HANA-Firewall
- HANA-Firewall creates insufficient configuration.
  (bsc#1221231)
SAPHanaSR
- Version bump to 0.162.4
  * unify global.ini examples
  * add demo script SAPHanaSR-upgrade-to-angi-demo
  * update man pages:
    SAPHanaSR_basic_cluster.7
    SAPHanaSR_maintenance_examples.7
    SAPHanaSR_upgrade_to_angi.7
    SAPHanaSR-manageProvider.8
    SAPHanaSR-upgrade-to-angi-demo.8
    SAPHanaSR.py.7

- Version bump to 0.162.3
  * Fix the hexdump log for empty node states
  * catch monitor calls for non-cloned resources and report them as
    unsupported instead of 'command not found'
    (bsc#1218333)
  * fix scope of variable 'site' to be global
    (bsc#1219194)
  * susChkSrv.py - relocate function logTimestamp()
  * update man pages:
    SAPHanaSR.7
    ocf_suse_SAPHana.7
    SAPHanaSR_maintenance_examples.7
    SAPHanaSR.py.7
    SAPHanaSR-showAttr.8

- Version bump to 0.162.2
  * inside SAPHanaSR-hookHelper use the full path for the cibadmin
    command to support non root users in special user environments
    (bsc#1216484)
  * if the SAPHanaSR.py hook has successfully reported a SR event
    to the cluster a still existing fall-back state file will be
    removed to prevent an override of an already reported
    SR state.
    (bsc#1215693)
  * improve supportability by providing the current process ID of
    the RA, which is logged in the RA outputs, to HANA tracefiles
    too.
    This allows a mapping of the SAP related command invocations
    from the RA and the HANA executions which might have a delay
    in between.
    (bsc#1214613)
  * avoid explicid and implicid usage of /tmp filesystem to keep
    the SAPHanaSR resource agents working even in situations with
    /tmp filesystem full.
    (bsc#1210728)
  * update man pages:
    SAPHanaSR.7
    SAPHanaSR_basic_cluster.7
    SAPHanaSR_maintenance_examples.7
    ocf_suse_SAPHana.7
    ocf_suse_SAPHanaTopology.7
    susCostOpt.py.7
    SAPHanaSR-monitor.8
    SAPHanaSR-showAttr.8
  * add improvements from SAP to the RA scripts, part II
    (jsc#PED-1739, jsc#PED-2608)
aaa_base
- modify git-47-04210f8df15da0ba4d741cfe1693af06f5978a1d.patch
  to also fix the typo to set JAVA_BINDIR in the csh variant
  of the alljava profile script (bsc#1221361)

- modify git-47-04210f8df15da0ba4d741cfe1693af06f5978a1d.patch
  drop the stderr redirection for csh (bsc#1221361)
- add git-49-3f8f26123d91f70c644677a323134fc79318c818.patch
  drop sysctl.d/50-default-s390.conf (bsc#1211721)
- add aaa_base-preinstall.patch
  make sure the script does not exit with 1 if a file
  with content is found (bsc#1222547)

- add patch git-48-477bc3c05fcdabf9319e84278a1cba2c12c9ed5a.patch
  home and end button not working from ssh client (bsc#1221407)
- use autosetup in prep stage of specfile

- silence the output in the case of broken symlinks (bsc#1218232)

- fix git-47-04210f8df15da0ba4d741cfe1693af06f5978a1d.patch
  to actually apply

- replace git-47-04210f8df15da0ba4d741cfe1693af06f5978a1d.patch
  by git-47-056fc66c699a8544c7692a03c905fca568f5390b.patch
  * fix the issues from bsc#1107342 and bsc#1215434 and just
    use the settings from update-alternatives to set JAVA_HOME
autofs
- autofs-5.1.6-remove-intr-hosts-map-mount-option.patch
  Don't use the intr option on NFS mounts by default, it's been
  ignored by the kernel for a long time now. (bsc#1225130)

- autofs-5.1.8-dont-use-initgroups-at-spawn.patch
  Don't use initgroups at spawn (bsc#1214710, bsc#1221181)
bind
- Security Fixes:
  * It is possible to craft excessively large numbers of resource
    record types for a given owner name, which has the effect of
    slowing down database processing. This has been addressed by
    adding a configurable limit to the number of records that can
    be stored per name and type in a cache or zone database. The
    default is 100, which can be tuned with the new
    max-types-per-name option. (CVE-2024-1737)
    [bsc#1228256, bind-9.16-CVE-2024-1737.patch]
  * Validating DNS messages signed using the SIG(0) protocol (RFC
    2931) could cause excessive CPU load, leading to a
    denial-of-service condition. Support for SIG(0) message
    validation was removed from this version of named.
    (CVE-2024-1975)
    [bsc#1228257, bind-9.16-CVE-2024-1975.patch]

- Security Fixes:
  * Validating DNS messages containing a lot of DNSSEC signatures
    could cause excessive CPU load, leading to a denial-of-service
    condition. This has been fixed. (CVE-2023-50387)
    [bsc#1219823, bind-CVE-2023-50387-CVE-2023-50868.patch]
  * Preparing an NSEC3 closest encloser proof could cause excessiv
    CPU load, leading to a denial-of-service condition. This has
    been fixed. (CVE-2023-50868)
    [bsc#1219826, bind-CVE-2023-50387-CVE-2023-50868.patch]
  * Parsing DNS messages with many different names could cause
    excessive CPU load. This has been fixed. (CVE-2023-4408)
    [bsc#1219851, bind-CVE-2023-4408.patch]
  * Specific queries could cause named to crash with an assertion
    failure when nxdomain-redirect was enabled. This has been
    fixed. (CVE-2023-5517)
    [bsc#1219852, bind-CVE-2023-5517.patch]
  * Query patterns that continuously triggered cache database
    maintenance could cause an excessive amount of memory to be
    allocated, exceeding max-cache-size and potentially leading to
    all available memory on the host running named being exhausted
    This has been fixed. (CVE-2023-6516)
    [bsc#1219854, bind-CVE-2023-6516.patch]
ca-certificates
- Update to version 2+git20240416.98ae794 (bsc#1221184):
  * Use flock to serialize calls (boo#1188500)
  * Make certbundle.run container friendly
  * Create /var/lib/ca-certificates if needed
catatonit
- Update to catatonit v0.2.0.
  * Change license to GPL-2.0-or-later.
- Remove upstreamed patches:
  - 99bb9048f.patch
chrony
- Use make quickcheck instead of make check to avoid >1h build
  times and failures due to timeouts. This was the default before
  3.2 but it changed to make tests more reliable. Here a seed is
  already set to get deterministic execution.

- Use shorter NTS-KE retry interval when network is down
  (bsc#1213551, chrony-burst_total_samples_to_go.patch,
  chrony-retry_interval_ke_start.patch).
cloud-init
- Add cloud-init-skip-rename.patch (bsc#1219680)
  + Brute force appraoch to skip renames if the device is already present

- Add cloud-init-usr-sudoers.patch (bsc#1223469)
  + Handle the existence of /usr/etc/sudoers to search for the expected
    include location

- Update cloud-init-no-openstack-guess.patch
  + Do not enable cloud-init on systems where there is no DMI just
    because no data source has been found. No data source means
    cloud-init will not run.

- Add cloud-init-no-nmcfg-needed.patch (bsc#1221726)
  + Do not require a NetworkManager config file in order to detect
    NetworkManager as the renderer

- Add cloud-init-no-openstack-guess.patch (bsc#1222113)
  + Do not guess if we are running on OpenStack or not. Only recognize
    the known markers and enable cloud-init if we know for sure.

- Add  cloud-init-ds-deterministic.patch (bsc#1221132)
  + Do not guess a data source when checking for a CloudStack
    environment

- Hardcode distribution to suse for proper cloud.cfg generation
  (bsc#1220132).

- Prepare for RPM 4.20 switch patch syntax

- Add cloud-init-skip-empty-conf.patch
  + Skip tests with empty config

- Add cloud-init-pckg-reboot.patch (boo#1198533, bsc#1218952,  jsc#SMO-326)
  + Support reboot on package update/upgrade via the cloud-init config

- Switch build dependency to the generic distribution-release package

- Move fdupes call back to %install (boo#1214169)

- Update to version 23.3 (bsc#1216011, bsc#1215794, bsc#1215740)
  + Remove patches included upstream:
  - cloud-init-fix-ca-test.patch
  - cloud-init-cve-2023-1786-redact-instance-data-json-main.patch
  - cloud-init-power-rhel-only.patch
  - cloud-init-flake8-fixes.patch
  + Add
  - cloud-init-keep-flake.patch
  - cloud-init-lint-fixes.patch
  + Update
  - cloud-init-write-routes.patch (bsc#1216007)
  + Bump pycloudlib to 1!5.1.0 for ec2 mantic daily image support (#4390)
  + Fix cc_keyboard in mantic (LP: #2030788)
  + ec2: initialize get_instance_userdata return value to bytes (#4387)
    [Noah Meyerhans]
  + cc_users_groups: Add doas/opendoas support (#4363) [dermotbradley]
  + Fix pip-managed ansible
  + status: treat SubState=running and MainPID=0 as service exited
  + azure/imds: increase read-timeout to 30s (#4372) [Chris Patterson]
  + collect-logs fix memory usage (SC-1590) (#4289)
    [Alec Warren] (LP: #1980150)
  + cc_mounts: Use fallocate to create swapfile on btrfs (#4369) [王煎饼]
  + Undocument nocloud-net (#4318)
  + feat(akamai): add akamai to settings.py and apport.py (#4370)
  + read-version: fallback to get_version when git describe fails (#4366)
  + apt: fix cloud-init status --wait blocking on systemd v 253 (#4364)
  + integration tests: Pass username to pycloudlib (#4324)
  + Bump pycloudlib to 1!5.1.0 (#4353)
  + cloud.cfg.tmpl: reorganise, minimise/reduce duplication (#4272)
    [dermotbradley]
  + analyze: fix (unexpected) timestamp parsing (#4347) [Mina Galić]
  + cc_growpart: fix tests to run on FreeBSD (#4351) [Mina Galić]
  + subp: Fix spurious test failure on FreeBSD (#4355) [Mina Galić]
  + cmd/clean: fix tests on non-Linux platforms (#4352) [Mina Galić]
  + util: Fix get_proc_ppid() on non-Linux systems (#4348) [Mina Galić]
  + cc_wireguard: make tests pass on FreeBSD (#4346) [Mina Galić]
  + unittests: fix breakage in test_read_cfg_paths_fetches_cached_datasource
    (#4328) [Ani Sinha]
  + Fix test_tools.py collection (#4315)
  + cc_keyboard: add Alpine support (#4278) [dermotbradley]
  + Flake8 fixes (#4340) [Robert Schweikert]
  + cc_mounts: Fix swapfile not working on btrfs (#4319) [王煎饼] (LP: #1884127)
  + ds-identify/CloudStack: $DS_MAYBE if vm running on vmware/xen (#4281)
    [Wei Zhou]
  + ec2: Support double encoded userdata (#4276) [Noah Meyerhans]
  + cc_mounts: xfs is a Linux only FS (#4334) [Mina Galić]
  + tests/net: fix TestGetInterfaces' mock coverage for get_master (#4336)
    [Chris Patterson]
  + change openEuler to openeuler and fix some bugs in openEuler (#4317)
    [sxt1001]
  + Replace flake8 with ruff (#4314)
  + NM renderer: set default IPv6 addr-gen-mode for all interfaces to eui64
    (#4291) [Ani Sinha]
  + cc_ssh_import_id: add Alpine support and add doas support (#4277)
    [dermotbradley]
  + sudoers not idempotent (SC-1589)  (#4296) [Alec Warren] (LP: #1998539)
  + Added support for Akamai Connected Cloud (formerly Linode) (#4167)
    [Will Smith]
  + Fix reference before assignment (#4292)
  + Overhaul module reference page (#4237) [Sally]
  + replaced spaces with commas for setting passenv (#4269) [Alec Warren]
  + DS VMware: modify a few log level (#4284) [PengpengSun]
  + tools/read-version refactors and unit tests (#4268)
  + Ensure get_features() grabs all features (#4285)
  + Don't always require passlib dependency (#4274)
  + tests: avoid leaks into host system checking of ovs-vsctl cmd (#4275)
  + Fix NoCloud kernel commandline key parsing (#4273)
  + testing: Clear all LRU caches after each test (#4249)
  + Remove the crypt dependency (#2139) [Gonéri Le Bouder]
  + logging: keep current file mode of log file if its stricter than the
    new mode (#4250) [Ani Sinha]
  + Remove default membership in redundant groups (#4258)
    [Dave Jones] (LP: #1923363)
  + doc: improve datasource_creation.rst (#4262)
  + Remove duplicate Integration testing button (#4261) [Rishita Shaw]
  + tools/read-version: fix the tool so that it can handle version parsing
    errors (#4234) [Ani Sinha]
  + net/dhcp: add udhcpc support (#4190) [Jean-François Roche]
  + DS VMware: add i386 arch dir to deployPkg plugin search path
    [PengpengSun]
  + LXD moved from linuxcontainers.org to Canonical [Simon Deziel]
  + cc_mounts.py: Add note about issue with creating mounts inside mounts
    (#4232) [dermotbradley]
  + lxd: install lxd from snap, not deb if absent in image
  + landscape: use landscape-config to write configuration
  + Add deprecation log during init of DataSourceDigitalOcean (#4194)
    [tyb-truth]
  + doc: fix typo on apt.primary.arches (#4238) [Dan Bungert]
  + Inspect systemd state for cloud-init status (#4230)
  + instance-data: add system-info and features to combined-cloud-config
    (#4224)
  + systemd: Block login until config stage completes (#2111) (LP: #2013403)
  + tests: proposed should invoke apt-get install -t=<release>-proposed
    (#4235)
  + cloud.cfg.tmpl: reinstate ca_certs entry (#4236) [dermotbradley]
  + Remove feature flag override ability (#4228)
  + tests: drop stray unrelated file presence test (#4227)
  + Update LXD URL (#4223) [Sally]
  + schema: add network v1 schema definition and validation functions
  + tests: daily PPA for devel series is version 99.daily update tests to
    match (#4225)
  + instance-data: write /run/cloud-init/combined-cloud-config.json
  + mount parse: Fix matching non-existent directories (#4222) [Mina Galić]
  + Specify build-system for pep517 (#4218)
  + Fix network v2 metric rendering (#4220)
  + Migrate content out of FAQ page (SD-1187) (#4205) [Sally]
  + setup: fix generation of init templates (#4209) [Mina Galić]
  + docs: Correct some bootcmd example wording
  + fix changelog
  + tests: reboot client to assert x-shellscript-per-boot is triggered
  + nocloud: parse_cmdline no longer detects nocloud-net datasource (#4204)
    (LP: 4203, #2025180)
  + Add docstring and typing to mergemanydict (#4200)
  + BSD: add dsidentify to early startup scripts (#4182) [Mina Galić]
  + handler: report errors on skipped merged cloud-config.txt parts
    (LP: #1999952)
  + Add cloud-init summit writeups (#4179) [Sally]
  + tests: Update test_clean_log for oci (#4187)
  + gce: improve ephemeral fallback NIC selection (CPC-2578) (#4163)
  + tests: pin pytest 7.3.1 to avoid adverse testpaths behavior (#4184)
  + Ephemeral Networking for FreeBSD (#2165) [Mina Galić]
  + Clarify directory syntax for nocloud local filesystem. (#4178)
  + Set default renderer as sysconfig for centos/rhel (#4165) [Ani Sinha]
  + Test static routes and netplan 0.106
  + FreeBSD fix parsing of mount and mount options (#2146) [Mina Galić]
  + test: add tracking bug id (#4164)
  + tests: can't match MAC for LXD container veth due to netplan 0.106
    (#4162)
  + Add kaiwalyakoparkar as a contributor (#4156) [Kaiwalya Koparkar]
  + BSD: remove datasource_list from cloud.cfg template (#4159) [Mina Galić]
  + launching salt-minion in masterless mode (#4110) [Denis Halturin]
  + tools: fix run-container builds for rockylinux/8 git hash mismatch
    (#4161)
  + fix doc lint: spellchecker tripped up (#4160) [Mina Galić]
  + Support Ephemeral Networking for BSD (#2127)
  + Added / fixed support for static routes on OpenBSD and FreeBSD (#2157)
    [Kadir Mueller]
  + cc_rsyslog: Refactor for better multi-platform support (#4119)
    [Mina Galić] (LP: #1798055)
  + tests: fix test_lp1835584 (#4154)
  + cloud.cfg mod names: docs and rename salt_minion and set_password (#4153)
  + tests: apt support for deb822 format .sources files on mantic
  + vultr: remove check_route check (#2151) [Jonas Chevalier]
  + Update SECURITY.md (#4150) [Indrranil Pawar]
  + Update CONTRIBUTING.rst (#4149) [Indrranil Pawar]
  + Update .github-cla-signers (#4151) [Indrranil Pawar]
  + Standardise module names in cloud.cfg.tmpl to only use underscore
    (#4128) [dermotbradley]
  + tests: update test_webhook_reporting
  + Modify PR template so autoclose works
  + doc: add missing semi-colon to nocloud cmdline docs (#4120)
  + .gitignore: extend coverage pattern (#4143) [Mina Galić]
  From 23.2.2
  + Fix NoCloud kernel commandline key parsing (#4273) (Fixes: #4271)
    (LP: #2028562)
  + Fix reference before assignment (#4292) (Fixes: #4288) (LP: #2028784)
  From 23.2.1
  + nocloud: Fix parse_cmdline detection of nocloud-net datasource (#4204)
    (Fixes: 4203) (LP: #2025180)
  From 23.2
  + BSD: simplify finding MBR partitions by removing duplicate code
  [Mina Galić]
  + tests: bump pycloudlib version for mantic builds
  + network-manager: Set higher autoconnect priority for nm keyfiles (#3671)
    [Ani Sinha]
  + alpine.py: change the locale file used (#4139) [dermotbradley]
  + cc_ntp: Sync up with current FreeBSD ntp.conf (#4122) [Mina Galić]
  + config: drop refresh_rmc_and_interface as RHEL 7 no longer supported
    [Robert Schweikert]
  + docs: Add feedback button to docs
  + net/sysconfig: enable sysconfig renderer if network manager has ifcfg-rh
    plugin (#4132) [Ani Sinha]
  + For Alpine use os-release PRETTY_NAME (#4138) [dermotbradley]
  + network_manager: add a method for ipv6 static IP configuration (#4127)
    [Ani Sinha]
  + correct misnamed template file host.mariner.tmpl (#4124) [dermotbradley]
  + nm: generate ipv6 stateful dhcp config at par with sysconfig (#4115)
    [Ani Sinha]
  + Add templates for GitHub Issues
  + Add 'peers' and 'allow' directives in cc_ntp (#3124) [Jacob Salmela]
  + FreeBSD: Fix user account locking (#4114) [Mina Galić] (GH: #1854594)
  + FreeBSD: add ResizeGrowFS class to cc_growpart (#2334) [Mina Galić]
  + Update tests in Azure TestCanDevBeReformatted class (#2771)
    [Ksenija Stanojevic]
  + Replace Launchpad references with GitHub Issues
  + Fix KeyError in iproute pformat (#3287) [Dmitry Zykov]
  + schema: read_cfg_paths call init.fetch to lookup /v/l/c/instance
  + azure/errors: introduce reportable errors for imds (#3647)
    [Chris Patterson]
  + FreeBSD (and friends): better identify MBR slices (#2168)
    [Mina Galić] (LP: #2016350)
  + azure/errors: add host reporting for dhcp errors (#2167)
    [Chris Patterson]
  + net: purge blacklist_drivers across net and azure (#2160)
    [Chris Patterson]
  + net: refactor hyper-v VF filtering and apply to get_interfaces() (#2153)
    [Chris Patterson]
  + tests: avoid leaks to underlying filesystem for /etc/cloud/clean.d
    (#2251)
  + net: refactor find_candidate_nics_on_linux() to use get_interfaces()
    (#2159) [Chris Patterson]
  + resolv_conf: Allow > 3 nameservers (#2152) [Major Hayden]
  + Remove mount NTFS error message (#2134) [Ksenija Stanojevic]
  + integration tests: fix image specification parsing (#2166)
  + ci: add hypothesis scheduled GH check (#2149)
  + Move supported distros list to docs (#2162)
  + Fix logger, use instance rather than module function (#2163)
  + README: Point to Github Actions build status (#2158)
  + Revert "fix linux-specific code on bsd (#2143)" (#2161)
  + Do not generate dsa and ed25519 key types when crypto FIPS mode is
    enabled (#2142) [Ani Sinha] (LP: 2017761)
  + Add documentation label automatically (#2156)
  + sources/azure: report success to host and introduce kvp module (#2141)
    [Chris Patterson]
  + setup.py: use pkg-config for udev/rules path (#2137) [dankm]
  + openstack/static: honor the DNS servers associated with a network
    (#2138) [Gonéri Le Bouder]
  + fix linux-specific code on bsd (#2143)
  + cli: schema validation of jinja template user-data (SC-1385) (#2132)
    (LP: #1881925)
  + gce: activate network discovery on every boot (#2128)
  + tests: update integration test to assert 640 across reboots (#2145)
  + Make user/vendor data sensitive and remove log permissions (#2144)
    (LP: #2013967)
  + Update kernel command line docs (SC-1457) (#2133)
  + docs: update network configuration path links (#2140) [d1r3ct0r]
  + sources/azure: report failures to host via kvp (#2136) [Chris Patterson]
  + net: Document use of `ip route append` to add routes (#2130)
  + dhcp: Add missing mocks (#2135)
  + azure/imds: retry fetching metadata up to 300 seconds (#2121)
    [Chris Patterson]
  + [1/2] DHCP: Refactor dhcp client code  (#2122)
  + azure/errors: treat traceback_base64 as string (#2131) [Chris Patterson]
  + azure/errors: introduce reportable errors (#2129) [Chris Patterson]
  + users: schema permit empty list to indicate create no users
  + azure: introduce identity module (#2116) [Chris Patterson]
  + Standardize disabling cloud-init on non-systemd (#2112)
  + Update .github-cla-signers (#2126) [Rob Tongue]
  + NoCloud: Use seedfrom protocol to determine mode (#2107)
  + rhel: Remove sysvinit files. (#2114)
  + tox.ini: set -vvvv --showlocals for pytest (#2104) [Chris Patterson]
  + Fix NoCloud kernel commandline semi-colon args
  + run-container: make the container/VM timeout configurable (#2118)
    [Paride Legovini]
  + suse: Remove sysvinit files. (#2115)
  + test: Backport assert_call_count for old requests (#2119)
  + Add "licebmi" as contributor (#2113) [Mark Martinez]
  + Adapt DataSourceScaleway to upcoming IPv6 support (#2033)
    [Louis Bouchard]
  + rhel: make sure previous-hostname file ends with a new line (#2108)
    [Ani Sinha]
  + Adding contributors for DataSourceAkamai (#2110) [acourdavAkamai]
  + Cleanup ephemeral IP routes on exception (#2100) [sxt1001]
  + commit 09a64badfb3f51b1b391fa29be19962381a4bbeb [sxt1001] (LP: #2011291)
  + Standardize kernel commandline user interface (#2093)
  + config/cc_resizefs: fix do_resize arguments (#2106) [Chris Patterson]
  + Fix test_dhclient_exits_with_error (#2105)
  + net/dhcp: catch dhclient failures and raise NoDHCPLeaseError (#2083)
    [Chris Patterson]
  + sources/azure: move pps handling out of _poll_imds() (#2075)
    [Chris Patterson]
  + tests: bump pycloudlib version (#2102)
  + schema: do not manipulate draft4 metaschema for jsonschema 2.6.0 (#2098)
  + sources/azure/imds: don't count timeout errors as connection errors
    (#2074) [Chris Patterson]
  + Fix Python 3.12 unit test failures (#2099)
  + integration tests: Refactor instance checking (#1989)
  + ci: migrate remaining jobs from travis to gh (#2085)
  + missing ending quote in instancedata docs(#2094) [Hong L]
  + refactor: stop passing log instances to cc_* handlers (#2016) [d1r3ct0r]
  + tests/vmware: fix test_no_data_access_method failure (#2092)
    [Chris Patterson]
  + Don't change permissions of netrules target (#2076) (LP: #2011783)
  + tests/sources: patch util.get_cmdline() for datasource tests (#2091)
    [Chris Patterson]
  + macs: ignore duplicate MAC for devs with driver driver qmi_wwan (#2090)
    (LP: #2008888)
  + Fedora: Enable CA handling (#2086) [František Zatloukal]
  + Send dhcp-client-identifier for InfiniBand ports (#2043) [Waleed Mousa]
  + cc_ansible: complete the examples and doc (#2082) [Yves]
  + bddeb: for dev package, derive debhelper-compat from host system
  + apport: only prompt for cloud_name when instance-data.json is absent
  + datasource: Optimize datasource detection, fix bugs (#2060)
  + Handle non existent ca-cert-config situation (#2073) [Shreenidhi Shedi]
  + sources/azure: add networking check for all source PPS (#2061)
    [Chris Patterson]
  + do not attempt dns resolution on ip addresses (#2040)
  + chore: fix style tip (#2071)
  + Fix metadata IP in instancedata.rst (#2063) [Brian Haley]
  + util: Pass deprecation schedule in deprecate_call() (#2064)
  + config: Update grub-dpkg docs (#2058)
  + docs: Cosmetic improvements and styling (#2057) [s-makin]
  + cc_grub_dpkg: Added UEFI support (#2029) [Alexander Birkner]
  + tests: Write to /var/spool/rsyslog to adhere to apparmor profile (#2059)
  + oracle-ds: prefer system_cfg over ds network config source (#1998)
    (LP: #1956788)
  + Remove dead code (#2038)
  + source: Force OpenStack when it is only option (#2045) (LP: #2008727)
  + cc_ubuntu_advantage: improve UA logs discovery
  + sources/azure: fix regressions in IMDS behavior (#2041) [Chris Patterson]
  + tests: fix test_schema (#2042)
  + dhcp: Cleanup unused kwarg (#2037)
  + sources/vmware/imc: fix-missing-catch-few-negtive-scenarios (#2027)
    [PengpengSun]
  + dhclient_hook: remove vestigal dhclient_hook command (#2015)
  + log: Add standardized deprecation tooling (SC-1312) (#2026)
  + Enable SUSE based distros for ca handling (#2036) [Robert Schweikert]
  From 23.1.2
  + Make user/vendor data sensitive and remove log permissions
    (LP: #2013967) (CVE-2023-1786)
  From 23.1.1
  + source: Force OpenStack when it is only option (#2045)
  + sources/azure: fix regressions in IMDS behavior (#2041)
    [Chris Patterson]

- Add cloud-init-flake8-fixes.patch
- Revert chnages from previous commit
  + Disabling checks the primary maintainer enabled for specific reasons
    is not a fix.

- update to 23.1.2:
  * Make user/vendor data sensitive and remove log permissions
  * source: Force OpenStack when it is only option (#2045)
  * sources/azure: fix regressions in IMDS behavior
- drop
  cloud-init-cve-2023-1786-redact-instance-data-json-main.patch (upstream)
- spec-file cleanups, including dropping flake8 (as build fails
  with newer flake8 versions)
cloud-netconfig
- Update to version 1.14
  + Use '-s' instead of '--no-progress-meter' for curl (bsc#1221757)

- Add version settings to Provides/Obsoletes

- Update to version 1.12 (bsc#1221202)
  + If token access succeeds using IPv4 do not use the IPv6 endpoint
    only use the IPv6 IMDS endpoint if IPv4 access fails.

- Add Provides/Obsoletes for dropped cloud-netconfig-nm
- Install dispatcher script into /etc/NetworkManager/dispatcher.d
  on older distributions
- Add BuildReqires: NetworkManager to avoid owning dispatcher.d
  parent directory

- Update to version 1.11:
  + Revert address metadata lookup in GCE to local lookup (bsc#1219454)
  + Fix hang on warning log messages
  + Check whether getting IPv4 addresses from metadata failed and abort
    if true
  + Only delete policy rules if they exist
  + Skip adding/removing IPv4 ranges if metdata lookup failed
  + Improve error handling and logging in Azure
  + Set SCRIPTDIR when installing netconfig wrapper

- Update to version 1.10:
  + Drop cloud-netconfig-nm sub package and include NM dispatcher
    script in main packages (bsc#1219007)
  + Spec file cleanup

- Update to version 1.9:
  + Drop package dependency on sysconfig-netconfig
  + Improve log level handling
  + Support IPv6 IMDS endpoint in EC2 (bsc#1218069)
cloud-regionsrv-client
- Update to version 10.1.7 (bsc#1220164, bsc#1220165)
  + Fix the failover path to a new target update server. At present a new
    server is not found since credential validation fails. We targeted
    the server detected in down condition to verify the credentials instead
    of the replacement server.

- Update EC2 plugin to 1.0.4 (bsc#1219156, bsc#1219159)
  + Fix the algorithm to determine the region from the availability zone
    information retrieved from IMDS.
- Update to version 10.1.6
  + Support specifying an IPv6 address for a manually configured target
    update server.

- Update to version 10.1.5 (bsc#1217583)
  + Fix fallback path when IPv6 network path is not usable
  + Enable an IPv6 fallback path in IMDS access if it cannot be accessed
    over IPv4
  + Enable IMDS access over IPv6

- Update to version 10.1.4 (bsc#1217451)
  + Fetch cert for new update server during failover
kernel-default
- Update
  patches.suse/0020-dm-btree-remove-fix-use-after-free-in-rebalance_chil.patch
  (git-fixes CVE-2021-47600 bsc#1226575).
- Update
  patches.suse/0022-block-Fix-wrong-offset-in-bio_truncate.patch
  (git-fixes CVE-2022-48747 bsc#1226643).
- Update
  patches.suse/ARM-9170-1-fix-panic-when-kasan-and-kprobe-are-enabled.patch
  (git-fixes CVE-2021-47618 bsc#1226644).
- Update
  patches.suse/ASoC-max9759-fix-underflow-in-speaker_gain_control_p.patch
  (git-fixes CVE-2022-48717 bsc#1226679).
- Update
  patches.suse/ASoC-ops-Reject-out-of-bounds-values-in-snd_soc_put_-4cf28e9ae6e2.patch
  (git-fixes CVE-2022-48736 bsc#1226721).
- Update
  patches.suse/ASoC-ops-Reject-out-of-bounds-values-in-snd_soc_put_-4f1e50d6a9cf.patch
  (git-fixes CVE-2022-48737 bsc#1226762).
- Update
  patches.suse/ASoC-ops-Reject-out-of-bounds-values-in-snd_soc_put_.patch
  (git-fixes CVE-2022-48738 bsc#1226674).
- Update
  patches.suse/Bluetooth-refactor-malicious-adv-data-check.patch
  (git-fixes CVE-2021-47620 bsc#1226669).
- Update patches.suse/IB-hfi1-Fix-AIP-early-init-panic.patch
  (jsc#SLE-13208 CVE-2022-48728 bsc#1226691).
- Update
  patches.suse/PCI-pciehp-Fix-infinite-loop-in-IRQ-handler-upon-pow.patch
  (git-fixes CVE-2021-47617 bsc#1226614).
- Update
  patches.suse/RDMA-ucma-Protect-mc-during-concurrent-multicast-lea.patch
  (bsc#1181147 CVE-2022-48726 bsc#1226686).
- Update
  patches.suse/ceph-properly-put-ceph_string-reference-after-async-create-attempt.patch
  (bsc#1195798 CVE-2022-48767 bsc#1226715).
- Update
  patches.suse/dma-buf-heaps-Fix-potential-spectre-v1-gadget.patch
  (git-fixes CVE-2022-48730 bsc#1226713).
- Update
  patches.suse/drm-msm-dpu-invalid-parameter-check-in-dpu_setup_dsp.patch
  (git-fixes CVE-2022-48749 bsc#1226650).
- Update
  patches.suse/drm-msm-dsi-invalid-parameter-check-in-msm_dsi_phy_e.patch
  (git-fixes CVE-2022-48756 bsc#1226698).
- Update
  patches.suse/drm-nouveau-fix-off-by-one-in-BIOS-boundary-checking.patch
  (git-fixes CVE-2022-48732 bsc#1226716).
- Update
  patches.suse/firmware-arm_scpi-Fix-string-overflow-in-SCPI-genpd-.patch
  (git-fixes CVE-2021-47609 bsc#1226562).
- Update patches.suse/i40e-Fix-queues-reservation-for-XDP.patch
  (git-fixes CVE-2021-47619 bsc#1226645).
- Update patches.suse/igbvf-fix-double-free-in-igbvf_probe.patch
  (git-fixes CVE-2021-47589 bsc#1226557).
- Update
  patches.suse/iommu-vt-d-fix-potential-memory-leak-in-intel_setup_irq_remapping
  (git-fixes CVE-2022-48724 bsc#1226624).
- Update
  patches.suse/mac80211-track-only-QoS-data-frames-for-admission-co.patch
  (git-fixes CVE-2021-47602 bsc#1226554).
- Update
  patches.suse/mac80211-validate-extended-element-ID-is-present.patch
  (git-fixes CVE-2021-47611 bsc#1226583).
- Update
  patches.suse/net-bridge-vlan-fix-memory-leak-in-__allowed_ingress.patch
  (bsc#1176447 CVE-2022-48748 bsc#1226647).
- Update
  patches.suse/net-hns3-fix-use-after-free-bug-in-hclgevf_send_mbx_.patch
  (jsc#SLE-14777 CVE-2021-47596 bsc#1226558).
- Update
  patches.suse/net-ieee802154-ca8210-Stop-leaking-skb-s.patch
  (git-fixes CVE-2022-48722 bsc#1226619).
- Update
  patches.suse/net-mlx5e-Fix-handling-of-wrong-devices-during-bond-.patch
  (jsc#SLE-15172 CVE-2022-48746 bsc#1226703).
- Update
  patches.suse/net-sched-sch_ets-don-t-remove-idle-classes-from-the.patch
  (bsc#1176774 CVE-2021-47595 bsc#1226552).
- Update
  patches.suse/nfc-fix-segfault-in-nfc_genl_dump_devices_done.patch
  (git-fixes CVE-2021-47612 bsc#1226585).
- Update patches.suse/phylib-fix-potential-use-after-free.patch
  (git-fixes CVE-2022-48754 bsc#1226692).
- Update
  patches.suse/powerpc-perf-Fix-power_pmu_disable-to-call-clear_pmi.patch
  (bsc#1156395 CVE-2022-48752 bsc#1226709).
- Update
  patches.suse/rpmsg-char-Fix-race-between-the-release-of-rpmsg_ctr.patch
  (git-fixes CVE-2022-48759 bsc#1226711).
- Update
  patches.suse/scsi-bnx2fc-Flush-destroy_work-queue-before-calling-bnx2fc_interface_put
  (git-fixes CVE-2022-48758 bsc#1226708).
- Update patches.suse/scsi-bnx2fc-Make-bnx2fc_recv_frame-mp-safe
  (git-fixes CVE-2022-48715 bsc#1226621).
- Update
  patches.suse/scsi-scsi_debug-Sanity-check-block-descriptor-length-in-resp_mode_select.patch
  (git-fixes CVE-2021-47576 bsc#1226537).
- Update
  patches.suse/smb-client-set-correct-id-uid-and-cruid-for-multiuser-automounts.patch
  (git-fixes CVE-2024-26822 bsc#1223011).
- Update
  patches.suse/tracing-histogram-Fix-a-potential-memory-leak-for-kstrdup.patch
  (git-fixes CVE-2022-48768 bsc#1226720).
- commit 3239c2b

- Update
  patches.suse/drm-vmwgfx-Fix-stale-file-descriptors-on-failed-user.patch
  (CVE-2022-22942 bsc#1195065 CVE-2022-48771 bsc#1226732).
- Update
  patches.suse/isdn-cpai-check-ctr-cnr-to-avoid-array-index-out-of-.patch
  (CVE-2021-43389 CVE-2021-3896 bsc#1191958 git-fixes
  CVE-2021-4439 bsc#1226670).
- Update
  patches.suse/media-mxl111sf-change-mutex_init-location.patch
  (git-fixes CVE-2021-47583 bsc#1226563).
- Update
  patches.suse/of-module-prevent-NULL-pointer-dereference-in-vsnprintf.patch
  (bsc#1226587 CVE-2024-38541 CVE-2024-35878 bsc#1224671).
- Update
  patches.suse/tipc-improve-size-validations-for-received-domain-re.patch
  (bsc#1195254 CVE-2022-0435 CVE-2022-48711 bsc#1226672).
- commit 4e385ef

- tcp: Use refcount_inc_not_zero() in tcp_twsk_unique()
  (CVE-2024-36904 bsc#1225732).
- commit 80f0f47

- tcp: do not accept ACK of bytes we never sent (CVE-2023-52881
  bsc#1225611).
- commit 874a2d3

- x86/tsc: Trust initial offset in architectural TSC-adjust MSRs
  (bsc#1222015 bsc#1226962).
- commit c8cabcf

- USB: core: Fix hang in usb_kill_urb by adding memory barriers
  (CVE-2022-48760 bsc#1226712).
- commit da8ec3e

- scsi: qedf: Ensure the copied buf is NUL terminated (bsc#1226758
  CVE-2024-38559).
- scsi: bfa: Ensure the copied buf is NUL terminated (bsc#1226786
  CVE-2024-38560).
- commit 0e33f69

- Update References tag
  patches.suse/Bluetooth-Disconnect-if-E0-is-used-for-Level-4.patch
  (bsc#1171988 CVE-2020-10135 bsc#1218148 CVE-2023-24023).
- commit 906dfa6

- RDMA/hns: Fix UAF for cq async event (bsc#1226595 CVE-2024-38545)
- commit d57d06d

- of: module: prevent NULL pointer dereference in vsnprintf() (bsc#1226587 CVE-2024-38541)
- commit c381bb4

- of: module: add buffer overflow check in of_modalias() (bsc#1226587 CVE-2024-38541)
- commit 212b607

- net/mlx5e: Fix use-after-free of encap entry in neigh update
  handler (bsc#1224865 CVE-2021-47247).
- commit 91cae43

- net: qcom/emac: fix UAF in emac_remove (bsc#1225010
  CVE-2021-47311).
- commit 5533443

- NFS: avoid infinite loop in pnfs_update_layout (bsc#1219633
  bsc#1226226).
- commit 1b48f4e

- net: macb: fix use after free on rmmod (CVE-2021-47372
  bsc#1225184).
- commit c9f62c2

- ocfs2: fix sparse warnings (bsc#1219224).
- ocfs2: speed up chain-list searching (bsc#1219224).
- ocfs2: adjust enabling place for la window (bsc#1219224).
- ocfs2: improve write IO performance when fragmentation is high
  (bsc#1219224).
- commit 124c57b

- smb: client: fix potential UAF in smb2_is_network_name_deleted()
  (bsc#1224764, CVE-2024-35862).
- commit 8a40236

- smb: client: fix potential UAF in smb2_is_valid_lease_break()
  (bsc#1224765, CVE-2024-35864).
- commit 8030dd8

- smb: client: fix potential UAF in
  cifs_signal_cifsd_for_reconnect() (bsc#1224766, CVE-2024-35861).
- commit d1384a0

- smb: client: fix use-after-free bug in
  cifs_debug_data_proc_show() (bsc#1225487, CVE-2023-52752).
- commit c058f4e

- blacklist.conf: bsc#1225047 CVE-2021-47328
  breaks kABI and does not apply
- commit 8d10b79

- blk-cgroup: fix UAF by grabbing blkcg lock before destroying
  blkg pd (CVE-2021-47379 bsc#1225203).
- commit af72a45

- wifi: mac80211: check/clear fast rx for non-4addr sta VLAN
  changes (CVE-2024-35789 bsc#1224749).
- commit 7707dc6

- fs/9p: only translate RWX permissions for plain 9P2000
  (bsc#1225866 CVE-2024-36964).
- commit c4d4f4c

- pinctrl: core: delete incorrect free in pinctrl_enable()
  (CVE-2024-36940 bsc#1225840).
- commit 6932105

- staging: rtl8192e: Fix use after free in
  _rtl92e_pci_disconnect() (CVE-2021-47571 bsc#1225518).
- commit b52b9d0

- enetc: Fix illegal access when reading affinity_hint
  (CVE-2021-47368 bsc#1225161).
- commit cde762c

- Bluetooth: Add more enc key size check (bsc#1218148
  CVE-2023-24023).
- commit 529bf5d

- Bluetooth: Normalize HCI_OP_READ_ENC_KEY_SIZE cmdcmplt
  (bsc#1218148 CVE-2023-24023).
- commit 4ac624b

- blacklist.conf: Add 1971d13ffa84a "af_unix: Suppress false-positive lockdep splat for spin_lock() in __unix_gc()."
- commit 1f2871b

- usb: gadget: f_fs: Fix race between aio_cancel() and AIO
  request complete (CVE-2024-36894 bsc#1225749).
- commit 99fc30d

- net: preserve kabi for sk_buff (CVE-2024-26921 bsc#1223138).
- commit 62989dd

- inet: inet_defrag: prevent sk release while still in use
  (CVE-2024-26921 bsc#1223138).
- commit 599b2eb

- drm/client: Fully protect modes with dev->mode_config.mutex (CVE-2024-35950 bsc#1224703).
- commit f5de9d8

- smb: client: set correct id, uid and cruid for multiuser
  automounts (git-fixes).
- commit 548a1f6

- smb: client: fix dfs link mount against w2k8 (git-fixes).
- commit ffabd7c

- cifs: use tcon allocation functions even for dummy tcon
  (bsc#1213476).
- commit 8a18c8c

- cifs: avoid race conditions with parallel reconnects
  (bsc#1213476).
- commit 0156937

- cifs: check only tcon status on tcon related functions
  (bsc#1213476).
- commit 3ee757c

- cifs: return DFS root session id in DebugData (bsc#1213476).
- commit 40d8689

- cifs: fix use-after-free bug in refresh_cache_worker()
  (bsc#1213476).
- Refresh
  patches.suse/cifs-avoid-dup-prefix-path-in-dfs_get_automount_devname-.patch.
- commit efddc92

- cifs: set DFS root session in cifs_get_smb_ses() (bsc#1213476).
- commit 249b33f

- cifs: reuse cifs_match_ipaddr for comparison of dstaddr too
  (bsc#1213476).
- commit c221add

- cifs: match even the scope id for ipv6 addresses (bsc#1213476).
- commit 376b929

- cifs: get rid of dns resolve worker (bsc#1213476).
- commit 36fdff3

- nvme-rdma: destroy cm id before destroy qp to avoid use after
  free (CVE-2021-47378 bsc#1225201).
- commit 132f56c

- net/tls: Fix flipped sign in tls_err_abort() calls
  (CVE-2021-47496 bsc#1225354)
- commit c2b236a

- net: sched: flower: protect fl_walk() with rcu
  (CVE-2021-47402 bsc#1225301)
- commit 5275989

- Update
  patches.suse/0001-x86-ioremap-Map-efi_mem_reserve-memory-as-encrypted-.patch
  (bsc#1186885 bsc#1224826 CVE-2021-47228).
- Update
  patches.suse/0002-bcache-avoid-oversized-read-request-in-cache-miss.patch
  (bsc#1187357 bsc#1185570 bsc#1184631 bsc#1224965
  CVE-2021-47275).
- Update
  patches.suse/0002-ocfs2-fix-race-between-searching-chunks-and-release-.patch
  (bsc#1199304 bsc#1225439 CVE-2021-47493).
- Update
  patches.suse/0003-drm-prime-Fix-use-after-free-in-mmap-with-drm_gem_tt.patch
  (bsc#1152472 bsc#1222838 CVE-2021-47200).
- Update
  patches.suse/0015-dm-btree-remove-assign-new_root-only-when-removal-su.patch
  (git-fixes bsc#1225155 CVE-2021-47343).
- Update
  patches.suse/0019-dm-fix-mempool-NULL-pointer-race-when-completing-IO.patch
  (git-fixes bsc#1225247 CVE-2021-47435).
- Update patches.suse/ACPI-fix-NULL-pointer-dereference.patch
  (git-fixes bsc#1224984 CVE-2021-47289).
- Update
  patches.suse/ALSA-pcm-oss-Limit-the-period-size-to-16MB.patch
  (git-fixes bsc#1225409 CVE-2021-47509).
- Update
  patches.suse/ALSA-seq-Fix-race-of-snd_seq_timer_open.patch
  (git-fixes bsc#1224983 CVE-2021-47281).
- Update
  patches.suse/ALSA-usx2y-Don-t-call-free_pages_exact-with-NULL-add.patch
  (git-fixes bsc#1225091 CVE-2021-47332).
- Update
  patches.suse/ASoC-SOF-Fix-DSP-oops-stack-dump-output-contents.patch
  (git-fixes bsc#1225206 CVE-2021-47381).
- Update
  patches.suse/ASoC-codecs-wcd934x-handle-channel-mappping-list-cor.patch
  (git-fixes bsc#1225369 CVE-2021-47502).
- Update
  patches.suse/HID-betop-fix-slab-out-of-bounds-Write-in-betop_prob.patch
  (git-fixes bsc#1225303 CVE-2021-47404).
- Update
  patches.suse/HID-bigbenff-prevent-null-pointer-dereference.patch
  (CVE-2022-20132 bsc#1200619 bsc#1225437 CVE-2021-47522).
- Update
  patches.suse/HID-usbhid-free-raw_report-buffers-in-usbhid_stop.patch
  (git-fixes bsc#1225238 CVE-2021-47405).
- Update
  patches.suse/IB-hfi1-Fix-leak-of-rcvhdrtail_dummy_kvaddr.patch
  (git-fixes bsc#1225438 CVE-2021-47523).
- Update
  patches.suse/IB-qib-Fix-memory-leak-in-qib_user_sdma_queue_pkts.patch
  (CVE-2021-47485 bsc#1224904 bsc#1220960 CVE-2021-47104).
- Update
  patches.suse/KVM-PPC-Book3S-HV-Fix-stack-handling-in-idle_kvm_sta.patch
  (bko#206669 bsc#1174585 bsc#1192107 CVE-2021-43056 bsc#1225341
  CVE-2021-47465).
- Update
  patches.suse/KVM-mmio-Fix-use-after-free-Read-in-kvm_vm_ioctl_unr.patch
  (git-fixes bsc#1224923 CVE-2021-47341).
- Update
  patches.suse/KVM-x86-Immediately-reset-the-MMU-context-when-the-S.patch
  (git-fixes bsc#1224853 CVE-2021-47230).
- Update
  patches.suse/NFC-digital-fix-possible-memory-leak-in-digital_in_s.patch
  (git-fixes bsc#1225263 CVE-2021-47442).
- Update
  patches.suse/NFC-digital-fix-possible-memory-leak-in-digital_tg_l.patch
  (git-fixes bsc#1225262 CVE-2021-47443).
- Update
  patches.suse/NFS-Fix-use-after-free-in-nfs4_init_client.patch
  (git-fixes bsc#1224953 CVE-2021-47259).
- Update
  patches.suse/RDMA-Verify-port-when-creating-flow-rule.patch
  (git-fixes bsc#1224957 CVE-2021-47265).
- Update
  patches.suse/RDMA-cma-Ensure-rdma_addr_cancel-happens-before-issu.patch
  (git-fixes bsc#1210629 CVE-2023-2176 bsc#1225318
  CVE-2021-47391).
- Update
  patches.suse/RDMA-cma-Fix-listener-leak-in-rdma_cma_listen_on_all.patch
  (bsc#1181147 bsc#1225320 CVE-2021-47392).
- Update
  patches.suse/aio-fix-use-after-free-due-to-missing-POLLFREE-handl.patch
  (CVE-2021-39698 bsc#1196956 bsc#1225400 CVE-2021-47505).
- Update
  patches.suse/audit-fix-possible-null-pointer-dereference-in-audit.patch
  (git-fixes bsc#1225393 CVE-2021-47464).
- Update
  patches.suse/blktrace-Fix-uaf-in-blk_trace-access-after-removing-.patch
  (bsc#1191452 bsc#1225193 CVE-2021-47375).
- Update
  patches.suse/bpf-s390-Fix-potential-memory-leak-about-jit_data.patch
  (git-fixes bsc#1225370 CVE-2021-47426).
- Update patches.suse/can-peak_pci-peak_pci_remove-fix-UAF.patch
  (git-fixes bsc#1225256 CVE-2021-47456).
- Update
  patches.suse/can-sja1000-fix-use-after-free-in-ems_pcmcia_add_car.patch
  (git-fixes bsc#1225435 CVE-2021-47521).
- Update
  patches.suse/cfg80211-fix-management-registrations-locking.patch
  (git-fixes bsc#1225450 CVE-2021-47494).
- Update
  patches.suse/cifs-prevent-NULL-deref-in-cifs_compose_mount_options-.patch
  (bsc#1185902 bsc#1224961 CVE-2021-47307).
- Update
  patches.suse/cpufreq-schedutil-Use-kobject-release-method-to-free.patch
  (git-fixes bsc#1225316 CVE-2021-47387).
- Update
  patches.suse/dm-rq-don-t-queue-request-to-blk-mq-during-DM-suspen.patch
  (bsc#1221113 bsc#1225357 CVE-2021-47498).
- Update
  patches.suse/dma-buf-sync_file-Don-t-leak-fences-on-merge-failure.patch
  (git-fixes bsc#1224968 CVE-2021-47305).
- Update
  patches.suse/drm-Fix-use-after-free-read-in-drm_getunique.patch
  (git-fixes bsc#1224982 CVE-2021-47280).
- Update
  patches.suse/drm-amd-display-Avoid-HDCP-over-read-and-corruption.patch
  (git-fixes bsc#1225178 CVE-2021-47348).
- Update
  patches.suse/drm-amd-display-Fix-potential-memory-leak-in-DMUB-hw.patch
  (git-fixes bsc#1224886 CVE-2021-47253).
- Update patches.suse/drm-amdgpu-fix-gart.bo-pin_count-leak.patch
  (git-fixes bsc#1225390 CVE-2021-47431).
- Update
  patches.suse/drm-edid-In-connector_bad_edid-cap-num_of_ext-by-num.patch
  (git-fixes bsc#1225243 CVE-2021-47444).
- Update
  patches.suse/drm-msm-Fix-null-pointer-dereference-on-pointer-edp.patch
  (git-fixes bsc#1225261 CVE-2021-47445).
- Update
  patches.suse/drm-msm-a6xx-Allocate-enough-space-for-GMU-registers.patch
  (git-fixes bsc#1225446 CVE-2021-47535).
- Update
  patches.suse/drm-nouveau-avoid-a-use-after-free-when-BO-init-fail.patch
  (bsc#1152472 bsc#1224816 CVE-2020-36788).
- Update
  patches.suse/drm-nouveau-debugfs-fix-file-release-memory-leak.patch
  (git-fixes bsc#1225366 CVE-2021-47423).
- Update
  patches.suse/drm-nouveau-kms-nv50-fix-file-release-memory-leak.patch
  (git-fixes bsc#1225233 CVE-2021-47422).
- Update
  patches.suse/drm-radeon-fix-a-possible-null-pointer-dereference.patch
  (git-fixes bsc#1225230 CVE-2022-48710).
- Update patches.suse/drm-sched-Avoid-data-corruptions.patch
  (git-fixes bsc#1225140 CVE-2021-47354).
- Update
  patches.suse/ethtool-strset-fix-message-length-calculation.patch
  (bsc#1176447 bsc#1224842 CVE-2021-47241).
- Update
  patches.suse/fbmem-Do-not-delete-the-mode-that-is-still-in-use.patch
  (git-fixes bsc#1224924 CVE-2021-47338).
- Update
  patches.suse/ftrace-Do-not-blindly-read-the-ip-address-in-ftrace_bug.patch
  (git-fixes bsc#1224966 CVE-2021-47276).
- Update
  patches.suse/gpio-wcd934x-Fix-shift-out-of-bounds-error.patch
  (git-fixes bsc#1224955 CVE-2021-47263).
- Update
  patches.suse/hwmon-mlxreg-fan-Return-non-zero-value-when-fan-curr.patch
  (git-fixes bsc#1225321 CVE-2021-47393).
- Update
  patches.suse/i2c-acpi-fix-resource-leak-in-reconfiguration-device.patch
  (git-fixes bsc#1225223 CVE-2021-47425).
- Update
  patches.suse/i40e-Fix-NULL-pointer-dereference-in-i40e_dbg_dump_d.patch
  (git-fixes bsc#1225361 CVE-2021-47501).
- Update
  patches.suse/i40e-Fix-freeing-of-uninitialized-misc-IRQ-vector.patch
  (git-fixes bsc#1225367 CVE-2021-47424).
- Update patches.suse/ice-avoid-bpf_prog-refcount-underflow.patch
  (jsc#SLE-7926 bsc#1225500 CVE-2021-47563).
- Update patches.suse/ice-fix-vsi-txq_map-sizing.patch
  (jsc#SLE-7926 bsc#1225499 CVE-2021-47562).
- Update
  patches.suse/igb-Fix-use-after-free-error-during-reset.patch
  (git-fixes bsc#1224916 CVE-2021-47301).
- Update
  patches.suse/igc-Fix-use-after-free-error-during-reset.patch
  (git-fixes bsc#1224917 CVE-2021-47302).
- Update
  patches.suse/iio-accel-kxcjk-1013-Fix-possible-memory-leak-in-pro.patch
  (git-fixes bsc#1225358 CVE-2021-47499).
- Update
  patches.suse/isdn-mISDN-Fix-sleeping-function-called-from-invalid.patch
  (git-fixes bsc#1225346 CVE-2021-47468).
- Update
  patches.suse/isdn-mISDN-netjet-Fix-crash-in-nj_probe.patch
  (git-fixes bsc#1224987 CVE-2021-47284).
- Update
  patches.suse/isofs-Fix-out-of-bound-access-for-corrupted-isofs-im.patch
  (bsc#1194591 bsc#1225198 CVE-2021-47478).
- Update
  patches.suse/ixgbe-Fix-NULL-pointer-dereference-in-ixgbe_xdp_setu.patch
  (git-fixes bsc#1225328 CVE-2021-47399).
- Update patches.suse/jfs-fix-GPF-in-diFree.patch (bsc#1203389
  bsc#1225148 CVE-2021-47340).
- Update
  patches.suse/mISDN-fix-possible-use-after-free-in-HFC_cleanup.patch
  (git-fixes bsc#1225143 CVE-2021-47356).
- Update
  patches.suse/mac80211-fix-use-after-free-in-CCMP-GCMP-RX.patch
  (git-fixes bsc#1225214 CVE-2021-47388).
- Update
  patches.suse/mac80211-hwsim-fix-late-beacon-hrtimer-handling.patch
  (git-fixes bsc#1225327 CVE-2021-47396).
- Update
  patches.suse/mac80211-limit-injected-vht-mcs-nss-in-ieee80211_par.patch
  (git-fixes bsc#1225326 CVE-2021-47395).
- Update
  patches.suse/media-zr364xx-fix-memory-leak-in-zr364xx_start_readp.patch
  (git-fixes bsc#1224922 CVE-2021-47344).
- Update
  patches.suse/misc-alcor_pci-fix-null-ptr-deref-when-there-is-no-P.patch
  (git-fixes bsc#1225113 CVE-2021-47333).
- Update
  patches.suse/misc-libmasm-module-Fix-two-use-after-free-in-ibmasm.patch
  (git-fixes bsc#1225112 CVE-2021-47334).
- Update
  patches.suse/mlxsw-thermal-Fix-out-of-bounds-memory-accesses.patch
  (git-fixes bsc#1225224 CVE-2021-47441).
- Update
  patches.suse/mt76-mt7915-fix-NULL-pointer-dereference-in-mt7915_g.patch
  (git-fixes bsc#1225386 CVE-2021-47540).
- Update patches.suse/net-batman-adv-fix-error-handling.patch
  (git-fixes bsc#1224909 CVE-2021-47482).
- Update
  patches.suse/net-ethernet-fix-potential-use-after-free-in-ec_bhf_.patch
  (git-fixes bsc#1224844 CVE-2021-47235).
- Update
  patches.suse/net-hamradio-fix-memory-leak-in-mkiss_close.patch
  (CVE-2022-1195 bsc#1198029 bsc#1224830 CVE-2021-47237).
- Update
  patches.suse/net-mlx4_en-Fix-an-use-after-free-bug-in-mlx4_en_try.patch
  (git-fixes bsc#1225453 CVE-2021-47541).
- Update
  patches.suse/net-nfc-rawsock.c-fix-a-permission-check-bug.patch
  (git-fixes bsc#1224981 CVE-2021-47285).
- Update
  patches.suse/net-qlogic-qlcnic-Fix-a-NULL-pointer-dereference-in-.patch
  (git-fixes bsc#1225455 CVE-2021-47542).
- Update
  patches.suse/net-sched-fq_pie-prevent-dismantle-issue.patch
  (jsc#SLE-15172 bsc#1225424 CVE-2021-47512).
- Update
  patches.suse/net-sched-sch_ets-don-t-peek-at-classes-beyond-nband.patch
  (bsc#1176774 bsc#1225468 CVE-2021-47557).
- Update
  patches.suse/net-smc-fix-wrong-list_del-in-smc_lgr_cleanup_early
  (git-fixes bsc#1225447 CVE-2021-47536).
- Update
  patches.suse/netfilter-xt_IDLETIMER-fix-panic-that-occurs-when-ti.patch
  (bsc#1176447 bsc#1225237 CVE-2021-47451).
- Update
  patches.suse/nfc-fix-potential-NULL-pointer-deref-in-nfc_genl_dum.patch
  (git-fixes bsc#1225372 CVE-2021-47518).
- Update
  patches.suse/nfp-Fix-memory-leak-in-nfp_cpp_area_cache_add.patch
  (git-fixes bsc#1225427 CVE-2021-47516).
- Update
  patches.suse/nfs-fix-acl-memory-leak-of-posix_acl_create.patch
  (git-fixes bsc#1225058 CVE-2021-47320).
- Update patches.suse/nfsd-Fix-nsfd-startup-race-again.patch
  (git-fixes bsc#1225405 CVE-2021-47507).
- Update
  patches.suse/nfsd-fix-use-after-free-due-to-delegation-race.patch
  (git-fixes bsc#1225404 CVE-2021-47506).
- Update
  patches.suse/ocfs2-fix-data-corruption-after-conversion-from-inli.patch
  (bsc#1190795 bsc#1225251 CVE-2021-47460).
- Update
  patches.suse/ocfs2-mount-fails-with-buffer-overflow-in-strlen.patch
  (bsc#1197760 bsc#1225252 CVE-2021-47458).
- Update patches.suse/phy-mdio-fix-memory-leak.patch (git-fixes
  bsc#1225336 CVE-2021-47416).
- Update
  patches.suse/powerpc-64s-fix-program-check-interrupt-emergency-st.patch
  (bsc#1156395 bsc#1225387 CVE-2021-47428).
- Update
  patches.suse/powerpc-mm-Fix-lockup-on-kernel-exec-fault.patch
  (bsc#1156395 bsc#1225181 CVE-2021-47350).
- Update
  patches.suse/regmap-Fix-possible-double-free-in-regcache_rbtree_e.patch
  (git-fixes bsc#1224907 CVE-2021-47483).
- Update
  patches.suse/rxrpc-Fix-rxrpc_local-leak-in-rxrpc_lookup_peer.patch
  (bsc#1154353 bnc#1151927 5.3.9 bsc#1225448 CVE-2021-47538).
- Update
  patches.suse/s390-dasd-fix-Oops-in-dasd_alias_get_start_dev-due-to-missing-pavgroup
  (git-fixes bsc#1223512 CVE-2022-48636).
- Update
  patches.suse/s390-qeth-fix-NULL-deref-in-qeth_clear_working_pool_list
  (git-fixes bsc#1225164 CVE-2021-47369).
- Update
  patches.suse/s390-qeth-fix-deadlock-during-failing-recovery
  (git-fixes bsc#1225207 CVE-2021-47382).
- Update
  patches.suse/sata_fsl-fix-UAF-in-sata_fsl_port_stop-when-rmmod-sa.patch
  (git-fixes bsc#1225508 CVE-2021-47549).
- Update
  patches.suse/scsi-core-Fix-bad-pointer-dereference-when-ehandler-kthread-is-invalid.patch
  (git-fixes bsc#1224926 CVE-2021-47337).
- Update
  patches.suse/scsi-core-Fix-error-handling-of-scsi_host_alloc.patch
  (git-fixes bsc#1224899 CVE-2021-47258).
- Update
  patches.suse/scsi-core-Put-LLD-module-refcnt-after-SCSI-device-is-released.patch
  (git-fixes bsc#1225322 CVE-2021-47480).
- Update
  patches.suse/scsi-core-sysfs-Fix-hang-when-device-state-is-set-via-sysfs.patch
  (git-fixes bsc#1222867 CVE-2021-47192).
- Update
  patches.suse/scsi-libfc-Fix-array-index-out-of-bound-exception.patch
  (bsc#1188616 bsc#1224963 CVE-2021-47308).
- Update
  patches.suse/scsi-megaraid_sas-Fix-resource-leak-in-case-of-probe-failure.patch
  (git-fixes bsc#1225083 CVE-2021-47329).
- Update
  patches.suse/scsi-mpt3sas-Fix-kernel-panic-during-drive-powercycle-test
  (git-fixes bsc#1225384 CVE-2021-47565).
- Update
  patches.suse/scsi-pm80xx-Do-not-call-scsi_remove_host-in-pm8001_alloc
  (git-fixes bsc#1225374 CVE-2021-47503).
- Update
  patches.suse/scsi-qla2xxx-Fix-a-memory-leak-in-an-error-path-of-qla2x00_process_els
  (git-fixes bsc#1225192 CVE-2021-47473).
- Update
  patches.suse/serial-core-fix-transmit-buffer-reset-and-memleak.patch
  (git-fixes bsc#1194288 CVE-2021-47527).
- Update
  patches.suse/tracing-Correct-the-length-check-which-causes-memory-corruption.patch
  (git-fixes bsc#1224990 CVE-2021-47274).
- Update
  patches.suse/tty-n_gsm-require-CAP_NET_ADMIN-to-attach-N_GSM0710-.patch
  (bsc#1222619 CVE-2023-52880).
- Update
  patches.suse/tty-serial-8250-serial_cs-Fix-a-memory-leak-in-error.patch
  (git-fixes bsc#1225084 CVE-2021-47330).
- Update
  patches.suse/udf-Fix-NULL-pointer-dereference-in-udf_symlink-func.patch
  (bsc#1206646 bsc#1225128 CVE-2021-47353).
- Update
  patches.suse/usb-chipidea-ci_hdrc_imx-Also-search-for-phys-phandl.patch
  (git-fixes bsc#1225333 CVE-2021-47413).
- Update
  patches.suse/usb-dwc2-check-return-value-after-calling-platform_g.patch
  (git-fixes bsc#1225330 CVE-2021-47409).
- Update
  patches.suse/usb-dwc3-ep0-fix-NULL-pointer-exception.patch
  (git-fixes bsc#1224996 CVE-2021-47269).
- Update
  patches.suse/usb-fix-various-gadget-panics-on-10gbps-cabling.patch
  (git-fixes bsc#1224993 CVE-2021-47267).
- Update
  patches.suse/usb-fix-various-gadgets-null-ptr-deref-on-10gbps-cab.patch
  (git-fixes bsc#1224997 CVE-2021-47270).
- Update patches.suse/usb-musb-dsps-Fix-the-probe-error-path.patch
  (git-fixes bsc#1225244 CVE-2021-47436).
- Update patches.suse/usbnet-sanity-check-for-maxpacket.patch
  (git-fixes bsc#1225351 CVE-2021-47495).
- Update
  patches.suse/watchdog-Fix-possible-use-after-free-by-calling-del_.patch
  (git-fixes bsc#1225060 CVE-2021-47321).
- Update
  patches.suse/watchdog-Fix-possible-use-after-free-in-wdt_startup.patch
  (git-fixes bsc#1225030 CVE-2021-47324).
- Update
  patches.suse/watchdog-sc520_wdt-Fix-possible-use-after-free-in-wd.patch
  (git-fixes bsc#1225026 CVE-2021-47323).
- Update
  patches.suse/wl1251-Fix-possible-buffer-overflow-in-wl1251_cmd_sc.patch
  (git-fixes bsc#1225177 CVE-2021-47347).
- Update
  patches.suse/x86-fpu-prevent-state-corruption-in-_fpu__restore_sig.patch
  (bsc#1178134 bsc#1224852 CVE-2021-47227).
- Update
  patches.suse/xhci-Fix-command-ring-pointer-corruption-while-abort.patch
  (git-fixes bsc#1225232 CVE-2021-47434).
- commit 0b290f8

- Update
  patches.suse/0002-bcache-avoid-oversized-read-request-in-cache-miss.patch
  (bsc#1184631 bsc#1224965 CVE-2021-47275).
- Update patches.suse/ACPI-fix-NULL-pointer-dereference.patch
  (git-fixes bsc#1224984 CVE-2021-47289).
- Update
  patches.suse/ALSA-usx2y-Don-t-call-free_pages_exact-with-NULL-add.patch
  (git-fixes bsc#1225091 CVE-2021-47332).
- Update
  patches.suse/ASoC-SOF-Fix-DSP-oops-stack-dump-output-contents.patch
  (git-fixes bsc#1225206 CVE-2021-47381).
- Update
  patches.suse/HID-betop-fix-slab-out-of-bounds-Write-in-betop_prob.patch
  (git-fixes bsc#1225303 CVE-2021-47404).
- Update
  patches.suse/HID-bigbenff-prevent-null-pointer-dereference.patch
  (CVE-2022-20132 bsc#1200619 bsc#1225437 CVE-2021-47522).
- Update
  patches.suse/HID-usbhid-free-raw_report-buffers-in-usbhid_stop.patch
  (git-fixes bsc#1225238 CVE-2021-47405).
- Update
  patches.suse/IB-qib-Fix-memory-leak-in-qib_user_sdma_queue_pkts.patch
  (CVE-2021-47485 bsc#1224904 bsc#1220960 CVE-2021-47104).
- Update
  patches.suse/KVM-PPC-Book3S-HV-Fix-stack-handling-in-idle_kvm_sta.patch
  (bko#206669 bsc#1174585 bsc#1192107 CVE-2021-43056 bsc#1225341
  CVE-2021-47465).
- Update
  patches.suse/KVM-mmio-Fix-use-after-free-Read-in-kvm_vm_ioctl_unr.patch
  (git-fixes bsc#1224923 CVE-2021-47341).
- Update
  patches.suse/NFC-digital-fix-possible-memory-leak-in-digital_in_s.patch
  (git-fixes bsc#1225263 CVE-2021-47442).
- Update
  patches.suse/NFC-digital-fix-possible-memory-leak-in-digital_tg_l.patch
  (git-fixes bsc#1225262 CVE-2021-47443).
- Update
  patches.suse/NFS-Fix-use-after-free-in-nfs4_init_client.patch
  (git-fixes bsc#1224953 CVE-2021-47259).
- Update
  patches.suse/RDMA-cma-Ensure-rdma_addr_cancel-happens-before-issu.patch
  (bsc#1210629 CVE-2023-2176 bsc#1225318 CVE-2021-47391).
- Update
  patches.suse/aio-fix-use-after-free-due-to-missing-POLLFREE-handl.patch
  (CVE-2021-39698 bsc#1196956 bsc#1225400 CVE-2021-47505).
- Update
  patches.suse/audit-fix-possible-null-pointer-dereference-in-audit.patch
  (git-fixes bsc#1225393 CVE-2021-47464).
- Update
  patches.suse/blktrace-Fix-uaf-in-blk_trace-access-after-removing-.patch
  (bsc#1191452 bsc#1225193 CVE-2021-47375).
- Update patches.suse/can-peak_pci-peak_pci_remove-fix-UAF.patch
  (git-fixes bsc#1225256 CVE-2021-47456).
- Update
  patches.suse/cifs-prevent-NULL-deref-in-cifs_compose_mount_options-.patch
  (bsc#1185902 bsc#1224961 CVE-2021-47307).
- Update
  patches.suse/dma-buf-sync_file-Don-t-leak-fences-on-merge-failure.patch
  (git-fixes bsc#1224968 CVE-2021-47305).
- Update
  patches.suse/drm-Fix-use-after-free-read-in-drm_getunique.patch
  (git-fixes bsc#1224982 CVE-2021-47280).
- Update patches.suse/drm-amdgpu-fix-gart.bo-pin_count-leak.patch
  (git-fixes bsc#1225390 CVE-2021-47431).
- Update
  patches.suse/drm-msm-Fix-null-pointer-dereference-on-pointer-edp.patch
  (git-fixes bsc#1225261 CVE-2021-47445).
- Update
  patches.suse/drm-nouveau-debugfs-fix-file-release-memory-leak.patch
  (git-fixes bsc#1225366 CVE-2021-47423).
- Update patches.suse/drm-sched-Avoid-data-corruptions.patch
  (git-fixes bsc#1225140 CVE-2021-47354).
- Update
  patches.suse/fbmem-Do-not-delete-the-mode-that-is-still-in-use.patch
  (git-fixes bsc#1224924 CVE-2021-47338).
- Update
  patches.suse/ftrace-Do-not-blindly-read-the-ip-address-in-ftrace_bug.patch
  (git-fixes bsc#1224966 CVE-2021-47276).
- Update
  patches.suse/hwmon-mlxreg-fan-Return-non-zero-value-when-fan-curr.patch
  (git-fixes bsc#1225321 CVE-2021-47393).
- Update
  patches.suse/i2c-acpi-fix-resource-leak-in-reconfiguration-device.patch
  (git-fixes bsc#1225223 CVE-2021-47425).
- Update
  patches.suse/i40e-Fix-freeing-of-uninitialized-misc-IRQ-vector.patch
  (git-fixes bsc#1225367 CVE-2021-47424).
- Update patches.suse/ice-avoid-bpf_prog-refcount-underflow.patch
  (jsc#SLE-7926 bsc#1225500 CVE-2021-47563).
- Update patches.suse/ice-fix-vsi-txq_map-sizing.patch
  (jsc#SLE-7926 bsc#1225499 CVE-2021-47562).
- Update
  patches.suse/igb-Fix-use-after-free-error-during-reset.patch
  (git-fixes bsc#1224916 CVE-2021-47301).
- Update
  patches.suse/igc-Fix-use-after-free-error-during-reset.patch
  (git-fixes bsc#1224917 CVE-2021-47302).
- Update
  patches.suse/isdn-mISDN-Fix-sleeping-function-called-from-invalid.patch
  (git-fixes bsc#1225346 CVE-2021-47468).
- Update
  patches.suse/isdn-mISDN-netjet-Fix-crash-in-nj_probe.patch
  (git-fixes bsc#1224987 CVE-2021-47284).
- Update
  patches.suse/ixgbe-Fix-NULL-pointer-dereference-in-ixgbe_xdp_setu.patch
  (git-fixes bsc#1225328 CVE-2021-47399).
- Update
  patches.suse/mISDN-fix-possible-use-after-free-in-HFC_cleanup.patch
  (git-fixes bsc#1225143 CVE-2021-47356).
- Update
  patches.suse/mac80211-fix-use-after-free-in-CCMP-GCMP-RX.patch
  (git-fixes bsc#1225214 CVE-2021-47388).
- Update
  patches.suse/mac80211-hwsim-fix-late-beacon-hrtimer-handling.patch
  (git-fixes bsc#1225327 CVE-2021-47396).
- Update
  patches.suse/mac80211-limit-injected-vht-mcs-nss-in-ieee80211_par.patch
  (git-fixes bsc#1225326 CVE-2021-47395).
- Update
  patches.suse/media-zr364xx-fix-memory-leak-in-zr364xx_start_readp.patch
  (git-fixes bsc#1224922 CVE-2021-47344).
- Update
  patches.suse/misc-alcor_pci-fix-null-ptr-deref-when-there-is-no-P.patch
  (git-fixes bsc#1225113 CVE-2021-47333).
- Update
  patches.suse/misc-libmasm-module-Fix-two-use-after-free-in-ibmasm.patch
  (git-fixes bsc#1225112 CVE-2021-47334).
- Update
  patches.suse/mlxsw-thermal-Fix-out-of-bounds-memory-accesses.patch
  (git-fixes bsc#1225224 CVE-2021-47441).
- Update patches.suse/net-batman-adv-fix-error-handling.patch
  (git-fixes bsc#1224909 CVE-2021-47482).
- Update
  patches.suse/net-mlx4_en-Fix-an-use-after-free-bug-in-mlx4_en_try.patch
  (git-fixes bsc#1225453 CVE-2021-47541).
- Update
  patches.suse/net-nfc-rawsock.c-fix-a-permission-check-bug.patch
  (git-fixes bsc#1224981 CVE-2021-47285).
- Update
  patches.suse/net-qlogic-qlcnic-Fix-a-NULL-pointer-dereference-in-.patch
  (git-fixes bsc#1225455 CVE-2021-47542).
- Update
  patches.suse/nfp-Fix-memory-leak-in-nfp_cpp_area_cache_add.patch
  (git-fixes bsc#1225427 CVE-2021-47516).
- Update
  patches.suse/nfs-fix-acl-memory-leak-of-posix_acl_create.patch
  (git-fixes bsc#1225058 CVE-2021-47320).
- Update
  patches.suse/ocfs2-fix-data-corruption-after-conversion-from-inli.patch
  (bsc#1190795 bsc#1225251 CVE-2021-47460).
- Update patches.suse/phy-mdio-fix-memory-leak.patch (git-fixes
  bsc#1225336 CVE-2021-47416).
- Update
  patches.suse/powerpc-mm-Fix-lockup-on-kernel-exec-fault.patch
  (bsc#1156395 bsc#1225181 CVE-2021-47350).
- Update
  patches.suse/regmap-Fix-possible-double-free-in-regcache_rbtree_e.patch
  (git-fixes bsc#1224907 CVE-2021-47483).
- Update
  patches.suse/rxrpc-Fix-rxrpc_local-leak-in-rxrpc_lookup_peer.patch
  (bsc#1154353 bnc#1151927 5.3.9 bsc#1225448 CVE-2021-47538).
- Update
  patches.suse/s390-qeth-fix-NULL-deref-in-qeth_clear_working_pool_list
  (git-fixes bsc#1225164 CVE-2021-47369).
- Update
  patches.suse/s390-qeth-fix-deadlock-during-failing-recovery
  (git-fixes bsc#1225207 CVE-2021-47382).
- Update
  patches.suse/scsi-libfc-Fix-array-index-out-of-bound-exception.patch
  (bsc#1188616 bsc#1224963 CVE-2021-47308).
- Update
  patches.suse/scsi-mpt3sas-Fix-kernel-panic-during-drive-powercycle-test
  (git-fixes bsc#1225384 CVE-2021-47565).
- Update
  patches.suse/scsi-qla2xxx-Fix-a-memory-leak-in-an-error-path-of-qla2x00_process_els
  (git-fixes bsc#1225192 CVE-2021-47473).
- Update
  patches.suse/serial-core-fix-transmit-buffer-reset-and-memleak.patch
  (git-fixes bsc#1194288 CVE-2021-47527).
- Update
  patches.suse/tracing-Correct-the-length-check-which-causes-memory-corruption.patch
  (git-fixes bsc#1224990 CVE-2021-47274).
- Update
  patches.suse/tty-n_gsm-require-CAP_NET_ADMIN-to-attach-N_GSM0710-.patch
  (bsc#1222619 CVE-2023-52880).
- Update
  patches.suse/tty-serial-8250-serial_cs-Fix-a-memory-leak-in-error.patch
  (git-fixes bsc#1225084 CVE-2021-47330).
- Update
  patches.suse/usb-dwc3-ep0-fix-NULL-pointer-exception.patch
  (git-fixes bsc#1224996 CVE-2021-47269).
- Update
  patches.suse/usb-fix-various-gadget-panics-on-10gbps-cabling.patch
  (git-fixes bsc#1224993 CVE-2021-47267).
- Update
  patches.suse/usb-fix-various-gadgets-null-ptr-deref-on-10gbps-cab.patch
  (git-fixes bsc#1224997 CVE-2021-47270).
- Update patches.suse/usb-musb-dsps-Fix-the-probe-error-path.patch
  (git-fixes bsc#1225244 CVE-2021-47436).
- Update patches.suse/usbnet-sanity-check-for-maxpacket.patch
  (git-fixes bsc#1225351 CVE-2021-47495).
- Update
  patches.suse/watchdog-Fix-possible-use-after-free-by-calling-del_.patch
  (git-fixes bsc#1225060 CVE-2021-47321).
- Update
  patches.suse/watchdog-Fix-possible-use-after-free-in-wdt_startup.patch
  (git-fixes bsc#1225030 CVE-2021-47324).
- Update
  patches.suse/watchdog-sc520_wdt-Fix-possible-use-after-free-in-wd.patch
  (git-fixes bsc#1225026 CVE-2021-47323).
- Update
  patches.suse/wl1251-Fix-possible-buffer-overflow-in-wl1251_cmd_sc.patch
  (git-fixes bsc#1225177 CVE-2021-47347).
- Update
  patches.suse/xhci-Fix-command-ring-pointer-corruption-while-abort.patch
  (git-fixes bsc#1225232 CVE-2021-47434).
- commit 37dba5a

- net/smc: kABI workarounds for struct smc_link (CVE-2022-48673
  bsc#1223934).
- net/smc: Fix possible access to freed memory in link clear
  (CVE-2022-48673 bsc#1223934).
- commit 0f509bf

- soc: qcom: llcc: Handle a second device without data corruption (bsc#1225534 CVE-2023-52871)
- commit f6adad8

- x86/xen: Drop USERGS_SYSRET64 paravirt call (git-fixes).
- Refresh
  patches.suse/x86-entry_64-Add-VERW-just-before-userspace-transition.patch.
- Refresh
  patches.suse/x86-xen-add-xenpv_restore_regs_and_return_to_usermode.patch.
- commit fa16bf8

- cifs: fix underflow in parse_server_interfaces() (bsc#1223084,
  CVE-2024-26828).
- commit 8a48c12

- nvmem: Fix shift-out-of-bound (UBSAN) with byte size cells
  (bsc#1225355 CVE-2021-47497).
- commit 33cab00

- Refresh
  patches.suse/firmware-raspberrypi-introduce-vl805-init-routine.patch.
- Refresh
  patches.suse/pci-brcmstb-wait-for-raspberry-pi-s-firmware-when-present.patch.
- Refresh
  patches.suse/usb-pci-quirks-add-raspberry-pi-4-quirk.patch.
- Rename to
  patches.suse/soc-bcm2835-add-notify-xhci-reset-property.patch.
  Add upstream references, sync with upstream and move to the sorted
  section.
  3 of these patches were later reverted, but only because they were
  replaced by a different implementation, not because they were wrong.
  Add the reverts to blacklist.conf.
- commit ebed050

- iio: mma8452: Fix trigger reference couting (bsc#1225360
  CVE-2021-47500).
- commit 8ee9c73

- efi/capsule-loader: fix incorrect allocation size (bsc#1224438
  CVE-2024-27413).
- commit 66f7463

- tty: Fix out-of-bound vmalloc access in imageblit
  (CVE-2021-47383 bsc#1225208).
- commit aa2473d

- ALSA: pcm: oss: Fix negative period/buffer sizes (CVE-2021-47511
  bsc#1225411).
- commit 094796a

- Update tags in
  patches.suse/ext4-Fix-check-for-block-being-out-of-directory-size.patch.
  And move to the sorted section of series.conf.
- commit dc0df73

- Refresh patches.suse/x86-cpu-amd-add-a-zenbleed-fix.patch.
- Refresh
  patches.suse/x86-cpu-amd-move-the-errata-checking-functionality-up.patch.
  Move 2 upstream arch-specific patches to the sorted section.
- commit d5f36cd

- Input: synaptics-rmi4 - fix use after free in
  rmi_unregister_function() (CVE-2023-52840 bsc#1224928).
- commit 3a1b2ed

- IB/qib: Fix memory leak in qib_user_sdma_queue_pkts() (CVE-2021-47485 bsc#1224904)
- commit 7e99b42

- af_unix: annote lockless accesses to unix_tot_inflight &
  gc_in_progress (bsc#1223384).
- Refresh
  patches.suse/io_uring-af_unix-defer-registered-files-gc-to-io_uri.patch.
- commit 03fbb54

- IB/qib: Protect from buffer overflow in struct qib_user_sdma_pkt fields (CVE-2021-47485 bsc#1224904)
- commit c9482fe

- IB/mlx5: Fix initializing CQ fragments buffer (bsc#1224954 CVE-2021-47261)
- commit 77cbada

- Move powerpc patches to their specific section
  They are apparently not going upstream.
- commit eea93a0

- Move upstream patches to the sorted section
- commit 757eb5a

- Update
  patches.suse/bpf-sockmap-Prevent-lock-inversion-deadlock-in-map-d.patch
  (bsc#1209657 CVE-2023-0160 CVE-2024-35895 bsc#1224511).
- Update
  patches.suse/nfsd-Fix-error-cleanup-path-in-nfsd_rename.patch
  (bsc#1221044 CVE-2023-52591 CVE-2024-35914 bsc#1224482).
- Update
  patches.suse/wifi-brcmfmac-Fix-use-after-free-bug-in-brcmf_cfg802.patch
  (CVE-2023-47233 bsc#1216702 CVE-2024-35811 bsc#1224592).
- commit e0bcd81

- Update
  patches.suse/KVM-PPC-Fix-kvm_arch_vcpu_ioctl-vcpu_load-leak.patch
  (bsc#1156395 CVE-2021-47296 bsc#1224891).
- Update
  patches.suse/NFS-Fix-a-potential-NULL-dereference-in-nfs_get_clie.patch
  (git-fixes CVE-2021-47260 bsc#1224834).
- Update
  patches.suse/PCI-aardvark-Fix-kernel-panic-during-PIO-transfer.patch
  (git-fixes CVE-2021-47229 bsc#1224854).
- Update
  patches.suse/batman-adv-Avoid-WARN_ON-timing-related-checks.patch
  (git-fixes CVE-2021-47252 bsc#1224882).
- Update
  patches.suse/can-mcba_usb-fix-memory-leak-in-mcba_usb.patch
  (git-fixes CVE-2021-47231 bsc#1224849).
- Update
  patches.suse/kvm-lapic-restore-guard-to-prevent-illegal-apic-regi.patch
  (bsc#1188772 CVE-2021-47255 bsc#1224832).
- Update
  patches.suse/media-ngene-Fix-out-of-bounds-bug-in-ngene_command_c.patch
  (git-fixes CVE-2021-47288 bsc#1224889).
- Update
  patches.suse/memory-fsl_ifc-fix-leak-of-IO-mapping-on-probe-failu.patch
  (git-fixes CVE-2021-47315 bsc#1224892).
- Update
  patches.suse/memory-fsl_ifc-fix-leak-of-private-memory-on-probe-f.patch
  (git-fixes CVE-2021-47314 bsc#1224893).
- Update patches.suse/net-cdc_eem-fix-tx-fixup-skb-leak.patch
  (git-fixes CVE-2021-47236 bsc#1224841).
- Update
  patches.suse/net-mlx5e-Fix-page-reclaim-for-dead-peer-hairpin.patch
  (git-fixes CVE-2021-47246 bsc#1224831).
- Update
  patches.suse/net-qrtr-fix-OOB-Read-in-qrtr_endpoint_post.patch
  (CVE-2021-3743 bsc#1189883 CVE-2021-47240 bsc#1224843).
- Update
  patches.suse/net-usb-fix-possible-use-after-free-in-smsc75xx_bind.patch
  (git-fixes CVE-2021-47239 bsc#1224846).
- Update
  patches.suse/usb-dwc3-core-fix-kernel-panic-when-do-reboot.patch
  (git-fixes CVE-2021-47220 bsc#1224859).
- commit 5376688

- gfs2: Fix use-after-free in gfs2_glock_shrink_scan (bsc#1224888
  CVE-2021-47254).
- commit bf82ce3

- btrfs: do not start relocation until in progress drops are  done
  (bsc#1222251).
- commit a41ddb4

- btrfs: do not start relocation until in progress drops are  done
  (bsc#1222251).
- commit 0f3d5ec

- Bluetooth: Fix use-after-free bugs caused by sco_sock_timeout
  (bsc#1224174 CVE-2024-27398).
- commit 2d99726

- af_unix: Fix garbage collector racing against connect()
  (CVE-2024-26923 bsc#1223384).
- af_unix: Replace BUG_ON() with WARN_ON_ONCE() (bsc#1223384).
- af_unix: Do not use atomic ops for unix_sk(sk)->inflight (bsc#1223384).
- commit 9a2eeaf

- blacklist.conf: Fix for code not present (CVE-2024-26929)
- commit 3d9e5d9

- Refresh
  patches.suse/NFS-don-t-store-struct-cred-in-struct-nfs_access_ent.patch.
- Refresh
  patches.suse/qla2xxx-synchronize-rport-dev_loss_tmo-setting.patch.
- Refresh
  patches.suse/rpadlpar_io-Add-MODULE_DESCRIPTION-entries-to-kernel.patch.
  Adjust headers to minimize merge conflicts.
- commit 0300a69

- Refresh
  patches.suse/ext4-Avoid-trim-error-on-fs-with-small-groups.patch.
  Swap headers to avoid a conflict when merging into consumer branches.
- commit 1510229

- Refresh
  patches.suse/wifi-brcmfmac-Fix-use-after-free-bug-in-brcmf_cfg802.patch.
  Update Patch-mainline tag and move to sorted section.
- commit 81abd64

- Refresh patches.suse/Bluetooth-L2CAP-Fix-u8-overflow.patch.
  Add upstream commit ID and move to sorted section.
- commit 5c72346

- Refresh
  patches.suse/wifi-brcmfmac-Fix-potential-buffer-overflow-in-brcmf.patch.
  Update Patch-mainline tag and move to sorted section.
- commit 684103a

- Refresh
  patches.suse/misc-sgi-gru-fix-use-after-free-error-in-gru_set_con.patch.
  Update Patch-mainline tag and move to sorted section.
- commit a75fb60

- Refresh
  patches.suse/char-pcmcia-synclink_cs-Fix-use-after-free-in-mgslpc.patch.
  Driver was deleted upstream so this fix will stay out-of-tree
  forever. Move to the appropriate section.
- commit bce6652

- Refresh
  patches.suse/media-dvb-core-Fix-UAF-due-to-refcount-races-at-rele.patch.
  Add upstream commit ID and move to sorted section.
- commit 39ecedd

- Refresh
  patches.suse/netfilter-nf_conntrack_irc-Tighten-matching-on-DCC-m.patch.
  Add upstream commit ID and move to sorted section.
- commit 6754ecb

- Refresh
  patches.suse/ext4-Avoid-trim-error-on-fs-with-small-groups.patch.
  Add upstream commit ID and move to sorted section.
- commit 92fa4c5

- Refresh
  patches.suse/SUNRPC-auth-async-tasks-mustn-t-block-waiting-for-me.patch.
- Refresh
  patches.suse/SUNRPC-call_alloc-async-tasks-mustn-t-block-waiting-.patch.
- Refresh
  patches.suse/SUNRPC-improve-swap-handling-scheduling-and-PF_MEMAL.patch.
- Refresh
  patches.suse/SUNRPC-remove-scheduling-boost-for-SWAPPER-tasks.patch.
- Refresh
  patches.suse/SUNRPC-xprt-async-tasks-mustn-t-block-waiting-for-me.patch.
  Add upstream commit IDs and move to sorted section.
- commit 245a308

- Refresh
  patches.suse/NFS-change-nfs_access_get_cached-to-only-report-the-.patch.
- Refresh
  patches.suse/NFS-don-t-store-struct-cred-in-struct-nfs_access_ent.patch.
- Refresh
  patches.suse/NFS-pass-cred-explicitly-for-access-tests.patch.
  Add upstream commit IDs and move to sorted section.
- commit 8f85449

- Refresh
  patches.suse/qla2xxx-synchronize-rport-dev_loss_tmo-setting.patch.
  Add upstream commit ID and move to sorted section.
- commit 0e0054f

- NFC: nxp: add NXP1002 (bsc#1185589).
  Add upstream commit ID and subject, and move to sorted section.
- commit 01c3222

- series.conf: Move block-genhd-use-atomic_t-for-disk_event-block.patch
  Patch was never accepted upstream and was dropped from later products
  as it had problematic side effects. Move it to the appropriate
  out-of-tree section.
- commit 9199401

- PCI: rpaphp: Add MODULE_DESCRIPTION (bsc#1176869 ltc#188243).
  Add upstream commit ID and subject, and move to sorted section.
- commit 4630de9

- Refresh
  patches.suse/drivers-base-memory.c-cache-blocks-in-radix-tree-to-.patch.
  Document why this commit will never go upstream and move it to its
  specific section.
- commit f30bed3

- Refresh
  patches.suse/x86-boot-Ignore-relocations-in-.notes-sections-in-walk_rel.patch.
  Move to sorted section.
- commit 9bdf9d5

- blacklist.conf: add fix for code not present (CVE-2024-26930)
- commit 19f6175

- Update
  patches.suse/netfilter-nf_tables-mark-set-as-dead-when-unbinding-.patch
  (git-fixes CVE-2024-26643 bsc#1221829).
- Update
  patches.suse/netfilter-nf_tables-release-mutex-after-nft_gc_seq_e.patch
  (git-fixes CVE-2024-26925 bsc#1223390).
- Update
  patches.suse/netfilter-nft_set_rbtree-skip-end-interval-element-f.patch
  (git-fixes CVE-2024-26581 bsc#1220144).
- commit 5b5ef95

- Update
  patches.suse/io_uring-af_unix-disable-sending-io_uring-over-socke.patch
  (bsc#1220754 CVE-2023-6531 CVE-2023-52654 bsc#1224099).
- Update
  patches.suse/netfilter-nf_tables-fix-memleak-when-more-than-255-e.patch
  (git-fixes CVE-2023-52581 bsc#1220877).
- Update
  patches.suse/netfilter-nft_set_rbtree-skip-sync-GC-for-new-elemen.patch
  (git-fixes CVE-2023-52433 bsc#1220137).
- commit ab7595e

- blacklist.conf: Add 9474c62ab65f net/sched: Add module alias for sch_fq_pie
- commit 0f0d88e

- usb: aqc111: check packet for fixup for true limit (bsc#1217169
  CVE-2023-52655).
- commit 1678228

- Update
  patches.suse/drm-radeon-add-a-force-flush-to-delay-work-when-rade.patch
  (git-fixes CVE-2022-48704 bsc#1223932).
- commit d602686

- netfilter: nf_tables: release mutex after nft_gc_seq_end from
  abort path (git-fixes).
- commit 453d60a

- netfilter: nf_tables: mark set as dead when unbinding anonymous
  set with timeout (git-fixes).
- commit a3b6f2c

- netfilter: nft_set_rbtree: skip end interval element from gc
  (git-fixes).
- commit f941d80

- netfilter: nf_tables: skip dead set elements in netlink dump
  (git-fixes).
- commit 11672cf

- netfilter: nf_tables: mark newset as dead on transaction abort
  (git-fixes).
- commit deeefa0

- blacklist.conf: update blacklist
- commit d111502

- blacklist.conf: update blacklist
- commit c053707

- netfilter: nf_tables: nft_set_rbtree: fix spurious insertion
  failure (git-fixes).
- commit 787a388

- Refresh patches.kabi/netfilter-preserve-nf_tables-kabi.patch.
- commit f69dce7

- netfilter: nf_tables: fix memleak when more than 255 elements
  expired (git-fixes).
- commit 55db444

- blacklist.conf: update blacklist
- commit 3075338

- netfilter: nft_set_hash: try later when GC hits EAGAIN on
  iteration (git-fixes).
- commit bc13e9b

- netfilter: nft_set_rbtree: use read spinlock to avoid datapath
  contention (git-fixes).
- commit 9ed8e71

- netfilter: nft_set_rbtree: skip sync GC for new elements in
  this transaction (git-fixes).
- commit 0d564a0

- netfilter: nf_tables: defer gc run if previous batch is still
  pending (git-fixes).
- commit 1cb21d0

- netfilter: nf_tables: use correct lock to protect gc_list
  (git-fixes).
- commit f315c4c

- netfilter: nf_tables: GC transaction race with abort path
  (git-fixes).
- commit ce0642f

- netfilter: nf_tables: GC transaction race with netns dismantle
  (git-fixes).
- commit d9e442c

- blacklist.conf: update blacklist
- commit 51055c8

- netfilter: nf_tables: fix GC transaction races with netns and
  netlink event exit path (git-fixes).
- commit eacca32

- netfilter: nf_tables: fix kdoc warnings after gc rework
  (git-fixes).
- commit f86c22d

- Update
  patches.suse/scsi-mpt3sas-Fix-use-after-free-warning.patch
  (git-fixes CVE-2022-48695 bsc#1223941).
- commit 033821b

- Update
  patches.suse/ALSA-emu10k1-Fix-out-of-bounds-access-in-snd_emu10k1.patch
  (git-fixes CVE-2022-48702 bsc#1223923).
- commit c521d4a

- Update
  patches.suse/of-fdt-fix-off-by-one-error-in-unflatten_dt_nodes.patch
  (git-fixes CVE-2022-48672 bsc#1223931).
- commit e3fefd5

- cachefiles: fix memory leak in cachefiles_add_cache()
  (bsc#1222976 CVE-2024-26840).
- commit aa1fa99

- netfilter: nf_tables: adapt set backend to use GC transaction
  API (bsc#1215420 CVE-2023-4244).
- commit 2a5fb01

- btrfs: abort in rename_exchange if we fail to insert the second ref (CVE-2021-47113 bsc#1221543)
  Refresh patches.suse/btrfs-prevent-rename2-from-exchanging-a-subvol-with-a-directory-from-different-parents.patch
- commit cc57e15

- Update
  patches.suse/net-sched-act_mirred-don-t-override-retval-if-we-alr.patch
  references (CVE-2024-26739 bsc#1222559, drop incorrect references).
- commit 8b3f599

- net/tls: Remove the context from the list in tls_device_down
  (bsc#1221545).
- commit aca4b2e

- blacklist.conf: add 94ce3b64c62d
  Blacklist commit 94ce3b64c62d ("net/tls: Use RCU API to access
  tls_ctx->netdev"). This is a follow-up to c55dcdd435aa which addresses an
  issue which is rather theoretical and the backport would be quite
  intrusive.
- commit 64bbcaf

- tls: Fix context leak on tls_device_down (bsc#1221545).
- commit 23bab3f

- Update
  patches.suse/nvme-tcp-fix-uaf-when-detecting-digest-errors.patch
  (bsc#1200313 bsc#1201489 CVE-2022-48686 bsc#1223948).
- commit 5e5f9fe

- Update
  patches.suse/ALSA-usb-audio-Fix-an-out-of-bounds-bug-in-__snd_usb.patch
  (git-fixes CVE-2022-48701 bsc#1223921).
- commit 5de225e

- Update
  patches.suse/soc-brcmstb-pm-arm-Fix-refcount-leak-and-__iomem-lea.patch
  (git-fixes CVE-2022-48693 bsc#1223963).
- commit 0e4cd62

- kabi: hide new member of struct tls_context (CVE-2021-47131
  bsc#1221545).
- net/tls: Fix use-after-free after the TLS device goes down
  and up (CVE-2021-47131 bsc#1221545).
- commit c19ff47

- Update
  patches.suse/ipv6-sr-fix-out-of-bounds-read-when-setting-HMAC-dat.patch
  (bsc#1211592 CVE-2023-2860 CVE-2022-48687 bsc#1223952).
- commit 94a1c44

- net/ipv6: avoid possible UAF in ip6_route_mpath_notify()
  (CVE-2024-26852 bsc#1223057).
- commit f51e744

- openvswitch: fix stack OOB read while fragmenting IPv4 packets
  (CVE-2021-46955 bsc#1220513).
- commit 37faff4

- packet: annotate data-races around ignore_outgoing
  (CVE-2024-26862 bsc#1223111).
- commit 9b14c5d

- sctp: fix potential deadlock on &net->sctp.addr_wq_lock
  (CVE-2024-0639 bsc#1218917).
- commit c0f421c

- netfilter: preserve nf_tables kabi (bsc#1215420 CVE-2023-424).
- commit e6ab556

- media: edia: dvbdev: fix a use-after-free (CVE-2024-27043
  bsc#1223824).
- commit 1c01fe0

- ext4: fix bug in extents parsing when eh_entries == 0 and
  eh_depth >  0 (bsc#1223475 CVE-2022-48631).
- commit 911e181

- md/raid5: fix atomicity violation in raid5_cache_count
  (bsc#1219169, CVE-2024-23307).
- commit b804891

- Update
  patches.suse/cgroup-cgroup_get_from_id-must-check-the-looked-up-kn-is-a-directory.patch
  (bsc#1203906 CVE-2022-48638 bsc#1223522).
- commit 3bd7c2d

- netfilter: nf_tables: GC transaction API to avoid race with
  control plane (bsc#1215420 CVE-2023-4244).
- commit 361e5a0

- netfilter: nf_tables: don't skip expired elements during walk
  (bsc#1215420 CVE-2023-4244).
- commit 47ee234

- Update
  patches.suse/scsi-qla2xxx-Fix-memory-leak-in-__qlt_24xx_handle_ab.patch
  (bsc#1203935 CVE-2022-48650 bsc#1223509).
- commit c5c2590

- Update
  patches.suse/netfilter-nfnetlink_osf-fix-possible-bogus-match-in-.patch
  (bsc#1204614 CVE-2022-48654 bsc#1223482).
- commit 1221e0a

- netfilter: nft_set_rbtree: fix overlap expiration walk
  (git-fixes).
- commit 90d7112

- netfilter: nft_set_rbtree: fix null deref on element insertion
  (git-fixes).
- commit f25e27c

- netfilter: nft_set_rbtree: skip elements in transaction from
  garbage collection (git-fixes).
- commit 845bbc6

- netfilter: nft_set_rbtree: Switch to node list walk for overlap
  detection (git-fixes).
- commit bd48625

- netfilter: nft_set_rbtree: overlap detection with element
  re-addition after deletion (git-fixes).
- commit d362ed4

- netfilter: nft_set_rbtree: Detect partial overlap with start
  endpoint match (git-fixes).
- commit 4970ce9

- netfilter: nft_set_rbtree: Handle outcomes of tree rotations
  in overlap detection (git-fixes).
- commit bc0387c

- netfilter: nft_set_rbtree: Don't account for expired elements
  on insertion (git-fixes).
- commit c90c848

- netfilter: nft_set_rbtree: Add missing expired checks
  (git-fixes).
- commit 0d65e63

- netfilter: nft_set_rbtree: Drop spurious condition for overlap
  detection on insertion (git-fixes).
- commit a64c352

- netfilter: nft_set_rbtree: Detect partial overlaps on insertion
  (git-fixes).
- commit 39167a3

- netfilter: nft_set_rbtree: Introduce and use
  nft_rbtree_interval_start() (git-fixes).
- commit 9b991e8

- netfilter: nft_set_rbtree: bogus lookup/get on consecutive
  elements in named sets (git-fixes).
- commit 1a2cbfc

- ipvlan: Fix out-of-bound bugs caused by unset skb->mac_header
  (bsc#1223513 CVE-2022-48651).
- commit 0325bf2

- x86/mm: Disallow vsyscall page read for copy_from_kernel_nofault() (bsc#1223202 CVE-2024-26906).
- commit 4dcafb9

- x86/mm: Move is_vsyscall_vaddr() into asm/vsyscall.h (bsc#1223202 CVE-2024-26906).
- commit 4e61cac

- x86/boot: Ignore relocations in .notes sections in walk_relocs() too (bsc#1222624 CVE-2024-26816).
- commit 8d2e301

- x86, relocs: Ignore relocations in .notes section (bsc#1222624 CVE-2024-26816).
- commit b1ed209

- Update
  patches.suse/0001-fs-hugetlb-fix-NULL-pointer-dereference-in-hugetlbs_.patch
  (bsc#1219264 CVE-2024-0841 CVE-2024-26688 bsc#1222482).
- Update
  patches.suse/Bluetooth-rfcomm-Fix-null-ptr-deref-in-rfcomm_check_.patch
  (bsc#1219170 CVE-2024-22099 CVE-2024-26903 bsc#1223187).
- Update
  patches.suse/net-sched-act_mirred-don-t-override-retval-if-we-alr.patch
  (CVE-2024-26733 bsc#1222585 CVE-2024-26739 bsc#1222559).
- commit edcb3fa

- Update
  patches.suse/ALSA-gus-fix-null-pointer-dereference-on-pointer-blo.patch
  (git-fixes CVE-2021-47207 bsc#1222790).
- Update
  patches.suse/cfg80211-call-cfg80211_stop_ap-when-switch-from-P2P_.patch
  (git-fixes CVE-2021-47194 bsc#1222829).
- Update
  patches.suse/i40e-Fix-NULL-ptr-dereference-on-VSI-filter-sync.patch
  (git-fixes CVE-2021-47184 bsc#1222666).
- Update
  patches.suse/iavf-free-q_vectors-before-queues-in-iavf_disable_vf.patch
  (git-fixes CVE-2021-47201 bsc#1222792).
- Update
  patches.suse/net-mlx5-Update-error-handler-for-UCTX-and-UMEM.patch
  (git-fixes CVE-2021-47212 bsc#1222709).
- Update
  patches.suse/scsi-lpfc-Fix-list_add-corruption-in-lpfc_drain_txq.patch
  (bsc#1190576 CVE-2021-47203 bsc#1222881).
- Update
  patches.suse/scsi-lpfc-Fix-use-after-free-in-lpfc_unreg_rpi-routi.patch
  (bsc#1192145 CVE-2021-47198 bsc#1222883).
- Update
  patches.suse/tty-tty_buffer-Fix-the-softlockup-issue-in-flush_to_.patch
  (git-fixes CVE-2021-47185 bsc#1222669).
- Update
  patches.suse/usb-host-ohci-tmio-check-return-value-after-calling-.patch
  (git-fixes CVE-2021-47206 bsc#1222894).
- commit 8d3f18a

- Update
  patches.suse/aoe-fix-the-potential-use-after-free-problem-in-aoec.patch
  (bsc#1218562 CVE-2023-6270 CVE-2024-26898 bsc#1223016).
- commit 8d6a724

- Update patches.suse/scsi-advansys-Fix-kernel-pointer-leak.patch
  (git-fixes CVE-2021-47216 bsc#1222876).
- commit 1856476

- wifi: iwlwifi: fix a memory corruption (CVE-2024-26610
  bsc#1221299).
- commit cceba2c

- Update patches.suse/arp-Prevent-overflow-in-arp_req_get.patch
- fix build warning
- commit d969104

- ceph: prevent use-after-free in encode_cap_msg() (CVE-2024-26689
  bsc#1222503).
- commit c431df1

- Update patches.suse/thermal-Fix-NULL-pointer-dereferences-in-of_thermal_.patch (git-fixes CVE-2021-47202 bsc#1222878)
- commit 94c254a

- nvme-tcp: can't set sk_user_data without write_lock
  (CVE-2021-47041 bsc#1220755).
- commit c3bc01a

- nvme-loop: fix memory leak in nvme_loop_create_ctrl()
  (CVE-2021-47074 bsc#1220854).
- nvme-loop: don't put ctrl on nvme_init_ctrl error
  (CVE-2021-47074 bsc#1220854).
- commit 8101361

- nvmet-tcp: fix incorrect locking in state_change sk callback
  (CVE-2021-47041 bsc#1220755).
- commit ee0c72d

- RDMA/srpt: Support specifying the srpt_service_guid parameter (bsc#1222449 CVE-2024-26744)
- commit 12241af

- Refresh
  patches.suse/bpf-sockmap-Prevent-lock-inversion-deadlock-in-map-d.patch.
- commit ea3cbb2

- Update patches.suse/bpf-Fix-integer-overflow-involving-bucket_size.patch
  Fix CVE refence format.
- commit 86e8797

- Update
  patches.suse/btrfs-fix-memory-ordering-between-normal-and-ordered-work-functions.patch
  (git-fixes CVE-2021-47189 bsc#1222706).
- commit ed3e4bc

- Update
  patches.suse/tty-tty_buffer-Fix-the-softlockup-issue-in-flush_to_.patch
  (git-fixes CVE-2021-47185).
- commit 972d0f6

- Update
  patches.suse/scsi-lpfc-Fix-link-down-processing-to-address-NULL-p.patch
  (bsc#1192145 CVE-2021-47183 bsc#1222664).
- commit add99e0

- Update
  patches.suse/usb-musb-tusb6010-check-return-value-after-calling-p.patch
  (git-fixes CVE-2021-47181 bsc#1222660).
- commit 87eb148

- tty: n_gsm: require CAP_NET_ADMIN to attach N_GSM0710 ldisc
  (bsc#1222619).
- commit 7db5139

- arp: Prevent overflow in arp_req_get() (CVE-2024-26733
  bsc#1222585).
- commit 0a4c958

- net/sched: act_mirred: don't override retval if we already
  lost the skb (CVE-2024-26733 bsc#1222585).
- commit cc1339b

- ext4: fix double-free of blocks due to wrong extents moved_len
  (bsc#1222422 CVE-2024-26704).
- commit d1a6e8f

- fs,hugetlb: fix NULL pointer dereference in hugetlbs_fill_super
  (bsc#1219264).
- commit bc51f7b

- nfsd: Fix error cleanup path in nfsd_rename() (bsc#1221044
  CVE-2023-52591).
- commit 24c2d2e

- Update
  patches.suse/nvme-fc-Prevent-null-pointer-dereference-in-nvme_fc_.patch
  (bsc#1214842 CVE-2023-52508 bsc#1221015).
- Update
  patches.suse/x86-srso-fix-sbpb-enablement-for-spec_rstack_overflow-off.patch
  (git-fixes CVE-2023-52575 bsc#1220871).
- commit 61a8300

- Update
  patches.suse/Bluetooth-avoid-deadlock-between-hci_dev-lock-and-so.patch
  (git-fixes CVE-2021-47038 bsc#1220753).
- Update
  patches.suse/Input-elantech-fix-stack-out-of-bound-access-in-elan.patch
  (git-fixes CVE-2021-47097 bsc#1220982).
- Update
  patches.suse/KEYS-trusted-Fix-TPM-reservation-for-seal-unseal.patch
  (git-fixes CVE-2021-46922 bsc#1220475).
- Update
  patches.suse/KEYS-trusted-Fix-memory-leak-on-object-td.patch
  (git-fixes CVE-2021-47009 bsc#1220733).
- Update
  patches.suse/RDMA-rtrs-clt-destroy-sysfs-after-removing-session-f.patch
  (jsc#SLE-15176 CVE-2021-47026 bsc#1220685).
- Update
  patches.suse/asix-fix-uninit-value-in-asix_mdio_read.patch
  (git-fixes CVE-2021-47101 bsc#1220987).
- Update
  patches.suse/ath10k-Fix-a-use-after-free-in-ath10k_htc_send_bundl.patch
  (git-fixes CVE-2021-47017 bsc#1220678).
- Update patches.suse/ch_ktls-Fix-kernel-panic.patch
  (jsc#SLE-15131 CVE-2021-46911 bsc#1220400).
- Update
  patches.suse/dmaengine-idxd-Fix-clobbering-of-SWERR-overflow-bit-.patch
  (git-fixes CVE-2021-46920 bsc#1220426).
- Update
  patches.suse/dmaengine-idxd-Fix-potential-null-dereference-on-poi.patch
  (git-fixes CVE-2021-47003 bsc#1220677).
- Update
  patches.suse/dmaengine-idxd-clear-MSIX-permission-entry-on-shutdo.patch
  (git-fixes CVE-2021-46918 bsc#1220429).
- Update
  patches.suse/dmaengine-idxd-fix-wq-cleanup-of-WQCFG-registers.patch
  (git-fixes CVE-2021-46917 bsc#1220432).
- Update
  patches.suse/dmaengine-idxd-fix-wq-size-store-permission-state.patch
  (git-fixes CVE-2021-46919 bsc#1220414).
- Update
  patches.suse/drm-amd-display-Fix-off-by-one-in-hdmi_14_process_tr.patch
  (git-fixes CVE-2021-47046 bsc#1220758).
- Update patches.suse/drm-i915-Fix-crash-in-auto_retire.patch
  (git-fixes CVE-2021-46976 bsc#1220621).
- Update
  patches.suse/iommu-vt-d-remove-wo-permissions-on-second-level-paging-entries
  (bsc#1187346 CVE-2021-47035 bsc#1220688).
- Update
  patches.suse/ipmi-Fix-UAF-when-uninstall-ipmi_si-and-ipmi_msghand.patch
  (git-fixes CVE-2021-47100 bsc#1220985).
- Update
  patches.suse/ipmi-ssif-initialize-ssif_info-client-early.patch
  (git-fixes CVE-2021-47095 bsc#1220979).
- Update
  patches.suse/ixgbe-fix-unbalanced-device-enable-disable-in-suspen.patch
  (jsc#SLE-13706 CVE-2021-46914 bsc#1220465).
- Update patches.suse/net-dsa-mt7530-fix-VLAN-traffic-leaks.patch
  (git-fixes CVE-2021-47160 bsc#1221974).
- Update
  patches.suse/net-fec-fix-the-potential-memory-leak-in-fec_enet_in.patch
  (git-fixes CVE-2021-47150 bsc#1221973).
- Update
  patches.suse/net-lantiq-fix-memory-corruption-in-RX-ring.patch
  (git-fixes CVE-2021-47137 bsc#1221932).
- Update
  patches.suse/net-mlx5e-Fix-null-deref-accessing-lag-dev.patch
  (jsc#SLE-15172 CVE-2021-47164 bsc#1221978).
- Update
  patches.suse/net-mlx5e-Wrap-the-tx-reporter-dump-callback-to-extr.patch
  (jsc#SLE-15172 CVE-2021-46931 bsc#1220486).
- Update
  patches.suse/net-sched-act_ct-fix-wild-memory-access-when-clearin.patch
  (bsc#1176447 CVE-2021-47014 bsc#1220630).
- Update
  patches.suse/net-sched-fq_pie-fix-OOB-access-in-the-traffic-path.patch
  (jsc#SLE-15172 CVE-2021-47175 bsc#1222003).
- Update
  patches.suse/netfilter-nft_set_pipapo_avx2-Add-irq_fpu_usable-che.patch
  (bsc#1176447 CVE-2021-47174 bsc#1221990).
- Update patches.suse/nvmet-fix-freeing-unallocated-p2pmem.patch
  (git-fixes CVE-2021-47130 bsc#1221552).
- Update
  patches.suse/nvmet-rdma-Fix-NULL-deref-when-SEND-is-completed-wit.patch
  (git-fixes CVE-2021-46983 bsc#1220639).
- Update patches.suse/s390-dasd-add-missing-discipline-function
  (bsc#1188130 ltc#193581 CVE-2021-47176 bsc331221996
  bsc#1221996).
- Update
  patches.suse/s390-zcrypt-fix-zcard-and-zqueue-hot-unplug-memleak
  (git-fixes CVE-2021-46968 bsc#1220689).
- Update
  patches.suse/sched-fair-Fix-shift-out-of-bounds-in-load_balance.patch
  (git fixes (sched) CVE-2021-47044 bsc#1220759).
- Update
  patches.suse/spi-Fix-use-after-free-with-devm_spi_alloc_.patch
  (git-fixes CVE-2021-46959 bsc#1220734).
- Update patches.suse/tee-optee-Fix-incorrect-page-free-bug.patch
  (git-fixes CVE-2021-47087 bsc#1220954).
- Update
  patches.suse/usb-gadget-f_fs-Clear-ffs_eventfd-in-ffs_data_clear.patch
  (git-fixes CVE-2021-46933 bsc#1220487).
- Update
  patches.suse/usb-typec-ucsi-Retrieve-all-the-PDOs-instead-of-just.patch
  (git-fixes CVE-2021-46980 bsc#1220663).
- Update
  patches.suse/virtiofs-fix-memory-leak-in-virtio_fs_probe.patch
  (bsc#1185558 CVE-2021-46956 bsc#1220516).
- Update patches.suse/xprtrdma-Fix-cwnd-update-ordering.patch
  (git-fixes CVE-2021-47001 bsc#1220670).
- commit d6fc0df

- Update
  patches.suse/i2c-imx-fix-reference-leak-when-pm_runtime_get_sync-.patch
  (git-fixes CVE-2020-36781 bsc#1220557).
- commit c903cb8

- Update
  patches.suse/netfilter-nftables-exthdr-fix-4-byte-stack-OOB-write.patch
  (CVE-2023-4881 bsc#1215221 CVE-2023-52628 bsc#1222117).
- Update
  patches.suse/scsi-pm80xx-Avoid-leaking-tags-when-processing-OPC_INB_SET_CONTROLLER_CONFIG-command.patch
  (bsc#1220883 CVE-2023-52500).
- commit 81ec1ab

- scsi: pm80xx: Avoid leaking tags when processing
  OPC_INB_SET_CONTROLLER_CONFIG command (bsc#1220883
  cve-2023-52500).
- commit a52992b

- Fixup NULL ptr dereference due to mistake in backporting in
  patches.suse/ext2-Avoid-reading-renamed-directory-if-parent-does-.patch.
- commit f07130b

- bpf, sockmap: Prevent lock inversion deadlock in map delete elem
  (bsc#1209657 CVE-2023-0160).
- commit 299921b

- blacklist.conf: omit reverted sockmap deadlock fix
- commit 66facc4

- netfilter: nf_tables: disallow anonymous set with timeout flag
  (CVE-2024-26642 bsc#1221830).
- commit ca89796

- netfilter: ctnetlink: fix possible refcount leak in
  ctnetlink_create_conntrack() (CVE-2023-7192 bsc#1218479).
- commit c40a2c4

- README.BRANCH: Remove copy of branch name
- commit 27396e8

- README.BRANCH: Remove copy of branch name
- commit 757f48f

- Update
  patches.suse/net-zero-initialize-tc-skb-extension-on-allocation.patch
  (bsc#1176447 CVE-2021-47136 bsc#1221931).
- commit adea53b

- ipv6: init the accept_queue's spinlocks in inet6_create
  (bsc#1221293 CVE-2024-26614).
- commit 0cf80b2

- tcp: make sure init the accept_queue's spinlocks once
  (bsc#1221293 CVE-2024-26614).
- commit d27abbc

- userfaultfd: release page in error path to avoid BUG_ON
  (CVE-2021-46988 bsc#1220706).
- commit 37b27a1

- powerpc/mm: Fix null-pointer dereference in pgtable_cache_add
  (CVE-2023-52607 bsc#1221061).
- commit 37ce65f

- perf/core: Fix unconditional security_locked_down() call
  (bsc#1220697, CVE-2021-46971).
- commit b2c4fe7

- Update
  patches.suse/cifs-Fix-UAF-in-cifs_demultiplex_thread-.patch
  (bsc#1208995 CVE-2023-1192 CVE-2023-52572 bsc#1220946).
- Update
  patches.suse/nvmet-tcp-Fix-a-kernel-panic-when-host-sends-an-inva.patch
  (bsc#1217987 bsc#1217988 bsc#1217989 CVE-2023-6535 CVE-2023-6536
  CVE-2023-6356 CVE-2023-52454 bsc#1220320).
- Update
  patches.suse/ocfs2-Avoid-touching-renamed-directory-if-parent-doe.patch
  (bsc#1221044 CVE-2023-52591 CVE-2023-52590 bsc#1221088).
- Update
  patches.suse/ravb-Fix-use-after-free-issue-in-ravb_tx_timeout_wor.patch
  (bsc#1212514 CVE-2023-35827 CVE-2023-52509 bsc#1220836).
- Update
  patches.suse/usb-hub-Guard-against-accesses-to-uninitialized-BOS-.patch
  (git-fixes CVE-2023-52477 bsc#1220790).
- commit 807fa36

- Update patches.suse/0001-mmc-moxart_remove-Fix-UAF.patch
  (bsc#1194516 CVE-2022-0487 CVE-2022-48626 bsc#1220366).
- commit 32e1ae4

- Update
  patches.suse/0005-dm-rq-fix-double-free-of-blk_mq_tag_set-in-dev-remov.patch
  (git-fixes CVE-2021-46938 bsc#1220554).
- Update
  patches.suse/0005-drm-bridge-panel-Cleanup-connector-on-bridge-detach.patch
  (bsc#1152489 CVE-2021-47063 bsc#1220777).
- Update
  patches.suse/0006-nbd-Fix-NULL-pointer-in-flush_workqueue.patch
  (git-fixes CVE-2021-46981 bsc#1220611).
- Update
  patches.suse/ARM-9064-1-hw_breakpoint-Do-not-directly-check-the-event-s-overflow_handler-hook.patch
  (git-fixes CVE-2021-47006 bsc#1220751).
- Update
  patches.suse/ARM-footbridge-fix-PCI-interrupt-mapping.patch
  (git-fixes CVE-2021-46909 bsc#1220442).
- Update
  patches.suse/HID-magicmouse-fix-NULL-deref-on-disconnect.patch
  (git-fixes CVE-2021-47120 bsc#1221606).
- Update
  patches.suse/KVM-Destroy-I-O-bus-devices-on-unregister-failure-_a.patch
  (bsc#git-fixes CVE-2021-47061 bsc#1220745).
- Update
  patches.suse/NFC-nci-fix-memory-leak-in-nci_allocate_device.patch
  (git-fixes CVE-2021-47180 bsc#1221999).
- Update
  patches.suse/NFS-Don-t-corrupt-the-value-of-pg_bytes_written-in-n.patch
  (git-fixes CVE-2021-47166 bsc#1221998).
- Update
  patches.suse/NFS-Fix-an-Oopsable-condition-in-__nfs_pageio_add_re.patch
  (git-fixes CVE-2021-47167 bsc#1221991).
- Update
  patches.suse/NFS-fix-an-incorrect-limit-in-filelayout_decode_layo.patch
  (git-fixes CVE-2021-47168 bsc#1222002).
- Update
  patches.suse/NFSv4-Fix-a-NULL-pointer-dereference-in-pnfs_mark_ma.patch
  (git-fixes CVE-2021-47179 bsc#1222001).
- Update
  patches.suse/USB-usbfs-Don-t-WARN-about-excessively-large-memory-.patch
  (git-fixes CVE-2021-47170 bsc#1222004).
- Update
  patches.suse/bnxt_en-Fix-RX-consumer-index-logic-in-the-error-pat.patch
  (git-fixes CVE-2021-47015 bsc#1220794).
- Update
  patches.suse/btrfs-fix-race-between-transaction-aborts-and-fsyncs.patch
  (bsc#1186441 CVE-2021-46958 bsc#1220521).
- Update
  patches.suse/ceph-fix-inode-leak-on-getattr-error-in-_fh_to_dentry.patch
  (bsc#1186501 CVE-2021-47000 bsc#1220669).
- Update
  patches.suse/cifs-Return-correct-error-code-from-smb2_get_enc_key.patch
  (git-fixes CVE-2021-46960 bsc#1220528).
- Update
  patches.suse/crypto-qat-ADF_STATUS_PF_RUNNING-should-be-set-after.patch
  (git-fixes CVE-2021-47056 bsc#1220769).
- Update
  patches.suse/cxgb4-avoid-accessing-registers-when-clearing-filter.patch
  (git-fixes CVE-2021-47138 bsc#1221934).
- Update patches.suse/drm-amd-amdgpu-fix-refcount-leak.patch
  (git-fixes CVE-2021-47144 bsc#1221989).
- Update patches.suse/drm-amdgpu-Fix-a-use-after-free.patch
  (git-fixes CVE-2021-47142 bsc#1221952).
- Update
  patches.suse/drm-meson-fix-shutdown-crash-when-component-not-prob.patch
  (git-fixes CVE-2021-47165 bsc#1221965).
- Update
  patches.suse/ethernet-enic-Fix-a-use-after-free-bug-in-enic_hard_.patch
  (git-fixes CVE-2021-46998 bsc#1220625).
- Update
  patches.suse/ext4-fix-bug-on-in-ext4_es_cache_extent-as-ext4_spli.patch
  (bsc#1187408 CVE-2021-47117 bsc#1221575).
- Update
  patches.suse/ext4-fix-memory-leak-in-ext4_fill_super.patch
  (bsc#1187409 CVE-2021-47119 bsc#1221608).
- Update
  patches.suse/gve-Add-NULL-pointer-checks-when-freeing-irqs.patch
  (git-fixes CVE-2021-47141 bsc#1221949).
- Update
  patches.suse/i2c-i801-Don-t-generate-an-interrupt-on-bus-reset.patch
  (git-fixes CVE-2021-47153 bsc#1221969).
- Update
  patches.suse/i40e-Fix-use-after-free-in-i40e_client_subtask.patch
  (git-fixes CVE-2021-46991 bsc#1220575).
- Update
  patches.suse/iio-adc-ad7124-Fix-potential-overflow-due-to-non-seq.patch
  (git-fixes CVE-2021-47172 bsc#1221992).
- Update patches.suse/iommu-vt-d-fix-sysfs-leak-in-alloc_iommu
  (bsc#1189218 CVE-2021-47177 bsc#1221997).
- Update
  patches.suse/ipc-mqueue-msg-sem-Avoid-relying-on-a-stack-reference.patch
  (bsc#1185988 bsc1220826 CVE-2021-47069 bsc#1220826).
- Update
  patches.suse/kyber-fix-out-of-bounds-access-when-preempted.patch
  (bsc#1187403 CVE-2021-46984 bsc#1220631).
- Update
  patches.suse/locking-qrwlock-Fix-ordering-in-queued_write_lock_sl.patch
  (bsc#1185041 CVE-2021-46921 bsc#1220468).
- Update
  patches.suse/md-raid1-properly-indicate-failure-when-ending-a-fai.patch
  (bsc#1185680 CVE-2021-46950 bsc#1220662).
- Update
  patches.suse/media-staging-intel-ipu3-Fix-memory-leak-in-imu_fmt.patch
  (git-fixes CVE-2021-46944 bsc#1220566).
- Update
  patches.suse/media-staging-intel-ipu3-Fix-set_fmt-error-handling.patch
  (git-fixes CVE-2021-46943 bsc#1220583).
- Update
  patches.suse/misc-uss720-fix-memory-leak-in-uss720_probe.patch
  (git-fixes CVE-2021-47173 bsc#1221993).
- Update
  patches.suse/mmc-uniphier-sd-Fix-a-resource-leak-in-the-remove-fu.patch
  (git-fixes CVE-2021-46962 bsc#1220532).
- Update
  patches.suse/msft-hv-2305-Drivers-hv-vmbus-Use-after-free-in-__vmbus_open.patch
  (git-fixes CVE-2021-47049 bsc#1220692).
- Update
  patches.suse/msft-hv-2316-uio_hv_generic-Fix-a-memory-leak-in-error-handling-p.patch
  (git-fixes CVE-2021-47071 bsc#1220846).
- Update
  patches.suse/msft-hv-2317-uio_hv_generic-Fix-another-memory-leak-in-error-hand.patch
  (git-fixes CVE-2021-47070 bsc#1220829).
- Update
  patches.suse/mtd-require-write-permissions-for-locking-and-badblo.patch
  (git-fixes CVE-2021-47055 bsc#1220768).
- Update
  patches.suse/net-hns3-put-off-calling-register_netdev-until-clien.patch
  (bsc#1154353 CVE-2021-47139 bsc#1221935).
- Update
  patches.suse/net-nfc-fix-use-after-free-llcp_sock_bind-connect.patch
  (CVE-2021-23134 bsc#1186060 CVE-2021-47068 bsc#1220739).
- Update
  patches.suse/net-usb-fix-memory-leak-in-smsc75xx_bind.patch
  (git-fixes CVE-2021-47171 bsc#1221994).
- Update
  patches.suse/netfilter-nftables-avoid-overflows-in-nft_hash_bucke.patch
  (CVE-2021-47013 bsc#1220641 CVE-2021-46992 bsc#1220638).
- Update patches.suse/ocfs2-fix-data-corruption-by-fallocate.patch
  (bsc#1187412 CVE-2021-47114 bsc#1221548).
- Update
  patches.suse/pid-take-a-reference-when-initializing-cad_pid.patch
  (bsc#1152489 CVE-2021-47118 bsc#1221605).
- Update
  patches.suse/platform-x86-dell-smbios-wmi-Fix-oops-on-rmmod-dell_.patch
  (git-fixes CVE-2021-47073 bsc#1220850).
- Update
  patches.suse/powerpc-64s-Fix-crashes-when-toggling-entry-flush-ba.patch
  (bsc#1177666 git-fixes bsc#1186460 ltc#192531 CVE-2021-46990
  bsc#1220743).
- Update
  patches.suse/powerpc-64s-Fix-pte-update-for-kernel-memory-on-radi.patch
  (bsc#1055117 git-fixes CVE-2021-47034 bsc#1220687).
- Update
  patches.suse/regmap-set-debugfs_name-to-NULL-after-it-is-freed.patch
  (git-fixes CVE-2021-47058 bsc#1220779).
- Update
  patches.suse/rtw88-Fix-array-overrun-in-rtw_get_tx_power_params.patch
  (git-fixes CVE-2021-47065 bsc#1220749).
- Update
  patches.suse/scsi-lpfc-Fix-null-pointer-dereference-in-lpfc_prep_.patch
  (bsc#1182574 CVE-2021-47045 bsc#1220640).
- Update
  patches.suse/scsi-qedf-Add-pointer-checks-in-qedf_update_link_speed
  (git-fixes CVE-2021-47077 bsc#1220861).
- Update
  patches.suse/scsi-qla2xxx-Fix-crash-in-qla2xxx_mqueuecommand.patch
  (bsc#1185491 CVE-2021-46963 bsc#1220536).
- Update
  patches.suse/serial-rp2-use-request_firmware-instead-of-request_f.patch
  (git-fixes CVE-2021-47169 bsc#1222000).
- Update
  patches.suse/soundwire-stream-fix-memory-leak-in-stream-config-er.patch
  (git-fixes CVE-2021-47020 bsc#1220785).
- Update
  patches.suse/spi-fsl-lpspi-Fix-PM-reference-leak-in-lpspi_prepare.patch
  (git-fixes CVE-2021-47051 bsc#1220764).
- Update
  patches.suse/spi-spi-fsl-dspi-Fix-a-resource-leak-in-an-error-han.patch
  (git-fixes CVE-2021-47161 bsc#1221966).
- Update
  patches.suse/tpm-efi-Use-local-variable-for-calculating-final-log.patch
  (git-fixes CVE-2021-46951 bsc#1220615).
- Update
  patches.suse/tracing-Restructure-trace_clock_global-to-never-block.patch
  (git-fixes CVE-2021-46939 bsc#1220580).
- Update
  patches.suse/tun-avoid-double-free-in-tun_free_netdev.patch
  (bsc#1209635 CVE-2022-4744 CVE-2021-47082 bsc#1220969).
- Update
  patches.suse/x86-kvm-Disable-kvmclock-on-all-CPUs-on-shutdown.patch
  (bsc#1185308 CVE-2021-47110 bsc#1221532).
- Update
  patches.suse/x86-kvm-Teardown-PV-features-on-boot-CPU-as-well.patch
  (bsc#1185308 CVE-2021-47112 bsc#1221541).
- commit 563b877

- Update
  patches.suse/i2c-img-scb-fix-reference-leak-when-pm_runtime_get_s.patch
  (git-fixes CVE-2020-36783 bsc#1220561).
- Update
  patches.suse/i2c-imx-lpi2c-fix-reference-leak-when-pm_runtime_get.patch
  (git-fixes CVE-2020-36782 bsc#1220560).
- Update
  patches.suse/i2c-sprd-fix-reference-leak-when-pm_runtime_get_sync.patch
  (git-fixes CVE-2020-36780 bsc#1220556).
- commit 33b0d9d

- IB/hfi1: Fix bugs with non-PAGE_SIZE-end multi-iovec user SDMA requests (bsc#1220445 CVE-2023-52474)
- commit bdb2e0c

- Update patches.suse/s390-dasd-add-missing-discipline-function
  (bsc#1188130 ltc#193581 CVE-2021-47176 bsc331221996).
- commit d918596

- wifi: ath10k: fix NULL pointer dereference in
  ath10k_wmi_tlv_op_pull_mgmt_tx_compl_ev() (bsc#1218336
  CVE-2023-7042).
- commit 22d99d7

- dmaengine: fix NULL pointer in channel unregistration function (bsc#1221276 CVE-2023-52492)
- commit b24663f

- Bluetooth: rfcomm: Fix null-ptr-deref in rfcomm_check_security
  (bsc#1219170 CVE-2024-22099).
- commit b8c2f38

- aoe: fix the potential use-after-free problem in aoecmd_cfg_pkts
  (bsc#1218562 CVE-2023-6270).
- commit 0e87477

- fs: no need to check source (bsc#1221044 CVE-2023-52591).
- commit df2f811

- rename(): avoid a deadlock in the case of parents having no
  common ancestor (bsc#1221044 CVE-2023-52591).
- commit faa6432

- kill lock_two_inodes() (bsc#1221044 CVE-2023-52591).
- commit d6f6371

- rename(): fix the locking of subdirectories (bsc#1221044
  CVE-2023-52591).
- commit 063df0d

- f2fs: Avoid reading renamed directory if parent does not change
  (bsc#1221044 CVE-2023-52591).
- commit 4dfa62d

- ext4: don't access the source subdirectory content on
  same-directory rename (bsc#1221044 CVE-2023-52591).
- commit 80ff66b

- ext2: Avoid reading renamed directory if parent does not change
  (bsc#1221044 CVE-2023-52591).
- commit 03d3930

- udf_rename(): only access the child content on cross-directory
  rename (bsc#1221044 CVE-2023-52591).
- commit 4bff17c

- ocfs2: Avoid touching renamed directory if parent does not
  change (bsc#1221044 CVE-2023-52591).
- commit 74fc5ec

- reiserfs: Avoid touching renamed directory if parent does not
  change (git-fixes bsc#1221044 CVE-2023-52591).
  Refresh patches.suse/reiserfs-add-check-to-detect-corrupted-directory-entry.patch
  Refresh patches.suse/reiserfs-don-t-panic-on-bad-directory-entries.patch
- commit f392df9

- fs: don't assume arguments are non-NULL (bsc#1221044
  CVE-2023-52591).
- commit a11eadd

- fs: Restrict lock_two_nondirectories() to non-directory inodes
  (bsc#1221044 CVE-2023-52591).
- commit 6ad8632

- fs: ocfs2: check status values (bsc#1221044 CVE-2023-52591).
- commit 696c231

- fs: Lock moved directories (bsc#1221044 CVE-2023-52591).
- commit c14fbaa

- fs: Establish locking order for unrelated directories
  (bsc#1221044 CVE-2023-52591).
- commit b424ded

- fs: introduce lock_rename_child() helper (bsc#1221044
  CVE-2023-52591).
- commit 02e4cc0

- dm: rearrange core declarations for extended use from dm-zone.c
  (bsc#1221113).
- Refresh
  patches.kabi/kABI-dm-fix-deadlock-when-swapping-to-encrypted-device.patch.
- commit 741eac7

- perf/x86/lbr: Filter vsyscall addresses (bsc#1220703,
  CVE-2023-52476).
- commit c46d003

- dm rq: don't queue request to blk-mq during DM suspend
  (bsc#1221113).
- commit b77fc22

- neighbour: allow NUD_NOARP entries to be forced GCed
  (bsc#1221534 CVE-2021-47109).
- commit d36f6ec

- net/sched: Add module alias for sch_fq_pie (bsc#1210335 CVE-2023-1829).
- commit d985f7c

- net/sched: Remove alias of sch_clsact (bsc#1210335 CVE-2023-1829).
- net/sched: Load modules via their alias (bsc#1210335 CVE-2023-1829).
- net/sched: Add module aliases for cls_,sch_,act_ modules
  (bsc#1210335 CVE-2023-1829).
- net/sched: Add helper macros with module names (bsc#1210335 CVE-2023-1829).
- net/sched: Remove alias of sch_clsact (bsc#1210335 CVE-2023-1829).
- net/sched: Load modules via their alias (bsc#1210335 CVE-2023-1829).
- net/sched: Add module aliases for cls_,sch_,act_ modules
  (bsc#1210335 CVE-2023-1829).
- net/sched: Add helper macros with module names (bsc#1210335 CVE-2023-1829).
- commit 6a5afc3

- x86/mmio: Disable KVM mitigation when X86_FEATURE_CLEAR_CPU_BUF is set (bsc#1213456 CVE-2023-28746).
- commit 15a7f43

- Sort already upstream patches
- Refresh
  patches.suse/Documentation-hw-vuln-Add-documentation-for-RFDS.patch.
- Refresh
  patches.suse/KVM-VMX-Move-VERW-closer-to-VMentry-for-MDS-mitigation.patch.
- Refresh
  patches.suse/KVM-VMX-Use-BT-JNC-i.e.-EFLAGS.CF-to-select-VMRESUME-vs.-V.patch.
- Refresh
  patches.suse/KVM-x86-Export-RFDS_NO-and-RFDS_CLEAR-to-guests.patch.
- Refresh
  patches.suse/x86-bugs-Add-asm-helpers-for-executing-VERW.patch.
- Refresh
  patches.suse/x86-bugs-Use-ALTERNATIVE-instead-of-mds_user_clear-static-.patch.
- Refresh
  patches.suse/x86-entry_32-Add-VERW-just-before-userspace-transition.patch.
- Refresh
  patches.suse/x86-entry_64-Add-VERW-just-before-userspace-transition.patch.
- Refresh
  patches.suse/x86-rfds-Mitigate-Register-File-Data-Sampling-RFDS.patch.
- commit 851bcbe

- perf/core: Fix unconditional security_locked_down() call
  (bsc#1220697, CVE-2021-46971).
- commit 0b7f805

- io_uring/af_unix: disable sending io_uring over sockets
  (bsc#1220754 CVE-2023-6531).
- commit a0d28a2

- usb: mtu3: fix list_head check warning (bsc#1220484
  CVE-2021-46930).
- commit b548734

- Refresh patches.kabi/team-Hide-new-member-header-ops.patch.
  Fix for kABI workaround.
- commit ff68767

- ceph: fix deadlock or deadcode of misusing dget() (bsc#1221058
  CVE-2023-52583).
- commit 5c7a950

- usb: hub: Guard against accesses to uninitialized BOS
  descriptors (git-fixes).
  Altered because 5.3 does not do SSP
- commit 6d423f3

- Update
  patches.suse/scsi-qla2xxx-Fix-SRB-leak-on-switch-command-timeout.patch
  added CVE reference to: (jsc#SLE-9714 jsc#SLE-10327 jsc#SLE-10334
  bnc#1151927 5.3.17 cve-2021-46963).
- commit bac1eb3

- Update reference of bpf-Use-correct-permission-flag-for-mixed-signed-bou.patch
  (bsc#1184942 bsc#1220425 CVE-2021-29155 CVE-2021-46908).
- commit 787c408

- drm/radeon: check the alloc_workqueue return value in radeon_crtc_init() (bsc#1220413 CVE-2023-52470).
- commit d61356a

- drivers/amd/pm: fix a use-after-free in kv_parse_power_table (bsc#1220411 CVE-2023-52469).
- commit 10972e5

- irqchip/gic-v3: Do not enable irqs when handling spurious interrups (bsc#1220529,CVE-2021-46961)
- commit 83fe0b1

- group-source-files.pl: Quote filenames (boo#1221077).
  The kernel source now contains a file with a space in the name.
  Add quotes in group-source-files.pl to avoid splitting the filename.
  Also use -print0 / -0 when updating timestamps.
- commit a005e42

- phy: ti: phy-omap-usb2: Fix NULL pointer dereference for SRP (bsc#1220340,CVE-2024-26600)
- commit c4890bf

- mm: fix gup_pud_range (bsc#1220824).
- commit d0caaa5

- RDMA/rxe: Clear all QP fields if creation failed (bsc#1220863 CVE-2021-47078)
- commit 23bba26

- RDMA/rxe: Return CQE error if invalid lkey was supplied (bsc#1220860 CVE-2021-47076)
- commit 1171085

- ACPI: extlog: fix NULL pointer dereference check (bsc#1221039
  CVE-2023-52605).
- commit a37794c

- Update
  patches.suse/net-hso-fix-NULL-deref-on-disconnect-regression.patch
  (bsc#1220416 bsc#1220418 CVE-2021-46904 CVE-2021-46905).
  Added second CVE reference
- commit 6b7d257

- Update
  patches.suse/net-hso-fix-NULL-deref-on-disconnect-regression.patch
  (bsc#1220416 CVE-2021-46904).
- Update
  patches.suse/net-hso-fix-null-ptr-deref-during-tty-device-unregis.patch
  (bsc#1220416 CVE-2021-46904).
  Added CVE references
- commit ce2a61e

- kernel-binary: Fix i386 build
  Fixes: 89eaf4cdce05 ("rpm templates: Move macro definitions below buildrequires")
- commit f7c6351

- KVM: x86: Export RFDS_NO and RFDS_CLEAR to guests (bsc#1213456 CVE-2023-28746).
- commit d0c95ff

- x86/rfds: Mitigate Register File Data Sampling (RFDS) (bsc#1213456 CVE-2023-28746).
- commit 7725a96

- net: nfc: fix races in nfc_llcp_sock_get() and
  nfc_llcp_sock_get_sn() (CVE-2023-52502 bsc#1220831).
- commit 3983469

- btrfs: remove BUG() after failure to insert delayed dir index
  item (bsc#1220918 CVE-2023-52569).
- commit ff844fd

- btrfs: improve error message after failure to add delayed dir
  index item (bsc#1220918 CVE-2023-52569).
- commit f310611

- Documentation/hw-vuln: Add documentation for RFDS (bsc#1213456 CVE-2023-28746).
- commit bff3e02

- x86/srso: Add SRSO mitigation for Hygon processors (bsc#1220735
  CVE-2023-52482).
- commit 1f25b34

- KVM: s390: fix setting of fpc register (bsc#1221040
  CVE-2023-52597).
- commit 8155006

- vt: fix memory overlapping when deleting chars in the buffer
  (bsc#1220845 CVE-2022-48627).
- commit b8e8505

- kernel-binary: vdso: fix filelist for non-usrmerged kernel
  Fixes: a6ad8af207e6 ("rpm templates: Always define usrmerged")
- commit fb3f221

- kabi: team: Hide new member header_ops (bsc#1220870
  CVE-2023-52574).
- commit 04e32d4

- i2c: validate user data in compat ioctl (git-fixes bsc#1220469
  CVE-2021-46934).
- commit 554cd35

- ravb: Fix use-after-free issue in ravb_tx_timeout_work()
  (bsc#1212514 CVE-2023-35827).
- net: mana: Fix TX CQE error handling (bsc#1220932
  CVE-2023-52532).
- team: fix null-ptr-deref when team device type is changed
  (bsc#1220870 CVE-2023-52574).
- commit 5631a0c

- Update reference of bpf-Fix-masking-negation-logic-upon-negative-dst-reg.patch
  (bsc#1155518 bsc#1220700 CVE-2021-46974).
- commit 5f6c988

- wifi: mac80211: fix potential key use-after-free (CVE-2023-52530
  bsc#1220930).
- wifi: iwlwifi: mvm: Fix a memory corruption issue
  (CVE-2023-52531 bsc#1220931).
- commit 7072ac0

- pinctrl: mediatek: fix global-out-of-bounds issue
  (CVE-2021-47083 bsc#1220917).
- commit f54296c

- drm/bridge: sii902x: Fix probing race issue (bsc#1220736 CVE-2024-26607).
- commit 470c611

- KVM: Destroy target device if coalesced MMIO unregistration
  fails (git-fixes).
- commit c99d976

- KVM: mmio: Fix use-after-free Read in
  kvm_vm_ioctl_unregister_coalesced_mmio (git-fixes).
- commit f7f8d3b

- bpf: Reject variable offset alu on PTR_TO_FLOW_KEYS (bsc#1220255
  CVE-2024-26589).
- commit 84782c1

- PCI: endpoint: Fix NULL pointer dereference for ->get_features()
  (bsc#1220660 CVE-2021-47005).
- commit 4cda383

- tls: fix race between tx work scheduling and socket close
  (CVE-2024-26585 bsc#1220187).
- commit 7207999

- kabi: restore return type of dst_ops::gc() callback
  (CVE-2023-52340 bsc#1219295).
- ipv6: remove max_size check inline with ipv4 (CVE-2023-52340
  bsc#1219295).
- commit 077e12d

- netfilter: nf_tables: fix 64-bit load issue in
  nft_byteorder_eval() (CVE-2024-0607 bsc#1218915).
- netfilter: nf_tables: fix pointer math issue in
  nft_byteorder_eval() (CVE-2024-0607 bsc#1218915).
- commit b02bdeb

- netfilter: nf_tables: fix 64-bit load issue in
  nft_byteorder_eval() (CVE-2024-0607 bsc#1218915).
- netfilter: nf_tables: fix pointer math issue in
  nft_byteorder_eval() (CVE-2024-0607 bsc#1218915).
- commit 67cfeec

- Update patches.suse/sctp-use-call_rcu-to-free-endpoint.patch
  (CVE-2022-20154 CVE-2021-46929 bsc#1200599 bsc#1220482).
- commit 8d1b35f

- Update patches.suse/scsi-qla2xxx-Reserve-extra-IRQ-vectors.patch
  (bsc#1184436 bsc#1186286 bsc#1220538 CVE-2021-46964).
- commit e5c6db2

- KVM: Stop looking for coalesced MMIO zones if the bus is
  destroyed (bsc#1220742 CVE-2021-47060).
- commit 7287801

- netfilter: nft_set_pipapo: skip inactive elements during set
  walk (CVE-2023-6817 bsc#1218195).
- commit ba8530f

- tomoyo: fix UAF write bug in tomoyo_write_control() (bsc#1220825
  CVE-2024-26622).
- commit 6d24f8e

- Update
  patches.suse/s390-zcrypt-fix-zcard-and-zqueue-hot-unplug-memleak
  (git-fixes CVE-2021-46968).
- commit a63feba

- doc/README.SUSE: Update information about module support status
  (jsc#PED-5759)
  Following the code change in SLE15-SP6 to have externally supported
  modules no longer taint the kernel, update the respective documentation
  in README.SUSE:
  * Describe that support status can be obtained at runtime for each
  module from /sys/module/$MODULE/supported and for the entire system
  from /sys/kernel/supported. This provides a way how to now check that
  the kernel has any externally supported modules loaded.
  * Remove a mention that externally supported modules taint the kernel,
  but keep the information about bit 16 (X) and add a note that it is
  still tracked per module and can be read from
  /sys/module/$MODULE/taint. This per-module information also appears in
  Oopses.
- commit 9ed8107

- powerpc/pseries/memhp: Fix access beyond end of drmem array
  (bsc#1220250,CVE-2023-52451).
- commit 9865154

- Input: appletouch - initialize work before device registration
  (CVE-2021-46932 bsc#1220444).
- commit 8f106a8

- Update
  patches.suse/ipc-mqueue-msg-sem-Avoid-relying-on-a-stack-reference.patch
  (bsc#1185988, bsc1220826, CVE-2021-47069).
- commit f01183e

- Update References
  patches.suse/ACPI-GTDT-Don-t-corrupt-interrupt-mappings-on-watchd.patch
  (git-fixes bsc#1220599 CVE-2021-46953).
- commit 5b10499

- Update References
  patches.suse/ACPI-custom_method-fix-potential-use-after-free-issu.patch
  (git-fixes bsc#1220572 CVE-2021-46966).
- commit 8eecec3

- efivarfs: force RO when remounting if SetVariable is not
  supported (bsc#1220328 CVE-2023-52463).
- commit 0c76724

- RDMA/siw: Fix a use after free in siw_alloc_mr (bsc#1220627
  CVE-2021-47012).
- commit 96f4478

- mtd: Fix gluebi NULL pointer dereference caused by ftl notifier
  (bsc#1220238 CVE-2023-52449).
- commit d23e49b

- Input: powermate - fix use-after-free in
  powermate_config_complete (CVE-2023-52475 bsc#1220649).
- HID: logitech-hidpp: Fix kernel crash on receiver USB disconnect
  (CVE-2023-52478 bsc#1220796).
- commit 92ea315

- hfsplus: prevent corruption in shrinking truncate (bsc#1220737
  CVE-2021-46989).
- commit cc37c78

- Update patch reference for qcom bus fix (CVE-2021-47054 bsc#1220767)
- commit 024411a

- netfilter: nft_limit: avoid possible divide error in
  nft_limit_init (bsc#1220436 CVE-2021-46915).
- commit 291b0ff

- NFC: st21nfca: Fix memory leak in device probe and remove
  (CVE-2021-46924 bsc#1220459).
- commit 2b46faa

- Update patch reference for HID fix (CVE-2021-46906 bsc#1220421)
- commit 89e5504

- i2c: Fix a potential use after free (bsc#1220409
  CVE-2019-25162).
- commit 6421697

- i2c: cadence: fix reference leak when pm_runtime_get_sync fails
  (bsc#1220570 CVE-2020-36784).
- commit 5fa02fa

- KVM: Destroy I/O bus devices on unregister failure _after_
  sync'ing SRCU (bsc#git-fixes, CVE-2021-47061).
- commit b2a896d

- Update patch reference for media usb fix (CVE-2020-36777 bsc#1220526)
- commit f0fcd0d

- media: pvrusb2: fix use after free on context disconnection
  (CVE-2023-52445 bsc#1220241).
- commit 3f02f88

- nfc: nci: fix possible NULL pointer dereference in
  send_acknowledge() (bsc#1219125 CVE-2023-46343).
- commit 9371a32

- uio: Fix use-after-free in uio_open (bsc#1220140
  CVE-2023-52439).
- commit 758615f

- apparmor: avoid crash when parsed profile name is empty
  (CVE-2023-52443 bsc#1220240).
- commit 9d07817

- sched/membarrier: reduce the ability to hammer on sys_membarrier
  (git-fixes, bsc#1220398, CVE-2024-26602).
- commit b645222

- i2c: i801: Fix block process call transactions (bsc#1220009
  CVE-2024-26593).
- commit c348c97

- netfilter: nftables: avoid overflows in nft_hash_buckets()
  (CVE-2021-47013 bsc#1220641).
- commit f0d286e

- net:emac/emac-mac: Fix a use after free in emac_mac_tx_buf_send
  (CVE-2021-47013 bsc#1220641).
- commit 378bb67

- mlxsw: spectrum_acl_tcam: Fix stack corruption (bsc#1220243
  CVE-2024-26586).
- mlxsw: spectrum_acl_tcam: Fix NULL pointer dereference in
  error path (bsc#1220344 CVE-2024-26595).
- commit 76ed3a3

- EDAC/thunderx: Fix possible out-of-bounds string access (bsc#1220330)
- commit 5f2e003

- gfs2: Fix kernel NULL pointer dereference in gfs2_rgrp_dump
  (bsc#1220253 CVE-2023-52448).
- commit a731316

- rpm templates: Always define usrmerged
  usrmerged is now defined in kernel-spec-macros and not the distribution.
  Only check if it's defined in kernel-spec-macros, not everywhere where
  it's used.
- commit a6ad8af

- KVM: x86: work around QEMU issue with synthetic CPUID leaves (git-fixes).
- commit fda6073

- blacklist.conf: Blacklist a clang fix
- commit 6540830

- rpm templates: Move macro definitions below buildrequires
  Many of the rpm macros defined in the kernel packages depend directly or
  indirectly on script execution. OBS cannot execute scripts which means
  values of these macros cannot be used in tags that are required for OBS
  to see such as package name, buildrequires or buildarch.
  Accumulate macro definitions that are not directly expanded by mkspec
  below buildrequires and buildarch to make this distinction clear.
- commit 89eaf4c

- net: openvswitch: limit the number of recursions from action
  sets (bsc#1219835 CVE-2024-1151).
- commit 5a5045f

- rpm/check-for-config-changes: add GCC_ASM_GOTO_OUTPUT_WORKAROUND to IGNORED_CONFIGS_RE
  Introduced by commit 68fb3ca0e408 ("update workarounds for gcc "asm
  goto" issue").
- commit be1bdab

- compute-PATCHVERSION: Do not produce output when awk fails
  compute-PATCHVERSION uses awk to produce a shell script that is
  subsequently executed to update shell variables which are then printed
  as the patchversion.
  Some versions of awk, most notably bysybox-gawk do not understand the
  awk program and fail to run. This results in no script generated as
  output, and printing the initial values of the shell variables as
  the patchversion.
  When the awk program fails to run produce 'exit 1' as the shell script
  to run instead. That prevents printing the stale values, generates no
  output, and generates invalid rpm spec file down the line. Then the
  problem is flagged early and should be easier to diagnose.
- commit 8ef8383

- x86/cpu, kvm: Move X86_FEATURE_LFENCE_RDTSC to its native leaf (git-fixes).
- commit 6d2e676

- KVM: x86: Move open-coded CPUID leaf 0x80000021 EAX bit propagation  code (git-fixes).
- commit 1f3dbeb

- KVM: x86: synthesize CPUID leaf 0x80000021h if useful (git-fixes).
- commit 2581a0e

- KVM: x86: add support for CPUID leaf 0x80000021 (git-fixes).
- commit 79ab1f6

- x86/asm: Add _ASM_RIP() macro for x86-64 (%rip) suffix (git-fixes).
- commit 26d80bf

- KVM: VMX: Move VERW closer to VMentry for MDS mitigation (git-fixes).
- KVM: VMX: Use BT+JNC, i.e. EFLAGS.CF to select VMRESUME vs. VMLAUNCH (git-fixes).
- x86/bugs: Use ALTERNATIVE() instead of mds_user_clear static key (git-fixes).
  Also add the removed mds_user_clear symbol to kABI severities as it is
  exposed just for KVM module and is generally a core kernel component so
  removing it is low risk.
- x86/entry_32: Add VERW just before userspace transition (git-fixes).
- x86/entry_64: Add VERW just before userspace transition (git-fixes).
- x86/bugs: Add asm helpers for executing VERW (git-fixes).
- commit 8f33ff8

- mbcache: Fixup kABI of mb_cache_entry (bsc#1207653 bsc#1219915).
- commit 52b181f

- ext4: fix deadlock due to mbcache entry corruption
  (bsc#1207653 bsc#1219915).
- commit 14e0a9c

- net/rds: Fix UBSAN: array-index-out-of-bounds in rds_cmsg_recv
  (bsc#1219127 CVE-2024-23849).
- commit 75b4a5b

- cifs: fix missing unload_nls() in smb2_reconnect()
  (bsc#1213476).
- commit 7236d05

- cifs: fix status checks in cifs_tree_connect (bsc#1213476).
- commit a4a76da

- smb: client: fix null auth (bsc#1213476).
- commit 08d9d59

- kernel-binary: Move build script to the end
  All other spec templates have the build script at the end, only
  kernel-binary has it in the middle. Align with the other templates.
- commit 98cbdd0

- rpm templates: Aggregate subpackage descriptions
  While in some cases the package tags, description, scriptlets and
  filelist are located together in other cases they are all across the
  spec file. Aggregate the information related to a subpackage in one
  place.
- commit 8eeb08c

- rpm templates: sort rpm tags
  The rpm tags in kernel spec files are sorted at random.
  Make the order of rpm tags somewhat more consistent across rpm spec
  templates.
- commit 8875c35

- Update to add CVE-2024-23851 tag,
  patches.suse/dm-limit-the-number-of-targets-and-parameter-size-ar.patch
  (bsc#1219827, bsc#1219146, CVE-2023-52429, CVE-2024-23851).
- commit ef15d5e

- dm: limit the number of targets and parameter size area
  (bsc#1219827, bsc#1219146, CVE-2023-52429).
- commit 2431307

- vhost: use kzalloc() instead of kmalloc() followed by memset()
  (CVE-2024-0340, bsc#1218689).
- commit aa86ef0

- kernel-binary: certs: Avoid trailing space
- commit bc7dc31

- rpm/kernel-binary.spec.in: install scripts/gdb when enabled in config
  (bsc#1219653)
  They are put into -devel subpackage. And a proper link to
  /usr/share/gdb/auto-load/ is created.
- commit 1dccf2a

- Refresh
  patches.suse/cifs-Fix-UAF-in-cifs_demultiplex_thread-.patch.
  Add the upstream commit ID.
- commit d9857fd

- netfilter: nf_tables: reject QUEUE/DROP verdict parameters
  (CVE-2024-1086 bsc#1219434).
- commit 33a2cdd

- drm/amdgpu: Fix potential fence use-after-free v2 (bsc#1219128
  CVE-2023-51042).
- commit 2e8464f

- rpm/mkspec: sort entries in _multibuild
  Otherwise it creates unnecessary diffs when tar-up-ing. It's of course
  due to readdir() using "random" order as served by the underlying
  filesystem.
  See for example:
  https://build.opensuse.org/request/show/1144457/changes
- commit d1155de

- atm: Fix Use-After-Free in do_vcc_ioctl (CVE-2023-51780
  bsc#1218730).
- commit 6405c59

- xen-netback: don't produce zero-size SKB frags (CVE-2023-46838,
  XSA-448, bsc#1218836).
- commit 7d3a106

- ext4: fix kernel BUG in 'ext4_write_inline_data_end()'
  (CVE-2021-33631 bsc#1219412).
- commit 792d624

- kernel-source: Fix description typo
- commit 8abff35

- nvmet-tcp: Fix the H2C expected PDU len calculation
  (bsc#1217987 bsc#1217988 bsc#1217989 CVE-2023-6535 CVE-2023-6536
  CVE-2023-6356).
- nvmet-tcp: remove boilerplate code (bsc#1217987 bsc#1217988
  bsc#1217989 CVE-2023-6535 CVE-2023-6536 CVE-2023-6356).
- nvmet-tcp: fix a crash in nvmet_req_complete() (bsc#1217987
  bsc#1217988 bsc#1217989 CVE-2023-6535 CVE-2023-6536
  CVE-2023-6356).
- nvmet-tcp: Fix a kernel panic when host sends an invalid H2C
  PDU length (bsc#1217987 bsc#1217988 bsc#1217989 CVE-2023-6535
  CVE-2023-6536 CVE-2023-6356).
- commit e2033e6

- wifi: brcmfmac: Fix use-after-free bug in brcmf_cfg80211_detach
  (CVE-2023-47233 bsc#1216702).
- commit 6452010

- rpm/constraints.in: set jobs for riscv to 8
  The same workers are used for x86 and riscv and the riscv builds take
  ages. So align the riscv jobs count to x86.
- commit b2c82b9

- x86/entry/ia32: Ensure s32 is sign extended to s64 (bsc#1193285).
- commit 8395685

- net: sched: sch_qfq: Use non-work-conserving warning handler
  (CVE-2023-4921 bsc#1215275).
- commit aabd893

- mkspec: Use variant in constraints template
  Constraints are not applied consistently with kernel package variants.
  Add variant to the constraints template as appropriate, and expand it
  in mkspec.
- commit cc68ab9

- rpm/constraints.in: add static multibuild packages
  Commit 841012b049a5 (rpm/mkspec: use kernel-source: prefix for
  constraints on multibuild) added "kernel-source:" prefix to the
  dynamically generated kernels. But there are also static ones like
  kernel-docs. Those fail to build as the constraints are still not
  applied.
  So add the prefix also to the static ones.
  Note kernel-docs-rt is given kernel-source-rt prefix. I am not sure it
  will ever be multibuilt...
- commit c2e0681

- drm/atomic: Fix potential use-after-free in nonblocking commits
  (bsc#1219120 CVE-2023-51043).
- commit 1f381b4

- Revert "Limit kernel-source build to architectures for which the kernel binary"
  This reverts commit 08a9e44c00758b5f3f3b641830ab6affff041132.
  The fix for bsc#1108281 directly causes bsc#1218768, revert.
- commit 2943b8a

- mkspec: Include constraints for both multibuild and plain package always
  There is no need to check for multibuild flag, the constraints can be
  always generated for both cases.
- commit 308ea09

- rpm/mkspec: use kernel-source: prefix for constraints on multibuild
  Otherwise the constraints are not applied with multibuild enabled.
- commit 841012b

- rpm/kernel-source.rpmlintrc: add action-ebpf
  Upstream commit a79d8ba734bd (selftests: tc-testing: remove buildebpf
  plugin) added this precompiled binary blob. Adapt rpmlintrc for
  kernel-source.
- commit b5ccb33

- ext4: improve error recovery code paths in __ext4_remount()
  (bsc#1219053 CVE-2024-0775).
- commit f053871

- scripts/tar-up.sh: don't add spurious entry from kernel-sources.changes.old
  The previous change added the manual entry from kernel-sources.change.old
  to old_changelog.txt unnecessarily.  Let's fix it.
- commit fb033e8

- rpm/kernel-docs.spec.in: fix build with 6.8
  Since upstream commit f061c9f7d058 (Documentation: Document each netlink
  family), the build needs python yaml.
- commit 6a7ece3

- smb: client: fix OOB in receive_encrypted_standard()
  (bsc#1218832 CVE-2024-0565).
- commit 59d97af

- ida: Fix crash in ida_free when the bitmap is empty (bsc#1218804
  CVE-2023-6915).
- commit e0cf5bf

- netfilter: nf_tables: Reject tables of unsupported family
  (bsc#1218752 CVE-2023-6040).
- commit 9fd7b64

- net/rose: Fix Use-After-Free in rose_ioctl (CVE-2023-51782
  bsc#1218757).
- commit 1ba2d82

- powerpc/powernv: Add a null pointer check in opal_event_init()
  (bsc#1065729 CVE-2023-52686).
- commit 0f57a9b

- Store the old kernel changelog entries in kernel-docs package (bsc#1218713)
  The old entries are found in kernel-docs/old_changelog.txt in docdir.
  rpm/old_changelog.txt can be an optional file that stores the similar
  info like rpm/kernel-sources.changes.old.  It can specify the commit
  range that have been truncated.  scripts/tar-up.sh expands from the
  git log accordingly.
- commit c9a2566

- smb: client: fix potential OOB in smb2_dump_detail()
  (bsc#1217946 CVE-2023-6610).
- commit 838930f

- Limit kernel-source build to architectures for which the kernel binary
  is built (bsc#1108281).
- commit 08a9e44

- Bluetooth: af_bluetooth: Fix Use-After-Free in bt_sock_recvmsg
  (CVE-2023-51779 bsc#1218559).
- commit 10b8efc

- clocksource: Suspend the watchdog temporarily when high read
  latency detected (bsc#1218105).
- commit 683a4c2

- clocksource: Avoid accidental unstable marking of clocksources
  (bsc#1218105).
- commit 0d50b3e

- mkspec: Add multibuild support (JSC-SLE#5501, boo#1211226, bsc#1218184)
  When MULTIBUILD option in config.sh is enabled generate a _multibuild
  file listing all spec files.
- commit f734347

- Build in the correct KOTD repository with multibuild
  (JSC-SLE#5501, boo#1211226, bsc#1218184)
  With multibuild setting repository flags is no longer supported for
  individual spec files - see
  https://github.com/openSUSE/open-build-service/issues/3574
  Add ExclusiveArch conditional that depends on a macro set up by
  bs-upload-kernel instead. With that each package should build only in
  one repository - either standard or QA.
  Note: bs-upload-kernel does not interpret rpm conditionals, and only
  uses the first ExclusiveArch line to determine the architectures to
  enable.
- commit aa5424d

- Bluetooth: avoid memcmp() out of bounds warning (bsc#1215237
  CVE-2020-26555).
- Bluetooth: hci_event: Fix coding style (bsc#1215237
  CVE-2020-26555).
- Bluetooth: hci_event: Fix using memcmp when comparing keys
  (bsc#1215237 CVE-2020-26555).
- commit bb86106

- Bluetooth: Reject connection with the device which has same
  BD_ADDR (bsc#1215237 CVE-2020-26555).
- commit 360840a

- Bluetooth: hci_event: Ignore NULL link key (bsc#1215237
  CVE-2020-26555).
- commit 13b41ce

- perf: Fix perf_event_validate_size() lockdep splat
  (CVE-2023-6931 bsc#1218258).
- perf: Fix perf_event_validate_size() (CVE-2023-6931
  bsc#1218258).
- commit e551d3d

- smb: client: fix OOB in smbCalcSize() (bsc#1217947
  CVE-2023-6606).
- commit bba90ea

- ipv4: igmp: fix refcnt uaf issue when receiving igmp query
  packet (bsc#1218253 CVE-2023-6932).
- commit 1240db6

- io_uring: fix 32-bit compatability with sendmsg/recvmsg (bsc#1217709).
  This was originally blacklisted for no good reason.  Since now we have
  an actual bug report that breaks LTP, drop from blacklist and backport.
- commit 8a7380f

- efi/mokvar: Reserve the table only if it is in boot services
  data (bsc#1215375).
- commit 2c6d22d

- nvmet: nul-terminate the NQNs passed in the connect command
  (bsc#1217250 CVE-2023-6121).
- commit 3b11907

- kernel-source: Remove config-options.changes (jsc#PED-5021)
  The file doc/config-options.changes was used in the past to document
  kernel config changes. It was introduced in 2010 but haven't received
  any updates on any branch since 2015. The file is renamed by tar-up.sh
  to config-options.changes.txt and shipped in the kernel-source RPM
  package under /usr/share/doc. As its content now only contains outdated
  information, retaining it can lead to confusion for users encountering
  this file.
  Config changes are nowadays described in associated Git commit messages,
  which get automatically collected and are incorporated into changelogs
  of kernel RPM packages.
  Drop then this obsolete file, starting with its packaging logic.
  For branch maintainers: Upon merging this commit on your branch, please
  correspondingly delete the file doc/config-options.changes.
- commit adedbd2

- doc/README.SUSE: Simplify the list of references (jsc#PED-5021)
  Reduce indentation in the list of references, make the style consistent
  with README.md.
- commit 70e3c33

- doc/README.SUSE: Add how to update the config for module signing
  (jsc#PED-5021)
  Configuration files for SUSE kernels include settings to integrate with
  signing support provided by the Open Build Service. This creates
  problems if someone tries to use such a configuration file to build
  a "standalone" kernel as described in doc/README.SUSE:
  * Default configuration files available in the kernel-source repository
  unset CONFIG_MODULE_SIG_ALL to leave module signing to
  pesign-obs-integration. In case of a "standalone" build, this
  integration is not available and the modules don't get signed.
  * The kernel spec file overrides CONFIG_MODULE_SIG_KEY to
  ".kernel_signing_key.pem" which is a file populated by certificates
  provided by OBS but otherwise not available. The value ends up in
  /boot/config-$VERSION-$RELEASE-$FLAVOR and /proc/config.gz. If someone
  decides to use one of these files as their base configuration then the
  build fails with an error because the specified module signing key is
  missing.
  Add information on how to enable module signing and where to find the
  relevant upstream documentation.
- commit a699dc3

- doc/README.SUSE: Remove how to build modules using kernel-source
  (jsc#PED-5021)
  Remove the first method how to build kernel modules from the readme. It
  describes a process consisting of the kernel-source installation,
  configuring this kernel and then performing an ad-hoc module build.
  This method is not ideal as no modversion data is involved in the
  process. It results in a module with no symbol CRCs which can be wrongly
  loaded on an incompatible kernel.
  Removing the method also simplifies the readme because only two main
  methods how to build the modules are then described, either doing an
  ad-hoc build using kernel-devel, or creating a proper Kernel Module
  Package.
- commit 9285bb8
containerd
- Revert noarch for devel subpackage
  Switching to noarch causes issues on SLES maintenance updates, reverting it
  fixes our image builds

- Update to containerd v1.7.17. Upstream release notes:
  <https://github.com/containerd/containerd/releases/tag/v1.7.17>
- Switch back to using tar_scm service. Aside from obs_scm using more bandwidth
  and storage than a locally-compressed tar.xz, it seems there's some weird
  issue with paths in obscpio that break our SLE-12-only patch.
- Rebase patches:
  * 0001-BUILD-SLE12-revert-btrfs-depend-on-kernel-UAPI-inste.patch
- Update to containerd v1.7.16. Upstream release notes:
  <https://github.com/containerd/containerd/releases/tag/v1.7.16>
  CVE-2023-45288 bsc#1221400

- Use obs_scm service instead of tar_scm
- Removed patch 0002-shim-Create-pid-file-with-0644-permissions.patch
  (merged upstream at
  <https://github.com/containerd/containerd/pull/9571>)
- Update to containerd v1.7.15. Upstream release notes:
  <https://github.com/containerd/containerd/releases/tag/v1.7.15>
- Update to containerd v1.7.14. Upstream release notes:
  <https://github.com/containerd/containerd/releases/tag/v1.7.14>
- Update to containerd v1.7.13. Upstream release notes:
  <https://github.com/containerd/containerd/releases/tag/v1.7.13>
- Update to containerd v1.7.12. Upstream release notes:
  <https://github.com/containerd/containerd/releases/tag/v1.7.12>
- Update to containerd v1.7.11. Upstream release notes:
  <https://github.com/containerd/containerd/releases/tag/v1.7.11>
  GHSA-jq35-85cj-fj4p bsc#1224323

- Use %patch -P N instead of deprecated %patchN.

- Enable manpage generation
- Make devel package noarch
- adjust rpmlint filters

- Add patch for bsc#1217952:
  + 0002-shim-Create-pid-file-with-0644-permissions.patch

- Update to containerd v1.7.10. Upstream release notes:
  <https://github.com/containerd/containerd/releases/tag/v1.7.10>
- Rebase patches:
  * 0001-BUILD-SLE12-revert-btrfs-depend-on-kernel-UAPI-inste.patch
coreutils
- coreutils-ls-avoid-triggering-automounts.patch
  ls: avoid triggering automounts (bsc#1221632)
cpio
- Fix cpio not working after the fix in bsc#1218571, fixes bsc#1219238
  * fix-bsc1219238.patch

- Fix CVE-2023-7207, path traversal vulnerability (bsc#1218571)
  * fix-CVE-2023-7207.patch
samba
- Add "net offlinejoin composeodj" command; (bsc#1214076);
cups
- Require the exact matching version-release of all libcups*
  sub-packages (bsc#1226192)

- cups-2.2.7-CVE-2024-35235.patch is derived
  from the upstream patch against master (CUPS 2.5)
  to behave backward compatible for CUPS 2.2.7
  in SLE15 and openSUSE Leap 15 to fix CVE-2024-35235
  "cupsd Listen port arbitrary chmod 0140777"
  without the more secure but backward-incompatible behaviour
  of the upstream patch for CUPS 2.5
  that ignores domain sockets specified in 'Listen' entries
  in /etc/cups/cupsd.conf when cupsd is lauched via systemd
  (in particular when launched on-demand by systemd)
  https://github.com/OpenPrinting/cups/security/advisories/GHSA-vvwp-mv6j-hw6f
  bsc#1225365

- cups-2.2.7-web-ui-kerberos-authentication.patch, update
  patch to handle local 'Negotiate' authentication response
  for cli clients. (bsc#1223179).

- Remove '--enable-debug-printfs' from configure options, see
  https://github.com/OpenPrinting/cups/issues/875
  (bsc#1217119).
curl
- regression fix [bsc#1219273]
  https://github.com/curl/curl/commit/91b53efa4b6854dc3688f55bfb329b0cafcf5325
- added patches
  + curl-CVE-2023-27534-tilde-back.patch

- Security fix: [bsc#1221667, CVE-2024-2398]
  * curl: HTTP/2 push headers memory-leak
  * Add curl-CVE-2024-2398.patch

- Fix: libssh: Implement SFTP packet size limit (bsc#1216987)
  * Add curl-libssh_Implement_SFTP_packet_size_limit.patch
desktop-data-SLE
- Fix typo in the desktop files for some of the wallpapers
  (bsc#1222146).
docker
[NOTE: This update was only ever released in SLES and Leap.]
- Update to Docker 25.0.6-ce. See upstream changelog online at
  <https://docs.docker.com/engine/release-notes/25.0/#2506>
- This update includes a fix for CVE-2024-41110. bsc#1228324
- Rebase patches:
  * 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
  * 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
  * 0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch
  * 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
  * 0005-SLE12-revert-apparmor-remove-version-conditionals-fr.patch
  * 0006-bsc1221916-update-to-patched-buildkit-version-to-fix.patch
  * 0007-bsc1214855-volume-use-AtomicWriteFile-to-save-volume.patch

- Rebase patches:
  * 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
  * 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
  * 0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch
  * 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
  * 0005-SLE12-revert-apparmor-remove-version-conditionals-fr.patch
- Fix BuildKit's symlink resolution logic to correctly handle non-lexical
  symlinks. Backport of <https://github.com/moby/buildkit/pull/4896> and
  <https://github.com/moby/buildkit/pull/5060>. bsc#1221916
  + 0006-bsc1221916-update-to-patched-buildkit-version-to-fix.patch
- Write volume options atomically so sudden system crashes won't result in
  future Docker starts failing due to empty files. Backport of
  <https://github.com/moby/moby/pull/48034>. bsc#1214855
  + 0007-bsc1214855-volume-use-AtomicWriteFile-to-save-volume.patch

[NOTE: This update was only ever released in SLES and Leap.]
- Update to Docker 25.0.5-ce. See upstream changelog online at
  <https://docs.docker.com/engine/release-notes/25.0/#2505> bsc#1223409
- Rebase patches:
  * 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
  * 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
  * 0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch
  * 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
  * 0005-SLE12-revert-apparmor-remove-version-conditionals-fr.patch
  * cli-0001-docs-include-required-tools-in-source-tree.patch
- Remove upstreamed patches:
  - 0007-daemon-overlay2-remove-world-writable-permission-fro.patch
- Update --add-runtime to point to correct binary path.

[NOTE: This update was only ever released in SLES and Leap.]
- Add patch to fix bsc#1220339
  * 0007-daemon-overlay2-remove-world-writable-permission-fro.patch
- rebase patches:
  * 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
  * 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
  * 0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch
  * 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
  * 0005-SLE12-revert-apparmor-remove-version-conditionals-fr.patch
  * 0006-Vendor-in-latest-buildkit-v0.11-branch-including-CVE.patch

- Allow to disable apparmor support (ALP supports only SELinux)

- Update to Docker 25.0.3-ce. See upstream changelog online at
  <https://docs.docker.com/engine/release-notes/25.0/#2503>
- Fixes:
  * bsc#1219267 - CVE-2024-23651
  * bsc#1219268 - CVE-2024-23652
  * bsc#1219438 - CVE-2024-23653
- Rebase patches:
  * 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
  * 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
  * 0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch
  * 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
  * 0005-SLE12-revert-apparmor-remove-version-conditionals-fr.patch
  * cli-0001-docs-include-required-tools-in-source-tree.patch
- Remove upstreamed patches:
  - 0006-Vendor-in-latest-buildkit-v0.11-branch-including-CVE.patch

- Vendor latest buildkit v0.11:
  Add patch 0006-Vendor-in-latest-buildkit-v0.11-branch-including-CVE.patch that
  vendors in the latest v0.11 buildkit branch including bugfixes for the following:
  * bsc#1219438: CVE-2024-23653
  * bsc#1219268: CVE-2024-23652
  * bsc#1219267: CVE-2024-23651
- rebase patches:
  * 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
  * 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
  * 0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch
  * 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
  * 0005-SLE12-revert-apparmor-remove-version-conditionals-fr.patch
- switch from %patchN to %patch -PN syntax
- remove unused rpmlint filters and add filters to silence pointless bash & zsh
  completion warnings

- Update to Docker 24.0.7-ce. See upstream changelog online at
  <https://docs.docker.com/engine/release-notes/24.0/#2407>. bsc#1217513
  * Deny containers access to /sys/devices/virtual/powercap by default.
  - CVE-2020-8694 bsc#1170415
  - CVE-2020-8695 bsc#1170446
  - CVE-2020-12912 bsc#1178760
- Rebase patches:
  * 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
  * 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
  * 0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch
  * 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
  * 0005-SLE12-revert-apparmor-remove-version-conditionals-fr.patch
  * cli-0001-docs-include-required-tools-in-source-tree.patch

- Add a patch to fix apparmor on SLE-12, reverting the upstream removal of
  version-specific templating for the default apparmor profile. bsc#1213500
  + 0005-SLE12-revert-apparmor-remove-version-conditionals-fr.patch
- Rebase patches:
  * 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
  * 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
  * 0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch
  * 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch

- Update to Docker 24.0.6-ce. See upstream changelog online at
  <https://docs.docker.com/engine/release-notes/24.0/#2406>. bsc#1215323
- Rebase patches:
  * 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
  * 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
  * 0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch
  * 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
  * cli-0001-docs-include-required-tools-in-source-tree.patch
- Switch from disabledrun to manualrun in _service.
- Add a docker.socket unit file, but with socket activation effectively
  disabled to ensure that Docker will always run even if you start the socket
  individually. Users should probably just ignore this unit file. bsc#1210141
fence-agents
- L3: fence_vmware_rest : monitoring is not detecting problems accessing the fence device
  (bsc#1218718)
  o Add upstream patch:
    0001-fence_vmware_rest-monitoring-action-is-not-detecting.patch
gdk-pixbuf
- Add CVE-2022-48622.patch: ANI: Reject files with multiple anih
  chunks(bsc#1219276, CVE-2022-48622, glgo#GNOME/gdk-pixbuf#202).
glib2
- Add patches to fix CVE-2024-34397 (boo#1224044):
  glib2-allocate-SignalSubscriber-structs-individually.patch
  glib2-CVE-2024-34397.patch (glgo#GNOME/glib#3268).
  glib2-fix-ibus-regression.patch (glgo#GNOME/glib#3353)
glibc
- nscd-netgroup-cache-timeout.patch: Use time_t for return type of
  addgetnetgrentX (CVE-2024-33602, bsc#1223425)

- ulp-prologue-into-asm-functions.patch: Avoid creating ULP prologue
  for _start routine (bsc#1221940)

- glibc-CVE-2024-33599-nscd-Stack-based-buffer-overflow-in-n.patch:
  nscd: Stack-based buffer overflow in netgroup cache
  (CVE-2024-33599, bsc#1223423, BZ #31677)
- glibc-CVE-2024-33600-nscd-Avoid-null-pointer-crashes-after.patch:
  nscd: Avoid null pointer crashes after notfound response
  (CVE-2024-33600, bsc#1223424, BZ #31678)
- glibc-CVE-2024-33600-nscd-Do-not-send-missing-not-found-re.patch:
  nscd: Do not send missing not-found response in addgetnetgrentX
  (CVE-2024-33600, bsc#1223424, BZ #31678)
- glibc-CVE-2024-33601-CVE-2024-33602-nscd-netgroup-Use-two.patch:
  netgroup: Use two buffers in addgetnetgrentX (CVE-2024-33601,
  CVE-2024-33602, bsc#1223425, BZ #31680)

- iconv-iso-2022-cn-ext.patch: iconv: ISO-2022-CN-EXT: fix out-of-bound
  writes when writing escape sequence (CVE-2024-2961, bsc#1222992)

- duplocale-global-locale.patch: duplocale: protect use of global locale
  (bsc#1220441, BZ #23970)

- qsort-invalid-cmp.patch: qsort: handle degenerated compare function
  (bsc#1218866)

- getaddrinfo-eai-memory.patch: getaddrinfo: translate ENOMEM to
  EAI_MEMORY (bsc#1217589, BZ #31163)

- aarch64-rawmemchr-unwind.patch: aarch64: correct CFI in rawmemchr
  (bsc#1217445, BZ #31113)
gnutls
- Security fix: [bsc#1218865, CVE-2024-0553]
  * Incomplete fix for CVE-2023-5981.
  * The response times to malformed ciphertexts in RSA-PSK
    ClientKeyExchange differ from response times of ciphertexts
    with correct PKCS#1 v1.5 padding.
  * Add gnutls-CVE-2024-0553.patch

- Security fix: [bsc#1217277, CVE-2023-5981]
  * Fix timing side-channel inside RSA-PSK key exchange.
  * auth/rsa_psk: side-step potential side-channel
  * Add curl-CVE-2023-5981.patch
hawk2
- Update to version 2.6.4+git.1708604510.dc8c081f:
  * Enable ACL (bsc#1214396,bsc#1219548)

- Update to version 2.6.4+git.1702030539.5fb7d91b:
  * Enable HttpOnly secure flag by default (bsc#1216508)
  * Enforce CSRF in errors_controller.rb (bsc#1216571)
  * Fix mime type issue in MS windows (bsc#1215438)
  * Parametrize CORS Access-Control-Allow-Origin header (bsc#1213454)
  * Tests: upgrate tests for ruby3.2 (tumbleweed) (bsc#1215976)
  * Upgrade for ruby3.2 (tumbleweed) (bsc#1215976)
  * Forbid special symbols in the category (bsc#1206217)
  * Fix the sass-rails version on ~5.0 (bsc#1208533)
  * Don't delete the private key if the public key is missing (bsc#1207930)
  * make-sle155-compatible.patch . No bsc, it's for backwards compatibility.
krb5
- Fix vulnerabilities in GSS message token handling, add patch
  0013-Fix-vulnerabilities-in-GSS-message-token-handling.patch
  * CVE-2024-37370, bsc#1227186
  * CVE-2024-37371, bsc#1227187

- Fix memory leaks, add patch 0012-Fix-two-unlikely-memory-leaks.patch
  * CVE-2024-26458, bsc#1220770
  * CVE-2024-26461, bsc#1220771
resource-agents
- Azure-lb fails if IPv6 disabled (bsc#1223554)
  Add upstream patch:
    Add a new parameter: listen
    This parameter can have following walues:
    default: Neither -4 nor -6 will be used. The default behavior of socat and nc will be used.
    socat: Listen only on IPv4 addresses
    nc: If net.ipv6.bindv6only = 0 => Listen on both IPv4 and IP6 addresses
    If net.ipv6.bindv6only = 1 => Listen only on IPv4 addresses
    ipv4only: Listen only on IPv4 addresses.
    ipv6enable: Enable TCP6 support.
    nc: Listen only on IPv6 adresses independent of net.ipv6.bindv6only
    socat: If net.ipv6.bindv6only = 0 => Listen on both IPv4 and IP6 addresses.
    If net.ipv6.bindv6only = 1 => Listen only on IPv6 adresses.
  Add patch:
    0001-Azure-lb-fails-if-IPv6-disabled.patch

- resource-agents:azure-lb IPv6 support (bsc#1220997)
  Add patch:
    0001-Support-IPv6-with-Azure-load-balncer.patch
less
- Fix CVE-2024-32487, mishandling of \n character in paths when
  LESSOPEN is set leads to OS command execution
  (CVE-2024-32487, bsc#1222849)
  * CVE-2024-32487.patch

- Fix CVE-2022-48624, LESSCLOSE handling in less does not quote shell
  metacharacters, bsc#1219901
  * CVE-2022-48624.patch
gcc13
- Update to GCC 13.3 release

- Update to gcc-13 branch head, b7a2697733d19a093cbdd0e200, git8761
- Removed gcc13-pr111731.patch now included upstream

- Add gcc13-amdgcn-remove-fiji.patch removing Fiji support from
  the GCN offload compiler as that is requiring Code Object version 3
  which is no longer supported by llvm18.

- Add gcc13-pr101523.patch to avoid combine spending too much
  compile-time and memory doing nothing on s390x.  [boo#1188441]

- Make requirement to lld version specific to avoid requiring the
  meta-package.

- Add gcc13-pr111731.patch to fix unwinding for JIT code.
  [bsc#1221239]

- Revert libgccjit dependency change.  [boo#1220724]

- Fix libgccjit-devel dependency, a newer shared library is OK.
- Fix libgccjit dependency, the corresponding compiler isn't required.

- Use %patch -P N instead of %patchN.

- Add gcc13-sanitizer-remove-crypt-interception.patch to remove
  crypt and crypt_r interceptors.  The crypt API change in SLE15 SP3
  breaks them.  [bsc#1219520]

- Update to gcc-13 branch head, 67ac78caf31f7cb3202177e642, git8285
- Add gcc13-pr88345-min-func-alignment.diff to add support for
  - fmin-function-alignment.  [bsc#1214934]

- Use %{_target_cpu} to determine host and build.

- Update to gcc-13 branch head, fc7d87e0ffadca49bec29b2107, git8250
  * Includes fix for building TVM.  [boo#1218492]

- Add cross-X-newlib-devel requires to newlib cross compilers.
  [boo#1219031]

- Package m2rte.so plugin in the gcc13-m2 sub-package rather than
  in gcc13-devel.  [boo#1210959]
- Require libstdc++6-devel-gcc13 from gcc13-m2 as m2 programs
  are linked against libstdc++6.

- Update to gcc-13 branch head, 36ddb5230f56a30317630a928, git8205

- Update to gcc-13 branch head, 741743c028dc00f27b9c8b1d5, git8109
  * Includes fix for building mariadb on i686.  [bsc#1217667]
  * Remove pr111411.patch contained in the update.

- Avoid update-alternatives dependency for accelerator crosses.
- Package tool links to llvm in cross-amdgcn-gcc13 rather than in
  cross-amdgcn-newlib13-devel since that also has the dependence.
- Depend on llvmVER instead of llvm with VER equal to
  %product_libs_llvm_ver where available and adjust tool discovery
  accordingly.  This should also properly trigger re-builds when
  the patchlevel version of llvmVER changes, possibly changing
  the binary names we link to.  [bsc#1217450]
avahi
- Add avahi-CVE-2023-38472.patch: Fix reachable assertion in
  avahi_rdata_parse (bsc#1216853, CVE-2023-38472).

- Add avahi-CVE-2023-38471.patch: Extract host name using
  avahi_unescape_label (bsc#1216594, CVE-2023-38471).
- Add avahi-CVE-2023-38469.patch: Reject overly long TXT resource
  records (bsc#1216598, CVE-2023-38469).

- Add avahi-CVE-2023-38470.patch: Ensure each label is at least one
  byte long (bsc#1215947, CVE-2023-38470).

- Add avahi-CVE-2023-38473.patch: derive alternative host name from
  its unescaped version (bsc#1216419 CVE-2023-38473).
util-linux
- fix Xen virtualization type misidentification bsc#1215918
  lscpu-fix-parameter-order-for-ul_prefix_fopen.patch

- Properly neutralize escape sequences in wall
  (util-linux-CVE-2024-28085.patch, bsc#1221831, CVE-2024-28085,
  and its prerequisites: util-linux-fputs_careful1.patch,
  util-linux-wall-migrate-to-memstream.patch
  util-linux-fputs_careful2.patch).

- Add upstream patch
  util-linux-libuuid-avoid-truncate-clocks.txt-to-improve-perform.patch
  bsc#1207987 gh#util-linux/util-linux@1d98827edde4
c-ares
- CVE-2024-25629.patch: fix out of bounds read in ares__read_line()
  (bsc#1220279, CVE-2024-25629)
libxcrypt
- fix variable name for datamember in 'struct crypt_data' [bsc#1215496]
- added patches
  fix https://github.com/besser82/libxcrypt/commit/b212d601549a0fc84cbbcaf21b931f903787d7e2
  + libxcrypt-man-fix-variable-name.patch
libfastjson
- fix CVE-2020-12762 integer overflow and out-of-bounds write via a
  large JSON file (bsc#1171479)
  add 0001-Fix-CVE-2020-12762.patch
mozilla-nss
- Require `sed` for mozilla-nss-sysinit, as setup-nsssysinit.sh
  depends on it and will create a broken, empty config, if sed is
  missing (bsc#1227918)

- update to NSS 3.101.2
  * bmo#1905691 - ChaChaXor to return after the function

- Added nss-fips-safe-memset.patch, fixing bsc#1222811.
- Removed some dead code from nss-fips-constructor-self-tests.patch.
- Rebased nss-fips-approved-crypto-non-ec.patch on above changes.
- Added nss-fips-aes-gcm-restrict.patch, fixing bsc#1222830.
- Updated nss-fips-approved-crypto-non-ec.patch, fixing bsc#1222813,
  bsc#1222814, bsc#1222821, bsc#1222822, bsc#1224118.
- Updated nss-fips-approved-crypto-non-ec.patch and
  nss-fips-constructor-self-tests.patch, fixing bsc#1222807,
  bsc#1222828, bsc#1222834.
- Updated nss-fips-approved-crypto-non-ec.patch, fixing bsc#1222804,
  bsc#1222826, bsc#1222833, bsc#1224113, bsc#1224115, bsc#1224116.

- update to NSS 3.101.1
  * bmo#1901932 - missing sqlite header.
  * bmo#1901080 - GLOBALTRUST 2020: Set Distrust After for TLS and S/MIME.
- update to NSS 3.101
  * bmo#1900413 - add diagnostic assertions for SFTKObject refcount.
  * bmo#1899759 - freeing the slot in DeleteCertAndKey if authentication failed
  * bmo#1899883 - fix formatting issues.
  * bmo#1889671 - Add Firmaprofesional CA Root-A Web to NSS.
  * bmo#1899593 - remove invalid acvp fuzz test vectors.
  * bmo#1898830 - pad short P-384 and P-521 signatures gtests.
  * bmo#1898627 - remove unused FreeBL ECC code.
  * bmo#1898830 - pad short P-384 and P-521 signatures.
  * bmo#1898825 - be less strict about ECDSA private key length.
  * bmo#1854439 - Integrate HACL* P-521.
  * bmo#1854438 - Integrate HACL* P-384.
  * bmo#1898074 - memory leak in create_objects_from_handles.
  * bmo#1898858 - ensure all input is consumed in a few places in mozilla::pkix
  * bmo#1884444 - SMIME/CMS and PKCS #12 do not integrate with modern NSS policy
  * bmo#1748105 - clean up escape handling
  * bmo#1896353 - Use lib::pkix as default validator instead of the old-one
  * bmo#1827444 - Need to add high level support for PQ signing.
  * bmo#1548723 - Certificate Compression: changing the allocation/freeing of buffer + Improving the documentation
  * bmo#1884444 - SMIME/CMS and PKCS #12 do not integrate with modern NSS policy
  * bmo#1893404 - Allow for non-full length ecdsa signature when using softoken
  * bmo#1830415 - Modification of .taskcluster.yml due to mozlint indent defects
  * bmo#1793811 - Implement support for PBMAC1 in PKCS#12
  * bmo#1897487 - disable VLA warnings for fuzz builds.
  * bmo#1895032 - remove redundant AllocItem implementation.
  * bmo#1893334 - add PK11_ReadDistrustAfterAttribute.
  * bmo#215997  - Clang-formatting of SEC_GetMgfTypeByOidTag update
  * bmo#1895012 - Set SEC_ERROR_LIBRARY_FAILURE on self-test failure
  * bmo#1894572 - sftk_getParameters(): Fix fallback to default variable after error with configfile.
  * bmo#1830415 - Switch to the mozillareleases/image_builder image
- Follow upstream changes in nss-fips-constructor-self-tests.patch (switch from ec_field_GFp to ec_field_plain)
- Remove part of nss-fips-zeroization.patch that got removed upstream
- update to NSS 3.100
  - bmo#1893029 - merge pk11_kyberSlotList into pk11_ecSlotList for
    faster Xyber operations.
  - bmo#1893752 - remove ckcapi.
  - bmo#1893162 - avoid a potential PK11GenericObject memory leak.
  - bmo#671060  - Remove incomplete ESDH code.
  - bmo#215997  - Decrypt RSA OAEP encrypted messages.
  - bmo#1887996 - Fix certutil CRLDP URI code.
  - bmo#1890069 - Don't set CKA_DERIVE for CKK_EC_EDWARDS private keys.
  - bmo#676118  - Add ability to encrypt and decrypt CMS messages using ECDH.
  - bmo#676100  - Correct Templates for key agreement in smime/cmsasn.c.
  - bmo#1548723 - Moving the decodedCert allocation to NSS.
  - bmo#1885404 - Allow developers to speed up repeated local execution
    of NSS tests that depend on certificates.
- update to NSS 3.99
  * Removing check for message len in ed25519 (bmo#1325335)
  * add ed25519 to SECU_ecName2params. (bmo#1884276)
  * add EdDSA wycheproof tests. (bmo#1325335)
  * nss/lib layer code for EDDSA. (bmo#1325335)
  * Adding EdDSA implementation. (bmo#1325335)
  * Exporting Certificate Compression types (bmo#1881027)
  * Updating ACVP docker to rust 1.74 (bmo#1880857)
  * Updating HACL* to 0f136f28935822579c244f287e1d2a1908a7e552 (bmo#1325335)
  * Add NSS_CMSRecipient_IsSupported. (bmo#1877730)
- update to NSS 3.98
  * bmo#1780432 - (CVE-2023-5388) Timing attack against RSA decryption
    in TLS
  * bmo#1879513 - Certificate Compression: enabling the check that
    the compression was advertised
  * bmo#1831552 - Move Windows workers to nss-1/b-win2022-alpha
  * bmo#1879945 - Remove Email trust bit from OISTE WISeKey
    Global Root GC CA
  * bmo#1877344 - Replace `distutils.spawn.find_executable` with
    `shutil.which` within `mach` in `nss`
  * bmo#1548723 - Certificate Compression: Updating nss_bogo_shim to
    support Certificate compression
  * bmo#1548723 - TLS Certificate Compression (RFC 8879) Implementation
  * bmo#1875356 - Add valgrind annotations to freebl kyber operations
    for constant-time execution tests
  * bmo#1870673 - Set nssckbi version number to 2.66
  * bmo#1874017 - Add Telekom Security roots
  * bmo#1873095 - Add D-Trust 2022 S/MIME roots
  * bmo#1865450 - Remove expired Security Communication RootCA1 root
  * bmo#1876179 - move keys to a slot that supports concatenation in
    PK11_ConcatSymKeys
  * bmo#1876800 - remove unmaintained tls-interop tests
  * bmo#1874937 - bogo: add support for the -ipv6 and -shim-id shim
    flags
  * bmo#1874937 - bogo: add support for the -curves shim flag and
    update Kyber expectations
  * bmo#1874937 - bogo: adjust expectation for a key usage bit test
  * bmo#1757758 - mozpkix: add option to ignore invalid subject
    alternative names
  * bmo#1841029 - Fix selfserv not stripping `publicname:` from -X value
  * bmo#1876390 - take ownership of ecckilla shims
  * bmo#1874458 - add valgrind annotations to freebl/ec.c
  * bmo#864039  - PR_INADDR_ANY needs PR_htonl before assignment to inet.ip
  * bmo#1875965 - Update zlib to 1.3.1
- Use %patch -P N instead of deprecated %patchN.
- update to NSS 3.97
  * bmo#1875506 - make Xyber768d00 opt-in by policy
  * bmo#1871631 - add libssl support for xyber768d00
  * bmo#1871630 - add PK11_ConcatSymKeys
  * bmo#1775046 - add Kyber and a PKCS#11 KEM interface to softoken
  * bmo#1871152 - add a FreeBL API for Kyber
  * bmo#1826451 - part 2: vendor github.com/pq-crystals/kyber/commit/e0d1c6ff
  * bmo#1826451 - part 1: add a script for vendoring kyber from pq-crystals repo
  * bmo#1835828 - Removing the calls to RSA Blind from loader.*
  * bmo#1874111 - fix worker type for level3 mac tasks
  * bmo#1835828 - RSA Blind implementation
  * bmo#1869642 - Remove DSA selftests
  * bmo#1873296 - read KWP testvectors from JSON
  * bmo#1822450 - Backed out changeset dcb174139e4f
  * bmo#1822450 - Fix CKM_PBE_SHA1_DES2_EDE_CBC derivation
  * bmo#1871219 - Wrap CC shell commands in gyp expansions
- update to NSS 3.96.1
  * bmo#1869408 - Use pypi dependencies for MacOS worker in ./build_gyp.sh
  * bmo#1830978 - p7sign: add -a hash and -u certusage (also p7verify cleanups)
  * bmo#1867408 - add a defensive check for large ssl_DefSend return values
  * bmo#1869378 - Add dependency to the taskcluster script for Darwin
  * bmo#1869378 - Upgrade version of the MacOS worker for the CI
- add nss-allow-slow-tests-s390x.patch: "certutil dump keys with
  explicit default trust flags" test needs longer than the allowed
  6 seconds on s390x
- update to NSS 3.95
  * bmo#1842932 - Bump builtins version number.
  * bmo#1851044 - Remove Email trust bit from Autoridad de Certificacion
    Firmaprofesional CIF A62634068 root cert.
  * bmo#1855318 - Remove 4 DigiCert (Symantec/Verisign) Root Certificates
  * bmo#1851049 - Remove 3 TrustCor Root Certificates from NSS.
  * bmo#1850982 - Remove Camerfirma root certificates from NSS.
  * bmo#1842935 - Remove old Autoridad de Certificacion Firmaprofesional
    Certificate.
  * bmo#1860670 - Add four Commscope root certificates to NSS.
  * bmo#1850598 - Add TrustAsia Global Root CA G3 and G4 root certificates.
  * bmo#1863605 - Include P-384 and P-521 Scalar Validation from HACL*
  * bmo#1861728 - Include P-256 Scalar Validation from HACL*.
  * bmo#1861265 - After the HACL 256 ECC patch, NSS incorrectly encodes
    256 ECC without DER wrapping at the softoken level
  * bmo#1837987 - Add means to provide library parameters to C_Initialize
  * bmo#1573097 - clang format
  * bmo#1854795 - add OSXSAVE and XCR0 tests to AVX2 detection.
  * bmo#1858241 - Typo in ssl3_AppendHandshakeNumber
  * bmo#1858241 - Introducing input check of ssl3_AppendHandshakeNumber
  * bmo#1573097 - Fix Invalid casts in instance.c
- update to NSS 3.94
  * bmo#1853737 - Updated code and commit ID for HACL*
  * bmo#1840510 - update ACVP fuzzed test vector: refuzzed with
    current NSS
  * bmo#1827303 - Softoken C_ calls should use system FIPS setting
    to select NSC_ or FC_ variants
  * bmo#1774659 - NSS needs a database tool that can dump the low level
    representation of the database
  * bmo#1852179 - declare string literals using char in pkixnames_tests.cpp
  * bmo#1852179 - avoid implicit conversion for ByteString
  * bmo#1818766 - update rust version for acvp docker
  * bmo#1852011 - Moving the init function of the mpi_ints before
    clean-up in ec.c
  * bmo#1615555 - P-256 ECDH and ECDSA from HACL*
  * bmo#1840510 - Add ACVP test vectors to the repository
  * bmo#1849077 - Stop relying on std::basic_string<uint8_t>
  * bmo#1847845 - Transpose the PPC_ABI check from Makefile to gyp
- rebased patches
- added nss-fips-test.patch to fix broken test
- Update to NSS 3.93:
  * bmo#1849471 - Update zlib in NSS to 1.3.
  * bmo#1848183 - softoken: iterate hashUpdate calls for long inputs.
  * bmo#1813401 - regenerate NameConstraints test certificates (boo#1214980).
- Rebase nss-fips-pct-pubkeys.patch.
- update to NSS 3.92
  * bmo#1822935 - Set nssckbi version number to 2.62
  * bmo#1833270 - Add 4 Atos TrustedRoot Root CA certificates to NSS
  * bmo#1839992 - Add 4 SSL.com Root CA certificates
  * bmo#1840429 - Add Sectigo E46 and R46 Root CA certificates
  * bmo#1840437 - Add LAWtrust Root CA2 (4096)
  * bmo#1822936 - Remove E-Tugra Certification Authority root
  * bmo#1827224 - Remove Camerfirma Chambers of Commerce Root.
  * bmo#1840505 - Remove Hongkong Post Root CA 1
  * bmo#1842928 - Remove E-Tugra Global Root CA ECC v3 and RSA v3
  * bmo#1842937 - Avoid redefining BYTE_ORDER on hppa Linux
- update to NSS 3.91
  * bmo#1837431 - Implementation of the HW support check for ADX instruction
  * bmo#1836925 - Removing the support of Curve25519
  * bmo#1839795 - Fix comment about the addition of ticketSupportsEarlyData
  * bmo#1839327 - Adding args to enable-legacy-db build
  * bmo#1835357 - dbtests.sh failure in "certutil dump keys with explicit
    default trust flags"
  * bmo#1837617 - Initialize flags in slot structures
  * bmo#1835425 - Improve the length check of RSA input to avoid heap overflow
  * bmo#1829112 - Followup Fixes
  * bmo#1784253 - avoid processing unexpected inputs by checking for
    m_exptmod base sign
  * bmo#1826652 - add a limit check on order_k to avoid infinite loop
  * bmo#1834851 - Update HACL* to commit 5f6051d2
  * bmo#1753026 - add SHA3 to cryptohi and softoken
  * bmo#1753026 - HACL SHA3
  * bmo#1836781 - Disabling ASM C25519 for A but X86_64
- removed upstreamed patch nss-fix-bmo1836925.patch

- update to NSS 3.90.3
  * bmo#1901080 - GLOBALTRUST 2020: Set Distrust After for TLS and S/MIME.
  * bmo#1748105 - clean up escape handling.
  * bmo#1895032 - remove redundant AllocItem implementation.
  * bmo#1836925 - Disable ASM support for Curve25519.
  * bmo#1836781 - Disable ASM support for Curve25519 for all but X86_64.
- remove upstreamed nss-fix-bmo1836925.patch

- Adding nss-fips-bsc1223724.patch to fix startup crash of Firefox
  when using FIPS-mode (bsc#1223724).

- Added "Provides: nss" so other RPMs that require 'nss' can
  be installed (jira PED-6358).

- update to NSS 3.90.2
  * bmo#1780432 - (CVE-2023-5388) Timing attack against RSA
    decryption in TLS. (bsc#1216198)
  * bmo#1867408 - add a defensive check for large ssl_DefSend
    return values.

- update to NSS 3.90.1
  * bmo#1813401 - regenerate NameConstraints test certificates.
  * bmo#1854795 - add OSXSAVE and XCR0 tests to AVX2 detection.
- Remove nss-fix-bmo1813401.patch which is now upstream.

- Add nss-fix-bmo1813401.patch to fix bsc#1214980
libgudev
- Update to version 237:
  + Fix reading double precision floats from sysfs attributes in
    locales that use comma as a separator
  + Fix compilation warning
  + Fix headers to help with build reproducibility
  + Clarify licensing information
- Changes from version 236:
  + Fix meson project name to match autotools.
- Changes from version 235:
  + Port build system to meson and remove autotools
  + Fix conversion of sysfs attributes to boolean.
- Add meson BuildRequires and macros following upstreams port.
- Enable pkgconfig(umockdev-1.0) BuildRequires and test macro.
- Update Licence tag to LGPL-2.1-or-later.

- update to 234:
  * Clarify that _get_sysfs_attr() functions are cached
  * Add functions to get uncached sysfs attributes

- Update to version 233:
  + Require glib 2.38.
  + Small documentation updates.
  + Remove gnome-common build dependency.
- Use modern macros.

- Modernize spec-file by calling spec-cleaner
jbigkit
- security update
- added patches
  fix CVE-2022-1210 [bsc#1198146], Malicious file leads to a denial of service in TIFF File Handler
  + jbigkit-CVE-2022-1210.patch
ncurses
- Add patch ncurses-6.1-bsc1220061.patch (bsc#1220061, CVE-2023-45918)
  * Backport from ncurses-6.4-20230615.patch
    improve checks in convert_string() for corrupt terminfo entry

- Add patch bsc1218014-cve-2023-50495.patch
  * Fix CVE-2023-50495: segmentation fault via _nc_wrap_entry()
    (bsc#1218014)

- Add patch boo1201384.patch
  * Do not fully reset serial lines
nghttp2
- security update
- added patches
  fix CVE-2024-28182 [bsc#1221399], HTTP/2 CONTINUATION frames can be utilized for DoS attacks
  + nghttp2-CVE-2024-28182-1.patch
  fix CVE-2024-28182-2 [bsc#1221399], HTTP/2 CONTINUATION frames can be utilized for DoS attacks
  + nghttp2-CVE-2024-28182-2.patch
openssl-1_1
- Apply "openssl-CVE-2024-4741.patch" to fix a use-after-free
  security vulnerability. Calling the function SSL_free_buffers()
  potentially caused memory to be accessed that was previously
  freed in some situations and a malicious attacker could attempt
  to engineer a stituation where this occurs to facilitate a
  denial-of-service attack. [CVE-2024-4741, bsc#1225551]

- Security fix: [bsc#1222548, CVE-2024-2511]
  * Fix unconstrained session cache growth in TLSv1.3
  * Add openssl-CVE-2024-2511.patch

- Security fix: [bsc#1219243, CVE-2024-0727]
  * Add NULL checks where ContentInfo data can be NULL
  * Add openssl-CVE-2024-0727.patch
pacemaker
- tools: CIB clients retry signon upon an EAGAIN error (gh#ClusterLabs/pacemaker#3567, bsc#1224183)
  * bsc#1224183-0002-Fix-tools-CIB-clients-retry-signon-upon-an-EAGAIN-er.patch
- libcib: new function cib__signon_attempts() (gh#ClusterLabs/pacemaker#3567, bsc#1224183)
  * bsc#1224183-0001-Refactor-libcib-new-function-cib__signon_attempts.patch

- libcrmcommon: reject ISO 8601 duration without any values (gh#ClusterLabs/pacemaker#3517)
  * pacemaker#3517-0002-Low-libcrmcommon-reject-ISO-8601-duration-without-an.patch
- libstonithd: prevent to free 'op_reply' repeatedly in 'stonith_send_command' (gh#ClusterLabs/pacemaker#3517)
  * pacemaker#3517-0001-prevent-to-free-op_reply-repeatedly-in-stonith_send_.patch

- tools: make crm_mon exit upon loss of the attached pseudo-terminal (bsc#1220229, gh#ClusterLabs/pacemaker#3430)
  * bsc#1220229-0001-Fix-tools-make-crm_mon-exit-upon-loss-of-the-attache.patch

- libcib: Don't incorrectly expand "++" and "+=" in XML attr values (gh#ClusterLabs/pacemaker#3413)
  * pacemaker#3413-0003-Fix-libcib-Don-t-incorrectly-expand-and-in-XML-attr-.patch
- libpacemaker: pcmk__inject_failcount should set an integer value (gh#ClusterLabs/pacemaker#3413)
  * pacemaker#3413-0001-Low-libpacemaker-pcmk__inject_failcount-should-set-a.patch
- scheduler: log unknown nodes in location constraints (gh#ClusterLabs/pacemaker#3409, CLBZ#5415)
  * pacemaker#3409-0007-Log-scheduler-log-unknown-nodes-in-location-constrai.patch
- scheduler: correct lifetime deprecation warning (gh#ClusterLabs/pacemaker#3409)
  * pacemaker#3409-0006-Log-scheduler-correct-lifetime-deprecation-warning.patch
- tools: honor rules when getting utilization attributes with crm_resource (gh#ClusterLabs/pacemaker#3409)
  * pacemaker#3409-0005-Fix-tools-honor-rules-when-getting-utilization-attri.patch
- scheduler: deprecate support for default instance attributes (gh#ClusterLabs/pacemaker#3409)
  * pacemaker#3409-0004-Low-scheduler-deprecate-support-for-default-instance.patch
- scheduler: use default timeout (20s) if user configures 0 (gh#ClusterLabs/pacemaker#3409)
  * pacemaker#3409-0003-Fix-scheduler-use-default-timeout-20s-if-user-config.patch
- tools: crm_resource should ignore resource meta-attribute node expressions (gh#ClusterLabs/pacemaker#3409)
  * pacemaker#3409-0001-Fix-tools-crm_resource-should-ignore-resource-meta-a.patch

- fencer: always format time_t values as long long (gh#ClusterLabs/pacemaker#3407)
  * pacemaker#3407-0001-Log-fencer-always-format-time_t-values-as-long-long.patch

- libcrmcommon: NULL-check strdup() in pcmk__register_message() (gh#ClusterLabs/pacemaker#3394)
  * pacemaker#3394-0004-Low-libcrmcommon-NULL-check-strdup-in-pcmk__register.patch
- libcrmcommon: NULL-check strdup() in pcmk__register_format() (gh#ClusterLabs/pacemaker#3394)
  * pacemaker#3394-0003-Low-libcrmcommon-NULL-check-strdup-in-pcmk__register.patch
- libpacemaker: Correctly free graphs and synapses (gh#ClusterLabs/pacemaker#3394)
  * pacemaker#3394-0002-Low-libpacemaker-Correctly-free-graphs-and-synapses.patch
- libcrmcommon: Initialize some variables (gh#ClusterLabs/pacemaker#3394)
  * pacemaker#3394-0001-Low-libcrmcommon-Initialize-some-variables.patch
- HealthSMART:fix the description of temp_lower_limit (gh#ClusterLabs/pacemaker#3392)
  * pacemaker#3392-0001-Doc-HealthSMART-fix-the-description-of-temp_lower_li.patch

- cibsecret: Use 'ps axww' to avoid truncating issue (gh#ClusterLabs/pacemaker#3384)
  * pacemaker#3384-0001-Fix-cibsecret-Use-ps-axww-to-avoid-truncating-issue.patch

- libcrmcommon: Don't try to parse XML from bad .bz2 file (gh#ClusterLabs/pacemaker#3361)
  * pacemaker#3361-0001-Low-libcrmcommon-Don-t-try-to-parse-XML-from-bad-.bz.patch

- libcrmcommon: use uint32_t for 32-bit magic numbers (gh#ClusterLabs/pacemaker#3381)
  * pacemaker#3381-0001-Fix-libcrmcommon-use-uint32_t-for-32-bit-magic-numbe.patch

- libcrmcommon: Use free_xml in html_free_priv. (gh#ClusterLabs/pacemaker#3380)
  * pacemaker#3380-0003-Low-libcrmcommon-Use-free_xml-in-html_free_priv.patch
- libcrmcommon:  Free error strings in html/xml outputters. (gh#ClusterLabs/pacemaker#3380)
  * pacemaker#3380-0002-Low-libcrmcommon-Free-error-strings-in-html-xml-outp.patch
- libcrmcommon: Free text/curses private list data. (gh#ClusterLabs/pacemaker#3380)
  * pacemaker#3380-0001-Low-libcrmcommon-Free-text-curses-private-list-data.patch
- tools: Fix argument validation for crm_attribute update. (gh#ClusterLabs/pacemaker#3379)
  * pacemaker#3379-0001-Low-tools-Fix-argument-validation-for-crm_attribute-.patch

- libcrmcommon: Always output request= in XML output. (gh#ClusterLabs/pacemaker#3362)
  * pacemaker#3362-0001-Low-libcrmcommon-Always-output-request-in-XML-output.patch

- tools: Fix memory leak in crm_mon with HTML output (gh#ClusterLabs/pacemaker#3332)
  * pacemaker#3332-0001-Low-tools-Fix-memory-leak-in-crm_mon-with-HTML-outpu.patch

- attrd: write Pacemaker Remote node attributes even if not in cache (gh#ClusterLabs/pacemaker#3304)
  * pacemaker#3304-0001-Fix-attrd-write-Pacemaker-Remote-node-attributes-eve.patch
- agents: Use attrd_updater dampen delay in SysInfo (gh#ClusterLabs/pacemaker#3286)
  * pacemaker#3286-0002-Fix-agents-Use-attrd_updater-dampen-delay-in-SysInfo.patch
- libcrmcommon: Check correct env vars in pcmk__node_attr_target() (gh#ClusterLabs/pacemaker#3286)
  * pacemaker#3286-0001-Low-libcrmcommon-Check-correct-env-vars-in-pcmk__nod.patch

- scheduler: restore nvpair behavior without id-ref (gh#ClusterLabs/pacemaker#3292)
  * pacemaker#3292-0004-Low-scheduler-restore-nvpair-behavior-without-id-ref.patch
- libcrmcommon: fix NULL dereference in expand_idref() (gh#ClusterLabs/pacemaker#3292)
  * pacemaker#3292-0002-Low-libcrmcommon-fix-NULL-dereference-in-expand_idre.patch
- scheduler: improve logs for invalid id-ref's (gh#ClusterLabs/pacemaker#3292)
  * pacemaker#3292-0001-Log-scheduler-improve-logs-for-invalid-id-ref-s.patch
- pacemaker-attrd,libcrmcluster: avoid use-after-free when remote node in cluster node cache (gh#ClusterLabs/pacemaker#3293)
  * pacemaker#3293-0002-Fix-pacemaker-attrd-libcrmcluster-avoid-use-after-fr.patch
- libcrmcluster: avoid use-after-free in trace log (gh#ClusterLabs/pacemaker#3293)
  * pacemaker#3293-0001-Low-libcrmcluster-avoid-use-after-free-in-trace-log.patch
- HealthSmart: Check the parameter values of check_temperature to avoid error output (gh#ClusterLabs/pacemaker#3289)
  * pacemaker#3289-0001-Fix-HealthSmart-Check-the-parameter-values-of-check_.patch

- agents: handle dampening parameter consistently and correctly
  * 0001-Fix-agents-handle-dampening-parameter-consistently-a.patch

- crm_resource: make --wait wait for pending actions in CIB
  * 0001-Refactor-crm_resource-make-wait-wait-for-pending-act.patch

- agents: HealthCPU - fix the validation of input
  * 0001-fix-the-validation-of-input.patch

- libcrmcommon: wait for reply from appropriate controller commands (bsc#1218312, rh#2225631, rh#2221084)
  * bsc#1218312-0001-Fix-libcrmcommon-wait-for-reply-from-appropriate-con.patch
polkit
- Change permissions for rules folders (bsc#1209282)
procps
- Submit latest procps 3.3.17 to SLE-15 tree for jira#PED-3244
  and jira#PED-6369
- The patches now upstream had been dropped meanwhile
  * procps-vmstat-1b9ea611.patch (bsc#1185417)
  - For support up to 2048 CPU as well
  * bsc1209122-a6c0795d.patch (bnc#1209122)
  - allow `-´ as leading character to ignore possible errors
    on systctl entries
  * patch procps-ng-3.3.9-bsc1121753-Cpus.patch (bsc#1121753)
  - was a backport of an upstream fix to get the first CPU
    summary correct
- Enable pidof for SLE-15 as this is provided by sysvinit-tools
- Use a check on syscall __NR_pidfd_open to decide if
  the pwait tool and its manual page will be build

- Modify patches
  * procps-ng-3.3.9-w-notruncate.diff
  * procps-ng-3.3.17-logind.patch
  to real to not truncate output of w with option -n

- procps-ng-3.3.17-logind.patch: Backport from 4.x git, prefer
  logind over utmp (jsc#PED-3144)
python3
- Add CVE-2024-4032-private-IP-addrs.patch to fix bsc#1226448
  (CVE-2024-4032) rearranging definition of private v global IP
  addresses.

- Add CVE-2024-0397-memrace_ssl.SSLContext_cert_store.patch
  fixing bsc#1226447 (CVE-2024-0397) by removing memory race
  condition in ssl.SSLContext certificate store methods.

- Add bpo38361-syslog-no-slash-ident.patch (bsc#1222109,
  gh#python/cpython!16557) fixes syslog making default "ident"
  from sys.argv[0].
- Update CVE-2023-52425-libexpat-2.6.0-backport.patch so that
  it uses features sniffing, not just comparing version number
  (bsc#1220664, bsc#1219559, bsc#1221563, bsc#1222075).
- Remove support-expat-CVE-2022-25236-patched.patch, which was
  the previous name of this patch.
- Add CVE-2023-52425-remove-reparse_deferral-tests.patch skipping
  failing tests.
- Refresh patches:
  - CVE-2023-27043-email-parsing-errors.patch
  - fix_configure_rst.patch
  - skip_if_buildbot-extend.patch

- bsc#1221854 (CVE-2024-0450) Add
  CVE-2024-0450-zipfile-avoid-quoted-overlap-zipbomb.patch
  detecting the vulnerability of the "quoted-overlap" zipbomb
  (from gh#python/cpython!110016).
- Add bh42369-thread-safety-zipfile-SharedFile.patch (from
  gh#python/cpython!26974) required by the previous patch.
- Add expat-260-test_xml_etree-reparse-deferral.patch to make the
  interpreter work with patched libexpat in our distros.
- Move all patches from locally sourced to the branch
  opensuse-3.6 branch at GitHub repo, and move all metadata to
  commits themselves (readable in the headers of each patch).
- Add bpo-41675-modernize-siginterrupt.patch to make Python build
  cleanly even on more recent SPs of SLE-15
  (gh#python/cpython#85841).
- Remove patches:
  - bpo36263-Fix_hashlib_scrypt.patch - fix against bug in
    OpenSSL fixed in 1.1.1c (gh#openssl/openssl!8483), so this
    patch is redundant on all SUSE-supported distros
  - python-3.3.0b1-test-posix_fadvise.patch - protection
    against the kernel issues which has been fixed in
    gh#torvalds/linux@3d3727cdb07f, which has been included in
    all our kernels more recent than SLE-11.
  - python-3.3.3-skip-distutils-test_sysconfig_module.patch -
    skips a test, which should be relevant only for testing on
    Mac OS X systems with universal builds. I have no valid
    record, that this test would be ever problematic on Linux.
  - bpo-36576-skip_tests_for_OpenSSL-111.patch, which was
    included already in Python 3.5.

- (bsc#1219666, CVE-2023-6597) Add
  CVE-2023-6597-TempDir-cleaning-symlink.patch (patch from
  gh#python/cpython!99930) fixing symlink bug in cleanup of
  tempfile.TemporaryDirectory.
- Merge together bpo-36576-skip_tests_for_OpenSSL-111.patch into
  skip_SSL_tests.patch, and make them include all conditionals.

- Refresh CVE-2023-27043-email-parsing-errors.patch to
  gh#python/cpython!111116, fixing bsc#1210638 (CVE-2023-27043).
libqb
- ipc: Retry receiving credentials if the the message is short (gh#ClusterLabs/libqb#476, rh#2111711, bsc#1224183)
  * bsc#1224183-0001-ipc-Retry-receiving-credentials-if-the-the-message-i.patch
qrencode
- update to 4.1.1 (jsc#PED-7296):
  * Some minor bugs in Micro QR Code generation have been fixed.
  * The data capacity calculations are now correct. These bugs probably did not
    affect the Micro QR Code generation.

- update to 4.1.0:
  * Command line tool "qrencode" has been improved:
  * New option "--inline" has been added. (Thanks to @jp-bennett)
  * New option "--strict-version" has been added.
  * UTF8 mode now supports ANSI256 color. (Thanks to András Veres-
    Szentkirályi)
  * Micro QR Code no longer requires to specify the version number.
  * 'make check' allows to run the test programs. (Thanks to Jan Tojnar)
  * Some compile time warnings have been fixed.
  * Various CMake support improvements. (Thanks to @mgorny and @sdf5)
  * Some minor bug fixes. (Thanks to Lonnie Abelbeck and Frédéric Wang)
  * Some documentation/manpage improvements. (Thanks to Dan Jacobson)
  * Some performance improvements. (Thanks to @4061N and Mika Lindqvist)
- remove qrencode-fix-installation.patch (upstream)

- Update to version 4.0.2
  * Build script fixes. (Thanks to @mgorny)
  version 4.0.1
  * CMake support improved.
  * New test scripts have been added.
  * Some compile time warnings have been fixed.
- Refreshed qrencode-fix-installation.patch
libsolv
- add a conflict to older libsolv-tools to libsolv-tools-base

- improve updating of installed multiversion packages
- fix decision introspection going into an endless loop in some
  cases
- added experimental lua bindings
- bump version to 0.7.29

- split libsolv-tools into libsolv-tools-base [jsc#PED-8153]

- build for multiple python versions [jsc#PED-6218]
- bump version to 0.7.28

- add zstd support for the installcheck tool
- add putinowndirpool cache to make file list handling in
  repo_write much faster
- bump version to 0.7.27

- fix evr roundtrip in testcases
- do not use deprecated headerUnload with newer rpm versions
- bump version to 0.7.26

- support complex deps in SOLVABLE_PREREQ_IGNOREINST
- fix minimization not prefering installed packages in some cases
- reduce memory usage in repo_updateinfoxml
- fix lock-step interfering with architecture selection
- fix choice rule handing for package downgrades
- fix complex dependencies with an "else" part sometimes leading
  to unsolved dependencies
- bump version to 0.7.25
libssh
- Fix regression parsing IPv6 addresses provided as hostname (bsc#1227396)
  - added libssh-fix-ipv6-hostname-regression.patch

- Update to 0.9.8: [jsc#PED-7719, bsc#1218126, CVE-2023-48795]
  * Rebase 0001-disable-timeout-test-on-slow-buildsystems.patch
  * Remove patches fixed in the update:
  - CVE-2019-14889.patch
  - 0001-CVE-2020-1730-Fix-a-possible-segfault-when-zeroing-A.patch

- Update to version 0.9.8
  * Fix CVE-2023-6004: Command injection using proxycommand (bsc#1218209)
  * Fix CVE-2023-48795: Potential downgrade attack using strict kex (bsc#1218126)
  * Fix CVE-2023-6918: Missing checks for return values of MD functions (bsc#1218186)
  * Allow @ in usernames when parsing from URI composes
- Update to version 0.9.7
  * Fix CVE-2023-1667: a NULL dereference during rekeying with algorithm
    guessing (bsc#1211188)
  * Fix CVE-2023-2283: a possible authorization bypass in
    pki_verify_data_signature under low-memory conditions (bsc#1211190)
  * Fix several memory leaks in GSSAPI handling code

- Update to version 0.9.6 (bsc#1189608, CVE-2021-3634)
  * https://git.libssh.org/projects/libssh.git/tag/?h=libssh-0.9.6

- Add missing BR for openssh needed for tests

- update to 0.9.5 (bsc#1174713, CVE-2020-16135):
  * CVE-2020-16135: Avoid null pointer dereference in sftpserver (T232)
  * Improve handling of library initialization (T222)
  * Fix parsing of subsecond times in SFTP (T219)
  * Make the documentation reproducible
  * Remove deprecated API usage in OpenSSL
  * Fix regression of ssh_channel_poll_timeout() returning SSH_AGAIN
  * Define version in one place (T226)
  * Prevent invalid free when using different C runtimes than OpenSSL (T229)
  * Compatibility improvements to testsuite

- Update to version 0.9.4
  * https://www.libssh.org/2020/04/09/libssh-0-9-4-and-libssh-0-8-9-security-release/
  * Fix possible Denial of Service attack when using AES-CTR-ciphers
    CVE-2020-1730 (bsc#1168699)
libssh2_org
- Fix an issue with Encrypt-then-MAC family. [bsc#1221622]
  * Test the ETM feature in the remote end's configuration when
    receiving data. Upstream issue: #1331.
  * Add libssh2_org-ETM-remote.patch

- Always add the KEX pseudo-methods "ext-info-c" and "kex-strict-c-v00@openssh.com"
  when configuring custom method list. [bsc#1218971, CVE-2023-48795]
  * The strict-kex extension is announced in the list of available
    KEX methods. However, when the default KEX method list is modified
    or replaced, the extension is not added back automatically.
  * Add libssh2_org-CVE-2023-48795-ext.patch

- Security fix: [bsc#1218127, CVE-2023-48795]
  * Add 'strict KEX' to fix CVE-2023-48795 "Terrapin Attack"
  * Add libssh2_org-CVE-2023-48795.patch
suseconnect-ng
- Update version to 1.11
  - Added uname as collector
  - Added SAP workload detection
  - Added detection of container runtimes
  - Multiple fixes on ARM64 detection
  - Use `read_values` for the CPU collector on Z
  - Fixed data collection for ppc64le
  - Grab the home directory from /etc/passwd if needed (bsc#1226128)

- Update version to 1.10.0
  * Build zypper-migration and zypper-packages-search as standalone
    binaries rather then one single binary
  * Add --gpg-auto-import-keys flag before action in zypper command (bsc#1219004)
  * Include /etc/products.d in directories whose content are backed
    up and restored if a zypper-migration rollback happens. (bsc#1219004)
  * Add the ability to upload the system uptime logs, produced by the
    suse-uptime-tracker daemon, to SCC/RMT as part of keepalive report.
    (jsc#PED-7982) (jsc#PED-8018)
  * Add support for third party packages in SUSEConnect
  * Refactor existing system information collection implementation

- Update to version 1.9.0
  * Fix certificate import for Yast when using a registration proxy with
    self-signed SSL certificate (bsc#1223107)

- Update to version 1.8.0
  * Allow "--rollback" flag to run on readonly filesystem (bsc#1220679)

- Update to version 1.7.0
  * Allow SUSEConnect on read write transactional systems (bsc#1219425)

- Update to version 1.6.0
  * Disable EULA display for addons (bsc#1218649 and bsc#1217961)

- Update to version 1.5.0
  * Configure docker credentials for registry authentication
  * Feature: Support usage from Agama + Cockpit for ALP Micro system registration (bsc#1218364)
  * Add --json output option
tiff
- security update:
  * CVE-2023-3164 [bsc#1212233]
    Fix heap buffer overflow in tiffcrop
    + tiff-CVE-2023-3164.patch

- security update:
  * CVE-2023-40745[bsc#1214687] CVE-2023-41175[bsc#1214686] [bsc#1221187]
    CVE-2023-38288[bsc#1213590]
    Fix potential int overflow in raw2tiff.c and tiffcp.c
    Rename tiff-CVE-2023-38288.patch into
    tiff-CVE-2023-38288,CVE-2023-40745,CVE-2023-41175.patch

- security update:
  * CVE-2023-52356 [bsc#1219213]
    Fix segfault in TIFFReadRGBATileExt()
    + tiff-CVE-2023-52356.patch

- security update:
  * CVE-2023-2731 [bsc#1211478]
    Fix null pointer deference in LZWDecode()
    This patch also contains a required commit which is marked
    to fix CVE-2022-1622 [bsc#1199483] but we are not vulnerable
    to that CVE because relevant code is not present.
    + tiff-CVE-2023-2731.patch
  * CVE-2023-26965 [bsc#1212398]
    Fix heap-based use after free in loadImage()
    + tiff-CVE-2023-26965.patch
  * CVE-2022-40090 [bsc#1214680]
    Fix infinite loop in TIFFReadDirectory()
    + tiff-CVE-2022-40090.patch
  * CVE-2023-1916 [bsc#1210231]
    Fix out-of-bounds read in extractImageSection()
    + tiff-CVE-2023-1916.patch
libvirt
- CVE-2024-2494: remote: check for negative array lengths before
  allocation
  8a3f8d95-CVE-2024-2494.patch, 1b8c1ce7-adapt-libssh2-api.patch
  bsc#1221815
libxml2
- Security fix (CVE-2024-34459, bsc#1224282) buffer over-read in
  xmlHTMLPrintFileContext in xmllint.c
  * Added libxml2-CVE-2024-34459.patch

- Security fix (CVE-2024-25062, bsc#1219576) use-after-free in XMLReader
  * Added libxml2-CVE-2024-25062.patch
libzypp
- zypp-tui: Make sure translated texts use the correct textdomain
  (fixes #551)
- Skip libproxy1 requires for tumbleweed.
- version 17.34.1 (34)

- don't require libproxy1 on tumbleweed, it is optional now

- version 17.34.0 (34)
- Fix versioning scheme

- version 17.33.4 (35)

- add one more missing export for libyui-qt-pkg

- Revert eintrSafeCall behavior to setting errno to 0.
- version 17.33.3 (34)

- fix up requires_eq usage for libsolv-tools-base
- add one more missing export for PackageKit
- version 17.33.2

- version 17.33.1 (33)

- switch to reduced size libsolv-tools-base (jsc#PED-8153)

- Fixed check for outdated repo metadata as non-root user
  (bsc#1222086)
- Add ZYPP_API for exported functions and switch to
  visibility=hidden (jsc#PED-8153)
- Dynamically resolve libproxy (jsc#PED-8153)
- version 17.33.0 (33)

- Fix download from gpgkey URL (bsc#1223430, fixes openSUSE/zypper#546)
- version 17.32.6 (32)

- Don't try to refresh volatile media as long as raw metadata are
  present (bsc#1223094)
- version 17.32.5 (32)

- Fix creation of sibling cache dirs with too restrictive mode
  (bsc#1222398)
  Some install workflows in YAST may lead to too restrictive (0700)
  raw cache directories in case of newly created repos. Later
  commands running with user privileges may not be able to access
  these repos.
- version 17.32.4 (32)

- Update RepoStatus fromCookieFile according to the files mtime
  (bsc#1222086)
- TmpFile: Don't call chmod if makeSibling failed.
- version 17.32.3 (32)

- Fixup New VendorSupportOption flag VendorSupportSuperseded
  (jsc#OBS-301, jsc#PED-8014)
  Fixed the name of the keyword to "support_superseded" as it was
  agreed on in jsc#OBS-301.
- version 17.32.2 (32)

- Add resolver option 'removeUnneeded' to file weak remove jobs
  for unneeded packages (bsc#1175678)
- version 17.32.1 (32)

- Add resolver option 'removeOrphaned' for distupgrade
  (bsc#1221525)
- New VendorSupportOption flag VendorSupportSuperseded
  (jsc#OBS-301, jsc#PED-8014)
- Tests: fix vsftpd.conf where SUSE and Fedora use different
  defaults (fixes #522)
- Add default stripe minimum (#529)
- Don't expose std::optional where YAST/PK explicitly use c++11.
- Digest: Avoid using the deprecated OPENSSL_config.
- version 17.32.0 (32)

- ProblemSolution::skipsPatchesOnly overload to handout the
  patches.
- Remove https->http redirection exceptions for
  download.opensuse.org.
- version 17.31.32 (22)

- tui: allow to access the underlying ostream of out::Info.
- Add MLSep: Helper to produce not-NL-terminated multi line
  output.
- version 17.31.31 (22)

- applydeltaprm: Create target directory if it does not exist
  (bsc#1219442)
- Add ProblemSolution::skipsPatchesOnly (for openSUSE/zypper#514)
- Fix problems with EINTR in ExternalDataSource::getline (fixes
  bsc#1215698)
- version 17.31.30 (22)

- CheckAccessDeleted: fix running_in_container detection
  (bsc#1218782)
- Detect CURLOPT_REDIR_PROTOCOLS_STR availability at runtime
  (bsc#1218831)
- Make Wakeup class EINTR safe.
- Add a way to cancel media operations on shutdown
  (openSUSE/zypper#522)
  This patch adds a mechanism to signal libzypp that a shutdown was
  requested, usually when CTRL+C was pressed by the user. Currently
  only the media backend will utilize this, but can be extended to
  all code paths that use g_poll() to wait for events.
- Manually poll fds for curl in MediaCurl.
  Using curl_easy_perform does not give us the required control on
  when we want to cancel a download. Switching to the MultiCurl
  implementation with a external poll() event loop will give us
  much more freedom and helps us to improve our Ctrl+C handling.
- Move reusable curl poll code to curlhelper.h.
- version 17.31.29 (22)

- Fix to build with libxml 2.12.x (fixes #505)
- version 17.31.28 (22)

- CheckAccessDeleted: fix 'running in container' filter
  (bsc#1218291)
- version 17.31.27 (22)

- Call zypp commit plugins during transactional update (fixes #506)
- Add support for loongarch64 (fixes #504)
- Teach MediaMultiCurl to download HTTP Multibyte ranges.
- Teach zsync downloads to MultiCurl.
- Expand RepoVars in URLs downloading a .repo file (bsc#1212160)
  Convenient and helps documentation as it may refer to a single
  command for a bunch of distributions. Like e.g. "zypper ar
  'https://server.my/$releasever/my.repo'".
- version 17.31.26 (22)

- Fix build issue with zchunk build flags (fixes #500)
- version 17.31.25 (22)

- Open rpmdb just once during execution of %posttrans scripts
  (bsc#1216412)
- Avoid using select() since it does not support fd numbers >
  1024 (fixes #447)
- tools/DownloadFiles: use standard zypp progress bar (fixes #489)
- Revert "Color download progress bar" (fixes #475)
  Cyan is already used for the output of RPM scriptlets. Avoid this
  colorific collision between download progress bar and scriptlet
  output.
- Fix ProgressBar's calculation of the printed tag position (fixes #494)
- Switch zypp::Digest to Openssl 3.0 Provider API (fixes #144)
- Fix usage of deprecated CURL features (fixes #486)
- version 17.31.24 (22)

- Stop using boost version 1 timer library (fixes #489,
  bsc#1215294)
- version 17.31.23 (22)
lifecycle-data-sle-module-live-patching
- Added data for 5_14_21-150400_24_119,
  5_14_21-150400_24_122, 5_14_21-150500_55_62,
  5_14_21-150500_55_65, 5_14_21-150500_55_68,
  5_3_18-150200_24_191, 5_3_18-150200_24_194,
  5_3_18-150300_59_161, 5_3_18-150300_59_164,
  6_4_0-150600_21, 6_4_0-150600_23_7,
  +kernel-livepatch-5_14_21-150500_13_52-rt,*,+kernel-livepatch-5_14_21-150500_13_55-rt,*,+kernel-livepatch-5_14_21-150500_13_58-rt,*. (bsc#1020320)

- Added data for 5_14_21-150400_24_111, 5_14_21-150400_24_116,
  5_14_21-150500_55_52, 5_14_21-150500_55_59,
  5_3_18-150200_24_183, 5_3_18-150200_24_188,
  5_3_18-150300_59_153, 5_3_18-150300_59_158,
  +kernel-livepatch-5_14_21-150400_15_71-rt,*,+kernel-livepatch-5_14_21-150500_13_38-rt,*,+kernel-livepatch-5_14_21-150500_13_43-rt,*,+kernel-livepatch-5_14_21-150500_13_47-rt,*. (bsc#1020320)

- Added data for 4_12_14-150100_197_168,
  5_14_21-150400_24_103, 5_14_21-150400_24_108,
  5_14_21-150500_55_44, 5_14_21-150500_55_49,
  5_3_18-150200_24_175, 5_3_18-150200_24_178,
  5_3_18-150300_59_147, 5_3_18-150300_59_150,
  +kernel-livepatch-5_14_21-150400_15_65-rt,*,+kernel-livepatch-5_14_21-150400_15_68-rt,*,+kernel-livepatch-5_14_21-150500_13_30-rt,*,+kernel-livepatch-5_14_21-150500_13_35-rt,*. (bsc#1020320)

- Added data for 4_12_14-150100_197_160,
  4_12_14-150100_197_165, 5_14_21-150400_24_100,
  5_14_21-150400_24_66, 5_14_21-150400_24_88,
  5_14_21-150400_24_92, 5_14_21-150400_24_97,
  5_14_21-150500_55_28, 5_14_21-150500_55_31,
  5_14_21-150500_55_36, 5_14_21-150500_55_39,
  5_3_18-150200_24_166, 5_3_18-150200_24_169,
  5_3_18-150200_24_172, 5_3_18-150300_59_138,
  5_3_18-150300_59_141, 5_3_18-150300_59_144,
  +kernel-livepatch-5_14_21-150400_15_53-rt,*,+kernel-livepatch-5_14_21-150400_15_56-rt,*,+kernel-livepatch-5_14_21-150400_15_59-rt,*,+kernel-livepatch-5_14_21-150400_15_62-rt,*,+kernel-livepatch-5_14_21-150500_13_18-rt,*,+kernel-livepatch-5_14_21-150500_13_21-rt,*,+kernel-livepatch-5_14_21-150500_13_24-rt,*,+kernel-livepatch-5_14_21-150500_13_27-rt,*. (bsc#1020320)

- Added data for 4_12_14-150100_197_154, 4_12_14-150100_197_157,
  5_14_21-150400_24_74, 5_14_21-150400_24_81,
  5_14_21-150400_24_84, 5_14_21-150500_55_12,
  5_14_21-150500_55_19, 5_14_21-150500_55_22,
  5_3_18-150200_24_160, 5_3_18-150200_24_163,
  5_3_18-150300_59_130, 5_3_18-150300_59_133,
  +kernel-livepatch-5_14_21-150400_15_46-rt,*,+kernel-livepatch-5_14_21-150400_15_49-rt,*,+kernel-livepatch-5_14_21-150500_13_11-rt,*,+kernel-livepatch-5_14_21-150500_13_14-rt,*. (bsc#1020320)
shadow
- bsc#1228770: Fix not copying of skel files
  Update shadow-CVE-2013-4235.patch

- bsc#916845 (CVE-2013-4235): Fix TOCTOU race condition
  Add shadow-CVE-2013-4235.patch
netcfg
- Add krb-prop entry, fix for bsc#1211886.
ocfs2-tools
- OCFS2 writes delay on large volumes - slow la window lookup from global_bitmap (bsc#1219224)
  * bsc1219224-debugfs.ocfs2-support-recording-gd-bg_contig_free_bi.patch

- fsck.ocfs2: add the ability to clear jbd2 errno (bsc#1216834)
  + mounted.ocfs2-use-sys-sysmacros.h-include-for-makede.patch
  + Fix-build-failure-with-glibc-2.28.patch
  + bsc1216834-fsck.ocfs2-add-the-ability-to-clear-jbd2-errno.patch
openssh
- Add patches from upstream to change the default value of
  UpdateHostKeys to Yes (unless VerifyHostKeyDNS is enabled).
  This makes ssh update the known_hosts stored keys with all
  published versions by the server (after it's authenticated
  with an existing key), which will allow to identify the
  server with a different key if the existing key is considered
  insecure at some point in the future (bsc#1222831).
  * 0001-upstream-enable-UpdateHostkeys-by-default-when-the.patch
  * 0002-upstream-disable-UpdateHostkeys-by-default-if.patch

- Add patches openssh-7.7p1-seccomp_getuid.patch and
  openssh-bsc1216474-s390-leave-fds-open.patch
  (bsc#1216474, bsc#1218871)

- Fix hostbased ssh login failing occasionally with "signature
  unverified: incorrect signature" by fixing a typo in patch
  (bsc#1221123):
  * openssh-7.8p1-role-mls.patch

- Added openssh-cve-2023-51385.patch (bsc#1218215, CVE-2023-51385).
  This limits the use of shell metacharacters in host- and
  user names.

- Added openssh-cve-2023-48795.patch (bsc#1217950, CVE-2023-48795).
  This mitigates a prefix truncation attack that could be used to
  undermine channel security.

- Enhanced SELinux functionality. Added
  * openssh-7.8p1-role-mls.patch
    Proper handling of MLS systems and basis for other SELinux
    improvements
  * openssh-6.6p1-privsep-selinux.patch
    Properly set contexts during privilege separation
  * openssh-6.6p1-keycat.patch
    Add ssh-keycat command to allow retrival of authorized_keys
    on MLS setups with polyinstantiation
  * openssh-6.6.1p1-selinux-contexts.patch
    Additional changes to set the proper context during privilege
    separation
  * openssh-7.6p1-cleanup-selinux.patch
    Various changes and putting the pieces together
  For now we don't ship the ssh-keycat command, but we need the patch
  for the other SELinux infrastructure
  This change fixes issues like bsc#1214788, where the ssh daemon
  needs to act on behalf of a user and needs a proper context for this
pam-config
- Fix pam_gnome_keyring module for AUTH.
  [pam-config-fix-pam_gnome_keyring.patch, bsc#1219767]
pam
- Add missing O_DIRECTORY flag in `protect_dir()` for pam_namespace module.
  [bsc#1218475, pam-bsc1218475-pam_namespace-O_DIRECTORY-flag.patch]

- pam_lastlog: check localtime_r() return value (bsc#1217000)
  * Added: pam-bsc1217000-pam_lastlog-check-localtime_r-return-value.patch
perl
- fix space calculation issues in pp_pack.c [bnc#1082216]
  [CVE-2018-6913]
  * new patch: perl-pack-overflow.diff
- fix heap buffer overflow in regexec.c [bnc#1082233]
  [CVE-2018-6798]
  new patch: perl-regexec-heap-overflow.diff
- make Net::FTP work with TLS 1.3 [bnc#1213638]
  new patch: perl-net-ftp-tls13.diff
python-instance-billing-flavor-check
- Version 0.0.6 (bsc#1218561)
  Support proxy setup on the client to access the update infrastructure
  API

- Version 0.0.5
  Add IPv6 support (bsc#1218739)

- Version 0.0.4
  Run the command as sudo only (bsc#1217696, bsc#1217695)

- Version 0.0.3
  Handle exception for Python 3.4
python-Jinja2
- Add CVE-2024-34064.patch upstream patch
  (CVE-2024-34064, bsc#1223980, gh#pallets/jinja@0668239dc6b4)
  Also fixes (CVE-2024-22195, bsc#1218722)
python-chardet
- Fix update-alternative in %postun, bsc#1218765
python-cryptography
- Add CVE-2023-49083.patch to fix A null-pointer-dereference and
  segfault could occur when loading certificates from a PKCS#7 bundle.
  bsc#1217592
python-docutils
- Use update-alternatives for all binary scripts and provide
  /usr/bin/docutils to avoid conflict with python311-docutils
  bsc#1219501
python-idna
- Add CVE-2024-3651.patch, backported from upstream commit
  gh#kjd/idna#172/commits/5beb28b9dd77912c0dd656d8b0fdba3eb80222e7
  (bsc#1222842, CVE-2024-3651)
python-requests
- Update CVE-2024-35195.patch to allow the usage of "verify" parameter
  as a directory, bsc#1225912

- Add CVE-2024-35195.patch (CVE-2024-35195, bsc#1224788)
- Add httpbin.patch to fix a test failure caused by the previous patch.
python-urllib3
- Add CVE-2024-37891.patch (bsc#1226469, CVE-2024-37891)
rubygem-actionpack-5_1
- modified patches
  + 0009-CVE-2020-8166.patch (fixed)
  - rubygem-actionpack-5_1-CVE-2020-8166.patch (renamed)

- security update
  * fix CVE-2020-8166 patch port [bsc#1215707]

- security update
- added patches
  fix CVE-2020-8166 [bsc#1172182], Ability to forge per-form CSRF tokens given a global CSRF token
  + rubygem-actionpack-5_1-CVE-2020-8166.patch
rubygem-rack
- security update
- added patches
  fix CVE-2024-25126 [bsc#1220239], Denial of Service Vulnerability in Rack Content-Type Parsing
  + rubygem-rack-CVE-2024-25126.patch
  fix CVE-2024-26141 [bsc#1220242], Denial of Service Vulnerability in Range request header parsing
  + rubygem-rack-CVE-2024-26141.patch
  fix CVE-2024-26146 [bsc#1220248], Denial of Service vulnerability in Rack headers parsing routine
  + rubygem-rack-CVE-2024-26146.patch
rubygem-sass
- updated to version 3.7.4
  no changelog found

- updated to version 3.7.3
  no changelog found

- updated to version 3.7.2
  no changelog found

- updated to version 3.6.0
  no changelog found

- updated to version 3.5.7
  no changelog found

- updated to version 3.5.6
  no changelog found

- updated to version 3.5.5
  no changelog found
runc
[ This was only ever released for SLES and Leap. ]
- Update to runc v1.1.13. Upstream changelog is available from
  <https://github.com/opencontainers/runc/releases/tag/v1.1.12>.
- Rebase patches:
  * 0001-bsc1221050-libct-seccomp-patchbpf-rm-duplicated-code.patch
  * 0002-bsc1221050-seccomp-patchbpf-rename-nativeArch-linuxA.patch
  * 0003-bsc1221050-seccomp-patchbpf-always-include-native-ar.patch
- Backport <https://github.com/opencontainers/runc/pull/3931> to fix a
  performance issue when running lots of containers, caused by system getting
  too many mount notifications. bsc#1214960
  + 0004-bsc1214960-nsenter-cloned_binary-remove-bindfd-logic.patch

- Add upstream patch <https://github.com/opencontainers/runc/pull/4219> to
  properly fix -ENOSYS stub on ppc64le. bsc#1192051 bsc#1221050
  + 0001-bsc1221050-libct-seccomp-patchbpf-rm-duplicated-code.patch
  + 0002-bsc1221050-seccomp-patchbpf-rename-nativeArch-linuxA.patch
  + 0003-bsc1221050-seccomp-patchbpf-always-include-native-ar.patch

- Update to runc v1.1.12. Upstream changelog is available from
  <https://github.com/opencontainers/runc/releases/tag/v1.1.12>. bsc#1218894
  * This release fixes a container breakout vulnerability (CVE-2024-21626). For
    more details, see the upstream security advisory:
    <https://github.com/opencontainers/runc/security/advisories/GHSA-xr7r-f8xq-vfvv>
  * Remove upstreamed patches:
  - CVE-2024-21626.patch
  * Update runc.keyring to match upstream changes.

[ This was only ever released for SLES. ]
- Add upstream patch to fix embargoed issue CVE-2024-21626. bsc#1218894
  <https://github.com/opencontainers/runc/security/advisories/GHSA-xr7r-f8xq-vfvv>
  + CVE-2024-21626.patch

- Update to runc v1.1.11. Upstream changelog is available from
  <https://github.com/opencontainers/runc/releases/tag/v1.1.11>.
sapconf
- version update from 5.0.6 to 5.0.7
- add require of package sysctl-logger
  (jsc#PED-5025)
- suppress error message regarding missing systemd service file
  during posttrans script
saptune
- update package version of saptune to 3.1.2
  * to support setups with saptune monitoring and heavy automation
    we limited the setting of our saptune lock to commands having
    the potential to change anything in the system.
    (bsc#1219500)
  * fix timestamp in log messages of saptune
  * remove redundant version information in header comment of
    note definition files
  * SAP Note 1656250 updated to Version 63
    SAP Note 1771258 updated to Version 8
    SAP Note 2382421 updated to Version 45
    SAP Note 3024346 updated to Version 10
    but without parameter value changes, only house keeping of the
    version section and comment updates
  * SAP Note 1984787 updated to Version 42
    SAP Note 2578899 updated to Version 47
- add require of package sysctl-logger
  (jsc#PED-5025)
sed
- 0001-sed-set-correct-umask-on-temporary-files.patch
  Fix for bsc#1221218
000release-packages:sle-ha-release
n/a
000release-packages:sle-module-basesystem-release
n/a
000release-packages:sle-module-cap-tools-release
n/a
000release-packages:sle-module-desktop-applications-release
n/a
000release-packages:sle-module-development-tools-release
n/a
000release-packages:sle-module-live-patching-release
n/a
000release-packages:sle-module-public-cloud-release
n/a
000release-packages:sle-module-sap-applications-release
n/a
000release-packages:sle-module-server-applications-release
n/a
000release-packages:sle-module-web-scripting-release
n/a
sudo
- Fix NOPASSWD issue introduced by patches for CVE-2023-42465
  [bsc#1221151, bsc#1221134]
  * Update sudo-CVE-2023-42465-1of2.patch sudo-CVE-2023-42465-2of2.patch
  * Enable running regression selftests during build time.

- Security fix: [bsc#1219026, bsc#1220389, CVE-2023-42465]
  * Try to make sudo less vulnerable to ROWHAMMER attacks.
  * Add sudo-CVE-2023-42465-1of2.patch sudo-CVE-2023-42465-2of2.patch
supportutils-plugin-ha-sap
- Update to version 0.0.5+git.1709295499.1c8e8cd
  * adapt documentation links
  * add support for SAP systemd services regarding SID retrieval
  * add information about SAP related systemd services
  * add information about sapcontrol function GetStartProfile
  * add information from daemon.ini
  * collect hook script logs (suschksrv and saphanasr_multitarget_hook)
  * collect logs of sap_suse_cluster_connector and sapstartsrv
  * Add python version
  * Check sudoers for srhook configuration
supportutils-plugin-suse-public-cloud
- Update to version 1.0.9 (bsc#1218762, bsc#1218763)
  + Remove duplicate data collection for the plugin itself
  + Collect archive metering data when available
  + Query billing flavor status
supportutils
- Changes in version 3.1.30
  + Added -V key:value pair option (bsc#1222021, PED-8211)
  + Avoid getting duplicate kernel verifications in boot.text (pr#193)
  + Suppress file descriptor leak warnings from lvm commands (pr#192, bsc#1220082)
  + Includes container log timestamps (pr#197)

- Changes to version 3.1.29
  + Extended scaling for performance (bsc#1214713)
  + Fixed kdumptool output error (bsc#1218632)
  + Corrected podman ID errors (bsc#1218812)
  + Duplicate non root podman entries removed (bsc#1218814)
  + Corrected get_sles_ver for SLE Micro (bsc#1219241)
  + Check nvidida-persistenced state (bsc#1219639)

- Additional changes in version 3.1.28
  + ipset - List entries for all sets
  + ipvsadm - Inspect the virtual server table (pr#185)
  + Correctly detects Xen Dom0 (bsc#1218201)
  + Fixed smart disk error (bsc#1218282)

- Changes in version 3.1.28
  + Inhibit the conversion of port numbers to port names for network files (cherry picked from commit 55f5f716638fb15e3eb1315443949ed98723d250)
  + powerpc: collect rtas_errd.log and lp_diag.log files (pr#175)
  + Get list of pam.d file (cherry picked from commit eaf35c77fd4bc039fd7e3d779ec1c2c6521283e2)
  + Remove supportutils requires for util-linux-systemd and kmod (bsc#1193173)
  + Added missing klp information to kernel-livepatch.txt (bsc#1216390)
  + Fixed plugins creating empty files when using supportconfig.rc (bsc#1216388)
  + Provides long listing for /etc/sssd/sssd.conf (bsc#1211547)
  + Optimize lsof usage (bsc#1183663)
  + Added mokutil commands for secureboot (pr#179)
  + Collects chrony or ntp as needed (bsc#1196293)

- Changes in version 3.1.27
  + Fixed podman display issue (bsc#1217287)
  + Added nvme-stas configuration to nvme.txt (bsc#1216049)
  + Added timed command to fs-files.txt (bsc#1216827)
  + Collects zypp history file issue#166 (bsc#1216522)
  + Changed -x OPTION to really be exclude only (issue#146)
  + Collect HA related rpm package versions in ha.txt (pr#169)
suse-build-key
- added missing ; in shell script (bsc#1227681)

- Added new keys of the SLE Micro 6.0 / SLES 16 series, and auto import
  them. (bsc#1227429)
  gpg-pubkey-09d9ea69-645b99ce.asc: Main SLE Micro 6/SLES 16 key
  gpg-pubkey-73f03759-626bd414.asc: Backup SLE Micro 6/SLES 16 key.

- Switch container key to be default RSA 4096bit. (jsc#PED-2777)

- run rpm commands in import script only when libzypp is not
  active. bsc#1219189 bsc#1219123

- run import script also in %posttrans section, but only when
  libzypp is not active. bsc#1219189 bsc#1219123
suse-module-tools
- Update to version 15.3.18:
  * rpm-script: add symlink /boot/.vmlinuz.hmac (bsc#1217775)
systemd-default-settings
- Import 0.10
  5088997 SLE: Disable pids controller limit under user instances (jsc#SLE-10123)

- Import 0.9
  bb859bf user@.service: Disable controllers by default (jsc#PED-2276)

- The usage of drop-ins is now the official way for configuring systemd and its
  various daemons on Factory/ALP. Hence the early drop-ins SUSE specific
  "feature" has been abandoned.

- Import 0.8
  f34372f User priority '26' for SLE-Micro
  c8b6f0a Revert "Convert more drop-ins into early ones"

- Import commit 6b8dde1d4f867aff713af6d6830510a84fad58d2
  6b8dde1 Convert more drop-ins into early ones
systemd-presets-branding-SLE
- Enable sysctl-logger (jsc#PED-5024)
systemd-presets-common-SUSE
- Split hcn-init.service to hcn-init-NetworkManager and hcn-init-wicked
  (bsc#1200731 ltc#198485 https://github.com/ibm-power-utilities/powerpc-utils/pull/84)
  Support both the old and new service to avoid complex version interdependency.
tar
- Fix CVE-2023-39804, Incorrectly handled extension attributes in
  PAX archives can lead to a crash, bsc#1217969
  * fix-CVE-2023-39804.patch
timezone
- update to 2024a:
  * Kazakhstan unifies on UTC+5.  This affects Asia/Almaty and
    Asia/Qostanay which together represent the eastern portion of the
    country that will transition from UTC+6 on 2024-03-01 at 00:00 to
    join the western portion.  (Thanks to Zhanbolat Raimbekov.)
  * Palestine springs forward a week later than previously predicted
    in 2024 and 2025.  (Thanks to Heba Hamad.)  Change spring-forward
    predictions to the second Saturday after Ramadan, not the first;
    this also affects other predictions starting in 2039.
  * Asia/Ho_Chi_Minh's 1955-07-01 transition occurred at 01:00
    not 00:00.  (Thanks to Đoàn Trần Công Danh.)
  * From 1947 through 1949, Toronto's transitions occurred at 02:00
    not 00:00.  (Thanks to Chris Walton.)
  * In 1911 Miquelon adopted standard time on June 15, not May 15.
  * The FROM and TO columns of Rule lines can no longer be "minimum"
    or an abbreviation of "minimum", because TZif files do not support
    DST rules that extend into the indefinite past - although these
    rules were supported when TZif files had only 32-bit data, this
    stopped working when 64-bit TZif files were introduced in 1995.
    This should not be a problem for realistic data, since DST was
    first used in the 20th century.  As a transition aid, FROM columns
    like "minimum" are now diagnosed and then treated as if they were
    the year 1900; this should suffice for TZif files on old systems
    with only 32-bit time_t, and it is more compatible with bugs in
    2023c-and-earlier localtime.c.  (Problem reported by Yoshito
    Umaoka.)
  * localtime and related functions no longer mishandle some
    timestamps that occur about 400 years after a switch to a time
    zone with a DST schedule.  In 2023d data this problem was visible
    for some timestamps in November 2422, November 2822, etc. in
    America/Ciudad_Juarez.  (Problem reported by Gilmore Davidson.)
  * strftime %s now uses tm_gmtoff if available.  (Problem and draft
    patch reported by Dag-Erling Smørgrav.)
  * The strftime man page documents which struct tm members affect
    which conversion specs, and that tzset is called.  (Problems
    reported by Robert Elz and Steve Summit.)

- update to 2023d:
  * Ittoqqortoormiit, Greenland changes time zones on
    2024-03-31.
  * Vostok, Antarctica changed time zones on 2023-12-18.
  * Casey, Antarctica changed time zones five times since
    2020.
  * Code and data fixes for Palestine timestamps starting in
    2072.
  * A new data file zonenow.tab for timestamps starting now.
  * Fix predictions for DST transitions in Palestine in
    2072-2075, correcting a typo introduced in 2023a.
  * Vostok, Antarctica changed to +05 on 2023-12-18.  It had
    been at +07 (not +06) for years.
  * Change data for Casey, Antarctica to agree with
    timeanddate.com, by adding five time zone changes since 2020.
    Casey is now at +08 instead of +11.
  * Much of Greenland, represented by America/Nuuk, changed
    its standard time from -03 to -02 on 2023-03-25, not on
    2023-10-28.
  * localtime.c no longer mishandles TZif files that contain
    a single transition into a DST regime.  Previously,
    it incorrectly assumed DST was in effect before the transition
    too.
  * tzselect no longer creates temporary files.
  * tzselect no longer mishandles the following:
  * Spaces and most other special characters in BUGEMAIL,
    PACKAGE, TZDIR, and VERSION.
  * TZ strings when using mawk 1.4.3, which mishandles
    regular expressions of the form /X{2,}/.
  * ISO 6709 coordinates when using an awk that lacks the
    GNU extension of newlines in -v option-arguments.
  * Non UTF-8 locales when using an iconv command that
    lacks the GNU //TRANSLIT extension.
  * zic no longer mishandles data for Palestine after the
    year 2075.
- Refresh tzdata-china.diff
util-linux-systemd
- Properly neutralize escape sequences in wall
  (util-linux-CVE-2024-28085.patch, bsc#1221831, CVE-2024-28085,
  and its prerequisites: util-linux-fputs_careful1.patch,
  util-linux-wall-migrate-to-memstream.patch
  util-linux-fputs_careful2.patch).

- Add upstream patch
  util-linux-libuuid-avoid-truncate-clocks.txt-to-improve-perform.patch
  bsc#1207987 gh#util-linux/util-linux@1d98827edde4
vim
- Updated to version 9.1 with patch level 0330, fixes the following problems
  * Fixing bsc#1220763 - vim gets Segmentation fault after updating to version 9.1.0111-150500.20.9.1
- refreshed vim-7.3-filetype_spec.patch
- refreshed vim-7.3-filetype_ftl.patch
- Update spec.skeleton to use autosetup in place of setup macro.
- for the complete list of changes see
  https://github.com/vim/vim/compare/v9.1.0111...v9.1.0330

- Updated to version 9.1 with patch level 0111, fixes the following security problems
  * Fixing bsc#1217316 (CVE-2023-48231) - VUL-0: CVE-2023-48231: vim: Use-After-Free in win_close()
  * Fixing bsc#1217320 (CVE-2023-48232) - VUL-0: CVE-2023-48232: vim: Floating point Exception in adjust_plines_for_skipcol()
  * Fixing bsc#1217321 (CVE-2023-48233) - VUL-0: CVE-2023-48233: vim: overflow with count for :s command
  * Fixing bsc#1217324 (CVE-2023-48234) - VUL-0: CVE-2023-48234: vim: overflow in nv_z_get_count
  * Fixing bsc#1217326 (CVE-2023-48235) - VUL-0: CVE-2023-48235: vim: overflow in ex address parsing
  * Fixing bsc#1217329 (CVE-2023-48236) - VUL-0: CVE-2023-48236: vim: overflow in get_number
  * Fixing bsc#1217330 (CVE-2023-48237) - VUL-0: CVE-2023-48237: vim: overflow in shift_line
  * Fixing bsc#1217432 (CVE-2023-48706) - VUL-0: CVE-2023-48706: vim: heap-use-after-free in ex_substitute
  * Fixing bsc#1219581 (CVE-2024-22667) - VUL-0: CVE-2024-22667: vim: stack-based buffer overflow in did_set_langmap function in map.c
  * Fixing bsc#1215005 (CVE-2023-4750) - VUL-0: CVE-2023-4750: vim: Heap use-after-free in function bt_quickfix
- for the complete list of changes see
  https://github.com/vim/vim/compare/v9.0.2103...v9.1.0111
wget
- Fix mishandled semicolons in the userinfo subcomponent could lead to an
  insecure behavior in which data that was supposed to be in the userinfo
  subcomponent is misinterpreted to be part of the host subcomponent.
  [bsc#1226419, CVE-2024-38428, properly-re-implement-userinfo-parsing.patch]
wicked
- Update to version 0.6.76
  - compat-suse: warn user and create missing parent config of
    infiniband children (gh#openSUSE/wicked#1027)
  - client: fix origin in loaded xml-config with obsolete port
    references but missing port interface config, causing a
    no-carrier of master (bsc#1226125)
  - ipv6: fix setup on ipv6.disable=1 kernel cmdline (bsc#1225976)
  - wireless: add frequency-list in station mode (jsc#PED-8715)
  - client: fix crash while hierarchy traversing due to loop in
    e.g. systemd-nspawn containers (bsc#1226664)
  - man: add supported bonding options to ifcfg-bonding(5) man page
    (gh#openSUSE/wicked#1021)
  - arputil: Document minimal interval for getopts (gh#openSUSE/wicked#1019)
  - man: (re)generate man pages from md sources (gh#openSUSE/wicked#1018)
  - client: warn on interface wait time reached (gh#openSUSE/wicked#1017)
  - compat-suse: fix dummy type detection from ifname to not cause
    conflicts with e.g. correct vlan config on dummy0.42 interfaces
    (gh#openSUSE/wicked#1016)
  - compat-suse: fix infiniband and infiniband child type detection
    from ifname (gh#openSUSE/wicked#1015)
- Removed patches included in the source archive:
  [- 0001-ifreload-pull-UP-again-on-master-lower-changes-bsc1224100.patch]
  [- 0002-increase-arp-retry-attempts-on-sending-bsc1218668.patch]

- arp: increase arp-send retry value to avoid address configuration
  failure due to ENOBUF reported by kernel while duplicate address
  detection with underlying bonding in 802.3ad mode reporting link
  "up & running" too early (bsc#1218668, gh#openSUSE/wicked#1020,
  gh#openSUSE/wicked#1020).
  [+ 0002-increase-arp-retry-attempts-on-sending-bsc1218668.patch]

- client: fix ifreload to pull UP ports/links again when the config
  of their master/lower changed (bsc#1224100,gh#openSUSE/wicked#1014).
  [+ 0001-ifreload-pull-UP-again-on-master-lower-changes-bsc1224100.patch]

- Update to version 0.6.75:
  - cleanup: fix ni_fsm_state_t enum-int-mismatch warnings
  - cleanup: fix overflow warnings in a socket testcase on i586
  - ifcheck: report new and deleted configs as changed (bsc#1218926)
  - man: improve ARP configuration options in the wicked-config.5
  - bond: add ports when master is UP to avoid port MTU revert (bsc#1219108)
  - cleanup: fix interface dependencies and shutdown order (bsc#1205604)
  - Remove port arrays from bond,team,bridge,ovs-bridge (redundant)
    and consistently use config and state info attached to the port
    interface as in rtnetlink(7).
  - Cleanup ifcfg parsing, schema configuration and service properties
  - Migrate ports in xml config and policies already applied in nanny
  - Remove "missed config" generation from finite state machine, which
    is completed while parsing the config or while xml config migration.
  - Issue a warning when "lower" interface (e.g. eth0) config is missed
    while parsing config depending on it (e.g. eth0.42 vlan).
  - Resolve ovs master to the effective bridge in config and wickedd
  - Implement netif-check-state require checks using system relations
    from wickedd/kernel instead of config relations for ifdown and add
    linkDown and deleteDevice checks to all master and lower references.
  - Add a `wicked <ifup|ifdown|ifreload> --dry-run …` option to show the
    system/config interface hierarchies as notice with +/- marked
    interfaces to setup and/or shutdown.
- Removed patches included in the source archive:
  [- 0001-addrconf-fix-fallback-lease-drop-bsc-1220996.patch]
  [- 0002-extensions-nbft-replace-nvme-show-nbft-with-nvme-nbf.patch]
  [- 0003-move-all-attribute-definitions-to-compiler-h.patch]
  [- 0004-hide-secrets-in-debug-log-bsc-1221194.patch]
  [- 0005-client-do-to-not-convert-sec-to-msec-twice-bsc-1222105.patch]

- client: do not convert sec to msec twice (bsc#1222105)
  [+ 0005-client-do-to-not-convert-sec-to-msec-twice-bsc-1222105.patch]

- addrconf: fix fallback-lease drop (bsc#1220996)
  [+ 0001-addrconf-fix-fallback-lease-drop-bsc-1220996.patch]
- extensions/nbft: use upstream `nvme nbft show` (bsc#1221358)
  [+ 0002-extensions-nbft-replace-nvme-show-nbft-with-nvme-nbf.patch]
- hide secrets in debug log (bsc#1221194)
  [+ 0003-move-all-attribute-definitions-to-compiler-h.patch]
  [+ 0004-hide-secrets-in-debug-log-bsc-1221194.patch]

- update to version 0.6.74
  + team: add new options like link_watch_policy (jsc#PED-7183)
  + Fix memory leaks in dbus variant destroy and fsm free (gh#openSUSE/wicked#1001)
  + xpath: allow underscore in node identifier (gh#openSUSE/wicked#999)
  + vxlan: don't format unknown rtnl attrs (bsc#1219751)
- removed patches included in the source archive:
  [- 0009-ifreload-VLAN-changes-require-device-deletion-bsc-12.patch]
  [- 0008-ifcheck-fix-config-changed-check-bsc-1218926.patch]
  [- 0007-Fix-ifstatus-exit-code-for-NI_WICKED_ST_NO_CARRIER-s.patch]
  [- 0006-dhcp6-omit-the-SO_REUSEPORT-option-bsc-1215692.patch]
  [- 0005-duid-fix-comment-for-v6time.patch]
  [- 0004-rtnl-parse-peer-address-on-non-ptp-interfaces.patch]
  [- 0003-rtnl-pass-ifname-in-newaddr-parsing-and-logging.patch]
  [- 0002-system-updater-Parse-updater-format-from-XML-configu.patch]
  [- 0001-fix_arp_notify_loop_and_burst_sending.patch]

- ifreload: VLAN changes require device deletion (bsc#1218927)
  [+ 0009-ifreload-VLAN-changes-require-device-deletion-bsc-12.patch]
- ifcheck: fix config changed check (bsc#1218926)
  [+ 0008-ifcheck-fix-config-changed-check-bsc-1218926.patch]
- client: fix exit code for no-carrier status (bsc#1219265)
  [+ 0007-Fix-ifstatus-exit-code-for-NI_WICKED_ST_NO_CARRIER-s.patch]
- dhcp6: omit the SO_REUSEPORT option (bsc#1215692)
  [+ 0006-dhcp6-omit-the-SO_REUSEPORT-option-bsc-1215692.patch]
- duid: fix comment for v6time
  (https://github.com/openSUSE/wicked/pull/989)
  [+ 0005-duid-fix-comment-for-v6time.patch]
- rtnl: fix peer address parsing for non ptp-interfaces
  (https://github.com/openSUSE/wicked/pull/987,
  https://github.com/openSUSE/wicked/pull/988)
  [+ 0003-rtnl-pass-ifname-in-newaddr-parsing-and-logging.patch]
  [+ 0004-rtnl-parse-peer-address-on-non-ptp-interfaces.patch]
- system-updater: Parse updater format from XML configuration to
  ensure install calls can run.
  (https://github.com/openSUSE/wicked/pull/985)
  [+ 0002-system-updater-Parse-updater-format-from-XML-configu.patch]
xen
- bsc#1227355 - VUL-0: CVE-2024-31143: xen: double unlock in x86
  guest IRQ handling (XSA-458)
  xsa458.patch

- bsc#1222453 - VUL-0: CVE-2024-2201: xen: x86: Native Branch
  History Injection (XSA-456)
  Corrections to the following patches
  xsa456-5.patch
  xsa456-6.patch

- bsc#1222453 - VUL-0: CVE-2024-2201: xen: x86: Native Branch
  History Injection (XSA-456)
  xsa456-0a.patch
  xsa456-0b.patch
  xsa456-0c.patch
  xsa456-0d.patch
  xsa456-0e.patch
  xsa456-0f.patch
  xsa456-0g.patch
  xsa456-0h.patch
  xsa456-0i.patch
  xsa456-0j.patch
  xsa456-0k.patch
  xsa456-0l.patch
  xsa456-0m.patch
  xsa456-0n.patch
  xsa456-0o.patch
  xsa456-0p.patch
  xsa456-1.patch
  xsa456-2.patch
  xsa456-3.patch
  xsa456-4.patch
  xsa456-5.patch
  xsa456-6.patch
  xsa456-7.patch

- bsc#1221984 - VUL-0: CVE-2023-46842: xen: x86 HVM hypercalls may
  trigger Xen bug check (XSA-454)
  xsa454-1.patch
  xsa454-2.patch
- bsc#1222302 - VUL-0: CVE-2024-31142: xen: x86: Incorrect logic
  for BTC/SRSO mitigations (XSA-455)
  xsa455.patch

- bsc#1221332 - VUL-0: CVE-2023-28746: xen: x86: Register File Data
  Sampling (XSA-452)
  xsa452-1.patch
  xsa452-2.patch
  xsa452-3.patch
  xsa452-4.patch
  xsa452-5.patch
  xsa452-6.patch
  xsa452-7.patch
- bsc#1221334 - VUL-0: CVE-2024-2193: xen: GhostRace: Speculative
  Race Conditions (XSA-453)
  xsa453-1.patch
  xsa453-2.patch
  xsa453-3.patch
  xsa453-4.patch
  xsa453-5.patch
  xsa453-6.patch
  xsa453-7.patch
  xsa453-8.patch
- Modified xsa451.patch (bsc#1219885)

- bsc#1219885 - VUL-0: CVE-2023-46841: xen: x86: shadow stack vs
  exceptions from emulation stubs (XSA-451)
  xsa451.patch

- bsc#1218851 - VUL-0: CVE-2023-46839: xen: phantom functions
  assigned to incorrect contexts (XSA-449)
  xsa449.patch
xkbcomp
- U_Ignore-xkb_keycodes.maximum-of-255.patch
  * fix keyboard layouts in XWayland applications when having
    several keyboard layouts enabled (boo#1219505)
xterm
- xterm-reset-parsing-state.patch: A bug in the parser for several
  escape sequences causes the first character following the
  sequence to be ignored (bsc#1220585). Patch backported from
  version 335n.
yast2
- Reimplemented the hardcoded product mapping to support also the
  migration from SLE_HPC to SLES SP6+ (with the HPC module)
  (bsc#1220567)
- 4.3.70
yast2-network
- Guard secret attributes against leaking to the log (bsc#1221194)
- 4.3.89
yast2-packager
- Reimplemented the hardcoded product mapping to support also the
  migration from SLE_HPC to SLES SP6+ (with the HPC module)
  (bsc#1220567)
- 4.3.27
yast2-pkg-bindings
- Fixed repository and service probing with libzypp 7.31.26
  and newer, fixes broken repository handling (bsc#1218977,
  bsc#1218399)
- 4.3.13
yast2-registration
- Set the new product mapping when upgrading SLE_HPC to SLES SP6+
  (with the HPC module), use the old product mapping when upgrading
  from SLE_HPC-SP3 to SLE_HPC-SP4 (bsc#1220567)
- 4.3.29

- Adapted to SCC API change 'base' -> 'isbase' (bsc#1217317):
  Cherry-picked igonzalezsosa's commit 431d937b78c209c0d35
- 4.3.28
zypper
- Fixed check for outdated repo metadata as non-root user
  (bsc#1222086)
- BuildRequires:  libzypp-devel >= 17.33.0.
- Delay zypp lock until command options are parsed (bsc#1223766)
- version 1.14.73

- Unify message format(fixes #485)
- version 1.14.72

- switch cmake build type to RelWithDebInfo
- modernize spec file (remove Authors section, use proper macros,
  remove redundant clean section, don't mark man pages as doc)
- switch to -O2 -fvisibility=hidden -fpie:
  * PIC is not needed as no shared lib is built
  * fstack-protector-strong is default on modern dists and would
    be downgraded by fstack-protector
  * default visibility hidden allows better optimisation
  * O2 is reducing inlining bloat
  - > 18% reduced binary size

- remove procps requires (was only for ZMD which is dropped)
  (jsc#PED-8153)

- Do not try to refresh repo metadata as non-root user
  (bsc#1222086)
  Instead show refresh stats and hint how to update them.
- man: Explain how to protect orphaned packages by collecting
  them in a plaindir repo.
- packages: Add --autoinstalled and --userinstalled options to
  list them.
- Don't print 'reboot required' message if download-only or
  dry-run (fixes #529)
  Instead point out that a reboot would be required if the option
  was not used.
- Resepect zypper.conf option `showAlias` search commands
  (bsc#1221963)
  Repository::asUserString (or Repository::label) respects the
  zypper.conf option, while name/alias return the property.
- version 1.14.71

- dup: New option --remove-orphaned to remove all orphaned
  packages in dup (bsc#1221525)
- version 1.14.70

- info,summary: Support VendorSupportOption flag
  VendorSupportSuperseded (jsc#OBS-301, jsc#PED-8014)
- BuildRequires:  libzypp-devel >= 17.32.0.
  API cleanup and changes for VendorSupportSuperseded.
- Show active dry-run/download-only at the commit propmpt.
- patch: Add --skip-not-applicable-patches option (closes #514)
- Fix printing detailed solver problem description.
  The problem description() is one rule out possibly many in
  completeProblemInfo() the solver has chosen to represent the
  problem. So either description or completeProblemInfo should be
  printed, but not both.
- Fix bash-completion to work with right adjusted numbers in the
  1st column too (closes #505)
- Set libzypp shutdown request signal on Ctrl+C (fixes #522)
- lr REPO: In the detailed view show all baseurls not just the
  first one (bsc#1218171)
- version 1.14.69

- Fix search/info commands ignoring --ignore-unknown (bsc#1217593)
  The switch makes search commands return 0 rather than 104 for
  empty search results.
- version 1.14.68

- patch: Make sure reboot-needed is remembered until next boot
  (bsc#1217873)
- version 1.14.67