SUSEConnect
- Update to 0.3.29
- replace env ruby path with native ruby path during build phase
containerd
- Update to containerd v1.3.9, which is needed for Docker v19.03.14-ce and
  fixes CVE-2020-15257. bsc#1178969 bsc#1180243
- Update to containerd v1.3.7, which is required for Docker 19.03.13-ce.
  boo#1176708
- Refresh patches:
  * 0001-makefile-remove-emoji.patch
- Use Go 1.13 for build.
cups
- cups-1.7.5-CVE-2020-10001.patch fixes CVE-2020-10001
  access to uninitialized buffer in ipp.c (bsc#1180520)
- cups-1.7.5-CVE-2019-8842.patc fixes CVE-2019-8842 (bsc#1170671)
  the ippReadIO function may under-read an extension field
curl
- Update curl-CVE-2020-8284.patch [bsc#1179398, CVE-2020-8284]
- Security fix: [bsc#1179399, CVE-2020-8285]
  * FTP wildcard stack overflow: The wc_statemach() internal
    function has been rewritten to use an ordinary loop instead of
    the recursive approach.
- Add curl-CVE-2020-8285.patch
cyrus-sasl
- bsc#1159635 VUL-0: CVE-2019-19906: cyrus-sasl: cyrus-sasl
  has an out-of-bounds write leading to unauthenticated remote
  denial-of-service in OpenLDAP via a malformed LDAP packet
  o apply upstream patch
- 0001-Fix-587.patch
docker
- Update to Docker 19.03.14-ce. See upstream changelog in the packaged
  /usr/share/doc/packages/docker/CHANGELOG.md. CVE-2020-15257 bsc#1180243
  https://github.com/docker/docker-ce/releases/tag/v19.03.14
- Enable fish-completion
- Add a patch which makes Docker compatible with firewalld with
  nftables backend. Backport of https://github.com/moby/libnetwork/pull/2548
  (boo#1178801, SLE-16460)
  * boo1178801-0001-Add-docker-interfaces-to-firewalld-docker-zone.patch
- Update to Docker 19.03.13-ce. See upstream changelog in the packaged
  /usr/share/doc/packages/docker/CHANGELOG.md. bsc#1176708
- Fixes for %_libexecdir changing to /usr/libexec (bsc#1174075)
- Emergency fix: %requires_eq does not work with provide symbols,
  only effective package names. Convert back to regular Requires.
- Update to Docker 19.03.12-ce. See upstream changelog in the packaged
  /usr/share/doc/packages/docker/CHANGELOG.md.
- Use Go 1.13 instead of Go 1.14 because Go 1.14 can cause all sorts of
  spurious errors due to Go returning -EINTR from I/O syscalls much more often
  (due to Go 1.14's pre-emptive goroutine support).
  - bsc1172377-0001-unexport-testcase.Cleanup-to-fix-Go-1.14.patch
- Add BuildRequires for all -git dependencies so that we catch missing
  dependencies much more quickly.
docker-runc
- Switch to Go 1.13 for build.
flac
- Fix out-of-bounds access (CVE-2020-0499 bsc#1180099):
  libFLAC-bitreader.c-Fix-out-of-bounds-read.patch
golang-github-docker-libnetwork
- Update to libnetwork 55e924b8a842, which is required for Docker 19.03.14-ce.
  bsc#1180243
- Add patch which makes libnetwork compatible with firewalld with
  nftables backend. Backport of https://github.com/moby/libnetwork/pull/2548
  (boo#1178801, SLE-16460)
  * boo1178801-0001-Add-docker-interfaces-to-firewalld-docker-zone.patch
- Update to libnetwork 026aabaa6598, which is required for Docker 19.03.12-ce.
java-1_6_0-ibm
- Fixed jpackage-java-1_6_0-ibm-webstart.desktop file to allow
  Java jnlp files run from Firefox. [bsc#1057460]
kdump
- kdump-fix-multipath-user_friendly_names.patch: Update references
  (bsc#1111207, LTC#171953, bsc#1125218, LTC#175465, bsc#1153601).
- kdump-remove-console-hvc0-from-commandline.patch: remove
  console=hvc0 from commandline (bsc#1173914).
- kdump-set-serial-console-from-Xen-cmdline.patch: set serial
  console from Xen cmdline (bsc#1173914).
- kdump-Remove-noefi-and-acpi_rsdp-for-EFI-firmware.patch: Remove
  noefi and acpi_rsdp for EFI firmware (bsc#1123940, bsc#1170336).
- kdump-Add-skip_balance-option-to-BTRFS-mounts.patch: Add
  skip_balance option to BTRFS mounts (bsc#1108255).
- kdump-do-not-add-rd.neednet.patch: Do not add 'rd.neednet=1' to
  dracut command line (bsc#1177196).
libnl3
- Add libnl3-fix-ipv6-privacy-extension.patch: fix ipv6 privacy
  extension of NetworkManager not working by backporting these 3
  commits (bsc#1025043):
  42c41336000e ("add support for IFA_FLAGS nl attribute")
  dcc0baac020e ("addr: add address flag IFA_F_MANAGETEMPADDR")
  b203c89d862a ("addr: add address flag IFA_F_NOPREFIXROUTE")
libxml2
- Avoid quadratic checking of identity-constraints: [bsc#1178823]
  * key/unique/keyref schema attributes currently use quadratic loops
    to check their various constraints (that keys are unique and that
    keyrefs refer to existing keys).
  * This fix uses a hash table to avoid the quadratic behaviour.
- Add libxml2-Avoid-quadratic-checking-of-identity-constraints.patch
logrotate
- Fix false alarm when using su and compress (bsc#1179189)
  Applies commit 15a768b340d1010e22955ace518425cdb13bba5f
  * Added patch logrotate-3.11.0-false-alarm-for-su-compress.patch
makedumpfile
- makedumpfile-x86_64-xen-vtop.patch: Update references
  (bsc#1014136, bsc#1068694, bsc#1162279).
- makedumpfile-vaddr_to_paddr_x86_64-Xen-fix.patch: Fix
  vaddr_to_paddr_x86_64 under Xen (bsc#1116830).
- makedumpfile-x86_64-xen-vtop.patch: Remove a hunk that breaks
  Xen dumps (bsc#1116830).
openldap2-client
- bsc#1178909 CVE-2020-25709 CVE-2020-25710 - Resolves two issues
    where openldap would crash due to malformed inputs.
  * patch: 0207-ITS-9383-remove-assert-in-certificateListValidate.patch
  * patch: 0208-ITS-9384-remove-assert-in-obsolete-csnNormalize23.patch
openssh
- Add openssh-CVE-2020-14145-information-leak.patch
  (CVE-2020-14145, bsc#1173513). This partially mitigates a
  potential information leak during host key exchange that could
  be exploited by a man-in-the-middle attacker.
pam-modules
- The fail delay is fixed and annoying. The relevant code sections
  from factory are backported here. There is no patch as the
  file with the offending code resides in the top level directory.
  [unix2_chkpw.c, bsc#1070595]
python-urllib3
- Add CVE-2020-26116-CRLF-injection.patch which raises ValueError
  if method contains control characters and thus prevents CRLF
  injection into URLs (bsc#1177211, bpo#39603, CVE-2020-26116,
  gh#urllib3/urllib3#1800).
python3
- Add CVE-2021-3177-buf_ovrfl_PyCArg_repr.patch fixing
  bsc#1181126 (CVE-2021-3177) buffer overflow in PyCArg_repr in
  _ctypes/callproc.c, which may lead to remote code execution.
- Provide the newest setuptools wheel (bsc#1176262,
  CVE-2019-20916) in their correct form (bsc#1180686).
python3-base
- Add CVE-2021-3177-buf_ovrfl_PyCArg_repr.patch fixing
  bsc#1181126 (CVE-2021-3177) buffer overflow in PyCArg_repr in
  _ctypes/callproc.c, which may lead to remote code execution.
- Provide the newest setuptools wheel (bsc#1176262,
  CVE-2019-20916) in their correct form (bsc#1180686).
sudo
- Fix Heap-based buffer overflow in Sudo [bsc#1181090,CVE-2021-3156]
  * sudo-CVE-2021-3156.patch
- Possible Dir Existence Test due to Race Condition in `sudoedit`
  [bsc#1180684,CVE-2021-23239]
  * sudo-CVE-2021-23239.patch
- Possible Symlink Attack in SELinux Context in `sudoedit` [bsc#1180685,
  CVE-2021-23240]
  * sudo-CVE-2021-23240.patch
- User Could Enable Debug Settings not Intended for it [bsc#1180687]
  * sudo-fix-bsc-1180687.patch
systemd-rpm-macros
- Bump to version 5 (bsc#1179020)
  Backport changes from SLE15 so SLE12-SP2 and SLE15 versions are
  mostly identical.
- Drop reference to FIRST_ARG in newly introduced macro %service_del_postun_without_restart
  Influencing the behavior of the macro with 'FIRST_ARG' variable was
  a hack. We should not add that to newly introduced interfaces.
- Rename the tag file used to detect when presets need to be applied
  Rather than placing these tags directly under /run, let's place them
  under /run/systemd/rpm. This also has the benefit to make the
  workaround for bsc#1059627 no more needed.
- Move macros.systemd from /etc to /usr (backport from SLE15)
  macros.systemd was never meant to be modified and treated like a
  configuration file. Hence let's move it to /usr and don't tag it
  with %config. In the very unlikely case it's been modified, it will
  be backed up with .rpmsave extension but no more read by rpmbuild.
- Add missing macro %_userpresetdir
- rpm: fix %systemd_user_post() macro.
  Escape "--user" and "--global" arguments with "\\" since rpm treats
  arguments starting with "-" as macro options which causes "Unknown
  option" rpm error.
  Use %{expand:...} to force expansion of the inner macro. Otherwise %{?*}
  is recursively defined as "--user --global {%?*}" which causes
  "Too many levels of recursion in macro expansion" rpm error.
  Upstream commit: e67ba783696f21782ad5c2ba00515d387016e785
- Deprecate '-f'/'-n' options (backported from SLE15)
  When used with %service_del_preun, support for these options will be
  dropped as DISABLE_STOP_ON_REMOVAL support will be removed on the
  next version of SLE (jsc#SLE-8968)
  When used with %service_del_postun, they should be replaced with
  their counterpart
  %service_del_postun_with_restart/%service_del_postun_without_restart
- Backport %service_del_postun_with_restart()
  It's the counterpart of %service_del_postun_without_restart() and
  replaces the '-f' option of %service_del_postun().
- Backport %systemd_ordering
  This macro is already available in later distros and should ease
  backports of packages, which rely on it.
- Update some comments
- Really test the presence of systemctl once
  No functional changes.
- Split private macros related to presets off as these macros have
  never been intended to be used by any package but
  systemd-presets-branding. In fact these have been completely removed
  since SLE15. So let's move them into a "private" file.
- Don't apply presets when migrating from a disabled initscript (bsc#1178481)
- Test for the presence of systemctl only once in %service_add_{post,pre}
timezone
- timezone update 2021a (bsc#1177460)
  * South Sudan changes from +03 to +02 on 2021-02-01 at 00:00.
- timezone update 2020f (bsc#1177460)
  * 'make rearguard_tarballs' no longer generates a bad rearguard.zi,
    fixing a 2020e bug.
- timezone update 2020e (bsc#1177460)
  * Volgograd switches to Moscow time on 2020-12-27 at 02:00.