -> 54.223.148.145 expires in 8 years
  rgnsrv-ec2-us-west2-2 -> 54.245.101.47  expires in 9 years
  Sidenote: We have one server with a short cert (2048) left;
  34.197.223.242 expires in 2027

- Version 4.1.1
  Add patch no-ipv6.patch to not serve IPv6 addresses on SLES12
  Related to bsc#1218656
runc
[ This was only ever released for SLES and Leap. ]
- Update to runc v1.1.14. Upstream changelog is available from
  <https://github.com/opencontainers/runc/releases/tag/v1.1.14>.
  Includes the patch for CVE-2024-45310. bsc#1230092
- Rebase patches:
  * 0001-bsc1221050-libct-seccomp-patchbpf-rm-duplicated-code.patch
  * 0002-bsc1221050-seccomp-patchbpf-rename-nativeArch-linuxA.patch
  * 0003-bsc1221050-seccomp-patchbpf-always-include-native-ar.patch
  * 0004-bsc1214960-nsenter-cloned_binary-remove-bindfd-logic.patch
saptune
- update package version of saptune to 3.1.3
  * remove note 1868829 from solution S4HANA-APPSERVER as it is a
    HANA DB note and was added by accident
    (bsc#1226093)
  * for verify and simulate output table - wrap content of the
    columns 'actual', 'expected' and 'override', if they exceed a
    width of 30 characters (e.g. net.ipv4.ip_local_reserved_ports)
  * support inline comments in /etc/sysconfig/saptune
  * change handling of the performance options.
    Check, if the settings are supported in the get-Functions too.
    This should fix the problem with some special Azure VMs
    (E20d_v5) on newer SLES SPs
    (jsc#SAPSOL-110)
  * SAP Note 2578899 updated to Version 48
    setting kernel.pid_max to 4194304 and
    start sysctl-logger service

- add require of package sysctl-logger for 15SP4 and 15SP5 too
  (jsc#PED-6220)
000release-packages:sle-ha-release
n/a
000release-packages:sle-module-basesystem-release
n/a
000release-packages:sle-module-desktop-applications-release
n/a
000release-packages:sle-module-development-tools-release
n/a
000release-packages:sle-module-public-cloud-release
n/a
000release-packages:sle-module-sap-applications-release
n/a
000release-packages:sle-module-server-applications-release
n/a
supportutils
- Changes to version 3.2.8
  + Avoid getting duplicate kernel verifications in boot.text (pr#190)
  + lvm: suppress file descriptor leak warnings from lvm commands (pr#191)
  + docker_info: Add timestamps to container logs (pr#196)
  + Key value pairs and container log timestamps (bsc#1222021 PED-8211, pr#198)
  + Update supportconfig get pam.d sorted (pr#199)
  + yast_files: Exclude .zcat (pr#201)
  + Sanitize grub bootloader (bsc#1227127, pr#203)
  + Sanitize regcodes (pr#204)
  + Improve product detection (pr#205)
  + Add read_values for s390x (bsc#1228265, pr#206)
  + hardware_info: Remove old alsa ver check (pr#209)
  + drbd_info: Fix incorrect escape of quotes (pr#210)
suse-build-key
- extended 2048 bit SUSE SLE 12, 15 GA-SP5 key until 2028. (bsc#1229339)
  - gpg-pubkey-39db7c82-5f68629b.asc
  + gpg-pubkey-39db7c82-66c5d91a.asc
unzip
- Use %patch -P N instead of deprecated %patchN.

- Build unzip-rcc using multibuild and update unzip-rcc.spec file
xen
- bsc#1228574 - VUL-0: CVE-2024-31145: xen: error handling in x86
  IOMMU identity mapping (XSA-460)
  xsa460.patch
- bsc#1228575 - VUL-0: CVE-2024-31146: xen: PCI device pass-through
  with shared resources (XSA-461)
  xsa461.patch
zypper
- Show rpm install size before installing (bsc#1224771)
  If filesystem snapshots are taken before the installation (e.g.
  by snapper) no disk space is freed by removing old packages. In
  this case the install size of all packages is a hint how much
  additional disk space is needed by the new packages static
  content.
- version 1.14.76

- Fix readline setup to handle Ctrl-C and Ctrl-D corrrectly
  (bsc#1227205)
- version 1.14.75

- Let_readline_abort_on_Ctrl-C (bsc#1226493)
- packages: add '--system' to show @System packages (bsc#222971)
- version 1.14.74