avahi
- Update avahi-daemon-check-dns-suse.patch to drop privileges when
  invoking avahi-daemon-check-dns.sh (boo#1180827 CVE-2021-26720).
- Add sudo to requires: used to drop privileges.
bind
- CVE-2020-8625: A vulnerability in BIND's GSSAPI security policy
  negotiation can be targeted by a buffer overflow attack
  [bsc#1182246, CVE-2020-8625, bind-CVE-2020-8625.patch]
csync2
- VUL-1: csync2: bad TLS key generation on installation (bsc#1145032)
  Adapt suggested changes in %post section.
  Do not hide output on standard error during generating the keys.
file
- Add patch 0446fadf.patch to fix bsc#1182138
  * Bug in "/echo 8000 | file -"/ gzip
glibc
- euc-kr-overrun.patch: Fix buffer overrun in EUC-KR conversion module
  (CVE-2019-25013, bsc#1182117, BZ #24973)
- gconv-assertion-iso-2022-jp.patch: gconv: Fix assertion failure in
  ISO-2022-JP-3 module (CVE-2021-3326, bsc#1181505, BZ #27256)
- get-nprocs-cpu-online-parsing.patch: Fix parsing of
  /sys/devices/system/cpu/online (bsc#1180038, BZ #25859)
- ppc-power10-support.patch: powerpc: Add support for POWER10
  (bsc#1181365)
grub2
- VUL-0: grub2,shim: implement new SBAT method (bsc#1182057)
  * 0028-util-mkimage-Remove-unused-code-to-add-BSS-section.patch
  * 0029-util-mkimage-Use-grub_host_to_target32-instead-of-gr.patch
  * 0030-util-mkimage-Always-use-grub_host_to_target32-to-ini.patch
  * 0031-util-mkimage-Unify-more-of-the-PE32-and-PE32-header-.patch
  * 0032-util-mkimage-Reorder-PE-optional-header-fields-set-u.patch
  * 0033-util-mkimage-Improve-data_size-value-calculation.patch
  * 0034-util-mkimage-Refactor-section-setup-to-use-a-helper.patch
  * 0035-util-mkimage-Add-an-option-to-import-SBAT-metadata-i.patch
  * 0036-grub-install-common-Add-sbat-option.patch
- Fix CVE-2021-20225 (bsc#1182262)
  * 0019-lib-arg-Block-repeated-short-options-that-require-an.patch
- Fix CVE-2020-27749 (bsc#1179264)
  * 0021-kern-parser-Fix-resource-leak-if-argc-0.patch
  * 0022-kern-parser-Fix-a-memory-leak.patch
  * 0023-kern-parser-Introduce-process_char-helper.patch
  * 0024-kern-parser-Introduce-terminate_arg-helper.patch
  * 0025-kern-parser-Refactor-grub_parser_split_cmdline-clean.patch
  * 0026-kern-buffer-Add-variable-sized-heap-buffer.patch
  * 0027-kern-parser-Fix-a-stack-buffer-overflow.patch
- Fix CVE-2021-20233 (bsc#1182263)
  * 0020-commands-menuentry-Fix-quoting-in-setparams_prefix.patch
- Fix CVE-2020-25647 (bsc#1177883)
  * 0018-usb-Avoid-possible-out-of-bound-accesses-caused-by-m.patch
- Fix CVE-2020-25632 (bsc#1176711)
  * 0017-dl-Only-allow-unloading-modules-that-are-not-depende.patch
- Fix CVE-2020-27779, CVE-2020-14372 (bsc#1179265) (bsc#1175970)
  * 0001-mkimage-Clarify-file-alignment-in-efi-case.patch
  * 0002-efi-Make-shim_lock-GUID-and-protocol-type-public.patch
  * 0003-efi-Return-grub_efi_status_t-from-grub_efi_get_varia.patch
  * 0004-efi-Add-a-function-to-read-EFI-variables-with-attrib.patch
  * 0005-efi-Add-secure-boot-detection.patch
  * 0006-kern-Add-lockdown-support.patch
  * 0007-kern-lockdown-Set-a-variable-if-the-GRUB-is-locked-d.patch
  * 0008-efi-Lockdown-the-GRUB-when-the-UEFI-Secure-Boot-is-e.patch
  * 0009-efi-Use-grub_is_lockdown-instead-of-hardcoding-a-dis.patch
  * 0010-acpi-Don-t-register-the-acpi-command-when-locked-dow.patch
  * 0011-mmap-Don-t-register-cutmem-and-badram-commands-when-.patch
  * 0012-commands-Restrict-commands-that-can-load-BIOS-or-DT-.patch
  * 0013-commands-setpci-Restrict-setpci-command-when-locked-.patch
  * 0014-commands-hdparm-Restrict-hdparm-command-when-locked-.patch
  * 0015-gdb-Restrict-GDB-access-when-locked-down.patch
  * 0016-loader-xnu-Don-t-allow-loading-extension-and-package.patch
  * 0037-squash-Add-secureboot-support-on-efi-chainloader.patch
  * 0038-squash-grub2-efi-chainload-harder.patch
  * 0039-squash-Don-t-allow-insmod-when-secure-boot-is-enable.patch
  * 0040-squash-linuxefi-fail-kernel-validation-without-shim-.patch
  * 0041-squash-kern-Add-lockdown-support.patch
- Add SBAT metadata section to grub.efi
  * grub2.spec
hawk2
- Update to version 2.6.0:
  * Use fullpath of binary (bsc#1181436)
  * remove %x (bsc#1182163)
jasper
- bsc#1179748 CVE-2020-27828: Fix heap overflow by checking maxrlvls
  Add jasper-CVE-2020-27828.patch
- bsc#1181483 CVE-2021-3272: Fix heap overflow by ensuring number
  of channels matches image components
  Add jasper-CVE-2021-3272.patch
java-1_7_1-ibm
- Update to Java 7.1 Service Refresh 4 Fix Pack 80
  [bsc#1182186, bsc#1181239, CVE-2020-27221, CVE-2020-14803]
  * CVE-2020-27221: Potential for a stack-based buffer overflow
    when the virtual machine or JNI natives are converting from
    UTF-8 characters to platform encoding.
  * CVE-2020-14803: Unauthenticated attacker with network access
    via multiple protocols allows to compromise Java SE.
kernel-default
- Fix a bug in rawmidi UAF fix patch (bsc#1179601, CVE-2020-27786)
  Refresh patches.suse/ALSA-rawmidi-Fix-racy-buffer-resize-under-concurrent.patch
- commit ce80dfa
- nbd: freeze the queue while we're adding connections
  (bsc#1181504 CVE-2021-3348).
- nbd: Fix memory leak in nbd_add_socket (bsc#1181504).
- commit 447797a
- kABI: Fix kABI for extended APIC-ID support (bsc#1181001,
  jsc#ECO-3191).
- x86/kvm: Add KVM_FEATURE_MSI_EXT_DEST_ID (bsc#1181001,
  jsc#ECO-3191).
- x86/apic: Support 15 bits of APIC ID in IOAPIC/MSI where
  available (bsc#1181001, jsc#ECO-3191).
- x86/ioapic: Handle Extended Destination ID field in RTE
  (bsc#1181001, jsc#ECO-3191).
- x86/msi: Only use high bits of MSI address for DMAR unit
  (bsc#1181001, jsc#ECO-3191).
- x86/apic: Fix x2apic enablement without interrupt remapping
  (bsc#1181001, jsc#ECO-3191).
- x86/kvm: Reserve KVM_FEATURE_MSI_EXT_DEST_ID (bsc#1181001,
  jsc#ECO-3191).
- iommu/vt-d: Don't dereference iommu_device if IOMMU_API is
  not built (bsc#1181001, jsc#ECO-3191).
- iommu/vt-d: Gracefully handle DMAR units with no supported
  address widths (bsc#1181001, jsc#ECO-3191).
- commit 6482368
- Move futex fixes into the sorted section (bsc#1181349 CVE-2021-3347)
- commit c34c9df
- Update patch References tags for futex fixes (bsc#1181349 CVE-2021-3347)
- commit afd051d
- Refresh patches.suse/4.4.136-002-powerpc-64s-Clear-PCR-on-boot.patch
  Also clear PCR on POWER9 and in dt_cpu_ftrs.
- commit c79d65a
- futex: Fix incorrect should_fail_futex() handling (bsc#1181349).
- commit 0ba69a9
- futex: Handle faults correctly for PI futexes (bsc#1181349
  bsc#1149032).
- futex: Simplify fixup_pi_state_owner() (bsc#1181349
  bsc#1149032).
- futex: Use pi_state_update_owner() in put_pi_state()
  (bsc#1181349 bsc#1149032).
- rtmutex: Remove unused argument from rt_mutex_proxy_unlock()
  (bsc#1181349 bsc#1149032).
- futex: Provide and use pi_state_update_owner() (bsc#1181349
  bsc#1149032).
- futex: Replace pointless printk in fixup_owner() (bsc#1181349
  bsc#1149032).
- futex: Ensure the correct return value from futex_lock_pi()
  (bsc#1181349 bsc#1149032).
- futex: Don't enable IRQs unconditionally in put_pi_state()
  (bsc#1149032).
- locking/futex: Allow low-level atomic operations to return
  - EAGAIN (bsc#1149032).
- commit 058c695
- blk-mq: improve heavily contended tag case (bsc#1178198).
- Refresh
  patches.suse/sbitmap-fix-race-in-wait-batch-accounting.patch.
- commit ad2cec8
- netfilter: ctnetlink: add a range check for l3/l4 protonum
  (CVE-2020-25211 bsc#1176395).
- commit 92230c0
- SUNRPC: cache: ignore timestamp written to 'flush' file
  (bsc#1178036).
- commit 257292e
- Update
  patches.suse/0001-xen-events-add-a-proper-barrier-to-2-level-uevent-un.patch
  (CVE-2020-27673 XSA-332 bsc#1177411).
- Update
  patches.suse/0002-xen-events-fix-race-in-evtchn_fifo_unmask.patch
  (CVE-2020-27673 XSA-332 bsc#1177411).
- Update
  patches.suse/0003-xen-events-add-a-new-late-EOI-evtchn-framework.patch
  (CVE-2020-27673 XSA-332 bsc#1177411).
- Update
  patches.suse/0004-xen-blkback-use-lateeoi-irq-binding.patch
  (CVE-2020-27673 XSA-332 bsc#1177411).
- Update
  patches.suse/0005-xen-netback-use-lateeoi-irq-binding.patch
  (CVE-2020-27673 XSA-332 bsc#1177411).
- Update
  patches.suse/0006-xen-scsiback-use-lateeoi-irq-binding.patch
  (CVE-2020-27673 XSA-332 bsc#1177411).
- Update
  patches.suse/0008-xen-pciback-use-lateeoi-irq-binding.patch
  (CVE-2020-27673 XSA-332 bsc#1177411).
- Update
  patches.suse/0009-xen-events-switch-user-event-channels-to-lateeoi-mod.patch
  (CVE-2020-27673 XSA-332 bsc#1177411).
- Update
  patches.suse/0010-xen-events-use-a-common-cpu-hotplug-hook-for-event-c.patch
  (CVE-2020-27673 XSA-332 bsc#1177411).
- Update
  patches.suse/0011-xen-events-defer-eoi-in-case-of-excessive-number-of-.patch
  (CVE-2020-27673 XSA-332 bsc#1177411).
- Update
  patches.suse/0012-xen-events-block-rogue-events-for-some-time.patch
  (CVE-2020-27673 XSA-332 bsc#1177411).
- Update
  patches.suse/XEN-uses-irqdesc-irq_data_common-handler_data-to-sto.patch
  (CVE-2020-27673 XSA-332 bsc#1065600).
- Update
  patches.suse/xen-events-avoid-removing-an-event-channel-while-han.patch
  (CVE-2020-27675 XSA-331 bsc#1177410).
- Update
  patches.suse/xen-events-don-t-use-chip_data-for-legacy-IRQs.patch
  (CVE-2020-27673 XSA-332 bsc#1065600).
- Added CVE numbers for above patches.
- commit 77fc141
- Refresh
  patches.suse/IB-hfi1-Ensure-correct-mm-is-used-at-all-times.patch.
  Fixed backport (removed one line too much, d'oh).
- commit 6dc4356
- IB/hfi1: Ensure correct mm is used at all times (bsc#1179878
  CVE-2020-27835).
- commit 39a2b87
- xen: support having only one event pending per watch
  (bsc#1179508 XSA-349 CVE-2020-29568).
- commit d884e81
- xen: revert Allow watches discard events before queueing
  (bsc#1179508 XSA-349 CVE-2020-29568).
- commit 2a4a8da
- xen: revert Add 'will_handle' callback support in
  xenbus_watch_path() (bsc#1179508 XSA-349 CVE-2020-29568).
- commit 6baf8b8
- xen: revert Support will_handle watch callback (bsc#1179508
  XSA-349 CVE-2020-29568).
- commit 3918801
- xen: revert Count pending messages for each watch (bsc#1179508
  XSA-349 CVE-2020-29568).
- commit 9d30f4d
- xen: revert Disallow pending watch messages (bsc#1179508
  XSA-349 CVE-2020-29568).
- commit d039881
- xen-blkback: set ring->xenblkd to NULL after kthread_stop()
  (bsc#1179509 XSA-350 CVE-2020-29569).
- commit 1aab73c
- xenbus/xenbus_backend: Disallow pending watch messages
  (bsc#1179508 XSA-349 CVE-2020-29568).
- commit 0cdf358
- xen/xenbus: Count pending messages for each watch (bsc#1179508
  XSA-349 CVE-2020-29568).
- commit a14bb56
- xen/xenbus/xen_bus_type: Support will_handle watch callback
  (bsc#1179508 XSA-349 CVE-2020-29568).
- commit 33a4600
- xen/xenbus: Add 'will_handle' callback support in
  xenbus_watch_path() (bsc#1179508 XSA-349 CVE-2020-29568).
- commit 5ef1497
- xen/xenbus: Allow watches discard events before queueing
  (bsc#1179508 XSA-349 CVE-2020-29568).
- commit 6f7a44e
- Drop the previous drm/nouveau fix that turned out to be superfluous (CVE-2020-25639 bsc#1176846)
- commit 001c6e5
- Move upstreamed vgacon patch into sorted section
- commit 73d2a02
- drm: bail out of nouveau_channel_new if channel init fails
  (CVE-2020-25639 bsc#1176846).
- commit 55debf7
- target: fix XCOPY NAA identifier lookup (CVE-2020-28374,
  bsc#1178372).
- commit 2765e76
- mwifiex: Fix possible buffer overflows in
  mwifiex_cmd_802_11_ad_hoc_start (CVE-2020-36158 bsc#1180559).
- commit a833298
- s390/dasd: fix hanging device offline processing (bsc#1144912).
- commit ce166b0
- md/cluster: fix deadlock when node is doing resync job
  (bsc#1163727).
- md/cluster: block reshape with remote resync job (bsc#1163727).
- md/bitmap: fix memory leak of temporary bitmap (bsc#1163727).
- md/bitmap: md_bitmap_get_counter returns wrong blocks
  (bsc#1163727).
- md/bitmap: md_bitmap_read_sb uses wrong bitmap blocks
  (bsc#1163727).
- md-cluster: Fix potential error pointer dereference in
  resize_bitmaps() (bsc#1163727).
- md-cluster: fix rmmod issue when md_cluster convert bitmap to
  none (bsc#1163727).
- md-cluster: fix safemode_delay value when converting to
  clustered bitmap (bsc#1163727).
- md-cluster: fix wild pointer of unlock_all_bitmaps()
  (bsc#1163727).
- commit ff367e3
- Move upstreamed bt fixes into sorted section
- commit adeed42
- Refresh patches.suse/powerpc-rtas-fix-typo-of-ibm-open-errinjct-in-rtas-f.patch
  Refresh to upstream version.
- commit 76e9945
- tracing: Fix race in trace_open and buffer resize call
  (CVE-2020-27825 bsc#1179960).
- commit 8b99744
- ring-buffer: speed up buffer resets by avoiding synchronize_rcu
  for each CPU (CVE-2020-27825 bsc#1179960).
- commit 0d53945
- ring-buffer: Make resize disable per cpu buffer instead of
  total buffer (CVE-2020-27825 bsc#1179960).
- commit 39cee5c
- fix regression in "/epoll: Keep a reference on files added to the check list"/  (bsc#1180031, git-fixes).
- commit d9c444f
- do_epoll_ctl(): clean the failure exits up a bit
  (bsc#1180031,CVE-2020-0466).
- epoll: Keep a reference on files added to the check list
  (bsc#1180031).
- commit e792e5d
- cfg80211: add missing policy for NL80211_ATTR_STATUS_CODE
  (CVE-2020-27068 bsc#1180086).
- commit 886ad61
- HID: Fix slab-out-of-bounds read in hid_field_extract
  (bsc#1180052).
- commit 5b124d9
- HID: core: Sanitize event code and type when mapping input
  (CVE-2020-0465 bsc#1180029).
- commit ebf9f0e
- audit: fix error handling in audit_data_to_entry()
  (CVE-2020-0444 bsc#1180027).
- commit f2e7691
- x86/traps: Simplify pagefault tracing logic (bsc#1179895).
- Refresh
  patches.suse/10-x86-xen-get-rid-of-paravirt-op-adjust_exception_frame.patch.
- commit f51414e
- x86/tracing: Introduce a static key for exception tracing
  (bsc#1179895).
- commit ae1ab84
- tty: Fix ->session locking (bsc#1179745 CVE-2020-29660).
- tty: Fix ->pgrp locking in tiocspgrp() (bsc#1179745
  CVE-2020-29661).
- commit a59c61c
- powerpc/rtas: fix typo of ibm,open-errinjct in rtas filter
  (CVE-2020-27777 bsc#1179107 bsc#1179887 ltc#190092).
- commit 153fdda
- xfrm: Fix memleak on xfrm state destroy (bsc#1158775).
- commit d801d2b
- net/x25: prevent a couple of overflows (bsc#1178590).
- commit 3f48ad3
- media: xirlink_cit: add missing descriptor sanity checks
  (bsc#1168952 CVE-2020-11668).
- commit e978e80
- Update
  patches.suse/sched-fair-Don-t-free-p-numa_faults-with-concurrent-.patch
  (bsc#1144920, bsc#1179663, CVE-2019-20934).
- commit fad2215
- debugfs_lookup(): switch to lookup_one_len_unlocked() (bsc#1171979).
- Refresh patches.suse/new-helper-lookup_positive_unlocked.patch.
- commit 2aee88e
- kABI workaround for snd_rawmidi buffer_ref field addition
  (CVE-2020-27786 bsc#1179601).
- commit 0e8d69d
- ALSA: rawmidi: Fix racy buffer resize under concurrent accesses
  (CVE-2020-27786 bsc#1179601).
- commit 3c00a93
- Delete patches.suse/fs-select.c-batch-user-writes-in-do_sys_poll.patch.
  (CVE-2020-4788 bsc#1179419).
  Patch causes DLM regression. Drop for now.
- commit a422074
- Add missing RESTORE_CTR (CVE-2020-4788 bsc#1177666).
- Refresh patches.suse/powerpc-64s-Convert-slb_miss_common-to-use-RFI_TO_US.patch.
- Refresh patches.suse/powerpc-64s-Set-assembler-machine-type-to-POWER4.patch.
  patches.suse/powerpc-64s-SLB-miss-already-has-CTR-saved-for-reloc.patch
  adds RESTORE_CTR to the SLB miss handler so
  patches.suse/powerpc-64s-Convert-slb_miss_common-to-use-RFI_TO_US.patch
  must now copy it in the other fork of the exit code as well.
- commit a382dc2
- romfs: fix uninitialized memory leak in romfs_dev_read()
  (CVE-2020-29371 bsc#1179429).
- commit c4cfc72
- block: Fix use-after-free in blkdev_get() (bsc#1173834
  bsc#1179141 CVE-2020-15436).
- commit 0475fee
- kABI: powerpc: Add back __clear_user (CVE-2020-4788
  bsc#1177666).
- commit 9ab0140
- kABI: powerpc: avoid including pgtable.h in kup.h (CVE-2020-4788
  bsc#1177666).
- commit 81cd22b
- Refresh patches.suse/nfs-mark-nfsiod-cpu-intensive.patch.
- commit 4ba6c62
- make 'user_access_begin()' do 'access_ok()' (CVE-2020-4788 bsc#1177666).
- Delete patches.suse/drm-i915-CVE-2018-20669-access-check.patch.
- commit ffc3685
- NFS: mark nfsiod as CPU_INTENSIVE (bsc#1177304).
- commit 53e1580
- serial: 8250: fix null-ptr-deref in serial8250_start_tx()
  (CVE-2020-15437 bsc#1179140).
- commit 76da61e
- powerpc/64s: SLB miss already has CTR saved for relocatable kernel
  (CVE-2020-4788 bsc#1177666).
- Refresh patches.suse/powerpc-64s-Set-assembler-machine-type-to-POWER4.patch.
- commit 741f364
- powerpc/64: Add CONFIG_PPC_BARRIER_NOSPEC (CVE-2020-4788 bsc#1177666).
- Refresh patches.suse/powerpc-64-Call-setup_barrier_nospec-from-setup_arch.patch
- Refresh patches.suse/powerpc-pmem-Update-ppc64-to-use-the-new-barrier-ins.patch.
- Update config files.
- commit b0085a7
- powerpc/rtas: Restrict RTAS requests from userspace
  (CVE-2020-27777 bsc#1179107).
- Update config files.
- commit 3ed445b
- vt: Disable KD_FONT_OP_COPY (CVE-2020-28974 bsc#1178589).
- commit d9af9e6
- powerpc/64s: flush L1D after user accesses (CVE-2020-4788
  bsc#1177666).
- Refresh patches.kabi/kABI-powerpc-avoid-including-pgtable.h-in-kup.h.patch.
- powerpc/uaccess: Evaluate macro arguments once, before user
  access is allowed (CVE-2020-4788 bsc#1177666).
- powerpc: Fix __clear_user() with KUAP enabled (CVE-2020-4788
  bsc#1177666).
- powerpc: Implement user_access_begin and friends (CVE-2020-4788
  bsc#1177666).
- powerpc: Add a framework for user access tracking (CVE-2020-4788
  bsc#1177666).
- powerpc/64s: flush L1D on kernel entry (CVE-2020-4788
  bsc#1177666).
- powerpc/64s: move some exception handlers out of line
  (CVE-2020-4788 bsc#1177666).
- powerpc/64s: Define MASKABLE_RELON_EXCEPTION_PSERIES_OOL
  (CVE-2020-4788 bsc#1177666).
- powerpc/64s: Rename slb_miss_realmode() to slb_miss_common()
  (CVE-2020-4788 bsc#1177666).
- powerpc/64s: Use BRANCH_TO_COMMON() for slb_miss_realmode
  (CVE-2020-4788 bsc#1177666).
- commit f7d6c42
- fs/select.c: batch user writes in do_sys_poll (CVE-2020-4788
  bsc#1177666).
- commit 011abbd
- Fonts: Replace discarded const qualifier (CVE-2020-28915
  bsc#1178886).
- fbcon: Fix global-out-of-bounds read in fbcon_get_font()
  (CVE-2020-28915 bsc#1178886).
- Fonts: Support FONT_EXTRA_WORDS macros for built-in fonts
  (CVE-2020-28915 bsc#1178886).
- fbdev, newport_con: Move FONT_EXTRA_WORDS macros into
  linux/font.h (CVE-2020-28915 bsc#1178886).
- commit 8016c83
- Input: sunkbd - avoid use-after-free in teardown paths
  (CVE-2020-25669 bsc#1178182).
- commit e6736dd
- Refresh
  patches.suse/0002-x86-speculation-Enable-Spectre-v1-swapgs-mitigations.patch.
- commit aa8cb4c
- scsi: ibmvfc: Avoid link down on FS9100 canister reboot
  (bsc#1176962 ltc#188304).
- scsi: ibmvfc: Use compiler attribute defines instead of
  __attribute__() (bsc#1176962 ltc#188304).
- commit 1fef06b
lifecycle-data-sle-live-patching
- Added data for 4_12_14-122_57, 4_12_14-122_60, 4_12_14-95_68,
  4_4_121-92_149, 4_4_180-94_138. (bsc#1020320)
open-iscsi
- Cherry-picked 3 commits from upstream/factory, for bsc#1179908
  (which addresses CVE-2020-17437, CVE-2020-17438, CVE-2020-13987,
  and CVE-2020-13988), changes include:
  * check for TCP urgent pointer past end of frame
  * check for u8 overflow when processing TCP options
  * check for header length underflow during checksum calculation
python
- Add CVE-2021-3177-buf_ovrfl_PyCArg_repr.patch fixing
  bsc#1181126 (CVE-2021-3177) buffer overflow in PyCArg_repr in
  _ctypes/callproc.c, which may lead to remote code execution.
- Provide the newest setuptools wheel (bsc#1176262,
  CVE-2019-20916) in their correct form (bsc#1180686).
python-base
- Add CVE-2021-3177-buf_ovrfl_PyCArg_repr.patch fixing
  bsc#1181126 (CVE-2021-3177) buffer overflow in PyCArg_repr in
  _ctypes/callproc.c, which may lead to remote code execution.
- Provide the newest setuptools wheel (bsc#1176262,
  CVE-2019-20916) in their correct form (bsc#1180686).
python-cryptography
- Add patch CVE-2020-36242-buffer-overflow.patch (bsc#1182066, CVE-2020-36242)
  * Using the Fernet class to symmetrically encrypt multi gigabyte values
    could result in an integer overflow and buffer overflow.
screen
- Fix double width combining char handling that could lead
  to a segfault [bnc#1182092] [CVE-2021-26937]
  new patch: combchar.diff