- aaa_base
-
- Add patch git-51-fbf7ee9dc9cd970532a54eed6472d7f3b0e7f431.patch
* If a user switches the login shell respect the already set
PATH environment (bsc#1235481)
- add patch aaa_base-rc.status.patch (bsc#1236033)
(no git, file is gone in factory/tumbleweed)
update detection for systemd in rc.status, mountpoint for
cgroup changed with cgroup2, so just check if pid 1 is systemd
- apparmor
-
- Add dac_read_search capability for unix_chkpwd to allow it to read the shadow
file even if it has 000 permissions. This is needed after the CVE-2024-10041
fix in PAM.
* unix-chkpwd-add-read-capability.path, bsc#1241678
- Allow pam_unix to execute unix_chkpwd with abi/3.0
- remove dovecot-unix_chkpwd.diff
- Add allow-pam_unix-to-execute-unix_chkpwd.patch
- Add revert-abi-change-for-unix_chkpwd.patch
(bsc#1234452, bsc#1232234)
- augeas
-
- Add patch, fix for bsc#1239909 / CVE-2025-2588:
* CVE-2025-2588.patch
- ca-certificates-mozilla
-
- revert the distrusted certs for now. originally these only
distrust "new issued" certs starting after a certain date,
while old certs should still work. (bsc#1240343)
- remove-distrusted.patch: removed
- cifs-utils
-
- CVE-2025-2312: cifs-utils: cifs.upcall makes an upcall to the wrong
namespace in containerized environments while trying to get Kerberos
credentials (bsc#1239680)
* add New-mount-option-for-cifs.upcall-namespace-reso.patch
- cloud-netconfig
-
- Update to version 1.15
+ Add support for creating IPv6 default route in GCE (bsc#1240869)
+ Minor fix when looking up IPv6 default route
- cloud-regionsrv-client
-
- Update version to 10.4.0
+ Remove repositories when the package is being removed
We do not want to leave repositories behind referring to the plugin that
is being removed when the package gets removed (bsc#1240310, bsc#1240311)
+ Turn docker into an optional setup (jsc#PCT-560)
Change the Requires into a Recommends and adapt the code accordingly
+ Support flexible licenses in GCE (jsc#PCT-531)
+ Drop the azure-addon package it is getting replaced by the
license-watcher package which has a generic implementation of the
same functionality.
+ Handle cache inconsistencies (bsc#1218345)
+ Properly handle the zypper root target argument (bsc#1240997)
- containerd
-
- Update to containerd v1.7.27. Upstream release notes:
<https://github.com/containerd/containerd/releases/tag/v1.7.27>
bsc#1239749 CVE-2024-40635
- Rebase patches:
* 0001-BUILD-SLE12-revert-btrfs-depend-on-kernel-UAPI-inste.patch
- Update to containerd v1.7.26. Upstream release notes:
<https://github.com/containerd/containerd/releases/tag/v1.7.26>
- Rebase patches:
* 0001-BUILD-SLE12-revert-btrfs-depend-on-kernel-UAPI-inste.patch
- Update to containerd v1.7.25. Upstream release notes:
<https://github.com/containerd/containerd/releases/tag/v1.7.25>
<https://github.com/containerd/containerd/releases/tag/v1.7.24>
- Rebase patches:
* 0001-BUILD-SLE12-revert-btrfs-depend-on-kernel-UAPI-inste.patch
- lvm2
-
- LVM filter behaves unexpectedly for MPIO devices in SLES15SP5 (bsc#1216938)
* set lvm.conf devices.multipath_wwids_file=""
- glib2
-
- Add glib2-CVE-2025-3360.patch:
Backport 8d60d7dc from upstream, Fix integer overflow when
parsing very long ISO8601 inputs. This will only happen with
invalid (or maliciously invalid) potential ISO8601 strings,
but `g_date_time_new_from_iso8601()` needs to be robust against
that.
(CVE-2025-3360, bsc#1240897)
- glibc
-
- static-setuid-ld-library-path.patch: elf: Ignore LD_LIBRARY_PATH and
debug env var for setuid for static (CVE-2025-4802, bsc#1243317)
- Add support for userspace livepatching for ppc64le (jsc#PED-11850)
- pthread-wakeup.patch: pthreads NPTL: lost wakeup fix 2 (bsc#1234128, BZ
[#25847])
- Mark functions in libc_nonshared.a as hidden (bsc#1239883)
- Bump minimal kernel version to 4.3 to enable use of direct socketcalls
on x86-32 and s390x (bsc#1234713)
- google-guest-agent
-
- Update to version 20250506.01 (bsc#1243254, bsc#1243505)
* Make sure agent added connections are activated by NM (#534)
- from version 20250506.00
* wrap NSS cache refresh in a goroutine (#533)
- from version 20250502.01
* Wicked: Only reload interfaces for which configurations are written or changed. (#524)
- from version 20250502.00
* Add AuthorizedKeysCompat to windows packaging (#530)
* Remove error messages from gce_workload_cert_refresh and metadata script runner (#527)
* Update guest-logging-go dependency (#526)
* Add 'created-by' metadata, and pass it as option to logging library (#508)
* Revert "oslogin: Correctly handle newlines at the end of modified files (#520)" (#523)
* Re-enable disabled services if the core plugin was enabled (#522)
* Enable guest services on package upgrade (#519)
* oslogin: Correctly handle newlines at the end of modified files (#520)
* Fix core plugin path (#518)
* Fix package build issues (#517)
* Fix dependencies ran go mod tidy -v (#515)
* Fix debian build path (#514)
* Bundle compat metadata script runner binary in package (#513)
* Bump golang.org/x/net from 0.27.0 to 0.36.0 (#512)
* Update startup/shutdown services to launch compat manager (#503)
* Bundle new gce metadata script runner binary in agent package (#502)
* Revert "Revert bundling new binaries in the package (#509)" (#511)
- from version 20250418.00
* Re-enable disabled services if the core plugin was enabled (#521)
- from version 20250414.00
* Add AuthorizedKeysCompat to windows packaging (#530)
* Remove error messages from gce_workload_cert_refresh and metadata script runner (#527)
* Update guest-logging-go dependency (#526)
* Add 'created-by' metadata, and pass it as option to logging library (#508)
* Revert "oslogin: Correctly handle newlines at the end of modified files (#520)" (#523)
* Re-enable disabled services if the core plugin was enabled (#522)
* Enable guest services on package upgrade (#519)
* oslogin: Correctly handle newlines at the end of modified files (#520)
* Fix core plugin path (#518)
* Fix package build issues (#517)
* Fix dependencies ran go mod tidy -v (#515)
* Fix debian build path (#514)
* Bundle compat metadata script runner binary in package (#513)
* Bump golang.org/x/net from 0.27.0 to 0.36.0 (#512)
* Update startup/shutdown services to launch compat manager (#503)
* Bundle new gce metadata script runner binary in agent package (#502)
* Revert "Revert bundling new binaries in the package (#509)" (#511)
- grub2
-
- Fix CVE-2025-4382: TPM auto-decryption data exposure (bsc#1242971)
* 0001-kern-rescue_reader-Block-the-rescue-mode-until-the-C.patch
* 0002-commands-search-Introduce-the-cryptodisk-only-argume.patch
* 0003-disk-diskfilter-Introduce-the-cryptocheck-command.patch
* 0004-commands-search-Add-the-diskfilter-support.patch
* 0005-docs-Document-available-crypto-disks-checks.patch
* 0006-disk-cryptodisk-Add-the-erase-secrets-function.patch
* 0007-disk-cryptodisk-Wipe-the-passphrase-from-memory.patch
* 0008-cryptocheck-Add-quiet-option.patch
- patch rebased
* 0001-Improve-TPM-key-protection-on-boot-interruptions.patch
* 0004-Key-revocation-on-out-of-bound-file-access.patch
- patch refreshed
* 0002-Requiring-authentication-after-tpm-unlock-for-CLI-ac.patch
- Refresh PPC NVMEoF ofpath related patches to newer revision
* 0002-ieee1275-ofpath-enable-NVMeoF-logical-device-transla.patch
- Patch refreshed
* 0001-grub2-Set-multiple-device-path-for-a-nvmf-boot-devic.patch
- Patch obsoleted
* 0004-ofpath-controller-name-update.patch
* 0001-squash-ieee1275-ofpath-enable-NVMeoF-logical-device-.patch
- Fix segmentation fault error in grub2-probe with target=hints_string
(bsc#1235971) (bsc#1235958) (bsc#1239651)
* 0001-ofpath-Add-error-check-in-NVMEoF-device-translation.patch
- hwinfo
-
- merge gh#openSUSE/hwinfo#156
- fix network card detection on aarch64 (bsc#1240648)
- 21.88
- iproute2
-
- avoid spurious cgroup warning (bsc#1234383):
- ss-Tone-down-cgroup-path-resolution.patch
- iputils
-
- Security fix [bsc#1242300, CVE-2025-47268]
* integer overflow in RTT calculation can lead to undefined behavior
* Add iputils-CVE-2025-47268.patch
- kbd
-
- Don't search for resources in the current directory. It can cause
unwanted side effects or even infinite loop (bsc#1237230,
kbd-ignore-working-directory-1.patch,
kbd-ignore-working-directory-2.patch,
kbd-ignore-working-directory-3.patch).
- kernel-default
-
- dm: fix copying after src array boundaries (git-fixes).
- commit 10c16a9
- dm: add missing unlock on in dm_keyslot_evict() (git-fixes).
- commit a94a8c2
- codel: remove sch->q.qlen check before
qdisc_tree_reduce_backlog() (CVE-2025-37798 bsc#1242414).
- commit 8fb5816
- Update
patches.suse/net-smc-initialize-close_work-early-to-avoid-warning.patch
(CVE-2024-56641 bsc#1235526 bsc#1242985).
- commit d393a0f
- mptcp: fix NULL pointer in can_accept_new_subflow
(CVE-2025-23145 bsc#1242596).
- mptcp: relax check on MPC passive fallback (git-fixes).
- mptcp: refine opt_mp_capable determination (git-fixes).
- mptcp: use OPTION_MPTCP_MPJ_SYN in subflow_check_req()
(git-fixes).
- mptcp: use OPTION_MPTCP_MPJ_SYNACK in subflow_finish_connect()
(git-fixes CVE-2024-35840 bsc#1224597).
- mptcp: strict validation before using mp_opt->hmac (git-fixes).
- commit b0b581d
- mptcp: mptcp_parse_option() fix for MPTCPOPT_MP_JOIN
(git-fixes).
- blacklist.conf:
- remove the entry for commit be1d9d9d38da which was blacklisted as not
needed because of absence of this backport
- commit 07c39d4
- ax25: Remove broken autobind (CVE-2025-22109 bsc#1241573).
- commit 9a9abc7
- udp: Fix memory accounting leak (CVE-2025-22058 bsc#1241332).
- commit 6a0c03a
- perf: arm_cspmu: nvidia: monitor all ports by default (bsc#1242172)
- commit bf5ce56
- perf: arm_cspmu: nvidia: enable NVLINK-C2C port filtering (bsc#1242172)
- commit d976f98
- perf: arm_cspmu: nvidia: fix sysfs path in the kernel doc (bsc#1242172)
- commit bcf5e61
- perf: arm_cspmu: nvidia: remove unsupported SCF events (bsc#1242172)
- commit 4647012
- x86/ibt: Keep IBT disabled during alternative patching (bsc#1242006 CVE-2024-28956).
- commit fac02ba
- x86/its: Align RETs in BHB clear sequence to avoid thunking (bsc#1242006 CVE-2024-28956).
- commit 909407f
- x86/its: Add support for RSB stuffing mitigation (bsc#1242006 CVE-2024-28956).
- commit 42d05af
- x86/its: Add "vmexit" option to skip mitigation on some CPUs (bsc#1242006 CVE-2024-28956).
- commit cefce67
- x86/its: Enable Indirect Target Selection mitigation (bsc#1242006 CVE-2024-28956).
- commit 6720dce
- x86/its: Add support for ITS-safe return thunk (bsc#1242006 CVE-2024-28956).
- commit b904ebb
- watch_queue: fix pipe accounting mismatch (CVE-2025-23138 bsc#1241648).
- commit 53d2fbb
- x86/its: Add support for ITS-safe indirect thunk (bsc#1242006 CVE-2024-28956).
- commit 73d0713
- x86/its: Enumerate Indirect Target Selection (ITS) bug (bsc#1242006 CVE-2024-28956).
- commit 0ceddfb
- Documentation: x86/bugs/its: Add ITS documentation (bsc#1242006 CVE-2024-28956).
- commit 8fd974a
- vmxnet3: Fix malformed packet sizing in vmxnet3_process_xdp
(CVE-2025-37799 bsc#1242283).
- commit f53c65a
- btrfs: always fallback to buffered write if the inode requires
checksum (bsc#1242831 bsc#1242710).
- commit fd92bec
- x86/bhi: Do not set BHI_DIS_S in 32-bit mode (bsc#1242778).
- x86/bpf: Add IBHF call at end of classic BPF (bsc#1242778).
- x86/bpf: Call branch history clearing sequence on exit
(bsc#1242778).
- commit 7613146
- jbd2: increase IO priority for writing revoke records
(bsc#1242332).
- commit a27757f
- Bluetooth: btnxpuart: Fix kernel panic during FW release
(bsc#1241456 CVE-2025-22102).
- commit 9e6b312
- Bluetooth: btnxpuart: Remove check for CTS low after FW download
(bsc#1241456 CVE-2025-22102).
- commit 43b7feb
- firmware: arm_ffa: Skip Rx buffer ownership release if not
acquired (git-fixes).
- firmware: arm_scmi: Balance device refcount when destroying
devices (git-fixes).
- commit e6126fe
- ext4: goto right label 'out_mmap_sem' in ext4_setattr()
(bsc#1242556).
- commit f73dc04
- mm: fix filemap_get_folios_contig returning batches of identical
folios (bsc#1242327).
- commit ab60c72
- mm: fix error handling in __filemap_get_folio() with FGP_NOWAIT
(bsc#1242326).
- commit eefd306
- mm/readahead: fix large folio support in async readahead
(bsc#1242321).
- commit ca8ae9b
- mm: fix oops when filemap_map_pmd() without prealloc_pte
(bsc#1242546).
- commit d84ed9f
- udf: Fix inode_getblk() return value (bsc#1242313).
- commit 083cf55
- udf: Verify inode link counts before performing rename
(bsc#1242314).
- commit 8e7cda1
- udf: Skip parent dir link count update if corrupted
(bsc#1242315).
- commit 94318f0
- ext4: fix FS_IOC_GETFSMAP handling (bsc#1240557).
- commit 531b964
- ext4: make block validity check resistent to sb bh corruption
(bsc#1242348).
- commit 12e4947
- ext4: don't treat fhandle lookup of ea_inode as FS corruption
(bsc#1242347).
- commit 3337bde
- jbd2: add a missing data flush during file and fs
synchronization (bsc#1242346).
- commit 0ebdf6c
- ext4: don't over-report free space or inodes in statvfs
(bsc#1242345).
- commit c197ee4
- jbd2: fix off-by-one while erasing journal (bsc#1242344).
- commit 362ca97
- jbd2: remove wrong sb->s_sequence check (bsc#1242343).
- commit b288b9a
- ext4: add missing brelse() for bh2 in ext4_dx_add_entry()
(bsc#1242342).
- commit 8643d9f
- ext4: protect ext4_release_dquot against freezing (bsc#1242335).
- commit 532c985
- jbd2: flush filesystem device before updating tail sequence
(bsc#1242333).
- commit 79495ff
- ext4: partial zero eof block on unaligned inode size extension
(bsc#1242336).
- commit 992adfb
- ext4: correct encrypted dentry name hash when not casefolded
(bsc#1242540).
- commit 71bfc00
- ext4: treat end of range as exclusive in ext4_zero_range()
(bsc#1242539).
- commit 8950964
- ext4: unify the type of flexbg_size to unsigned int
(bsc#1242538).
Refresh: patches.suse/ext4-avoid-online-resizing-failures-due-to-oversized.patch
- commit 9b599f9
- jbd2: increase the journal IO's priority (bsc#1242537).
- commit 65fd6c7
- ext4: replace the traditional ternary conditional operator
with with max()/min() (bsc#1242536).
Refresh patches.suse/ext4-move-setting-of-trimmed-bit-into-ext4_try_to_tr.patch
Refresh patches.suse/ext4-fix-inconsistent-between-segment-fstrim-and-ful.patch
- commit 9de0d03
- splice: remove duplicate noinline from pipe_clear_nowait
(bsc#1242328).
- commit 8a9c110
- fs: consistently deref the files table with
rcu_dereference_raw() (bsc#1242535).
- commit 0f7e4fb
- fs: support relative paths with FSCONFIG_SET_STRING (git-fixes).
- commit 51930da
- vfs: don't mod negative dentry count when on shrinker list
(bsc#1242534).
- commit 25c9c4a
- fs: better handle deep ancestor chains in is_subdir()
(bsc#1242528).
Refresh patches.suse/dcache-keep-dentry_hashtable-or-d_hash_shift-even-when-not.patch
- commit 42bc37f
- fs: don't allow non-init s_user_ns for filesystems without
FS_USERNS_MOUNT (bsc#1242526).
- commit 08659e8
- isofs: fix KMSAN uninit-value bug in do_isofs_readdir()
(bsc#1242307).
- commit 08eabe6
- Update
patches.suse/OPP-add-index-check-to-assert-to-avoid-buffer-overfl.patch
(bsc#1238961 CVE-2024-57998 bsc#1238527).
- Update
patches.suse/PCI-ASPM-Fix-link-state-exit-during-switch-upstream-.patch
(git-fixes CVE-2024-58093 bsc#1241347).
- Update
patches.suse/RDMA-erdma-Prevent-use-after-free-in-erdma_accept_ne.patch
(git-fixes CVE-2025-22088 bsc#1241528).
- Update
patches.suse/RDMA-mlx5-Fix-mlx5_poll_one-cur_qp-update-flow.patch
(git-fixes CVE-2025-22086 bsc#1241458).
- Update
patches.suse/acpi-nfit-fix-narrowing-conversion-in-acpi_nfit_ctl.patch
(git-fixes CVE-2025-22044 bsc#1241424).
- Update
patches.suse/arm64-Don-t-call-NULL-in-do_compat_alignment_fixup.patch
(git-fixes CVE-2025-22033 bsc#1241436).
- Update
patches.suse/bnxt_en-Mask-the-bd_cnt-field-in-the-TX-BD-properly.patch
(git-fixes CVE-2025-22108 bsc#1241574).
- Update
patches.suse/bpf-avoid-holding-freeze_mutex-during-mmap-operation.patch
(git-fixes CVE-2025-21853 bsc#1239476).
- Update
patches.suse/dlm-prevent-NPD-when-writing-a-positive-value-to-event_done.patch
(git-fixes CVE-2025-23131 bsc#1241601).
- Update
patches.suse/drm-amd-display-avoid-NPD-when-ASIC-does-not-support.patch
(git-fixes CVE-2025-22093 bsc#1241545).
- Update
patches.suse/drm-vkms-Fix-use-after-free-and-double-free-on-init-.patch
(git-fixes CVE-2025-22097 bsc#1241541).
- Update patches.suse/fou-fix-initialization-of-grc.patch
(CVE-2024-46763 bsc#1230764 CVE-2024-46865 bsc#1231103).
- Update
patches.suse/idpf-check-error-for-register_netdev-on-init.patch
(git-fixes CVE-2025-22116 bsc#1241459).
- Update
patches.suse/idpf-fix-adapter-NULL-pointer-dereference-on-reboot.patch
(git-fixes CVE-2025-22065 bsc#1241333).
- Update
patches.suse/jfs-add-check-read-only-before-truncation-in-jfs_truncate_nolock.patch
(git-fixes CVE-2024-58094 bsc#1241443).
- Update
patches.suse/jfs-add-check-read-only-before-txBeginAnon-call.patch
(git-fixes CVE-2024-58095 bsc#1241442).
- Update
patches.suse/media-streamzap-fix-race-between-device-disconnectio.patch
(git-fixes CVE-2025-22027 bsc#1241369).
- Update
patches.suse/net-Add-rx_skb-of-kfree_skb-to-raw_tp_null_args.patch
(bsc#1235501 CVE-2024-56702 CVE-2025-21852 bsc#1239487).
- Update
patches.suse/netfilter-br_netfilter-skip-conntrack-input-hook-for.patch
(CVE-2024-27415 bsc#1224757 CVE-2024-27018 bsc#1223809).
- Update
patches.suse/nfsd-put-dl_stid-if-fail-to-queue-dl_recall.patch
(git-fixes CVE-2025-22025 bsc#1241361).
- Update
patches.suse/ntb_hw_switchtec-Fix-shift-out-of-bounds-in-switchte.patch
(git-fixes CVE-2023-53034 bsc#1241341).
- Update
patches.suse/ocfs2-handle-a-symlink-read-error-correctly.patch
(git-fixes CVE-2024-58001 bsc#1239079).
- Update
patches.suse/rtnetlink-Allocate-vfinfo-size-for-VF-GUIDs-when-sup.patch
(bsc#1224013 CVE-2025-22075 bsc#1241402).
- Update
patches.suse/sctp-add-mutual-exclusion-in-proc_sctp_do_udp_port.patch
(git-fixes CVE-2025-22062 bsc#1241412).
- Update
patches.suse/tcp-fix-mptcp-DSS-corruption-due-to-large-pmtu-xmit.patch
(git-fixes CVE-2024-50083 bsc#1232493).
- Update
patches.suse/thermal-int340x-Add-NULL-check-for-adev.patch
(git-fixes CVE-2025-23136 bsc#1241357).
- Update patches.suse/usbnet-fix-NPE-during-rx_complete.patch
(git-fixes CVE-2025-22050 bsc#1241441).
- Update
patches.suse/wifi-ath11k-Clear-affinity-hint-before-calling-ath11.patch
(git-fixes CVE-2025-23129 bsc#1241599).
- Update
patches.suse/wifi-ath11k-add-srng-lock-for-ath11k_hal_srng_-in-mo.patch
(git-fixes CVE-2024-58096 bsc#1241344).
- Update
patches.suse/wifi-ath11k-fix-RCU-stall-while-reaping-monitor-dest.patch
(git-fixes CVE-2024-58097 bsc#1241343).
- Update
patches.suse/wifi-ath12k-Clear-affinity-hint-before-calling-ath12.patch
(git-fixes CVE-2025-22128 bsc#1241598).
- commit a961a1a
- cifs: Fix integer overflow while processing actimeo mount option
(git-fixes).
- commit 747d942
- iommu: Fix two issues in iommu_copy_struct_from_user()
(git-fixes).
- commit 7b79fa9
- cifs: Fix integer overflow while processing acdirmax mount
option (CVE-2025-21963 bsc#1240717).
- commit 5907e46
- cifs: Fix integer overflow while processing acregmax mount
option (CVE-2025-21964 bsc#1240740).
- commit a723b7b
- cifs: Fix integer overflow while processing closetimeo mount
option (CVE-2025-21962 bsc#1240655).
- commit 03a43b4
- mptcp: consolidate suboption status (CVE-2025-21707
bsc#1238862).
- commit 18d9efe
- powerpc: Don't use --- in kernel logs (git-fixes).
- commit df3b280
- tools/hv: update route parsing in kvp daemon (git-fixes).
- commit 2e81126
- bpf: Fix bpf_sk_select_reuseport() memory leak (bsc#1236704
CVE-2025-21683).
- commit e163503
- i2c: imx-lpi2c: Fix clock count when probe defers (git-fixes).
- ASoC: soc-pcm: Fix hw_params() and DAPM widget sequence
(git-fixes).
- ALSA: hda/realtek: Fix built-mic regression on other ASUS models
(git-fixes).
- ALSA: hda/realtek - Enable speaker for HP platform (git-fixes).
- commit 5b6152a
- spi: tegra114: Don't fail set_cs_timing when delays are zero
(git-fixes).
- drm/i915/pxp: fix undefined reference to
`intel_pxp_gsccs_is_ready_for_sessions' (git-fixes).
- drm: Select DRM_KMS_HELPER from DRM_DEBUG_DP_MST_TOPOLOGY_REFS
(git-fixes).
- drm/fdinfo: Protect against driver unbind (git-fixes).
- drm/nouveau: Fix WARN_ON in nouveau_fence_context_kill()
(git-fixes).
- drm/amd/display: Force full update in gpu reset (stable-fixes).
- ata: libata-scsi: Improve CDL control (git-fixes).
- ata: libata-scsi: Fix ata_msense_control_ata_feature()
(git-fixes).
- ata: libata-scsi: Fix ata_mselect_control_ata_feature() return
type (git-fixes).
- USB: serial: simple: add OWON HDS200 series oscilloscope support
(stable-fixes).
- USB: serial: ftdi_sio: add support for Abacus Electrics Optical
Probe (stable-fixes).
- USB: serial: option: add Sierra Wireless EM9291 (stable-fixes).
- usb: quirks: Add delay init quirk for SanDisk 3.2Gen1 Flash
Drive (stable-fixes).
- USB: VLI disk crashes if LPM is used (stable-fixes).
- USB: storage: quirk for ADATA Portable HDD CH94 (stable-fixes).
- usb: quirks: add DELAY_INIT quirk for Silicon Motion Flash Drive
(stable-fixes).
- USB: OHCI: Add quirk for LS7A OHCI controller (rev 0x02)
(stable-fixes).
- mei: me: add panther lake H DID (stable-fixes).
- spi: tegra210-quad: add rate limiting and simplify timeout
error message (stable-fixes).
- spi: tegra210-quad: use WARN_ON_ONCE instead of WARN_ON for
timeouts (stable-fixes).
- ACPI: EC: Set ec_no_wakeup for Lenovo Go S (stable-fixes).
- ACPI PPTT: Fix coding mistakes in a couple of sizeof() calls
(stable-fixes).
- ntb_hw_amd: Add NTB PCI ID for new gen CPU (stable-fixes).
- ntb: reduce stack usage in idt_scan_mws (stable-fixes).
- rtc: pcf85063: do a SW reset if POR failed (stable-fixes).
- thunderbolt: Scan retimers after device router has been
enumerated (stable-fixes).
- usb: host: xhci-plat: mvebu: use ->quirks instead of ->init_quirk() func (stable-fixes).
- usb: gadget: aspeed: Add NULL pointer check in
ast_vhub_init_dev() (stable-fixes).
- usb: dwc3: gadget: Avoid using reserved endpoints on Intel
Merrifield (stable-fixes).
- usb: dwc3: gadget: Refactor loop to avoid NULL endpoints
(stable-fixes).
- usb: host: max3421-hcd: Add missing spi_device_id table
(stable-fixes).
- sound/virtio: Fix cancel_sync warnings on uninitialized
work_structs (stable-fixes).
- dmaengine: dmatest: Fix dmatest waiting less when interrupted
(stable-fixes).
- iio: adc: ad7768-1: Fix conversion result sign (git-fixes).
- iio: adc: ad7768-1: Move setting of val a bit later to avoid
unnecessary return value check (stable-fixes).
- pinctrl: renesas: rza2: Fix potential NULL pointer dereference
(stable-fixes).
- crypto: ccp - Add support for PCI device 0x1134 (stable-fixes).
- auxdisplay: hd44780: Fix an API misuse in hd44780.c (git-fixes).
- auxdisplay: hd44780: Convert to platform remove callback
returning void (stable-fixes).
- commit fe3cf03
- net: dsa: sja1105: fix kasan out-of-bounds warning in sja1105_table_delete_entry() (CVE-2025-22107 bsc#1241575)
- commit 673084b
- ibmvnic: Use kernel helpers for hex dumps (CVE-2025-22104 bsc#1241550)
- commit 44ef4eb
- dm: always update the array size in realloc_argv on success
(git-fixes).
- commit 80e573b
- dm-bufio: don't schedule in atomic context (git-fixes).
- commit 59b9988
- dm-ebs: fix prefetch-vs-suspend race (git-fixes).
- commit 89effad
- dm-verity: fix prefetch-vs-suspend race (git-fixes).
- commit 6899d31
- dm-integrity: set ti->error on memory allocation failure
(git-fixes).
- commit 3c1b2c7
- netfilter: nf_tables: don't unregister hook when table is
dormant (CVE-2025-22064 bsc#1241413).
- commit 3c82332
- net: ipv6: fix UDPv6 GSO segmentation with NAT (git-fixes).
- commit a110462
- net_sched: qfq: Fix double list add in class with netem as
child qdisc (git-fixes).
- commit 8e1bbd0
- net_sched: ets: Fix double list add in class with netem as
child qdisc (git-fixes).
- commit 2e9fa99
- net_sched: hfsc: Fix a UAF vulnerability in class with netem
as child qdisc (git-fixes).
- commit 3f5a489
- net_sched: drr: Fix double list add in class with netem as
child qdisc (git-fixes).
- commit 4947830
- ax25: Fix refcount leak caused by setting SO_BINDTODEVICE
sockopt (CVE-2025-21792 bsc#1238745).
- commit 2ffce83
- ipv6: mcast: add RCU protection to mld_newpack() (CVE-2025-21758
bsc#1238737).
- commit 4b8b3e5
- Bluetooth: btusb: avoid NULL pointer dereference in
skb_dequeue() (git-fixes).
- wifi: brcm80211: fmac: Add error handling for
brcmf_usb_dl_writeimage() (git-fixes).
- wifi: plfxlc: Remove erroneous assert in plfxlc_mac_release
(git-fixes).
- commit 470cfc0
- net: ipv6: fix dst ref loops in rpl, seg6 and ioam6 lwtunnels
(CVE-2025-21768 bsc#1238714).
- commit ed713b9
- kABI workaround struct rcu_head and ax25_ptr (CVE-2025-21812
bsc#1238471).
- commit 714a2d7
- btrfs: fix block group refcount race in
btrfs_create_pending_block_groups() (bsc#1241578
CVE-2025-22115).
- commit 1f7a10d
- Refresh
patches.kabi/kabi-fix-for-bpf-Prevent-tailcall-infinite-loop-caus.patch.
Piggyback kABI workaround for "struct bpf_subprog_info" for upstream
commit 51081a3f25c7 "bpf: track changes_pkt_data property for global
functions".
- commit bf7c4bc
- Add missing bugzilla references (CVE-2025-22105 bsc#1241548 CVE-2025-37860 bsc#1241452)
- commit 00ec2e2
- atm: Fix NULL pointer dereference (CVE-2025-22018 bsc#1241266)
- commit 8ef48c7
- bpf: bpf_local_storage: Always use bpf_mem_alloc in PREEMPT_RT (CVE-2024-58070 bsc#1238983)
- commit 335e132
- iommu/vt-d: Avoid use of NULL after WARN_ON_ONCE (CVE-2025-21833, bsc#1239108).
- commit 069abee
- sfc: fix NULL dereferences in ef100_process_design_param()
(CVE-2025-37860).
- net: mvpp2: Prevent parser TCAM memory corruption
(CVE-2025-22060 bsc#1241526).
- bonding: check xdp prog when set bond mode (CVE-2025-22105).
- bonding: return detailed error when loading native XDP fails
(CVE-2025-22105).
- commit 1110c2d
- ALSA: ump: Fix buffer overflow at UMP SysEx message conversion
(bsc#1242044).
- commit 43160c9
- Correct the upstream version numbers in the previous patches
- commit 6f72baf
- mmc: renesas_sdhi: Fix error handling in renesas_sdhi_probe
(git-fixes).
- platform/x86/intel-uncore-freq: Fix missing uncore sysfs during
CPU hotplug (git-fixes).
- commit f912ebf
- Require zstd in kernel-default-devel when module compression is zstd
To use ksym-provides tool modules need to be uncompressed.
Without zstd at least kernel-default-base does not have provides.
Link: https://github.com/openSUSE/rpm-config-SUSE/pull/82
- commit a3262dd
- net: ibmveth: make veth_pool_store stop hanging (CVE-2025-22053
bsc#1241373).
- commit 509c07e
- powerpc/boot: Fix dash warning (bsc#1215199).
- commit aeb4455
- exec: fix the racy usage of fs_struct->in_exec (CVE-2025-22029
bsc#1241378).
- commit f780e88
- x86/mm: Fix flush_tlb_range() when used for zapping normal PMDs
(CVE-2025-22045 bsc#1241433).
- commit 1e24dab
- powerpc/boot: Check for ld-option support (bsc#1215199).
- commit 333e1e5
- selftests/bpf: extend changes_pkt_data with cases w/o
subprograms (bsc#1241590).
- bpf: fix null dereference when computing changes_pkt_data of
prog w/o subprogs (bsc#1241590).
- selftests/bpf: validate that tail call invalidates packet
pointers (bsc#1241590).
- bpf: consider that tail calls invalidate packet pointers
(bsc#1241590).
- selftests/bpf: freplace tests for tracking of
changes_packet_data (bsc#1241590).
- bpf: check changes_pkt_data property for extension programs
(bsc#1241590).
- Refresh patches.kabi/kabi-fix-for-bpf-Prevent-tailcall-infinite-loop-caus.patch
- selftests/bpf: test for changing packet data from global
functions (bsc#1241590).
- bpf: track changes_pkt_data property for global functions
(bsc#1241590).
- bpf: refactor bpf_helper_changes_pkt_data to use helper number
(bsc#1241590).
- bpf: add find_containing_subprog() utility function
(bsc#1241590).
- commit e531d2b
- Update
patches.suse/memstick-rtsx_usb_ms-Fix-slab-use-after-free-in-rtsx.patch
(bsc#1241280 CVE-2025-22020).
Added CVE reference
- commit 80d99d3
- Fixup breakage in ext2 introduced by backporting in:
patches.suse/ext2-Avoid-reading-renamed-directory-if-parent-does-.patch.
- commit b7c808a
- cxgb4: fix memory leak in cxgb4_init_ethtool_filters() error
path (git-fixes).
- eth: bnxt: fix missing ring index trim on error path
(git-fixes).
- igc: add lock preventing multiple simultaneous PTM transactions
(git-fixes).
- igc: cleanup PTP module if probe fails (git-fixes).
- igc: handle the IGC_PTP_ENABLED flag correctly (git-fixes).
- igc: move ktime snapshot into PTM retry loop (git-fixes).
- igc: increase wait time before retrying PTM (git-fixes).
- igc: fix PTM cycle trigger logic (git-fixes).
- idpf: fix adapter NULL pointer dereference on reboot
(git-fixes).
- e1000e: change k1 configuration on MTP and later platforms
(git-fixes).
- gve: handle overflow when reporting TX consumed descriptors
(git-fixes).
- net/mlx5e: SHAMPO, Make reserved size independent of page size
(git-fixes).
- vdpa/mlx5: Fix oversized null mkey longer than 32bit
(git-fixes).
- idpf: check error for register_netdev() on init (git-fixes).
- ice: stop truncating queue ids when checking (git-fixes).
- virtchnl: make proto and filter action count unsigned
(git-fixes).
- ice: fix reservation of resources for RDMA when disabled
(git-fixes).
- net/mlx5: Start health poll after enable hca (git-fixes).
- bnxt_en: Linearize TX SKB if the fragments exceed the max
(git-fixes).
- bnxt_en: Mask the bd_cnt field in the TX BD properly
(git-fixes).
- net/mlx5e: Fix ethtool -N flow-type ip4 to RSS context
(git-fixes).
- igb: reject invalid external timestamp requests for 82580-based
HW (git-fixes).
- net/mlx5e: Prevent bridge link show failure for
non-eswitch-allowed devices (git-fixes).
- net/mlx5: Lag, Check shared fdb before creating MultiPort
E-Switch (git-fixes).
- net/mlx5: Fill out devlink dev info only for PFs (git-fixes).
- net/mlx5: IRQ, Fix null string in debug print (git-fixes).
- gve: set xdp redirect target only when it is available
(git-fixes).
- ice: Add check for devm_kzalloc() (git-fixes).
- commit 8b3f5c6
- ext4: fix OOB read when checking dotdot dir (bsc#1241640
CVE-2025-37785).
- ext4: fix out-of-bound read in ext4_xattr_inode_dec_ref_all()
(bsc#1241593 CVE-2025-22121).
- proc: fix UAF in proc_get_inode() (bsc#1240802 CVE-2025-21999).
- fs: relax assertions on failure to encode file handles
(bsc#1236086 CVE-2024-57924).
- commit 0e972d0
- net: gso: fix ownership in __udp_gso_segment (CVE-2025-21926
bsc#1240712).
- commit a0db76b
- jfs: add sanity check for agwidth in dbMount (git-fixes).
- commit 8faa28a
- jfs: Prevent copying of nlink with value 0 from disk inode
(git-fixes).
- commit eea1d40
- fs/jfs: Prevent integer overflow in AG size calculation
(git-fixes).
- commit fce66a4
- fs/jfs: cast inactags to s64 to prevent potential overflow
(git-fixes).
- commit 8b1cc16
- jfs: Fix uninit-value access of imap allocated in the diMount()
function (git-fixes).
- commit 5b527ae
- irqchip/gic-v2m: Prevent use after free of gicv2m_get_fwnode()
(git-fixes).
- drm/amd/display: Fix gpu reset in multidisplay config
(git-fixes).
- Revert "drm/meson: vclk: fix calculation of 59.94 fractional
rates" (git-fixes).
- commit 9f8b470
- block: integrity: Do not call set_page_dirty_lock() (git-fixes).
- loop: stop using vfs_iter_{read,write} for buffered I/O
(git-fixes).
- loop: LOOP_SET_FD: send uevents for partitions (git-fixes).
- loop: properly send KOBJ_CHANGED uevent for disk device
(git-fixes).
- block: fix resource leak in blk_register_queue() error path
(git-fixes).
- block: make sure ->nr_integrity_segments is cloned in
blk_rq_prep_clone (git-fixes).
- badblocks: fix missing bad blocks on retry in _badblocks_check()
(git-fixes).
- badblocks: fix merge issue when new badblocks align with pre+1
(git-fixes).
- badblocks: fix the using of MAX_BADBLOCKS (git-fixes).
- badblocks: return error if any badblock set fails (git-fixes).
- badblocks: return error directly when setting badblocks exceeds
512 (git-fixes).
- badblocks: Fix error shitf ops (git-fixes).
- blk-throttle: fix lower bps rate by throtl_trim_slice()
(git-fixes).
- block: change blk_mq_add_to_batch() third argument type to bool
(git-fixes).
- block: fix conversion of GPT partition name to 7-bit
(git-fixes).
- ublk: set_params: properly check if parameters can be applied
(git-fixes).
- block: fix 'kmem_cache of name 'bio-108' already exists'
(git-fixes).
- commit 607aa83
- drm/tests: Build KMS helpers when DRM_KUNIT_TEST_HELPERS is
enabled (git-fixes).
- commit 03063eb
- USB: wdm: add annotation (git-fixes).
- USB: wdm: wdm_wwan_port_tx_complete mutex in atomic context
(git-fixes).
- USB: wdm: close race between wdm_open and wdm_wwan_port_stop
(git-fixes).
- USB: wdm: handle IO errors in wdm_wwan_port_start (git-fixes).
- usb: dwc3: gadget: check that event count does not exceed
event buffer length (git-fixes).
- usb: dwc3: xilinx: Prevent spike in reset signal (git-fixes).
- usb: cdns3: Fix deadlock when using NCM gadget (git-fixes).
- usb: chipidea: ci_hdrc_imx: implement usb_phy_init() error
handling (git-fixes).
- usb: chipidea: ci_hdrc_imx: fix call balance of regulator
routines (git-fixes).
- serial: sifive: lock port in startup()/shutdown() callbacks
(git-fixes).
- serial: msm: Configure correct working mode before starting
earlycon (git-fixes).
- misc: microchip: pci1xxxx: Fix incorrect IRQ status handling
during ack (git-fixes).
- misc: microchip: pci1xxxx: Fix Kernel panic during IRQ handler
registration (git-fixes).
- string: Add load_unaligned_zeropad() code path to
sized_strscpy() (git-fixes).
- kunit: qemu_configs: SH: Respect kunit cmdline (git-fixes).
- Revert "wifi: mac80211: Update skb's control block key in
ieee80211_tx_dequeue()" (git-fixes).
- wifi: mac80211: Update skb's control block key in
ieee80211_tx_dequeue() (git-fixes).
- selftests/mm: generate a temporary mountpoint for cgroup
filesystem (git-fixes).
- selftests/futex: futex_waitv wouldblock test should fail
(git-fixes).
- phy: freescale: imx8m-pcie: assert phy reset and perst in
power off (git-fixes).
- PCI: vmd: Make vmd_dev::cfg_lock a raw_spinlock_t type
(stable-fixes).
- ktest: Fix Test Failures Due to Missing LOG_FILE Directories
(stable-fixes).
- wifi: mt76: mt76x2u: add TP-Link TL-WDN6200 ID to device table
(stable-fixes).
- wifi: ath12k: Fix invalid data access in
ath12k_dp_rx_h_undecap_nwifi (stable-fixes).
- wifi: ath12k: Fix invalid entry fetch in
ath12k_dp_mon_srng_process (stable-fixes).
- net: usb: asix_devices: add FiberGecko DeviceID (stable-fixes).
- media: uvcvideo: Add quirk for Actions UVC05 (stable-fixes).
- mmc: dw_mmc: add a quirk for accessing 64-bit FIFOs in two
halves (stable-fixes).
- pm: cpupower: bench: Prevent NULL dereference on malloc failure
(stable-fixes).
- commit b154b2c
- drm/tests: probe-helper: Fix drm_display_mode memory leak
(git-fixes).
- drm/tests: modes: Fix drm_display_mode memory leak (git-fixes).
- drm/tests: cmdline: Fix drm_display_mode memory leak
(git-fixes).
- drm/tests: helpers: Create kunit helper to destroy a
drm_display_mode (stable-fixes).
- drm/i915/gvt: fix unterminated-string-initialization warning
(stable-fixes).
- drm/i915: Disable RPG during live selftest (git-fixes).
- gpio: zynq: Fix wakeup source leaks on device unbind
(stable-fixes).
- drm/amd: Handle being compiled without SI or CIK support better
(stable-fixes).
- drm/mediatek: mtk_dpi: Explicitly manage TVD clock in power
on/off (stable-fixes).
- drm/mediatek: mtk_dpi: Move the input_2p_en bit to platform data
(stable-fixes).
- drm/amdgpu: handle amdgpu_cgs_create_device() errors in
amd_powerplay_create() (stable-fixes).
- drm/amdkfd: debugfs hang_hws skip GPU with MES (stable-fixes).
- drm/amdkfd: Fix pqm_destroy_queue race with GPU reset
(stable-fixes).
- drm/amdkfd: Fix mode1 reset crash issue (stable-fixes).
- drm/amdkfd: clamp queue size to minimum (stable-fixes).
- drm/amd/display: add workaround flag to link to force FFE preset
(stable-fixes).
- drm/bridge: panel: forbid initializing a panel with unknown
connector type (stable-fixes).
- drm: panel-orientation-quirks: Add quirk for OneXPlayer Mini
(Intel) (stable-fixes).
- drm: panel-orientation-quirks: Add new quirk for GPD Win 2
(stable-fixes).
- drm: panel-orientation-quirks: Add quirk for AYA NEO Slide
(stable-fixes).
- drm: panel-orientation-quirks: Add quirks for AYA NEO Flip DS
and KB (stable-fixes).
- drm: panel-orientation-quirks: Add support for AYANEO 2S
(stable-fixes).
- drm: allow encoder mode_set even when connectors change for crtc
(stable-fixes).
- fbdev: omapfb: Add 'plane' value check (stable-fixes).
- drm/tests: helpers: Fix compiler warning (git-fixes).
- drm/tests: helpers: Add helper for
drm_display_mode_from_cea_vic() (stable-fixes).
- drm/i915/dg2: wait for HuC load completion before running
selftests (stable-fixes).
- drm/tests: Add helper to create mock crtc (stable-fixes).
- commit a0a41da
- char: misc: register chrdev region with all possible minors
(git-fixes).
- Revert "drivers: core: synchronize really_probe() and
dev_uevent()" (stable-fixes).
- Bluetooth: l2cap: Process valid commands in too long frame
(stable-fixes).
- drivers: base: devres: Allow to release group on device release
(stable-fixes).
- Bluetooth: hci_uart: Fix another race during initialization
(git-fixes).
- Bluetooth: hci_uart: fix race during initialization
(stable-fixes).
- cdc_ether|r8152: ThinkPad Hybrid USB-C/A Dock quirk
(stable-fixes).
- ahci: add PCI ID for Marvell 88SE9215 SATA Controller
(stable-fixes).
- ASoC: amd: yc: update quirk data for new Lenovo model
(stable-fixes).
- ASoC: fsl_audmix: register card device depends on 'dais'
property (stable-fixes).
- ASoC: SOF: topology: Use krealloc_array() to replace krealloc()
(stable-fixes).
- ASoC: amd: Add DMI quirk for ACP6X mic support (stable-fixes).
- ALSA: usb-audio: Fix CME quirk for UF series keyboards
(stable-fixes).
- ALSA: hda: intel: Add Lenovo IdeaPad Z570 to probe denylist
(stable-fixes).
- ALSA: hda: intel: Fix Optimus when GPU has no sound
(stable-fixes).
- drm/tests: Add helper to create mock plane (stable-fixes).
- drm/tests: helpers: Add atomic helpers (stable-fixes).
- drm/i915/xelpg: Extend driver code of Xe_LPG to Xe_LPG+
(stable-fixes).
- commit 58c19a1
- Update
patches.suse/vmxnet3-unregister-xdp-rxq-info-in-the-reset-path.patch
(bsc#1241394 CVE-2025-22106 bsc#1241547).
- commit a998629
- mm: (un)track_pfn_copy() fix + doc improvements (CVE-2025-22090
bsc#1241537).
- commit 1ccdfdd
- x86/mm/pat: Fix VM_PAT handling when fork() fails in
copy_page_range() (CVE-2025-22090 bsc#1241537).
- commit f0ac623
- exfat: fix random stack corruption after get_block (bsc#1241426
CVE-2025-22036).
- commit 1f685c3
- exfat: do not fallback to buffered write (git-fixes).
- commit f7d2bc8
- exfat: drop ->i_size_ondisk (git-fixes).
- commit 9420be9
- fs/ntfs3: Prevent integer overflow in hdr_first_de()
(bsc#1241416 CVE-2025-22080).
- commit 401237e
- clk: samsung: Fix UBSAN panic in samsung_clk_init()
(CVE-2025-39728 bsc#1241626).
- commit 146debe
- net: phy: leds: fix memory leak (git-fixes).
- net: phy: microchip: force IRQ polling mode for lan88xx
(git-fixes).
- crypto: atmel-sha204a - Set hwrng quality to lowest possible
(git-fixes).
- commit 007e98d
- net: ethtool: Don't call .cleanup_data when prepare_data fails
(git-fixes).
- ethtool: Fix set RXNFC command with symmetric RSS hash
(git-fixes).
- ethtool: Fix wrong mod state in case of verbose and no_mask
bitset (git-fixes).
- ethtool: Fix context creation with no parameters (git-fixes).
- ethtool: fix setting key and resetting indir at once
(git-fixes).
- ethtool: rss: echo the context number back (git-fixes).
- net: ethtool: Fix RSS setting (git-fixes).
- ethtool: netlink: do not return SQI value if link is down
(git-fixes).
- ethtool: netlink: Add missing ethnl_ops_begin/complete
(git-fixes).
- ethtool: don't propagate EOPNOTSUPP from dumps (git-fixes).
- ethtool: plca: fix plca enable data type while parsing the value
(git-fixes).
- commit 6a09a48
- OPP: add index check to assert to avoid buffer overflow in _read_freq() (bsc#1238961)
- commit 2e43a01
- Test the correct macro to detect RT kernel build
Fixes: 470cd1a41502 ("kernel-binary: Support livepatch_rt with merged RT branch")
- commit 50e863e
- mm: clear uffd-wp PTE/PMD state on mremap() (bsc#1237111
CVE-2025-21696).
Refreshed:
patches.suse/mm-hugetlb-Add-huge-page-size-param-to-huge_ptep_get_and_clear.patch
- commit e18d57e
- bpf: Make sure internal and UAPI bpf_redirect flags don't
overlap (bsc#1233098 CVE-2024-50163).
- commit f73adfb
- bpf: selftests: send packet to devmap redirect XDP (bsc#1233075
CVE-2024-50162).
- bpf: devmap: provide rxq after redirect (bsc#1233075
CVE-2024-50162).
- commit efb272f
- mm: clear uffd-wp PTE/PMD state on mremap() (bsc#1237111
CVE-2025-21696).
Refreshed:
patches.suse/mm-hugetlb-Add-huge-page-size-param-to-huge_ptep_get_and_clear.patch
- commit 559ab65
- mm/migrate: fix shmem xarray update during migration
(CVE-2025-22015 bsc#1240944).
- commit 18f748b
- fou: fix initialization of grc (CVE-2024-46763 bsc#1230764).
- commit c144530
- kernel-source: Also update the search to match bin/env
Fixes: dc2037cd8f94 ("kernel-source: Also replace bin/env")
- commit bae6b69
- rpm/check-for-config-changes: Add GCC_ASM_FLAG_OUTPUT_BROKEN
- commit 816118c
- fou: Fix null-ptr-deref in GRO (CVE-2024-46763 bsc#1230764).
- commit 759f2a9
- hwpoison, memory_hotplug: lock folio before unmap hwpoisoned
folio (CVE-2025-21931 bsc#1240709).
- commit 1ece281
- net: fix geneve_opt length integer overflow (CVE-2025-22055
bsc#1241371).
- commit 45017c8
- PCI/MSI: Add an option to write MSIX ENTRY_DATA before any reads
(git-fixes).
- irqchip/davinci: Remove leftover header (git-fixes).
- tty: n_tty: use uint for space returned by tty_write_room()
(git-fixes).
- commit 2e047cb
- kABI fix for sctp: detect and prevent references to a freed
transport in sendmsg (git-fixes).
- commit ce43999
- wifi: ath11k: update channel list in reg notifier instead reg
worker (CVE-2025-23133 bsc#1241451).
- commit dfc599a
- exfat: short-circuit zero-byte writes in exfat_file_write_iter
(git-fixes).
- commit c31ee51
- exfat: fix soft lockup in exfat_clear_bitmap (git-fixes).
- commit 527ed08
- nfsd: decrease sc_count directly if fail to queue dl_recall
(git-fixes).
- commit 91b68ee
- nfs: add missing selections of CONFIG_CRC32 (git-fixes).
- commit f409d6e
- nvmet-fcloop: swap list_add_tail arguments (git-fixes).
- nvme-pci: skip nvme_write_sq_db on empty rqlist (git-fixes).
- nvme/ioctl: don't warn on vectorized uring_cmd with fixed buffer
(git-fixes).
- nvme-pci: fix stuck reset on concurrent DPC and HP (git-fixes).
- nvme-pci: skip CMB blocks incompatible with PCI P2P DMA
(git-fixes).
- nvme-pci: clean up CMBMSC when registering CMB fails
(git-fixes).
- nvme-tcp: fix possible UAF in nvme_tcp_poll (git-fixes).
- commit bf9d0e5
- Move upstreamed smb patch into sorted section
Also move other out-of-tree patches into the proper section
- commit ba77adc
- rpm/kernel-binary.spec.in: revert the revert change with OrderWithRequires
The recent change using OrderWithRequires addresses the known issues,
but also caused regressions for the existing image or package builds.
For SLE15-SPx, better to be conservative and stick with the older way.
- commit bbe05e4
- Refresh
patches.suse/kernel-add-product-identifying-information-to-kernel-build.patch.
scripts/gen-suse_version_h.sh requires bash, yet in Makefile
CONFIG_SHELL is defined to 'sh'. In openSUSE and SUSE products 'sh' is a
symbolic link to 'bash', hence this isn't a problem. However, on
distributions like Debian and Ubuntu 'sh' is symbolically linked to
'dash' instead, and gen-suse_version_h.sh will fail to run with
./scripts/gen-suse_version_h.sh: 3: Syntax error: "(" unexpected
make[1]: *** [/home/runner/work/libbpf/libbpf/.kernel/Makefile:1135: include/generated/uapi/linux/suse_version.h] Error 2
make: *** [Makefile:224: __sub-make] Error 2
Explicitly use bash to run scripts/gen-suse_version_h.sh to make sure
it will always work.
- commit 2be3c0f
- scsi: iscsi: Fix missing scsi_host_put() in error path
(git-fixes).
- scsi: hisi_sas: Enable force phy when SATA disk directly
connected (git-fixes).
- scsi: lpfc: Restore clearing of NLP_UNREG_INP in ndlp->nlp_flag
(git-fixes).
- scsi: scsi_debug: Remove a reference to in_use_bm (git-fixes).
- scsi: mpt3sas: Fix a locking bug in an error path (git-fixes).
- scsi: mpi3mr: Fix locking in an error path (git-fixes).
- scsi: mpt3sas: Reduce log level of ignore_delay_remove message
to KERN_INFO (git-fixes).
- scsi: core: Use GFP_NOIO to avoid circular locking dependency
(git-fixes).
- commit c9f2a96
- net: annotate data-races around sk->sk_tx_queue_mapping
(git-fixes).
- commit 39ebbf2
- sctp: detect and prevent references to a freed transport in
sendmsg (git-fixes).
- commit 1334236
- sctp: add mutual exclusion in proc_sctp_do_udp_port()
(git-fixes).
- commit 711cff2
- sctp: Fix undefined behavior in left shift operation
(git-fixes).
- commit a1edf61
- netpoll: Use rcu_access_pointer() in netpoll_poll_lock
(git-fixes).
- commit 4965a27
- tcp: fix mptcp DSS corruption due to large pmtu xmit
(git-fixes).
- commit ba5be47
- sctp: ensure sk_state is set to CLOSED if hashing fails in
sctp_listen_start (git-fixes).
- commit a7b311d
- sctp: fix association labeling in the duplicate COOKIE-ECHO case
(git-fixes).
- commit f2ab0aa
- sctp: prefer struct_size over open coded arithmetic (git-fixes).
- commit e26aab9
- net: blackhole_dev: fix build warning for ethh set but not used
(git-fixes).
- commit 9f9bf2f
- net: sctp: fix skb leak in sctp_inq_free() (git-fixes).
- commit ef140e3
- sctp: fix busy polling (git-fixes).
- commit 533e122
- sctp: support MSG_ERRQUEUE flag in recvmsg() (git-fixes).
- commit 1e9a8f7
- i2c: cros-ec-tunnel: defer probe if parent EC is not present
(git-fixes).
- commit 68f8146
- vmxnet3: unregister xdp rxq info in the reset path
(bsc#1241394).
- vmxnet3: Fix tx queue race condition with XDP (bsc#1241394).
- commit d09ed0e
- ALSA: hda/realtek - Fixed ASUS platform headset Mic issue
(git-fixes).
- commit 53f07fb
- Refresh patches.suse/ALSA-hda-realtek-Workaround-for-resume-on-Dell-Venue.patch
The patch was applied incorrectly to the wrong device
- commit cf41ba6
- Bluetooth: vhci: Avoid needless snprintf() calls (git-fixes).
- wifi: wl1251: fix memory leak in wl1251_tx_work (git-fixes).
- wifi: mac80211: Purge vif txq in ieee80211_do_stop()
(git-fixes).
- wifi: at76c50x: fix use after free access in at76_disconnect
(git-fixes).
- Bluetooth: l2cap: Check encryption key size on incoming
connection (git-fixes).
- Bluetooth: btrtl: Prevent potential NULL dereference
(git-fixes).
- Bluetooth: hci_event: Fix sending MGMT_EV_DEVICE_FOUND for
invalid address (git-fixes).
- ASoC: codecs:lpass-wsa-macro: Fix logic of enabling vi channels
(git-fixes).
- ASoC: codecs:lpass-wsa-macro: Fix vi feedback rate (git-fixes).
- ASoC: Intel: avs: Fix null-ptr-deref in avs_component_probe()
(git-fixes).
- ASoC: qcom: Fix sc7280 lpass potential buffer overflow
(git-fixes).
- asus-laptop: Fix an uninitialized variable (git-fixes).
- ata: libata-sata: Save all fields from sense data descriptor
(git-fixes).
- commit b064ee6
- smb: client: fix folio leaks and perf improvements (bsc#1239997,
bsc#1241265).
- commit 3640faf
- net: mark racy access on sk->sk_rcvbuf (git-fixes).
- commit c7df85a
- net: set SOCK_RCU_FREE before inserting socket into hashtable
(git-fixes).
- commit 469342f
- net: annotate data-races around sk->sk_dst_pending_confirm
(git-fixes).
- commit ddac370
- Refresh patches.suse/x86-paravirt-Move-halt-paravirt-calls-under-CONFIG_PARAVIR.patch.
This fixes a build error
- commit 885e121
- ipv4: fib: annotate races around nh->nh_saddr_genid and
nh->nh_saddr (git-fixes).
- commit 42e44b7
- rpm/kernel-binary.spec.in: Also order against update-bootloader
(boo#1228659, boo#1240785, boo#1241038).
- commit fe0a8c9
- crypto: caam/qi - Fix drv_ctx refcount bug (git-fixes).
- commit 004010d
- selftests/bpf: Add a few tests to cover (git-fixes).
- bpf: Add missed var_off setting in coerce_subreg_to_size_sx()
(git-fixes).
- bpf: Add missed var_off setting in set_sext32_default_val()
(git-fixes).
- commit 07fae33
- Drop PCI patch that caused a regression (bsc#1241123)
The patch patches.suse/PCI-Avoid-reset-when-disabled-via-sysfs.patch
seems to be causing a regression about missing device passthrough on VM.
Drop it to address the regression.
- commit 5845d87
- bpf, test_run: Fix use-after-free issue in eth_skb_pkt_type()
(bsc#1240181 CVE-2025-21867).
- commit 82a6d4f
- Revert commit (bsc#1241051)
Delete
patches.suse/mm-various-give-up-if-pte_offset_map-_lock-fails.patch.
- commit c63b737
- rpm/package-descriptions: Add rt and rt_debug descriptions
- commit 09573c0
- fs/ntfs3: add prefix to bitmap_size() and use BITS_TO_U64()
(bsc#1241250).
- commit a11e79b
- x86/microcode/AMD: Split load_microcode_amd() (git-fixes).
- Refresh
patches.suse/x86-microcode-AMD-Fix-out-of-bounds-on-systems-with-.patch.
- commit e4a11da
- x86/microcode/AMD: Pay attention to the stepping dynamically (git-fixes).
- commit 581b74c
- x86/microcode/intel: Set new revision only after a successful update (git-fixes).
- commit 7ef0614
- x86/microcode/AMD: Fix a -Wsometimes-uninitialized clang false positive (git-fixes).
- commit 0584d8b
- btrfs: fix hole expansion when writing at an offset beyond EOF
(bsc#1241151).
- btrfs: fix swap file activation failure due to extents that
used to be shared (bsc#1241204).
- btrfs: fix race with memory mapped writes when activating swap
file (bsc#1241204).
- btrfs: fix missing snapshot drew unlock when root is dead
during swap activation (bsc#1241204).
- btrfs: add and use helper to verify the calling task has locked
the inode (bsc#1241204).
- commit d9b6443
- sched: address a potential NULL pointer dereference in the
GRED scheduler (CVE-2025-21980 bsc#1240809).
- commit ce44194
- net: atm: fix use after free in lec_send() (CVE-2025-22004
bsc#1240835).
- commit 0623761
- llc: do not use skb_get() before dev_queue_xmit()
(CVE-2025-21925 bsc#1240713).
- commit 79eced9
- tools/power turbostat: report CoreThr per measurement interval
(git-fixes).
- commit d3776d1
- x86/microcode/AMD: Use the family,model,stepping encoded in the patch ID (git-fixes).
- Refresh
patches.suse/x86-microcode-AMD-Flush-patch-buffer-mapping-after-applica.patch.
- commit 88521da
- x86/microcode: Rework early revisions reporting (git-fixes).
- Refresh
patches.suse/x86-microcode-AMD-Flush-patch-buffer-mapping-after-applica.patch.
- commit 4d17d9e
- ax25: rcu protect dev->ax25_ptr (CVE-2025-21812 bsc#1238471).
- commit 5fd1fff
- x86/microcode: Remove the driver announcement and version (git-fixes).
- commit 46995b1
- x86/tdx: Emit warning if IRQs are enabled during HLT #VE handling (git-fixes).
- commit d56cfaf
- x86/tdx: Fix arch_safe_halt() execution for TDX VMs (git-fixes).
- commit d95d976
- Refresh
patches.suse/ipv6-remove-hard-coded-limitation-on-ipv6_pinfo.patch.
- commit 0200f55
- hfs/hfsplus: fix slab-out-of-bounds in hfs_bnode_read_key
(git-fixes).
- commit 6eab8d6
- x86/paravirt: Move halt paravirt calls under CONFIG_PARAVIRT (git-fixes).
- commit df4a06f
- x86/microcode/AMD: Flush patch buffer mapping after application (git-fixes).
- commit 3abf82a
- x86/dumpstack: Fix inaccurate unwinding from exception stacks due to misplaced assignment (git-fixes).
- commit 9a5f9b4
- x86/entry: Fix ORC unwinder for PUSH_REGS with save_ret=1 (git-fixes).
- commit a987e8f
- x86/uaccess: Improve performance by aligning writes to 8 bytes in copy_user_generic(), on non-FSRM/ERMS CPUs (git-fixes).
- commit b668be3
- x86/bugs: Add RSB mitigation document (git-fixes).
- commit b8dad0f
- x86/bugs: Don't fill RSB on context switch with eIBRS (git-fixes).
- commit 187dbce
- x86/bugs: Don't fill RSB on VMEXIT with eIBRS+retpoline (git-fixes).
- commit 4f16d88
- x86/bugs: Fix RSB clearing in indirect_branch_prediction_barrier() (git-fixes).
- commit fb3ed54
- x86/bugs: Use SBPB in write_ibpb() if applicable (git-fixes).
- commit 4702713
- x86/bugs: Rename entry_ibpb() to write_ibpb() (git-fixes).
- commit 05f7f50
- selftest/bpf: Add vsock test for sockmap rejecting unconnected
(bsc#1239470 CVE-2025-21854).
- selftest/bpf: Adapt vsock_delete_on_close to sockmap rejecting
unconnected (bsc#1239470 CVE-2025-21854).
- vsock/bpf: Warn on socket without transport (bsc#1239470
CVE-2025-21854).
- commit 9aa107b
- tools/power turbostat: Increase CPU_SUBSET_MAXCPUS to 8192
(bsc#1241175).
- commit b06e876
- sockmap, vsock: For connectible sockets allow only connected
(bsc#1239470 CVE-2025-21854).
- bpf: sockmap, test for unconnected af_unix sock (bsc#1239470
CVE-2025-21854).
- Refresh patches.suse/selftest-bpf-Add-test-for-af_vsock-poll.patch
- bpf: syzkaller found null ptr deref in unix_bpf proto add
(bsc#1239470 CVE-2025-21854).
- Refresh patches.suse/udp-fix-busy-polling.patch
- Refresh
patches.suse/bpf-sockmap-SK_DROP-on-attempted-redirects-of-unsupported-.patch
- commit 62e8475
- bpf, vsock: Invoke proto::close on close() (bsc#1239470 CVE-2025-21854).
- Refresh
patches.suse/vsock-Keep-the-binding-until-socket-destruction.patch.
- Refresh patches.suse/vsock-Orphan-socket-after-transport-release.patch
- commit a88600e
- selftest/bpf: Add test for vsock removal from sockmap on close()
(bsc#1239470 CVE-2025-21854).
- selftest/bpf: Add test for af_vsock poll() (bsc#1239470
CVE-2025-21854).
- bpf, vsock: Fix poll() missing a queue (bsc#1239470
CVE-2025-21854).
- commit 43f792d
- RDMA/core: Silence oversized kvmalloc() warning (git-fixes)
- commit 0801938
- RDMA/cma: Fix workqueue crash in cma_netevent_work_handler (git-fixes)
- commit 8be4a6f
- RDMA/hns: Fix wrong maximum DMA segment size (git-fixes)
- commit 9a0c549
- RDMA/usnic: Fix passing zero to PTR_ERR in usnic_ib_pci_probe() (git-fixes)
- commit 7bf895d
- net: xdp: Disallow attaching device-bound programs in generic
mode (bsc#1238742 CVE-2025-21808).
- commit c2feb9e
- md/md-bitmap: fix wrong bitmap_limit for clustermd when write sb (bsc#1238212)
Also reenable patches.suse/md-md-bitmap-fix-writing-non-bitmap-pages-ab99.patch
- commit 22ce219
- bpf: Fix deadlock when freeing cgroup storage (CVE-2024-58088 bsc#1239510)
- commit a5b985f
- dpll: fix xa_alloc_cyclic() error handling (CVE-2025-22016 bsc#1240934)
- commit 2521b46
- devlink: fix xa_alloc_cyclic() error handling (CVE-2025-22017 bsc#1240936)
- commit 6e391e8
- zap_pid_ns_processes: clear TIF_NOTIFY_SIGNAL along with
TIF_SIGPENDING (bsc#1241167).
- commit 2fe69fb
- caif_virtio: fix wrong pointer check in cfv_probe()
(CVE-2025-21904 bsc#1240576).
- commit 9a83e3e
- Refresh
patches.kabi/kABI-fix-for-ipv6-remove-hard-coded-limitation-on-ip.patch.
- commit 81847b0
- xfs: flush inodegc before swapon (git-fixes).
- commit c599968
- net: mana: Switch to page pool for jumbo frames (git-fixes).
- RDMA/mana_ib: Ensure variable err is initialized (git-fixes).
- x86/hyperv: Fix check of return value from snp_set_vmsa()
(git-fixes).
- commit 2b709c0
- pwm: fsl-ftm: Handle clk_get_rate() returning 0 (git-fixes).
- pwm: rcar: Improve register calculation (git-fixes).
- pwm: mediatek: Prevent divide-by-zero in pwm_mediatek_config()
(git-fixes).
- commit 9d83cd0
- ata: sata_sx4: Add error handling in pdc20621_i2c_read()
(git-fixes).
- ata: pata_pxa: Fix potential NULL pointer dereference in
pxa_ata_probe() (git-fixes).
- commit dcc1d06
- kABI workaround for powercap update (bsc#1241010).
- commit 6da4ad4
- drm/amd/display: Fix out-of-bound accesses (bsc#1240811 CVE-2025-21985)
- commit f9ae89c
- Revert "tcp: Fix bind() regression for v6-only wildcard and"
This reverts commit 10a8fd3005bd56ac305a4a4e9bf53cfc50aad28f.
This patch is part of a bigger series [0] and AFAIU can't be applied
individually. Applying the entire series would result in kABI breakage.
[0]
https://lore.kernel.org/all/20231213082029.35149-1-kuniyu@amazon.com/
- commit 9692530
- Update
patches.suse/Bluetooth-Add-check-for-mgmt_alloc_skb-in-mgmt_devic.patch
(git-fixes CVE-2025-21936 bsc#1240716).
- Update
patches.suse/Bluetooth-Add-check-for-mgmt_alloc_skb-in-mgmt_remot.patch
(git-fixes CVE-2025-21937 bsc#1240643).
- Update
patches.suse/Bluetooth-Fix-error-code-in-chan_alloc_skb_cb.patch
(git-fixes CVE-2025-22007 bsc#1240829).
- Update
patches.suse/HID-appleir-Fix-potential-NULL-dereference-at-raw-ev.patch
(git-fixes CVE-2025-21948 bsc#1240703).
- Update
patches.suse/HID-hid-steam-Fix-use-after-free-when-detaching-devi.patch
(git-fixes CVE-2025-21923 bsc#1240691).
- Update
patches.suse/HID-ignore-non-functional-sensor-in-HP-5MP-Camera.patch
(stable-fixes CVE-2025-21992 bsc#1240796).
- Update
patches.suse/HID-intel-ish-hid-Fix-use-after-free-issue-in-ishtp_.patch
(git-fixes CVE-2025-21928 bsc#1240722).
- Update
patches.suse/KVM-arm64-Unconditionally-save-flush-host-FPSIMD-SVE-SME-state.patch
(git-fixes CVE-2025-22013 bsc#1240938).
- Update
patches.suse/RDMA-hns-Fix-soft-lockup-during-bt-pages-loop.patch
(git-fixes CVE-2025-22010 bsc#1240943).
- Update
patches.suse/accel-qaic-Fix-integer-overflow-in-qaic_validate_req.patch
(git-fixes CVE-2025-22001 bsc#1240873).
- Update
patches.suse/bus-mhi-host-pci_generic-Use-pci_try_reset_function-.patch
(git-fixes CVE-2025-21951 bsc#1240718).
- Update
patches.suse/can-ucan-fix-out-of-bound-read-in-strscpy-source.patch
(git-fixes CVE-2025-22003 bsc#1240825).
- Update
patches.suse/cdx-Fix-possible-UAF-error-in-driver_override_show.patch
(git-fixes CVE-2025-21915 bsc#1240594).
- Update
patches.suse/dm-flakey-Fix-memory-corruption-in-optional-corrupt_.patch
(git-fixes CVE-2025-21966 bsc#1240779).
- Update
patches.suse/drivers-virt-acrn-hsm-Use-kzalloc-to-avoid-info-leak.patch
(git-fixes CVE-2025-21950 bsc#1240719).
- Update
patches.suse/drm-amd-display-Assign-normalized_pix_clk-when-color.patch
(stable-fixes CVE-2025-21956 bsc#1240739).
- Update
patches.suse/drm-amd-display-Fix-null-check-for-pipe_ctx-plane_st-374c9fa.patch
(git-fixes CVE-2025-21941 bsc#1240701).
- Update
patches.suse/drm-amd-display-Fix-slab-use-after-free-on-hdcp_work.patch
(git-fixes CVE-2025-21968 bsc#1240783).
- Update
patches.suse/drm-hyperv-Fix-address-space-leak-when-Hyper-V-DRM-d.patch
(git-fixes CVE-2025-21978 bsc#1240806).
- Update
patches.suse/drm-radeon-fix-uninitialized-size-issue-in-radeon_vc.patch
(git-fixes CVE-2025-21996 bsc#1240801).
- Update
patches.suse/drm-sched-Fix-fence-reference-count-leak.patch
(git-fixes CVE-2025-21995 bsc#1240821).
- Update
patches.suse/gpio-aggregator-protect-driver-attr-handlers-against.patch
(git-fixes CVE-2025-21943 bsc#1240647).
- Update
patches.suse/gpio-rcar-Use-raw_spinlock-to-protect-register-acces.patch
(stable-fixes CVE-2025-21912 bsc#1240584).
- Update
patches.suse/msft-hv-3170-net-mana-cleanup-mana-struct-after-debugfs_remove.patch
(git-fixes CVE-2025-21953 bsc#1240727).
- Update
patches.suse/net_sched-Prevent-creation-of-classes-with-TC_H_ROOT.patch
(git-fixes CVE-2025-21971 bsc#1240799).
- Update
patches.suse/nvme-tcp-fix-potential-memory-corruption-in-nvme_tcp.patch
(git-fixes CVE-2025-21927 bsc#1240714).
- Update
patches.suse/rapidio-add-check-for-rio_add_net-in-rio_scan_alloc_.patch
(git-fixes CVE-2025-21935 bsc#1240700).
- Update
patches.suse/rapidio-fix-an-API-misues-when-rio_add_net-fails.patch
(git-fixes CVE-2025-21934 bsc#1240708).
- Update
patches.suse/regulator-check-that-dummy-regulator-has-been-probed.patch
(stable-fixes CVE-2025-22008 bsc#1240942).
- Update
patches.suse/regulator-dummy-force-synchronous-probing.patch
(git-fixes CVE-2025-22009 bsc#1240940).
- Update
patches.suse/slimbus-messaging-Free-transaction-ID-in-delayed-int.patch
(git-fixes CVE-2025-21914 bsc#1240595).
- Update
patches.suse/soc-qcom-pdr-Fix-the-potential-deadlock.patch
(git-fixes CVE-2025-22014 bsc#1240937).
- Update
patches.suse/usb-atm-cxacru-fix-a-flaw-in-existing-endpoint-check.patch
(git-fixes CVE-2025-21916 bsc#1240582).
- Update
patches.suse/usb-renesas_usbhs-Flush-the-notify_hotplug_work.patch
(git-fixes CVE-2025-21917 bsc#1240596).
- Update patches.suse/usb-typec-ucsi-Fix-NULL-pointer-access.patch
(git-fixes CVE-2025-21918 bsc#1240592).
- Update
patches.suse/wifi-cfg80211-cancel-wiphy_work-before-freeing-wiphy.patch
(git-fixes CVE-2025-21979 bsc#1240808).
- Update
patches.suse/wifi-cfg80211-regulatory-improve-invalid-hints-check.patch
(git-fixes CVE-2025-21910 bsc#1240583).
- Update
patches.suse/wifi-iwlwifi-limit-printed-string-from-FW-file.patch
(git-fixes CVE-2025-21905 bsc#1240575).
- Update
patches.suse/wifi-iwlwifi-mvm-don-t-try-to-talk-to-a-dead-firmwar.patch
(git-fixes CVE-2025-21930 bsc#1240715).
- Update
patches.suse/wifi-nl80211-reject-cooked-mode-if-it-is-set-along-w.patch
(git-fixes CVE-2025-21909 bsc#1240590).
- commit a467018
- affs: don't write overlarge OFS data block size fields
(git-fixes).
- commit 334bc15
- affs: generate OFS sequence numbers starting at 1 (git-fixes).
- commit f93c833
- nfsd: put dl_stid if fail to queue dl_recall (git-fixes).
- commit 4b6b673
- security, lsm: Introduce security_mptcp_add_subflow()
(bsc#1240375).
- Refresh
patches.suse/net-better-track-kernel-sockets-lifetime.patch.
- commit bd8699b
- selinux: Implement mptcp_add_subflow hook (bsc#1240375).
- commit c784a67
- powercap: intel_rapl_tpmi: Enable PMU support (bsc#1241010).
- commit 2a705e9
- powercap: intel_rapl: Introduce APIs for PMU support
(bsc#1241010).
- commit b0e2847
- drm/amd: Keep display off while going into S4 (stable-fixes).
- Refresh
patches.suse/drm-amd-display-Restore-correct-backlight-brightness.patch.
- commit e9996bf
- drm/sti: remove duplicate object names (git-fixes).
- drm/nouveau: prime: fix ttm_bo_delayed_delete oops (git-fixes).
- drm/amd/pm/smu11: Prevent division by zero (git-fixes).
- drm/amdgpu/dma_buf: fix page_link check (git-fixes).
- drm/i915/huc: Fix fence not released on early probe errors
(git-fixes).
- gpio: tegra186: fix resource handling in ACPI probe path
(git-fixes).
- mtd: rawnand: Add status chack in r852_ready() (git-fixes).
- mtd: inftlcore: Add error check for inftl_read_oob()
(git-fixes).
- ntb: use 64-bit arithmetic for the MSI doorbell mask
(git-fixes).
- ntb_hw_switchtec: Fix shift-out-of-bounds in
switchtec_ntb_mw_set_trans (git-fixes).
- ACPI: resource: Skip IRQ override on ASUS Vivobook 14 X1404VAP
(stable-fixes).
- mmc: sdhci-pxav3: set NEED_RSP_BUSY capability (stable-fixes).
- hwmon: (nct6775-core) Fix out of bounds access for NCT679{8,9}
(stable-fixes).
- wifi: mac80211: flush the station before moving it to
UN-AUTHORIZED state (stable-fixes).
- platform/x86/intel/vsec: Add Diamond Rapids support
(stable-fixes).
- platform/x86: intel-hid: fix volume buttons on Microsoft
Surface Go 4 tablet (stable-fixes).
- wifi: brcmfmac: keep power during suspend if board requires it
(stable-fixes).
- wifi: iwlwifi: mvm: use the right version of the rate API
(stable-fixes).
- wifi: iwlwifi: fw: allocate chained SG tables for dump
(stable-fixes).
- HID: i2c-hid: improve i2c_hid_get_report error message
(stable-fixes).
- ntb: Force physically contiguous allocation of rx ring buffers
(git-fixes).
- ntb_perf: Fix printk format (git-fixes).
- commit a733ec5
- netfilter: br_netfilter: skip conntrack input hook for promisc
packets (CVE-2024-27415 bsc#1224757).
- commit 01cefc0
- kabi: restore layout of struct nf_ct_hook after backport of
commit 62e7151ae3eb (CVE-2024-27415 bsc#1224757).
- netfilter: bridge: confirm multicast packets before passing
them up the stack (CVE-2024-27415 bsc#1224757).
- commit 69425e5
- netfilter: xtables: fix typo causing some targets not to load
on IPv6 (CVE-2024-50038 bsc#1231910).
- netfilter: xtables: avoid NFPROTO_UNSPEC where needed
(CVE-2024-50038 bsc#1231910).
- commit 9ec5161
- net: mctp: unshare packets when reassembling (CVE-2025-21972
bsc#1240813).
- commit 5878b19
- Reapply "Merge remote-tracking branch 'origin/users/sjaeckel/SLE15-SP6/for-next' into SLE15-SP6"
This reverts commit 9b78ca60e10c64a737b9db2b85fdd944daac6ae6.
- commit 157dbaf
- net/tcp: refactor tcp_inet6_sk() (git-fixes).
- commit 459f538
- ntb_perf: Delete duplicate dmaengine_unmap_put() call in
perf_copy_chunk() (git-fixes).
- commit eeb7f74
- ntb: intel: Fix using link status DB's (git-fixes).
- commit a988a90
- s390/cio: Fix CHPID "configure" attribute caching (git-fixes
bsc#1240979).
- commit a947a32
- s390/pci: Fix zpci_bus_is_isolated_vf() for non-VFs (git-fixes
bsc#1240978).
- commit 610fa90
- wifi: ath11k: fix memory leak in ath11k_xxx_remove()
(git-fixes).
- Refresh
patches.suse/wifi-ath11k-choose-default-PM-policy-for-hibernation.patch.
- Refresh
patches.suse/wifi-ath11k-support-non-WoWLAN-mode-suspend-as-well.patch.
- commit 5ef71a9
- Update upstream status for ath11k patches
- commit 42fd2e8
- rpm/check-for-config-changes: add LD_CAN_ to IGNORED_CONFIGS_RE
We now have LD_CAN_USE_KEEP_IN_OVERLAY since commit:
e7607f7d6d81 ARM: 9443/1: Require linker to support KEEP within OVERLAY for DCE
- commit 7b55ff2
- perf tools: annotate asm_pure_loop.S (bsc#1239906).
- commit a3afe13
- perf/core: Order the PMU list to fix warning about unordered
pmu_ctx_list (bsc#1240585 CVE-2025-21895).
- commit c393384
- io_uring/kbuf: reallocate buf lists on upgrade (CVE-2025-21836
bsc#1239066).
- commit 1c3b3b4
- rpm/kernel-binary.spec.in: Use OrderWithRequires (boo#1228659 boo#1241038).
OrderWithRequires was introduced in rpm 4.9 (i.e. SLE12+) to allow
a package to inform the order of installation of another package without
hard requiring that package. This means our kernel-binary packages no
longer need to hard require perl-Bootloader or dracut, resolving the
long-commented issue there. This is also needed for udev & systemd-boot
to ensure those packages are installed before being called by dracut
(boo#1228659)
- commit 634be2c
- usb: dwc3: Set SUSPENDENABLE soon after phy init (git-fixes).
- commit 88d79df
- bpf: avoid holding freeze_mutex during mmap operation
(git-fixes).
- bpf: unify VM_WRITE vs VM_MAYWRITE use in BPF map mmaping logic
(git-fixes).
- selftests/bpf: Add test for narrow ctx load for pointer args
(git-fixes).
- bpf: Check size for BTF-based ctx access of pointer members
(git-fixes).
- bpf: Fix theoretical prog_array UAF in __uprobe_perf_func()
(git-fixes).
- bpf: fix potential error return (git-fixes).
- commit 59fa8cd
- tty: serial: 8250: Add Brainboxes XC devices (stable-fixes).
- tty: serial: 8250: Add some more device IDs (stable-fixes).
- net: usb: qmi_wwan: add Telit Cinterion FE990B composition
(stable-fixes).
- net: usb: qmi_wwan: add Telit Cinterion FN990B composition
(stable-fixes).
- HID: hid-plantronics: Add mic mute mapping and generalize quirks
(stable-fixes).
- drm/dp_mst: Add a helper to queue a topology probe
(stable-fixes).
- drm/dp_mst: Factor out function to queue a topology probe work
(stable-fixes).
- commit dcc0903
- scsi: qla1280: Fix kernel oops when debug level > 2 (CVE-2025-21957 bsc#1240742)
- commit bd3922a
- io_uring: prevent opcode speculation (CVE-2025-21863
bsc#1239475).
- commit cf2b4a4
- wifi: rtw89: fix race between cancel_hw_scan and hw_scan completion (CVE-2025-21729 bsc#1237874)
- commit dfb7d10
- OPP: fix dev_pm_opp_find_bw_*() when bandwidth table not initialized (CVE-2024-58068 bsc#1238961)
- commit b424f57
- net: let net.core.dev_weight always be non-zero (CVE-2025-21806 bsc#1238746)
- commit c6ce075
- Refresh patches.suse/Bluetooth-L2CAP-Fix-corrupted-list-in-hci_chan_del.patch
Drop redundant mutex lock that was forgotten
- commit 8253168
- net/mlx5: Bridge, fix the crash caused by LAG state check
(CVE-2025-21970 bsc#1240819).
- eth: bnxt: do not update checksum in bnxt_xdp_build_skb()
(CVE-2025-21960 bsc#1240815).
- eth: bnxt: fix truesize for mb-xdp-pass case (CVE-2025-21961
bsc#1240816).
- net/mlx5: handle errors in mlx5_chains_create_table()
(CVE-2025-21975 bsc#1240812).
- commit 5bfb0f9
- x86/microcode/AMD: Fix out-of-bounds on systems with CPU-less
NUMA nodes (CVE-2025-21991 bsc#1240795).
- x86/amd_nb: Use rdmsr_safe() in amd_get_mmconfig_range()
(CVE-2025-21913 bsc#1240591).
- commit 718ae0d
- NFS: fix nfs_release_folio() to not deadlock via kcompactd
writeback (CVE-2025-21908 bsc#1240600).
- commit a2db92f
- kABI workaround for l2cap_conn changes (CVE-2025-21969
bsc#1240784).
- commit 0c8af58
- Bluetooth: L2CAP: Fix corrupted list in hci_chan_del
(CVE-2025-21969 bsc#1240784).
- commit 730e49a
- Bluetooth: L2CAP: Fix slab-use-after-free Read in l2cap_send_cmd
(CVE-2025-21969 bsc#1240784).
- iscsi_ibft: Fix UBSAN shift-out-of-bounds warning in
ibft_attr_show_nic() (CVE-2025-21993 bsc#1240797).
- commit 80da9db
- drm/amdgpu/gfx11: fix num_mec (git-fixes).
- drm/amd/pm: Prevent division by zero (git-fixes).
- Input: pm8941-pwrkey - fix dev_dbg() output in
pm8941_pwrkey_irq() (git-fixes).
- Input: synaptics - hide unused smbus_pnp_ids[] array
(git-fixes).
- commit d5f05d8
- powercap: intel_rapl_tpmi: Fix bogus register reading
(git-fixes).
- commit 4482ca3
- powercap: intel_rapl_tpmi: Ignore minor version change
(git-fixes).
- commit 8f97ff8
- powercap: dtpm_devfreq: Fix error check against
dev_pm_qos_add_request() (git-fixes).
- commit 5af8777
- powercap: intel_rapl_tpmi: Fix System Domain probing
(git-fixes).
- commit cb855f9
- usbnet:fix NPE during rx_complete (git-fixes).
- platform/x86: ISST: Correct command storage data length
(git-fixes).
- ASoC: imx-card: Add NULL check in imx_card_probe() (git-fixes).
- ASoC: qdsp6: q6apm-dai: fix capture pipeline overruns
(git-fixes).
- ASoC: qdsp6: q6apm-dai: set 10 ms period and buffer alignment
(git-fixes).
- ASoC: qdsp6: q6asm-dai: fix q6asm_dai_compr_set_params error
path (git-fixes).
- firmware: cs_dsp: Ensure cs_dsp_load[_coeff]() returns 0 on
success (git-fixes).
- ALSA: hda/realtek: Fix built-in mic on another ASUS VivoBook
model (git-fixes).
- ALSA: hda/realtek: Fix built-in mic breakage on ASUS VivoBook
X515JA (git-fixes).
- commit e1c84cd
- vsock: Orphan socket after transport release (CVE-2025-21755 bsc#1237882)
- commit 6317d55
- tpm_tis: Use responseRetry to recover from data transfer errors
(bsc#1235870).
- commit 6e4dc96
- tpm_tis: Move CRC check to generic send routine (bsc#1235870).
- Refresh patches.suse/tpm_tis-Resend-command-to-recover-from-data-transfer.patch
- commit 66fe063
- Delete patches.suse/tpm-send_data-Wait-longer-for-the-TPM-to-become-read.patch.
To be replaced with upstream fix.
- commit d0fcf25
- rtnetlink: Allocate vfinfo size for VF GUIDs when supported
(bsc#1224013).
- commit 34e3f46
- kernel-binary: Support livepatch_rt with merged RT branch
- commit 470cd1a
- arm64: Don't call NULL in do_compat_alignment_fixup() (git-fixes)
- commit 249080a
- arm64: mm: Correct the update of max_pfn (git-fixes)
- commit b6d4b51
- tpm: tis: Double the timeout B to 4s (bsc#1235870).
- commit 2ecc734
- tpm, tpm_tis: Workaround failed command reception on Infineon
devices (bsc#1235870).
- commit cc21438
- ice: fix memory leak in aRFS after reset (CVE-2025-21981
bsc#1240612).
- ppp: Fix KMSAN uninit-value warning with bpf (CVE-2025-21922
bsc#1240639).
- net: hns3: make sure ptp clock is unregister and freed
if hclge_ptp_get_cycle returns an error (CVE-2025-21924
bsc#1240720).
- net: enetc: VFs do not support HWTSTAMP_TX_ONESTEP_SYNC
(CVE-2025-21894 bsc#1240581).
- net: enetc: Replace ifdef with IS_ENABLED (CVE-2025-21894
bsc#1240581).
- commit e9dce38
- wifi: iwlwifi: mvm: clean up ROC on failure (CVE-2025-21906
bsc#1240587).
- commit 887f91d
- lib: scatterlist: fix sg_split_phys to preserve original
scatterlist offsets (git-fixes).
- acpi: nfit: fix narrowing conversion in acpi_nfit_ctl
(git-fixes).
- commit ea68f49
- smb: client: fix open_cached_dir retries with 'hard' mount
option (bsc#1240616).
- commit 504723c
- exfat: fix the infinite loop in exfat_find_last_cluster()
(git-fixes).
- commit 8b30c73
- rpm/check-for-config-changes: ignore DRM_MSM_VALIDATE_XML
This option is dynamically enabled to build-test different configurations.
This makes run_oldconfig.sh complain sporadically for arm64.
- commit 8fbe8b1
- net: fix data-races around sk->sk_forward_alloc (CVE-2024-53124
bsc#1234074).
- commit ea48905
- sctp: fix possible UAF in sctp_v6_available() (CVE-2024-53139
bsc#1234157).
- commit 779dfcf
- usb: xhci: correct debug message page size calculation
(git-fixes).
- ucsi_ccg: Don't show failed to get FW build information error
(git-fixes).
- serial: 8250_dma: terminate correct DMA in tx_dma_flush()
(git-fixes).
- tty: serial: fsl_lpuart: disable transmitter before changing
RS485 related registers (git-fixes).
- staging: rtl8723bs: select CONFIG_CRYPTO_LIB_AES (git-fixes).
- counter: microchip-tcb-capture: Fix undefined counter channel
state on probe (git-fixes).
- counter: stm32-lptimer-cnt: fix error handling when enabling
(git-fixes).
- ACPI: x86: Extend Lenovo Yoga Tab 3 quirk with skip GPIO
event-handlers (git-fixes).
- objtool: Fix segfault in ignore_unreachable_insn() (git-fixes).
- objtool, media: dib8000: Prevent divide-by-zero in
dib8000_set_dds() (git-fixes).
- objtool, spi: amd: Fix out-of-bounds stack access in
amd_set_spi_freq() (git-fixes).
- counter: fix privdata alignment (git-fixes).
- commit 8ea2563
- Move upstreamed ACPI patch into sorted section
- commit 871d0d6
- tty: serial: lpuart: only disable CTS instead of overwriting
the whole UARTMODIR register (git-fixes).
- PCI: histb: Fix an error handling path in histb_pcie_probe()
(git-fixes).
- PCI: Fix BAR resizing when VF BARs are assigned (git-fixes).
- PCI: Fix reference leak in pci_register_host_bridge()
(git-fixes).
- commit 808a9df
- net: better track kernel sockets lifetime (CVE-2025-21884
bsc#1240171).
- net: Add net_passive_inc() and net_passive_dec() (CVE-2025-21884
bsc#1240171).
- commit 741fa11
- Update
patches.suse/RDMA-core-Don-t-expose-hw_counters-outside-of-init-n.patch
(git-fixes bsc#1239925).
- Update
patches.suse/kABI-fix-for-RDMA-core-Don-t-expose-hw_counters-outs.patch
(git-fixes bsc#1239925).
Add bug reference.
- commit 8eef29b
- krb5
-
- Remove references to the LMDB backend in the kdc.conf manpage;
(bsc#1242060);
- libevent
-
- Disable the select backend, this can be easily done by lying
to configure. This is done due to:
* using fd number > 1024 on an fd_set results in a runtime
fortify source assertion, preventing further doom.
* select will not be changed to handle fd > 1024.
* this limit is unreasonably low for this century.
- Drop insserv_prereq and fillup_prereq macros: there are no
pre-scripts that would justify these dependencies.
- Update to 2.1.12 stable
* buffer: do not pass NULL to memcpy() from evbuffer_pullup()
* http: fix undefined-shift in EVUTIL_IS*_ helpers
* Check error code of evhttp_add_header_internal() in
evhttp_parse_query_impl()
* http: fix EVHTTP_CON_AUTOFREE in case of timeout
* evdns: Add additional validation for values of dns options
* Fix memory corruption in EV_CLOSURE_EVENT_FINALIZE with debug enabled
* increase segment refcnt only if evbuffer_add_file_segment() succeeds
* evdns: fix a crash when evdns_base with waiting requests is freed
* event_base_once: fix potential null pointer threat
* http: do not assume body for CONNECT
* evbuffer_add_file: fix freeing of segment in the error path
* Fix checking return value of the evdns_base_resolv_conf_parse()
* Support EV_CLOSED on linux for poll(2)
* Parse IPv6 scope IDs.
* evutil_time: detect and use _gmtime64_s()/_gmtime64()
* bufferevent: allow setting priority on socket and openssl type
* Fix EV_CLOSED detection/reporting
* Revert "Warn if forked from the event loop during event_reinit()"
- Add upstream patches with the feature of "prepare" and "check"
watchers. That feature is needed by envoy-proxy:
* 0001-evwatch-Add-prepare-and-check-watchers.patch
* 0002-evwatch-fix-race-condition.patch
- Update to 2.1.11 stable
* Fix ABI breakage that had been introduced in 2.1.10. Strictly speaking
this release breaks ABI again to make it compatible with <= 2.1.9.
+ See git commit 18104973 for more details
* evdns: add new options -- so-rcvbuf/so-sndbuf
* various autotools and cmake build changes
* buffer: fix possible NULL dereference in evbuffer_setcb() on ENOMEM
* Warn if forked from the event loop during event_reinit()
* evutil: set the have_checked_interfaces in evutil_check_interfaces()
* https-client: correction error checking
- Use FAT LTO objects in order to provide proper static library.
- Fix name of library package (bsc#1138369)
- Update to 2.1.10 stable
* evdns: add DNS_OPTION_NAMESERVERS_NO_DEFAULT /
EVDNS_BASE_NAMESERVERS_NO_DEFAULT
* Add support for EV_TIMEOUT to event_base_active_by_fd
* kqueue: Avoid undefined behaviour.
* Prevent integer overflow in kq_build_changes_list.
* evdns: fix lock/unlock mismatch in evdns_close_server_port()
* Protect min_heap_push_ against integer overflow.
* le-proxy: initiate use of the Winsock DLL
* Fix leaks in error path of the bufferevent_init_common_()
* buffer: make evbuffer_prepend() of zero-length array no-op
* Don't lose top error in SSL
* Remove needless check for arc4_seeded_ok
* Cleanup __func__ detection
* Add convenience macros for user-triggered events
* Notify event base if there are no more events, so it can exit without
delay
* Fix base unlocking in event_del() if event_base_set() ran in another
thread
* If precise_time is false, we should not set EVENT_BASE_FLAG_PRECISE_TIMER
* Fix race in access to ev_res from event loop with event_active()
* Return from event_del() after the last event callback termination
* Preserve socket error from listen across closesocket cleanup
* fix connection retries when there is more than one request for connection
* improve error path for bufferevent_{setfd,enable,disable}()
* Fix conceivable UAF of the bufferevent in evhttp_connection_free()
* Fix evhttp_connection_get_addr() for incoming http connections
* fix leaks in evhttp_uriencode()
* CONNECT method only takes an authority
* Allow bodies for GET/DELETE/OPTIONS/CONNECT
* Do not crash when evhttp_send_reply_start() is called after a timeout.
* Fix crashing http server when callback do not reply in place
* fix handling of close_notify (ssl) in http with openssl bufferevents
* use *_new_with_arg() to match function prototype
* avoid NULL dereference on request is not EVHTTP_REQ_POST
* bufferevent_socket_connect{,_hostname}() missing event callback and use
ret code
* don't fail be_null_filter if bytes are copied
* Call underlying bev ctrl GET_FD on filtered bufferevents
* be_openssl: avoid leaking of SSL structure
* Add missing includes into openssl-compat.h
* Explicitly call SSL_clear when resetting the fd.
* sample/https-client: use host SSL certificate store by default
* ipv6only socket bind support
* evdns: handle NULL filename explicitly
* Fix assert() condition in evbuffer_drain() for IOCP
* fix incorrect unlock of the buffer mutex (for deferred callbacks)
* Fix wrong assert in evbuffer_drain()
* Port `event_rpcgen.py` and `test/check-dumpevents.py` to Python 3.
- rename python2-shebang.patch -> python3-shebang.patch following port
- Make use of %license macro
- Add devel-static package, which is needed for building Envoy
(https://www.envoyproxy.io/) and Cilium with Envoy integration
- Fix an error about /usr/bin/env shebang in event_rpcgen.py
* python2-shebang.patch
- expat
-
- version update to 2.7.1
Bug fixes:
[#980] #989 Restore event pointer behavior from Expat 2.6.4
(that the fix to CVE-2024-8176 changed in 2.7.0);
affected API functions are:
- XML_GetCurrentByteCount
- XML_GetCurrentByteIndex
- XML_GetCurrentColumnNumber
- XML_GetCurrentLineNumber
- XML_GetInputContext
Other changes:
[#976] #977 Autotools: Integrate files "fuzz/xml_lpm_fuzzer.{cpp,proto}"
with Automake that were missing from 2.7.0 release tarballs
[#983] #984 Fix printf format specifiers for 32bit Emscripten
[#992] docs: Promote OpenSSF Best Practices self-certification
[#978] tests/benchmark: Resolve mistaken double close
[#986] Address compiler warnings
[#990] #993 Version info bumped from 11:1:10 (libexpat*.so.1.10.1)
to 11:2:10 (libexpat*.so.1.10.2); see https://verbump.de/
for what these numbers do
Infrastructure:
[#982] CI: Start running Perl XML::Parser integration tests
[#987] CI: Enforce Clang Static Analyzer clean code
[#991] CI: Re-enable warning clang-analyzer-valist.Uninitialized
for clang-tidy
[#981] CI: Cover compilation with musl
[#983] #984 CI: Cover compilation with 32bit Emscripten
[#976] #977 CI: Protect against fuzzer files missing from future
release archives
- version update to 2.7.0 for SLE-15-SP4
- deleted patches
- expat-CVE-2022-25235.patch (upstreamed)
- expat-CVE-2022-25236-relax-fix.patch (upstreamed)
- expat-CVE-2022-25236.patch (upstreamed)
- expat-CVE-2022-25313-fix-regression.patch (upstreamed)
- expat-CVE-2022-25313.patch (upstreamed)
- expat-CVE-2022-25314.patch (upstreamed)
- expat-CVE-2022-25315.patch (upstreamed)
- expat-CVE-2022-40674.patch (upstreamed)
- expat-CVE-2022-43680.patch (upstreamed)
- expat-CVE-2023-52425-1.patch (upstreamed)
- expat-CVE-2023-52425-2.patch (upstreamed)
- expat-CVE-2023-52425-backport-parser-changes.patch (upstreamed)
- expat-CVE-2023-52425-fix-tests.patch (upstreamed)
- expat-CVE-2024-28757.patch (upstreamed)
- expat-CVE-2024-45490.patch (upstreamed)
- expat-CVE-2024-45491.patch (upstreamed)
- expat-CVE-2024-45492.patch (upstreamed)
- expat-CVE-2024-50602.patch (upstreamed)
- version update to 2.7.0 (CVE-2024-8176 [bsc#1239618])
* Security fixes:
[#893] #973 CVE-2024-8176 -- Fix crash from chaining a large number
of entities caused by stack overflow by resolving use of
recursion, for all three uses of entities:
- general entities in character data ("<e>&g1;</e>")
- general entities in attribute values ("<e k1='&g1;'/>")
- parameter entities ("%p1;")
Known impact is (reliable and easy) denial of service:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:H/RL:O/RC:C
(Base Score: 7.5, Temporal Score: 7.2)
Please note that a layer of compression around XML can
significantly reduce the minimum attack payload size.
* Other changes:
[#935] #937 Autotools: Make generated CMake files look for
libexpat.@SO_MAJOR@.dylib on macOS
[#925] Autotools: Sync CMake templates with CMake 3.29
[#945] #962 #966 CMake: Drop support for CMake <3.13
[#942] CMake: Small fuzzing related improvements
[#921] docs: Add missing documentation of error code
XML_ERROR_NOT_STARTED that was introduced with 2.6.4
[#941] docs: Document need for C++11 compiler for use from C++
[#959] tests/benchmark: Fix a (harmless) TOCTTOU
[#944] Windows: Fix installer target location of file xmlwf.xml
for CMake
[#953] Windows: Address warning -Wunknown-warning-option
about -Wno-pedantic-ms-format from LLVM MinGW
[#971] Address Cppcheck warnings
[#969] #970 Mass-migrate links from http:// to https://
[#947] #958 ..
[#974] #975 Document changes since the previous release
[#974] #975 Version info bumped from 11:0:10 (libexpat*.so.1.10.0)
to 11:1:10 (libexpat*.so.1.10.1); see https://verbump.de/
for what these numbers do
- no source changes, just adding jira reference: jsc#SLE-21253
- freetype2
-
- enable brotli support (jsc#PED-12258)
- libgcrypt
-
- FIPS: Pad PKCS1.5 signatures with SHA3 correctly [bsc#1241605]
* Add libgcrypt-FIPS-sha3-asn.patch
- ncurses
-
- Modify patch ncurses-5.9-ibm327x.dif
* Backport sclp terminfo description entry for s390 sclp terminal lines
* Add a further sclp entry for qemu s390 based systems
* Make use of dumb
- openssl-3
-
- Security fix: [bsc#1240366]
* Minerva side channel vulnerability in P-384 on PPC arch
* Add openssl-3-p384-minerva-ppc.patch
* Add openssl-3-p384-minerva-ppc-p9.patch
- Security fix: [bsc#1240607]
* Check ssl/ssl3_read_internal null pointer [from commit 38b051a]
* Add openssl-check-ssl_read_internal-nullptr.patch
- FIPS: Fix EMS in crypto-policies FIPS:NO-ENFORCE-EMS
* [bsc#1230959, bsc#1232326, bsc#1231748]
* Add patch openssl-FIPS-fix-EMS-support.patch
- librdkafka
-
- 0001-Fix-timespec-conversion-to-avoid-infinite-loop-2108-.patch:
avoid endless loops (bsc#1242842)
- ruby2.5
-
- update suse.patch to 736ea75f25d52fdebb88ed6583468bd7c21190f6
- fix ReDoS in CGI::Util#escapeElement
bsc#1237806 CVE-2025-27220
- fix denial of service in CGI::Cookie.parse
bsc#1237804 CVE-2025-27219
- update suse.patch to 6bf78da1fc4048a11a8612741216ebc47d9ebb41
- move the request smuggling patch to the correct place
actually fixes bsc#1230930 CVE-2024-47220 and now boo#1235773
- libsolv
-
- build both static and dynamic libraries on new suse distros
- support the apk package and repository format (both v2 and v3)
- new dataiterator_final_{repo,solvable} functions
- bump version to 0.7.32
- Provide a symbol specific for the ruby-version
so yast does not break across updates (boo#1235598)
- sqlite3
-
- Sync version 3.49.1 from Factory (jsc#SLE-16032):
* CVE-2025-29087, bsc#1241020: Fix a bug in the concat_ws()
function, introduced in version 3.44.0, that could lead to a
memory error if the separator string is very large (hundreds
of megabytes).
* CVE-2025-29088, bsc#1241078: Enhanced the
SQLITE_DBCONFIG_LOOKASIDE interface to make it more robust
against misuse.
* Obsoletes sqlite3-rtree-i686.patch
- systemd
-
- Import commit a4100e9c74b0eafae18a13e9d1d988ebc8376c6a
806c21e22b umount: do not move busy network mounts (bsc#1236177)
- Apply coredump sysctl settings on systemd-coredump updates/removals.
- Add 1003-journal-again-create-user-journals-for-users-with-hi.patch (bsc#1242938)
Don't write messages sent from users with UID falling into the container UID
range to the system journal. Daemons in the container don't talk to the
outside journald as they talk to the inner one directly, which does its
journal splitting based on shifted uids.
- Import commit 2f79a45369489b656be509a1517afcae4fe3ee20
ebdfa3e44e man/pstore.conf: pstore.conf template is not always installed in /etc
304ed20aab man: coredump.conf template is not always installed in /etc (bsc#1237496)
- libxml2
-
- security update
- added patches
CVE-2025-32414 [bsc#1241551], out-of-bounds read when parsing text via the Python API
+ libxml2-CVE-2025-32414.patch
CVE-2025-32415 [bsc#1241453], a crafted XML document may lead to a heap-based buffer under-read
+ libxml2-CVE-2025-32415.patch
- libzypp
-
- fixed build with boost 1.88.
- XmlReader: Fix detection of bad input streams (fixes #635)
libxml2 2.14 potentially reads the complete stream, so it may
have the 'eof' bit set. Which is not 'good' but also not 'bad'.
- rpm: Fix detection of %triggerscript starts (bsc#1222044)
- RepoindexFileReader: add more <repo> related attributes a
service may set.
Add optional attributes gpgcheck, repo_gpgcheck, pkg_gpgcheck,
keeppackages, gpgkey, mirrorlist, and metalink with the same
semantic as in a .repo file.
- version 17.36.7 (35)
- Drop workaround for broken rpm-4.18 in Code16 (bsc#1237172)
- BuildRequires: %{libsolv_devel_package} >= 0.7.32.
Code16 moved static libs to libsolv-devel-static.
- Drop usage of SHA1 hash algorithm because it will become
unavailable in FIPS mode (bsc#1240529)
- Fix zypp.conf dupAllowVendorChange to reflect the correct
default (false).
The default was true in Code12 (libzypp-16.x) and changed to
false with Code15 (libzypp-17.x). Unfortunately this was done by
shipping a modified zypp.conf file rather than fixing the code.
- zypp.conf: Add `lock_timeout` ($ZYPP_LOCK_TIMEOUT) (bsc#1239809)
- version 17.36.6 (35)
- Fix computation of RepStatus if Repo URLs change.
- Fix lost double slash when appending to an absolute FTP url
(bsc#1238315)
Ftp actually differs between absolute and relative URL paths.
Absolute path names begin with a double slash encoded as '/%2F'.
This must be preserved when manipulating the path.
- version 17.36.5 (35)
- Add a transaction package preloader (fixes openSUSE/zypper#104)
This patch adds a preloader that concurrently downloads files
during a transaction commit. It's not yet enabled per default.
To enable the preview set ZYPP_CURL2=1 and ZYPP_PCK_PRELOAD=1
in the environment.
- RpmPkgSigCheck_test: Exchange the test package signingkey
(fixes #622)
- Exclude MediaCurl tests if DISABLE_MEDIABACKEND_TESTS (fixes #626)
- Strip a mediahandler tag from baseUrl querystrings.
- version 17.36.4 (35)
- nvme-cli
-
- Update to version 2.8+88.g21612f53:
* sed: perform a tper revert after lsp revert (bsc#1240656)
- openssh
-
- Enable --with-logind to call the SetTTY dbus method in systemd.
This allows "wall" to print messages in ssh ttys (bsc#1239671)
- Small fixes to unref the dbus session when any error occurs:
* logind_set_tty.patch
- Added openssh-cve-2025-32728.patch (bsc#1241012, CVE-2025-32728).
This fixes an upstream logic error handling the DisableForwarding
option.
- pam
-
- pam_unix/passverify: (get_account_info) [!HELPER_COMPILE]: Always return
PAM_UNIX_RUN_HELPER instead of trying to obtain the shadow password file
entry.
[passverify-always-run-the-helper-to-obtain-shadow_pwd.patch, bsc#1232234,
CVE-2024-10041]
- Do not reject the user with a hash assuming it's non-empty.
[pam_unix-allow-empty-passwords-with-non-empty-hashes.patch]
- patterns-base
-
- add bpftool to patterns enhanced base. jsc#PED-8375
- python-pyzmq
-
- Prevent open files leak by closing sockets on timeout (bsc#1241624)
- Added:
* close-socket-on-timeout.patch
- salt
-
- Fix aptpkg 'NoneType object has no attribute split' error
- Detect openEuler as RedHat family OS
- Ensure the correct crypt module is loaded
- Implement multiple inventory for ansible.targets
- Make x509 module compatible with M2Crypto 0.44.0
- Remove deprecated code from x509.certificate_managed test mode
- Move logrotate config to /usr/etc/logrotate.d where possible
- Add DEB822 apt repository format support
- Make Salt-SSH work with all SSH passwords (bsc#1215484)
- Fix issue of using update-alternatives with alts (#105)
- Fix virt_query outputter and add support for block devices
- Make _auth calls visible with master stats
- Repair mount.fstab_present always returning pending changes
- Set virtual grain in Podman systemd container
- Fix crash due to wrong client reference on `SaltMakoTemplateLookup`
- Enhance batch async and fix some detected issues
- Enhancement of Salt packaging
* Use update-alternatives for all salt scripts
* Use flexible dependencies for the subpackages
* Make salt-minion to require flavored zypp-plugin
* Make zyppnotify to use update-alternatives
* Drop unused yumnotify plugin
* Add dependency to python3-dnf-plugins-core for RHEL based
- Fix tests failures after "repo.saltproject.io" deprecation
- Fix error to stat '/root/.gitconfig' on gitfs
(bsc#1230944) (bsc#1234881) (bsc#1220905)
- Adapt to removal of hex attribute in pygit2 v1.15.0 (bsc#1230642)
- Enhance smart JSON parsing when garbage is present (bsc#1231605)
- Fix virtual grains for VMs running on Nutanix AHV (bsc#1234022)
- Fix issues running on Python 3.12 and 3.13
- Added:
* fix-deb822-nonetype-object-has-no-attribute-split-71.patch
* detect-openeuler-as-redhat-family-os.patch
* ensure-the-correct-crypt-module-is-loaded.patch
* implement-multiple-inventory-for-ansible.targets.patch
* make-x509-module-compatible-with-m2crypto-0.44.0.patch
* remove-deprecated-code-from-x509.certificate_managed.patch
* add-deb822-apt-source-format-support-692.patch
* remove-password-from-shell-after-functional-text-mat.patch
* repair-virt_query-outputter-655.patch
* make-_auth-calls-visible-with-master-stats-696.patch
* repair-fstab_present-test-mode-702.patch
* set-virtual-grain-in-podman-systemd-container-703.patch
* fixed-file-client-private-attribute-reference-on-sal.patch
* backport-batch-async-fixes-and-improvements-701.patch
* fix-tests-failures-after-repo.saltproject.io-depreca.patch
* fix-failed-to-stat-root-.gitconfig-issue-on-gitfs-bs.patch
* update-for-deprecation-of-hex-in-pygit2-1.15.0-and-a.patch
* enhance-find_json-garbage-filtering-bsc-1231605-688.patch
* fix-virtual-grains-for-vms-running-on-nutanix-ahv-bs.patch
* fix-issues-that-break-salt-in-python-3.12-and-3.13-6.patch
- python3-setuptools
-
- Add patch CVE-2025-47273.patch to fix a path traversal
vulnerability.
(bsc#1243313, CVE-2025-47273, gh#pypa/setuptools@250a6d17978f)
- samba
-
- Fix Samba printers reporting invalid sid during print jobs;
(bsc#1234210); (bso#15792).
- supportutils
-
- Changes to version 3.2.10
+ network.txt collect all firewalld zones (pr#233)
+ Collects gfs2 info (PED-11853, pr#235, pr#236)
+ Ignore tasks/threads to prevent collecting duplicate fd data in open_files (bsc#1230371, pr#237)
+ Added openldap2_5 support for SLES (pr#238)
+ Collects additional hawk details (pr#239)
+ Optimized filtering D/Z processes (pr#241)
+ Collect firewalld permanent configuration (pr#243)
+ ldap_info: support for multiple DBs and sanitize olcRootPW (bsc#1231838, pr#247)
+ Added dbus_info for dbus.txt (bsc#1222650, pr#248)
- Changes to version 3.2.9
+ Map running PIDs to RPM package owner aiding BPF program detection (bsc#1222896, bsc#1213291, PED-8221)
+ Supportconfig available in current distro (PED-7131)
+ Corrected display issues (bsc#1231396)
+ NFS takes too long, showmount times out (bsc#1231423)
+ Merged sle15 and master branches (bsc#1233726, PED-11669)
- timezone
-
- Update to 2025b:
* New zone for Aysén Region in Chile (America/Coyhaique) which
moves from -04/-03 to -03
- Refresh patches
* revert-philippines-historical-data.patch
* tzdata-china.diff
- xen
-
- Update to Xen 4.18.5 security bug fix release (bsc#1027519)
xen-4.18.5-testing-src.tar.bz2
- Dropped patches contained in new tarball
658190ea-x86-non-BIGMEM-on-16Tb-systems.patch
66dedebf-x86-HVM-recursion-in-linear-rw.patch
67645902-libxg-increase-LZMA_BLOCK_SIZE.patch
6776dea1-x86-spec-ctrl-SRSO_U-S_NO-and-SRSO_MSR_FIX.patch
677bcb65-x86-traps-rework-LER-init-and.patch
677c1a7c-x86-AMD-misc-setup-for-Fam1A.patch
67921698-x86-HVM-MMIO-emul-cache-bounds-check.patch
67935a31-x86-HVM-dyn-alloc-emul-cache-ents.patch
67935a4c-x86-HVM-rw-split-at-page.patch
67977673-x86-IOMMU-check-CMPXCHG16B-when-enabling.patch
67977677-AMD-IOMMU-atomically-update-IRTE.patch
679796ff-x86-PV-further-harden-guest-mem-access.patch
67a5cb5f-radix-tree-purge-node-alloc-hooks.patch
67a5cb94-radix-tree-introduce-RADIX_TREE_INIT.patch
67acb684-x86-offline-APs-with-IRQs-disabled.patch
67acb685-x86-SMP-disable-IRQs-ahead-of-AP-shutdown.patch
67acb686-x86-PCI-disable-MSI-at-shutdown.patch
67acb687-x86-IOMMU-disable-IRQs-at-shutdown.patch
67b4961e-console-dont-truncate-panic-messages.patch
67b49d86-memory-resource_max_frames-retval.patch
67b5d27c-SVM-separate-STI-from-VMRUN.patch
67c06178-x86-IOMMU-bus-to-bridge-lock-acquired-IRQ-safe.patch
67c818d6-x86-PVH-dom0-correct-iomem_caps-bound.patch
67c818d8-x86-Dom0-relax-Interrupt-Address-Range.patch
67c86fc1-xl-fix-channel-configuration-setting.patch
67cb03e0-x86-vlapic-ESR-write-handling.patch
67d17edd-x86-expose-MSR_FAM10H_MMIO_CONF_BASE-on-AMD.patch
67d17ede-VT-x-PI-usage-of-msi_desc-msg-field.patch
67d2a3fe-libxl-avoid-infinite-loop-in-libxl__remove_directory.patch
67dada68-x86-mm-IS_ALIGNED-in-IS_LnE_ALIGNED.patch
67ea4268-x86-P2M-sync-fast-slow-p2m_get_page_from_gfn.patch
6800b54f-x86-HVM-update-repeat-count-upon.patch
68076044-x86emul-clip-rep-count-for-STOS.patch
6808f549-x86-Intel-work-around-MONITOR-MWAIT-errata.patch
68221f20-x86-alternative-when-feature-not-present.patch
68221f21-x86-guest-remove-Xen-hypercall_page.patch
68221f22-x86-misalign-__x86_indirect_thunk.patch
68221f23-x86-misalign-RETs-in-clear_bhb_loops.patch
68221f24-x86-stubs-introduce-place_ret.patch
68221f25-x86-build-with-Return-Thunks.patch
68221f26-x86-spec-ctrl-synthesise-ITS_NO.patch
- Failed to boot with XEN kernel on DL580 Gen12 (bsc#1242490)
658190ea-x86-non-BIGMEM-on-16Tb-systems.patch
- bsc#1243117 - VUL-0: CVE-2024-28956: xen: Intel CPU: Indirect
Target Selection (ITS) (XSA-469)
68221f20-x86-alternative-when-feature-not-present.patch
68221f21-x86-guest-remove-Xen-hypercall_page.patch
68221f22-x86-misalign-__x86_indirect_thunk.patch
68221f23-x86-misalign-RETs-in-clear_bhb_loops.patch
68221f24-x86-stubs-introduce-place_ret.patch
68221f25-x86-build-with-Return-Thunks.patch
68221f26-x86-spec-ctrl-synthesise-ITS_NO.patch
- Upstream bug fixes (bsc#1027519)
67c818d6-x86-PVH-dom0-correct-iomem_caps-bound.patch
67c818d8-x86-Dom0-relax-Interrupt-Address-Range.patch
67dada68-x86-mm-IS_ALIGNED-in-IS_LnE_ALIGNED.patch
67ea4268-x86-P2M-sync-fast-slow-p2m_get_page_from_gfn.patch
67f8ecda-rangeset-incorrect-subtraction.patch
6800b54f-x86-HVM-update-repeat-count-upon.patch
68076044-x86emul-clip-rep-count-for-STOS.patch
6808f549-x86-Intel-work-around-MONITOR-MWAIT-errata.patch
- zypper
-
- Updated translations (bsc#1230267)
- version 1.14.89
- Do not double encode URL strings passed on the commandline
(bsc#1237587)
URLs passed on the commandline must have their special chars
encoded already. We just want to check and encode forgotten
unsafe chars like a blank. A '%' however must not be encoded
again.
- version 1.14.88
- Package preloader that concurrently downloads files. It's not yet
enabled per default. To enable the preview set ZYPP_CURL2=1 and
ZYPP_PCK_PRELOAD=1 in the environment. (#104)
- BuildRequires: libzypp-devel >= 17.36.4.
- version 1.14.87
- refresh: add --include-all-archs (fixes #598)
Future multi-arch repos may allow to download only those metadata
which refer to packages actually compatible with the systems
architecture. Some tools however want zypp to provide the full
metadata of a repository without filtering incompatible
architectures.
- info,search: add option to search and list Enhances
(bsc#1237949)
- version 1.14.86