- 000release-packages:SLES_SAP-release
-
n/a
- bind
-
- Limit additional section processing for large RDATA sets.
When answering queries, don’t add data to the additional
section if the answer has more than 13 names in the RDATA. This
limits the number of lookups into the database(s) during a
single client query, reducing the query-processing load.
(CVE-2024-11187)
[bsc#1236596, bind-9.16-CVE-2024-11187.patch]
- kernel-default
-
- media: uvcvideo: Skip parsing frames of type UVC_VS_UNDEFINED
in uvc_parse_format (CVE-2024-53104 bsc#1234025).
- commit a0c98f3
- Fix sorting error
```
Error: Current series.conf is not sorted. Please run series_sort.py first and commit the result before adding new patches.
```
- commit a81b3e9
- kABI fix for net: defer final 'struct net' free in netns dismantle (CVE-2024-56658 bsc#1235441).
Upstream commit 0f6ede9fbc74 ("net: defer final 'struct
net' free in netns dismantle") introduced a new struct element
`defer_free_list` into `struct net`. In order to preserve the kABI, move
the newly added element into a hole.
```
struct netns_nexthop nexthop; /* 560 72 */
/* XXX 8 bytes hole, try to pack */
/* --- cacheline 10 boundary (640 bytes) --- */
struct netns_ipv4 ipv4 __attribute__((__aligned__(64))); /* 640 704 */
```
- commit 3fc1183
- net: defer final 'struct net' free in netns dismantle (CVE-2024-56658 bsc#1235441).
- commit 8694248
- NFS: Trigger the "ls -l" readdir heuristic sooner (bsc#1231847).
- commit eadd17e
- NFS: Improve heuristic for readdirplus (bsc#1231847).
- commit ea10ca2
- NFS: Adjust the amount of readahead performed by NFS readdir
(bsc#1231847).
- commit ec8e677
- NFS: Do not flush the readdir cache in nfs_dentry_iput()
(bsc#1231847).
- commit ac72a63
- smb: prevent use-after-free due to open_cached_dir error paths
(CVE-2024-53177 bsc#1234896).
- commit 43156cd
- net: inet6: do not leave a dangling sk pointer in inet6_create()
(CVE-2024-56600 bsc#1235217).
- commit 4f3d37a
- blacklist.conf: Not affected by CVE-2024-44932 and CVE-2024-44964
- Delete
patches.suse/idpf-fix-UAFs-when-destroying-the-queues.patch.
- Delete
patches.suse/idpf-fix-memory-leaks-and-crashes-while-performing-a.patch.
This fixes bsc#1236628
- commit 6ceedf0
- netfilter: x_tables: fix LED ID check in led_tg_check()
(CVE-2024-56650 bsc#1235430).
- commit a130a9c
- drm/amdkfd: Correct the migration DMA map direction (bsc#1235969 CVE-2024-57897)
- commit e14ed1e
- Refresh patches.suse/drm-dp_mst-Ensure-mst_primary-pointer-is-valid-in-dr.patch.
Fix warning by removing unused label out_put_primary
- commit 354b3cb
- Update patches.suse/tipc-fix-NULL-deref-in-cleanup_bearer.patch
(bsc#1235433 CVE-2024-56661 bsc#1234931).
- commit cb91989
- Update
patches.suse/Bluetooth-hci_event-Align-BR-EDR-JUST_WORKS-paring-w.patch
(git-fixes bsc#1230697 CVE-2024-8805 CVE-2024-53144
bsc#1234690).
- commit ea9bf7d
- net: inet: do not leave a dangling sk pointer in inet_create()
(CVE-2024-56601 bsc#1235230).
- commit b4769c0
- btrfs: fix use-after-free when COWing tree bock and tracing
is enabled (bsc#1235645 CVE-2024-56759).
- commit e811c1c
- scsi: qla2xxx: Fix use after free on unload (CVE-2024-56623
bsc#1235466).
- block, bfq: fix bfqq uaf in bfq_limit_depth() (CVE-2024-53166
bsc#1234884).
- commit 894e940
- Refresh
patches.suse/x86-xen-don-t-do-PV-iret-hypercall-through-hypercall.patch.
- commit df281af
- x86/static-call: Remove early_boot_irqs_disabled check to fix
Xen PVH dom0 (git-fixes).
- commit 2c0880a
- ALSA: seq: oss: Fix races at processing SysEx messages
(CVE-2024-57893 bsc#1235920).
- commit f05049d
- drm/dp_mst: Ensure mst_primary pointer is valid in drm_dp_mst_handle_up_req() (CVE-2024-57798 bsc#1235818).
- commit bfdad42
- drm/dp_mst: Ensure mst_primary pointer is valid in drm_dp_mst_handle_up_req() (CVE-2024-57798 bsc#1235818).
- commit 15490f2
- net/smc: check return value of sock_recvmsg when draining clc
data (CVE-2024-57791 bsc#1235759).
- commit b879d55
- power: supply: gpio-charger: Fix set charge current limits
(git-fixes CVE-2024-57792 bsc#1235764).
- commit 80ed527
- bpf, sockmap: Fix race between element replace and close()
(CVE-2024-56664 bsc#1235249).
- commit 03e2626
- s390/cpum_sf: Handle CPU hotplug remove during sampling
(CVE-2024-57849 bsc#1235814).
- commit e03f9af
- Update
patches.suse/smb-client-fix-TCP-timers-deadlock-after-rmmod.patch
(CVE-2024-53095 bsc#1233642 CVE-2024-54680 bsc#1235723).
- commit 6deb1aa
- mm/swapfile: skip HugeTLB pages for unuse_vma (CVE-2024-50199
bsc#1233112).
- commit 63ec06b
- tipc: fix NULL deref in cleanup_bearer() (bsc#1235433).
- commit a0043a3
- scsi: sg: Fix slab-use-after-free read in sg_release()
(CVE-2024-56631 bsc#1235480).
- commit 9399f03
- 9p/xen: fix release of IRQ (CVE-2024-56704 bsc#1235584).
- commit 614e74c
- net: ieee802154: do not leave a dangling sk pointer in
ieee802154_create() (CVE-2024-56602 bsc#1235521).
- commit 4049cc5
- net: hsr: avoid potential out-of-bound access in
fill_frame_info() (CVE-2024-56648 bsc#1235451).
- commit 0a88cb0
- curl
-
- Security fix: [bsc#1236590, CVE-2025-0725]
* content_encoding: drop support for zlib before 1.2.0.4
* content_encoding: put the decomp buffers into the writer structs
* Add curl-CVE-2025-0725.patch
- Security fix: [bsc#1236588, CVE-2025-0167]
* netrc: 'default' with no credentials is not a match
* Add curl-CVE-2025-0167.patch
- findutils
-
- do not crash when file system loop was encountered [bsc#1231472]
- added patches
fix https://git.savannah.gnu.org/cgit/findutils.git/commit/?id=e5d6eb919b9
+ findutils-avoid-crash-system-loop.patch
- modified patches
% findutils-xautofs.patch (p1)
- glibc
-
- assert-message-allocation.patch: Fix underallocation of abort_msg_s
struct (CVE-2025-0395, bsc#1236282, BZ #32582)
- grub2
-
- Security fixes for 2024
* 0001-misc-Implement-grub_strlcpy.patch
- Fix CVE-2024-45781 (bsc#1233617)
* 0002-fs-ufs-Fix-a-heap-OOB-write.patch
- Fix CVE-2024-56737 (bsc#1234958)
- Fix CVE-2024-45782 (bsc#1233615)
* 0003-fs-hfs-Fix-stack-OOB-write-with-grub_strcpy.patch
- Fix CVE-2024-45780 (bsc#1233614)
* 0004-fs-tar-Integer-overflow-leads-to-heap-OOB-write.patch
- Fix CVE-2024-45783 (bsc#1233616)
* 0005-fs-hfsplus-Set-a-grub_errno-if-mount-fails.patch
* 0006-kern-file-Ensure-file-data-is-set.patch
* 0007-kern-file-Implement-filesystem-reference-counting.patch
- Fix CVE-2025-0624 (bsc#1236316)
* 0008-net-Fix-OOB-write-in-grub_net_search_config_file.patch
- Fix CVE-2024-45774 (bsc#1233609)
* 0009-video-readers-jpeg-Do-not-permit-duplicate-SOF0-mark.patch
- Fix CVE-2024-45775 (bsc#1233610)
* 0010-commands-extcmd-Missing-check-for-failed-allocation.patch
- Fix CVE-2025-0622 (bsc#1236317)
* 0011-commands-pgp-Unregister-the-check_signatures-hooks-o.patch
- Fix CVE-2025-0622 (bsc#1236317)
* 0012-normal-Remove-variables-hooks-on-module-unload.patch
- Fix CVE-2025-0622 (bsc#1236317)
* 0013-gettext-Remove-variables-hooks-on-module-unload.patch
- Fix CVE-2024-45776 (bsc#1233612)
* 0014-gettext-Integer-overflow-leads-to-heap-OOB-write-or-.patch
- Fix CVE-2024-45777 (bsc#1233613)
* 0015-gettext-Integer-overflow-leads-to-heap-OOB-write.patch
- Fix CVE-2025-0690 (bsc#1237012)
* 0016-commands-read-Fix-an-integer-overflow-when-supplying.patch
- Fix CVE-2025-1118 (bsc#1237013)
* 0017-commands-minicmd-Block-the-dump-command-in-lockdown-.patch
- Fix CVE-2024-45778 (bsc#1233606)
- Fix CVE-2024-45779 (bsc#1233608)
* 0018-fs-bfs-Disable-under-lockdown.patch
- Fix CVE-2025-0677 (bsc#1237002)
- Fix CVE-2025-0684 (bsc#1237008)
- Fix CVE-2025-0685 (bsc#1237009)
- Fix CVE-2025-0686 (bsc#1237010)
- Fix CVE-2025-0689 (bsc#1237011)
* 0019-fs-Disable-many-filesystems-under-lockdown.patch
- Fix CVE-2025-1125 (bsc#1237014)
- Fix CVE-2025-0678 (bsc#1237006)
* 0020-fs-Prevent-overflows-when-allocating-memory-for-arra.patch
- Bump upstream SBAT generation to 5
- open-iscsi
-
- iscsid-clear-scanning-thread-pr_set_io_flusher-flag.patch: fix
device discovery failure on systems with a large number of
devices (bsc#1235606).
- Fix issue with yast restarting the iscsid service without
first restarting the iscsid socket, which upsets systemd
(bsc#1206132). This is already fixed upstream.
- Branched SLE-15-SP3 from Factory. No longer in sync with
Tumbleweed.
- Backported upstream commit, which sets 'safe_logout' and
'startup' in iscsid.conf, to address bsc#1207157
- Updated year in SPEC file
- krb5
-
- Prevent overflow when calculating ulog block size. An authenticated
attacker can cause kadmind to write beyond the end of the mapped
region for the iprop log file, likely causing a process crash;
(CVE-2025-24528); (bsc#1236619).
- Add patch 0014-Prevent-overflow-when-calculating-ulog-block-size.patch
- openssl-1_1
-
- Security fix: [bsc#1236136, CVE-2024-13176]
* timing side-channel in the ECDSA signature computation
* Add openssl-CVE-2024-13176.patch
- python311
-
- Add CVE-2025-0938-sq-brackets-domain-names.patch which
disallows square brackets ([ and ]) in domain names for parsed
URLs (bsc#1236705, CVE-2025-0938, gh#python/cpython#105704)
- Configure externally_managed with a bcond
https://en.opensuse.org/openSUSE:Python:Externally_managed
bsc#1228165
- python3
-
- Add CVE-2025-0938-sq-brackets-domain-names.patch which
disallows square brackets ([ and ]) in domain names for parsed
URLs (bsc#1236705, CVE-2025-0938, gh#python/cpython#105704)
- libtasn1
-
- Security fix: [bsc#1236878, CVE-2024-12133]
* Potential DoS in handling of numerous SEQUENCE OF or SET OF elements
* Add libtasn1-CVE-2024-12133.patch
- libxml2
-
- security update
- added patches
fix CVE-2022-49043 [bsc#1236460], use-after-free in xmlXIncludeAddNode
+ libxml2-CVE-2022-49043.patch
- libzypp
-
- Don't issue deprecated warnings if -DNDEBUG is set (bsc#1236983)
Released libyui packages compile with -Werror=deprecated-declarations
so we can't add deprecated warnings without breaking them.
- make gcc15 happy (fixes #613)
- version 17.36.1 (35)
- Drop zypp-CheckAccessDeleted in favor of 'zypper ps'.
- Fix Repoverification plugin not being executed (fixes #614)
- Refresh: Fetch the master index file before key and signature
(bsc#1236820)
- Allow libzypp to compile with C++20.
- Deprecate RepoReports we do not trigger.
- version 17.36.0 (35)
- Create '.keep_packages' in the package cache dir to enforce
keeping downloaded packages of all repos cached there (bsc#1232458)
- version 17.35.19 (35)
- Fix missing UID checks in repomanager workflow (fixes #603)
- version 17.35.18 (35)
- Move cmake config files to LIB_INSTALL_DIR/cmake/Zypp (fixes #28)
- Fix 'zypper ps' when running in incus container (bsc#1229106)
Should apply to lxc and lxd containers as well.
- Re-enable 'rpm --runposttrans' usage for chrooted systems
(bsc#1216091)
- version 17.35.17 (35)
- openssh
-
- Backported patch to fix a MitM attack against OpenSSH's
VerifyHostKeyDNS-enabled client (bsc#1237040, CVE-2025-26465):
* fix-CVE-2025-26465.patch
- pam_pkcs11
-
- Security update fix [bsc#1237062, CVE-2025-24032], [bsc#1237058, CVE-2025-24031]
* Fix CVE-2025-24032: vulnerable to authentication bypass with default value for `cert_policy` (`none`)
* Fix CVE-2025-24031: vulnerable to segmentation fault on ctrl-c/ctrl-d when asked for PIN
* Add pam_pkcs11-CVE-2025-24032.patch
* Add pam_pkcs11-CVE-2025-24031.patch
* spec: set noarch for doc pkg, add %check section
- python-instance-billing-flavor-check
-
- Version 0.1.2 (bsc#1234444)
+ Improve detection of IPv4 and IPv6 network setup and use the appropriate
IP version to access the update servers
+ Improve reliability of flavor detection. Try an update server multiple
times to get an answer; if we hit timeouts, return the flavor
value from a cache file.
- Version 0.1.1 (bsc#1235991, bsc#1235992)
+ Add time stamp to log
- From version 0.1.0
+ Doc improvements clarifying exit status codes
- salt
-
- Revert setting SELinux context for minion service (bsc#1233667)
- Remove System V init support
- Make systemd the only supported init system by removing System V init
and insserv references
- Ensure package builds with no init system dependencies if built
without systemd (for example for use in containers)
- Apply some spec-cleaner suggestions (update copyright year, sort
requirements, adjust spacing)
Signed-off-by: Georg Pfuetzenreuter <georg.pfuetzenreuter@suse.com>
- Fix the condition of alternatives for Tumbleweed and Leap 16
- Use update-alternatives for salt-call and fix building on EL8
- Build all python bindings for all flavors
- Make minion reconnecting on changing master IP (bsc#1228182)
- Handle logger exception when flushing already closed file
- Include passlib as a recommended dependency
- Make Salt Bundle more tolerant to long running jobs (bsc#1228690)
- Fix additional x509 tests and test_suse tests for SLE12
- Added:
* enhance-cleanup-mechanism-after-salt-bundle-upgrade-.patch
* fix-x509-private-key-tests-and-test_suse-on-sle12-68.patch
* handle-logger-flushing-already-closed-file-686.patch
* revert-setting-selinux-context-for-minion-service-bs.patch
* make-minion-reconnecting-on-changing-master-ip-bsc-1.patch
- rsync
-
- Bump protocol version to 32 - make it easier to show server is patched.
* Add rsync-protocol-version-32.patch
- 000release-packages:sle-ha-release
-
n/a
- 000release-packages:sle-module-basesystem-release
-
n/a
- 000release-packages:sle-module-containers-release
-
n/a
- 000release-packages:sle-module-desktop-applications-release
-
n/a
- 000release-packages:sle-module-development-tools-release
-
n/a
- 000release-packages:sle-module-public-cloud-release
-
n/a
- 000release-packages:sle-module-sap-applications-release
-
n/a
- 000release-packages:sle-module-server-applications-release
-
n/a
- supportutils-plugin-ha-sap
-
- Update to version 0.0.7+git.1737125956.a7079fc:
* Call saphana-check.sh if the script is available in
/usr/lib/saphana-checks (SUSE package) or in
/opt/sap/saphana-checks (SAP package)
(jsc#PED-11748, jsc#PED-11747)
* to support 'trento checks' on supportutils content
collect additional information:
/usr/sap/hostctrl/exe/saphostctrl -function Ping
corosync-cmapctl -b
su - <SIDADM> -c disp+work
su - <SIDADM> -c 'sapcontrol -nr <NR> -function GetVersionInfo'
ls -lA --time-style=long-iso /etc/polkit-1/rules.d/[0-9][0-9]-SAP[A-Z][A-Z0-9][A-Z0-9]-[0-9][0-9].rules
content of files in /etc/products.d/
(jsc#PED-12000, jsc#PED-12001)
* collect Netweaver version by
'sapcontrol -nr <NR> -function GetVersionInfo'
* collect 'operation_mode' setting by
'python getParameter.py --key=global.ini/system_replication/operation_mode --sapcontrol=1'
* some shellcheck cleanup
* adaptation to the newly used supportconfig.rc
- change requirements
remove the long deprecated supportconfig-plugin-resource and
supportconfig-plugin-tag and add instead 'Requires: supportutils'
(bsc#1235145)
- tcsh
-
- Do not interfere Meta with Carriage Return (boo#1170527)
- Key-binding: support also other variants of terminals like xterm-256color
- wget
-
- If wget for an http URL is redirected to a different site (hostname
parts of URLs differ), then any "Authenticate" and "Cookie" header
entries are discarded.
[bsc#1185551, wget-do-not-propagate-credentials.patch,
bsc#1230795, CVE-2021-31879]
- zypper
-
- Let zypper dup fail in case of (temporarily) inaccessible repos
(bsc#1228434, bsc#1236939, fixes #446)
- version 1.14.84
- New system-architecture command (bsc#1236384)
Prints the detected system architecture.
- version 1.14.83
- requires: libzypp >= 17.36.0.
- Change versioncmp command to return exit code according to the
comparison result (#593)
- version 1.14.82
- lr: show the repositories keep-packages flag (bsc#1232458)
It is shown in the details view or by using -k,--keep-packages.
In addition, libzypp supports enforcing the keeping of downloaded
packages of all repos within a package cache by creating a
'.keep_packages' file there.
- version 1.14.81
- Try to refresh update repos first to have updated GPG keys on
the fly (bsc#1234752)
An update repo may contain a prolonged GPG key for the GA repo.
Refreshing the update repo first updates a trusted key on the fly
and avoids a 'key has expired' warning being issued when
refreshing the GA repo.
- Refresh: restore legacy behavior and suppress Exception
reporting as non-root (bsc#1235636)
- version 1.14.80