sle-hpc-15-sp4-byos-v20260601-x86-64 Package Source Changes

000release-packages:SLE_HPC-release

n/a

kernel-default

- net: gro: don't merge zcopy skbs (git-fixes).
- net: skbuff: propagate shared-frag marker through frag-transfer
helpers (CVE-2026-43503 bsc#1265960).
- net: skbuff: preserve shared-frag marker during coalescing
(CVE-2026-46300 bsc#1265209).
- commit 9cbfbf9

- Revert "net: skbuff: propagate shared-frag marker through pskb_copy()"
This reverts commit 6efe0d21527e99384f2bf133c6f425539df0441e.
- commit 454d2dc

- Refresh
patches.suse/perf-Fix-__perf_event_overflow-vs-perf_remove_from_context.patch.
Fix ISO C90 warnings in previous submission
- commit 52955e7

- kernel-binary: Only apply vmlinux workaround on SLE15 and later
To create debuginfo for vmlinux the file needs to be present even if
it's not packaged because a compressed file is packaged insteand.
To accomplish that the file is marked as ghost in the file list. Then
rpm does not complain that the file exists but does not package it.
However, rpm still reserves space for ghost files when installing a
package. To avoid reserving space for a file that is not used the file
is truncated.
That works on SLE 15 but on SLE 12 rpm then fails packaging the
debuginfo complaiing that extra debuginfo files are present. Limit the
workaround to SLE 15 and later.
Fixes: 222edac2a18 (kernel-binary: prevent uncompressed vmlinux from inflating rpm size requirements)
- commit 1ef7451

- Update
patches.suse/net-rds-reset-op_nents-when-zerocopy-page-pin-fails.patch
(bsc#1265626 CVE-2026-43494).
- commit 8d04456

- Kernel-binary: Do not truncate vmlinux when it's the boot image
Some architectures use vmlinux to boot. Truncating vmlinux on those
architectures causes signing failure during build. Also if the signing
was disabled a brokne kernel would be produced.
Fixes: 222edac2a18 (kernel-binary: prevent uncompressed vmlinux from inflating rpm size requirements)
- commit d3cf603

- perf: Fix __perf_event_overflow() vs perf_remove_from_context()
race (bsc#1260018 CVE-2026-23271).
- commit 581183d

- kernel-binary: prevent uncompressed vmlinux from inflating rpm size requirements
define %__spec_install_post to truncate the uncompressed vmlinux
to 0 bytes after find-debuginfo.sh and brp-* scripts run. This prevents
rpmbuild from baking the %ghost file size into the FILESIZES
header, which can cause installation failures on smaller /boot partitions.
Fixes: bsc#1265456
- commit 222edac

- net/rds: reset op_nents when zerocopy page pin fails
(bsc#1265626 CVE-2026-43494).
- net/rds: reset op_nents when zerocopy page pin fails
(bsc#1265626).
- commit 7f316d0

gnutls

- Security fixes:
  * CVE-2026-33846: buffers: add more checks to DTLS reassembly (bsc#1263705)
  * CVE-2026-42009: lib/buffers: ensure packets have differing sequence numbers (bsc#1263708)
  * CVE-2026-33845: buffers: switch from end_offset over to frag_length (bsc#1263704)
  * CVE-2026-42010: lib/auth/rsa_psk: fix binary PSK identity lookup (bsc#1263709)
  * CVE-2026-3833: x509/name-constraints: compare domain names case-insensitive (bsc#1263707)
  * CVE-2026-42011: x509/name_constraints: fix intersecting empty constraints (bsc#1263710)
  * CVE-2026-42012: x509/hostname-verify: make URI/SRV SAN preclude CN fallback (bsc#1263711)
  * CVE-2026-42013: x509: prevent fallback on oversized SAN (bsc#1263712)
  * CVE-2026-42014: pkcs11_write: fix UAF and leak in gnutls_pkcs11_token_set_pin (bsc#1263713)
  * CVE-2026-42015: x509/pkcs12_bag: fix off-by-one in bag element bounds check (bsc#1263714)
  * CVE-2026-5260: lib/pkcs11_privkey: guard against overreading on short ciphertexts (bsc#1263715)
  * Add patches:
    gnutls-CVE-2026-33846.patch gnutls-CVE-2026-42009.patch
    gnutls-CVE-2026-33845.patch gnutls-CVE-2026-42010.patch
    gnutls-CVE-2026-3833.patch  gnutls-CVE-2026-42011.patch
    gnutls-CVE-2026-42012.patch gnutls-CVE-2026-42013.patch
    gnutls-CVE-2026-42014.patch gnutls-CVE-2026-5260.patch
    gnutls-CVE-2026-42015.patch

xz

- Fix buffer overflow in lzma_index_append (bsc#1261280, CVE-2026-34743)
  * CVE-2026-34743.patch
- Change SUSE-Public-Domain license to LicenseRef-SUSE-Public-Domain to
  fix rpmlint errors

libpng16

- added patches
  CVE-2026-34757: Information disclosure and data corruption via use-after-free vulnerability [bsc#1261957]
  * libpng16-CVE-2026-34757.patch

python-urllib3

- CVE-2026-44431: sensitive information disclosure due to sensitive
  headers being forwarded across origins in proxied low-level redirects
  (bsc#1265267)
  Add patch CVE-2026-44431.patch

rsync

- Security update:
  - bsc#1234100, CVE-2024-12084: Heap Buffer Overflow in Checksum Parsing
  - bsc#1234101, CVE-2024-12085: Info Leak via uninitialized Stack contents defeats ASLR
  - bsc#1234102, CVE-2024-12086: server leaks arbitrary client files
  - bsc#1234103, CVE-2024-12087: server can make client write files outside of destination directory using symbolic links
  - bsc#1234104, CVE-2024-12088: --safe-links bypass
  - bsc#1235475, CVE-2024-12747: Race Condition in rsync Handling Symbolic Links
  - bsc#1254441, CVE-2025-10158: Out of bounds array access via negative index
  - bsc#1262223, CVE-2026-41035: Count of entries mismatch can lead to a use-after-free
  - bsc#1264511, CVE-2026-29518: Symlink-Race TOCTOU in Daemon (use chroot = no)
  - bsc#1264515, CVE-2026-43617: Authorization Bypass via Hostname Resolution
  - bsc#1264512, CVE-2026-43618: Integer Overflow Information Disclosure
  - bsc#1264513, CVE-2026-43620: Out-of-Bounds Array Read via recv_files()
  - bsc#1265296, CVE-2026-45232: Off-by-one stack OOB write in HTTP CONNECT proxy response parsing
- With the big security update above-mentioned, we received a big amount of harderning
  patches that are pre-requisitoes that we added to this version:
  - rsync-hardening-0001-Fix-warning-about-conflicting-lseek-lseek64-prototyp.patch
  - rsync-hardening-0002-hlink-Fix-function-pointer-cast-in-qsort.patch
  - rsync-hardening-0003-bool-is-a-keyword-in-C23.patch
  - rsync-hardening-0004-Fix-warning-about-missing-bomb-.-prototype.patch
  - rsync-hardening-0005-CVE-2024-12084-Some-checksum-buffer-fixes.patch
    (replaces: rsync-CVE-2024-12084-overflow-01.patch)
  - rsync-hardening-0006-CVE-2024-12084-Another-cast-when-multiplying-integers.patch
    (replaces: rsync-CVE-2024-12084-overflow-02.patch)
  - rsync-hardening-0007-CVE-2024-12085-prevent-information-leak-off-the-stack.patch
    (replaces: rsync-CVE-2024-12085.patch)
  - rsync-hardening-0008-CVE-2024-12086-refuse-fuzzy-options-when-fuzzy-not-selected.patch
    (replaces: rsync-CVE-2024-12086_01.patch)
  - rsync-hardening-0009-added-secure_relative_open.patch
    (replaces: rsync-CVE-2024-12086_02.patch)
  - rsync-hardening-0010-receiver-use-secure_relative_open-for-basis-file.patch
    (replaces: rsync-CVE-2024-12086_03.patch)
  - rsync-hardening-0011-disallow-.-elements-in-relpath-for-secure_relative_o.patch
    (replaces: rsync-CVE-2024-12086_04.patch)
  - rsync-hardening-0012-CVE-2024-12087-Refuse-a-duplicate-dirlist.patch
    (replaces: rsync-CVE-2024-12087_01.patch)
  - rsync-hardening-0013-CVE-2024-12087-range-check-dir_ndx-before-use.patch
    (replaces:: rsync-CVE-2024-12087_02.patch)
  - rsync-hardening-0014-CVE-2024-12088-make-safe-links-stricter.patch
    (replaces: rsync-CVE-2024-12088.patch)
  - rsync-hardening-0015-CVE-2024-12747-fixed-symlink-race-condition-in-sender.patch
    (replaces: rsync-CVE-2024-12747.patch)
  - rsync-hardening-0016-syscall-fix-a-Y2038-bug-by-replacing-Int32x32To64-wi.patch
  - rsync-hardening-0017-options.c-Fix-segv-if-poptGetContext-returns-NULL.patch
  - rsync-hardening-0018-Using-a-correct-time-in-log-file.patch
  - rsync-hardening-0019-configure.ac-check-for-xattr-support-both-in-libc-an.patch
    (replaces: rsync-no-libattr.patch)
  - rsync-hardening-0020-util-fixed-issue-in-clean_fname.patch
  - rsync-hardening-0021-testsuite-added-clean-fname-underflow-test.patch
  - rsync-hardening-0022-CVE-2025-10158-fixed-an-invalid-access-to-files-array.patch
    (replaces: rsync-CVE-2025-10158.patch)
  - rsync-hardening-0023-fix-uninitialized-buf1-in-get_checksum2-MD4-path.patch
  - rsync-hardening-0024-reject-negative-token-values-in-compressed-stream-re.patch
  - rsync-hardening-0025-acl-fixed-ACL-ID-mapping-for-non-root.patch
  - rsync-hardening-0026-fix-uninitialized-mul_one-in-AVX2-checksum-and-add-S.patch
  - rsync-hardening-0027-Fix-glibc-2.43-constness-warnings.patch
  - rsync-hardening-0029-fix-signed-integer-overflow-in-proxy-protocol-v2-hea.patch
  - rsync-hardening-0030-zero-all-new-memory-from-allocations.patch
  - rsync-hardening-0031-CVE-2026-41035-xattrs-fixed-count-in-qsort.patch
  - rsync-hardening-0032-call-tzset-before-chroot-to-cache-timezone-data.patch
  - rsync-hardening-0033-testsuite-xattrs-ignore-SUNWattr_-in-the-Solaris-xls.patch
  - rsync-hardening-0037-CVE-2026-29518-syscall-clientserver-am_chrooted-and-use_secure_syml.patch
  - rsync-hardening-0038-CVE-2026-29518-sender-fix-read-path-TOCTOU-by-opening-from-module-r.patch
  - rsync-hardening-0044-CVE-2026-43618-token-harden-compressed-token-decoding-against-integ.patch
  - rsync-hardening-0045-CVE-2026-43618-testsuite-cover-refuse-options-compress-for-the-daem.patch
  - rsync-hardening-0046-CVE-2026-43620-receiver-add-parent_ndx-0-guard-mirroring-797e17f.patch
  - rsync-hardening-0047-CVE-2026-43617-clientserver-fix-hostname-ACL-bypass-when-using-daem.patch
  - rsync-hardening-0048-CVE-2026-43618-defence-in-depth-bound-wire-supplied-counts-and-leng.patch
  - rsync-hardening-0049-CVE-2026-43618-defence-in-depth-guard-cumulative-snprintf-against-l.patch
  - rsync-hardening-0050-CVE-2026-43620-defence-in-depth-receiver-block-index-bounds-read_de.patch
  - rsync-hardening-0052-exclude-fix-crashes-with-fortified-strlcpy.patch
    (replaces: rsync-fortified-strlcpy-fix.patch)
  - rsync-hardening-0053-testsuite-use-integer-sleep-in-clean-fname-underflow.patch
  - rsync-hardening-0055-popt-fix-poptDupArgv-strlcpy-size-argument.patch
  - rsync-hardening-0056-testsuite-fixes-for-3.2.7-backport.patch
  - rsync-hardening-0057-rsync.h-lower-MAX_WIRE_DEL_STAT-to-avoid-signed-int-.patch
  - rsync-hardening-0058-CVE-2026-45232-socket-reject-over-long-proxy-response-line.patch
  - rsync-hardening-0059-main-reject-hyphen-prefixed-remote-shell-hostnames.patch
  - rsync-hardening-0060-util1-handle-out-of-range-times-in-timestring.patch
- A few hardening patches were discarded, as the don't affect SUSE distributions:
  - rsync-hardening-0028-zlib-convert-K-R-function-definitions-to-ANSI-style
    (we don't bundle zlib, nothing to patch)
  - rsync-hardening-0051-CI-added-workflows-from-master-for-backport-testing
    (fixes CI Github Actions, not present in release tarballs)
  - rsync-hardening-0054-ci-update-RSYNC_EXPECT_SKIPPED-for-3.2.7-backport-ba
    (fixes CI Github Actions, not present in release tarballs)
- Rename rsync-fix-FLAG_GOT_DIR_FLIST.patch to rsync-fix-duplicate.patch to align codestreams.

- Security update (CVE-2026-41035, bsc#1262223): rsync: count of
  entries mismatch can lead to a use-after-free
  - Add rsync-CVE-2026-41035.patch

samba

- CVE-2026-4480: Fix Unauthenticated Remote Code Execution;
  (bso#16033); (bsc#1261161).
- CVE-2026-4408: Fix Remote Code Execution in SAMR;(bso#16034);
  (bsc#1261163).
- CVE-2026-3238: Fix unauthenticated udp packet crashes AD DC
  nbt server; (bso#16012); (bsc#1261160).
- CVE-2026-2340: vfs_worm does not block directory modification;
  (bso#15997); (bsc#1261158).

-  Fix pthreadpool_tevent race conditions accessing both
  pthreadpool_tevent.jobs list and pthreadpool_tevent.glue_list;
  (bsc#1252963), (bso#15958).

000release-packages:sle-module-basesystem-release

n/a

000release-packages:sle-module-containers-release

n/a

000release-packages:sle-module-desktop-applications-release

n/a

000release-packages:sle-module-development-tools-release

n/a

000release-packages:sle-module-hpc-release

n/a

000release-packages:sle-module-public-cloud-release

n/a

000release-packages:sle-module-server-applications-release

n/a

000release-packages:sle-module-web-scripting-release

n/a