SUSEConnect
- Update to 0.3.29
- replace env ruby path with native ruby path during build phase
ceph
- Update to version 12.2.13-706-gff66d09906:
  + rgw: Replace COMPLETE_MULTIPART_MAX_LEN with configurable rgw_max_put_param_size
    (bsc#1180509)
crmsh
- Update to version 3.0.4+git.1609987393.8fcf1c5f:
  * Fix: utils: skip if no netmask in the result of ip -o addr show(bsc#1180421)
  * Fix: bootstrap: add /etc/modules-load.d/watchdog.conf into csync.cfg(bsc#1180424)
  * Low: bootstrap: make invoke return specific error(bsc#1177023)
  * Fix: bootstrap: Refactor join_lock.py for more generic using purpose(bsc#1180149)
  * Dev: bootstrap: use ping to test host is reachable before joining
  * Low: bootstrap: check cluster was running on init node
- Use utils.mkdirp instead of mkdir command(bsc#1179999)(CVE-2020-35459); Add patch:
  * 0001-Fix-history-use-utils.mkdirp-instead-of-system-mkdir.patch
- Update to version 3.0.4+git.1607490926.e492f845:
  * Fix: bootstrap: use class JoinLock to manage lock in parallel join(bsc#1175976)
  * Low: bootstrap: minor change for _get_sbd_device_interactive function(bsc#1178333)
cups
- cups-1.7.5-CVE-2020-10001.patch fixes CVE-2020-10001
  access to uninitialized buffer in ipp.c (bsc#1180520)
- cups-1.7.5-CVE-2019-8842.patc fixes CVE-2019-8842 (bsc#1170671)
  the ippReadIO function may under-read an extension field
curl
- Update curl-CVE-2020-8284.patch [bsc#1179398, CVE-2020-8284]
- Apply "curl-CVE-2020-8284.patch" to enable --ftp-skip-pasv-ip by
  default. This change fixes a security issue where a malicious FTP
  server was able to use the `PASV` response to trick curl into
  connecting back to a given IP address and port, and this way
  potentially make curl extract information about services that are
  otherwise private and not disclosed, doing port scanning and
  service banner extractions. If curl operated on a URL provided by
  a user (which by all means is an unwise setup), a user was able
  to exploit that and pass in a URL to a malicious FTP server
  instance without needing any server breach to perform the attack.
  [CVE-2020-8284, bsc#1179398]
- Security fix: [bsc#1179399, CVE-2020-8285]
  * FTP wildcard stack overflow: The wc_statemach() internal
    function has been rewritten to use an ordinary loop instead of
    the recursive approach.
- Add curl-CVE-2020-8285.patch
- Security fix: [bsc#1175109, CVE-2020-8231]
  * An application that performs multiple requests with libcurl's
    multi API and sets the 'CURLOPT_CONNECT_ONLY' option, might in
    rare circumstances experience that when subsequently using the
    setup connect-only transfer, libcurl will pick and use the wrong
    connection and instead pick another one the application has
    created since then.
- Add curl-CVE-2020-8231.patch
cyrus-sasl
- bsc#1159635 VUL-0: CVE-2019-19906: cyrus-sasl: cyrus-sasl
  has an out-of-bounds write leading to unauthenticated remote
  denial-of-service in OpenLDAP via a malformed LDAP packet
  o apply upstream patch
- 0001-Fix-587.patch
fence-agents
- L3-Question: fence_vmware_soap no longer works after update
  ref:_00D1igLOd._5001iRVaF7:ref (bsc#1175506)
  Apply upstream patch:
  * 0001-fence_vmware_soap-fix-for-selfsigned-certificate.patch
google-guest-agent
- Update to version 20201102.00 (bsc#1179031, bsc#1179032)
  * Only attempt to connect to snapshot service once (#88)
google-guest-oslogin
- Update to version 20200925.00 (bsc#1179031, bsc#1179032)
  * add getpwnam,getpwuid,getgrnam,getgrgid (#42)
  * Change requires to not require the python library for policycoreutils. (#44)
  * add dial and recvline (#41)
  * PR feedback
  * new client component and tests
hawk2
- Update to version 2.5:
  * Improve further mechanism of controllers to system commands.
  * drop patch 0001-Improve-controllers.patch since merged upstream
  (CVE-2020-35458)
- Update to version 2.4.0+git.1607523195.05cd3222:
  * fix bsc#1179998. Handle better input on app controllers (CVE-2020-35458)
- Update to version 2.3.0+git.1607523195.05cd3222:
  * reduce CPU usage (fix bsc#1179651)
  * improve the way we disable TLS and use sysconfig vars(bsc#1179841)
  * simplify puma config file
java-1_7_1-ibm
- Update to Java 7.1 Service Refresh 4 Fix Pack 75 [bsc#1180063, bsc#1177943]
  CVE-2020-14792 CVE-2020-14797 CVE-2020-14782 CVE-2020-14781
  CVE-2020-14779 CVE-2020-14798 CVE-2020-14796 CVE-2020-14803
  * Class Libraries:
  - Z/OS specific C function send_file is changing the file pointer position
  * Security:
  - Add the new oracle signer certificate
  - Certificate parsing error
  - JVM memory growth can be caused by the IBMPKCS11IMPL crypto provider
  - Remove check for websphere signed jars
  - sessionid.hashcode generates too many collisions
  - The Java 8 IBM certpath provider does not honor the user
    specified system property for CLR connect timeout
kdump
- kdump-fix-multipath-user_friendly_names.patch: Update references
  (bsc#1111207, LTC#171953, bsc#1125218, LTC#175465, bsc#1153601).
- kdump-remove-console-hvc0-from-commandline.patch: remove
  console=hvc0 from commandline (bsc#1173914).
- kdump-set-serial-console-from-Xen-cmdline.patch: set serial
  console from Xen cmdline (bsc#1173914).
- kdump-Remove-noefi-and-acpi_rsdp-for-EFI-firmware.patch: Remove
  noefi and acpi_rsdp for EFI firmware (bsc#1123940, bsc#1170336).
- kdump-Add-skip_balance-option-to-BTRFS-mounts.patch: Add
  skip_balance option to BTRFS mounts (bsc#1108255).
- kdump-do-not-add-rd.neednet.patch: Do not add 'rd.neednet=1' to
  dracut command line (bsc#1177196).
libnl3
- Add libnl3-fix-ipv6-privacy-extension.patch: fix ipv6 privacy
  extension of NetworkManager not working by backporting these 3
  commits (bsc#1025043):
  42c41336000e ("add support for IFA_FLAGS nl attribute")
  dcc0baac020e ("addr: add address flag IFA_F_MANAGETEMPADDR")
  b203c89d862a ("addr: add address flag IFA_F_NOPREFIXROUTE")
libxml2
- Avoid quadratic checking of identity-constraints: [bsc#1178823]
  * key/unique/keyref schema attributes currently use quadratic loops
    to check their various constraints (that keys are unique and that
    keyrefs refer to existing keys).
  * This fix uses a hash table to avoid the quadratic behaviour.
- Add libxml2-Avoid-quadratic-checking-of-identity-constraints.patch
libyajl
- fix popd syntax, new bash doesn't like it anymore
libyui-qt
- Prevent segfault if an open dialog is left over:
  Don't do anything widget related after the QApplication is
  destroyed, in particular not deleting other widgets, even if
  indirectly via YDialog::deleteAllDialogs() in YUI.
  (bsc#1074596, bsc#1077991)
- 2.47.1.1
- Fix crash when shutting down the UI (gh#libyui-libyui-qt#41, bsc#931762)
- Fix a problem with hanging UI
- 2.47.1
- Add handler for Shift-F1 to show advanced keyboard shortcuts (bsc#1010039)
- 2.47.0
- Add support for @import directive in QSS
  (related to bsc#768112 and bsc#780621)
- 2.46.30
- Rename Y2COLORMODE to Y2ALTSTYLE for consistency
  (related to bsc#768112 and bsc#780621)
- 2.46.29
- Rename Y2HIGHCONTRAST environment variable to Y2COLORMODE
- Use 'alternate' instead of 'high-contrast'
- Load default style sheet if alternate style sheet does not exist
- All these changes are related to bsc#768112 and bsc#780621
- 2.46.28
- Fix high-contrast support (bsc#76811 and related to bsc#780621)
- 2.46.27
- Fix compilation with Qt 5.7 by using non-deprecated classes
  (boo#1001141).
- Force showing widgets that were added after opening a dialog
  (bsc#998593)
- Deliver timeout events only if the delivering dialog is still
  the topmost (can only happen with Ctrl-Shift-Alt key combos)
- 2.46.25
- Do not append new line when content of log view does not change
  (bnc#989155)
- 2.46.24
- Now Yast requests the focus to the window manager when running
  fullscreen instead of relying on the window manager focus policy
  (bsc#974627)
- 2.46.23
- Show help in wizard widget upon F1 and Alt-H (bnc#973389)
- 2.46.22
- fixed styling for the release notes dialog content (bsc#947167)
- 2.46.21
- Reorganized git for easier tarball creation:
  - RPM spec files are kept in git verbatim, not as templates
  - no longer call PREP_SPEC_FILES in CMakeLists.common
- No functional change but version bumped to push the package
  down the pipeline (boo#946079).
- Handle QtInfoMsg value in switch; fixes build with Qt 5.5
  (H Senjan, boo#942101).
- so-version bumped to match the main library.
- 2.46.19
- fixed styling for non-Wizard dialogues (bnc#925882)
- allow styling of the YQMainWinDock object (the main non-Wizard
  window)
- the stylesheet editor (Ctrl+Shift+Alt+s) also works for
  non-Wizard dialogues now
- 2.46.18
- fix layout of Help and Release Notes buttons (bsc#916814)
  (credits to tgoettlicher)
- 2.46.17
- include Help and Release notes buttons in keyboard shortcut
  resolution (bsc#880983)
- 2.46.16
- added keyboard shortcuts to Help and Release Notes buttons
  (bnc#880983)
- 2.46.15
- added QT-specific dialog for displaying release notes
- Fixed building with cmake 3.1 (PREFIX in spec, boo#911875).
- 2.46.14
libzypp
- RepoManager: Carefully tidy up the caches. Remove non-directory
  entries. (bsc#1178966)
- version 16.21.4 (0)
- ZYPP_MEDIA_CURL_DEBUG logs full Authorization: header (bsc#1174215)
  The Authorization: header may include base64 encoded credentials
  which could be restored from the log file. The credentials are
  now stripped from the log.
- version 16.21.3 (0)
logrotate
- Fix false alarm when using su and compress (bsc#1179189)
  Applies commit 15a768b340d1010e22955ace518425cdb13bba5f
  * Added patch logrotate-3.11.0-false-alarm-for-su-compress.patch
makedumpfile
- makedumpfile-x86_64-xen-vtop.patch: Update references
  (bsc#1014136, bsc#1068694, bsc#1162279).
- makedumpfile-vaddr_to_paddr_x86_64-Xen-fix.patch: Fix
  vaddr_to_paddr_x86_64 under Xen (bsc#1116830).
- makedumpfile-x86_64-xen-vtop.patch: Remove a hunk that breaks
  Xen dumps (bsc#1116830).
mutt
- Add patch mutt-colon.patch for bsc#1181221
  CVE-2021-3181: mutt: recipient parsing memory leak
  This patch combines three smaller commits
- Add a further correction in patch nofreeze-c72f740a.patch for
  external bodies as well (boo#1179461)
openldap2-client
- bsc#1178909 CVE-2020-25709 CVE-2020-25710 - Resolves two issues
    where openldap would crash due to malformed inputs.
  * patch: 0207-ITS-9383-remove-assert-in-certificateListValidate.patch
  * patch: 0208-ITS-9384-remove-assert-in-obsolete-csnNormalize23.patch
openssh
- Add openssh-CVE-2020-14145-information-leak.patch
  (CVE-2020-14145, bsc#1173513). This partially mitigates a
  potential information leak during host key exchange that could
  be exploited by a man-in-the-middle attacker.
pam-modules
- The fail delay is fixed and annoying. The relevant code sections
  from factory are backported here. There is no patch as the
  file with the offending code resides in the top level directory.
  [unix2_chkpw.c, bsc#1070595]
python-urllib3
- Add CVE-2020-26116-CRLF-injection.patch which raises ValueError
  if method contains control characters and thus prevents CRLF
  injection into URLs (bsc#1177211, bpo#39603, CVE-2020-26116,
  gh#urllib3/urllib3#1800).
python3
- Add CVE-2021-3177-buf_ovrfl_PyCArg_repr.patch fixing
  bsc#1181126 (CVE-2021-3177) buffer overflow in PyCArg_repr in
  _ctypes/callproc.c, which may lead to remote code execution.
- Provide the newest setuptools wheel (bsc#1176262,
  CVE-2019-20916) in their correct form (bsc#1180686).
python3-base
- Add CVE-2021-3177-buf_ovrfl_PyCArg_repr.patch fixing
  bsc#1181126 (CVE-2021-3177) buffer overflow in PyCArg_repr in
  _ctypes/callproc.c, which may lead to remote code execution.
- Provide the newest setuptools wheel (bsc#1176262,
  CVE-2019-20916) in their correct form (bsc#1180686).
sudo
- Fix Heap-based buffer overflow in Sudo [bsc#1181090,CVE-2021-3156]
  * sudo-CVE-2021-3156.patch
- Possible Dir Existence Test due to Race Condition in `sudoedit`
  [bsc#1180684,CVE-2021-23239]
  * sudo-CVE-2021-23239.patch
- Possible Symlink Attack in SELinux Context in `sudoedit` [bsc#1180685,
  CVE-2021-23240]
  * sudo-CVE-2021-23240.patch
- User Could Enable Debug Settings not Intended for it [bsc#1180687]
  * sudo-fix-bsc-1180687.patch
timezone
- timezone update 2021a (bsc#1177460)
  * South Sudan changes from +03 to +02 on 2021-02-01 at 00:00.
- timezone update 2020f (bsc#1177460)
  * 'make rearguard_tarballs' no longer generates a bad rearguard.zi,
    fixing a 2020e bug.
- timezone update 2020e (bsc#1177460)
  * Volgograd switches to Moscow time on 2020-12-27 at 02:00.
xen
- bsc#1179496 - VUL-0: CVE-2020-29480: xen: xenstore: watch
  notifications lacking permission checks (XSA-115)
  xsa115-1.patch
  xsa115-2.patch
  xsa115-3.patch
  xsa115-4.patch
  xsa115-5.patch
  xsa115-6.patch
  xsa115-7.patch
  xsa115-8.patch
  xsa115-9.patch
  xsa115-10.patch
- bsc#1179498 - VUL-0: CVE-2020-29481: xen: xenstore: new domains
  inheriting existing node permissions (XSA-322)
  xsa322.patch
- bsc#1179501 - VUL-0: CVE-2020-29484: xen: xenstore: guests can
  crash xenstored via watches (XSA-324)
  xsa324.patch
- bsc#1179502 - VUL-0: CVE-2020-29483: xen: xenstore: guests can
  disturb domain cleanup (XSA-325)
  xsa325.patch
- bsc#1179506 - VUL-0: CVE-2020-29566: xen: undue recursion in x86
  HVM context switch code (XSA-348)
  xsa348.patch
- bsc#1179514 - VUL-0: CVE-2020-29570: xen: FIFO event channels
  control block related ordering (XSA-358)
  xsa358.patch
- bsc#1179516 - VUL-0: CVE-2020-29571: xen: FIFO event channels
  control structure ordering (XSA-359)
  xsa359.patch
- Upstream bug fixes (bsc#1027519)
  5f76caaf-evtchn-FIFO-use-stable-fields.patch
  5faa974f-evtchn-rework-per-channel-lock.patch
  5fbcdf2e-evtchn-FIFO-access-last.patch
  5fc4ee23-evtchn-FIFO-queue-locking.patch
- bsc#1176782 - L3: xl dump-core shows missing nr_pages during
  core. If maxmem and current are the same the issue doesn't happen
  5fca3b32-tools-libs-ctrl-fix-dumping-of-ballooned-guest.patch
- bsc#1179477 - VUL-0: CVE-2020-29130: xen: out-of-bounds access
  while processing ARP packets
  CVE-2020-29130-qemut-out-of-bounds-access-while-processing-ARP-packets.patch
yast2-cluster
- bsc#1180424, add watchdog.conf to csync2 default list
- Version 3.4.2
zypper
- Fix typo in list-patches help (bsc#1178925)
- version 1.13.58