- 000release-packages:SLE_HPC-release
-
n/a
- cloud-netconfig
-
- Update to version 1.19
+ Make sure IPADDR variable is stripped of netmask
- Update to version 1.18
+ Fix issue with link-local address routing (bsc#1258730)
- Update to version 1.17
+ Do not set broadcast address explicitly (bsc#1258406)
- Update to version 1.16
+ Fix query of default CLOUD_NETCONFIG_MANAGE (bsc#1253223)
+ Fix variable names in the README
- curl
-
- Security fixes:
* CVE-2026-4873: connection reuse ignores TLS requirement (bsc#1262631)
* CVE-2026-5545: wrong reuse of HTTP Negotiate connection (bsc#1262632)
* CVE-2026-6253: proxy credentials leak over redirect-to proxy (bsc#1262635)
* CVE-2026-6276: stale custom cookie host causes cookie leak (bsc#1262636)
* CVE-2026-6429: netrc credential leak with reused proxy connection (bsc#1262638)
* sws: prevent "connection monitor" to say disconnect twice (bsc#1259362)
* Add patches:
- curl-CVE-2026-4873.patch
- curl-CVE-2026-5545.patch
- curl-CVE-2026-6253.patch
- curl-CVE-2026-6276.patch
- curl-CVE-2026-6429.patch
- curl-CVE-2026-1965-disable-ntlm-fix.patch
- dracut
-
- Update to version 055+suse.362.ge7032140:
* fix: make iso-scan trigger udev events (bsc#1261274)
- grub2
-
- Fix double free in xen booting if root filesystem is Btrfs (bsc#1259543)
* grub2-btrfs-01-add-ability-to-boot-from-subvolumes.patch
* grub2-btrfs-09-get-default-subvolume.patch
- kernel-default
-
- crypto: authencesn - Fix src offset when decrypting in-place
(bsc#1262573 CVE-2026-31431).
- commit eeb9840
- crypto: authencesn - Do not place hiseq at end of dst for
out-of-place decryption (bsc#1262573 CVE-2026-31431).
- commit b95e28f
- crypto: authenc - use memcpy_sglist() instead of null skcipher
(bsc#1262573 CVE-2026-31431).
- Refresh
patches.suse/crypto-authencesn-reject-too-short-AAD-assoclen-8-to.patch
- commit 5e2a8c3
- kABI: Restore af_alg_{count,pull}_tsgl() signatures (bsc#1262573
CVE-2026-31431).
- commit 4724a96
- crypto: algif_aead - Revert to operating out-of-place
(bsc#1262573 CVE-2026-31431).
- commit 28ccad7
- crypto: algif_aead - use memcpy_sglist() instead of null skcipher
(bsc#1262573 CVE-2026-31431).
- commit a10af2f
- crypto: scatterwalk - Fix memcpy_sglist() to always succeed
(bsc#1262573 CVE-2026-31431).
- commit 2dd8cc2
- crypto: scatterwalk - Add memcpy_sglist (bsc#1262573
CVE-2026-31431).
- commit 2f7dbcb
- watchdog/perf: properly initialize the turbo mode timestamp and rearm counter (bsc#1256504).
- commit 90b1596
- netfilter: xt_IDLETIMER: reject rev0 reuse of ALARM timer labels
(CVE-2026-23274 bsc#1260005).
- commit 523e0c7
- netfilter: nf_tables: unconditionally bump set->nelems before
insertion (CVE-2026-23272 bsc#1260009).
- commit 9195450
- Refresh
patches.suse/iommu-disable-SVA-when-CONFIG_X86-is-set.patch.
Move the condition check before iommu_group_get() to prevent
reference count leak.
- commit 46c4966
- RDMA/umad: Reject negative data_len in ib_umad_write (CVE-2026-23243 bsc#1259797)
- commit 58ab8fc
- Delete
patches.suse/scsi-qla2xxx-Perform-lockless-command-completion-in-abort-path.patch.
Commit 0367076b0817 ('scsi: qla2xxx: Perform lockless command
completion in abort path'), locally contained in patch
scsi-qla2xxx-Perform-lockless-command-completion-in-.patch,
has been reverted upstream by CVE-2025-68818 (see bsc#1256675).
Instead of committing a revert patch, just remove this patch.
- commit 8d16011
- Delete
patches.suse/scsi-qla2xxx-Perform-lockless-command-completion-in-abort-path.patch.
Commit 0367076b0817 ('scsi: qla2xxx: Perform lockless command
completion in abort path'), locally contained in patch
scsi-qla2xxx-Perform-lockless-command-completion-in-.patch,
has been reverted upstream by CVE-2025-68818 (see bsc#1256675).
Instead of committing a revert patch, just remove this patch.
- commit 05a58b7
- kABI fix for ipvlan: Make the addrs_lock be per port
(CVE-2026-23103 bsc#1257773).
- ipvlan: Make the addrs_lock be per port (CVE-2026-23103
bsc#1257773).
- commit d6cd4ec
- sched/rt: Fix race in push_rt_task (CVE-2025-38234 bsc#1246057)
- commit 3cdc4b6
- Use unified maintainers' email address
- commit 353ed49
- util-linux
-
- Recognize fuse "portal" as a virtual file system (boo#1234736,
util-linux-libmount-fuse-portal.patch).
- fdisk: Fix possible partition overlay and data corruption if EBR
gap is missing (boo#1222465,
util-linux-libfdisk-ebr-missing-gap-1.patch,
util-linux-tests-fdisk-ebr-missing-gap-1.patch,
util-linux-tests-fdisk-ebr-missing-gap-2.patch,
util-linux-libfdisk-ebr-missing-gap-2.patch,
util-linux-tests-fdisk-ebr-missing-gap-3.patch).
- opensm
-
- Add opensm-osm_port_info_rcv.c-Re-query-PortInfo-with-extended-speeds-enabled.patch to fix
issue with NDR switches (bsc#1258143)
- openssl-1_1
-
- Security fix:
* CVE-2026-28390: NULL pointer dereference during processing of a crafted
CMS EnvelopedData message with KeyTransportRecipientInfo (bsc#1261678)
* Add openssl-CVE-2026-28390.patch
- polkit
-
- avoid reading endless amounts of memory (CVE-2026-4897 bsc#1260859)
0001-CVE-2026-4897-getline-string-overflow.patch
- python3
-
- Add CVE-2026-6019-Morsel-js_output.patch, which protects against HTML
injection by Base64-encoding cookie values embedded in JS
(bsc#1262654, CVE-2026-6019, gh#python/cpython#90309).
- Add CVE-2026-1502-reject-CRLF-HTTP-tunnel.patch which rejects
CR/LF in HTTP tunnel request headers (bsc#1261969,
CVE-2026-1502, gh#python/cpython#146211).
- Add CVE-2026-4786-webbrowser-open-action.patch, which fixes
webbrowser %action substitution bypass of dash-prefix check
(bsc#1262319, CVE-2026-4786, gh#python/cpython#148169).
- Add CVE-2026-6100-use-after-free-decompression.patch preventing
a dangling pointer which can end in a use-after-free error
(CVE-2026-6100, bsc#1262098, gh#python/cpython#148395).
- Fix calling of sphinx build with non-standard Python
interpreter (including new patch sphinx-set-PYTHON.patch).
- Add CVE-2026-3446-base64-padding.patch preventing ignoring
excess Base64 data after the first padded quad (bsc#1261970,
CVE-2026-3446, gh#python/cpython#145264).
- Add CVE-2026-3479-pkgutil_get_data.patch: pkgutil.get_data() has
the same security model as open(). The documented limitations
ensure compatibility with non-filesystem loaders; Python
doesn't check that. (bsc#1259989, CVE-2026-3479,
gh#python/cpython#146121).
- Add CVE-2026-4519-webbrowser-open-dashes.patch to reject
leading dashes in webbrowser URLs (bsc#1260026, CVE-2026-4519,
gh#python/cpython#143930).
- Add CVE-2025-13462-tarinfo-header-parse.patch which skips
TarInfo DIRTYPE normalization during GNU long name handling
(bsc#1259611, CVE-2025-13462).
- Add CVE-2026-4224-expat-unbound-C-recursion.patch avoiding
unbound C recursion in conv_content_model in pyexpat.c
(bsc#1259735, CVE-2026-4224).
- Add CVE-2026-3644-cookies-Morsel-update-II.patch to reject
control characters in http.cookies.Morsel.update() and
http.cookies.BaseCookie.js_output (bsc#1259734, CVE-2026-3644).
- libssh
-
- CVE-2026-3731: Denial of Service via out-of-bounds read in SFTP extension name handler (bsc#1259377)
Added libssh-CVE-2026-3731.patch
- Security fixes:
* CVE-2026-0964: SCP Protocol Path Traversal in ssh_scp_pull_request() (bsc#1258049)
* CVE-2026-0965: Possible Denial of Service when parsing unexpected
configuration files (bsc#1258045)
* CVE-2026-0966: Buffer underflow in ssh_get_hexa() on invalid input (bsc#1258054)
* CVE-2026-0967: Specially crafted patterns could cause DoS (bsc#1258081)
* CVE-2026-0968: OOB Read in sftp_parse_longname() (bsc#1258080)
* Add patches:
- libssh-CVE-2026-0964-scp-Reject-invalid-paths-received-thro.patch
- libssh-CVE-2026-0965-config-Do-not-attempt-to-read-non-regu.patch
- libssh-CVE-2026-0966-misc-Avoid-heap-buffer-underflow-in-ss.patch
- libssh-CVE-2026-0966-tests-Test-coverage-for-ssh_get_hexa.patch
- libssh-CVE-2026-0966-doc-Update-guided-tour-to-use-SHA256-f.patch
- libssh-CVE-2026-0967-match-Avoid-recursive-matching-ReDoS.patch
- libssh-CVE-2026-0968-sftp-Sanitize-input-handling-in-sftp_p.patch
- mozilla-nss
-
- update to NSS 3.112.4
* bmo#2030135 - improve error handling in PK11_ImportPrivateKeyInfoAndReturnKey.
* bmo#2029752 - Improving the allocation of S/MIME DecryptSymKey.
* bmo#2029462 - store email on subject cache_entry in NSS trust domain.
* bmo#2029425 - Heap use-after-free in cert_VerifyCertChainOld via dangling certsList[] entry on NameConstraints violation.
* bmo#2029323 - Improve size calculations in CMS content buffering.
* bmo#2028001 - avoid integer overflow while escaping RFC822 Names.
* bmo#2027378 - Reject excessively large ASN.1 SEQUENCE OF in quickder.
* bmo#2027365 - Deep copy profile data in CERT_FindSMimeProfile.
* bmo#2027345 - Improve input validation in DSAU signature decoding.
* bmo#2026311 - avoid integer overflow in RSA_EMSAEncodePSS.
* bmo#2019357 - RSA_EMSAEncodePSS should validate the length of mHash.
* bmo#2026156 - Add a maximum cert uncompressed len and tests.
* bmo#2026089 - Clarify extension negotiation mechanism for TLS Handshakes.
* bmo#2023209 - ensure permittedSubtrees don't match wildcards that could be outside the permitted tree.
* bmo#2023207 - Fix integer underflow in tls13_AEAD when ciphertext is shorter than tag.
* bmo#2019224 - Remove invalid PORT_Free().
* bmo#1964722 - free digest objects in SEC_PKCS7DecoderFinish if they haven't already been freed.
* bmo#1935995 - make ss->ssl3.hs.cookie an owned-copy of the cookie.
- python-requests
-
- CVE-2026-25645: `extract_zipped_paths()` uses predictable filenames when extracting files from zip archives and reuses target files that already exist without validation (bsc#1260589)
Add patch CVE-2026-25645.patch
- sed
-
- Add CVE-2026-5958.patch
* Fix CVE-2026-5958 (bsc#1262144):
A TOCTOU race can allow reading attacker-controlled content and writing
it to an unintended file
- 000release-packages:sle-module-basesystem-release
-
n/a
- 000release-packages:sle-module-containers-release
-
n/a
- 000release-packages:sle-module-desktop-applications-release
-
n/a
- 000release-packages:sle-module-development-tools-release
-
n/a
- 000release-packages:sle-module-hpc-release
-
n/a
- 000release-packages:sle-module-public-cloud-release
-
n/a
- 000release-packages:sle-module-server-applications-release
-
n/a
- 000release-packages:sle-module-web-scripting-release
-
n/a
- util-linux-systemd
-
- Recognize fuse "portal" as a virtual file system (boo#1234736,
util-linux-libmount-fuse-portal.patch).
- fdisk: Fix possible partition overlay and data corruption if EBR
gap is missing (boo#1222465,
util-linux-libfdisk-ebr-missing-gap-1.patch,
util-linux-tests-fdisk-ebr-missing-gap-1.patch,
util-linux-tests-fdisk-ebr-missing-gap-2.patch,
util-linux-libfdisk-ebr-missing-gap-2.patch,
util-linux-tests-fdisk-ebr-missing-gap-3.patch).
- xen
-
- bsc#1262428 - VUL-0: CVE-2025-54505: xen: Floating Point Divider
State Sampling on AMD CPUs AMD-SN-7053 (XSA-488)
xsa488.patch
- bsc#1262178 - VUL-0: CVE-2026-23557: xen: Xenstored DoS via
XS_RESET_WATCHES command (XSA-484)
xsa484.patch
- bsc#1262180 - VUL-0: CVE-2026-23558: xen: grant table v2 race in
status page mapping (XSA-486)
xsa486.patch