bash
- Add patch bash-4.3-boo1192785.patch
  * setuid causing permission denied on popen (bsc#1192785)
curl
- libcurl-devel: Add an explicit dependency on libnghttp2-devel
  since its not autodetected [bsc#1193483]
- libssh: do not let libssh create socket [bsc#1192790]
  * Fixes sftp over a proxy failure in curl with error:
    Failure establishing ssh session
  * Add curl-libssh-socket.patch
efivar
- Add efivar-bsc1192344-fix-open-dbx.patch to fix the dbx opening
  failed by "/Operation not permitted"/. (bsc#1192344, jsc#PM-3148)
- Removed -fstack-clash-protection in CFLAGS when gcc < 8
- The -flto causes ld error, so add
  export LDFLAGS="/-flto-partition=one"/
  This solution is from openSUSE:Factory/efivar:
    Fri Aug 14 08:20:09 UTC 2020 - Martin Liška <mliska@suse.cz>
  - Do not partition LTO as we may reach new GAS error:
    Error: invalid attempt to declare external version
    name as default in symbol `efi_set_variable@@LIBEFIVAR_0.24'
expat
- Security fix (CVE-2021-45960, bsc#1194251)
  * A left shift by 29 (or more) places in the storeAtts function
    in xmlparse.c can lead to realloc misbehavior.
  * Added expat-CVE-2021-45960.patch
- Security fix (CVE-2021-46143, bsc#1194362)
  * Integer overflow exists for m_groupSize in doProlog
  * Added expat-CVE-2021-46143.patch
- Security fix (CVE-2022-22822, bsc#1194474)
  * Integer overflow in addBinding in xmlparse.c
  * Added expat-CVE-2022-22822.patch
- Security fix (CVE-2022-22823, bsc#1194476)
  * Integer overflow in build_model in xmlparse.c
  * Added expat-CVE-2022-22823.patch
- Security fix (CVE-2022-22824, bsc#1194477)
  * Integer overflow in defineAttribute in xmlparse.c
  * Added expat-CVE-2022-22824.patch
- Security fix (CVE-2022-22825, bsc#1194478)
  * Integer overflow in lookup in xmlparse.c
  * Added expat-CVE-2022-22825.patch
- Security fix (CVE-2022-22826, bsc#1194479)
  * Integer overflow in nextScaffoldPart in xmlparse.c
  * Added expat-CVE-2022-22826.patch
- Security fix (CVE-2022-22827, bsc#1194480)
  * Integer overflow in storeAtts in xmlparse.c
  * Added expat-CVE-2022-22826.patch
gettext-runtime
- Added msgfmt-double-free.patch to fix a double free error
  (CVE-2018-18751 bsc#1113719)
grub2
- Fix error not a btrfs filesystem on s390x (bsc#1187645)
  * 80_suse_btrfs_snapshot
- Add support for simplefb (boo#1193532).
  * grub2-simplefb.patch
- Fix powerpc-ieee1275 lpar takes long time to boot with increasing number of
  nvme namespace (bsc#1177751)
  * 0001-ieee1275-Avoiding-many-unecessary-open-close.patch
- Fix error lvmid disk cannot be found after second disk added to the root
  volume group (bsc#1189874) (bsc#1071559)
  * 0001-ieee1275-implement-FCP-methods-for-WWPN-and-LUNs.patch
- Fix error /boot/grub2/locale/POSIX.gmo not found (bsc#1189769)
  * 0001-Filter-out-POSIX-locale-for-translation.patch
kernel-default
- scsi: lpfc: Update lpfc version to 14.0.0.4 (bsc1192145).
- scsi: lpfc: Add additional debugfs support for CMF (bsc1192145).
- scsi: lpfc: Cap CMF read bytes to MBPI (bsc1192145).
- scsi: lpfc: Adjust CMF total bytes and rxmonitor (bsc1192145).
- scsi: lpfc: Trigger SLI4 firmware dump before doing driver
  cleanup (bsc1192145).
- scsi: lpfc: Fix NPIV port deletion crash (bsc1192145).
- scsi: lpfc: Fix lpfc_force_rscn ndlp kref imbalance
  (bsc1192145).
- scsi: lpfc: Change return code on I/Os received during link
  bounce (bsc1192145).
- scsi: lpfc: Fix leaked lpfc_dmabuf mbox allocations with NPIV
  (bsc1192145).
- commit 9e05239
- Update patches.suse/qla2xxx-synchronize-rport-dev_loss_tmo-setting.patch
  Update meta data and move the patch into the sorted section.
- commit 7214bea
- ipv6: use prandom_u32() for ID generation (CVE-2021-45485
  bsc#1194094).
- commit 51d2a3b
- scsi: qla2xxx: Format log strings only if needed (git-fixes).
- scsi: qla2xxx: edif: Fix off by one bug in
  qla_edif_app_getfcinfo() (git-fixes).
- scsi: qla2xxx: Fix mailbox direction flags in
  qla2xxx_get_adapter_id() (git-fixes).
- scsi: qla2xxx: edif: Fix EDIF bsg (git-fixes).
- scsi: qla2xxx: edif: Increase ELS payload (git-fixes).
- scsi: qla2xxx: edif: Flush stale events and msgs on session down
  (git-fixes).
- scsi: qla2xxx: edif: Fix app start delay (git-fixes).
- scsi: qla2xxx: edif: Fix app start fail (git-fixes).
- scsi: qla2xxx: Relogin during fabric disturbance (git-fixes).
- commit d5351f0
- inet: use bigger hash table for IP ID generation (CVE-2021-45486
  bsc#1194087).
- commit 0387442
- recordmcount.pl: fix typo in s390 mcount regex (bsc#1192267).
- commit b8b1ef9
- recordmcount.pl: look for jgnop instruction as well as bcrl
  on s390 (bsc#1192267).
- Delete patches.suse/ftrace-recordmcount-binutils.patch.
- commit 9b6815f
- EDAC/amd64: Handle three rank interleaving mode (bsc#1114648).
- commit 25eb1b3
- Update config files.
- commit f87a32f
- af_unix: fix garbage collect vs MSG_PEEK (CVE-2021-0920
  bsc#1193731).
- commit 167f0fb
- net: split out functions related to registering inflight socket
  files (CVE-2021-0920 bsc#1193731).
- commit 8ec3ad8
- x86/pkey: Fix undefined behaviour with PKRU_WD_BIT
  (bsc#1114648).
- commit de2d84b
- blacklist.conf: ef775a0e36c6 x86/Kconfig: Fix an unused variable error in dell-smm-hwmon
- commit 78e6223
- platform/x86: hp_accel: Fix an error handling path in
  'lis3lv02d_probe()' (git-fixes).
- commit 898c404
- platform/x86: thinkpad_acpi: Fix bitwise vs. logical warning
  (git-fixes).
- commit 495c629
- blacklist.conf: irrelevant build fix for our configs
- commit c89c442
- blacklist.conf: cosmetic cleanup
- commit f6d64ba
- blacklist.conf: irrelevant in SLE12
- commit 0be6ca3
- xen/netback: don't queue unlimited number of packages
  (CVE-2021-28715 XSA-392 bsc#1193442).
- commit a67e40b
- xen/netback: fix rx queue stall detection (CVE-2021-28714
  XSA-392 bsc#1193442).
- commit aa10f67
- xen/console: harden hvc_xen against event channel storms
  (CVE-2021-28713 XSA-391 bsc#1193440).
- commit f9f6563
- xen/netfront: harden netfront against event channel storms
  (CVE-2021-28712 XSA-391 bsc#1193440).
- commit 785c1f2
- xen/blkfront: harden blkfront against event channel storms
  (CVE-2021-28711 XSA-391 bsc#1193440).
- commit adb747c
- tty: hvc: replace BUG_ON() with negative return value
  (git-fixes).
- commit 24773f9
- xen/netfront: don't trust the backend response data blindly
  (git-fixes).
- commit 61f473d
- xen/netfront: disentangle tx_skb_freelist (git-fixes).
- commit a27eb85
- blacklist.conf: optimization only
- commit 378ebea
- xen/netfront: don't read data from request on the ring page
  (git-fixes).
- commit d843191
- blacklist.conf: unavoidably breaks kABI
- commit 67be19c
- xen/netfront: read response from backend only once (git-fixes).
- commit 10c97f1
- blacklist.conf: unavoidably breaks kABI
- commit 5ef7f44
- blacklist.conf: designed to break kABI
- commit b345950
- xen/blkfront: don't trust the backend response data blindly
  (git-fixes).
- commit 8238939
- xen/blkfront: don't take local copy of a request from the ring
  page (git-fixes).
- commit 0c42763
- xen/blkfront: read response from backend only once (git-fixes).
- commit 7b30def
- xen: sync include/xen/interface/io/ring.h with Xen's newest
  version (git-fixes).
- commit 0df7133
- ring-buffer: Protect ring_buffer_reset() from reentrancy
  (CVE-2020-27825 bsc#1179960).
- commit 432ad3d
- blacklist.conf: Add clang and gcc-10 related kbuild commits
- commit 4915b6a
- Update
  patches.suse/bpf-fix-truncated-jump-targets-on-heavy-expansions.patch
  (bsc#1109837 bsc#1193575 CVE-2018-25020).
- commit fe9247a
- bpf: fix truncated jump targets on heavy expansions (bsc#1193575
  CVE-2018-25020).
- commit bf19161
- elfcore: correct reference to CONFIG_UML (git-fixes).
- commit 1e4477f
- x86/sme: Explicitly map new EFI memmap table as encrypted
  (bsc#1114648).
- commit 2516955
- USB: serial: option: add Fibocom FM101-GL variants (git-fixes).
- commit bd62975
- USB: serial: option: add Telit LE910S1 0x9200 composition
  (git-fixes).
- commit 5e11265
- usb: dwc2: hcd_queue: Fix use of floating point literal
  (git-fixes).
- commit 565a456
- blacklist.conf: cleanup, not fix
- commit a5a3790
- usb-storage: Add compatibility quirk flags for iODD 2531/2541
  (git-fixes).
- commit 63a477e
- USB: serial: qcserial: add EM9191 QDL support (git-fixes).
- commit 3bd0301
- USB: serial: option: add Quectel EC200S-CN module support
  (git-fixes).
- commit 2bd7313
- USB: serial: option: add prod. id for Quectel EG91 (git-fixes).
- commit 7140e5b
- USB: serial: option: add Telit LE910Cx composition 0x1204
  (git-fixes).
- commit 65e0426
- blacklist.conf: for systems not supported in SLE12
- commit a7ca6ad
- blk-mq: don't deactivate hctx if managed irq isn't used
  (bsc#1185762).
- nvme-fc: remove freeze/unfreeze around update_nr_hw_queues
  (bsc#1185762).
- nvme-fc: avoid race between time out and tear down
  (bsc#1185762).
- nvme-fc: update hardware queues before using them (bsc#1185762).
- nvme-fc: wait for queues to freeze before calling
  update_hr_hw_queues (bsc#1183678).
- commit 588c36e
- Update patches.suse/qla2xxx-synchronize-rport-dev_loss_tmo-setting.patch (bsc#1189158)
- commit db3935d
- kABI compatibility for struct l2tp_tunnel (bsc#1192032
  CVE-2021-0935).
- commit 237dc6f
- l2tp: fix races with ipv4-mapped ipv6 addresses (bsc#1192032
  CVE-2021-0935).
- commit 3f8483b
- config: INPUT_EVBUG=n (bsc#1192974).
  Debug driver unsuitable for production, only enabled on ppc64.
- commit 7512f6a
- x86/xen: Add xenpv_restore_regs_and_return_to_usermode()
  (bsc#1114648).
- commit 0df9459
- kernel-binary.spec: Fix kernel-default-base scriptlets after packaging
  merge.
- commit 275c61a
- scsi: lpfc: Fix non-recovery of remote ports following an
  unsolicited LOGO (bsc#1189126).
- commit 447a5ca
- Drop unneeded workaround for nouveau (CVE-2020-27820 bsc#1179599)
  Drop the superfluous workaround from cve/linux-4.12 branch for nouveau,
  as SLE12-SP5 branch already has the proper upstream fixes.
- commit d1ca846
- nouveau: Suppress sysfs bind (CVE-2020-27820 bsc#1179599).
- commit c2489c9
- net: usb: lan78xx: lan78xx_phy_init(): use PHY_POLL instead of
  "/0"/ if no IRQ is available (git-fixes).
- commit 3deb124
- blacklist.conf: dependencies extremely intrusive
- commit e6b00e7
- blacklist.conf: cosmetic fix that breaks kABI
- commit 61a4cd2
- blacklist.conf: dependencies would break kABI
- commit 4cf79c7
- hugetlbfs: flush TLBs correctly after huge_pmd_unshare
  (bsc#1192946 (CVE-2021-4002)).
- commit c355959
- scsi: mpt3sas: Fix kernel panic during drive powercycle test
  (git-fixes).
- commit 3adc68a
- blacklist.conf: 3ff1f6b6ba6f ("/scsi: ufs: core: Improve SCSI abort handling"/)
  requires context in ufs driver not present
- commit 557e4fb
- blacklist.conf: 5ae17501bc62 ("/scsi: core: Avoid leaving shost->last_reset with stale value if EH does not run"/)
  This adds to Scsi_Host, and there's no good workaround.
- commit 6d34c01
- blacklist.conf: 0b7a9fd934a6 ("/scsi: qla2xxx: Turn off target reset during issue_lip"/)
  This removes a qla2xxx module param, which breaks kABI.
- commit 1df022a
- scsi: qla2xxx: Fix gnl list corruption (git-fixes).
- commit 692434a
- cifs: fix missed refcounting of ipc tcon (git-fixes).
- commit e4aa7ad
- cifs: nosharesock should be set on new server (git-fixes).
- commit 7af943e
- lpfc: Reintroduce old IRQ probe logic (bsc#1183897).
- commit 95e0076
- tracing: Fix pid filtering when triggers are attached
  (git-fixes).
- commit 8158fe2
- atlantic: Fix OOB read and write in hw_atl_utils_fw_rpc_wait
  (bsc#1192845 CVE-2021-43975).
- commit c3c1eae
- blacklist.conf: 27ff768fa21c ("/tracing: Test the 'Do not trace this pid' case in create event"/)
  Not applicable. SLE12-SP5 does not have no_pid_list.
- commit c8bbfd2
- tracing: Check pid filtering when creating events (git-fixes).
- commit 3e6f030
- scsi: core: Put LLD module refcnt after SCSI device is released
  (git-fixes).
- commit be7f0b6
- scsi: iscsi: Adjust iface sysfs attr detection (git-fixes).
- commit 75f38f7
- scsi: core: Fix bad pointer dereference when ehandler kthread
  is invalid (git-fixes).
- commit 9bbd7e2
- fuse: release pipe buf after last use (bsc#1193318).
- commit 46b3bf8
- rpm/kernel-binary.spec.in: don't strip vmlinux again (bsc#1193306)
  After usrmerge, vmlinux file is not named vmlinux-<version>, but simply
  vmlinux. And this is not reflected in STRIP_KEEP_SYMTAB we set.
  So fix this by removing the dash...
- commit 83af88d
- x86/msi: Force affinity setup before startup (bsc#1193231).
- Refresh
  patches.suse/0002-x86-msi-Only-use-high-bits-of-MSI-address-for-DMAR-u.patch.
- commit 340ec51
- genirq: Remove mask argument from setup_affinity()
  (bsc#1193231).
- Refresh
  patches.suse/genirq-proc-Return-proper-error-code-when-irq_set_af.patch.
- commit f23ee47
- genirq: Provide IRQCHIP_AFFINITY_PRE_STARTUP (bsc#1193231).
- genirq: Split out irq_startup() code (bsc#1193231).
- genirq: Move initial affinity setup to irq_startup()
  (bsc#1193231).
- genirq: Rename setup_affinity() to irq_setup_affinity()
  (bsc#1193231).
- commit f86d4ca
- blacklist.conf: remove an entry to be backported
- commit 1008e63
- ixgbe: fix large MTU request from VF (bsc#1192877
  CVE-2021-33098).
- commit 56240b9
- Move upstreamed BT patch into sorted section
- commit a0f930a
- mwifiex: Fix skb_over_panic in mwifiex_usb_recv()
  (CVE-2021-43976 bsc#1192847).
- commit c14a908
- blacklist.conf: 85b6d24646e4 ("/shm: extend forced shm destroy to support objects from several IPC nses"/)
  Unfortunately this breaks kABI and presents significant risk for
  addressing a theoretical issue.
- commit b6daf8c
- nvme-pci: add NO APST quirk for Kioxia device (git-fixes).
- commit 3efa0d0
- net: mana: Fix spelling mistake "/calledd"/ -> "/called"/
  (jsc#SLE-18779, bsc#1185727).
- net: mana: Support hibernation and kexec (jsc#SLE-18779,
  bsc#1185727).
- net: mana: Improve the HWC error handling (jsc#SLE-18779,
  bsc#1185727).
- net: mana: Fix the netdev_err()'s vPort argument in
  mana_init_port() (jsc#SLE-18779, bsc#1185727).
- net: mana: Allow setting the number of queues while the NIC
  is down (jsc#SLE-18779, bsc#1185727).
- net: mana: Use kcalloc() instead of kzalloc() (jsc#SLE-18779,
  bsc#1185727).
- commit bdc34f7
- blacklist.conf: add Renesas SuperH ethernet network driver
- commit c4584ae
- blacklist.conf: Add 78cc316e9583 bpf, cgroup: Assign cgroup in cgroup_sk_alloc when called from interrupt
- commit a67ce98
- brcmfmac: add CLM download support (bsc#1167162 CVE-2019-15126).
- commit 7737eec
- drm/nouveau: clean up all clients on device removal
  (CVE-2020-27820 bsc#1179599).
- drm/nouveau: Add a dedicated mutex for the clients list
  (CVE-2020-27820 bsc#1179599).
- drm/nouveau: use drm_dev_unplug() during device removal
  (CVE-2020-27820 bsc#1179599).
- commit cf01302
- constraints: Build aarch64 on recent ARMv8.1 builders.
  Request asimdrdm feature which is available only on recent ARMv8.1 CPUs.
  This should prevent scheduling the kernel on an older slower builder.
- commit 60fc53f
- objtool: Support Clang non-section symbols in ORC generation
  (bsc#1169514).
- commit 5ab2439
- elfcore: fix building with clang (bsc#1169514).
- commit b91821c
- x86/xen: Mark cpu_bringup_and_idle() as dead_end_function
  (bsc#1169514).
- commit cf74b00
- nfsd: don't alloc under spinlock in rpc_parse_scope_id
  (git-fixes).
- pnfs/flexfiles: Fix misplaced barrier in
  nfs4_ff_layout_prepare_ds (git-fixes).
- nfsd4: Handle the NFSv4 READDIR 'dircount' hint being zero
  (git-fixes).
- md: fix a lock order reversal in md_alloc (git-fixes).
- cred: allow get_cred() and put_cred() to be given NULL
  (git-fixes).
- commit 40d8ea8
- cifs: release lock earlier in dequeue_mid error case
  (bsc#1190317).
- commit 81b7ca3
- smb3: add additional null check in SMB2_tcon (bsc#1190317).
- commit 8461098
- smb3: add additional null check in SMB2_open (bsc#1190317).
- commit eecdddd
- smb3: add additional null check in SMB2_ioctl (bsc#1190317).
- commit 23e41a6
- SUNRPC/xprt: async tasks mustn't block waiting for memory
  (bsc#1191876 bsc#1192866).
- SUNRPC: improve 'swap' handling: scheduling and PF_MEMALLOC
  (bsc#1191876 bsc#1192866).
- SUNRPC/call_alloc: async tasks mustn't block waiting for memory
  (bsc#1191876 bsc#1192866).
- SUNRPC/auth: async tasks mustn't block waiting for memory
  (bsc#1191876 bsc#1192866).
- commit 1bfe7bc
- blacklist.conf: not needed in our configs
- commit e5f834d
- blacklist.conf: not needed in our configs
- commit dedc0a3
- net: lan78xx: fix division by zero in send path (git-fixes).
- commit 35358c9
- rndis_host: set proper input size for OID_GEN_PHYSICAL_MEDIUM
  request (git-fixes).
- commit 4593ea3
- net: hso: fix muxed tty registration (git-fixes).
- commit 032702d
- cifs: for compound requests, use open handle if possible
  (bsc#1190317).
- commit a69b935
- net: pegasus: fix uninit-value in get_interrupt_interval
  (git-fixes).
- commit 92716c5
- net: hso: fix control-request directions (git-fixes).
- commit b4b646e
- kernel-source.spec: install-kernel-tools also required on 15.4
- commit 6cefb55
- cifs: fix memory leak of smb3_fs_context_dup::server_hostname
  (bsc#1190317).
- commit 98266ba
- cifs: fix potential use-after-free bugs (jsc#SLE-20656).
- commit 9ce3ceb
- smb3: remove trivial dfs compile warning (jsc#SLE-20656).
- commit a5c40ae
- cifs: support nested dfs links over reconnect (jsc#SLE-20656).
- commit 8b8ce3c
- smb3: do not error on fsync when readonly (bsc#1190317).
- commit 0ed4dff
- cifs: set a minimum of 120s for next dns resolution
  (bsc#1190317).
- commit b46f000
- cifs: split out dfs code from cifs_reconnect() (jsc#SLE-20656).
- commit 6fb0a17
- cifs: convert list_for_each to entry variant (jsc#SLE-20656).
- commit 633a7c2
- cifs: introduce new helper for cifs_reconnect() (jsc#SLE-20656).
- commit f00696c
- cifs: fix print of hdr_flags in dfscache_proc_show()
  (jsc#SLE-20656).
- commit 5c49bc1
- cifs: nosharesock should not share socket with future sessions
  (bsc#1190317).
- commit 320796d
- cifs: To match file servers, make sure the server hostname
  matches (bsc#1190317).
- commit fbe0600
- cifs: On cifs_reconnect, resolve the hostname again
  (bsc#1190317).
- Refresh
  patches.suse/cifs-use-the-expiry-output-of-dns_query-to-schedule-next-resolution.patch.
- commit 5b1c01c
- cifs: Simplify reconnect code when dfs upcall is enabled
  (bsc#1190317).
- Refresh
  patches.suse/cifs-use-the-expiry-output-of-dns_query-to-schedule-next-resolution.patch.
- commit dae6de8
- cifs: fix incorrect check for null pointer in header_assemble
  (bsc#1190317).
- commit 2730221
- smb3: correct server pointer dereferencing check to be more
  consistent (bsc#1190317).
- commit 9de93d0
- smb3: correct smb3 ACL security descriptor (bsc#1190317).
- commit d60c7e5
- cifs: fix a sign extension bug (git-fixes).
- commit e0b32f1
- cifs: properly invalidate cached root handle when closing it
  (bsc#1190317).
- commit d970616
- cifs: Do not leak EDEADLK to dgetents64 for
  STATUS_USER_SESSION_DELETED (bsc#1190317).
- commit b415fcb
- cifs: fix wrong release in sess_alloc_buffer() failed path
  (bsc#1190317).
- commit 745c05d
- CIFS: Fix a potencially linear read overflow (git-fixes).
- commit ee69183
- cifs: support share failover when remounting (jsc#SLE-20656).
- commit 7385d90
- cifs: Add new parameter "/acregmax"/ for distinct file and
  directory metadata timeout (bsc#1190317).
- commit d50239f
- cifs: convert revalidate of directories to using directory
  metadata cache timeout (bsc#1190317).
- Refresh
  patches.suse/cifs-check-the-timestamp-for-the-cached-dirent-when-deciding-on-rev.patch.
- commit 3f02ef6
- cifs: Add new mount parameter "/acdirmax"/ to allow caching
  directory metadata (bsc#1190317).
- commit 2e1084d
- cifs: move to generic async completion (bsc#1190317).
- commit 3728f87
- CIFS: fiemap: do not return EINVAL if get nothing (bsc#1190317).
- commit 213f474
- kernel-*-subpackage: Add dependency on kernel scriptlets (bsc#1192740).
- commit a133bf4
- Fix problem with missing installkernel on Tumbleweed.
- commit 2ed6686
- rpm/kernel-obs-build.spec.in: reduce initrd functionality
  For building in OBS, we always build inside a virtual machine
  that gets a new, freshly created scratch filesystem image. So
  we do not need to handle fscks because that ain't gonna happen,
  as well as not we do not need to handle microcode update in the
  initrd as these only can be run on the host system anyway. We
  can also strip and hardlink as an additional optimisation that
  should not significantly hurt.
- commit c72c6fc
- kernel-spec-macros: Since rpm 4.17 %verbose is unusable (bsc#1191229).
  The semantic changed in an incompatible way so invoking the macro now
  causes a build failure.
- commit 3e55f55
- rpm: use _rpmmacrodir (boo#1191384)
- commit e350c14
- kernel-binary.spec: Do not sign kernel when no key provided
  (bsc#1187167).
- commit 6c24533
- kernel-binary.spec: suse-kernel-rpm-scriptlets required for uninstall as
  well.
  Fixes: e98096d5cf85 ("/rpm: Abolish scritplet templating (bsc#1189841)."/)
- commit e082fbf
- kernel-binary.spec: Check for no kernel signing certificates.
  Also remove unused variable.
- commit bdc323e
- Revert "/rpm/kernel-binary.spec: Use only non-empty certificates."/
  This reverts commit 30360abfb58aec2c9ee7b6a27edebe875c90029d.
- commit 413e05b
- rpm/kernel-binary.spec: Use only non-empty certificates.
- commit 30360ab
- fixup "/rpm: support gz and zst compression methods"/ once more
  (bsc#1190428, bsc#1190358)
  Fixes: 3b8c4d9bcc24 ("/rpm: support gz and zst compression methods"/)
  Fixes: 23510fce36ec ("/fixup "/rpm: support gz and zst compression methods"/"/)
- commit 165378a
- fixup "/rpm: support gz and zst compression methods"/ once more
  Fixes: 3b8c4d9bcc24 ("/rpm: support gz and zst compression methods"/)
  Fixes: 23510fce36ec ("/fixup "/rpm: support gz and zst compression methods"/"/)
- commit 34e68f4
- fixup "/rpm: support gz and zst compression methods"/
  Fixes: 3b8c4d9bcc24 ("/rpm: support gz and zst compression methods"/)
- commit 23510fc
- kernel-cert-subpackage: Fix certificate location in scriptlets
  (bsc#1189841).
  Fixes: d9a1357edd73 ("/rpm: Define $certs as rpm macro (bsc#1189841)."/)
- commit 8684de8
- kernel-binary.spec.in Stop templating the scriptlets for subpackages
  (bsc#1190358).
  The script part for base package case is completely separate from the
  part for subpackages. Remove the part for subpackages from the base
  package script and use the KMP scripts for subpackages instead.
- commit 5d1f677
- kernel-binary.spec: Do not fail silently when KMP is empty
  (bsc#1190358).
  Copy the code from kernel-module-subpackage that deals with empty KMPs.
- commit d7d2e6e
- rpm/kernel-source.spec.in: do some more for vanilla_only
  Make sure:
  * sources are NOT executable
  * env is not used as interpreter
  * timestamps are correct
  We do all this for normal kernel builds, but not for vanilla_only
  kernels (linux-next and vanilla).
- commit b41e4fd
- rpm: Fold kernel-devel and kernel-source scriptlets into spec files
  (bsc#1189841).
  These are unchanged since 2011 when they were introduced. No need to
  track them separately.
- commit 692d38b
- rpm: Abolish image suffix (bsc#1189841).
  This is used only with vanilla kernel which is not supported in any way.
  The only effect is has is that the image and initrd symlinks are created
  with this suffix.
  These symlinks are not used except on s390 where the unsuffixed symlinks
  are used by zipl.
  There is no reason why a vanilla kernel could not be used with zipl as
  well as it's quite unexpected to not be able to boot when only a vanilla
  kernel is installed.
  Finally we now have a backup zipl kernel so if the vanilla kernel is
  indeed unsuitable the backup kernel can be used.
- commit e2f37db
- kernel-binary.spec: Define $image as rpm macro (bsc#1189841).
- commit e602b0f
- rpm: Define $certs as rpm macro (bsc#1189841).
  Also pass around only the shortened hash rather than full filename.
  As has been discussed in bsc#1124431 comment 51
  https://bugzilla.suse.com/show_bug.cgi?id=1124431#c51 the placement of
  the certificates is an API which cannot be changed unless we can ensure
  that no two kernels that use different certificate location can be built
  with the same certificate.
- commit d9a1357
- rpm: Abolish scritplet templating (bsc#1189841).
  Outsource kernel-binary and KMP scriptlets to suse-module-tools.
  This allows fixing bugs in the scriptlets as well as defining initrd
  regeneration policy independent of the kernel packages.
- commit e98096d
- rpm/kernel-binary.spec.in: Use kmod-zstd provide.
  This makes it possible to use kmod with ZSTD support on non-Tumbleweed.
- commit 357f09a
- rpm/kernel-binary.spec.in: avoid conflicting suse-release
  suse-release has arbitrary values in staging, we can't use it for
  dependencies. The filesystem one has to be enough (boo#1184804).
- commit 56f2cba
- rpm: fix kmp install path
- commit 22ec560
- post.sh: detect /usr mountpoint too
- commit c7b3d74
- kernel-binary.spec.in: make sure zstd is supported by kmod if used
- commit f36412b
- kernel-binary.spec.in: add zstd to BuildRequires if used
- commit aa61dba
- rpm: support gz and zst compression methods
  Extend commit 18fcdff43a00 ("/rpm: support compressed modules"/) for
  compression methods other than xz.
- commit 3b8c4d9
- kernel-binary.spec: Require dwarves for kernel-binary-devel when BTF is
  enabled (jsc#SLE-17288).
  About the pahole version: v1.18 should be bare mnimum, v1.22 should be
  fully functional, for now we ship git snapshot with fixes on top of
  v1.21.
- commit 8ba3382
- README: Modernize build instructions.
- commit 8cc5c28
- rpm/kernel-obs-build.spec.in: make builds reproducible (bsc#1189305)
- commit 7f9ade7
- Fix filesystem requirement and suse-release requires
  Reduce filesystem conflict to anything less than 16 to allow pulling the
  change into the next major stable version.
  Don't require suse-release as that's not technically required. Conflict
  with a too old one instead.
- commit 913f755
- rpm/kernel-source.rpmlintrc: ignore new include/config files
  In 5.13, since 0e0345b77ac4, config files have no longer .h suffix.
  Adapt the zero-length check.
  Based on Martin Liska's change.
- commit b6f021b
- Add obsolete_rebuilds_subpackage (boo#1172073 bsc#1191731).
- commit f037781
libgcrypt
- FIPS: Fix gcry_mpi_sub_ui subtraction [bsc#1193480]
  * gcry_mpi_sub_ui: fix subtracting from negative value
  * Add libgcrypt-FIPS-fix-gcry_mpi_sub_ui.patch
mozilla-nss
- Mozilla NSS 3.68.2 (bsc#1193845)
  * mozilla::pkix: support SHA-2 hashes in CertIDs in OCSP responses
    (bmo#966856)
- Mozilla NSS 3.68.1
  MFSA 2021-51 (bsc#1193170)
  * CVE-2021-43527 (bmo#1737470)
    Memory corruption via DER-encoded DSA and RSA-PSS signatures
- Remove now obsolete patch nss-bsc1193170.patch
- Add patch to fix CVE-2021-43527 (bsc#1193170):
  nss-bsc1193170.patch
openssl-1_0_0
- bsc#1190885
  * OpenSSL: parameters by name ffdheXXXX and modp_XXXX sometimes result in "/not found"/
  * modified openssl-DH.patch
- Add safe primes to DH parameter generation
  * RFC7919 and RFC3526
  * bsc#1180995
  * Added openssl-add_rfc3526_rfc7919.patch
  * Genpkey: "/-pkeyopt dh_param:"/ can now choose modp_* (rfc3526) and
    ffdhe* (rfc7919) groups. Example:
    $ openssl genpkey -genparam -algorithm DH -pkeyopt dh_param:modp_4096
patterns-sles
- add newly added libopenssl-1_1-hmac for openssl 1.1. (jsc#SLE-23033)
polkit
- CVE-2021-4034: fixed a local privilege escalation in pkexec (bsc#1194568)
  added CVE-2021-4034-pkexec-fix.patch
release-notes-sles
- 12.5.20211208 (tracked in bsc#933411)
- Added note about unprivileged eBPF (jsc#SLE-22593)
- Added note about schedutil (bsc#1176440)
- Added note about 32-bit applications (bsc#1181589)
- Updated source code info (bsc#1188965)
samba
- The username map [script] advice from CVE-2020-25717 advisory
  note has undesired side effects for the local nt token. Fallback
  to a SID/UID based mapping if the name based lookup fails;
  (bsc#1192849); (bso#14901)
suse-module-tools
- Update to version 12.11: Import kernel scriptlets from kernel-source
  * rpm-script: fix bad exit status in OpenQA (bsc#1191922)
  * cert-script: Deal with existing $cert.delete file (bsc#1191804).
  * cert-script: Ignore kernel keyring for kernel certificates (bsc#1191480).
  * cert-script: Only print mokutil output in verbose mode.
  * inkmp-script(postun): don't pass  existing files to weak-modules2
    (boo#1191200)
  * kernel-scriptlets: skip cert scriptlet on non-UEFI systems
    (boo#1191260)
  * rpm-script: link config also into /boot (boo#1189879)
  * Import kernel scriptlets from kernel-source.
    (bsc#1189841, bsc#1190598)
  * Provide "/suse-kernel-rpm-scriptlets"/
tcsh
- Modify patch tcsh-6.18.01-toolong.patch to avoid to be oom killed
  by broken history files (bsc#1192472)
telnet
- Update Source location to use Gentoo mirror, fixes bsc#1129925
- spec-cleaner used for cleaning the specfile up
- url was repaired
yast2
- Backport: Command line interface: Do not start an UI while
  evaluating current language settings (bsc#1173133).
- 3.2.52
- Do not use the 'installation-helper' binary to create snapshots
  during installation or offline upgrade (bsc#1180142).
- Add a new exception to properly handle exceptions
  when reading/writing snapshots numbers (related to bsc#1180142).
- save_y2logs: save kernel messages and udev log (snwint@suse.de).
  Related to bsc#1089647 and bsc#1085212.
- 3.2.51
yast2-installation
- Do not crash when it is not possible to create a snapshot after
  installing or upgrading the system (bsc#1180142).
- 3.4.3
- Ensure correct alignment when shrinking a PReP partition.
- bsc#1186371
- 3.4.2
yast2-update
- Do not rely on the 'installation-helper' binary to create
  snapshots after installation or offline upgrade (bsc#1180142).
- Do not crash when it is not possible to create a snapshot before
  upgrading the system (related to bsc#1180142).
- 3.3.2
zlib
- Update 410.patch to include new fixes from upstream,
  fixes bsc#1192688
- Refresh bsc1174736-DFLTCC_LEVEL_MASK-set-to-0x1ff.patch
  to match upstream commit
- Drop patches which changes have been merged in 410.patch:
  * zlib-compression-switching.patch
  * zlib-390x-z15-fix-hw-compression.patch
  * bsc1174551-fxi-imcomplete-raw-streams.patch
zsh
- Add CVE-2018-0502_CVE-2018-13259.patch. Fixes CVE-2018-0502 and
  CVE-2018-13259 (bsc#1107296 and bsc#1107294).