audit-secondary
- Fix unhandled ECONNREFUSED with LDAP environments (bsc#1196645)
  * add libaudit-fix-unhandled-ECONNREFUSED-from-getpwnam-25.patch
augeas
- add augeas-sysctl_parsing.patch (bsc#1197443)
  * backport original patch and rebase.
binutils
- Add binutils-revert-rela.diff to revert back to old behaviour
  of not ignoring the in-section content of to be relocated
  fields on x86-64, even though that's a RELA architecture.
  Compatibility with buggy object files generated by old tools.
  [bsc#1198422]
cifs-utils
- CVE-2022-27239: mount.cifs: fix length check for ip option
  parsing; (bsc#1197216) (bso#15025); CVE-2022-27239.
  * add 0016-CVE-2022-27239-mount.cifs-fix-length-check-for-ip-op.patch
cluster-glue
- Requesting cluster-glue bugfix (bsc#1197681)
  * Add upstream patch:
    0002-bugfix-for-comment-in-external-ec2.patch
curl
- Securiy fix: [bsc#1199223, CVE-2022-27781]
  * CERTINFO never-ending busy-loop
  * Add curl-CVE-2022-27781.patch
- Securiy fix: [bsc#1199224, CVE-2022-27782]
  * TLS and SSH connection too eager reuse
  * Add curl-CVE-2022-27782.patch
- Security fix: [bsc#1198766, CVE-2022-27776]
  * Auth/cookie leak on redirect
  * Add backported curl-CVE-2022-27776.patch
- Security fix: [bsc#1198614, CVE-2022-22576]
  * OAUTH2 bearer bypass in connection re-use
  * Add curl-CVE-2022-22576.patch
dhcp
- bsc#1198657: properly handle DHCRELAY(6)_OPTIONS.
e2fsprogs
- libext2fs-add-sanity-check-to-extent-manipulation.patch: libext2fs: add
  sanity check to extent manipulation (bsc#1198446 CVE-2022-1304)
gcc11
- Update to the GCC 11.3.0 release.
  * includes SLS hardening backport on x86_64.  [bsc#1195283]
- Update to gcc-11 branch head (691af15031e00227ba6d5935c), git1635
  * includes gcc11-pr104931.patch
  * includes fix for Firefox ICE  [gcc#105256]
- Add provides/conflicts to glibc crosses since only one GCC version
  for the same target can be installed at the same time.
- Add provides/conflicts to libgccjit.
- Update to gcc-11 branch head (6a1150d1524aeda3381b21717), git1406
  * includes change to adjust gnats idea of the target, fixing
    the build of gprbuild.  [bsc#1196861]
- Add gcc11-pr104931.patch to fix miscompile of embedded premake
  in 0ad on i586.  [bsc#1197065]
- drop armv5tel, merge arm and armv6hl
- use --with-cpu rather than specifying --with-arch/--with-tune
  to Recoomends.
- Remove sys/rseq.h from include-fixed
- Update to gcc-11 branch head (d4a1d3c4b377f1d4acb), git1173
  * Fix D memory corruption in -M output.
  * Fix ICE in is_this_parameter with coroutines.  [boo#1193659]
- Enable the cross compilers also on i586
- Enable some cross compilers also in rings
- Remove cross compilers for i386 target
- Update to gcc-11 branch head (7510c23c1ec53aa4a62705f03), git1018
  * fixes issue with debug dumping together with -o /dev/null
  * fixes libgccjit issue showing up in emacs build  [boo#1192951]
- Package mwaitintrin.h
- Remove spurious exit from change_spec.
- Enable the full cross compiler, cross-aarch64-gcc11 and
  cross-riscv64-gcc11 now provide a fully hosted C (and C++)
  cross compiler, not just a freestanding one.  I.e. with a cross
  glibc.  They don't yet support the sanitizer libraries.
  Part of [jsc#OBS-124].
glib2
- Add glib2-CVE-2021-28153.patch: fix CREATE_REPLACE_DESTINATION
  with symlinks (boo#1183533 glgo#GNOME/glib#2325 CVE-2021-28153).
gzip
- Add hardening for zgrep (CVE-2022-1271, bsc#1198062)
  * bsc1198062-2.patch
jasper
- bsc#1184757 CVE-2021-3467: Fix NULL pointer deref in jp2_decode()
  Add jasper-CVE-2021-3467.patch
- bsc#1184798 CVE-2021-3443: Fix NULL pointer derefin jp2_decode()
  Add jasper-CVE-2021-3443.patch
- bsc#1182104 CVE-2021-26927: Fix NULL pointer deref in jp2_decode()
  bsc#1182105 CVE-2021-26926: Fix Out of bounds read in jp2_decode()
  Add jasper-CVE-2021-26926-CVE-2021-26927.patch
kernel-default
- Revert lpfc driver update to 14.2.0.1 (bsc#1198989)
- commit be1f831
- fsl/fman: Check for null pointer after calling devm_ioremap
  (git-fixes).
- commit a939025
- ppp: ensure minimum packet size in ppp_write() (git-fixes).
- commit df66a4a
- can: gs_usb: fix use of uninitialized variable, detach device
  on reception of invalid USB data (git-fixes).
- commit 8660202
- net: ethernet: mtk_eth_soc: fix return values and refactor
  MDIO ops (git-fixes).
- commit 0892190
- ieee802154: atusb: fix uninit value in atusb_set_extended_addr
  (git-fixes).
- commit 039c504
- i40e: Fix incorrect netdev's real number of RX/TX queues
  (git-fixes).
- commit 71ccdfa
- bnx2x: fix napi API usage sequence (bsc#1198217).
- commit 0fdc23e
- powerpc/perf: Fix power9 event alternatives (bsc#1137728,
  LTC#178106, git-fixes).
- Revert "/ibmvnic: Add ethtool private flag for driver-defined
  queue limits"/ (bsc#1121726 ltc#174633 git-fixes).
- commit e2aedd0
- USB: Fix xhci event ring dequeue pointer ERDP update issue
  (git-fixes).
- commit c9dd9d4
- blacklist.conf: Append 'vgacon: Propagate console boot parameters before calling `vc_resize''
- commit 049412f
- blacklist.conf: kABI
- commit 82bdaff
- blacklist.conf: irrelevant in our configs
- commit 56584e8
- blacklist.conf: cleanup, not a fix
- commit d0b397b
- net/x25: Fix null-ptr-deref caused by x25_disconnect
  (CVE-2022-1516 bsc#1199012).
- commit 70361a9
- blacklist.conf: Append 'backlight: qcom-wled: Fix off-by-one maximum with default num_strings'
- commit 51cd556
- blacklist.conf: Append 'vt: Fix character height handling with VT_RESIZEX'
- commit f58734a
- video: fbdev: udlfb: properly check endpoint type (bsc#1129770)
- commit 783e7a7
- video: fbdev: omapfb: Add missing of_node_put() in dvic_probe_of (bsc#1129770)
- commit 155ebc4
- video: fbdev: sm712fb: Fix crash in smtcfb_read() (bsc#1129770)
- commit 639ac93
- video: fbdev: atari: Atari 2 bpp (STe) palette bugfix (bsc#1129770)
- commit e434e14
- video: fbdev: fbcvt.c: fix printing in fb_cvt_print_name() (bsc#1129770)
- commit 344bc32
- video: fbdev: atmel_lcdfb: fix an error code in atmel_lcdfb_probe() (bsc#1129770)
- commit 66c9a63
- video: fbdev: smscufx: Fix null-ptr-deref in ufx_usb_probe() (bsc#1129770)
- commit 816cbfa
- parisc/sticon: fix reverse colors (bsc#1129770)
- commit 96cba65
- video: fbdev: chipsfb: use memset_io() instead of memset() (bsc#1129770)
- commit b2ee4b1
- fbmem: don't allow too huge resolutions (bsc#1129770)
- commit 3261ce6
- backlight: pwm_bl: Improve bootloader/kernel device handover (bsc#1129770)
- commit 1e071a0
- Restore kabi after Revert "/NFSv4: Handle the special Linux file
  open access mode"/ (git-fixes).
- commit 454c575
- media: em28xx: fix memory leak in em28xx_init_dev (git-fixes).
- commit ae8eb8d
- media: v4l2-ioctl: S_CTRL output the right value (git-fixes).
- commit 1ab34f7
- blacklist.conf: misattributed
- commit 67e9964
- blacklist.conf: irrelevant in our config
- commit b67c63d
- media: dvb-usb: fix ununit-value in az6027_rc_query (git-fixes).
- commit fba8723
- media: stkwebcam: fix memory leak in stk_camera_probe
  (git-fixes).
- commit 93825c5
- media: dvb-usb: fix uninit-value in vp702x_read_mac_addr
  (git-fixes).
- commit 40501ef
- media: dvb-usb: fix uninit-value in dvb_usb_adapter_dvb_init
  (git-fixes).
- commit 451e148
- media: rc-loopback: return number of emitters rather than error
  (git-fixes).
- commit cff83f4
- media: uvc: don't do DMA on stack (git-fixes).
- commit c3b7b8e
- media: videobuf2-core: dequeue if start_streaming fails
  (git-fixes).
- commit dc1215d
- media: lmedm04: Fix misuse of comma (git-fixes).
- commit fdc42cf
- ovl: fix missing negative dentry check in ovl_rename()
  (CVE-2021-20321 bsc#1191647).
- commit 3e23b63
- blacklist.conf: duplicate
- commit cf7be65
- blacklist.conf: cleanup
- commit 41d47c2
- scsi: scsi_dh_alua: Avoid crash during alua_bus_detach()
  (bsc#1028340 bsc#1198825).
- commit 058dc1f
- rtl8187: fix control-message timeouts (git-fixes).
- commit 79977ac
- ath6kl: fix division by zero in send path (git-fixes).
- commit 4d7c95f
- ath6kl: fix control-message timeout (git-fixes).
- commit 77388d0
- wcn36xx: add proper DMA memory barriers in rx path (git-fixes).
- commit 4a06a7f
- wcn36xx: Fix HT40 capability for 2Ghz band (git-fixes).
- commit 85a369e
- libertas: Fix possible memory leak in probe and disconnect
  (git-fixes).
- commit 3b6017c
- libertas_tf: Fix possible memory leak in probe and disconnect
  (git-fixes).
- commit 966339e
- ath10k: fix max antenna gain unit (git-fixes).
- commit b33c09d
- ath9k: Fix potential interrupt storm on queue reset (git-fixes).
- commit d0dc5a4
- mwifiex: Send DELBA requests according to spec (git-fixes).
- commit 1fdac31
- mwifiex: Read a PCI register after writing the TX ring write
  pointer (git-fixes).
- commit 3308154
- b43: fix a lower bounds test (git-fixes).
- commit 1a2c981
- b43legacy: fix a lower bounds test (git-fixes).
- commit 12ea1d7
- blacklist.conf: optimization that breaks kABI
- commit 0b8cb68
- USB: usb-storage: Fix use of bitfields for hardware data in
  ene_ub6250.c (git-fixes).
- commit 8485f85
- USB: serial: pl2303: add IBM device IDs (git-fixes).
- commit e071cd2
- USB: serial: simple: add Nokia phone driver (git-fixes).
- commit 6cdbd34
- blacklist.conf: optimization
- commit efab6ed
- USB: serial: cp210x: add NCR Retail IO box id (git-fixes).
- commit 8306949
- blacklist.conf: no gadget mode in SLE12
- commit 6d57b76
- usb: ulpi: Call of_node_put correctly (git-fixes).
- commit 98c8547
- USB: core: Fix bug in resuming hub's handling of wakeup requests
  (git-fixes).
- commit d42a2ba
- USB: Fix "/slab-out-of-bounds Write"/ bug in
  usb_hcd_poll_rh_status (git-fixes).
- commit 7c8f2b6
- usb: typec: tcpm: Wait in SNK_DEBOUNCED until disconnect
  (git-fixes).
- commit 6c78568
- usb: ulpi: Move of_node_put to ulpi_dev_release (git-fixes).
- usb: hub: Fix usb enumeration issue due to address0 race
  (git-fixes).
- commit 62d7e13
- io-64-nonatomic: add io{read|write}64{_lo_hi|_hi_lo} macros
  (git-fixes).
- commit 48bc31d
- mxser: fix xmit_buf leak in activate when LSR == 0xff
  (git-fixes).
- PCI: iproc: Fix out-of-bound array accesses (git-fixes).
- PCI: Fix overflow in command-line resource alignment requests
  (git-fixes).
- PCI: qcom: Make sure PCIe is reset before init for rev 2.1.0
  (git-fixes).
- PCI: iproc: Set affinity mask on MSI interrupts (git-fixes).
- PCI: qcom: Change duplicate PCI reset to phy reset (git-fixes).
- Refresh
  patches.suse/PCI-qcom-Add-missing-reset-for-ipq806x.patch.
- PCI: Add device even if driver attach failed (git-fixes).
- PCI/switchtec: Read all 64 bits of part_event_bitmap
  (git-fixes).
- commit 9f2996c
- SUNRPC: Handle low memory situations in call_status()
  (git-fixes).
- NFSv4: fix open failure with O_ACCMODE flag (git-fixes).
- Revert "/NFSv4: Handle the special Linux file open access mode"/
  (git-fixes).
- NFSD: prevent underflow in nfssvc_decode_writeargs()
  (git-fixes).
- fs/nfs: Use fatal_signal_pending instead of signal_pending
  (git-fixes).
- commit 2cecf8b
- Refresh
  patches.suse/SUNRPC-avoid-race-between-mod_timer-and-del_timer_sy.patch.
  Update git-commit now that it has landed.
- commit 4e48858
- Update
  patches.suse/drm-ttm-nouveau-don-t-call-tt-destroy-callback-on-al.patch
  (bsc#1175232 bsc#1183723 CVE-2021-20292).
- commit 9708de1
- net-sysfs: call dev_hold if kobject_init_and_add success
  (CVE-2019-20811 bsc#1172456).
- commit 5de8a61
- Update
  patches.suse/net-usb-ax88179_178a-Fix-out-of-bounds-accesses-in-R.patch
  (bsc#1196018 CVE-2022-28748).
- commit 25ea790
- random: check for signal_pending() outside of need_resched()
  check (git-fixes).
- hwrng: atmel - disable trng on failure path (git-fixes).
- hwrng: cavium - HW_RANDOM_CAVIUM should depend on ARCH_THUNDER
  (git-fixes).
- char/mwave: Adjust io port register size (git-fixes).
- random: fix data race on crng_node_pool (git-fixes).
- commit 0ec1c9f
- blacklist.conf: blacklist compile fix for test routines
- commit 0cd9e6f
- blacklist.conf: add one ARCH_NOMADIK entry
- commit f5b6eaf
- Update
  patches.suse/floppy-Do-not-copy-a-kernel-pointer-to-user-memory-i.patch
  (bsc#1051510 bsc#1084513 CVE-2018-7755).
- commit 371ca37
- drm/vgem: Close use-after-free race in vgem_gem_create (CVE-2022-1419 bsc#1198742)
- commit f3d608f
- drm/vgem: Close use-after-free race in vgem_gem_create (CVE-2022-1419 bsc#1198742)
- commit c2b5f0e
- isdn: cpai: check ctr->cnr to avoid array index out of bound
  (bsc#1191958 CVE-2021-43389).
- commit 6296574
- nfc: fix NULL ptr dereference in llcp_sock_getname() after
  failed connect (CVE-2021-38208 bsc#1187055).
- commit 54aed86
- Update patch reference for NFC fix (CVE-2021-38208 bsc#1187055)
- commit 01cc4ae
- Update patches.suse/powerpc-pseries-Fix-use-after-free-in-remove_phb_dyn.patch
  (bsc#1065729 bsc#1198660 ltc#197803).
- commit e3bcaa0
- af_key: add __GFP_ZERO flag for compose_sadb_supported in
  function pfkey_register (CVE-2022-1353 bsc#1198516).
- commit ffb367f
- kABI fix for tcp: fix race condition when creating child
  sockets from syncookies (bsc#1197075).
- commit fd09edb
- tcp: Fix potential use-after-free due to double kfree()
  (bsc#1197075).
- commit ad52893
- tcp: fix race condition when creating child sockets from
  syncookies (bsc#1197075).
- commit 6729a4f
- NFSv4: Fix a regression in nfs_set_open_stateid_locked()
  (bsc#1196247).
- kabi fix for NFSv4: Wait for stateid updates after
  CLOSE/OPEN_DOWNGRADE (bsc#1196247).
- NFSv4: Wait for stateid updates after CLOSE/OPEN_DOWNGRADE
  (bsc#1196247).
  Adjust some kabi fixes to match.
- NFSv4.x recover from pre-mature loss of openstateid (bsc#1196247).
- NFSv4: Handle NFS4ERR_OLD_STATEID in CLOSE/OPEN_DOWNGRADE
  (bsc#1196247).
- NFSv4: Don't try to CLOSE if the stateid 'other' field has
  changed (bsc#1196247).
- commit 639faa6
- net: stmicro: handle clk_prepare() failure during init (git-fixes).
- commit c63cb9b
- net:emac/emac-mac: Fix a use after free in emac_mac_tx_buf_send (git-fixes).
- commit 323e981
- net: davinci_emac: Fix incorrect masking of tx and rx error channel (git-fixes).
- commit 9fa453a
- net/mlx5e: Reduce tc unsupported key print level (git-fixes).
- commit ccf2751
- Update
  patches.suse/x86-pm-save-the-msr-validity-status-at-context-setup.patch
  (bsc#1198400).
- Update
  patches.suse/x86-speculation-restore-speculation-related-msrs-during-s3-resume.patch
  (bsc#1198400).
- commit b81f481
- ptrace: Check PTRACE_O_SUSPEND_SECCOMP permission on
  PTRACE_SEIZE (bsc#1198413).
- commit 9eb132f
- blacklist.conf: Add 460a79e18842 mm/memcontrol: return 1 from cgroup.memory __setup() handler
- commit f836b54
- Update patch references of drm fixes (CVE-2022-1280 bsc#1197914)
- commit b729b95
- Revert "/module, async: async_synchronize_full() on module init
  iff async is used"/ (bsc#1197888).
- commit 23e6efe
- i40e: add correct exception tracing for XDP (git-fixes).
- commit 646c060
- drm/ttm/nouveau: don't call tt destroy callback on alloc failure
  (CVE-2021-20292 bsc#1183723).
- commit f1a5fa2
- i40e: optimize for XDP_REDIRECT in xsk path (git-fixes).
- commit eba7817
- blacklist.conf: misattributed in upstream
- commit d24b230
- mac80211: mesh: fix potentially unaligned access (git-fixes).
- commit 49769d6
- blacklist.conf: cleanup, not a fix
- commit 7a11af1
- Revert "/USB: serial: ch341: add new Product ID for CH341A"/
  (git-fixes).
- commit dc3e8da
- blacklist.conf: depends on intrusive updates
- commit 86c3906
- x86/speculation: Restore speculation related MSRs during S3
  resume (bsc#1114648).
- commit 46f1ca5
- scsi: libsas: Fix sas_ata_qc_issue() handling of NCQ NON DATA
  commands (git-fixes).
- commit d81a725
- x86/sev: Unroll string mmio with CC_ATTR_GUEST_UNROLL_STRING_IO
  (git-fixes).
- commit 3893e26
- fuse: handle kABI change in struct fuse_req (bsc#1197343
  CVE-2022-1011).
- fuse: fix pipe buffer lifetime for direct_io (bsc#1197343
  CVE-2022-1011).
- commit e67cd7e
- x86/pm: Save the MSR validity status at context setup
  (bsc#1114648).
- commit 87c5893
- livepatch: Don't block removal of patches that are safe to
  unload (bsc#1071995).
- commit 3b32a28
- fix parallelism for rpc tasks (bsc#1197663).
- Make the xprtiod workqueue unbounded (bsc#1197663).
- commit 8b97258
- Refresh
  patches.suse/net-sched-use-Qdisc-rcu-API-instead-of-relying-on-rt.patch.
  Fix missplaced qdisc_put()
- commit 883b3be
- xen: fix is_xen_pmu() (git-fixes).
- commit bd40deb
- xen/blkfront: fix comment for need_copy (git-fixes).
- commit 0c99cc8
- xen: detect uninitialized xenbus in xenbus_init (git-fixes).
- commit dd22f66
- xen: don't continue xenstore initialization in case of errors
  (git-fixes).
- commit 6a9b916
- blacklist.conf: 1dbd11ca75fe ("/xen: remove gnttab_query_foreign_access()"/)
- commit 37fa08f
- IB/qib: Fix memory leak in qib_user_sdma_queue_pkts() (git-fixes)
- commit c239ab7
- RDMA/rxe: Restore setting tot_len in the IPv4 header (git-fixes)
- commit 986a537
- RDMA/rxe: Use the correct size of wqe when processing SRQ (git-fixes)
- commit dacc35c
- RDMA/rxe: Missing unlock on error in get_srq_wqe() (git-fixes)
- commit f3ecb3d
- Update
  patches.suse/llc-fix-netdevice-reference-leaks-in-llc_ui_bind.patch
  references (add CVE-2022-28356 bsc#1197391).
- commit 658b50e
- net: rtlwifi: properly check for alloc_workqueue() failure
  (git-fixes).
- commit 3c2f34d
- blacklist.conf: dependency would break kABI
- commit 0dc5499
- mac80211: fix station rate table updates on assoc (git-fixes).
- commit 7c6c73d
- mt7601u: fix rx buffer refcounting (git-fixes).
- commit f6f3ca9
- cifs: do not skip link targets when an I/O fails (bsc#1194625).
- commit cfcccfb
- arm64: hibernate: Clean the __hyp_text to PoC after resume (git-fixes)
- commit bbc565a
- arm64: hyp-stub: Forbid kprobing of the hyp-stub (git-fixes)
- commit 03dcd08
- arm64: kprobe: Always blacklist the KVM world-switch code (git-fixes)
- commit a917d0c
- arm64: kaslr: ensure randomized quantities are clean also when kaslr (git-fixes)
- commit f170463
- arm64: kaslr: ensure randomized quantities are clean to the PoC (git-fixes)
- commit b039486
- blacklist.conf: ("/arm64: defconfig: Re-enable bcm2835-thermal driver"/)
- commit e6a130b
- arm64: cmpxchg: Use "/K"/ instead of "/L"/ for ll/sc immediate constraint (git-fixes)
- commit 7722c1f
- arm64: relocatable: fix inconsistencies in linker script and options (git-fixes)
- commit 64d186d
- arm64: drop linker script hack to hide __efistub_ symbols (git-fixes)
- commit 310ed92
- arm64: compat: Provide definition for COMPAT_SIGMINSTKSZ (git-fixes)
- commit 2bbad05
- arm64: fix for bad_mode() handler to always result in panic (git-fixes)
- commit 14351ce
- arm64: only advance singlestep for user instruction traps (git-fixes)
- commit cf205ee
- crypto: arm64/aes-ce-cipher - move assembler code to .S file (git-fixes)
- commit 3a20ee6
libvirt
- CVE-2022-0897: nwfilter: fix crash when counting number of
  network filters
  a4947e8f-nwfilter-CVE-2022-0897.patch
  bsc#1197636
- libxl: Mark auto-allocated graphics ports to used on reconnect
  e0241f33-libxl-mark-allocated-graphics-ports.patch
- libxl: Release all auto-allocated graphics ports
  18ec405a-libxl-release-graphics-ports.patch
  bsc#1191668
libxml2
- Security fix: [bsc#1069689, CVE-2017-16932]
  * parser.c in libxml2 before 2.9.5 does not prevent infinite
    recursion inparameter entities.
  * Add libxml2-CVE-2017-16932.patch
- Sync and fix changelog entries between libxml2 and
  python-libxml2.
- Security fix: [bsc#1199132, CVE-2022-29824]
  * Integer overflow leading to out-of-bounds write in buf.c
    (xmlBuf*) and tree.c (xmlBuffer*)
  * Add libxml2-CVE-2022-29824.patch
  * Add libxml2-CVE-2022-23308.patch
  * Add libxml2-CVE-2021-3541.patch
- Version update to 2.9.7 release:
  * Bug Fixes:
    + xmlcatalog: restore ability to query system catalog easily
    + Fix comparison of nodesets to strings
  * Improvements:
    + Add Makefile rules to rebuild HTML man pages
    + Remove generated file python/setup.py from version control
    + Fix mixed decls and code in timsort.h
    + Rework handling of return values in thread tests
    + Fix unused variable warnings in testrecurse
    + Fix -Wimplicit-fallthrough warnings
    + Upgrade timsort.h to latest revision
    + Fix a couple of warnings in dict.c and threads.c
    + Fix unused variable warnings in nanohttp.c
    + Don't include winsock2.h in xmllint.c
    + Use __linux__ macro in generated code
  * Portability:
    + Add declaration for DllMain
    + Fix preprocessor conditional in threads.h
    + Fix macro redefinition warning
    + many Windows specific improvements
  * Documentation:
    + xmlcatalog: refresh man page wrt. quering system catalog easily
- Includes bug fixes from 2.9.6:
  * Fix XPath stack frame logic
  * Report undefined XPath variable error message
  * Fix regression with librsvg
  * Handle more invalid entity values in recovery mode
  * Fix structured validation errors
  * Fix memory leak in LZMA decompressor
  * Set memory limit for LZMA decompression
  * Handle illegal entity values in recovery mode
  * Fix debug dump of streaming XPath expressions
  * Fix memory leak in nanoftp
  * Fix memory leaks in SAX1 parser
- Drop libxml2-bug787941.patch
  * upstreamed in 3157cf4e53c03bc3da604472c015c63141907db8
- Update package summaries and RPM groups. Trim descriptions for
  size on secondary subpackages. Replace install call by a
  commonly-used macro.
- Add patch to fix TW integration:
  * libxml2-bug787941.patch
- Version update to 2.9.5 release:
  * Merged all the previous cve fixes that were patched in
  * Few small tweaks
- Remove merged patches:
  * libxml2-CVE-2016-4658.patch
  * libxml2-CVE-2017-0663.patch
  * libxml2-CVE-2017-5969.patch
  * libxml2-CVE-2017-9047.patch
  * libxml2-CVE-2017-9048.patch
  * libxml2-CVE-2017-9049.patch
  * libxml2-2.9.4-fix_attribute_decoding.patch
- Added libxml2-CVE-2016-4658.patch: Disallow namespace nodes in
  XPointer ranges. Namespace nodes must be copied to avoid
  use-after-free errors. But they don't necessarily have a physical
  representation in a document, so simply disallow them in XPointer
  ranges [bsc#1005544] [CVE-2016-4658]
- Remove obsolete patches libxml2-2.9.1-CVE-2016-3627.patch,
  0001-Add-missing-increments-of-recursion-depth-counter-to.patch,
  and libxml2-2.9.3-bogus_UTF-8_encoding_error.patch.
- add libxml2-2.9.3-bogus_UTF-8_encoding_error.patch to fix XML
  push parser that fails with bogus UTF-8 encoding error when
  multi-byte character in large CDATA section is split across
  buffer [bnc#962796]
- temporarily reverting libxml2-CVE-2014-0191.patch until there is a fix
  that doesn't break other applications
- buildignore python to avoid build cycle
- fix version
- renamed to python-libxml2 to follow python naming expectations
- do not require python but let rpm figure it out
- buildrequire python-xml to fix build
libyajl
- add libyajl-CVE-2022-24795.patch (CVE-2022-24795, bsc#1198405)
mutt
- Add patch uudecode-e5ed080c.patch for bsc#1198518 and CVE-2022-1328
  to fix a buffer overflow in uudecoder
openldap2
- bsc#1199240 - CVE-2022-29155 - Resolve sql injection in back-sql
  * 0225-ITS-9815-slapd-sql-escape-filter-values.patch
- bsc#1198383 - Resolve issue with SASL init
  * 0224-ITS-8648-init-SASL-library-in-global-init.patch
psmisc
  * Add a fallback if the system call name_to_handle_at() is
    not supported by the used file system.
- Add patch psmisc-22.21-semaphores.patch
  * Replace the synchronizing over pipes of the sub process for the
    stat(2) system call with mutex and conditions from pthreads(7)
    (bsc#1194172)
- Add patch psmisc-22.21-statx.patch
  * Use statx(2) or SYS_statx system call to replace the stat(2)
    system call and avoid the sub process at all (bsc#1194172)
- Change patch 0001-Use-mountinfo-to-be-able-to-use-the-mount-identity.patch
samba
- Revert NIS support removal; (bsc#1199247);
- Add missing samba-client requirement to samba-winbind package;
  (bsc#1198255);
- Update to 4.15.7
  * Share and server swapped in smbget password prompt; (bso#14831);
  * Durable handles won't reconnect if the leased file is written
    to; (bso#15022);
  * rmdir silently fails if directory contains unreadable files and
    hide unreadable is yes; (bso#15023);
  * SMB2_CLOSE_FLAGS_FULL_INFORMATION fails to return information
    on renamed file handle; (bso#15038);
  * vfs_shadow_copy2 breaks "/smbd async dosmode"/ sync fallback;
    (bso#14957);
  * shadow_copy2 fails listing snapshotted dirs with shadow:fixinodes;
    (bso#15035);
  * PAM Kerberos authentication incorrectly fails with a clock skew
    error; (bso#15046);
  * username map - samba erroneously applies unix group memberships
    to user account entries; (bso#15041);
  * NT_STATUS_ACCESS_DENIED translates into EPERM instead of EACCES
    in SMBC_server_internal; (bso#14983);
  * Simple bind doesn't work against an RODC (with non-preloaded users);
    (bso#13879);
  * Crash of winbind on RODC; (bso#14641);
  * uncached logon on RODC always fails once; (bso#14865);
  * KVNO off by 100000; (bso#14951);
  * LDAP simple binds should honour "/old password allowed period"/;
    (bso#15001);
  * wbinfo -a doesn't work reliable with upn names; (bso#15003);
  * Simple bind doesn't work against an RODC (with non-preloaded
    users); (bso#13879);
  * Uninitialized litemask in variable in vfs_gpfs module; (bso#15027);
  * Regression: create krb5 conf = yes doesn't work with a single KDC;
    (bso#15016);
- Add provides to samba-client-libs package to fix upgrades from
  previous versions; (bsc#1198663);
- Update to 4.15.6
  * Renaming file on DFS root fails with
    NT_STATUS_OBJECT_PATH_NOT_FOUND; (bso#14169);
  * Samba does not response STATUS_INVALID_PARAMETER when opening 2
    objects with same lease key; (bso#14737);
  * NT error code is not set when overwriting a file during rename
    in libsmbclient; (bso#14938);
  * Fix ldap simple bind with TLS auditing; (bso#14996);
  * net ads info shows LDAP Server: 0.0.0.0 depending on contacted
    server; (bso#14674);
  * Problem when winbind renews Kerberos; (bso#14979);
    (bsc#1196224);
  * pam_winbind will not allow gdm login if password about to
    expire; (bso#8691);
  * virusfilter_vfs_openat: Not scanned: Directory or special file;
    (bso#14971);
  * DFS fix for AIX broken; (bso#13631);
  * Solaris and AIX acl modules: wrong function arguments;
    (bso#14974);
  * Function aixacl_sys_acl_get_file not declared / coredump;
    (bso#7239);
  * Regression: Samba 4.15.2 on macOS segfaults intermittently
    during strcpy in tdbsam_getsampwnam; (bso#14900);
  * Fix a use-after-free in SMB1 server; (bso#14989);
  * smb2_signing_decrypt_pdu() may not decrypt with
    gnutls_aead_cipher_decrypt() from gnutls before 3.5.2;
    (bso#14968);
  * Changing the machine password against an RODC likely destroys
    the domain join; (bso#14984);
  * authsam_make_user_info_dc() steals memory from its struct
    ldb_message *msg argument; (bso#14993);
  * Use Heimdal 8.0 (pre) rather than an earlier snapshot;
    (bso#14995);
  * Samba autorid fails to map AD users if id rangesize fits in the
    id range only once; (bso#14967);
- Add missing samba-libs requirement to samba-winbind package;
  (bsc#1198255);
sapconf
- version update from 5.0.3 to 5.0.4
- change block device handling to handle multipath devices
  correctly. Only the DM multipath devices (mpath) will be used for
  the settings, but not its paths.
  (bsc#1188743)
- fixed wrong comparison used for setting force_latency
  (bsc#1185702)
- SAP Note 1771258 v6 updates nofile values to 1048576
  (bsc#1192841)
tiff
- security update
  * CVE-2022-0561 [bsc#1195964]
    + tiff-CVE-2022-0561.patch
  * CVE-2022-0562 [bsc#1195965]
    + tiff-CVE-2022-0562.patch
  * CVE-2022-0865 [bsc#1197066]
    + tiff-CVE-2022-0865.patch
  * CVE-2022-0909 [bsc#1197072]
    + tiff-CVE-2022-0909.patch
  * CVE-2022-0924 [bsc#1197073]
    + tiff-CVE-2022-0924.patch
  * CVE-2022-0908 [bsc#1197074]
    + tiff-CVE-2022-0908.patch
- security update
  * CVE-2022-1056 [bsc#1197631]
  * CVE-2022-0891 [bsc#1197068]
    + tiff-CVE-2022-1056,CVE-2022-0891.patch