- 000release-packages:SLES_SAP-release
-
n/a
- cloud-netconfig
-
- Update to version 1.15
+ Add support for creating IPv6 default route in GCE (bsc#1240869)
+ Minor fix when looking up IPv6 default route
- kernel-default
-
- netfilter: conntrack: revisit the gc initial rescheduling bias
(CVE-2022-49110 bsc#1237981).
- commit 7e1d902
- netfilter: conntrack: fix the gc rescheduling delay
(CVE-2022-49110 bsc#1237981).
- commit 9cc8bdd
- netfilter: conntrack: revisit gc autotuning (CVE-2022-49110
bsc#1237981).
- commit da48bfa
- Bluetooth: fix null ptr deref on hci_sync_conn_complete_evt
(bsc#1238032 CVE-2022-49139).
- commit 2031355
- watch_queue: fix pipe accounting mismatch (CVE-2025-23138 bsc#1241648).
- commit 789ef85
- 9p/trans_fd: always use O_NONBLOCK read/write (CVE-2022-49767 bsc#1242493).
- commit 9dce75d
- Update
patches.suse/dm-crypt-add-cond_resched-to-dmcrypt_write-fb29.patch
(git-fixes CVE-2023-53051 bsc#1242284).
- commit 9098844
- x86/bhi: Do not set BHI_DIS_S in 32-bit mode (bsc#1242778).
- x86/bpf: Add IBHF call at end of classic BPF (bsc#1242778).
- x86/bpf: Call branch history clearing sequence on exit
(bsc#1242778).
- commit 636fe6a
- Update
patches.suse/can-etas_es58x-es58x_rx_err_msg-fix-memory-leak-in-e.patch
(git-fixes stable-5.14.19 CVE-2021-47671 bsc#1241421).
- commit 855e2af
- Update
patches.suse/cifs-fix-potential-null-pointer-use-in-destroy_workqueue-in-init_ci.patch
(git-fixes CVE-2024-42307 bsc#1229361).
- Update patches.suse/fou-fix-initialization-of-grc.patch
(CVE-2024-46763 bsc#1230764 CVE-2024-46865 bsc#1231103).
- commit 5bc8269
- Revert "exec: fix the racy usage of fs_struct->in_exec (CVE-2025-22029"
This reverts commit b68bd5953c15c3c2b21e60fbd6d8a52b0bbb030c.
This turned out to be not an issue. See https://bugzilla.suse.com/show_bug.cgi?id=1241378#c4
- commit d9d19c1
- exec: fix the racy usage of fs_struct->in_exec (CVE-2025-22029
bsc#1241378).
- commit b68bd59
- x86/mm: Fix flush_tlb_range() when used for zapping normal PMDs
(CVE-2025-22045 bsc#1241433).
- commit c4ca325
- memstick: rtsx_usb_ms: Fix slab-use-after-free in
rtsx_usb_ms_drv_remove (bsc#1241280 CVE-2025-22020).
- commit 0f74fae
- drm/vkms: Fix use after free and double free on init error
(CVE-2025-22097 bsc#1241541).
- commit 02fe040
- jfs: fix slab-out-of-bounds read in ea_get() (bsc#1241625
CVE-2025-39735).
- commit dfc1530
- fou: fix initialization of grc (CVE-2024-46763 bsc#1230764).
- commit 3a5d26f
- fou: Fix null-ptr-deref in GRO (CVE-2024-46763 bsc#1230764).
- commit 176d11e
- net: fix geneve_opt length integer overflow (CVE-2025-22055
bsc#1241371).
- commit 15ff527
- net: atm: fix use after free in lec_send() (CVE-2025-22004
bsc#1240835).
- commit 889e26f
- kABI workaround struct rcu_head and ax25_ptr (CVE-2025-21812
bsc#1238471).
- commit 1d6ea68
- ax25: rcu protect dev->ax25_ptr (CVE-2025-21812 bsc#1238471).
- Refresh patches.kabi/net-ax25_dev-kabi-workaround.patch.
- commit 88b5c8e
- Update patches.suse/Bluetooth-hci_conn-Fix-memory-leaks.patch
(git-fixes CVE-2023-53018 bsc#1240211).
- Update patches.suse/acpi-Fix-suspend-with-Xen-PV.patch
(git-fixes CVE-2023-52994 bsc#1240269).
- Update
patches.suse/bpf-Skip-invalid-kfunc-call-in-backtrack_insn.patch
(bsc#1225903 CVE-2023-52928 bsc#1240248).
- Update
patches.suse/bpf-sockmap-Check-for-any-of-tcp_bpf_prots-when-clon.patch
(git-fixes CVE-2023-52986 bsc#1240306).
- Update
patches.suse/dmaengine-tegra-Fix-memory-leak-in-terminate_all.patch
(git-fixes CVE-2023-53014 bsc#1240295).
- Update
patches.suse/drm-amdkfd-Add-sync-after-creating-vram-bo.patch
(bsc#1206843 CVE-2023-53009 bsc#1240314).
- Update
patches.suse/drm-drm_vma_manager-Add-drm_vma_node_allow_once.patch
(git-fixes CVE-2023-53001 bsc#1240315).
- Update
patches.suse/drm-i915-Avoid-potential-vm-use-after-free.patch
(git-fixes CVE-2023-52931 bsc#1240271).
- Update
patches.suse/drm-i915-Fix-a-memory-leak-with-reused-mmap_offset.patch
(git-fixes CVE-2023-53002 bsc#1240230).
- Update
patches.suse/drm-i915-Fix-request-ref-counting-during-error-captu.patch
(git-fixes CVE-2023-52981 bsc#1240274).
- Update patches.suse/fpga-m10bmc-sec-Fix-probe-rollback.patch
(git-fixes CVE-2022-49745 bsc#1240246).
- Update
patches.suse/fscache-Use-wait_on_bit-to-wait-for-the-freeing-of-re.patch
(bsc#1210409 CVE-2023-52982 bsc#1240214).
- Update
patches.suse/kernel-irq-irqdomain.c-fix-memory-leak-with-using-de.patch
(git-fixes CVE-2023-52936 bsc#1240321).
- Update
patches.suse/msft-hv-2746-HV-hv_balloon-fix-memory-leak-with-using-debugfs_loo.patch
(git-fixes CVE-2023-52937 bsc#1240209).
- Update
patches.suse/powerpc-imc-pmu-Fix-use-of-mutex-in-IRQs-disabled-se.patch
(bsc#1054914 fate#322448 git-fixes CVE-2023-53031 bsc#1240285).
- Update
patches.suse/usb-typec-ucsi-Don-t-attempt-to-resume-the-ports-bef.patch
(git-fixes CVE-2023-52938 bsc#1240228).
- commit 402c01c
- Update
patches.suse/fbdev-smscufx-fix-error-handling-code-in-ufx_usb_pro.patch
(git-fixes CVE-2022-49741 bsc#1240747).
- commit 0c9a431
- arm64: cacheinfo: Avoid out-of-bounds write to cacheinfo array (CVE-2025-21785 bsc#1238747)
- commit 2c96a9a
- netfilter: nf_tables: must hold rcu read lock while iterating
object type list (CVE-2022-48933 bsc#1229621).
- netfilter: nf_tables: skip transaction if update object is
not implemented (CVE-2022-48933 bsc#1229621).
- netfilter: nf_tables: NULL pointer dereference in
nf_tables_updobj() (CVE-2022-48933 bsc#1229621).
- commit 176015d
- netfilter: nf_tables: fix memory leak during stateful obj update
(CVE-2022-48933 bsc#1229621).
- commit e34cbe9
- netfilter: xtables: fix typo causing some targets not to load
on IPv6 (CVE-2024-50038 bsc#1231910).
- netfilter: xtables: avoid NFPROTO_UNSPEC where needed
(CVE-2024-50038 bsc#1231910).
- commit 9a939db
- vrf: use RCU protection in l3mdev_l3_out() (CVE-2025-21791
bsc#1238512).
- commit 50bbf71
- CIFS: New mount option for cifs.upcall namespace resolution
(CVE-2025-2312 bsc#1239684).
- commit 8fc41d8
- Delete
patches.suse/btrfs-defrag-don-t-use-merged-extent-map-for-their-generat.patch.
- Delete
patches.suse/btrfs-fix-defrag-not-merging-contiguous-extents-due-to-mer.patch.
- Delete
patches.suse/btrfs-fix-extent-map-merging-not-happening-for-adjacent-ex.patch.
Reverting ineffective changes for bsc#1239968 and closing it as WONTFIX.
- commit d7eeedb
- padata: avoid UAF for reorder_work (CVE-2025-21726 bsc#1238865).
- commit bfab8c2
- kABI: Fix kABI after backport od CVE-2025-21839 (bsc#1239061 CVE-2025-21839).
- commit 38fa6d3
- KVM: x86: Load DR6 with guest value only before entering .vcpu_run() loop (bsc#1239061 CVE-2025-21839).
- commit 325b428
- KVM: X86: Set host DR6 only on VMX and for KVM_DEBUGREG_WONT_EXIT (bsc#1239061 CVE-2025-21839).
- commit 8727046
- KVM: X86: Remove unneeded KVM_DEBUGREG_RELOAD (bsc#1239061 CVE-2025-21839).
- commit bbb1715
- crmsh
-
- Update to version 4.5.1+20250526.a9db5fe:
* Fix: report: Don't collect cib.txt separately (bsc#1243498)
- glib2
-
- Add glib2-CVE-2025-3360.patch:
Backport 8d60d7dc from upstream, Fix integer overflow when
parsing very long ISO8601 inputs. This will only happen with
invalid (or maliciously invalid) potential ISO8601 strings,
but `g_date_time_new_from_iso8601()` needs to be robust against
that.
(CVE-2025-3360, bsc#1240897)
- glibc
-
- static-setuid-ld-library-path.patch: elf: Ignore LD_LIBRARY_PATH and
debug env var for setuid for static (CVE-2025-4802, bsc#1243317)
- pthread-wakeup.patch: pthreads NPTL: lost wakeup fix 2 (bsc#1234128, BZ
[#25847])
- grub2
-
- Refresh PPC NVMEoF ofpath related patches to newer revision
* 0002-ieee1275-ofpath-enable-NVMeoF-logical-device-transla.patch
- Patch refreshed
* 0001-grub2-Set-multiple-device-path-for-a-nvmf-boot-devic.patch
- Patch obsoleted
* 0004-ofpath-controller-name-update.patch
- Fix segmentation fault error in grub2-probe with target=hints_string
(bsc#1235971) (bsc#1235958) (bsc#1239651)
* 0001-ofpath-Add-error-check-in-NVMEoF-device-translation.patch
- hwinfo
-
- merge gh#openSUSE/hwinfo#156
- fix network card detection on aarch64 (bsc#1240648)
- 21.88
- icewm
-
- Add icewm-translation-update.patch: Update the latest translation
from https://l10n.opensuse.org/projects/icewm/icewm-1-4-branch/.
- iputils
-
- Security fix [bsc#1242300, CVE-2025-47268]
* integer overflow in RTT calculation can lead to undefined behavior
* Add iputils-CVE-2025-47268.patch
- kbd
-
- Don't search for resources in the current directory. It can cause
unwanted side effects or even infinite loop (bsc#1237230,
kbd-ignore-working-directory-1.patch,
kbd-ignore-working-directory-2.patch,
kbd-ignore-working-directory-3.patch).
- kexec-tools
-
- add support for lockless ringbuffer (bsc#1241249)
- kexec-tools-Cleanup-remove-the-read_elf_kcore.patch
- kexec-tools-Fix-an-error-definition-about-the-variable-fname.patch
- kexec-tools-Cleanup-move-it-back-from-util_lib-elf_info.c.patch
- kexec-tools-printk-add-support-for-lockless-ringbuffer.patch
- resource-agents
-
- L3: fuser returning unexpected list of PIDs to Filesystem RA
(bsc#1241867) Apply upstream patch:
0001-Filesystem-fix-getting-the-wrong-block-device-when-d.patch
- L3: DB2 resource agent forcefully shuts down database, risking data loss — ref:_00D1igLOd._500TrYJM7l:ref
(bsc#1241692)
Add patch:
bsc-1241692.patch
- ncurses
-
- Modify patch ncurses-5.9-ibm327x.dif
* Backport sclp terminfo description entry if for s390 sclp terminal lines
* Add a further sclp entry for qemu s390 based systems
* Make use of dumb
- librdkafka
-
- 0001-Fix-timespec-conversion-to-avoid-infinite-loop-2108-.patch:
avoid endless loops (bsc#1242842)
- libsolv
-
- build both static and dynamic libraries on new suse distros
- support the apk package and repository format (both v2 and v3)
- new dataiterator_final_{repo,solvable} functions
- bump version to 0.7.32
- Provide a symbol specific for the ruby-version
so yast does not break across updates (boo#1235598)
- libzypp
-
- fixed build with boost 1.88.
- XmlReader: Fix detection of bad input streams (fixes #635)
libxml2 2.14 potentially reads the complete stream, so it may
have the 'eof' bit set. Which is not 'good' but also not 'bad'.
- rpm: Fix detection of %triggerscript starts (bsc#1222044)
- RepoindexFileReader: add more <repo> related attributes a
service may set.
Add optional attributes gpgcheck, repo_gpgcheck, pkg_gpgcheck,
keeppackages, gpgkey, mirrorlist, and metalink with the same
semantic as in a .repo file.
- version 17.36.7 (35)
- Drop workaround for broken rpm-4.18 in Code16 (bsc#1237172)
- BuildRequires: %{libsolv_devel_package} >= 0.7.32.
Code16 moved static libs to libsolv-devel-static.
- Drop usage of SHA1 hash algorithm because it will become
unavailable in FIPS mode (bsc#1240529)
- Fix zypp.conf dupAllowVendorChange to reflect the correct
default (false).
The default was true in Code12 (libzypp-16.x) and changed to
false with Code15 (libzypp-17.x). Unfortunately this was done by
shipping a modified zypp.conf file rather than fixing the code.
- zypp.conf: Add `lock_timeout` ($ZYPP_LOCK_TIMEOUT) (bsc#1239809)
- version 17.36.6 (35)
- Fix computation of RepStatus if Repo URLs change.
- Fix lost double slash when appending to an absolute FTP url
(bsc#1238315)
Ftp actually differs between absolute and relative URL paths.
Absolute path names begin with a double slash encoded as '/%2F'.
This must be preserved when manipulating the path.
- version 17.36.5 (35)
- Add a transaction package preloader (fixes openSUSE/zypper#104)
This patch adds a preloader that concurrently downloads files
during a transaction commit. It's not yet enabled per default.
To enable the preview set ZYPP_CURL2=1 and ZYPP_PCK_PRELOAD=1
in the environment.
- RpmPkgSigCheck_test: Exchange the test package signingkey
(fixes #622)
- Exclude MediaCurl tests if DISABLE_MEDIABACKEND_TESTS (fixes #626)
- Strip a mediahandler tag from baseUrl querystrings.
- version 17.36.4 (35)
- openssh
-
- Added openssh-bsc1241045-kexalgo-gt-256bits.patch (bsc#1241045)
from upstream, which allows KEX hashes greater than 256 bits.
Thanks to Ali Abdallah <ali.abdallah@suse.com>.
- Added openssh-cve-2025-32728.patch (bsc#1241012, CVE-2025-32728).
This fixes an upstream logic error handling the DisableForwarding
option.
- Update openssh-7.6p1-audit_race_condition.patch (bsc#1232533),
fixing failures with very large MOTDs. Thanks to Ali Abdallah
<ali.abdallah@suse.com>.
- Updated openssh-8.1p1-audit.patch (bsc#1228634) with modification
from Jaroslav Jindrak (jjindrak@suse.com) to fix the hostname
being left out of the audit output.
- python-pyzmq
-
- Prevent open files leak by closing sockets on timeout (bsc#1241624)
- Added:
* close-socket-on-timeout.patch
- python3-setuptools
-
- Add patch CVE-2025-47273.patch to fix A path traversal
vulnerability.
(bsc#1243313, CVE-2025-47273, gh#pypa/setuptools@250a6d17978f)
- python-cryptography
-
- Update vendor tarball to fix CVE-2025-3416 (bsc#1242631)
- rubygem-rack
-
- security update
- added patches
fix CVE-2025-32441 [bsc#1242899], Rack Session Reuse Vulnerability
+ rubygem-rack-CVE-2025-32441.patch
- security update
- added patches
fix CVE-2025-46727 [bsc#1242894], Unbounded-Parameter DoS in Rack:QueryParser
+ rubygem-rack-CVE-2025-46727.patch
- 000release-packages:sle-ha-release
-
n/a
- 000release-packages:sle-module-basesystem-release
-
n/a
- 000release-packages:sle-module-containers-release
-
n/a
- 000release-packages:sle-module-desktop-applications-release
-
n/a
- 000release-packages:sle-module-development-tools-release
-
n/a
- 000release-packages:sle-module-public-cloud-release
-
n/a
- 000release-packages:sle-module-sap-applications-release
-
n/a
- 000release-packages:sle-module-server-applications-release
-
n/a
- sysstat
-
- Remove cron dependency (bsc#1239297).
- Introduce systemd timers.
- Delete sysstat.cron.suse.
- xen
-
- bsc#1243117 - VUL-0: CVE-2024-28956: xen: Intel CPU: Indirect
Target Selection (ITS) (XSA-469)
xsa469-01.patch
xsa469-02.patch
xsa469-03.patch
xsa469-04.patch
xsa469-05.patch
xsa469-06.patch
xsa469-07.patch
- bsc#1238043 - VUL-0: CVE-2025-1713: xen: deadlock potential with
VT-d and legacy PCI device pass-through (XSA-467)
xsa467.patch
- bsc#1234282 - VUL-0: xen: XSA-466: Xen hypercall page unsafe
against speculative attacks
xsa466.patch
- zypper
-
- Updated translations (bsc#1230267)
- version 1.14.89
- Do not double encode URL strings passed on the commandline
(bsc#1237587)
URLs passed on the commandline must have their special chars
encoded already. We just want to check and encode forgotten
unsafe chars like a blank. A '%' however must not be encoded
again.
- version 1.14.88
- Package preloader that concurrently downloads files. It's not yet
enabled per default. To enable the preview set ZYPP_CURL2=1 and
ZYPP_PCK_PRELOAD=1 in the environment. (#104)
- BuildRequires: libzypp-devel >= 17.36.4.
- version 1.14.87
- refresh: add --include-all-archs (fixes #598)
Future multi-arch repos may allow to download only those metadata
which refer to packages actually compatible with the systems
architecture. Some tools however want zypp to provide the full
metadata of a repository without filtering incompatible
architectures.
- info,search: add option to search and list Enhances
(bsc#1237949)
- version 1.14.86