util-linux
- Properly neutralize escape sequences in wall
  (util-linux-CVE-2024-28085.patch, bsc#1221831, CVE-2024-28085,
  and its prerequisites: util-linux-fputs_careful1.patch,
  util-linux-wall-migrate-to-memstream.patch
  util-linux-fputs_careful2.patch).
compat-openssl098
- Security fix: [bsc#1219243, CVE-2024-0727]
  * Add NULL checks where ContentInfo data can be NULL
  * Add openssl-CVE-2024-0727.patch
python36
- Refresh CVE-2023-27043-email-parsing-errors.patch to
  gh#python/cpython!111116, fixing bsc#1210638 (CVE-2023-27043).
SAPHanaSR
- Version bump to 0.162.3
  * Fix the hexdump log for empty node states
  * catch monitor calls for non-cloned resources and report them as
    unsupported instead of 'command not found'
    (bsc#1218333)
  * fix scope of variable 'site' to be global
    (bsc#1219194)
  * susChkSrv.py - relocate function logTimestamp()
  * update man pages:
    SAPHanaSR.7
    ocf_suse_SAPHana.7
    SAPHanaSR_maintenance_examples.7
    SAPHanaSR.py.7
    SAPHanaSR-showAttr.8
shadow
- bsc#1188307: Fix passwd segfault
  Add shadow-bsc1188307-passwd-segfault.patch
openssh
- also remember the active state of the service, so openssh8.4
  can pick it up. bsc#1220110
- handle these when we do go from openssh8.4-server back to openssh

- remember the enabled state of sshd state, so openssh8,4 can pick it
  up. bsc#1220110

- Added openssh-cve-2023-51385.patch (bsc#1218215, CVE-2023-51385).
  This limits the use of shell metacharacters in host- and
  user names.
python3
- Add CVE-2023-40217-avoid-ssl-pre-close.patch fixing
  gh#python/cpython#108310, backport from upstream patch
  gh#python/cpython#108315
  (bsc#1214692, CVE-2023-40217)

- (bsc#1219666, CVE-2023-6597) Add
  CVE-2023-6597-TempDir-cleaning-symlink.patch (patch from
  gh#python/cpython!99930) fixing symlink bug in cleanup of
  tempfile.TemporaryDirectory.
- Repurpose skip-failing-tests.patch to increase timeout for
  test.test_asyncio.test_tasks.TimeoutTests.test_timeout_time,
  which fails on slow machines in IBS (s390x).

- Refresh CVE-2023-27043-email-parsing-errors.patch from
  gh#python/cpython!111116, fixing bsc#1210638 (CVE-2023-27043).
util-linux-systemd
- Properly neutralize escape sequences in wall
  (util-linux-CVE-2024-28085.patch, bsc#1221831, CVE-2024-28085,
  and its prerequisites: util-linux-fputs_careful1.patch,
  util-linux-wall-migrate-to-memstream.patch
  util-linux-fputs_careful2.patch).
libzypp
- applydeltaprm: Create target directory if it does not exist
  (bsc#1219442)
- version 16.22.12 (0)
supportutils-plugin-ha-sap
- Update to version 0.0.5+git.1709295499.1c8e8cd
  * adapt documentation links
  * add support for SAP systemd services regarding SID retrieval
  * add information about SAP related systemd services
  * add information about sapcontrol function GetStartProfile
  * add information from daemon.ini
  * collect hook script logs (suschksrv and saphanasr_multitarget_hook)
  * collect logs of sap_suse_cluster_connector and sapstartsrv
  * Add python version
  * Check sudoers for srhook configuration
openssl-1_1
- Security fix: [bsc#1219243, CVE-2024-0727]
  * Add NULL checks where ContentInfo data can be NULL
  * Add openssl-CVE-2024-0727.patch
supportutils-plugin-suse-public-cloud
- Update to version 1.0.9 (bsc#1218762, bsc#1218763)
  + Remove duplicate data collection for the plugin itself
  + Collect archive metering data when available
  + Query billing flavor status
google-cloud-sap-agent
- Update to version 3.2 (bsc#1222215, bsc#1222216)
  * Remove internal gensupport package.
  * Restore additional error handling and response checking to internal data warehouse client.
  * Updating the aggregate function in HANA insight rules
  * Remove a leftover debug log
  * Allow multipart uploads for PIPE file types.
  * Update go-hdb version to v1.8.0
  * Perform log restores in serial rather than parallel.
  * Add sample usage examples to commandlineexecutor
  * Small update to configureinstance OTE
  * Add nil check in backup and restore flows to protect against panics.
  * Close http response body in WriteInsight() and soap.go
  * Record topology type.
  * Initialize usagemetrics for OTEs
  * Add Instance Number to SAP System instance properties
  * Set `min_version` for WLM `os_settings` system metric.
  * Increase timeout for saptune re-apply commands.
  * Adding handling for encrypted snapshots in backup and restore
  * Change the version check comparisons to account for versions
    older than those listed in SAP Note.
  * Skip the Netweaver metrics that need dpmon on NW kernels
    affected by SAP Note: 3366597
  * Fix imports
  * No public description
  * Use internal data warehouse client.
  * Fix disp+work command invocation for Netweaver Kernel version discovery.
  * Add note about default parameter values to installbackint.
  * Add mutex in multipart writer for potential data races.
  * Update go.mod and go.sum
  * Skip XFS freeze by default unless user passes a parameter to do it explicitly
  * configureinstance minor updates.
  * Add safety check for usage metrics on BMS
  * Storage Class parameter added to Backint.
  * Update configureinstance's X4 saptune conf.
  * XML Multipart Write() and Close() methods completed.
  * Fixes the vmmanager policies for sles12 and sles15 used in the cloud console removes
    the individual cloud console policies and consolidates them into one Adds a general
    gcloud command line policy
  * Standardize logging for workloadmanager package.
  * Multipart XML API Uploads for Backint.
  * Add database system SID to database properties.
  * Fix NW HA node identification for RedHat deployments.
  * Add workload properties to discovery object returned by discoverSAPSystems
  * Add ASCS instance number to application data
  * Add Workload Manager validation rule for checking OS settings.
  * Enable WLM metric collection by default, disable submission of data to Cloud Monitoring.
  * Decoupling primary executable command and providing an alternative to lsof
  * Added HANA version in support bundle collection
  * Add WorkloadProperties to merged system details and to WLM Insights
  * Replace the link placeholder with the actual link
  * Add instance number to SAP discovery data
  * Tranche 12: HRE Rules
  * Minor typo fix in workloadmanager's hana metrics module
  * Add pacemaker metrics with SID labels to process metrics
  * updating the regex for backup and backint files to take care of log rotation in support bundle
  * Add support for disk snapshot labels for easy lifecycle management of snapshots
  * Added new OTE for changedisktype workflow
  * Add WorkloadProperties to SapSystemDetails for apps_discovery
  * Testing the timeseries in unit tests instead of just checking the count
  * Record Netweaver kernel version.
  * Tranche 12: HRE Rules
  * Testing the timeseries in unit tests instead of just checking the count
  * Testing the timeseries in unit tests instead of just checking the count
  * Relocating pacemaker collection related packages to internal/pacemaker
    for common use between process metrics and WLM
  * Use results from latest round of discovery for the collection of process metrics.
  * Handling zero rows returned case better in HANA insights
  * Adding docstrings to workloadmanager package
  * Adding docstring to configure OTE
  * adding docstrings to methods in support bundle
  * Add X4 specific configurations to configureinstance OTE.
  * Add helper functions to configureinstance OTE.
  * Display updates for HANA Insights WLM rules rollout.
  * configureinstance OTE
  * We expect the command to return a non-zero exit code and we should not be
    returning an error. Execute treats non-zero exit code as error.
  * Removing the sap control process command line params
  * Revert "Fixing system replication status code being returned"
  * configureinstance OTE
  * We expect the command to return a non-zero exit code and we should not be
    returning an error. Execute treats non-zero exit code as error.
  * Removing the sap control process command line params
  * Fixing system replication status code being returned
  * Wait for hdbindex server to stop after HANA is stopped
  * Log error to console in cases where LVM is not being used
  * Adding JournalCTL logs to support bunddle
  * hanadiskbckup - Add missing params to the Usage string
  * Move usagemetrics package into shared folder
  * Fixed data race error in TestCollectAndSendSlowMovingMetrics()
  * Disk backup/restore - Enable send-metrics-to-monitoring by default

- Update to version 3.1 (bsc#1220010, bsc#1220111)
  * Fixing system replication status code being returned
  * Reduce disk snapshot wait durations
  * Fix test flakes in workloadcollector test.
  * adding metrics for db freeze time and total workflow time
  * Fix for SAP System discovery adding the current host to all components.
  * Restore default WLM metric collection settings.
  * change description of validate OTE
  * fix a typo in the command name and add a delay before we try the unmount
  * Use underscore as separator for flags in place of hyphens
  * Enable host_metrics and disable reliability_metrics by default in configure OTE
  * Collect reliability metrics in the free namespace
  * Remove user from cmd params for HANA Replication
  * Enable workload manager metric collection by default.
  * Add support configuration flag to enable legacy WLM metric data submission workflow.
  * Lowers the log level of discovery to info
  * Fix for HANA Replication Config
  * Add additional instance-id parameter for users who do not want to provide port number
  * Use _ instead of - for parameters in configurebackint
  * Implementing panic recovery to HANA Monitoring: CreateWorkerPool
  * Fix issue with process metrics subroutine starting.
  * Add a flag to enable or disable workload discovery.
  * Reduce logs in sapdiscovery to debug, these are now run a
    lot more frequently and are flooding the logs
  * Use bucket `cloudsapdeploystaging` for staging environment.
  * Updates default value handling for system discovery flag.
  * Added default values to some frequency flags in configure OTE
  * force a sync before unmounting to clear out stale file handles
  * Retain recoverable routine in process metrics.
  * Ensures slow metrics workers stop on context cancellation.
  * Log lsof output if unmount fails during restore
  * SAP Discovery - Discover R3trans data
  * Add panic recovery to collectiondefinition update routine
  * configurebackint OTE.
  * Adding panic recovery to remote.go
  * Prevent host metrics from restarting the daily metrics report if it has already been started.
  * Add panic recovery to agent metrics
  * Implementing panic recovery for hana monitoring: logging action daily
  * Routines now use their own context and cancel in the event of a panic recovery.
  * Add panic recovery to host metrics routines
  * Removed -path flag and fixed usage string
  * Add workload properties to the SAP System definition.
  * Add panic recovery to collectMetricsFromConfig routines.
  * Add panic recovery to fast metric collection routine.
  * Reduces the log severity to debug for the exponential backoff policy
  * Add panic recovery to heartbeat routine.
  * Updating configuration.json file to remove deprecated sap_discovery field
  * Use protojson instead of custom function for snake_case marshaling
  * Add panic recovery to WLM metrics collection
  * HANA Insights rules tranche 11: Create unit tests and add to auto push
  * Add panic recovery to workload collector daily usage metrics.
  * Processmetrics - suppress Error and Warn logs that really need to be debug
  * Formatting the output of messages printed by configure OTE
  * Changing flag names of configure OTE to align better with configuration.json fields
  * Add automatic panic recovery to slow metrics collection
  * Add panic recovery to goroutine collectAndSend
  * Add panic recovery to goroutine
  * Retain recoverable routines beyond function scope.
  * Implement recovery handler for SAP System discovery package
  * Tranche 11: HRE Rules
  * Update github build
  * Adds generic panic recovery to SAP System discovery package
  * Initialize the sidadm env to ensure restore can be run as root user
  * not pacaking gcbdr scripts till launch of the feature
  * Change datatype of frequency flags from string to int
  * Breaking down --frequency flag into separate flags for different features for better isolation
  * Fix configuration.json file from being written in camelCase to snake_case
  * Tranche 6,7,8,9,10: HRE Rules
  * Suppress pacemaker related log from Error to Debug
  * creating the OTE for GCBDR discovery
  * Update HA node identification
  * Tranche 10: HRE Rules
  * Update file permissions and ownership for installbackint when running as root.
  * Adding newline after version print.
  * Exposing HANA Logical volumes availability metrics
  * Make workloadmanager parameters test more robust.
  * Fix panic in cloud discovery
  * Tranche 10: HRE Rules
  * Add recovery_folder_prefix parameter to Backint.
  * Mark process_metrics_send_frequency as deprecated
  * Add snapshot-type param to hanadiskbackup with default as STANDARD
    type. Users can override to ARCHIVE type if needed.
  * Add new folder_prefix parameter to Backint.
  * Add HANA new HANA insight rules to BUILD file and embed sources
  * Tranche 10a: HRE Rules
  * Tranche 6b: HRE Rules
  * Tranche 8b: HRE Rules
  * Fix for sending isABAP value
  * Updating logusage command line flags

- Update to version 3.0 (bsc#1218736, bsc#1218737)
  * Suppress packemaker command error to debug to avoid log flooding
  * Expand load balancing cluster discovery.
  * Log success messages in OTEs to STDOUT instead of STDERR used by log.Print
  * Use bash always to avoid variation of behavior across OS/Shell types
  * Minor updates to installbackint.
  * Backint compose step properly saves metadata.
  * Fix issue with discovery on ASCS instances.
  * hanadiskrestore - fix the format of disktype string for disk create API
  * Fix issue with PCS cluster address discovery.
  * Update transform to insight
  * Rename HANA backup/restore OTEs to reflect they are supported
    for all disks and not just persistent disk
  * Increase the timeout for HDB stop to account for busy DBs
  * Adding project sap-ecs-testing to the list.
  * PD Restore - Support provisioned-iops and provisioned-throughput
  * Integration test for configure OTE
  * Added precondition in hana pd backup for stripped LVM
  * Add a precondition check to verify user has passed a valid
    snapshot name that is present in the current project
  * Update the usage to reflect additional required param
  * Minor path update for supportbundle OTE.
  * Fixing bug in slow moving metrics partial collection scenarios
  * Adding check for agent status after restart.
  * Ensure Backint ComposeChunks has a valid bucket handle
  * Discover whether a Netweaver instance is ABAP or Java
  * Replace standard slices package with third party version
  * WLM HANA metric `ha_in_same_zone` now reports instance
    names for HA nodes in the same zone
  * Fix data race condition for Backint Backup with new client connections
  * Make -new-disk-name a required parameter to avoid the 63 char
    limit in the name length due to auto-generated names
  * Fix command for collecting Corosync metric `two_node_runtime`
  * Make snapshot name similar to disk name
  * Bump golang.org/x/crypto from 0.15.0 to 0.17.0
  * Enable Discovery config flag controls submission
    to Data Warehouse and Cloud Logging
  * Create new clients for each operation in Backint
  * Add `client_endpoint` to Backint proto.
  * Getting the build number into the version for display
  * Backint config name change: service_account to service_account_key
  * Add HANA HA metrics to collection definition.
  * Fix sorting bug in a diff in apps_discovery_test.go
  * Add discoverHANATenantDBs to main code path
  * Change PIPE filemode to WRONLY to allow us to detect broken pipes
  * Deprecate `sap_system_discovery` config field in favor of `enable_discovery`
  * Move the validation of whether user passed correct PD, before stopping HANA
  * Add a placeholder for public doc link with next steps
    after hanapdrestore workflow has completed
  * Fix executable path for HDB version command
  * Add optional param `new-disk-name` to hanapdrestore
    for users that wish to override the default
  * Sort the skipmetrics in unit test to avoid order related flakes
  * Generalizing configure OTE
  * Discover Netweaver kernel version
  * Fix Sprintf call
  * Use SAP System data to determine if HANA HA nodes share the same zone.
  * hanapdrestore - do not delete PDs in case of failures
  * Create discoverHANATenantDBs method to support multiple SIDs for HANA tenant DBs
  * Send additional fields in Data Warehouse WriteInsightRequest
  * Updating the username parameters for hana pd backup and restore
  * Retrieve Reliability data every 2 hours instead of 24
  * Discover HANA version
  * Fix import for GitHub build
  * Add instance properties, and topology information to system data
  * Keep the device nam and disk name same after restore
  * Move sapdiscovery package into system package
  * Changer the default name of the disk created by restore workflow
  * Updates the generated protobuf go for system.proto
  * Update generated system proto
  * Update go.yml
  * Add topology and instance properties info to SAP System data
  * Add a check to verify the disk is attached to instance, fail if disk is not attached
  * Add application and database software properties to system representation
  * Fix race condition in heartbeat test case
  * Add error handling to restore workflow to try and keep
    the HANA system in a clean state on failures
  * Enable LogToCloud by default for both OTE and Daemon modes
  * Bump Agent version to 3.0
  * Reliability OTE added to SAP Agent
  * Declare public Get interface for SAP System discovery data
  * Integration testing for Networkstats Package
  * Adding project sap-ecs-testing to the list
  * Adding one time execution for enabling/disabling of features
  * Change to using custom retries for initial bucket connection
  * Default collection definition to be fetched from GCS
  * Add a 2 minute context timeout for initial bucket connection
  * Add `collection_config_version` as a WLM system metric
  * Make project, host param optional for hanapdbackup,
    in addition make user param optional for hanapdrestore
  * Fix potential nil dereference WLM metrics collection
  * Add force-stop-hana to restore workflow to forcefully stop
    HANA when the param is passed
  * Rename the HANA PD snapshot and restore workflows
  * Add unit tests for GetProvisionIOps and GetProvisionedThoughput
  * Remove the TestCollect unit test which relies on nc
    command which can be flaky in unit tests
  * Increase Backint timeout for PIPE files to 3 minutes
  * Add XFS freeze and unfreeze to PD based snapshot
kernel-default
- Refresh patches.kabi/cpufeatures-kabi-fix.patch. (bsc#1221287)
  X86_FEATURE_LFENCE_RDTSC became an extended bit and was set via
  cpu_set_cap as opposed to setup_force_cpu_cap. So extend the
  infrastructure to also cover cpu_set_cap.
- commit 3fcb500

- blacklist.conf: update blacklist
  The entries added in the commit are temporary ones so once
  MU is done I'll revert the commit
- commit 874c87d

- gve: Fix skb truesize underestimation (git-fixes).
- commit 983edc4

- Revert "md/raid5: Wait for MD_SB_CHANGE_PENDING in raid5d"
  (git-fixes).
- commit 3ea2575

- phy: ti: phy-omap-usb2: Fix NULL pointer dereference for SRP (bsc#1220340,CVE-2024-26600)
- commit 20e2c08

- RDMA/rxe: Clear all QP fields if creation failed (bsc#1220863 CVE-2021-47078)
- commit f8dcd39

- RDMA/rxe: Return CQE error if invalid lkey was supplied (bsc#1220860 CVE-2021-47076)
- commit 3f60a4e

- ACPI: extlog: fix NULL pointer dereference check (bsc#1221039
  CVE-2023-52605).
- commit b0968bd

- blacklist.conf: Add d4ccd54d28d3 exit: Put an upper limit on how often we can oops
  and its dependant.
- commit 64ce341

- KVM: s390: fix setting of fpc register (bsc#1221040
  CVE-2023-52597).
- commit 0f89ca1

- net: usb: dm9601: fix wrong return value in dm9601_mdio_read
  (git-fixes).
- commit d69a5b8

- net: nfc: llcp: Add lock when modifying device list (git-fixes).
- commit b462198

- igb: clean up in all error paths when enabling SR-IOV
  (git-fixes).
- commit 0f0e6a7

- net/sched: tcindex: search key must be 16 bits (git-fixes).
- commit 190e0f5

- stmmac: fix potential division by 0 (git-fixes).
- commit 40876e6

- kcm: fix strp_init() order and cleanup (git-fixes).
- commit b31a598

- ipv6: fix typos in __ip6_finish_output() (git-fixes).
- commit 54553b6

- kabi: team: Hide new member header_ops (bsc#1220870
  CVE-2023-52574).
- commit 9fab77a

- blacklist.conf: update blacklist
- commit 9263a68

- wcn36xx: fix RX BD rate mapping for 5GHz legacy rates
  (git-fixes).
- commit c4e8a82

- wcn36xx: Fix discarded frames due to wrong sequence number
  (git-fixes).
- commit 8553436

- x86/srso: Add SRSO mitigation for Hygon processors (bsc#1220735
  CVE-2023-52482).
- commit c7d3dd8

- Revert "wcn36xx: Disable bmps when encryption is disabled"
  (git-fixes).
- commit e5924b8

- vt: fix memory overlapping when deleting chars in the buffer
  (bsc#1220845 CVE-2022-48627).
- commit 6d7d615

- wcn36xx: Fix (QoS) null data frame bitrate/modulation
  (git-fixes).
- commit 405ced7

- ipv6: Fix handling of LLA with VRF and sockets bound to VRF
  (git-fixes).
- commit 519a8b2

- kcm: Call strp_stop before strp_done in kcm_attach (git-fixes).
- commit b01e9bb

- blacklist.conf: update blacklist
- commit 347e348

- KVM: x86: Export RFDS_NO and RFDS_CLEAR to guests (bsc#1213456 CVE-2023-28746).
- commit 789616b

- x86/rfds: Mitigate Register File Data Sampling (RFDS) (bsc#1213456 CVE-2023-28746).
- Update config files.
- Refresh patches.kabi/cpufeatures-kabi-fix.patch.
- commit 47b68f4

- Documentation/hw-vuln: Add documentation for RFDS (bsc#1213456 CVE-2023-28746).
- commit 959a93f

- scsi: qedf: Add pointer checks in qedf_update_link_speed()
  (bsc#1220861 CVE-2021-47077).
- commit 499d19e

- Refresh patches.suse/0001-powerpc-pseries-memhp-Fix-access-beyond-end-of-drmem.patch.
  Refresh patch metadata and sort.
- commit 15cb428

- ravb: Fix use-after-free issue in ravb_tx_timeout_work()
  (bsc#1212514 CVE-2023-35827).
- team: fix null-ptr-deref when team device type is changed
  (bsc#1220870 CVE-2023-52574).
- commit 36ef587

- net: mana: Fix TX CQE error handling (bsc#1220932
  CVE-2023-52532).
- commit d388327

- Update reference of bpf-Fix-masking-negation-logic-upon-negative-dst-reg.patch
  (bsc#1186484,CVE-2021-33200,bsc#1220700,CVE-2021-46974).
- commit d334f65

- nfsd: Do not refuse to serve out of cache (bsc#1220957).
- commit 828470f

- wifi: mac80211: fix potential key use-after-free (CVE-2023-52530
  bsc#1220930).
- wifi: iwlwifi: mvm: Fix a memory corruption issue
  (CVE-2023-52531 bsc#1220931).
- commit 4749167

- net: nfc: fix races in nfc_llcp_sock_get() and
  nfc_llcp_sock_get_sn() (CVE-2023-52502 bsc#1220831).
- commit d0dd97d

- tls: fix race between tx work scheduling and socket close
  (CVE-2024-26585 bsc#1220187).
- commit 2d824be

- kabi: restore return type of dst_ops::gc() callback
  (CVE-2023-52340 bsc#1219295).
- ipv6: remove max_size check inline with ipv4 (CVE-2023-52340
  bsc#1219295).
- commit dd00c24

- netfilter: nf_tables: fix 64-bit load issue in
  nft_byteorder_eval() (CVE-2024-0607 bsc#1218915).
- netfilter: nf_tables: fix pointer math issue in
  nft_byteorder_eval() (CVE-2024-0607 bsc#1218915).
- commit b635ad7

- Update patches.suse/sctp-use-call_rcu-to-free-endpoint.patch
  (CVE-2022-20154 CVE-2021-46929 bsc#1200599 bsc#1220482).
- commit 23c3231

- tomoyo: fix UAF write bug in tomoyo_write_control() (bsc#1220825
  CVE-2024-26622).
- commit e934259

- Bluetooth: hci_ll: don't call kfree_skb() under
  spin_lock_irqsave() (git-fixes).
- commit 8e9750e

- Bluetooth: hci_h5: don't call kfree_skb() under
  spin_lock_irqsave() (git-fixes).
- commit e3ec875

- locking/qrwlock: Fix ordering in queued_write_lock_slowpath()
  (CVE-2021-46921 bsc#1220468 bsc#1185041).
- commit 9f2e845

- locking/barriers: Introduce smp_cond_load_relaxed() and
  atomic_cond_read_relaxed() (bsc#1220468 bsc#1050549).
- commit 76b2073

- Bluetooth: hci_bcsp: don't call kfree_skb() under
  spin_lock_irqsave() (git-fixes).
- commit 3114978

- Bluetooth: hci_qca: don't call kfree_skb() under
  spin_lock_irqsave() (git-fixes).
- commit 40c2728

- Input: appletouch - initialize work before device registration
  (CVE-2021-46932 bsc#1220444).
- commit 02010d5

- powerpc/pseries/memhp: Fix access beyond end of drmem array
  (bsc#1220250,CVE-2023-52451).
- commit 22d7587

- ACPI: GTDT: Don't corrupt interrupt mappings on watchdow probe
  failure (bsc#1220599 CVE-2021-46953).
- commit 69d8de2

- mtd: Fix gluebi NULL pointer dereference caused by ftl notifier
  (bsc#1220238 CVE-2023-52449).
- commit a845e8b

- Input: powermate - fix use-after-free in
  powermate_config_complete (CVE-2023-52475 bsc#1220649).
- HID: logitech-hidpp: Fix kernel crash on receiver USB disconnect
  (CVE-2023-52478 bsc#1220796).
- commit 6daf909

- i2c: Fix a potential use after free (bsc#1220409
  CVE-2019-25162).
- commit 0be34df

- i2c: cadence: fix reference leak when pm_runtime_get_sync fails
  (bsc#1220570 CVE-2020-36784).
- commit 8727379

- bus: qcom: Put child node before return (CVE-2021-47054
  bsc#1220767).
- commit 0c0fa8d

- NFC: st21nfca: Fix memory leak in device probe and remove
  (CVE-2021-46924 bsc#1220459).
- commit 01b7814

- netfilter: nft_limit: avoid possible divide error in
  nft_limit_init (CVE-2021-46915 bsc#1220436).
- commit 9130a3d

- HID: usbhid: fix info leak in hid_submit_ctrl (CVE-2021-46906
  bsc#1220421).
- commit 1d243b9

- media: pvrusb2: fix use after free on context disconnection
  (CVE-2023-52445 bsc#1220241).
- commit f8f3542

- media: dvbdev: Fix memory leak in dvb_media_device_free()
  (CVE-2020-36777 bsc#1220526).
- commit cd311ab

- apparmor: avoid crash when parsed profile name is empty
  (CVE-2023-52443 bsc#1220240).
- commit 8387a56

- nfc: nci: fix possible NULL pointer dereference in
  send_acknowledge() (bsc#1219125 CVE-2023-46343).
- commit 7ff1724

- md: bypass block throttle for superblock update (git-fixes).
- commit e6ba7c9

- blacklist.conf: add non-backport md git-fixes commits.
- commit d3c59de

- tcp: fix tcp_mtup_probe_success vs wrong snd_cwnd (bsc#1218450).
- commit 4a3997c

- netfilter: nftables: avoid overflows in nft_hash_buckets()
  (CVE-2021-46992 bsc#1220638).
- commit c79b980

- netfilter: nft_set_hash: add nft_hash_buckets() (CVE-2021-46992
  bsc#1220638).
- commit 5542c1b

- net:emac/emac-mac: Fix a use after free in emac_mac_tx_buf_send
  (CVE-2021-47013 bsc#1220641).
- commit a848ac2

- net: fec: Better handle pm_runtime_get() failing in .remove()
  (git-fixes).
- commit 60e6dbc

- net: fec: fix use-after-free in fec_drv_remove (git-fixes).
- commit 192ab42

- i40e: Fix use-after-free in i40e_client_subtask()
  (CVE-2021-46991 bsc#1220575).
- commit 27d6f39

- KVM: s390: vsie: fix race during shadow creation (git-fixes
  bsc#1220613).
- commit a2a5381

- s390: use the correct count for __iowrite64_copy() (git-fixes
  bsc#1220607).
- commit 0823e37

- mlxsw: spectrum_acl_tcam: Fix NULL pointer dereference in
  error path (bsc#1220344 CVE-2024-26595).
- commit 71c942e

- net: fec: fix clock count mis-match (git-fixes).
- commit 90008dd

- net: hns3: add compatible handling for MAC VLAN switch parameter
  configuration (git-fixes).
- commit 9cbe2e0

- net: phy: initialise phydev speed and duplex sanely (git-fixes).
- commit 5fc404a

- bnx2x: Fix PF-VF communication over multi-cos queues
  (git-fixes).
- commit 58f28c6

- ixgbe: protect TX timestamping from API misuse (git-fixes).
- commit c740900

- net: phy: dp83867: enable robust auto-mdix (git-fixes).
- commit 51f918b

- net: fec: add missed clk_disable_unprepare in remove
  (git-fixes).
- commit 26193da

- e1000: fix memory leaks (git-fixes).
- commit 63cea05

- igb: Fix constant media auto sense switching when no cable is
  connected (git-fixes).
- commit ecbd46c

- net: hisilicon: Fix usage of uninitialized variable in function
  mdio_sc_cfg_reg_write() (git-fixes).
- commit 467a700

- net: hns3: not allow SSU loopback while execute ethtool -t dev
  (git-fixes).
- commit feac716

- net/mlx5e: ethtool, Avoid setting speed to 56GBASE when autoneg
  off (git-fixes).
- commit 38e0f13

- blacklist.conf: update blacklist
- commit 803afb1

- blacklist.conf: add ep93xx_eth
  the config option is not enabled
- commit aed74c8

- blacklist.conf: add emac_rockchip
  the config option is not enabled
- commit 27c4413

- Update metadata
- commit fca1f53

- net: openvswitch: limit the number of recursions from action
  sets (bsc#1219835 CVE-2024-1151).
- commit 9353f4f

- EDAC/thunderx: Fix possible out-of-bounds string access (bsc#1220330, CVE-2023-52464)
- commit a228c17

- KVM: x86: work around QEMU issue with synthetic CPUID leaves (git-fixes).
- commit 7dad6e2

- blacklist.conf: Blacklist a clang fix
- commit e954d52

- net: lpc-enet: fix printk format strings (git-fixes).
- commit dcd5e66

- net: tundra: tsi108: use spin_lock_irqsave instead of
  spin_lock_irq in IRQ context (git-fixes).
- commit 3fddc2a

- net: hisilicon: Fix dma_map_single failed on arm64 (git-fixes).
- commit 65f9c53

- net: hisilicon: fix hip04-xmit never return TX_BUSY (git-fixes).
- commit b56984b

- net: hisilicon: make hip04_tx_reclaim non-reentrant (git-fixes).
- Refresh
  patches.suse/net-hisilicon-Fix-ping-latency-when-deal-with-high-t.patch.
- commit 1de9297

- net: sfp: add mutex to prevent concurrent state checks
  (git-fixes).
- commit 4badb38

- blacklist.conf: update blacklist
- commit eb0a485

- media: usb: dvd-usb: fix uninit-value bug in
  dibusb_read_eeprom_byte() (git-fixes).
- commit 4772961

- media: uvcvideo: Set capability in s_param (git-fixes).
- commit df9234c

- media: dw2102: Fix use after free (git-fixes).
- commit 6909f5e

- media: dw2102: make dvb_usb_device_description structures const
  (git-fixes).
- Refresh
  patches.suse/media-dw2102-Fix-memleak-on-sequence-of-probes.patch.
- commit cfe8bf2

- media: dvb-usb: Add memory free on error path in dw2102_probe()
  (git-fixes).
- Refresh
  patches.suse/media-dw2102-Fix-memleak-on-sequence-of-probes.patch.
- commit 60bfc4d

- [media] media drivers: annotate fall-through (git-fixes).
- commit 550adce

- rpm/check-for-config-changes: add GCC_ASM_GOTO_OUTPUT_WORKAROUND to IGNORED_CONFIGS_RE
  Introduced by commit 68fb3ca0e408 ("update workarounds for gcc "asm
  goto" issue").
- commit be1bdab

- media: rc: ir-rc6-decoder: enable toggle bit for Kathrein
  RCU-676 remote (git-fixes).
- commit 40a7cdd

- media: rc: do not remove first bit if leader pulse is present
  (git-fixes).
- commit 055036d

- blacklist.conf: feature fixed hasn't been backported
- commit 299071b

- media: coda: reuse coda_s_fmt_vid_cap to propagate format in
  coda_s_fmt_vid_out (git-fixes).
- commit 346be28

- media: coda: set min_buffers_needed (git-fixes).
- commit 9e4f67c

- media: coda: constify platform_device_id (git-fixes).
- commit da6a628

- media: coda: reduce iram size to leave space for suspend to ram
  (git-fixes).
- commit 015f50d

- media: coda: explicitly request exclusive reset control
  (git-fixes).
- commit 19dcce2

- media: coda: wake up capture queue on encoder stop after output
  streamoff (git-fixes).
- Refresh
  patches.suse/media-coda-fix-last-buffer-handling-in-V4L2_ENC_CMD_.patch.
- commit 4fba70d

- [media] coda: simplify optional reset handling (git-fixes).
- commit bc3f552

- [media] media: platform: coda: remove variable self assignment
  (git-fixes).
- commit 6d6901a

- blacklist.conf: driver not backported
- commit c5ae253

- media: dvb-usb: dw2102: fix uninit-value in
  su3000_read_mac_address (git-fixes).
- commit abccca4

- media: dvb-usb: m920x: Fix a potential memory leak in
  m920x_i2c_xfer() (git-fixes).
- commit 4716702

- media: m920x: don't use stack on USB reads (git-fixes).
- commit 45368d1

- media: dw2102: Fix memleak on sequence of probes (git-fixes).
- commit d5c69b6

- blacklist.conf: false positive
- commit 7722626

- blacklist.conf: renames a module. direct breakage of user space
- commit bf0df5d

- usb: musb: dsps: Fix the probe error path (git-fixes).
- commit 2f6dfb0

- usb: musb: tusb6010: check return value after calling
  platform_get_resource() (git-fixes).
- commit 3b8e34e

- usb: musb: musb_dsps: request_irq() after initializing musb
  (git-fixes).
- commit 9ef2688

- usb: host: fotg210: fix the actual_length of an iso packet
  (git-fixes).
- commit bcd63df

- usb: host: fotg210: fix the endpoint's transactional
  opportunities calculation (git-fixes).
- commit f16fc26

- compute-PATCHVERSION: Do not produce output when awk fails
  compute-PATCHVERSION uses awk to produce a shell script that is
  subsequently executed to update shell variables which are then printed
  as the patchversion.
  Some versions of awk, most notably bysybox-gawk do not understand the
  awk program and fail to run. This results in no script generated as
  output, and printing the initial values of the shell variables as
  the patchversion.
  When the awk program fails to run produce 'exit 1' as the shell script
  to run instead. That prevents printing the stale values, generates no
  output, and generates invalid rpm spec file down the line. Then the
  problem is flagged early and should be easier to diagnose.
- commit 8ef8383

- x86/cpu, kvm: Move X86_FEATURE_LFENCE_RDTSC to its native leaf (git-fixes).
- commit 55e0925

- KVM: x86: Move open-coded CPUID leaf 0x80000021 EAX bit propagation  code (git-fixes).
- commit aebeb2d

- KVM: x86: synthesize CPUID leaf 0x80000021h if useful (git-fixes).
- commit 9c96097

- KVM: x86: add support for CPUID leaf 0x80000021 (git-fixes).
- commit 5a997a6

- x86/asm: Add _ASM_RIP() macro for x86-64 (%rip) suffix (git-fixes).
- commit 54b16df

- KVM: VMX: Move VERW closer to VMentry for MDS mitigation (git-fixes).
- KVM: VMX: Use BT+JNC, i.e. EFLAGS.CF to select VMRESUME vs. VMLAUNCH (git-fixes).
- x86/bugs: Use ALTERNATIVE() instead of mds_user_clear static key (git-fixes).
  Also add mds_user_clear to kABI severity as it's used purely for
  mitigation so it's low risk.
- x86/entry_32: Add VERW just before userspace transition (git-fixes).
- x86/entry_64: Add VERW just before userspace transition (git-fixes).
- x86/bugs: Add asm helpers for executing VERW (bsc#1213456).
- commit 7cd11ce

- net/rds: Fix UBSAN: array-index-out-of-bounds in rds_cmsg_recv
  (bsc#1219127 CVE-2024-23849).
- commit e941df3

- USB: hub: check for alternate port before enabling
  A_ALT_HNP_SUPPORT (bsc#1218527).
- commit aaefb30

- blacklist.conf: add macsonic ethernet driver
- commit 1c0cfbf

- blacklist.conf: update blacklist
- commit b541c7e

- net: bonding: debug: avoid printing debug logs when bond is
  not notifying peers (git-fixes).
- commit f58ad69

- usb: typec: tcpci: clear the fault status bit (git-fixes).
- commit fbeda7b

- PCI: Prevent xHCI driver from claiming AMD VanGogh USB3 DRD
  device (git-fixes).
- commit 2012056

- Update to add CVE-2024-23851 tag,
  patches.suse/dm-limit-the-number-of-targets-and-parameter-size-ar.patch
  (bsc#1219827, bsc#1219146, CVE-2023-52429, CVE-2024-23851).
- commit 7dd5c42

- blacklist.conf: cleanup of comments
- commit d4049bd

- blacklist.conf: documentation only
- commit 3d84250

- audit: fix possible soft lockup in __audit_inode_child()
  (git-fixes).
- commit a347e97

- blacklist.conf: not a fix but a cleanup
- commit a5da3c1

- blacklist.conf: only comments cleanup
- commit 2e15690

- blacklist.conf: at this time kerneldocs no longer matter
- commit ed23d03

- ASN.1: Fix check for strdup() success (git-fixes).
- commit 26b2327

- blacklist.conf: attributed to wrong commit id in fixes tag
- commit 652fa5d

- dm: limit the number of targets and parameter size area
  (bsc#1219827, bsc#1219146, CVE-2023-52429).
- commit 3ddaf98

- scripts/PMU: Add option to skip livepatch submission
  Kernel resubmissions that don't involve livepatches can be done without
  kgraft package(s) and channel updates.
- commit 8373df8

- Update
  patches.suse/nvmet-tcp-fix-a-crash-in-nvmet_req_complete.patch
  (bsc#1217987 bsc#1217988 bsc#1217989 CVE-2023-6535 CVE-2023-6536
  CVE-2023-6356).
- commit 1a6bd68

- nvmet-tcp: Fix the H2C expected PDU len calculation
  (bsc#1217987 bsc#1217988 bsc#1217989 CVE-2023-6535 CVE-2023-6536
  CVE-2023-6356).
- nvmet-tcp: remove boilerplate code (bsc#1217987 bsc#1217988
  bsc#1217989 CVE-2023-6535 CVE-2023-6536 CVE-2023-6356).
- nvmet-tcp: Fix a kernel panic when host sends an invalid H2C
  PDU length (bsc#1217987 bsc#1217988 bsc#1217989 CVE-2023-6535
  CVE-2023-6536 CVE-2023-6356).
- commit 3e8a84f

- Refresh patches.kabi/cpufeatures-kabi-fix.patch.
  Simple arithmetic fix.
- commit df1ea97

- vhost: use kzalloc() instead of kmalloc() followed by memset()
  (CVE-2024-0340, bsc#1218689).
- commit 265772f

- blacklist.conf: add Korina ethernet controleer
- commit 754d7b6

- blacklist.conf: update blacklist
- commit 65ec0f0

- mlx4: handle non-napi callers to napi_poll (git-fixes).
- commit 13aca9d

- bnxt_en: Log unknown link speed appropriately (git-fixes).
- commit cab91f3

- net/mlx5: Don't call timecounter cyc2time directly from 1PPS flow (git-fixes).
- commit 30b8d5c

- net: mvneta: fix double free of txq->buf (git-fixes).
- commit abfb85a

- r8169: fix data corruption issue on RTL8402 (git-fixes).
- commit a389731

- rpm/kernel-binary.spec.in: install scripts/gdb when enabled in config
  (bsc#1219653)
  They are put into -devel subpackage. And a proper link to
  /usr/share/gdb/auto-load/ is created.
- commit 1dccf2a

- net: stmmac: dwmac1000: fix out-of-bounds mac address reg
  setting (git-fixes).
- commit 51f13e8

- net: fec: Do not use netdev messages too early (git-fixes).
- commit 24b07f8

- net: stmmac: dwmac4/5: Clear unused address entries (git-fixes).
- commit 156e8fc

- net: stmmac: dwmac1000: Clear unused address entries
  (git-fixed).
- commit b89c3f6

- blacklist.conf: add mediatek ethernet
- commit ed969c9

- net: dsa: mv88e6xxx: avoid error message on remove from VLAN 0
  (git-fixed).
- commit 63f7ed7

- blacklist.conf: update blacklist
- commit ba8fcb7

- net: xilinx: fix possible object reference leak (git-fixed).
- commit 0884dff

- net: macb: Add null check for PCLK and HCLK (git-fixed).
- Refresh
  patches.suse/0006-net-macb-fix-error-format-in-dev_err.patch.
- commit 1fdfc75

- netfilter: nf_tables: reject QUEUE/DROP verdict parameters
  (CVE-2024-1086 bsc#1219434).
- commit 1f42903

- configfs: fix a use-after-free in __configfs_open_file
  (git-fixes).
- commit 839bbef

- chardev: fix error handling in cdev_device_add() (git-fixes).
- commit 76071ad

- fs: don't audit the capability check in simple_xattr_list()
  (git-fixes).
- commit 32c621d

- pstore: Avoid kcore oops by vmap()ing with VM_IOREMAP
  (git-fixes).
- commit 165619a

- pstore/ram: Fix error return code in ramoops_probe()
  (git-fixes).
- commit 6c26e9c

- kernfs: fix use-after-free in __kernfs_remove (git-fixes).
- commit 1e4394d

- kernfs: Separate kernfs_pr_cont_buf and rename_lock (git-fixes).
- commit 302cbf3

- configfs: fix a race in configfs_{,un}register_subsystem()
  (git-fixes).
- commit ff1ac8a

- vfs: make freeze_super abort when sync_filesystem returns error
  (git-fixes).
- commit a0e15ea

- fs: orangefs: fix error return code of
  orangefs_revalidate_lookup() (git-fixes).
- commit 05692b2

- fs: warn about impending deprecation of mandatory locks
  (git-fixes).
- commit d313c61

- configfs: fix memleak in configfs_release_bin_file (git-fixes).
- commit e182771

- 9p: missing chunk of "fs/9p: Don't update file type when
  updating file attributes" (git-fixes).
- commit d7f7957

- kernfs: bring names in comments in line with code (git-fixes).
- commit b2412a4

- configfs: fix config_item refcnt leak in configfs_rmdir()
  (git-fixes).
- commit a4e6173

- help_next should increase position index (git-fixes).
- commit a734d52

- configfs: fix a deadlock in configfs_symlink() (git-fixes).
- commit 31f30f9

- locks: print a warning when mount fails due to lack of "mand"
  support (git-fixes).
- commit 4a54942

- configfs: provide exclusion between IO and removals (git-fixes).
- commit be9e3af

- configfs: new object reprsenting tree fragments (git-fixes).
- commit 727fecd

- configfs: stash the data we need into configfs_buffer at open
  time (git-fixes).
- commit 57d5998

- pstore/ram: Run without kernel crash dump region (git-fixes).
- Refresh patches.suse/pstore-backend-autoaction.
- commit 27a20a7

- fs/file.c: initialize init_files.resize_wait (git-fixes).
- commit 4e99111

- fs: ratelimit __find_get_block_slow() failure message
  (git-fixes).
- commit 066abb3

- iomap: sub-block dio needs to zeroout beyond EOF (git-fixes).
- commit c176969

- fs/fat/fatent.c: add cond_resched() to fat_count_free_clusters()
  (git-fixes).
- commit 97bf06c

- proc: fix /proc/*/map_files lookup (git-fixes).
- commit 66524a9

- pstore: ram_core: fix possible overflow in
  persistent_ram_init_ecc() (git-fixes).
- commit 3b8a874

- pstore/ram: Check start of empty przs during init (git-fixes).
- commit 86b8610

- statfs: enforce statfs[64] structure initialization (git-fixes).
- commit e9ab62b

- aio: fix mremap after fork null-deref (git-fixes).
- commit f633071

- drm/amdgpu: Fix potential fence use-after-free v2 (bsc#1219128
  CVE-2023-51042).
- commit 78c123f

- rpm/mkspec: sort entries in _multibuild
  Otherwise it creates unnecessary diffs when tar-up-ing. It's of course
  due to readdir() using "random" order as served by the underlying
  filesystem.
  See for example:
  https://build.opensuse.org/request/show/1144457/changes
- commit d1155de

- nvmet-tcp: fix a crash in nvmet_req_complete() (git-fixes).
- commit 45b3590

- scsi: qla0xxx: Fix system crash due to bad pointer access
  (git-fixes).
- commit 9c33792

- atm: Fix Use-After-Free in do_vcc_ioctl (CVE-2023-51780
  bsc#1218730).
- commit 42f1cd3

- mm,mremap: bail out earlier in mremap_to under map pressure
  (bsc#1123986).
- commit d63623c

- scripts/PMU: Rework option parsing, support user branches
  This converts optional arguments into more traditional option arguments
  and parses them with popular getopt.
  Drop explicit product specification and use the derived default because
  the 'prod' variable is rather an internal implementation detail.
  Additionally, prepare prompts for a possible (embargoed) submission from
  a user branch.
- commit c3590b1

- xen-netback: don't produce zero-size SKB frags (CVE-2023-46838,
  XSA-448, bsc#1218836).
- commit 6d25bad

- USB: serial: option: fix FM101R-GL defines (git-fixes).
- commit c34221c

- blacklist.conf: Add baa9be4ffb55 sched/fair: Fix throttle_list starvation with low CFS quota
- commit f2444c0

- libceph: use kernel_connect() (bsc#1219446).
- ceph: fix incorrect revoked caps assert in ceph_fill_file_size()
  (bsc#1219445).
- commit 92ba85d

- USB: serial: option: add Fibocom to DELL custom modem FM101R-GL
  (git-fixes).
- commit 9c63fba

- USB: serial: option: add entry for Sierra EM9191 with new
  firmware (git-fixes).
- commit e18b083

- USB: serial: option: add Telit LE910C4-WWX 0x1035 composition
  (git-fixes).
- commit 3c25206

- ext4: fix kernel BUG in 'ext4_write_inline_data_end()'
  (CVE-2021-33631 bsc#1219412).
- commit 019d3a9

- kernel-source: Fix description typo
- commit 8abff35

- blacklist.conf: remove a merge relic
  Remove a merge relic introduced in 44aaf966aab ("Merge remote-tracking
  branch 'origin/SLE12-SP4' into SLE12-SP5-UPDATE").
- commit 78c957f

- blacklist.conf: add a not-relevant jump_label commit
- commit 7bff5db

- tracing/trigger: Fix to return error if failed to alloc snapshot
  (git-fixes).
- commit 57e8982

- blacklist.conf: Blacklist 447ae316670230d7d29430e2cbf1f5db4f49d14c
  It reworks header inclusion to no real benefit for out kernel and
  results in massive kABI breakage. Just blacklist it.
- commit 879fd91

- wifi: brcmfmac: Fix use-after-free bug in brcmf_cfg80211_detach
  (CVE-2023-47233 bsc#1216702).
- commit d2e0155

- net: stmmac: don't overwrite discard_frame status (git-fixes).
- commit af86f48

- net: ethernet: ti: fix possible object reference leak
  (git-fixes).
- commit 8292c78

- blacklist.conf: update blacklist
- commit 3ec6d28

- blacklist.conf: update blacklist
- commit b305f8c

- rpm/constraints.in: set jobs for riscv to 8
  The same workers are used for x86 and riscv and the riscv builds take
  ages. So align the riscv jobs count to x86.
- commit b2c82b9

- net: ks8851: Set initial carrier state to down (git-fixes).
- commit 667be0a

- net: ks8851: Delay requesting IRQ until opened (git-fixes).
- commit 605f94a

- net: ks8851: Reassert reset pin if chip ID check fails
  (git-fixes).
- commit 93e9e83

- net: dsa: qca8k: Enable delay for RGMII_ID mode (git-fixes).
- commit 94c1dc4

- net: dsa: mv88e6xxx: Work around mv886e6161 SERDES missing
  MII_PHYSID2 (git-fixes).
- commit d97991c

- blacklist.conf: update blacklist
- commit 23ba946

- blacklist.conf: Black  unapplicable patch
  This one requires 45b575c00d8e72d69d75dd8c112f044b7b01b069 which is
  blacklisted. So black list this one as well.
- commit 8ad7e95

- x86/unwind/orc: Fix unreliable stack dump with gcov (git-fixes).
- commit db29225

- x86/pm: Add enumeration check before spec MSRs save/restore setup (git-fixes).
- commit 0b71917

- x86/kvm/lapic: always disable MMIO interface in x2APIC mode (git-fixes).
- commit 42aa4b1

- x86/purgatory: Don't generate debug info for purgatory.ro (git-fixes).
- commit ad7d236

- x86/cpu: Add another Alder Lake CPU to the Intel family (git-fixes).
- commit 5e43536

- x86/build: Turn off -fcf-protection for realmode targets (git-fixes).
- commit 06f5589

- x86/build: Treat R_386_PLT32 relocation as R_386_PC32 (git-fixes).
- commit c5cf689

- x86/lib: Fix overflow when counting digits (git-fixes).
- commit 0070bad

- x86/asm: Ensure asm/proto.h can be included stand-alone (git-fixes).
- commit b6c5df9

- x86: __always_inline __{rd,wr}msr() (git-fixes).
- commit 8507f62

- x86: Mark stop_this_cpu() __noreturn (git-fixes).
- commit 47a8413

- x86: Clear .brk area at early boot (git-fixes).
- commit 63c0fc3

- mkspec: Use variant in constraints template
  Constraints are not applied consistently with kernel package variants.
  Add variant to the constraints template as appropriate, and expand it
  in mkspec.
- commit cc68ab9

- rpm/constraints.in: add static multibuild packages
  Commit 841012b049a5 (rpm/mkspec: use kernel-source: prefix for
  constraints on multibuild) added "kernel-source:" prefix to the
  dynamically generated kernels. But there are also static ones like
  kernel-docs. Those fail to build as the constraints are still not
  applied.
  So add the prefix also to the static ones.
  Note kernel-docs-rt is given kernel-source-rt prefix. I am not sure it
  will ever be multibuilt...
- commit c2e0681

- bs-check-kernel-results: Handle multibuild packages correctly
  The package prefix was stripped too early leading to errors while
  getting logfiles in bs-check-kernel-results. Strip it just before
  passing the data to handle-kernel-result.
  Fixes: #61
- commit 4422573

- MyBS.pm: Do not use the 'ports' repository for ALP
  The ALP project has 'ports' repository that does not have useful
  content, skip it when searching for repository to build against.
- commit 761463e

- drm/atomic: Fix potential use-after-free in nonblocking commits
  (bsc#1219120 CVE-2023-51043).
- commit a69e3d8

- Refresh patches.kabi/cpufeatures-kabi-fix.patch.
  Adjust the cpuid check when applying alternatives. Fixes false BUG_ON
  in the presence of extra bugints/capints.
- commit 48af78f

- Revert "Limit kernel-source build to architectures for which the kernel binary"
  This reverts commit 08a9e44c00758b5f3f3b641830ab6affff041132.
  The fix for bsc#1108281 directly causes bsc#1218768, revert.
- commit 2943b8a

- mkspec: Include constraints for both multibuild and plain package always
  There is no need to check for multibuild flag, the constraints can be
  always generated for both cases.
- commit 308ea09

- rpm/mkspec: use kernel-source: prefix for constraints on multibuild
  Otherwise the constraints are not applied with multibuild enabled.
- commit 841012b

- wd-functions.sh: Use pixz for xz compresion when available.
  This makes xz compression highly non-deterministic but deterministic
  results were not provided by xz in the first place.
- commit 1524b56

- rpm/kernel-source.rpmlintrc: add action-ebpf
  Upstream commit a79d8ba734bd (selftests: tc-testing: remove buildebpf
  plugin) added this precompiled binary blob. Adapt rpmlintrc for
  kernel-source.
- commit b5ccb33

- Refresh patches.suse/mce-fix-set_mce_nospec-to-always-unmap-the-whole-page.patch.
- commit 97df026

- usb: xhci: xhci-ring: Use sysdev for mapping bounce buffer
  (git-fixes).
- commit f9ab50f

- blacklist.conf: not a bug fix
- commit 89a46f3

- blacklist.conf: driver not compiled
- commit e4d38bb

- blacklist.conf: false positive
- commit be0a82f

- blacklist.conf: not a bug fix
- commit 3adfd09

- blacklist.conf: false positive
- commit 9076062

- scsi: qedf: fc_rport_priv reference counting fixes
  (bsc#1212152).
  Refresh:
  - patches.suse/scsi-qedf-correctly-handle-refcounting-of-rdata
  - patches.suse/scsi-qedf-print-message-during-bailout-conditions
  - patches.suse/scsi-qedf-print-scsi_cmd-backpointer-in-good-completion-path-if-the-command-is-still-being-used
- commit e171158

- ext4: silence the warning when evicting inode with
  dioread_nolock (bsc#1206889).
- commit 3433e7a

- writeback: Export inode_io_list_del() (bsc#1216989).
  patches/patches.suse/writeback-Protect-inode-i_io_list-with-inode-i_lock.patch:
  Refresh
- commit c969261

- ext4: improve error recovery code paths in __ext4_remount()
  (bsc#1213017 bsc#1219053 CVE-2024-0775).
- commit 3bb0d48

- Update
  patches.suse/ext4-improve-error-recovery-code-paths-in-__ext4_rem.patch
  (bsc#1213017 bsc#1219053 CVE-2024-0775).
- commit a5b396b

- scripts/tar-up.sh: don't add spurious entry from kernel-sources.changes.old
  The previous change added the manual entry from kernel-sources.change.old
  to old_changelog.txt unnecessarily.  Let's fix it.
- commit fb033e8

- Refresh
  patches.suse/ipmi-Cleanup-oops-on-initialization-failure.patch.
  Alt-commit added
- commit 5093b56

- x86: Pin task-stack in __get_wchan() (git-fixes).
- commit 96f1d7b

- rpm/kernel-docs.spec.in: fix build with 6.8
  Since upstream commit f061c9f7d058 (Documentation: Document each netlink
  family), the build needs python yaml.
- commit 6a7ece3

- x86: Fix __get_wchan() for !STACKTRACE (git-fixes).
- commit 23a1a0e

- asix: Add check for usbnet_get_endpoints (git-fixes).
- commit d1fcea8

- x86/mce: relocate set{clear}_mce_nospec() functions (git-fixes).
- commit d9f49bd

- x86/CPU/AMD: Check vendor in the AMD microcode callback (git-fixes).
- commit 79b1f36

- mce: fix set_mce_nospec to always unmap the whole page (git-fixes).
- commit 2dcf8c9

- x86/alternatives: Sync core before enabling interrupts (git-fixes).
- commit d500914

- x86/cpu/hygon: Fix the CPU topology evaluation for real (git-fixes).
- commit 01e7093

- x86/kvm: Do not try to disable kvmclock if it was not enabled (git-fixes).
- commit 293b127

- x86: Fix get_wchan() to support the ORC unwinder (git-fixes).
- commit 1693c4c

- x86/pat: Pass valid address to sanitize_phys() (git-fixes).
- commit 9776480

- x86/pat: Fix x86_has_pat_wp() (git-fixes).
- blacklist.conf:
- commit 0a8ce61

- x86/mm: Add a x86_has_pat_wp() helper (git-fixes).
- commit 794f377

- veth: Fixing transmit return status for dropped packets
  (git-fixes).
- commit c39655b

- preserve KABI for struct sfp_socket_ops (git-fixes).
- commit 58a9bc4

- blacklist.conf:
- Delete
  patches.suse/NFSD-Fix-possible-sleep-during-nfsd4_release_lockown.patch.
  This patch is harmful on all kernels, and irrelevant on kernels before
  v5.4
  bsc#1218968
- commit 5365a0a

- KVM: s390: vsie: Fix STFLE interpretive execution identification
  (git-fixes bsc#1219022).
- commit 16098a4

- net: phylink: avoid resolving link state too early (git-fixes).
- commit 67b00b5

- gtp: change NET_UDP_TUNNEL dependency to select (git-fixes).
- commit dd6be0d

- mlxsw: spectrum: Avoid -Wformat-truncation warnings (git-fixes).
- commit bd062d1

- mlxsw: spectrum: Set LAG port collector only when active (git-fixes).
- commit 42cb04e

- net: mv643xx_eth: disable clk on error path in mv643xx_eth_shared_probe() (git-fixes).
- commit 5db0cbe

- net: systemport: Fix reception of BPDUs (git-fixes).
- commit 54f0189

- sfc: initialise found bitmap in efx_ef10_mtd_probe (git-fixes).
- commit 36c912f

- net: sfp: do not probe SFP module before we're attached (git-fixes).
- commit b335b5c

- net: phy: sfp: warn the user when no tx_disable pin is available (git-fixes).
- commit 921c51c

- blacklist.conf: update blacklist
- commit 0fefc1a

- net: stmmac: Disable EEE mode earlier in XMIT callback
  (git-fixes).
- commit 42ea2f4

- blacklist.conf: update blacklist
- commit 16074da

- preserve KABI for struct plat_stmmacenet_data (git-fixes).
- commit be0b5cc

- net: stmmac: Fallback to Platform Data clock in Watchdog
  conversion (git-fixes).
- commit c0e8ae4

- net: stmmac: dwmac-rk: fix error handling in rk_gmac_powerup()
  (git-fixes).
- commit 1f97aba

- blacklist.conf: update blacklist
- commit 160c442

- net: dsa: bcm_sf2: Propagate error value from mdio_write
  (git-fixes).
- commit 042ff8c

- net: (cpts) fix a missing check of clk_prepare (git-fixes).
- commit a0511a4

- blacklist.conf: update blacklist
- commit 778d638

- mlxsw: spectrum: Properly cleanup LAG uppers when removing
  port from LAG (git-fixes).
- commit 65b3a7e

- blacklist.conf: update blacklist
- commit 72f91b3

- nfsd: drop st_mutex and rp_mutex before calling
  move_to_close_lru() (bsc#1217525).
- commit d08e536

- blacklist.conf: add wont-backport commit
- commit 65861c5

- libnvdimm/of_pmem: Use devm_kstrdup instead of kstrdup and
  check its return value (git-fixes).
- nvdimm: Fix badblocks clear off-by-one error (git-fixes).
- nvdimm: Allow overwrite in the presence of disabled dimms
  (git-fixes).
- nvdimm/btt: do not call del_gendisk() if not needed (git-fixes).
- libnvdimm/region: Fix label activation vs errors (git-fixes).
- commit dc5bee2

- libnvdimm: cover up changes in struct nvdimm_bus_descriptor
  (git-fixes).
- libnvdimm: Validate command family indices (git-fixes).
- commit 27f581b

- libnvdimm: Out of bounds read in __nd_ioctl() (git-fixes).
- acpi/nfit: improve bounds checking for 'func' (git-fixes).
- libnvdimm/btt: fix variable 'rc' set but not used (git-fixes).
- libnvdimm/pmem: Delete include of nd-core.h (git-fixes).
- =?UTF-8?q?libnvdimm:=20Fix=20endian=20conversion=20issues?=
  =?UTF-8?q?=C2=A0?= (git-fixes).
- libnvdimm: Fix compilation warnings with W=1 (git-fixes).
- libnvdimm/pmem: fix a possible OOB access when read and write
  pmem (git-fixes).
- libnvdimm/btt: Fix a kmemdup failure check (git-fixes).
- libnvdimm/namespace: Fix a potential NULL pointer dereference
  (git-fixes).
- libnvdimm/btt: Fix LBA masking during 'free list' population
  (git-fixes).
- libnvdimm/btt: Remove unnecessary code in btt_freelist_init
  (git-fixes).
- acpi/nfit: Require opt-in for read-only label configurations
  (git-fixes).
- UAPI: ndctl: Fix g++-unsupported initialisation in headers
  (git-fixes).
- commit e6b26fa

- blacklist.conf: false positive
- commit de6f57b

- blacklist.conf: blacklist Huawei HiNIC
- commit d68e629

- s390/dasd: fix double module refcount decrement (bsc#1141539).
- commit 1d573b9

- scripts: Add commit-msg check for patch references
  References in the commit message are important when generating the RPM
  changelog.
  Although scripts/log takes into account References: header, a reference
  may possibly be missed out when the script is skipped or the message
  misedited.
  Add a new hook that validates that the commit message contains all newly
  added references.
- commit 500dd98

- scripts/install-git-hooks: Simplify relative path detection
- commit 0415010

- scripts/git_sort/git_sort.py:  Add 'perf-tools' branch
- commit 7ef21eb

- netfilter: nf_tables: Reject tables of unsupported family
  (CVE-2023-6040 bsc#1218752).
- commit 9e6d9d4

- net/rose: Fix Use-After-Free in rose_ioctl (CVE-2023-51782
  bsc#1218757).
- commit 5e6770d

- powerpc/pseries/memhotplug: Quieten some DLPAR operations
  (bsc#1065729).
- commit 4d451a9

- powerpc/powernv: Add a null pointer check in
  opal_powercap_init() (bsc#1181674 ltc#189159 git-fixes).
- powerpc/powernv: Add a null pointer check in opal_event_init()
  (bsc#1065729).
- powerpc/pseries/memhp: Fix access beyond end of drmem array
  (bsc#1065729).
- powerpc: Don't clobber f0/vs0 during fp|altivec register save
  (bsc#1065729).
- commit d5de04b

- Store the old kernel changelog entries in kernel-docs package (bsc#1218713)
  The old entries are found in kernel-docs/old_changelog.txt in docdir.
  rpm/old_changelog.txt can be an optional file that stores the similar
  info like rpm/kernel-sources.changes.old.  It can specify the commit
  range that have been truncated.  scripts/tar-up.sh expands from the
  git log accordingly.
- commit c9a2566

- fs: ocfs2: namei: check return value of ocfs2_add_entry()
  (git-fixes).
- commit 37053b5

- orangefs: Fix kmemleak in orangefs_prepare_debugfs_help_string()
  (git-fixes).
- commit 22c7474

- orangefs: Fix sysfs not cleanup when dev init failed
  (git-fixes).
- commit 3dc6f72

- fat: add ratelimit to fat*_ent_bread() (git-fixes).
- commit 2e4dd8d

- orangefs: fix orangefs df output (git-fixes).
- commit 14af1e9

- fs/fat/file.c: issue flush after the writeback of FAT
  (git-fixes).
- commit 4b5cf8c

- fs/exofs: fix potential memory leak in mount option parsing
  (git-fixes).
- commit c3e2f19

- orangefs: rate limit the client not running info message
  (git-fixes).
- commit 9ffd7ce

- gfs2: ignore negated quota changes (git-fixes).
- commit 65c2047

- gfs2: Fix possible data races in gfs2_show_options()
  (git-fixes).
- commit 57d66df

- gfs2: Fix inode height consistency check (git-fixes).
- commit d7ee5ae

- gfs2: Check sb_bsize_shift after reading superblock (git-fixes).
- commit 381ce29

- gfs2: Make sure FITRIM minlen is rounded up to fs block size
  (git-fixes).
- commit 59f59dc

- gfs2: assign rgrp glock before compute_bitstructs (git-fixes).
- commit 8e79a5c

- gfs2: Don't call dlm after protocol is unmounted (git-fixes).
- commit 0e0a651

- gfs2: Fix use-after-free in gfs2_glock_shrink_scan (git-fixes).
- commit 4dff329

- gfs2: report "already frozen/thawed" errors (git-fixes).
- commit e5108bb

- gfs2: Don't skip dlm unlock if glock has an lvb (git-fixes).
- commit 38230f9

- gfs2: check for empty rgrp tree in gfs2_ri_update (git-fixes).
- commit 3484422

- gfs2: Wake up when sd_glock_disposal becomes zero (git-fixes).
- commit 6e96bc8

- gfs2: check for live vs. read-only file system in gfs2_fitrim
  (git-fixes).
- commit dece8b9

- gfs2: Free rd_bits later in gfs2_clear_rgrpd to fix
  use-after-free (git-fixes).
- commit 5f11647

- gfs2: add validation checks for size of superblock (git-fixes).
- commit 4bfdec0

- gfs2: fix use-after-free on transaction ail lists (git-fixes).
- commit 3c0934a

- gfs2: initialize transaction tr_ailX_lists earlier (git-fixes).
- commit a3dcb8b

- gfs2: Allow lock_nolock mount to specify jid=X (git-fixes).
- commit c3d10eb

- gfs2_atomic_open(): fix O_EXCL|O_CREAT handling on cold dcache
  (git-fixes).
- commit 50b2782

- gfs2: clear buf_in_tr when ending a transaction in
  sweep_bh_for_rgrps (git-fixes).
- commit 0638ce6

- gfs2: Fix sign extension bug in gfs2_update_stats (git-fixes).
- commit 6905d0e

- gfs2: Fix lru_count going negative (git-fixes).
- commit 22c6d6f

- gfs2: take jdata unstuff into account in do_grow (git-fixes).
- commit f6cafad

- gfs2: Fix marking bitmaps non-full (git-fixes).
- commit 27f21b4

- GFS2: Flush the GFS2 delete workqueue before stopping the
  kernel threads (git-fixes).
- commit c0d61c2

- gfs2: Don't set GFS2_RDF_UPTODATE when the lvb is updated
  (git-fixes).
- commit ca05c1f

- gfs2: Special-case rindex for gfs2_grow (git-fixes).
- commit 77ffe3d

- reiserfs: Replace 1-element array with C99 style flex-array
  (git-fixes).
- commit ed361ae

- reiserfs: Check the return value from __getblk() (git-fixes).
- commit c984c17

- affs: fix basic permission bits to actually work (git-fixes).
- commit 6abe668
nghttp2
- security update
- added patches
  fix CVE-2024-28182 [bsc#1221399], HTTP/2 CONTINUATION frames can be utilized for DoS attacks
  + nghttp2-CVE-2024-28182-1.patch
  fix CVE-2024-28182-2 [bsc#1221399], HTTP/2 CONTINUATION frames can be utilized for DoS attacks
  + nghttp2-CVE-2024-28182-2.patch
python-idna
- Add CVE-2024-3651.patch, backported from upstream commit
  gh#kjd/idna#172/commits/5beb28b9dd77912c0dd656d8b0fdba3eb80222e7
  (bsc#1222842, CVE-2024-3651)
cpio
- Fix cpio not working after the fix in bsc#1218571, fixes bsc#1219238
  * fix-bsc1219238.patch

- Fix CVE-2023-7207, path traversal vulnerability (bsc#1218571)
  * fix-CVE-2023-7207.patch
timezone
- update to 2024a:
  * Kazakhstan unifies on UTC+5.  This affects Asia/Almaty and
    Asia/Qostanay which together represent the eastern portion of the
    country that will transition from UTC+6 on 2024-03-01 at 00:00 to
    join the western portion.  (Thanks to Zhanbolat Raimbekov.)
  * Palestine springs forward a week later than previously predicted
    in 2024 and 2025.  (Thanks to Heba Hamad.)  Change spring-forward
    predictions to the second Saturday after Ramadan, not the first;
    this also affects other predictions starting in 2039.
  * Asia/Ho_Chi_Minh's 1955-07-01 transition occurred at 01:00
    not 00:00.  (Thanks to Đoàn Trần Công Danh.)
  * From 1947 through 1949, Toronto's transitions occurred at 02:00
    not 00:00.  (Thanks to Chris Walton.)
  * In 1911 Miquelon adopted standard time on June 15, not May 15.
  * The FROM and TO columns of Rule lines can no longer be "minimum"
    or an abbreviation of "minimum", because TZif files do not support
    DST rules that extend into the indefinite past - although these
    rules were supported when TZif files had only 32-bit data, this
    stopped working when 64-bit TZif files were introduced in 1995.
    This should not be a problem for realistic data, since DST was
    first used in the 20th century.  As a transition aid, FROM columns
    like "minimum" are now diagnosed and then treated as if they were
    the year 1900; this should suffice for TZif files on old systems
    with only 32-bit time_t, and it is more compatible with bugs in
    2023c-and-earlier localtime.c.  (Problem reported by Yoshito
    Umaoka.)
  * localtime and related functions no longer mishandle some
    timestamps that occur about 400 years after a switch to a time
    zone with a DST schedule.  In 2023d data this problem was visible
    for some timestamps in November 2422, November 2822, etc. in
    America/Ciudad_Juarez.  (Problem reported by Gilmore Davidson.)
  * strftime %s now uses tm_gmtoff if available.  (Problem and draft
    patch reported by Dag-Erling Smørgrav.)
  * The strftime man page documents which struct tm members affect
    which conversion specs, and that tzset is called.  (Problems
    reported by Robert Elz and Steve Summit.)

- update to 2023d:
  * Ittoqqortoormiit, Greenland changes time zones on
    2024-03-31.
  * Vostok, Antarctica changed time zones on 2023-12-18.
  * Casey, Antarctica changed time zones five times since
    2020.
  * Code and data fixes for Palestine timestamps starting in
    2072.
  * A new data file zonenow.tab for timestamps starting now.
  * Fix predictions for DST transitions in Palestine in
    2072-2075, correcting a typo introduced in 2023a.
  * Vostok, Antarctica changed to +05 on 2023-12-18.  It had
    been at +07 (not +06) for years.
  * Change data for Casey, Antarctica to agree with
    timeanddate.com, by adding five time zone changes since 2020.
    Casey is now at +08 instead of +11.
  * Much of Greenland, represented by America/Nuuk, changed
    its standard time from -03 to -02 on 2023-03-25, not on
    2023-10-28.
  * localtime.c no longer mishandles TZif files that contain
    a single transition into a DST regime.  Previously,
    it incorrectly assumed DST was in effect before the transition
    too.
  * tzselect no longer creates temporary files.
  * tzselect no longer mishandles the following:
  * Spaces and most other special characters in BUGEMAIL,
    PACKAGE, TZDIR, and VERSION.
  * TZ strings when using mawk 1.4.3, which mishandles
    regular expressions of the form /X{2,}/.
  * ISO 6709 coordinates when using an awk that lacks the
    GNU extension of newlines in -v option-arguments.
  * Non UTF-8 locales when using an iconv command that
    lacks the GNU //TRANSLIT extension.
  * zic no longer mishandles data for Palestine after the
    year 2075.
- Refresh tzdata-china.diff
google-guest-oslogin
- Add explicit versioned dependency on google-guest-agent (bsc#1219642)

- Update to version 20231101.00 (bsc#1216548, bsc#1216750)
  * Fix HTTP calls retry logic (#117)

- Update to version 20231004
  * packaging: Make the dependency explicit (#120)

- update to 20230926.00:
  * fix suse build
  * selinux: fix selinux build (#114)
  * test: align CXX Flags
  * sshca: Make the implementation more C++ like
  * sshca: Add a SysLog wrapper
  * oslogin_utils: introduce AuthorizeUser() API
  * sshca: move it out of pam dir
  * pam: start disabling the use of oslogin_sshca
  * sshca: consider sshca API to assume a cert only
  * authorized principals: introduce the new command
  * authorize keys: update to use new APIs
  * pam modules: remove pam_*_admin and update pam_*_login
  * cache_refresh: should be catching by reference.

- Update to version 20230823.00
  * selinux: Add sshd_key_t type enforcement to trusted user ca (#113)
- from version 20230822.00
  * sshca: Add tests with fingerprint and multiple extensions (#111)
- from version 20230821.01
  * sshca: Support method token and handle multi line (#109)
- from version 20230821.00
  * Update owners (#110)

- Update to version 20230808.00
  * byoid: extract and apply the ca fingerprint to policy call (#106)

- Update to version 20230502.00
  * Improve the URL in 2fa prompt (#104)
- from version 20230406.02
  * Check open files (#101)
- from version 20230406.01
  * Initialize variables (#100)
  * Fix formatting (#102)
- from version 20230406.00
  * PAM cleanup: remove duplicates (#97)
- from version 20230405.00
  * NSS cleanup (#98)
- from version 20230403.01
  * Cleanup Makefiles (#95)
- from version 20230403.00
  * Add anandadalton to the owners list (#96)

- Update to version 20230217.00
  * Update OWNERS (#91)
- from version 20230202.00
  * Update owners file (#89)

- Update to version 20220721.00 (bsc#1202100, bsc#1202101)
  * prune outdated info from readme (#86)
- from version 20220714.00
  * strip json-c version symbol (#84)
- from version 20220622.00
  * pam login: split conditions for logging (#83)

- use pam_moduledir (boo#1191036)
  * Support UsrMerge project

- Update to version 20220411.00
  * pam login: split conditions for logging (#83)
avahi
- Add avahi-CVE-2023-38471.patch: Extract host name using
  avahi_unescape_label (bsc#1216594, CVE-2023-38471).
- Add avahi-CVE-2023-38469.patch: Reject overly long TXT resource
  records (bsc#1216598, CVE-2023-38469).
python-base
- Add CVE-2023-27043-email-parsing-errors.patch to
  gh#python/cpython!111116, fixing bsc#1210638 (CVE-2023-27043).
libssh
- Update to 0.9.8: [jsc#PED-7719, bsc#1218126, CVE-2023-48795]
  * Rebase 0001-disable-timeout-test-on-slow-buildsystems.patch
  * Remove patches fixed in the update:
  - CVE-2019-14889.patch
  - 0001-CVE-2020-1730-Fix-a-possible-segfault-when-zeroing-A.patch

- Update to version 0.9.8
  * Fix CVE-2023-6004: Command injection using proxycommand (bsc#1218209)
  * Fix CVE-2023-48795: Potential downgrade attack using strict kex (bsc#1218126)
  * Fix CVE-2023-6918: Missing checks for return values of MD functions (bsc#1218186)
  * Allow @ in usernames when parsing from URI composes
- Update to version 0.9.7
  * Fix CVE-2023-1667: a NULL dereference during rekeying with algorithm
    guessing (bsc#1211188)
  * Fix CVE-2023-2283: a possible authorization bypass in
    pki_verify_data_signature under low-memory conditions (bsc#1211190)
  * Fix several memory leaks in GSSAPI handling code

- Update to version 0.9.6 (bsc#1189608, CVE-2021-3634)
  * https://git.libssh.org/projects/libssh.git/tag/?h=libssh-0.9.6

- Add missing BR for openssh needed for tests

- update to 0.9.5 (bsc#1174713, CVE-2020-16135):
  * CVE-2020-16135: Avoid null pointer dereference in sftpserver (T232)
  * Improve handling of library initialization (T222)
  * Fix parsing of subsecond times in SFTP (T219)
  * Make the documentation reproducible
  * Remove deprecated API usage in OpenSSL
  * Fix regression of ssh_channel_poll_timeout() returning SSH_AGAIN
  * Define version in one place (T226)
  * Prevent invalid free when using different C runtimes than OpenSSL (T229)
  * Compatibility improvements to testsuite

- Update to version 0.9.4
  * https://www.libssh.org/2020/04/09/libssh-0-9-4-and-libssh-0-8-9-security-release/
  * Fix possible Denial of Service attack when using AES-CTR-ciphers
    CVE-2020-1730 (bsc#1168699)
mozilla-nss
- update to NSS 3.90.2
  * bmo#1780432 - (CVE-2023-5388) Timing attack against RSA
    decryption in TLS. (bsc#1216198)
  * bmo#1867408 - add a defensive check for large ssl_DefSend
    return values.
cloud-regionsrv-client
- Update to version 10.1.7 (bsc#1220164, bsc#1220165)
  + Fix the failover path to a new target update server. At present a new
    server is not found since credential validation fails. We targeted
    the server detected in down condition to verify the credentials instead
    of the replacement server.

- Update EC2 plugin to 1.0.4 (bsc#1219156, bsc#1219159)
  + Fix the algorithm to determine the region from the availability zone
    information retrieved from IMDS.
- Update to version 10.1.6
  + Support specifying an IPv6 address for a manually configured target
    update server.
python3-base
- Add CVE-2023-40217-avoid-ssl-pre-close.patch fixing
  gh#python/cpython#108310, backport from upstream patch
  gh#python/cpython#108315
  (bsc#1214692, CVE-2023-40217)

- (bsc#1219666, CVE-2023-6597) Add
  CVE-2023-6597-TempDir-cleaning-symlink.patch (patch from
  gh#python/cpython!99930) fixing symlink bug in cleanup of
  tempfile.TemporaryDirectory.
- Repurpose skip-failing-tests.patch to increase timeout for
  test.test_asyncio.test_tasks.TimeoutTests.test_timeout_time,
  which fails on slow machines in IBS (s390x).

- Refresh CVE-2023-27043-email-parsing-errors.patch from
  gh#python/cpython!111116, fixing bsc#1210638 (CVE-2023-27043).
systemd
- Import commit 15ca9f01c18a8037bf26b1a85fee344c65944268
  eedf77456d util: improve comments why we ignore EACCES and EPERM
  2018a0d492 util: bind_remount_recursive_with_mountinfo(): ignore submounts which cannot be accessed
  4c98cb57e2 namespace: don't fail on masked mounts (#3794) (bsc#1220285)
  7dd5e84ab6 man: Document ranges for distributions config files and local config files
  7282534592 Recommend drop-ins over modifications to the main config file
  29e632c34a man: reword the description of "main conf file"
  e903f529e8 man: rework section about configuration file precedence
  4438e1be12 man: document paths under /usr/local in standard-conf.xml
less
- Fix CVE-2022-48624, LESSCLOSE handling in less does not quote shell
  metacharacters, bsc#1219901
  * CVE-2022-48624.patch
lifecycle-data-sle-module-toolchain
- Added expiration data for GCC 12 yearly update for the Toolchain/Development modules.
  (bsc#1221352)
libxml2
- Security fix (CVE-2024-25062, bsc#1219576) use-after-free in XMLReader
  * Added libxml2-CVE-2024-25062.patch
graphviz
- Add patch graphviz-2.28.0-reproducibledate.patch
  * Reproducibility of the builds (bsc#1212157)
_product:sle-live-patching-release
n/a
wicked
- client: do not convert sec to msec twice (bsc#1222105)
  [+ 0005-client-do-to-not-convert-sec-to-msec-twice-bsc-1222105.patch]

- addrconf: fix fallback-lease drop (bsc#1220996)
  [+ 0001-addrconf-fix-fallback-lease-drop-bsc-1220996.patch]
- extensions/nbft: use upstream `nvme nbft show` (bsc#1221358)
  [+ 0002-extensions-nbft-replace-nvme-show-nbft-with-nvme-nbf.patch]
- hide secrets in debug log (bsc#1221194)
  [+ 0003-move-all-attribute-definitions-to-compiler-h.patch]
  [+ 0004-hide-secrets-in-debug-log-bsc-1221194.patch]

- update to version 0.6.74
  + team: add new options like link_watch_policy (jsc#PED-7183)
  + Fix memory leaks in dbus variant destroy and fsm free (gh#openSUSE/wicked#1001)
  + xpath: allow underscore in node identifier (gh#openSUSE/wicked#999)
  + vxlan: don't format unknown rtnl attrs (bsc#1219751)
- removed patches included in the source archive:
  [- 0009-ifreload-VLAN-changes-require-device-deletion-bsc-12.patch]
  [- 0008-ifcheck-fix-config-changed-check-bsc-1218926.patch]
  [- 0007-Fix-ifstatus-exit-code-for-NI_WICKED_ST_NO_CARRIER-s.patch]
  [- 0006-dhcp6-omit-the-SO_REUSEPORT-option-bsc-1215692.patch]
  [- 0005-duid-fix-comment-for-v6time.patch]
  [- 0004-rtnl-parse-peer-address-on-non-ptp-interfaces.patch]
  [- 0003-rtnl-pass-ifname-in-newaddr-parsing-and-logging.patch]
  [- 0002-system-updater-Parse-updater-format-from-XML-configu.patch]
  [- 0001-fix_arp_notify_loop_and_burst_sending.patch]

- ifreload: VLAN changes require device deletion (bsc#1218927)
  [+ 0009-ifreload-VLAN-changes-require-device-deletion-bsc-12.patch]
- ifcheck: fix config changed check (bsc#1218926)
  [+ 0008-ifcheck-fix-config-changed-check-bsc-1218926.patch]
- client: fix exit code for no-carrier status (bsc#1219265)
  [+ 0007-Fix-ifstatus-exit-code-for-NI_WICKED_ST_NO_CARRIER-s.patch]
- dhcp6: omit the SO_REUSEPORT option (bsc#1215692)
  [+ 0006-dhcp6-omit-the-SO_REUSEPORT-option-bsc-1215692.patch]
- duid: fix comment for v6time
  (https://github.com/openSUSE/wicked/pull/989)
  [+ 0005-duid-fix-comment-for-v6time.patch]
- rtnl: fix peer address parsing for non ptp-interfaces
  (https://github.com/openSUSE/wicked/pull/987,
  https://github.com/openSUSE/wicked/pull/988)
  [+ 0003-rtnl-pass-ifname-in-newaddr-parsing-and-logging.patch]
  [+ 0004-rtnl-parse-peer-address-on-non-ptp-interfaces.patch]
- system-updater: Parse updater format from XML configuration to
  ensure install calls can run.
  (https://github.com/openSUSE/wicked/pull/985)
  [+ 0002-system-updater-Parse-updater-format-from-XML-configu.patch]
python-instance-billing-flavor-check
- Version 0.0.6 (bsc#1218561)
  Support proxy setup on the client to access the update infrastructure
  API

- Version 0.0.5
  Add IPv6 support (bsc#1218739)
google-guest-agent
- Add explicit versioned dependency on google-guest-oslogin (bsc#1219642)

- Update to version 20231031.01 (bsc#1216547, bsc#1216751)
  * Add prefix to scheduler logs (#325)
- from version 20231030.00
  * Test configuration files are loaded in the documented
    order. Fix initial integration test. (#324)
  * Enable mTLS by default (#323)
- from version 20231026.00
  * Rotate MDS root certificate (#322)
- from version 20231020.00
  * Update response struct, add tests (#315)
  * Don't try to schedule mTLS job twice (#317)
- from version 20231019.00
  * snapshot: Add context cancellation handling (#318)

- Bump the golang compiler version to 1.21 (bsc#1216546)

- Update to version 20231016.00
  * instance setup: trust/rely on metadata package's retry (#316)
- from version 20231013.01
  * Update known cert dirs for updaters (#314)
- from version 20231011.00
  * Verify cert refresher is enabled before running (#312)
- from version 20231009.00
  * Add support for the SSH key options (#296)
- from version 20231006.01
  * Events interface improvement (#290)
- from version 20231006.00
  * Refactor script runner to use common metadata package (#311)
  * Schedule MTLS job before notifying systemd (#310)
  * Refactor authorized keys to use metadata package (#300)
- from version 20231005.00
  * docs update: add configuration and event manager's docs. (#309)
- from version 20231004.01
  * Fix license header (#301)
  * packaging(deb): add epoch to oslogin dep declaration (#308)
- from version 20231004.00
  * packaging(deb): ignore suffix of version (#306)
  * packaging: force epoch and ignore suffix of version (#305)
- from version 20231003.01
  * oslogin: declare explicitly dependency (#304)
  * oslogin: remove Unstable.pamless_auth_stack feature flag (#303)
- from version 20231003.00
  * oslogin: resort ssh configuration keys (#299)
- from version 20230925.00
  * oslogin: introduce a feature flag to cert auth (#298)
- from version 20230923.00
  * gitignore: unify ignore in the root dir (#297)
- from version 20230921.01
  * managers: we accidentally disabled addressMgr, bring it back (#295)
  * cfg: fix typos (#294)
  * cfg: config typos (#293)
  * cfg: introduce a configuration management package (#288)
- from version 20230921.00
  * mtls: bring it back (#292)
- from version 20230920.01
  * Fix permissions on file created by SaferWriteFile() (#291)
- from version 20230920.00
  * sshca: re-enable the event watcher & handler (#289)
- from version 20230919.01
  * oslogin: add PAMless Authorization Stack configuration (#285)
- from version 20230919.00
  * Preparing it for review (#287)
  * sshca: make sure to restore SELinux context of the pipe (#286)
  * remove deprecated usage, fix warnings (#282)
  * Update system store (#278)
  * Update workload certificate endpoints, use metadata package (#275)
  * metadata: use url package to form metadata URLs (#284)
- from version 20230913.00
  * release prep: disable ssh trusted ca module (#281)
- from version 20230912.00
  * New Guest Agent Release (#280)
- from version 20230909.00
  * Revert "service: remove the use of the service library (#273)" (#276)
  * service: remove the use of the service library (#273)
- from version 20230906.01
  * Store keys to machine keyset (#272)
- from version 20230905.00
  * restorecon: first try to determine if it's installed (#271)
  * run: change all commands to use CommandContext (#268)
  * Notify systemd after scheduling required jobs (#270)
  * Store certs in ProgramData instead of Program Files (#269)
  * metadata watcher: remove local retry & implement unit tests (#267)
  * run: split command running utilities into its own package (#265)

- Update to version 20230828.00
  * snapshot: Use main context rather than create its own (#266)
- from version 20230825.01
  * Verify if cert was successfully added to certpool (#264)
- from version 20230825.00
  * Find previous cert for cleanup using one stored on disk (#263)
- from version 20230823.00
  * Revert "sshtrustedca: configure selinux context
    for sshtrustedca pipe (#256)" (#262)
  * Update credentials directory on Linux (#260)
- from version 20230821.00
  * Update owners (#261)
- from version 20230819.00
  * Revert "guest-agent: prepare for public release (#258)" (#259)
- from version 20230817.00
  * guest-agent: prepare for public release (#258)
- from version 20230816.01
  * Enable telemetry collection by default (#253)
- from version 20230816.00
  * Add pkcs12 license and update retry logic (#257)
  * sshtrustedca: Configure selinux context for sshtrustedca pipe (#256)
  * Store windows certs in certstore (#255)
  * events: Multiplex event watchers (#250)
  * Scheduler fixes (#254)
  * Update license files (#251)
  * Run telemetry every 24 hours, record pretty name on linux (#248)

- Update to version 20230811.00
  * sshca: move the event handler to its own package (#247)
- from version 20230809.02
  * Move scheduler package to google_guest_agent (#249)
- from version 20230809.01
  * Add scheduler utility to run jobs at interval (#244)
- from version 20230809.00
  * sshca: transform the format from json to openssh (#246)
- from version 20230803.00
  * Add support for reading UEFI variables on windows (#243)
- from version 20230801.03
  * sshtrustedca watcher: fix concurrency error (#242)
- from version 20230801.02
  * metadata: add a delta between http client timeout and hang (#241)
- from version 20230801.00
  * metadata: properly set request config (#240)
  * main: bring back the mds client initialization (#239)
  * metadata: don't try to use metadata before agentInit() is done (#238)
  * Add (disabled) telemetry logic to GuestAgent (#219)
  * metadata event handler: updates and bug fixes (#235)
  * Verify client credentials are signed by root CA before writing on disk (#236)
  * metadata: properly handle context cancelation (#234)
  * metadata: fix context cancelation error check (#233)
  * metadata: remove the sleep around metadata in instance setup (#232)
  * metadata: implement backoff strategy (#231)
  * Decrypt and store client credentials on disk (#230)
  * Upgrade Go version 1.20 (#228)
  * Fetch guest credentials and add MDS response proto (#226)
  * metadata: pass main context to WriteGuestAttributes() (#227)
  * Support for reading & writing Root CA cert from UEFI variable (#225)
  * ssh_trusted_ca: enable the feature (#224)
  * sshTrustedCA: add pipe event handler (#222)
  * events: start using events layer (#223)
- from version 20230726.00
  * events: introducing a events handling subsystem (#221)
- from version 20230725.00
  * metadata: add metadata client interface (#220)
- from version 20230711.00
  * metadata: moving to its own package (#218)
- from version 20230707.00
  * snapshot: fix request handling error (#217)
- Bump Go API version to 1.20
vim
- Updated to version 9.1 with patch level 0111, fixes the following security problems
  * Fixing bsc#1217316 (CVE-2023-48231) - VUL-0: CVE-2023-48231: vim: Use-After-Free in win_close()
  * Fixing bsc#1217320 (CVE-2023-48232) - VUL-0: CVE-2023-48232: vim: Floating point Exception in adjust_plines_for_skipcol()
  * Fixing bsc#1217321 (CVE-2023-48233) - VUL-0: CVE-2023-48233: vim: overflow with count for :s command
  * Fixing bsc#1217324 (CVE-2023-48234) - VUL-0: CVE-2023-48234: vim: overflow in nv_z_get_count
  * Fixing bsc#1217326 (CVE-2023-48235) - VUL-0: CVE-2023-48235: vim: overflow in ex address parsing
  * Fixing bsc#1217329 (CVE-2023-48236) - VUL-0: CVE-2023-48236: vim: overflow in get_number
  * Fixing bsc#1217330 (CVE-2023-48237) - VUL-0: CVE-2023-48237: vim: overflow in shift_line
  * Fixing bsc#1217432 (CVE-2023-48706) - VUL-0: CVE-2023-48706: vim: heap-use-after-free in ex_substitute
  * Fixing bsc#1219581 (CVE-2024-22667) - VUL-0: CVE-2024-22667: vim: stack-based buffer overflow in did_set_langmap function in map.c
  * Fixing bsc#1215005 (CVE-2023-4750) - VUL-0: CVE-2023-4750: vim: Heap use-after-free in function bt_quickfix
- Revert the patch which caused GTK incompatibility problem
  * Add: vim-9.1-revert-v9.1.86.patch
  * This reverts commit 725c7c31a4c7603e688511d769b0addaab442d07
- for the complete list of changes see
  https://github.com/vim/vim/compare/v9.0.2103...v9.1.0111
_product:sle-sdk-release
n/a
grub2
- Make consistent check to enable relative path on btrfs (bsc#1174567) (bsc#1216912)
  * 0001-Unify-the-check-to-enable-btrfs-relative-path.patch
suseconnect-ng
- Allow "--rollback" flag to run on readonly filesystem (bsc#1220679)

- Update to version 1.7.0
  * Allow SUSEConnect on read write transactional systems (bsc#1219425)
ncurses
- Add patch ncurses-5.9-bsc1220061.patch (bsc#1220061, CVE-2023-45918)
  * Backport from ncurses-6.4-20230615.patch
    improve checks in convert_string() for corrupt terminfo entry
libssh2_org
- Fix an issue with Encrypt-then-MAC family. [bsc#1221622]
  * Test the ETM feature in the remote end's configuration when
    receiving data. Upstream issue: #1331.
  * Add libssh2_org-ETM-remote.patch

- Always add the KEX pseudo-methods "ext-info-c" and "kex-strict-c-v00@openssh.com"
  when configuring custom method list. [bsc#1218971, CVE-2023-48795]
  * The strict-kex extension is announced in the list of available
    KEX methods. However, when the default KEX method list is modified
    or replaced, the extension is not added back automatically.
  * Add libssh2_org-CVE-2023-48795-ext.patch
python
- Add CVE-2023-27043-email-parsing-errors.patch to
  gh#python/cpython!111116, fixing bsc#1210638 (CVE-2023-27043).
lifecycle-data-sle-live-patching
- Added data for 4_12_14-122_159, 4_12_14-122_189, 4_12_14-122_194. (bsc#1020320)

- Added data for 4_12_14-122_173, 4_12_14-122_176, 4_12_14-122_179,
  4_12_14-122_183, 4_12_14-122_186. (bsc#1020320)
krb5
- Fix memory leaks, add patch 0015-Fix-two-unlikely-memory-leaks.patch
  * CVE-2024-26458, bsc#1220770
  * CVE-2024-26461, bsc#1220771

- Update to krb5 1.16.3 (jsc#PED-7884). Most relevant changes:
  * Remove the triple-DES and RC4 encryption types from the default
    value of supported_enctypes, which determines the default key
    and salt types for new password-derived keys. By default, keys
    will only created only for AES128 and AES256. This mitigates
    some types of password guessing attacks.
  * Add support for the AES-SHA2 enctypes, which allows sites to
    conform to Suite B crypto requirements.
- Removed patches, useless or upstreamed
  * krb5-1.10-kpasswd_tcp.patch
  * krb5-1.7-doublelog.patch
  * krb5-1.9-kprop-mktemp.patch
  * krb5-1.10-ksu-access.patch
  * krb5-kvno-230379.patch
  * krb5-1.12-doxygen.patch
  * bnc#897874-CVE-2014-5351.diff
  * krb5-1.13-work-around-replay-cache-creation-race.patch
  * 0104-Verify-decoded-kadmin-C-strings-CVE-2015-8629.patch
  * 0105-Fix-leaks-in-kadmin-server-stubs-CVE-2015-8631.patch
  * 0106-Check-for-null-kadm5-policy-name-CVE-2015-8630.patch
  * 0109-Preserve-GSS-context-on-init-accept-failure.patch
  * 0115-Remove-incorrect-KDC-assertion.patch
  * 0116-Implement-GSS_KRB5_CRED_NO_CI_FLAGS_X-cred-option.patch
  * 0117-Add-tests-for-GSS_KRB5_CRED_NO_CI_FLAGS_X.patch
  * 0118-Implement-GSS_KRB5_CRED_NO_CI_FLAGS_X-for-SPNEGO.patch
  * 0119-Load-mechglue-config-files-from-etc-gss-mech.d.patch
  * 0120-Document-etc-gss-mech.d-.conf.patch
  * 0121-Fix-impersonate_name-to-work-with-interposers.patch
  * 0122-Use-preauth-options-when-changing-password.patch
  * 0123-Improve-extended-gic-option-support.patch
  * 0124-Use-responder-for-non-preauth-AS-requests.patch
- New patches:
  * 0011-Fix-KDC-null-deref-on-bad-encrypted-challenge.patch
  * 0012-Fix-KDC-null-deref-on-TGS-inner-body-null-server.patch
- Renamed patches:
  * Patch krb5-1.12-pam.patch -> 0001-krb5-1.12-pam.patch
  * Patch krb5-1.9-manpaths.dif -> 0002-krb5-1.9-manpaths.patch
  * Patch krb5-1.12-buildconf.patch -> 0003-krb5-1.12-buildconf.patch
  * Patch krb5-1.6.3-gssapi_improve_errormessages.dif ->
    0004-krb5-1.6.3-gssapi_improve_errormessages.patch
  * Patch krb5-1.6.3-ktutil-manpage.dif ->
    0005-krb5-1.6.3-ktutil-manpage.patch
  * Patch krb5-1.12-api.patch -> 0006-krb5-1.12-api.patch
  * Patch krb5-1.12-ksu-path.patch -> 0007-krb5-1.12-ksu-path.patch
  * Patch krb5-1.12-selinux-label.patch -> 0008-krb5-1.12-selinux-label.patch
  * Patch krb5-1.9-debuginfo.patch -> 0009-krb5-1.9-debuginfo.patch
  * Patch 0125-Add-recursion-limit-for-ASN.1-indefinite-lengths.patch ->
    0010-Add-recursion-limit-for-ASN.1-indefinite-lengths.patch
  * Patch 0126-Fix-integer-overflows-in-PAC-parsing.patch ->
    0013-Fix-integer-overflows-in-PAC-parsing.patch
  * Patch 0127-Ensure-array-count-consistency-in-kadm5-RPC.patch ->
    0014-Ensure-array-count-consistency-in-kadm5-RPC.patch
tiff
- security update:
  * CVE-2023-40745[bsc#1214687] CVE-2023-41175[bsc#1214686] [bsc#1221187]
    CVE-2023-38288[bsc#1213590]
    Fix potential int overflow in raw2tiff.c and tiffcp.c
    Rename tiff-CVE-2023-38288.patch into
    tiff-CVE-2023-38288,CVE-2023-40745,CVE-2023-41175.patch

- security update:
  * CVE-2015-8668 [bsc#960589]
    Fix heap based buffer overflow in bmp2tiff PackBitsEncode()
    + tiff-CVE-2015-8668.patch

- security update:
  * CVE-2023-52356 [bsc#1219213]
    Fix segfault in TIFFReadRGBATileExt()
    + tiff-CVE-2023-52356.patch
crmsh
- Update to version 4.1.1+git.1711953398.2356ae42:
  * Fix: bootstrap: Remove unused -i option when calling csync2_remote and ssh_remote stage (bsc#1212080, bsc#1221912)
xterm
- xterm-reset-parsing-state.patch: A bug in the parser for several
  escape sequences causes the first character following the
  sequence to be ignored (bsc#1220585). Patch backported from
  version 335n.
cloud-netconfig
- Update to version 1.14
  + Use '-s' instead of '--no-progress-meter' for curl (bsc#1221757)

- Add version settings to Provides/Obsoletes

- Update to version 1.12 (bsc#1221202)
  + If token access succeeds using IPv4 do not use the IPv6 endpoint
    only use the IPv6 IMDS endpoint if IPv4 access fails.

- Add Provides/Obsoletes for dropped cloud-netconfig-nm
- Install dispatcher script into /etc/NetworkManager/dispatcher.d
  on older distributions
- Add BuildReqires: NetworkManager to avoid owning dispatcher.d
  parent directory

- Update to version 1.11:
  + Revert address metadata lookup in GCE to local lookup (bsc#1219454)
  + Fix hang on warning log messages
  + Check whether getting IPv4 addresses from metadata failed and abort
    if true
  + Only delete policy rules if they exist
  + Skip adding/removing IPv4 ranges if metdata lookup failed
  + Improve error handling and logging in Azure
  + Set SCRIPTDIR when installing netconfig wrapper

- Update to version 1.10:
  + Drop cloud-netconfig-nm sub package and include NM dispatcher
    script in main packages (bsc#1219007)
  + Spec file cleanup

- Update to version 1.9:
  + Drop package dependency on sysconfig-netconfig
  + Improve log level handling
  + Support IPv6 IMDS endpoint in EC2 (bsc#1218069)
curl
- Security fix: [bsc#1221665, CVE-2024-2004]
  * Usage of disabled protocol
  * Add curl-CVE-2024-2004.patch

- Security fix: [bsc#1221667, CVE-2024-2398]
  * curl: HTTP/2 push headers memory-leak
  * Add curl-CVE-2024-2398.patch
perl-Bootloader
- merge gh#openSUSE/perl-bootloader#166
- log grub2-install errors correctly (bsc#1221470)
- 0.947

- merge gh#openSUSE/perl-bootloader#161
- support old grub versions (<= 2.02) that used /usr/lib
  (bsc#1218842)
- create EFI boot fallback directory if necessary
- 0.946

- merge gh#openSUSE/perl-bootloader#157
- bootloader_entry script can have an optional 'force-default'
  argument (bsc#1215064)
- skip warning about unsupported options when in compat mode
- 0.945
sudo
- Fix NOPASSWD issue introduced by patches for CVE-2023-42465
  [bsc#1221151, bsc#1221134]
  * Update sudo-CVE-2023-42465-1of2.patch sudo-CVE-2023-42465-2of2.patch
  * Enable running regression selftests during build time.

- Security fix: [bsc#1219026, bsc#1220389, CVE-2023-42465]
  * Try to make sudo less vulnerable to ROWHAMMER attacks.
  * Add sudo-CVE-2023-42465-1of2.patch sudo-CVE-2023-42465-2of2.patch
openssl-1_0_0
- Security fix: [bsc#1219243, CVE-2024-0727]
  * Add NULL checks where ContentInfo data can be NULL
  * Add openssl-CVE-2024-0727.patch
libvirt
- CVE-2024-2494: remote: check for negative array lengths before
  allocation
  8a3f8d95-CVE-2024-2494.patch
  bsc#1221815

- CVE-2024-2496: interface: fix udev_device_get_sysattr_value
  return value check
  2ca94317-CVE-2024-2496.patch
  bsc#1221468

- CVE-2024-1441: Fix off-by-one error in udevListInterfacesByStatus
  c664015f-CVE-2024-1441.patch
  bsc#1221237
jasper
- bsc#1223155 CVE-2024-31744:
  Add missing check to jpc_dec_process_sod()
  Add jasper-CVE-2024-31744.patch

- bsc#1218802 CVE-2023-51257:
  Fix invalid memory write on jas_icctxt_input()
  Add jasper-CVE-CVE-2023-51257.patch