000release-packages:SLE-Micro-release
n/a
aaa_base
- silence the output in the case of broken symlinks (bsc#1218232)

- fix git-47-04210f8df15da0ba4d741cfe1693af06f5978a1d.patch
  to actually apply

- replace git-47-04210f8df15da0ba4d741cfe1693af06f5978a1d.patch
  by git-47-056fc66c699a8544c7692a03c905fca568f5390b.patch
  * fix the issues from bsc#1107342 and bsc#1215434 and just
    use the settings from update-alternatives to set JAVA_HOME
audit-secondary
- Fix plugin termination when using systemd service units (bsc#1215377)
  * add auditd.service-fix-plugin-termination.patch
ca-certificates
- Update to version 2+git20240416.98ae794 (bsc#1221184):
  * Use flock to serialize calls (boo#1188500)
  * Make certbundle.run container friendly
  * Create /var/lib/ca-certificates if needed
cloud-netconfig
- Update to version 1.14
  + Use '-s' instead of '--no-progress-meter' for curl (bsc#1221757)

- Add version settings to Provides/Obsoletes

- Update to version 1.12 (bsc#1221202)
  + If token access succeeds using IPv4 do not use the IPv6 endpoint
    only use the IPv6 IMDS endpoint if IPv4 access fails.

- Add Provides/Obsoletes for dropped cloud-netconfig-nm
- Install dispatcher script into /etc/NetworkManager/dispatcher.d
  on older distributions
- Add BuildReqires: NetworkManager to avoid owning dispatcher.d
  parent directory

- Update to version 1.11:
  + Revert address metadata lookup in GCE to local lookup (bsc#1219454)
  + Fix hang on warning log messages
  + Check whether getting IPv4 addresses from metadata failed and abort
    if true
  + Only delete policy rules if they exist
  + Skip adding/removing IPv4 ranges if metdata lookup failed
  + Improve error handling and logging in Azure
  + Set SCRIPTDIR when installing netconfig wrapper

- Update to version 1.10:
  + Drop cloud-netconfig-nm sub package and include NM dispatcher
    script in main packages (bsc#1219007)
  + Spec file cleanup

- Update to version 1.9:
  + Drop package dependency on sysconfig-netconfig
  + Improve log level handling
  + Support IPv6 IMDS endpoint in EC2 (bsc#1218069)
cloud-regionsrv-client
- Update to version 10.1.7 (bsc#1220164, bsc#1220165)
  + Fix the failover path to a new target update server. At present a new
    server is not found since credential validation fails. We targeted
    the server detected in down condition to verify the credentials instead
    of the replacement server.

- Update EC2 plugin to 1.0.4 (bsc#1219156, bsc#1219159)
  + Fix the algorithm to determine the region from the availability zone
    information retrieved from IMDS.
- Update to version 10.1.6
  + Support specifying an IPv6 address for a manually configured target
    update server.
containerd
- Add patch for bsc#1217952:
  + 0002-shim-Create-pid-file-with-0644-permissions.patch

- Update to containerd v1.7.10. Upstream release notes:
  <https://github.com/containerd/containerd/releases/tag/v1.7.10>
- Rebase patches:
  * 0001-BUILD-SLE12-revert-btrfs-depend-on-kernel-UAPI-inste.patch
coreutils
- tail: fix tailing sysfs files where PAGE_SIZE > BUFSIZ (bsc#1219321)
  - add coreutils-tail-fix-tailing-sysfs-files-where-PAGE_SIZE-BUFSIZ.patch
cpio
- Fix cpio not working after the fix in bsc#1218571, fixes bsc#1219238
  * fix-bsc1219238.patch

- Fix CVE-2023-7207, path traversal vulnerability (bsc#1218571)
  * fix-CVE-2023-7207.patch
curl
- Security fix: [bsc#1221665, CVE-2024-2004]
  * Usage of disabled protocol
  * Add curl-CVE-2024-2004.patch

- Security fix: [bsc#1221667, CVE-2024-2398]
  * curl: HTTP/2 push headers memory-leak
  * Add curl-CVE-2024-2398.patch
docker
- Add patch to fix bsc#1220339
  * 0007-daemon-overlay2-remove-world-writable-permission-fro.patch
- rebase patches:
  * 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
  * 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
  * 0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch
  * 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
  * 0005-SLE12-revert-apparmor-remove-version-conditionals-fr.patch
  * 0006-Vendor-in-latest-buildkit-v0.11-branch-including-CVE.patch

- Allow to disable apparmor support (ALP supports only SELinux)

- Vendor latest buildkit v0.11:
  Add patch 0006-Vendor-in-latest-buildkit-v0.11-branch-including-CVE.patch that
  vendors in the latest v0.11 buildkit branch including bugfixes for the following:
  * bsc#1219438: CVE-2024-23653
  * bsc#1219268: CVE-2024-23652
  * bsc#1219267: CVE-2024-23651
- rebase patches:
  * 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
  * 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
  * 0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch
  * 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
  * 0005-SLE12-revert-apparmor-remove-version-conditionals-fr.patch
- switch from %patchN to %patch -PN syntax
- remove unused rpmlint filters and add filters to silence pointless bash & zsh
  completion warnings
glibc
- iconv-iso-2022-cn-ext.patch: iconv: ISO-2022-CN-EXT: fix out-of-bound
  writes when writing escape sequence (CVE-2024-2961, bsc#1222992)

- duplocale-global-locale.patch: duplocale: protect use of global locale
  (bsc#1220441, BZ #23970)

- qsort-invalid-cmp.patch: qsort: handle degenerated compare function
  (bsc#1218866)

- getaddrinfo-eai-memory.patch: getaddrinfo: translate ENOMEM to
  EAI_MEMORY (bsc#1217589, BZ #31163)

- aarch64-rawmemchr-unwind.patch: aarch64: correct CFI in rawmemchr
  (bsc#1217445, BZ #31113)
kernel-default
- tty: n_gsm: require CAP_NET_ADMIN to attach N_GSM0710 ldisc
  (bsc#1222619).
- commit 900d642

- x86/sev: Harden #VC instruction emulation somewhat (CVE-2024-25742 bsc#1221725).
- commit 2e3eba1

- README.BRANCH: Remove copy of branch name
- commit 4834fba

- README.BRANCH: Remove copy of branch name
- commit 704bda3

- Update
  patches.suse/HID-intel-ish-hid-ipc-Disable-and-reenable-ACPI-GPE-.patch
  (git-fixes CVE-2023-52519 bsc#1220920).
- Update
  patches.suse/HID-sony-Fix-a-potential-memory-leak-in-sony_probe.patch
  (git-fixes CVE-2023-52529 bsc#1220929).
- Update
  patches.suse/IB-hfi1-Fix-bugs-with-non-PAGE_SIZE-end-multi-iovec-.patch
  (git-fixes CVE-2023-52474 bsc#1220445).
- Update
  patches.suse/RDMA-siw-Fix-connection-failure-handling.patch
  (git-fixes CVE-2023-52513 bsc#1221022).
- Update
  patches.suse/RDMA-srp-Do-not-call-scsi_done-from-srp_abort.patch
  (git-fixes CVE-2023-52515 bsc#1221048).
- Update
  patches.suse/Revert-tty-n_gsm-fix-UAF-in-gsm_cleanup_mux.patch
  (git-fixes CVE-2023-52564 bsc#1220938).
- Update
  patches.suse/bpf-Check-rcu_read_lock_trace_held-before-calling-bp.patch
  (bsc#1220251 CVE-2023-52447 CVE-2023-52621 bsc#1222073).
- Update
  patches.suse/ieee802154-ca8210-Fix-a-potential-UAF-in-ca8210_prob.patch
  (git-fixes CVE-2023-52510 bsc#1220898).
- Update
  patches.suse/net-nfc-llcp-Add-lock-when-modifying-device-list.patch
  (git-fixes CVE-2023-52524 bsc#1220927).
- Update
  patches.suse/net-usb-smsc75xx-Fix-uninit-value-access-in-__smsc75.patch
  (git-fixes CVE-2023-52528 bsc#1220843).
- Update
  patches.suse/nfc-nci-assert-requested-protocol-is-valid.patch
  (git-fixes CVE-2023-52507 bsc#1220833).
- Update
  patches.suse/nilfs2-fix-potential-use-after-free-in-nilfs_gccache.patch
  (git-fixes CVE-2023-52566 bsc#1220940).
- Update
  patches.suse/nvme-fc-Prevent-null-pointer-dereference-in-nvme_fc_.patch
  (bsc#1214842 CVE-2023-52508 bsc#1221015).
- Update
  patches.suse/nvmet-tcp-Fix-a-kernel-panic-when-host-sends-an-inva.patch
  (bsc#1217987 bsc#1217988 bsc#1217989 CVE-2023-6535 CVE-2023-6536
  CVE-2023-6356 CVE-2023-52454 bsc#1220320).
- Update
  patches.suse/platform-x86-think-lmi-Fix-reference-leak.patch
  (git-fixes CVE-2023-52520 bsc#1220921).
- Update
  patches.suse/ravb-Fix-use-after-free-issue-in-ravb_tx_timeout_wor.patch
  (bsc#1212514 CVE-2023-35827 CVE-2023-52509 bsc#1220836).
- Update
  patches.suse/ring-buffer-Do-not-attempt-to-read-past-commit.patch
  (git-fixes CVE-2023-52501 bsc#1220885).
- Update
  patches.suse/serial-8250_port-Check-IRQ-data-before-use.patch
  (git-fixes CVE-2023-52567 bsc#1220839).
- Update
  patches.suse/spi-sun6i-fix-race-between-DMA-RX-transfer-completio.patch
  (git-fixes CVE-2023-52517 bsc#1221055).
- Update
  patches.suse/spi-sun6i-reduce-DMA-RX-transfer-width-to-single-byt.patch
  (git-fixes CVE-2023-52511 bsc#1221012).
- Update
  patches.suse/wifi-mwifiex-Fix-oob-check-condition-in-mwifiex_proc.patch
  (git-fixes CVE-2023-52525 bsc#1220840).
- Update
  patches.suse/x86-alternatives-disable-kasan-in-apply_alternatives.patch
  (git-fixes CVE-2023-52504 bsc#1221553).
- Update
  patches.suse/x86-srso-fix-sbpb-enablement-for-spec_rstack_overflow-off.patch
  (git-fixes CVE-2023-52575 bsc#1220871).
- commit 5f353b0

- Update patches.suse/0001-mmc-moxart_remove-Fix-UAF.patch
  (bsc#1194516 CVE-2022-0487 CVE-2022-48626 bsc#1220366).
- Update
  patches.suse/crypto-qcom-rng-ensure-buffer-for-generate-is-comple.patch
  (git-fixes CVE-2022-48629 bsc#1220989).
- Update
  patches.suse/crypto-qcom-rng-fix-infinite-loop-on-requests-not-mu.patch
  (git-fixes CVE-2022-48630 bsc#1220990).
- commit f8cf886

- Update
  patches.suse/ALSA-hda-intel-sdw-acpi-harden-detection-of-controll.patch
  (git-fixes CVE-2021-46926 bsc#1220478).
- Update
  patches.suse/ALSA-rawmidi-fix-the-uninitalized-user_pversion.patch
  (git-fixes CVE-2021-47096 bsc#1220981).
- Update
  patches.suse/IB-qib-Fix-memory-leak-in-qib_user_sdma_queue_pkts.patch
  (git-fixes CVE-2021-47104 bsc#1220960).
- Update
  patches.suse/Input-elantech-fix-stack-out-of-bound-access-in-elan.patch
  (git-fixes CVE-2021-47097 bsc#1220982).
- Update
  patches.suse/KVM-x86-mmu-Don-t-advance-iterator-after-restart-due.patch
  (git-fixes CVE-2021-47094 bsc#1221551).
- Update patches.suse/NFSD-Fix-READDIR-buffer-overflow.patch
  (git-fixes bsc#1196346 CVE-2021-47107 bsc#1220965).
- Update
  patches.suse/asix-fix-uninit-value-in-asix_mdio_read.patch
  (git-fixes CVE-2021-47101 bsc#1220987).
- Update
  patches.suse/drm-mediatek-hdmi-Perform-NULL-pointer-check-for-mtk.patch
  (git-fixes CVE-2021-47108 bsc#1220986).
- Update
  patches.suse/hwmon-lm90-Prevent-integer-overflow-underflow-in-hys.patch
  (git-fixes CVE-2021-47098 bsc#1220983).
- Update
  patches.suse/ipmi-Fix-UAF-when-uninstall-ipmi_si-and-ipmi_msghand.patch
  (git-fixes CVE-2021-47100 bsc#1220985).
- Update
  patches.suse/ipmi-ssif-initialize-ssif_info-client-early.patch
  (bsc#1193490 CVE-2021-47095 bsc#1220979).
- Update
  patches.suse/mac80211-fix-locking-in-ieee80211_start_ap-error-pat.patch
  (git-fixes CVE-2021-47091 bsc#1220959).
- Update
  patches.suse/net-fix-use-after-free-in-tw_timer_handler.patch
  (bsc#1217195 CVE-2021-46936 bsc#1220439).
- Update
  patches.suse/net-marvell-prestera-fix-incorrect-structure-access.patch
  (git-fixes CVE-2021-47102 bsc#1221009).
- Update
  patches.suse/net-smc-fix-kernel-panic-caused-by-race-of-smc_sock
  (git-fixes CVE-2021-46925 bsc#1220466).
- Update
  patches.suse/nitro_enclaves-Use-get_user_pages_unlocked-call-to-handle-mmap-assert.patch
  (git fixes (mm/gup) CVE-2021-46927 bsc#1220443).
- Update
  patches.suse/platform-x86-intel_pmc_core-fix-memleak-on-registrat.patch
  (git-fixes CVE-2021-47093 bsc#1220978).
- Update patches.suse/sctp-use-call_rcu-to-free-endpoint.patch
  (CVE-2022-20154 bsc#1200599 CVE-2021-46929 bsc#1220482).
- Update patches.suse/tee-optee-Fix-incorrect-page-free-bug.patch
  (jsc#SLE-21844 CVE-2021-47087 bsc#1220954).
- Update
  patches.suse/tun-avoid-double-free-in-tun_free_netdev.patch
  (bsc#1209635 CVE-2022-4744 git-fixes CVE-2021-47082
  bsc#1220969).
- Update
  patches.suse/usb-gadget-f_fs-Clear-ffs_eventfd-in-ffs_data_clear.patch
  (git-fixes CVE-2021-46933 bsc#1220487).
- Update patches.suse/usb-mtu3-fix-list_head-check-warning.patch
  (git-fixes CVE-2021-46930 bsc#1220484).
- Update
  patches.suse/veth-ensure-skb-entering-GRO-are-not-cloned.patch
  (git-fixes CVE-2021-47099 bsc#1220955).
- commit b15f74e

- dmaengine: fix NULL pointer in channel unregistration function (bsc#1221276 CVE-2023-52492)
- commit f21c2ab

- perf/x86/intel/uncore: Fix NULL pointer dereference issue in
  upi_fill_topology() (bsc#1220237, CVE-2023-52450).
- commit 246b58a

- x86/mmio: Disable KVM mitigation when X86_FEATURE_CLEAR_CPU_BUF is  set (bsc#1213456 CVE-2023-28746).
- commit 4fed4e6

- Sort upstream patches
- Refresh
  patches.suse/Documentation-hw-vuln-Add-documentation-for-RFDS.patch.
- Refresh
  patches.suse/KVM-x86-Export-RFDS_NO-and-RFDS_CLEAR-to-guests.patch.
- Refresh
  patches.suse/x86-entry-ia32-Ensure-s32-is-sign-extended-to-s64.patch.
- Refresh
  patches.suse/x86-rfds-Mitigate-Register-File-Data-Sampling-RFDS.patch.
- commit f172e12

- Refresh patches.kabi/team-Hide-new-member-header-ops.patch.
  Fix for kABI workaround.
- commit 6ba2f5d

- ceph: fix deadlock or deadcode of misusing dget() (bsc#1221058
  CVE-2023-52583).
- commit 1a81018

- netfs: Only call folio_start_fscache() one time for each folio
  (CVE-2023-52582 bsc#1220878).
- commit dfd082b

- Refresh
  patches.suse/mm-ima-kexec-of-use-memblock_free_late-from-ima_free.patch.
  Fix:
  * Section mismatch (function ima_free_kexec_buffer()) in modpost: vmlinux.o in ima_free_kexec_buffer()
  WARNING: modpost: vmlinux.o(.text+0xac1250): Section mismatch in reference from the function ima_free_kexec_buffer() to the function .init.text:__memblock_free_late()
- commit 5522f01

- Update
  patches.suse/usb-hub-Guard-against-accesses-to-uninitialized-BOS-.patch
  (bsc#1220790 CVE-2023-52477).
- commit d33bab7

- drm/radeon: check the alloc_workqueue return value in radeon_crtc_init() (bsc#1220413 CVE-2023-52470).
- commit 9d7d799

- drivers/amd/pm: fix a use-after-free in kv_parse_power_table (bsc#1220411 CVE-2023-52469).
- commit f4f0cf4

- group-source-files.pl: Quote filenames (boo#1221077).
  The kernel source now contains a file with a space in the name.
  Add quotes in group-source-files.pl to avoid splitting the filename.
  Also use -print0 / -0 when updating timestamps.
- commit a005e42

- mm,ima,kexec,of: use memblock_free_late from
  ima_free_kexec_buffer (bsc#1220872 CVE-2023-52576).
- commit b1b1c9a

- phy: ti: phy-omap-usb2: Fix NULL pointer dereference for SRP (bsc#1220340,CVE-2024-26600)
- commit 78e2b4a

- erofs: fix lz4 inplace decompression (CVE-2023-52497
  bsc#1220879).
- commit ddeedf9

- ACPI: extlog: fix NULL pointer dereference check (bsc#1221039
  CVE-2023-52605).
- commit 635c481

- kernel-binary: Fix i386 build
  Fixes: 89eaf4cdce05 ("rpm templates: Move macro definitions below buildrequires")
- commit f7c6351

- btrfs: remove BUG() after failure to insert delayed dir index
  item (bsc#1220918 CVE-2023-52569).
- btrfs: improve error message after failure to add delayed dir
  index item (bsc#1220918 CVE-2023-52569).
- commit 53e1d2d

- net: nfc: fix races in nfc_llcp_sock_get() and
  nfc_llcp_sock_get_sn() (CVE-2023-52502 bsc#1220831).
- commit 8c33586

- kabi: team: Hide new member header_ops (bsc#1220870
  CVE-2023-52574).
- commit 9f49992

- KVM: s390: fix setting of fpc register (git-fixes bsc#1220392
  bsc#1221040 CVE-2023-52597).
- commit a90b87c

- kernel-binary: vdso: fix filelist for non-usrmerged kernel
  Fixes: a6ad8af207e6 ("rpm templates: Always define usrmerged")
- commit fb3f221

- bpf, sockmap: Reject sk_msg egress redirects to non-TCP sockets
  (bsc#1220926 CVE-2023-52523).
- commit 90d9f50

- aoe: fix the potential use-after-free problem in aoecmd_cfg_pkts
  (bsc#1218562 CVE-2023-6270).
- commit 57a4cd4

- efivarfs: force RO when remounting if SetVariable is not
  supported (bsc#1220328 CVE-2023-52463).
- commit eed7fb0

- iommu/vt-d: Avoid memory allocation in iommu_suspend()
  (CVE-2023-52559 bsc#1220933).
- commit c9b01ef

- Refresh patches.suse/0001-powerpc-pseries-memhp-Fix-access-beyond-end-of-drmem.patch.
  - update to upstream version
  - rename to same name as SLE15 SP5
- commit 1d2def1

- KVM: x86: Export RFDS_NO and RFDS_CLEAR to guests (bsc#1213456 CVE-2023-28746).
- commit 4aebf4f

- x86/rfds: Mitigate Register File Data Sampling (RFDS)  (bsc#1213456 CVE-2023-28746).
- Update config files.
- commit 29c1c99

- Documentation/hw-vuln: Add documentation for RFDS (bsc#1213456 CVE-2023-28746).
- commit 81de603

- ravb: Fix use-after-free issue in ravb_tx_timeout_work()
  (bsc#1212514 CVE-2023-35827).
- team: fix null-ptr-deref when team device type is changed
  (bsc#1220870 CVE-2023-52574).
- commit 2cc53f5

- Update
  patches.suse/ice-xsk-return-xsk-buffers-back-to-pool-when-cleanin.patch
  (jsc#SLE-18375 bsc#1220961 CVE-2021-47105).
- Update patches.suse/net-mana-Fix-TX-CQE-error-handling.patch
  (bsc#1215986 bsc#1220932 CVE-2023-52532).
- Update
  patches.suse/net-mlx5e-Wrap-the-tx-reporter-dump-callback-to-extr.patch
  (jsc#SLE-19253 bsc#1220486 CVE-2021-46931).
  Added CVE references.
- commit 3e396c2

- Update patches.suse/i2c-validate-user-data-in-compat-ioctl.patch
  (git-fixes bsc#1220469 CVE-2021-46934).
  Add bug and CVE references.
- commit 3a04060

- wifi: mac80211: fix potential key use-after-free (CVE-2023-52530
  bsc#1220930).
- commit 3feca94

- Update patch reference for iwlwifi fix (CVE-2023-52531 bsc#1220931)
- commit bde87cf

- Update patch reference for pinctrl fix (CVE-2021-47083 bsc#1220917)
- commit b608623

- drm/bridge: sii902x: Fix probing race issue (bsc#1220736 CVE-2024-26607).
- commit 70198c4

- Update
  patches.suse/vt-fix-memory-overlapping-when-deleting-chars-in-the.patch
  (git-fixes bsc#1220845 CVE-2022-48627).
- Update
  patches.suse/x86-srso-add-srso-mitigation-for-hygon-processors.patch
  (git-fixes bsc#1220735 CVE-2023-52482).
  Add CVE references.
- commit dcdac38

- mfd: syscon: Fix null pointer dereference in
  of_syscon_register() (bsc#1220433 CVE-2023-52467).
- commit b0262b8

- bpf: Fix re-attachment branch in bpf_tracing_prog_attach
  (bsc#1220254 CVE-2024-26591).
- commit fc948d3

- selftests/bpf: Add test for alu on PTR_TO_FLOW_KEYS (bsc#1220255
  CVE-2024-26589).
- bpf: Reject variable offset alu on PTR_TO_FLOW_KEYS (bsc#1220255
  CVE-2024-26589).
- commit 8a833ce

- iommu/arm-smmu-v3: Fix soft lockup triggered by arm_smmu_mm_invalidate_range (CVE-2023-52484 bsc#1220797).
- commit 2229de3

- tls: fix race between tx work scheduling and socket close
  (CVE-2024-26585 bsc#1220187).
- commit 1306bff

- kabi: restore return type of dst_ops::gc() callback
  (CVE-2023-52340 bsc#1219295).
- ipv6: remove max_size check inline with ipv4 (CVE-2023-52340
  bsc#1219295).
- commit b8eec42

- netfilter: nf_tables: fix 64-bit load issue in
  nft_byteorder_eval() (CVE-2024-0607 bsc#1218915).
- netfilter: nf_tables: fix pointer math issue in
  nft_byteorder_eval() (CVE-2024-0607 bsc#1218915).
- commit e095cd0

- netfilter: nft_set_pipapo: skip inactive elements during set
  walk (CVE-2023-6817 bsc#1218195).
- commit 4032aa7

- tomoyo: fix UAF write bug in tomoyo_write_control() (bsc#1220825
  CVE-2024-26622).
- commit c8e5b38

- doc/README.SUSE: Update information about module support status
  (jsc#PED-5759)
  Following the code change in SLE15-SP6 to have externally supported
  modules no longer taint the kernel, update the respective documentation
  in README.SUSE:
  * Describe that support status can be obtained at runtime for each
  module from /sys/module/$MODULE/supported and for the entire system
  from /sys/kernel/supported. This provides a way how to now check that
  the kernel has any externally supported modules loaded.
  * Remove a mention that externally supported modules taint the kernel,
  but keep the information about bit 16 (X) and add a note that it is
  still tracked per module and can be read from
  /sys/module/$MODULE/taint. This per-module information also appears in
  Oopses.
- commit 9ed8107

- btrfs: fix double free of anonymous device after snapshot
  creation failure (bsc#1219126 CVE-2024-23850).
- commit 257a534

- btrfs: do not ASSERT() if the newly created subvolume already
  got read (bsc#1219126 CVE-2024-23850).
- commit a2ac581

- bpf: Minor cleanup around stack bounds (bsc#1220257
  CVE-2023-52452).
- bpf: Fix accesses to uninit stack slots (bsc#1220257
  CVE-2023-52452).
- bpf: Guard stack limits against 32bit overflow (git-fixes).
- bpf: Fix verification of indirect var-off stack access
  (git-fixes).
- commit 7d03125

- serial: 8250: omap: Don't skip resource freeing if
  pm_runtime_resume_and_get() failed (bsc#1220350 CVE-2023-52457).
- commit c82f528

- serial: imx: fix tx statemachine deadlock (bsc#1220364
  CVE-2023-52456).
- commit cd9f92c

- powerpc/pseries/memhp: Fix access beyond end of drmem array
  (bsc#1220250,CVE-2023-52451).
- commit fdc7254

- Update patch reference for input fix (CVE-2021-46932 bsc#1220444)
- commit e44e0b1

- Update patches.suse/i2c-Fix-a-potential-use-after-free.patch
  (git-fixes bsc#1220409 CVE-2019-25162).
  Add bug and CVE references.
- commit 6df4ebd

- efivarfs: force RO when remounting if SetVariable is not
  supported (bsc#1220328 CVE-2023-52463).
- commit 3cfef52

- btrfs: fix double free of anonymous device after snapshot
  creation failure (bsc#1219126 CVE-2024-23850).
- commit f8ba729

- mtd: Fix gluebi NULL pointer dereference caused by ftl notifier
  (bsc#1220238 CVE-2023-52449).
- commit c132b67

- fs/mount_setattr: always cleanup mount_kattr (bsc#1220457
  CVE-2021-46923).
- commit 89afe2f

- kABI: bpf: map_fd_put_ptr() signature kABI workaround
  (bsc#1220251 CVE-2023-52447).
- kABI: bpf: struct bpf_map kABI workaround (bsc#1220251
  CVE-2023-52447).
- kABI: bpf: map_fd_put_ptr() signature kABI workaround
  (bsc#1220251 CVE-2023-52447).
- kABI: bpf: struct bpf_map kABI workaround (bsc#1220251
  CVE-2023-52447).
- commit bec1c61

- selftests/bpf: Test outer map update operations in syscall
  program (bsc#1220251 CVE-2023-52447).
- selftests/bpf: Add test cases for inner map (bsc#1220251
  CVE-2023-52447).
- bpf: Defer the free of inner map when necessary (bsc#1220251
  CVE-2023-52447).
- Refresh patches.suse/kABI-padding-for-bpf.patch
- bpf: Set need_defer as false when clearing fd array during
  map free (bsc#1220251 CVE-2023-52447).
- bpf: Add map and need_defer parameters to .map_fd_put_ptr()
  (bsc#1220251 CVE-2023-52447).
- bpf: Check rcu_read_lock_trace_held() before calling bpf map
  helpers (bsc#1220251 CVE-2023-52447).
- rcu-tasks: Provide rcu_trace_implies_rcu_gp() (bsc#1220251
  CVE-2023-52447).
- selftests/bpf: Test outer map update operations in syscall
  program (bsc#1220251 CVE-2023-52447).
- selftests/bpf: Add test cases for inner map (bsc#1220251
  CVE-2023-52447).
- bpf: Defer the free of inner map when necessary (bsc#1220251
  CVE-2023-52447).
- Refresh patches.suse/kABI-padding-for-bpf.patch
- bpf: Set need_defer as false when clearing fd array during
  map free (bsc#1220251 CVE-2023-52447).
- bpf: Add map and need_defer parameters to .map_fd_put_ptr()
  (bsc#1220251 CVE-2023-52447).
- bpf: Check rcu_read_lock_trace_held() before calling bpf map
  helpers (bsc#1220251 CVE-2023-52447).
- rcu-tasks: Provide rcu_trace_implies_rcu_gp() (bsc#1220251
  CVE-2023-52447).
- commit aa6db76

- Update patch reference for HID fix (CVE-2023-52478 bsc#1220796)
- commit 4aec836

- Update patch reference for input fix (CVE-2023-52475 bsc#1220649)
- commit 00a87c8

- KVM: arm64: vgic-its: Avoid potential UAF in LPI translation
  cache (bsc#1220326, CVE-2024-26598).
- commit 74fd0dd

- x86/fpu: Stop relying on userspace for info to fault in xsave buffer (bsc#1220335, CVE-2024-26603).
- commit 4cbbdbf

- Update patch reference for NFC fix (CVE-2021-46924 bsc#1220459)
- commit 8ac32a8

- media: pvrusb2: fix use after free on context disconnection
  (CVE-2023-52445 bsc#1220241).
- commit e4643a5

- uio: Fix use-after-free in uio_open (bsc#1220140
  CVE-2023-52439).
- commit fbf52b1

- apparmor: avoid crash when parsed profile name is empty
  (CVE-2023-52443 bsc#1220240).
- commit 732bc93

- btrfs: do not ASSERT() if the newly created subvolume already
  got read (bsc#1219126 CVE-2024-23850).
- commit 087f1fb

- sched/membarrier: reduce the ability to hammer on sys_membarrier
  (git-fixes, bsc#1220398, CVE-2024-26602).
- commit 6f61ce3

- i2c: i801: Fix block process call transactions (bsc#1220009
  CVE-2024-26593).
- commit 1b64da9

- mlxsw: spectrum_acl_tcam: Fix stack corruption (bsc#1220243
  CVE-2024-26586).
- mlxsw: spectrum_acl_tcam: Fix NULL pointer dereference in
  error path (bsc#1220344 CVE-2024-26595).
- commit 6e8b589

- EDAC/thunderx: Fix possible out-of-bounds string access (bsc#1220330, CVE-2023-52464)
- commit 369d1fd

- Drop 2 git-fixes patches which are suspicious to introduce regression
  reported in bsc#1219073,
  - patches.suse/md-Set-MD_BROKEN-for-RAID1-and-RAID10-9631.patch.
  - patches.suse/md-raid1-free-the-r1bio-before-waiting-for-blocked-r-992d.patch.
- Refresh patches.suse/md-display-timeout-error.patch for the above
  change.
- commit 4ecd26a

- gfs2: Fix kernel NULL pointer dereference in gfs2_rgrp_dump
  (bsc#1220253 CVE-2023-52448).
- commit 12cdab5

- rpm templates: Always define usrmerged
  usrmerged is now defined in kernel-spec-macros and not the distribution.
  Only check if it's defined in kernel-spec-macros, not everywhere where
  it's used.
- commit a6ad8af

- nvme: remove nvme_alloc_request and nvme_alloc_request_qid
  (bsc#1214064).
  Refresh:
  - patches.suse/nvme-tcp-delay-error-recovery-until-the-next-kato.patch
- commit 6fc2117

- rpm templates: Move macro definitions below buildrequires
  Many of the rpm macros defined in the kernel packages depend directly or
  indirectly on script execution. OBS cannot execute scripts which means
  values of these macros cannot be used in tags that are required for OBS
  to see such as package name, buildrequires or buildarch.
  Accumulate macro definitions that are not directly expanded by mkspec
  below buildrequires and buildarch to make this distinction clear.
- commit 89eaf4c

- rpm/check-for-config-changes: add GCC_ASM_GOTO_OUTPUT_WORKAROUND to IGNORED_CONFIGS_RE
  Introduced by commit 68fb3ca0e408 ("update workarounds for gcc "asm
  goto" issue").
- commit be1bdab

- net: openvswitch: limit the number of recursions from action
  sets (bsc#1219835 CVE-2024-1151).
- commit ed2fd55

- README.BRANCH: use correct mail for Roy
- commit 6f3c32f

- compute-PATCHVERSION: Do not produce output when awk fails
  compute-PATCHVERSION uses awk to produce a shell script that is
  subsequently executed to update shell variables which are then printed
  as the patchversion.
  Some versions of awk, most notably bysybox-gawk do not understand the
  awk program and fail to run. This results in no script generated as
  output, and printing the initial values of the shell variables as
  the patchversion.
  When the awk program fails to run produce 'exit 1' as the shell script
  to run instead. That prevents printing the stale values, generates no
  output, and generates invalid rpm spec file down the line. Then the
  problem is flagged early and should be easier to diagnose.
- commit 8ef8383

- nvme: move nvme_stop_keep_alive() back to original position
  (bsc#1211515).
- commit b945fa0

- x86/asm: Add _ASM_RIP() macro for x86-64 (%rip) suffix (git-fixes).
- commit 636fc4c

- KVM: VMX: Move VERW closer to VMentry for MDS mitigation (git-fixes).
- KVM: VMX: Use BT+JNC, i.e. EFLAGS.CF to select VMRESUME vs. VMLAUNCH (git-fixes).
- x86/bugs: Use ALTERNATIVE() instead of mds_user_clear static key (git-fixes).
  Also add the removed mds_user_clear symbol to kABI severities as it is
  exposed just for KVM module and is generally a core kernel component so
  removing it is low risk.
- x86/entry_32: Add VERW just before userspace transition (git-fixes).
- x86/entry_64: Add VERW just before userspace transition (git-fixes).
- x86/bugs: Add asm helpers for executing VERW (git-fixes).
- commit 5b0be3c

- netfilter: nf_tables: disallow rule removal from chain binding
  (bsc#1218216 CVE-2023-5197).
- commit d7a1a4d

- netfilter: nf_tables: skip bound chain in netns release path
  (bsc#1218216 CVE-2023-5197).
- commit af879c8

- nvme: start keep-alive after admin queue setup (bsc#1211515).
- commit 13f904b

- net/rds: Fix UBSAN: array-index-out-of-bounds in rds_cmsg_recv
  (bsc#1219127 CVE-2024-23849).
- commit 43577c1

- kernel-binary: Move build script to the end
  All other spec templates have the build script at the end, only
  kernel-binary has it in the middle. Align with the other templates.
- commit 98cbdd0

- rpm templates: Aggregate subpackage descriptions
  While in some cases the package tags, description, scriptlets and
  filelist are located together in other cases they are all across the
  spec file. Aggregate the information related to a subpackage in one
  place.
- commit 8eeb08c

- rpm templates: sort rpm tags
  The rpm tags in kernel spec files are sorted at random.
  Make the order of rpm tags somewhat more consistent across rpm spec
  templates.
- commit 8875c35

- dm: limit the number of targets and parameter size area
  (bsc#1219827, bsc#1219146, CVE-2023-52429, CVE-2024-23851).
- commit 26dc83e

- Fix unresolved hunks in README.BRANCH
- commit 99bb861

- NFS: avoid infinite loop in pnfs_update_layout (bsc#1219633).
- commit b6a1f9a

- vhost: use kzalloc() instead of kmalloc() followed by memset()
  (CVE-2024-0340, bsc#1218689).
- commit 4c5a740

- README.BRANCH: Update cve/linux-5.14 maintainers
  Add myself to match SLE15-SP5 consumer + fix typo in branch name.
- commit da26653

- Refresh patches.suse/nfsd-fix-RELEASE_LOCKOWNER.patch.
  Accidentally removed nfs4_get_stateowner
- commit d77a474

- kernel-binary: certs: Avoid trailing space
- commit bc7dc31

- Bluetooth: Fix atomicity violation in {min,max}_key_size_set
  (git-fixes bsc#1219608 CVE-2024-24860).
- commit a1186fd

- README.BRANCH: update branch name to cve/linux-5.14, update maintainers
  as requested
- commit 8e34879

- rpm/kernel-binary.spec.in: install scripts/gdb when enabled in config
  (bsc#1219653)
  They are put into -devel subpackage. And a proper link to
  /usr/share/gdb/auto-load/ is created.
- commit 1dccf2a

- netfilter: nf_tables: check if catch-all set element is active
  in next generation (CVE-2024-1085 bsc#1219429).
- commit 7b3f4c4

- netfilter: nf_tables: reject QUEUE/DROP verdict parameters
  (CVE-2024-1086 bsc#1219434).
- commit 5f917ff

- Update
  patches.suse/drm-amdgpu-Fix-potential-fence-use-after-free-v2.patch
  (bsc#1219128 CVE-2023-51042 git-fixes).
- commit 4b937fc

- rpm/mkspec: sort entries in _multibuild
  Otherwise it creates unnecessary diffs when tar-up-ing. It's of course
  due to readdir() using "random" order as served by the underlying
  filesystem.
  See for example:
  https://build.opensuse.org/request/show/1144457/changes
- commit d1155de

- Revert "tracing: Increase trace array ref count on enable and
  filter files" (bsc#1219490).
  Deleted:
  patches.suse/tracing-Increase-trace-array-ref-count-on-enable-and-filter-files.patch
  patches.suse/tracing-Have-event-inject-files-inc-the-trace-array-ref-count.patch
  Backported commit f5ca233e2e66 ("tracing: Increase trace array ref count
  on enable and filter files") causes a kernel panic and its upstream
  fix-up bb32500fb9b7 ("tracing: Have trace_event_file have ref counters")
  cannot be easily backported because it affects kABI. Revert the commit
  and its one related + dependent patch, at least for now.
- commit 90d885a

- README.BRANCH: SLE15-SP4 became LTSS, update maintainers
- commit 94325df

- atm: Fix Use-After-Free in do_vcc_ioctl (CVE-2023-51780
  bsc#1218730).
- commit 658d424

- xen-netback: don't produce zero-size SKB frags (CVE-2023-46838,
  XSA-448, bsc#1218836).
- commit 9a897ff

- Update
  patches.suse/ext4-fix-kernel-BUG-in-ext4_write_inline_data_end.patch
  (CVE-2021-33631 bsc#1219412 bsc#1206894).
- commit 96c942c

- kabi, vmstat: skip periodic vmstat update for isolated CPUs
  (bsc#1217895).
- commit 8cb5798

- sched/isolation: add cpu_is_isolated() API (bsc#1217895).
- trace,smp: Add tracepoints around remotelly called functions
  (bsc#1217895).
- vmstat: skip periodic vmstat update for isolated CPUs
  (bsc#1217895).
- Refresh
  patches.suse/0002-kernel-smp-make-csdlock-timeout-depend-on-boot-param.patch.
- commit 668c0e0

- kernel-source: Fix description typo
- commit 8abff35

- nvmet-tcp: Fix the H2C expected PDU len calculation
  (bsc#1217987 bsc#1217988 bsc#1217989 CVE-2023-6535 CVE-2023-6536
  CVE-2023-6356).
- nvmet-tcp: remove boilerplate code (bsc#1217987 bsc#1217988
  bsc#1217989 CVE-2023-6535 CVE-2023-6536 CVE-2023-6356).
- nvmet-tcp: fix a crash in nvmet_req_complete() (bsc#1217987
  bsc#1217988 bsc#1217989 CVE-2023-6535 CVE-2023-6536
  CVE-2023-6356).
- nvmet-tcp: Fix a kernel panic when host sends an invalid H2C
  PDU length (bsc#1217987 bsc#1217988 bsc#1217989 CVE-2023-6535
  CVE-2023-6536 CVE-2023-6356).
- commit d968940

- clocksource: Skip watchdog check for large watchdog intervals
  (bsc#1217217).
- commit 63b1d6d

- clocksource: disable watchdog checks on TSC when TSC is watchdog
  (bsc#1215885).
- commit 2f92dd8

- nfsd4: add refcount for nfsd4_blocked_lock (bsc#1218968
  bsc#1219349).
- commit d38f35d

- wifi: brcmfmac: Fix use-after-free bug in brcmf_cfg80211_detach
  (CVE-2023-47233 bsc#1216702).
- commit 433859d

- rpm/constraints.in: set jobs for riscv to 8
  The same workers are used for x86 and riscv and the riscv builds take
  ages. So align the riscv jobs count to x86.
- commit b2c82b9

- net: sched: sch_qfq: Use non-work-conserving warning handler
  (CVE-2023-4921 bsc#1215275).
- commit b50ba0e

- mkspec: Use variant in constraints template
  Constraints are not applied consistently with kernel package variants.
  Add variant to the constraints template as appropriate, and expand it
  in mkspec.
- commit cc68ab9

- rpm/constraints.in: add static multibuild packages
  Commit 841012b049a5 (rpm/mkspec: use kernel-source: prefix for
  constraints on multibuild) added "kernel-source:" prefix to the
  dynamically generated kernels. But there are also static ones like
  kernel-docs. Those fail to build as the constraints are still not
  applied.
  So add the prefix also to the static ones.
  Note kernel-docs-rt is given kernel-source-rt prefix. I am not sure it
  will ever be multibuilt...
- commit c2e0681

- Update
  patches.suse/drm-atomic-Fix-potential-use-after-free-in-nonblocki.patch
  (bsc#1219120 CVE-2023-51043 git-fixes).
- commit d004027

- Revert "Limit kernel-source build to architectures for which the kernel binary"
  This reverts commit 08a9e44c00758b5f3f3b641830ab6affff041132.
  The fix for bsc#1108281 directly causes bsc#1218768, revert.
- commit 2943b8a

- mkspec: Include constraints for both multibuild and plain package always
  There is no need to check for multibuild flag, the constraints can be
  always generated for both cases.
- commit 308ea09

- rpm/mkspec: use kernel-source: prefix for constraints on multibuild
  Otherwise the constraints are not applied with multibuild enabled.
- commit 841012b

- rpm/kernel-source.rpmlintrc: add action-ebpf
  Upstream commit a79d8ba734bd (selftests: tc-testing: remove buildebpf
  plugin) added this precompiled binary blob. Adapt rpmlintrc for
  kernel-source.
- commit b5ccb33

- block: Fix kabi header include (bsc#1218929).
- commit 8f511ac

- scripts/tar-up.sh: don't add spurious entry from kernel-sources.changes.old
  The previous change added the manual entry from kernel-sources.change.old
  to old_changelog.txt unnecessarily.  Let's fix it.
- commit fb033e8

- Update
  patches.suse/ext4-improve-error-recovery-code-paths-in-__ext4_rem.patch
  (bsc#1213017 bsc#1219053 CVE-2024-0775).
- commit 97ea702

- block: free the extended dev_t minor later (bsc#1218930).
- commit 0972f94

- rpm/kernel-docs.spec.in: fix build with 6.8
  Since upstream commit f061c9f7d058 (Documentation: Document each netlink
  family), the build needs python yaml.
- commit 6a7ece3

- hv_netvsc: rndis_filter needs to select NLS (git-fixes).
- commit 6f3116b

- nfsd: fix RELEASE_LOCKOWNER (bsc#1218968).
- commit 605df5b

- netfilter: nf_tables: Reject tables of unsupported family
  (bsc#1218752 CVE-2023-6040).
- commit e03f1d3

- bcache: revert replacing IS_ERR_OR_NULL with IS_ERR (git-fixes).
- bcache: replace a mistaken IS_ERR() by IS_ERR_OR_NULL() in
  btree_gc_coalesce() (git-fixes).
- rbd: take header_rwsem in rbd_dev_refresh() only when updating
  (git-fixes).
- dm: don't lock fs when the map is NULL during suspend or resume
  (git-fixes).
- commit fe9ee72

- tipc: fix a potential deadlock on &tx->lock (bsc#1218916
  CVE-2024-0641).
- commit c872674

- Update metadata
- commit d121b79

- tipc: fix a potential deadlock on &tx->lock (bsc#1218916
  CVE-2024-0641).
- commit 7953be2

- Update metadata
- commit c015ae2

- smb: client: fix OOB in receive_encrypted_standard()
  (bsc#1218832 CVE-2024-0565).
- commit 3cac9c2

- ida: Fix crash in ida_free when the bitmap is empty (bsc#1218804
  CVE-2023-6915).
- commit 7caa324

- dm-integrity: don't modify bio's immutable bio_vec in
  integrity_metadata() (git-fixes).
- dm-verity: align struct dm_verity_fec_io properly (git-fixes).
- dm verity: don't perform FEC for failed readahead IO
  (git-fixes).
- bcache: avoid NULL checking to c->root in run_cache_set()
  (git-fixes).
- bcache: add code comments for bch_btree_node_get() and
  __bch_btree_node_alloc() (git-fixes).
- bcache: fixup multi-threaded bch_sectors_dirty_init() wake-up
  race (git-fixes).
- bcache: fixup lock c->root error (git-fixes).
- bcache: fixup init dirty data errors (git-fixes).
- bcache: prevent potential division by zero error (git-fixes).
- bcache: remove redundant assignment to variable cur_idx
  (git-fixes).
- bcache: check return value from btree_node_alloc_replacement()
  (git-fixes).
- bcache: avoid oversize memory allocation by small stripe_size
  (git-fixes).
- dm-delay: fix a race between delay_presuspend and delay_bio
  (git-fixes).
- dm zoned: free dmz->ddev array in dmz_put_zoned_devices
  (git-fixes).
- rbd: decouple parent info read-in from updating rbd_dev
  (git-fixes).
- rbd: decouple header read-in from updating rbd_dev->header
  (git-fixes).
- rbd: move rbd_dev_refresh() definition (git-fixes).
- rbd: prevent busy loop when requesting exclusive lock
  (git-fixes).
- rbd: retrieve and check lock owner twice before blocklisting
  (git-fixes).
- rbd: harden get_lock_owner_info() a bit (git-fixes).
- rbd: make get_lock_owner_info() return a single locker or NULL
  (git-fixes).
- dm cache policy smq: ensure IO doesn't prevent cleaner policy
  progress (git-fixes).
- dm raid: clean up four equivalent goto tags in raid_ctr()
  (git-fixes).
- dm raid: fix missing reconfig_mutex unlock in raid_ctr()
  error paths (git-fixes).
- dm integrity: reduce vmalloc space footprint on 32-bit
  architectures (git-fixes).
- dm thin metadata: Fix ABBA deadlock by resetting dm_bufio_client
  (git-fixes).
- bcache: fixup btree_cache_wait list damage (git-fixes).
- bcache: Fix __bch_btree_node_alloc to make the failure behavior
  consistent (git-fixes).
- bcache: Remove unnecessary NULL point check in node allocations
  (git-fixes).
- dm thin metadata: check fail_io before using data_sm
  (git-fixes).
- commit 7e800d7

- rbd: get snapshot context after exclusive lock is ensured to
  be held (git-fixes).
- Refresh for the above change,
  patches.suse/rbd-export-some-functions-used-by-lio-rbd-backend.patch.
  patches.suse/target_core_rbd-fix-rbd_img_request.snap_id-assignme.patch.
- commit dcd100d

- rbd: move RBD_OBJ_FLAG_COPYUP_ENABLED flag setting (git-fixes).
- Rebased for the above change,
  patches.suse/rbd-add-support-for-COMPARE_AND_WRITE-CMPEXT.patch.
- commit b5f85f8

- nbd: Fix debugfs_create_dir error checking (git-fixes).
- dm: don't lock fs when the map is NULL in process of resume
  (git-fixes).
- dm flakey: fix a crash with invalid table line (git-fixes).
- dm integrity: call kmem_cache_destroy() in dm_integrity_init()
  error path (git-fixes).
- dm clone: call kmem_cache_destroy() in dm_clone_init() error
  path (git-fixes).
- dm verity: fix error handling for check_at_most_once on FEC
  (git-fixes).
- nbd: fix incomplete validation of ioctl arg (git-fixes).
- null_blk: Always check queue mode setting from configfs
  (git-fixes).
- dm stats: check for and propagate alloc_percpu failure
  (git-fixes).
- dm crypt: avoid accessing uninitialized tasklet (git-fixes).
- dm crypt: add cond_resched() to dmcrypt_write() (git-fixes).
- commit ad93a37

- dm thin: fix deadlock when swapping to thin device
  (bsc#1177529).
- Delete the in-house patch by the above upstream patch,
  patches.suse/Avoid-deadlock-for-recursive-I-O-on-dm-thin-when-used-as-swap-4905.patch.
- commit 13bcec1

- rbd: avoid use-after-free in do_rbd_add() when rbd_dev_create()
  fails (git-fixes).
- dm cache: add cond_resched() to various workqueue loops
  (git-fixes).
- dm thin: add cond_resched() to various workqueue loops
  (git-fixes).
- dm: add cond_resched() to dm_wq_work() (git-fixes).
- dm: remove flush_scheduled_work() during local_exit()
  (git-fixes).
- dm: send just one event on resize, not two (git-fixes).
- dm flakey: fix logic when corrupting a bio (git-fixes).
- dm flakey: don't corrupt the zero page (git-fixes).
- dm init: add dm-mod.waitfor to wait for asynchronously probed
  block devices (git-fixes).
- loop: suppress uevents while reconfiguring the device
  (git-fixes).
- commit 2a9583d

- nbd: use the correct block_device in nbd_bdev_reset (git-fixes).
- Refresh for the above change,
  patches.suse/0019-nbd-fix-io-hung-while-disconnecting-device.patch.
  patches.suse/0031-nbd-Fix-hung-when-signal-interrupts-nbd_start_device_ioctl.patch.
- commit 2cb1a83

- blacklist.conf: add non-backport git-fixes commit
- commit ab480ce

- dm verity: skip redundant verity_handle_err() on I/O errors
  (git-fixes).
- commit 7d823a7

- Update
  patches.kabi/NFS-Fix-another-fsync-issue-after-a-server-reboot.patch
  (git-fixes, bsc#1217670).
- commit 69dfe32

- blacklist.conf: df1c357f25d8 netfs: Only call folio_start_fscache() one time for each folio
- commit 049ab09

- intel_idle: add Emerald Rapids Xeon support (bsc#1216016).
- commit 30bac4b

- Update patch reference for rose fix (CVE-2023-51782 bsc#1218757)
- commit da9f8e9

- blacklist.conf: c4d361f66ac9 fuse: share lookup state between submount and its parent
- commit 3180cfa

- powerpc/pseries/iommu: enable_ddw incorrectly returns direct
  mapping for SR-IOV device (bsc#1212091 ltc#199106 git-fixes).
- commit f20e9a0

- Store the old kernel changelog entries in kernel-docs package (bsc#1218713)
  The old entries are found in kernel-docs/old_changelog.txt in docdir.
  rpm/old_changelog.txt can be an optional file that stores the similar
  info like rpm/kernel-sources.changes.old.  It can specify the commit
  range that have been truncated.  scripts/tar-up.sh expands from the
  git log accordingly.
- commit c9a2566
krb5
- Fix memory leaks, add patch 0012-Fix-two-unlikely-memory-leaks.patch
  * CVE-2024-26458, bsc#1220770
  * CVE-2024-26461, bsc#1220771
less
- Fix CVE-2022-48624, LESSCLOSE handling in less does not quote shell
  metacharacters, bsc#1219901
  * CVE-2022-48624.patch
util-linux
- Properly neutralize escape sequences in wall
  (util-linux-CVE-2024-28085.patch, bsc#1221831, CVE-2024-28085,
  and its prerequisites: util-linux-fputs_careful1.patch,
  util-linux-wall-migrate-to-memstream.patch
  util-linux-fputs_careful2.patch).

- Add upstream patch
  more-exit-if-POLLERR-and-POLLHUP-on-stdin-is-received.patch
  bsc#1220117 - L3-Question: Processes not cleaned up after failed SSH session are using up 100% CPU

- Add upstream patch
  util-linux-libuuid-avoid-truncate-clocks.txt-to-improve-perform.patch
  bsc#1207987 gh#util-linux/util-linux@1d98827edde4
expat
- Security fix (boo#1221289, CVE-2024-28757): XML Entity Expansion
  attack when there is isolated use of external parsers.
  * Added expat-CVE-2024-28757.patch

- Security fix:
  * (CVE-2023-52425, bsc#1219559) denial of service (resource
    consumption) caused by processing large tokens.
  - Added patch expat-CVE-2023-52425-1.patch
  - Added patch expat-CVE-2023-52425-2.patch
  - Added patch expat-CVE-2023-52425-backport-parser-changes.patch
  - Added patch expat-CVE-2023-52425-fix-tests.patch
mozilla-nss
- update to NSS 3.90.2
  * bmo#1780432 - (CVE-2023-5388) Timing attack against RSA
    decryption in TLS. (bsc#1216198)
  * bmo#1867408 - add a defensive check for large ssl_DefSend
    return values.
gcc13
- Add gcc13-pr111731.patch to fix unwinding for JIT code.
  [bsc#1221239]

- Revert libgccjit dependency change.  [boo#1220724]

- Fix libgccjit-devel dependency, a newer shared library is OK.
- Fix libgccjit dependency, the corresponding compiler isn't required.

- Use %patch -P N instead of %patchN.

- Add gcc13-sanitizer-remove-crypt-interception.patch to remove
  crypt and crypt_r interceptors.  The crypt API change in SLE15 SP3
  breaks them.  [bsc#1219520]

- Update to gcc-13 branch head, 67ac78caf31f7cb3202177e642, git8285
- Add gcc13-pr88345-min-func-alignment.diff to add support for
  - fmin-function-alignment.  [bsc#1214934]

- Use %{_target_cpu} to determine host and build.

- Update to gcc-13 branch head, fc7d87e0ffadca49bec29b2107, git8250
  * Includes fix for building TVM.  [boo#1218492]

- Add cross-X-newlib-devel requires to newlib cross compilers.
  [boo#1219031]

- Package m2rte.so plugin in the gcc13-m2 sub-package rather than
  in gcc13-devel.  [boo#1210959]
- Require libstdc++6-devel-gcc13 from gcc13-m2 as m2 programs
  are linked against libstdc++6.

- Update to gcc-13 branch head, 36ddb5230f56a30317630a928, git8205

- Update to gcc-13 branch head, 741743c028dc00f27b9c8b1d5, git8109
  * Includes fix for building mariadb on i686.  [bsc#1217667]
  * Remove pr111411.patch contained in the update.

- Avoid update-alternatives dependency for accelerator crosses.
- Package tool links to llvm in cross-amdgcn-gcc13 rather than in
  cross-amdgcn-newlib13-devel since that also has the dependence.
- Depend on llvmVER instead of llvm with VER equal to
  %product_libs_llvm_ver where available and adjust tool discovery
  accordingly.  This should also properly trigger re-builds when
  the patchlevel version of llvmVER changes, possibly changing
  the binary names we link to.  [bsc#1217450]
gnutls
- Security fix: [bsc#1221747, CVE-2024-28835]
  * gnutls: certtool crash when verifying a certificate chain
  * Add gnutls-CVE-2024-28835.patch

- Security fix: [bsc#1221746, CVE-2024-28834]
  * gnutls: side-channel in the deterministic ECDSA
  * Add gnutls-CVE-2024-28834.patch

- jitterentropy: Release the memory of the entropy collector when
  using jitterentropy with phtreads as there is also a
  pre-intitization done in the main thread. [bsc#1221242]
  * Add gnutls-FIPS-jitterentropy-deinit-threads.patch

- Security fix: [bsc#1218862, CVE-2024-0567]
  * gnutls: rejects certificate chain with distributed trust
  * Cockpit (which uses gnuTLS) rejects certificate chain with
    distributed trust.
  * Add gnutls-CVE-2024-0567.patch

- Security fix: [bsc#1218865, CVE-2024-0553]
  * Incomplete fix for CVE-2023-5981.
  * The response times to malformed ciphertexts in RSA-PSK
    ClientKeyExchange differ from response times of ciphertexts
    with correct PKCS#1 v1.5 padding.
  * Add gnutls-CVE-2024-0553.patch
ncurses
- Add patch ncurses-6.1-bsc1220061.patch (bsc#1220061, CVE-2023-45918)
  * Backport from ncurses-6.4-20230615.patch
    improve checks in convert_string() for corrupt terminfo entry
nghttp2
- security update
- added patches
  fix CVE-2024-28182 [bsc#1221399], HTTP/2 CONTINUATION frames can be utilized for DoS attacks
  + nghttp2-CVE-2024-28182-1.patch
  fix CVE-2024-28182-2 [bsc#1221399], HTTP/2 CONTINUATION frames can be utilized for DoS attacks
  + nghttp2-CVE-2024-28182-2.patch
openssl-1_1
- Security fix: [bsc#1219243, CVE-2024-0727]
  * Add NULL checks where ContentInfo data can be NULL
  * Add openssl-CVE-2024-0727.patch
protobuf
- update to 25.1:
  * Raise warnings for deprecated python syntax usages
  * Add support for extensions in CRuby, JRuby, and FFI Ruby
  * Add support for options in CRuby, JRuby and FFI (#14594)
- update to 25.0:
  * Implement proto2/proto3 with editions
  * Defines Protobuf compiler version strings as macros and
    separates out suffix string definition.
  * Add utf8_validation feature back to the global feature set.
  * Setting up version updater to prepare for poison pills and
    embedding version info into C++, Python and Java gencode.
  * Merge the protobuf and upb Bazel repos
  * Editions: Introduce functionality to protoc for generating
    edition feature set defaults.
  * Editions: Migrate edition strings to enum in C++ code.
  * Create a reflection helper for ExtensionIdentifier.
  * Editions: Provide an API for C++ generators to specify their
    features.
  * Editions: Refactor feature resolution to use an intermediate
    message.
  * Publish extension declarations with declaration
    verifications.
  * Editions: Stop propagating partially resolved feature sets to
    plugins.
  * Editions: Migrate string_field_validation to a C++ feature
  * Editions: Include defaults for any features in the generated
    pool.
  * Protoc: parser rejects explicit use of map_entry option
  * Protoc: validate that reserved range start is before end
  * Protoc: support identifiers as reserved names in addition to
    string literals (only in editions)
  * Drop support for Bazel 5.
  * Allow code generators to specify whether or not they support
    editions.
  [#] C++
  * Set `PROTOBUF_EXPORT` on
    `InternalOutOfLineDeleteMessageLite()`
  * Update stale checked-in files
  * Apply PROTOBUF_NOINLINE to declarations of some functions
    that want it.
  * Implement proto2/proto3 with editions
  * Make JSON UTF-8 boundary check inclusive of the largest
    possible UTF-8 character.
  * Reduce `Map::size_type` to 32-bits. Protobuf containers can't
    have more than that
  * Defines Protobuf compiler version strings as macros and
    separates out suffix string definition.
  * Add `ABSL_ATTRIBUTE_LIFETIME_BOUND` attribute on generated
    oneof accessors.
  * Fix bug in reflection based Swap of map fields.
  * Add utf8_validation feature back to the global feature set.
  * Setting up version updater to prepare for poison pills and
    embedding version info into C++, Python and Java gencode.
  * Add prefetching to arena allocations.
  * Add `ABSL_ATTRIBUTE_LIFETIME_BOUND` attribute on generated
    repeated and map field accessors.
  * Editions: Migrate edition strings to enum in C++ code.
  * Create a reflection helper for ExtensionIdentifier.
  * Editions: Provide an API for C++ generators to specify their
    features.
  * Add `ABSL_ATTRIBUTE_LIFETIME_BOUND` attribute on generated
    string field accessors.
  * Editions: Refactor feature resolution to use an intermediate
    message.
  * Fixes for 32-bit MSVC.
  * Publish extension declarations with declaration
    verifications.
  * Export the constants in protobuf's any.h to support DLL
    builds.
  * Implement AbslStringify for the Descriptor family of types.
  * Add `ABSL_ATTRIBUTE_LIFETIME_BOUND` attribute on generated
    message field accessors.
  * Editions: Stop propagating partially resolved feature sets to
    plugins.
  * Editions: Migrate string_field_validation to a C++ feature
  * Editions: Include defaults for any features in the generated
    pool.
  * Introduce C++ feature for UTF8 validation.
  * Protoc: validate that reserved range start is before end
  * Remove option to disable the table-driven parser in protoc.
  * Lock down ctype=CORD in proto file.
  * Support split repeated fields.
  * In OSS mode omit some extern template specializations.
  * Allow code generators to specify whether or not they support
    editions.
  [#] Java
  * Implement proto2/proto3 with editions
  * Remove synthetic oneofs from Java gencode field accessor
    tables.
  * Timestamps.parse: Add error handling for invalid
    hours/minutes in the timezone offset.
  * Defines Protobuf compiler version strings as macros and
    separates out suffix string definition.
  * Add `ABSL_ATTRIBUTE_LIFETIME_BOUND` attribute on generated
    oneof accessors.
  * Add missing debugging version info to Protobuf Java gencode
    when multiple files are generated.
  * Fix a bad cast in putBuilderIfAbsent when already present due
    to using the result of put() directly (which is null if it
    currently has no value)
  * Setting up version updater to prepare for poison pills and
    embedding version info into C++, Python and Java gencode.
  * Fix a NPE in putBuilderIfAbsent due to using the result of
    put() directly (which is null if it currently has no value)
  * Update Kotlin compiler to escape package names
  * Add MapFieldBuilder and change codegen to generate it and the
    put{field}BuilderIfAbsent method.
  * Introduce recursion limit in Java text format parsing
  * Consider the protobuf.Any invalid if typeUrl.split("/")
    returns an empty array.
  * Mark `FieldDescriptor.hasOptionalKeyword()` as deprecated.
  * Fixed Python memory leak in map lookup.
  * Loosen upb for json name conflict check in proto2 between
    json name and field
  * Defines Protobuf compiler version strings as macros and
    separates out suffix string definition.
  * Add `ABSL_ATTRIBUTE_LIFETIME_BOUND` attribute on generated
    oneof accessors.
  * Ensure Timestamp.ToDatetime(tz) has correct offset
  * Do not check required field for upb python MergeFrom
  * Setting up version updater to prepare for poison pills and
    embedding version info into C++, Python and Java gencode.
  * Merge the protobuf and upb Bazel repos
  * Comparing a proto message with an object of unknown returns
    NotImplemented
  * Emit __slots__ in pyi output as a tuple rather than a list
    for --pyi_out.
  * Fix a bug that strips options from descriptor.proto in
    Python.
  * Raise warings for message.UnknownFields() usages and navigate
    to the new add
  * Add protobuf python keyword support in path for stub
    generator.
  * Add tuple support to set Struct
  * ### Python C-Extension (Default)
  * Comparing a proto message with an object of unknown returns
    NotImplemented
  * Check that ffi-compiler loads before using it to define
    tasks.
  [#] UPB (Python/PHP/Ruby C-Extension)
  * Include .inc files directly instead of through a filegroup
  * Loosen upb for json name conflict check in proto2 between
    json name and field
  * Add utf8_validation feature back to the global feature set.
  * Do not check required field for upb python MergeFrom
  * Merge the protobuf and upb Bazel repos
  * Added malloc_trim() calls to Python allocator so RSS will
    decrease when memory is freed
  * Upb: fix a Python memory leak in ByteSize()
  * Support ASAN detection on clang
  * Upb: bugfix for importing a proto3 enum from within a proto2
    file
  * Expose methods needed by Ruby FFI using UPB_API
  * Fix `PyUpb_Message_MergeInternal` segfault

- build against modern python on sle15

- Build with source and target levels 8
  * fixes build with JDK21
- Install the pom file with the new %%mvn_install_pom macro
- Do not install the pom-only artifacts, since the %%mvn_install_pom
  macro resolves the variables at the install time

- update to 23.4:
  * Add dllexport_decl for generated default instance.
  * Deps: Update Guava to 32.0.1

- update to 23.3:
  C++
  * Regenerate stale files
  * Use the same ABI for static and shared libraries on non-
    Windows platforms
  * Add a workaround for GCC constexpr bug
  Objective-C
  * Regenerate stale files
  UPB (Python/PHP/Ruby C-Extension)
  * Fixed a bug in `upb_Map_Delete()` that caused crashes in
    map.delete(k) for Ruby when string-keyed maps were in use.
  Compiler
  * Add missing header to Objective-c generator
  * Add a workaround for GCC constexpr bug
  Java
  * Rollback of: Simplify protobuf Java message builder by
    removing methods that calls the super class only.
  Csharp
  * [C#] Replace regex that validates descriptor names
- drop 0001-Use-the-same-ABI-for-static-and-shared-libraries-on-.patch (upstream)

- Add patch to fix linking ThreadSafeArena:
  * 0001-Use-the-same-ABI-for-static-and-shared-libraries-on-.patch
- Drop the protobuf-source package, no longer used

- update to 22.5:
  C++
  * Add missing cstdint header
  * Fix: missing -DPROTOBUF_USE_DLLS in pkg-config (#12700)
  * Avoid using string(JOIN..., which requires cmake 3.12
  * Explicitly include GTest package in examples
  * Bump Abseil submodule to 20230125.3 (#12660)
- update to 22.4:
  C++
  * Fix libprotoc: export useful symbols from .so
  * Fix btree issue in map tests.
  Python
  * Fix bug in _internal_copy_files where the rule would fail in
    downstream repositories.
  Other
  * Bump utf8_range to version with working pkg-config (#12584)
  * Fix declared dependencies for pkg-config
  * Update abseil dependency and reorder dependencies to ensure
    we use the version specified in protobuf_deps.
  * Turn off clang::musttail on i386

- drop python2 handling
- fix version handling and package the private libs again

- Fix confusion in versions

- Mention the rpmlintrc file in the spec.

- Make possible to build on older systems, like SLE12 that miss
  some of the used macros.

- update to v22.3
  UPB (Python/PHP/Ruby C-Extension)
  * Remove src prefix from proto import
  * Fix .gitmodules to use the correct absl branch
  * Remove erroneous dependency on googletest
- update to 22.2:
  Java
  * Add version to intra proto dependencies and add kotlin stdlib
    dependency
  * Add $ back for osgi header
  * Remove $ in pom files
- update to 22.1:
  * Add visibility of plugin.proto to python directory
  * Strip "src" from file name of plugin.proto
  * Add OSGi headers to pom files.
  * Remove errorprone dependency from kotlin protos.
  * Version protoc according to the compiler version number.
- update to 22.0:
  * This version includes breaking changes to: Cpp.
    Please refer to the migration guide for information:
    https://protobuf.dev/support/migration/#compiler-22
  * [Cpp] Migrate to Abseil's logging library.
  * [Cpp] `proto2::Map::value_type` changes to `std::pair`.
  * [Cpp] Mark final ZeroCopyInputStream, ZeroCopyOutputStream,
    and DefaultFieldComparator classes.
  * [Cpp] Add a dependency on Abseil (#10416)
  * [Cpp] Remove all autotools usage (#10132)
  * [Cpp] Add C++20 reserved keywords
  * [Cpp] Dropped C++11 Support
  * [Cpp] Delete Arena::Init
  * [Cpp] Replace JSON parser with new implementation
  * [Cpp] Make RepeatedField::GetArena non-const in order to
    support split RepeatedFields.
  * long list of bindings specific fixes see
    https://github.com/protocolbuffers/protobuf/releases/tag/v22.0
- python sub packages version is set 4.22.3 as defined in
  python/google/protobuf/__init__.py to stay compatible
- skip python2 builds by default
- drop patches:
  * 10355.patch,
  * gcc12-disable-__constinit-with-c++-11.patch (merged upstream)
- added patches:
  * add-missing-stdint-header.patch   added for compile fixes

- Enable LTO (boo#1133277).

- update to v21.12:
  * Python
  * Fix broken enum ranges (#11171)
  * Stop requiring extension fields to have a sythetic oneof (#11091)
  * Python runtime 4.21.10 not works generated code can not load valid
    proto.

- update to 21.11:
  * Python
  * Add license file to pypi wheels (#10936)
  * Fix round-trip bug (#10158)

- update to 21.10:
  * Java
  * Use bit-field int values in buildPartial to skip work on unset groups of
    fields. (#10960)
  * Mark nested builder as clean after clear is called (#10984)

- update to 21.9:
  * Ruby
  * Replace libc strdup usage with internal impl to restore musl compat (#10818)
  * Auto capitalize enums name in Ruby (#10454) (#10763)
  * Other
  * Fix for grpc.tools #17995 & protobuf #7474 (handle UTF-8 paths in argumentfile) (#10721)
  * C++
  * 21.x No longer define no_threadlocal on OpenBSD (#10743)
  * Java
  * Mark default instance as immutable first to avoid race during static initialization of default instances (#10771)
  * Refactoring java full runtime to reuse sub-message builders and prepare to
    migrate parsing logic from parse constructor to builder.
  * Move proto wireformat parsing functionality from the private "parsing
    constructor" to the Builder class.
  * Change the Lite runtime to prefer merging from the wireformat into mutable
    messages rather than building up a new immutable object before merging. This
    way results in fewer allocations and copy operations.
  * Make message-type extensions merge from wire-format instead of building up
    instances and merging afterwards. This has much better performance.
  * Fix TextFormat parser to build up recurring (but supposedly not repeated)
    sub-messages directly from text rather than building a new sub-message and
    merging the fully formed message into the existing field.

- update to 21.6:
  C++:
  * Reduce memory consumption of MessageSet parsing

- update to 21.5:
  PHP
  * Added getContainingOneof and getRealContainingOneof to descriptor.
  * fix PHP readonly legacy files for nested messages
  Python
  * Fixed comparison of maps in Python.

- add 10355.patch to fix soversioning

- update to 21.4:
  * Reduce the required alignment of ArenaString from 8 to 4

- update to 21.3:
  * C++
  * Add header search paths to Protobuf-C++.podspec (#10024)
  * Fixed Visual Studio constinit errors (#10232)
  * Fix #9947: make the ABI compatible between debug and non-debug builds (#10271)
  * UPB
  * Allow empty package names (fixes behavior regression in 4.21.0)
  * Fix a SEGV bug when comparing a non-materialized sub-message (#10208)
  * Fix several bugs in descriptor mapping containers (eg. descriptor.services_by_name)
  * for x in mapping now yields keys rather than values, to match Python
    conventions and the behavior of the old library.
  * Lookup operations now correctly reject unhashable types as map keys.
  * We implement repr() to use the same format as dict.
  * Fix maps to use the ScalarMapContainer class when appropriate
  * Fix bug when parsing an unknown value in a proto2 enum extension (protocolbuffers/upb#717)
  * PHP
  * Add "readonly" as a keyword for PHP and add previous classnames to descriptor pool (#10041)
  * Python
  * Make //:protobuf_python and //:well_known_types_py_pb2 public (#10118)
  * Bazel
  * Add back a filegroup for :well_known_protos (#10061)

- Update to 21.2:
- C++
  - cmake: Call get_filename_component() with DIRECTORY mode instead of PATH mode (#9614)
  - Escape GetObject macro inside protoc-generated code (#9739)
  - Update CMake configuration to add a dependency on Abseil (#9793)
  - Fix cmake install targets (#9822)
  - Use __constinit only in GCC 12.2 and up (#9936)
- Java
  - Update protobuf_version.bzl to separate protoc and per-language java … (#9900)
- Python
  - Increment python major version to 4 in version.json for python upb (#9926)
  - The C extension module for Python has been rewritten to use the upb library.
  - This is expected to deliver significant performance benefits, especially when
    parsing large payloads. There are some minor breaking changes, but these
    should not impact most users. For more information see:
    https://developers.google.com/protocol-buffers/docs/news/2022-05-06#python-updates
- PHP
  - [PHP] fix PHP build system (#9571)
  - Fix building packaged PHP extension (#9727)
  - fix: reserve "ReadOnly" keyword for PHP 8.1 and add compatibility (#9633)
  - fix: phpdoc syntax for repeatedfield parameters (#9784)
  - fix: phpdoc for repeatedfield (#9783)
  - Change enum string name for reserved words (#9780)
  - chore: [PHP] fix phpdoc for MapField keys (#9536)
  - Fixed PHP SEGV by not writing to shared memory for zend_class_entry. (#9996)
- Ruby
  - Allow pre-compiled binaries for ruby 3.1.0 (#9566)
  - Implement respond_to? in RubyMessage (#9677)
  - [Ruby] Fix RepeatedField#last, #first inconsistencies (#9722)
  - Do not use range based UTF-8 validation in truffleruby (#9769)
  - Improve range handling logic of RepeatedField (#9799)
- Other
  - Fix invalid dependency manifest when using descriptor_set_out (#9647)
  - Remove duplicate java generated code (#9909)

- Do not use %%autosetup, but %%setup and %%patch on other line
  * Allows building on SLE-12-SP5

- Add temporary patch gcc12-disable-__constinit-with-c++-11.patch
  that addresses gh#protocolbuffers/protobuf#9916.
python3
- Add bpo38361-syslog-no-slash-ident.patch (bsc#1222109,
  gh#python/cpython!16557) fixes syslog making default "ident"
  from sys.argv[0].

- (bsc#1219666, CVE-2023-6597) Add
  CVE-2023-6597-TempDir-cleaning-symlink.patch (patch from
  gh#python/cpython!99930) fixing symlink bug in cleanup of
  tempfile.TemporaryDirectory.
- Merge together bpo-36576-skip_tests_for_OpenSSL-111.patch into
  skip_SSL_tests.patch, and make them include all conditionals.

- Refresh CVE-2023-27043-email-parsing-errors.patch to
  gh#python/cpython!111116, fixing bsc#1210638 (CVE-2023-27043).
libsolv
- build for multiple python versions [jsc#PED-6218]
- bump version to 0.7.28
libssh
- Fix regression parsing IPv6 addresses provided as hostname (bsc#1220385)
  * Added libssh-fix-ipv6-hostname-regression.patch
libxml2
- Security fix (CVE-2024-25062, bsc#1219576) use-after-free in XMLReader
  * Added libxml2-CVE-2024-25062.patch
libzypp
- Fix creation of sibling cache dirs with too restrictive mode
  (bsc#1222398)
  Some install workflows in YAST may lead to too restrictive (0700)
  raw cache directories in case of newly created repos. Later
  commands running with user privileges may not be able to access
  these repos.
- version 17.32.4 (32)

- Update RepoStatus fromCookieFile according to the files mtime
  (bsc#1222086)
- TmpFile: Don't call chmod if makeSibling failed.
- version 17.32.3 (32)

- Fixup New VendorSupportOption flag VendorSupportSuperseded
  (jsc#OBS-301, jsc#PED-8014)
  Fixed the name of the keyword to "support_superseded" as it was
  agreed on in jsc#OBS-301.
- version 17.32.2 (32)

- Add resolver option 'removeUnneeded' to file weak remove jobs
  for unneeded packages (bsc#1175678)
- version 17.32.1 (32)

- Add resolver option 'removeOrphaned' for distupgrade
  (bsc#1221525)
- New VendorSupportOption flag VendorSupportSuperseded
  (jsc#OBS-301, jsc#PED-8014)
- Tests: fix vsftpd.conf where SUSE and Fedora use different
  defaults (fixes #522)
- Add default stripe minimum (#529)
- Don't expose std::optional where YAST/PK explicitly use c++11.
- Digest: Avoid using the deprecated OPENSSL_config.
- version 17.32.0 (32)

- ProblemSolution::skipsPatchesOnly overload to handout the
  patches.
- Remove https->http redirection exceptions for
  download.opensuse.org.
- version 17.31.32 (22)

- tui: allow to access the underlying ostream of out::Info.
- Add MLSep: Helper to produce not-NL-terminated multi line
  output.
- version 17.31.31 (22)

- applydeltaprm: Create target directory if it does not exist
  (bsc#1219442)
- Add ProblemSolution::skipsPatchesOnly (for openSUSE/zypper#514)
- Fix problems with EINTR in ExternalDataSource::getline (fixes
  bsc#1215698)
- version 17.31.30 (22)

- CheckAccessDeleted: fix running_in_container detection
  (bsc#1218782)
- Detect CURLOPT_REDIR_PROTOCOLS_STR availability at runtime
  (bsc#1218831)
- Make Wakeup class EINTR safe.
- Add a way to cancel media operations on shutdown
  (openSUSE/zypper#522)
  This patch adds a mechanism to signal libzypp that a shutdown was
  requested, usually when CTRL+C was pressed by the user. Currently
  only the media backend will utilize this, but can be extended to
  all code paths that use g_poll() to wait for events.
- Manually poll fds for curl in MediaCurl.
  Using curl_easy_perform does not give us the required control on
  when we want to cancel a download. Switching to the MultiCurl
  implementation with a external poll() event loop will give us
  much more freedom and helps us to improve our Ctrl+C handling.
- Move reusable curl poll code to curlhelper.h.
- version 17.31.29 (22)

- Fix to build with libxml 2.12.x (fixes #505)
- version 17.31.28 (22)
shadow
- bsc#1176006: Fix chage date miscalculation
  Add shadow-bsc1176006-chage-date.patch
- bsc#1188307: Fix passwd segfault
  Add shadow-bsc1188307-passwd-segfault.patch
- bsc#1203823: Remove pam_keyinit from PAM config files
  Remove pam_keyinit from PAM configuration.
  This was introduced for bsc#1144060.
netcfg
- Add krb-prop entry, fix for bsc#1211886.
openssh
- Add patches from upstream to change the default value of
  UpdateHostKeys to Yes (unless VerifyHostKeyDNS is enabled).
  This makes ssh update the known_hosts stored keys with all
  published versions by the server (after it's authenticated
  with an existing key), which will allow to identify the
  server with a different key if the existing key is considered
  insecure at some point in the future (bsc#1222831).
  * 0001-upstream-enable-UpdateHostkeys-by-default-when-the.patch
  * 0002-upstream-disable-UpdateHostkeys-by-default-if.patch

- Add patches openssh-7.7p1-seccomp_getuid.patch and
  openssh-bsc1216474-s390-leave-fds-open.patch
  (bsc#1216474, bsc#1218871)

- Fix hostbased ssh login failing occasionally with "signature
  unverified: incorrect signature" by fixing a typo in patch
  (bsc#1221123):
  * openssh-7.8p1-role-mls.patch

- Added openssh-cve-2023-51385.patch (bsc#1218215, CVE-2023-51385).
  This limits the use of shell metacharacters in host- and
  user names.
pam-config
- Fix pam_gnome_keyring module for AUTH.
  [pam-config-fix-pam_gnome_keyring.patch, bsc#1219767]
perl-Bootloader
- merge gh#openSUSE/perl-bootloader#166
- log grub2-install errors correctly (bsc#1221470)
- 0.947

- merge gh#openSUSE/perl-bootloader#161
- support old grub versions (<= 2.02) that used /usr/lib
  (bsc#1218842)
- create EFI boot fallback directory if necessary
- 0.946
python-instance-billing-flavor-check
- Version 0.0.6 (bsc#1218561)
  Support proxy setup on the client to access the update infrastructure
  API

- Version 0.0.5
  Add IPv6 support (bsc#1218739)
python3-M2Crypto
- Disable broken tests with openssl 3.2, bsc#1217782

- add timeout_300hz.patch to accept a small deviation from time
  in the testsuite (bsc#1212757)

- Adapt tests for OpenSSL v3.1.0
  * Add openssl-adapt-tests-for-3.1.0.patch

- add openssl-stop-parsing-header.patch (bsc#1205042)
- add m2crypto-0.38-ossl3-tests.patch
python-idna
- Add CVE-2024-3651.patch, backported from upstream commit
  gh#kjd/idna#172/commits/5beb28b9dd77912c0dd656d8b0fdba3eb80222e7
  (bsc#1222842, CVE-2024-3651)
salt
- Prevent directory traversal when creating syndic cache directory
  on the master (CVE-2024-22231, bsc#1219430)
- Prevent directory traversal attacks in the master's serve_file
  method (CVE-2024-22232, bsc#1219431)
- Added:
  * fix-cve-2024-22231-and-cve-2024-22232-bsc-1219430-bs.patch

- Ensure that pillar refresh loads beacons from pillar without restart
- Fix the aptpkg.py unit test failure
- Prefer unittest.mock to python-mock in test suite
- Enable "KeepAlive" probes for Salt SSH executions (bsc#1211649)
- Revert changes to set Salt configured user early in the stack (bsc#1216284)
- Align behavior of some modules when using salt-call via symlink (bsc#1215963)
- Fix gitfs "__env__" and improve cache cleaning (bsc#1193948)
- Remove python-boto dependency for the python3-salt-testsuite package for Tumbleweed
- Added:
  * fix-the-aptpkg.py-unit-test-failure.patch
  * enable-keepalive-probes-for-salt-ssh-executions-bsc-.patch
  * prefer-unittest.mock-for-python-versions-that-are-su.patch
  * update-__pillar__-during-pillar_refresh.patch
  * revert-make-sure-configured-user-is-properly-set-by-.patch
  * fix-gitfs-__env__-and-improve-cache-cleaning-bsc-119.patch
  * dereference-symlinks-to-set-proper-__cli-opt-bsc-121.patch
rpm-ndb
- remove imaevmsign plugin from rpm-ndb [bsc#1222259]
runc
- Add upstream patch <https://github.com/opencontainers/runc/pull/4219> to
  properly fix -ENOSYS stub on ppc64le. bsc#1192051 bsc#1221050
  + 0001-bsc1221050-libct-seccomp-patchbpf-rm-duplicated-code.patch
  + 0002-bsc1221050-seccomp-patchbpf-rename-nativeArch-linuxA.patch
  + 0003-bsc1221050-seccomp-patchbpf-always-include-native-ar.patch

- Update to runc v1.1.12. Upstream changelog is available from
  <https://github.com/opencontainers/runc/releases/tag/v1.1.12>. bsc#1218894
  * This release fixes a container breakout vulnerability (CVE-2024-21626). For
    more details, see the upstream security advisory:
    <https://github.com/opencontainers/runc/security/advisories/GHSA-xr7r-f8xq-vfvv>
  * Remove upstreamed patches:
  - CVE-2024-21626.patch
  * Update runc.keyring to match upstream changes.

[ This was only ever released for SLES. ]
- Add upstream patch to fix embargoed issue CVE-2024-21626. bsc#1218894
  <https://github.com/opencontainers/runc/security/advisories/GHSA-xr7r-f8xq-vfvv>
  + CVE-2024-21626.patch

- Update to runc v1.1.11. Upstream changelog is available from
  <https://github.com/opencontainers/runc/releases/tag/v1.1.11>.
sed
- 0001-sed-set-correct-umask-on-temporary-files.patch
  Fix for bsc#1221218
selinux-policy
- Update to version 20230511+git16.5733e724:
  * Dontaudit getty and plymouth the checkpoint_restore capability (bsc#1220361)

- Update to version 20230511+git14.93d944dd:
  * allow haveged to manage tmpfs directories (bsc#1213594)
sudo
- Fix NOPASSWD issue introduced by patches for CVE-2023-42465
  [bsc#1221151, bsc#1221134]
  * Update sudo-CVE-2023-42465-1of2.patch sudo-CVE-2023-42465-2of2.patch
  * Enable running regression selftests during build time.

- Security fix: [bsc#1219026, bsc#1220389, CVE-2023-42465]
  * Try to make sudo less vulnerable to ROWHAMMER attacks.
  * Add sudo-CVE-2023-42465-1of2.patch sudo-CVE-2023-42465-2of2.patch
supportutils-plugin-suse-public-cloud
- Update to version 1.0.9 (bsc#1218762, bsc#1218763)
  + Remove duplicate data collection for the plugin itself
  + Collect archive metering data when available
  + Query billing flavor status
supportutils
- Changes to version 3.1.29
  + Extended scaling for performance (bsc#1214713)
  + Fixed kdumptool output error (bsc#1218632)
  + Corrected podman ID errors (bsc#1218812)
  + Duplicate non root podman entries removed (bsc#1218814)
  + Corrected get_sles_ver for SLE Micro (bsc#1219241)
  + Check nvidida-persistenced state (bsc#1219639)

- Additional changes in version 3.1.28
  + ipset - List entries for all sets
  + ipvsadm - Inspect the virtual server table (pr#185)
  + Correctly detects Xen Dom0 (bsc#1218201)
  + Fixed smart disk error (bsc#1218282)

- Changes in version 3.1.28
  + Inhibit the conversion of port numbers to port names for network files (cherry picked from commit 55f5f716638fb15e3eb1315443949ed98723d250)
  + powerpc: collect rtas_errd.log and lp_diag.log files (pr#175)
  + Get list of pam.d file (cherry picked from commit eaf35c77fd4bc039fd7e3d779ec1c2c6521283e2)
  + Remove supportutils requires for util-linux-systemd and kmod (bsc#1193173)
  + Added missing klp information to kernel-livepatch.txt (bsc#1216390)
  + Fixed plugins creating empty files when using supportconfig.rc (bsc#1216388)
  + Provides long listing for /etc/sssd/sssd.conf (bsc#1211547)
  + Optimize lsof usage (bsc#1183663)
  + Added mokutil commands for secureboot (pr#179)
  + Collects chrony or ntp as needed (bsc#1196293)

- Changes in version 3.1.27
  + Fixed podman display issue (bsc#1217287)
  + Added nvme-stas configuration to nvme.txt (bsc#1216049)
  + Added timed command to fs-files.txt (bsc#1216827)
  + Collects zypp history file issue#166 (bsc#1216522)
  + Changed -x OPTION to really be exclude only (issue#146)
  + Collect HA related rpm package versions in ha.txt (pr#169)
suse-build-key
- Switch container key to be default RSA 4096bit. (jsc#PED-2777)

- run rpm commands in import script only when libzypp is not
  active. bsc#1219189 bsc#1219123

- run import script also in %posttrans section, but only when
  libzypp is not active. bsc#1219189 bsc#1219123
suse-module-tools
- Update to version 15.4.19:
  * rpm-script: add symlink /boot/.vmlinuz.hmac (bsc#1217775)
suseconnect-ng
- Allow "--rollback" flag to run on readonly filesystem (bsc#1220679)

- Update to version 1.7.0
  * Allow SUSEConnect on read write transactional systems (bsc#1219425)
systemd-default-settings
- Import 0.10
  5088997 SLE: Disable pids controller limit under user instances (jsc#SLE-10123)

- Import 0.9
  bb859bf user@.service: Disable controllers by default (jsc#PED-2276)

- The usage of drop-ins is now the official way for configuring systemd and its
  various daemons on Factory/ALP. Hence the early drop-ins SUSE specific
  "feature" has been abandoned.

- Import 0.8
  f34372f User priority '26' for SLE-Micro
  c8b6f0a Revert "Convert more drop-ins into early ones"

- Import commit 6b8dde1d4f867aff713af6d6830510a84fad58d2
  6b8dde1 Convert more drop-ins into early ones
systemd-rpm-macros
- Bump version to 15

- Order packages that requires systemd after systemd-sysvcompat when this part
  of the transaction (bsc#1217964)
  systemd-sysvcompat has been introduced recently and contains the compatibility
  scripts used to support SysV init scripts. Make sure that the packages ordered
  after systemd are also ordered after systemd-sysvcompat so theirs rpm
  scriptlets can still rely on the compat scripts.
  On distributions where systemd-sysvcompat doesn't exist, the new ordering
  constraint should be a nop.
timezone
- update to 2024a:
  * Kazakhstan unifies on UTC+5.  This affects Asia/Almaty and
    Asia/Qostanay which together represent the eastern portion of the
    country that will transition from UTC+6 on 2024-03-01 at 00:00 to
    join the western portion.  (Thanks to Zhanbolat Raimbekov.)
  * Palestine springs forward a week later than previously predicted
    in 2024 and 2025.  (Thanks to Heba Hamad.)  Change spring-forward
    predictions to the second Saturday after Ramadan, not the first;
    this also affects other predictions starting in 2039.
  * Asia/Ho_Chi_Minh's 1955-07-01 transition occurred at 01:00
    not 00:00.  (Thanks to Đoàn Trần Công Danh.)
  * From 1947 through 1949, Toronto's transitions occurred at 02:00
    not 00:00.  (Thanks to Chris Walton.)
  * In 1911 Miquelon adopted standard time on June 15, not May 15.
  * The FROM and TO columns of Rule lines can no longer be "minimum"
    or an abbreviation of "minimum", because TZif files do not support
    DST rules that extend into the indefinite past - although these
    rules were supported when TZif files had only 32-bit data, this
    stopped working when 64-bit TZif files were introduced in 1995.
    This should not be a problem for realistic data, since DST was
    first used in the 20th century.  As a transition aid, FROM columns
    like "minimum" are now diagnosed and then treated as if they were
    the year 1900; this should suffice for TZif files on old systems
    with only 32-bit time_t, and it is more compatible with bugs in
    2023c-and-earlier localtime.c.  (Problem reported by Yoshito
    Umaoka.)
  * localtime and related functions no longer mishandle some
    timestamps that occur about 400 years after a switch to a time
    zone with a DST schedule.  In 2023d data this problem was visible
    for some timestamps in November 2422, November 2822, etc. in
    America/Ciudad_Juarez.  (Problem reported by Gilmore Davidson.)
  * strftime %s now uses tm_gmtoff if available.  (Problem and draft
    patch reported by Dag-Erling Smørgrav.)
  * The strftime man page documents which struct tm members affect
    which conversion specs, and that tzset is called.  (Problems
    reported by Robert Elz and Steve Summit.)

- update to 2023d:
  * Ittoqqortoormiit, Greenland changes time zones on
    2024-03-31.
  * Vostok, Antarctica changed time zones on 2023-12-18.
  * Casey, Antarctica changed time zones five times since
    2020.
  * Code and data fixes for Palestine timestamps starting in
    2072.
  * A new data file zonenow.tab for timestamps starting now.
  * Fix predictions for DST transitions in Palestine in
    2072-2075, correcting a typo introduced in 2023a.
  * Vostok, Antarctica changed to +05 on 2023-12-18.  It had
    been at +07 (not +06) for years.
  * Change data for Casey, Antarctica to agree with
    timeanddate.com, by adding five time zone changes since 2020.
    Casey is now at +08 instead of +11.
  * Much of Greenland, represented by America/Nuuk, changed
    its standard time from -03 to -02 on 2023-03-25, not on
    2023-10-28.
  * localtime.c no longer mishandles TZif files that contain
    a single transition into a DST regime.  Previously,
    it incorrectly assumed DST was in effect before the transition
    too.
  * tzselect no longer creates temporary files.
  * tzselect no longer mishandles the following:
  * Spaces and most other special characters in BUGEMAIL,
    PACKAGE, TZDIR, and VERSION.
  * TZ strings when using mawk 1.4.3, which mishandles
    regular expressions of the form /X{2,}/.
  * ISO 6709 coordinates when using an awk that lacks the
    GNU extension of newlines in -v option-arguments.
  * Non UTF-8 locales when using an iconv command that
    lacks the GNU //TRANSLIT extension.
  * zic no longer mishandles data for Palestine after the
    year 2075.
- Refresh tzdata-china.diff
util-linux-systemd
- Properly neutralize escape sequences in wall
  (util-linux-CVE-2024-28085.patch, bsc#1221831, CVE-2024-28085,
  and its prerequisites: util-linux-fputs_careful1.patch,
  util-linux-wall-migrate-to-memstream.patch
  util-linux-fputs_careful2.patch).

- Add upstream patch
  more-exit-if-POLLERR-and-POLLHUP-on-stdin-is-received.patch
  bsc#1220117 - L3-Question: Processes not cleaned up after failed SSH session are using up 100% CPU

- Add upstream patch
  util-linux-libuuid-avoid-truncate-clocks.txt-to-improve-perform.patch
  bsc#1207987 gh#util-linux/util-linux@1d98827edde4
vim
- Updated to version 9.1 with patch level 0111, fixes the following security problems
  * Fixing bsc#1217316 (CVE-2023-48231) - VUL-0: CVE-2023-48231: vim: Use-After-Free in win_close()
  * Fixing bsc#1217320 (CVE-2023-48232) - VUL-0: CVE-2023-48232: vim: Floating point Exception in adjust_plines_for_skipcol()
  * Fixing bsc#1217321 (CVE-2023-48233) - VUL-0: CVE-2023-48233: vim: overflow with count for :s command
  * Fixing bsc#1217324 (CVE-2023-48234) - VUL-0: CVE-2023-48234: vim: overflow in nv_z_get_count
  * Fixing bsc#1217326 (CVE-2023-48235) - VUL-0: CVE-2023-48235: vim: overflow in ex address parsing
  * Fixing bsc#1217329 (CVE-2023-48236) - VUL-0: CVE-2023-48236: vim: overflow in get_number
  * Fixing bsc#1217330 (CVE-2023-48237) - VUL-0: CVE-2023-48237: vim: overflow in shift_line
  * Fixing bsc#1217432 (CVE-2023-48706) - VUL-0: CVE-2023-48706: vim: heap-use-after-free in ex_substitute
  * Fixing bsc#1219581 (CVE-2024-22667) - VUL-0: CVE-2024-22667: vim: stack-based buffer overflow in did_set_langmap function in map.c
  * Fixing bsc#1215005 (CVE-2023-4750) - VUL-0: CVE-2023-4750: vim: Heap use-after-free in function bt_quickfix
- for the complete list of changes see
  https://github.com/vim/vim/compare/v9.0.2103...v9.1.0111
wpa_supplicant
- Add CVE-2023-52160.patch - Bypassing WiFi Authentication (bsc#1219975)
zypper
- Do not try to refresh repo metadata as non-root user
  (bsc#1222086)
  Instead show refresh stats and hint how to update them.
- man: Explain how to protect orphaned packages by collecting
  them in a plaindir repo.
- packages: Add --autoinstalled and --userinstalled options to
  list them.
- Don't print 'reboot required' message if download-only or
  dry-run (fixes #529)
  Instead point out that a reboot would be required if the option
  was not used.
- Resepect zypper.conf option `showAlias` search commands
  (bsc#1221963)
  Repository::asUserString (or Repository::label) respects the
  zypper.conf option, while name/alias return the property.
- version 1.14.71

- dup: New option --remove-orphaned to remove all orphaned
  packages in dup (bsc#1221525)
- version 1.14.70

- info,summary: Support VendorSupportOption flag
  VendorSupportSuperseded (jsc#OBS-301, jsc#PED-8014)
- BuildRequires:  libzypp-devel >= 17.32.0.
  API cleanup and changes for VendorSupportSuperseded.
- Show active dry-run/download-only at the commit propmpt.
- patch: Add --skip-not-applicable-patches option (closes #514)
- Fix printing detailed solver problem description.
  The problem description() is one rule out possibly many in
  completeProblemInfo() the solver has chosen to represent the
  problem. So either description or completeProblemInfo should be
  printed, but not both.
- Fix bash-completion to work with right adjusted numbers in the
  1st column too (closes #505)
- Set libzypp shutdown request signal on Ctrl+C (fixes #522)
- lr REPO: In the detailed view show all baseurls not just the
  first one (bsc#1218171)
- version 1.14.69