SUSEConnect
- Update to 0.3.29
- replace env ruby path with native ruby path during build phase
bind
- Updated named.root (aka /var/lib/named/root.hint) to the newest
  version available at ftp://FTP.INTERNIC.NET/domain/named.cache
  [named.root, bsc#1181372]
- Each subpackage which has the sonum in its name now Provides:
  its basename:
  libbind9, libdns, libirs, libisccc, libisccfg, liblwres
  and Obsoletes: any previous version, so when thas package is
  upgraded, the old version can be easily removed.
  [bind.spec]
crmsh
- Update to version 4.1.0+git.1609987417.4e8085a4:
  * Fix: utils: skip if no netmask in the result of ip -o addr show(bsc#1180421)
  * Fix: bootstrap: add /etc/modules-load.d/watchdog.conf into csync.cfg(bsc#1180424)
  * Low: bootstrap: make invoke return specific error(bsc#1177023)
  * Fix: bootstrap: Refactor join_lock.py for more generic using purpose(bsc#1180149)
  * Dev: bootstrap: use ping to test host is reachable before joining
  * Low: bootstrap: check cluster was running on init node
- Use utils.mkdirp instead of mkdir command(bsc#1179999)(CVE-2020-35459); Add patch:
  * 0001-Fix-history-use-utils.mkdirp-instead-of-system-mkdir.patch
- Update to version 4.1.0+git.1607482714.9633b80d:
  * Fix: bootstrap: use class JoinLock to manage lock in parallel join(bsc#1175976)
  * Dev: hb_report: change the default dest data format, more readable
  * Low: bootstrap: minor change for _get_sbd_device_interactive function(bsc#1178333)
  * FIx start_delay with start-delay(bsc#1176569)
  * fix on_fail should be on-fail(bsc#1176569)
cups
- cups-1.7.5-CVE-2020-10001.patch fixes CVE-2020-10001
  access to uninitialized buffer in ipp.c (bsc#1180520)
- cups-1.7.5-CVE-2019-8842.patc fixes CVE-2019-8842 (bsc#1170671)
  the ippReadIO function may under-read an extension field
cyrus-sasl
- bsc#1159635 VUL-0: CVE-2019-19906: cyrus-sasl: cyrus-sasl
  has an out-of-bounds write leading to unauthenticated remote
  denial-of-service in OpenLDAP via a malformed LDAP packet
  o apply upstream patch
- 0001-Fix-587.patch
fence-agents
- Update to version 4.7.0+git.1607346448.17bd8552:
  * fence_mpath, fence_scsi: Improve logging for failed res/key get
  * fence_mpath, fence_scsi: Capture stderr in run_cmd()
  * build: depend on config changes to rebuild when running make after running ./configure
  * fence_redfish: Fix typo in help.
  * fence_aws: add support for IMDSv2
  * spec: add pkg-config file, and set version for obsoletes to avoid failing to build on Fedora 33
  * Add pkg-config file
  * fence_scsi: dont write key to device if it's already registered, and open file correctly to avoid using regex against end-of-file
  * fencing: fix run_command() to allow timeout=0 to mean forever
  * fencing: fix to make timeout(s)=0 be treated as forever for agents using pexpect
- (bsc#1178343) `fence_gce` updates to be pulled to the SLE versions
  The last update broke fencing in GCE
  The last patch is based on 4.7.0+git.1607346448.17bd8552
- (bsc#1178343) `fence_gce` updates to be pulled to the SLE versions
  The last update broke fencing in GCE
  * add-upstream patch
    0001-Adds-service-account-authentication-to-GCE-fence-age.patch
google-guest-agent
- Update to version 20201102.00 (bsc#1179031, bsc#1179032)
  * Only attempt to connect to snapshot service once (#88)
google-guest-oslogin
- Update to version 20200925.00 (bsc#1179031, bsc#1179032)
  * add getpwnam,getpwuid,getgrnam,getgrgid (#42)
  * Change requires to not require the python library for policycoreutils. (#44)
  * add dial and recvline (#41)
  * PR feedback
  * new client component and tests
hawk2
- Update to version 2.5.0+git.1611141696.64c61e0c
  * Improve controllers (CVE-2020-35458) (bsc#1179998)
  * drop patch 0001-Improve-controllers.patch since merged upstream
-  Update to version 2.4.0+git.1607523195.05cd3222:
  * fix bsc#1179998. Handle better input on app controllers (CVE-2020-35458)
- Update to version 2-2.3.0+git.1607523195.05cd3222:
  * reduce CPU usage (fix bsc#1179651)
  * improve the way we disable TLS and use sysconfig vars(bsc#1179841)
  * simplify puma config file
java-1_7_1-ibm
- Update to Java 7.1 Service Refresh 4 Fix Pack 75 [bsc#1180063, bsc#1177943]
  CVE-2020-14792 CVE-2020-14797 CVE-2020-14782 CVE-2020-14781
  CVE-2020-14779 CVE-2020-14798 CVE-2020-14796 CVE-2020-14803
  * Class Libraries:
  - Z/OS specific C function send_file is changing the file pointer position
  * Security:
  - Add the new oracle signer certificate
  - Certificate parsing error
  - JVM memory growth can be caused by the IBMPKCS11IMPL crypto provider
  - Remove check for websphere signed jars
  - sessionid.hashcode generates too many collisions
  - The Java 8 IBM certpath provider does not honor the user
    specified system property for CLR connect timeout
libnl3
- Add libnl3-fix-ipv6-privacy-extension.patch: fix ipv6 privacy
  extension of NetworkManager not working by backporting these 3
  commits (bsc#1025043):
  42c41336000e ("/add support for IFA_FLAGS nl attribute"/)
  dcc0baac020e ("/addr: add address flag IFA_F_MANAGETEMPADDR"/)
  b203c89d862a ("/addr: add address flag IFA_F_NOPREFIXROUTE"/)
libxml2
- Avoid quadratic checking of identity-constraints: [bsc#1178823]
  * key/unique/keyref schema attributes currently use qudratic loops
    to check their various constraints (that keys are unique and that
    keyrefs refer to existing keys).
  * This fix uses a hash table to avoid the quadratic behaviour.
- Add libxml2-Avoid-quadratic-checking-of-identity-constraints.patch
libyajl
- fix popd syntax, new bash doesn't like it anymore
libzypp
- RepoManager: Carefully tidy up the caches. Remove non-directory
  entries. (bsc#1178966)
- version 16.21.4 (0)
- ZYPP_MEDIA_CURL_DEBUG logs full Authorization: header (bsc#1174215)
  The Authorization: header may include base64 encoded credentials
  which could be restored from the log file. The credentials are
  now stripped from the log.
- version 16.21.3 (0)
lifecycle-data-sle-live-patching
- Added data for 4_12_14-122_51, 4_12_14-122_54, 4_12_14-95_65,
  4_4_121-92_146, 4_4_180-94_135. (bsc#1020320)
logrotate
- Fix false alarm when using su and compress (bsc#1179189)
  Applies commit 15a768b340d1010e22955ace518425cdb13bba5f
  * Added patch logrotate-3.11.0-false-alarm-for-su-compress.patch
lvm2
- pvmove destination LV always has KRahead=0 (bsc#1179326)
  + bug-1179326_pvmove-correcting-read_ahead-setting.patch
  - in %postun, disable restart blk-availability.service & lvm2-monitor.service
mdadm
- Rename 0226-Detail-adding-sync-status-for-cluster-device.patch
  to 0227-Detail-adding-sync-status-for-cluster-device.patch, and
  replace it with upstream version.
- mdadm: Introduce new array state 'broken' for raid0/linear
  0226-mdadm-Introduce-new-array-state-broken-for-raid0-lin.patch
- mdadm/Detail: show correct state for clustered array
  (bsc#1163727)
  0228-mdadm-Detail-show-correct-state-for-clustered-array.patch
- Detail: show correct bitmap info for cluster raid device
  (bsc#1163727)
  0229-Detail-show-correct-bitmap-info-for-cluster-raid-dev.patch
- Detail: adding sync status for cluster device (bsc#1163727)
mutt
- Add patch mutt-colon.patch for bsc#1181221
  CVE-2021-3181: mutt: recipient parsing memory leak
  This patch combines three smaller commits
- Add a further correction in patch nofreeze-c72f740a.patch for
  external bodies as well (boo#1179461)
openldap2-client
- bsc#1178909 CVE-2020-25709 CVE-2020-25710 - Resolves two issues
    where openldap would crash due to malformed inputs.
  * patch: 0207-ITS-9383-remove-assert-in-certificateListValidate.patch
  * patch: 0208-ITS-9384-remove-assert-in-obsolete-csnNormalize23.patch
openssh
- Add openssh-bsc1148566-scp-handle-quotes-while-checking-filenames-from-serv.patch,
  openssh-bsc1148566-scp-show-filename-match-patterns-in-verbose-mode.patch
  (bsc#1148566). Fixes a class of false alarms due to filename
  validation. Patches by Josef Cejka <jcejka@suse.com>.
- Add openssh-bsc1161684-authorizedkeyscommand-deadlock.patch
  (bsc#1161684), which fixes a deadlock when AuthorizedKeysCommand
  or AuthorizedPrincipalsCommand produce a lot of output and a
  key is matched early.
- Add openssh-CVE-2020-14145-information-leak.patch
  (CVE-2020-14145, bsc#1173513). This partially mitigates a
  potential information leak during host key exchange that could
  be exploited by a man-in-the-middle attacker.
openssl-1_0_0
- Add declaration of BN_secure_new() needed by other packages
  * add openssl-1.0.2p-declare-BN_secure_new.patch
  * [bsc#1180777]
- Add FIPS key check necessary for certification.
  * modified openssl-DH.patch
  * [bsc#1180959]
  * Fix EDIPARTYNAME NULL pointer dereference
    (CVE-2020-1971, bsc#1179491)
pam-modules
- The fail delay is fixed and annoying. The relevant code sections
  from factory are backported here. There is not patch as the
  file with the offending code resides in the top level directory.
  [unix2_chkpw.c, bsc#1070595]
parted
- skip probing _part devices (bsc#1137259)
  + parted-bsc1137259-fix-_part-error.patch
python
- Replace bundled wheels for pip and setuptools with the updated ones
  (bsc#1176262 CVE-2019-20916).
python-base
- Replace bundled wheels for pip and setuptools with the updated ones
  (bsc#1176262 CVE-2019-20916).
python-urllib3
- Add CVE-2020-26116-CRLF-injection.patch which raises ValueError
  if method contains control characters and thus prevents CRLF
  injection into URLs (bsc#1177211, bpo#39603, CVE-2020-26116,
  gh#urllib3/urllib3#1800).
python3
- Add CVE-2021-3177-buf_ovrfl_PyCArg_repr.patch fixing
  bsc#1181126 (CVE-2021-3177) buffer overflow in PyCArg_repr in
  _ctypes/callproc.c, which may lead to remote code execution.
- Provide the newest setuptools wheel (bsc#1176262,
  CVE-2019-20916) in their correct form (bsc#1180686).
python3-base
- Add CVE-2021-3177-buf_ovrfl_PyCArg_repr.patch fixing
  bsc#1181126 (CVE-2021-3177) buffer overflow in PyCArg_repr in
  _ctypes/callproc.c, which may lead to remote code execution.
- Provide the newest setuptools wheel (bsc#1176262,
  CVE-2019-20916) in their correct form (bsc#1180686).
resource-agents
- (bsc#1179977) L3: anything RA stop operation fails if
  /root/.profile has unexpected content
  Add upstream patch:
    0001-The-anything-RA-getpid-function-can-fail-to-return-t.patch
sudo
- Fix Heap-based buffer overflow in Sudo [bsc#1181090,CVE-2021-3156]
  * sudo-CVE-2021-3156.patch
- Possible Dir Existence Test due to Race Condition in `sudoedit`
  [bsc#1180684,CVE-2021-23239]
  * sudo-CVE-2021-23239.patch
- Possible Symlink Attack in SELinux Context in `sudoedit` [bsc#1180685,
  CVE-2021-23240]
  * sudo-CVE-2021-23240.patch
- User Could Enable Debug Settings not Intended for it [bsc#1180687]
  * sudo-fix-bsc-1180687.patch
timezone
- timezone update 2021a (bsc#1177460)
  * South Sudan changes from +03 to +02 on 2021-02-01 at 00:00.
- timezone update 2020f (bsc#1177460)
  * 'make rearguard_tarballs' no longer generates a bad rearguard.zi,
    fixing a 2020e bug.
- timezone update 2020e (bsc#1177460)
  * Volgograd switches to Moscow time on 2020-12-27 at 02:00.
yast2-cluster
- bsc#1180424, add watchdog.conf to csync2 default list
- Version 3.4.2
yast2-tune
- Backport: Fixed scheduler activation: do not activate the new
  scheduler for devices which do not support it (bsc#1052770)
  (backport request at bsc#1177035)
- 3.2.1
zypper
- Fix typo in list-patches help (bsc#1178925)
- version 1.13.58