SUSEConnect
- Update to 0.3.29
- replace env ruby path with native ruby path during build phase
alsa-utils
- Fix alsactl restore behavior during locking (boo#1179904):
  0010-alsactl-Fix-double-decrease-of-lock-timeout.patch
  0011-alsactl-Fix-race-at-creating-a-lock-file.patch
- Remove unnecessary condition for alsa-restore.service
  0012-alsactl-Remove-asound.state-file-check-from-alsa-res.patch
crmsh
- Update to version 4.2.0+git.1609987436.0d3a9bf5:
  * Fix: utils: skip if no netmask in the result of ip -o addr show(bsc#1180421)
  * Fix: bootstrap: add /etc/modules-load.d/watchdog.conf into csync.cfg(bsc#1180424)
  * Low: bootstrap: make invoke return specific error(bsc#1177023)
  * Fix: bootstrap: Refactor join_lock.py for more generic using purpose(bsc#1180149)
  * Dev: bootstrap: use ping to test host is reachable before joining
  * Low: bootstrap: check cluster was running on init node
- Use Path.mkdir instead of mkdir command(bsc#1179999); Add patch:
  * 0001-Fix-history-use-Path.mkdir-instead-of-mkdir-command-.patch
- Update to version 4.2.0+git.1607075079.a25648d8:
  * Fix: bootstrap: use class JoinLock to manage lock in parallel join(bsc#1175976)
  * Fix: utils: improve disable_service and enable_service function(bsc#1178701)
  * Fix: bootstrap: disable corosync-qdevice if not configured(bsc#1178701)
  * Dev: hb_report: change the default dest data format, more readable
  * Low: bootstrap: should include /etc/sysconfig/nfs into csync2.cfg(bsc#1178373)
  * Low: bootstrap: minor change for _get_sbd_device_interactive function(bsc#1178333)
cups
- cups-2.2.7-CVE-2020-10001.patch fixes CVE-2020-10001
  access to uninitialized buffer in ipp.c (bsc#1180520)
- cups-2.2.7-CVE-2019-8842.patch fixes CVE-2019-8842 (bsc#1170671)
  the ippReadIO function may under-read an extension field
curl
- Security fix: [bsc#1179593, CVE-2020-8286]
  * Inferior OCSP verification: libcurl offers "/OCSP stapling"/ via
    the 'CURLOPT_SSL_VERIFYSTATUS' option that, when set, verifies
    the OCSP response that a server responds with as part of the TLS
    handshake. It then aborts the TLS negotiation if something is
    wrong with the response. The same feature can be enabled with
    '--cert-status' using the curl tool.
  * As part of the OCSP response verification, a client should verify
    that the response is indeed set out for the correct certificate.
    This step was not performed by libcurl when built or told to use
    OpenSSL as TLS backend.
- Add curl-CVE-2020-8286.patch
- Security fix: [bsc#1179399, CVE-2020-8285]
  * FTP wildcard stack overflow: The wc_statemach() internal
    function has been rewritten to use an ordinary loop instead of
    the recursive approach.
- Add curl-CVE-2020-8285.patch
- Security fix: [bsc#1179398, CVE-2020-8284]
  * Trusting FTP PASV responses: When curl performs a passive FTP
    transfer, it first tries the 'EPSV' command and if that is not
    supported, it falls back to using 'PASV'. A malicious server
    can use the 'PASV' response to trick curl into connecting
    back to a given IP address and port, and this way potentially
    make curl extract information about services that are otherwise
    private and not disclosed.
  * The IP address part of the response is now ignored by default,
    by making 'CURLOPT_FTP_SKIP_PASV_IP' default to '1L'. The same
    goes for the command line tool, which then might need
    '--no-ftp-skip-pasv-ip' set to prevent curl from ignoring the
    address in the server response.
- Add curl-CVE-2020-8284.patch
fence-agents
- Update to version 4.7.0+git.1607346448.17bd8552:
  * fence_mpath, fence_scsi: Improve logging for failed res/key get
  * fence_mpath, fence_scsi: Capture stderr in run_cmd()
  * build: depend on config changes to rebuild when running make after running ./configure
  * fence_redfish: Fix typo in help.
  * fence_aws: add support for IMDSv2
  * spec: add pkg-config file, and set version for obsoletes to avoid failing to build on Fedora 33
  * Add pkg-config file
  * fence_scsi: dont write key to device if it's already registered, and open file correctly to avoid using regex against end-of-file
  * fencing: fix run_command() to allow timeout=0 to mean forever
  * fencing: fix to make timeout(s)=0 be treated as forever for agents using pexpect
- (bsc#1178343) `fence_gce` updates to be pulled to the SLE versions
  The last update broke fencing in GCE
  The last patch is based on 4.7.0+git.1607346448.17bd8552
- (bsc#1178343) `fence_gce` updates to be pulled to the SLE versions
  The last update broke fencing in GCE
  * add-upstream patch
    0001-Adds-service-account-authentication-to-GCE-fence-age.patch
gcc7
- Amend gcc7-aarch64-moutline-atomics.patch for glibc namespace
  violation with getauxval.  [bsc#1167939]
- Add gcc7-aarch64-sls-miti-1.patch, gcc7-aarch64-sls-miti-2.patch,
  gcc7-aarch64-sls-miti-3.patch to backport aarch64 Straight Line
  Speculation mitigation [bsc#1172798, CVE-2020-13844]
- Add gcc7-fix-retrieval-of-testnames.patch to support usage in
  testcases added by the above.
- Enable fortran for the nvptx offload compiler.
- Do not specify alternate offload compiler location at
  configure time.
- Update README.First-for.SuSE.packagers
- Add gcc7-pr88522.patch to avoid assembler errors with AVX512
  gather and scatter instructions when using -masm=intel.
- Amend gcc7-remove-Wexpansion-to-defined-from-Wextra.patch to
  reflect changes in option handling in the testsuite.
- Add gcc7-testsuite-fixes.patch to fix PR98001 and PR98002 which
  are broken testcases showing with malloc debugging enabled.
- Add gcc7-aarch64-moutline-atomics.patch to backport the aarch64
  - moutline-atomics feature and accumulated fixes but not its
  default enabling.  [jsc#SLE-12209, bsc#1167939]
- Order gcc7-pr92692.patch after gcc7-aarch64-moutline-atomics.patch
  and refresh.
- Revert gcc7-pr97774.patch as it causes gdb to crash.
- Fix 32bit libgnat.so link.  [bsc#1178675]
- Quote %{cross_arch} consistently when comparing expansion
  against string in RPM %if condition.
- Add gcc7-pr97535.patch to fix memcpy miscompilation on aarch64.
  [bsc#1178624, bsc#1178577]
- Add gcc7-pr97774.patch to fix debug line info for try/catch.
  [bsc#1178614]
- Remove -mbranch-protection=standard (aarch64 flag) when gcc7 is
  used to build gcc7 (ie when ada is enabled)
- Add gcc7-pr94148.patch to fix corruption of pass private ->aux
  via DF.  [gcc#94148]
- Add gcc7-pr93888.patch to fix debug information issue with
  inlined functions and passed by reference arguments.  [gcc#93888]
- Add gcc7-pr93965.patch in order to fix binutils release
  date detection issue.
- Add gcc48-bsc1161913.patch to fix register allocation issue with
  exception handling code on s390x.  [bsc#1161913]
- Add gcc7-pr92692.patch: Backport PR target/92692 to fix
  miscompilation of some atomic code on aarch64. [bsc#1150164]
- Add gcc7-pr93246.patch: Backport PR middle-end/93246
- gcc7-pr92154.patch: Backport PR sanitizer/92154
gmp
- adjusted to be the same license as in factory (bsc#1180603)
- correct license statement (library itself is no GPL-3.0)
groff
- Add 0001-make-package-build-reproducible.patch
    0002-Implement-SOURCE_DATE_EPOCH-for-reproducible-builds.patch
  to make corosync build reproducibly (bsc#1180276)
gzip
- Enable DFLTCC compression for s390x for levels 1-6 (i. e. to make
  it used by default) by adding -DDFLTCC_LEVEL_MASK=0x7e to CLFAGS.
  [jsc#SLE-13775]
- refresh gzip-1.10-ibm_dfltcc_support.patch to fix three data
  corruption issues [bsc#1145276] [jsc#SLE-5818] [jsc#SLE-8914]
- add gzip-1.10-ibm_dfltcc_support.patch [jsc#SLE-5818] [jsc#SLE-8914]
  * it adds support for DFLTCC (hardware-accelerated deflation)
    for s390x arch
  * enable it via "/--enable-dfltcc"/ option
- gzip 1.10:
  * Compressed gzip output no longer contains the current time as
    a timestamp when the input is not a regular file.  Instead, the
    output contains a null (zero) timestamp.  This makes gzip's
    behavior more reproducible when used as part of a pipeline.
  * A use of uninitialized memory on some malformed inputs has been
    fixed.
  * A few theoretical race conditions in signal handers have been
    fixed.
- drop upstreamed patches:
  * gnulib-libio.patch
  * gzip-1.8-deprecate_netstat.patch
- gnulib-libio.patch: Update gnulib for libio.h removal
hawk2
- Update to version 2.4.0+git.1611141202.2fe6369e:
  * Improve further mechanism of controllers to system commands.
  * drop patch 0001-Improve-controllers.patch since merged upstream
  (CVE-2020-35458)
- Update to version 2.3.0+git.1603969748
  * fix bsc#1179998. Handle better input on app controllers (CVE-2020-35458)
java-1_8_0-ibm
- Update to Java 8.0 Service Refresh 6 Fix Pack 20 [bsc#1180063,bsc#1177943]
  CVE-2020-14792 CVE-2020-14797 CVE-2020-14781 CVE-2020-14779
  CVE-2020-14798 CVE-2020-14796 CVE-2020-14803
  * Class libraries:
  - SOCKETADAPTOR$SOCKETINPUTSTREAM.READ is blocking for more time
    that the set timeout
  - Z/OS specific C function send_file is changing the file pointer
    position
  * Java Virtual Machine:
  - Crash on iterate java stack
  - Java process hang on SIGTERM
  * JIT Compiler:
  - JMS performance regression from JDK8 SR5 FP40 TO FP41
  * Class Libraries:
  - z15 high utilization following Z/VM and Linux migration from
    z14 To z15
  * Java Virtual Machine:
  - Assertion failed when trying to write a class file
  - Assertion failure at modronapi.cpp
  - Improve the performance of defining and finding classes
  * JIT Compiler:
  - An assert in ppcbinaryencoding.cpp may trigger when running
    with traps disabled on power
  - AOT field offset off by n bytes
  - Segmentation fault in jit module on ibm z platform
kdump
- kdump-fix-m_threads-missing-initialization.patch: Update
  references (bsc#1047609, bsc#1047634).
- kdump-fix-multipath-user_friendly_names.patch: Fix multipath
  configuration with user_friendly_names and/or aliases
  (bsc#1111207, LTC#171953, bsc#1125218, LTC#175465, bsc#1153601).
- kdump-recover-from-missing-CRASHTIME.patch: Recover from missing
  CRASHTIME= in VMCOREINFO (bsc#1112387).
- kdump-clean-up-use-of-boot-NIC-names.patch: Clean up the use of
  current vs. boot network interface names (bsc#1094444,
  bsc#1116463, bsc#1141064).
- kdump-custom-namespace-for-physical-NICs.patch: Use a custom
  namespace for physical NICs (bsc#1094444, bsc#1116463,
  bsc#1141064).
- kdump-Add-force-option-to-KDUMP_NETCONFIG.patch: Add "/:force"/
  option to KDUMP_NETCONFIG (bsc#1108919).
- kdump-Add-fence_kdump_send-when-fence-agents-installed.patch: Add
  fence_kdump_send when fence-agents installed (bsc#1108919).
- kdump-FENCE_KDUMP_SEND-variable.patch: Use var for path of
  fence_kdump_send and remove the unnecessary PRESCRIPT check
  (bsc#1108919).
- kdump-Document-fence_kdump_send.patch: Document kdump behaviour
  for fence_kdump_send (bsc#1108919).
- kdump-Restore-only-static-routes-in-kdump-initrd.patch: Restore
  only static routes in kdump initrd (bsc#1093795).
- kdump-use-pbl.patch: Replace obsolete perl-Bootloader library
  with a simpler script (bsc#1050349).
- kdump-remove-console-hvc0-from-commandline.patch: remove
  console=hvc0 from commandline (bsc#1173914).
- kdump-set-serial-console-from-Xen-cmdline.patch: set serial
  console from Xen cmdline (bsc#1173914).
- kdump-Remove-noefi-and-acpi_rsdp-for-EFI-firmware.patch: Remove
  noefi and acpi_rsdp for EFI firmware (bsc#1123940, bsc#1170336).
- kdump-Add-skip_balance-option-to-BTRFS-mounts.patch: Add
  skip_balance option to BTRFS mounts (bsc#1108255).
- kdump-do-not-add-rd.neednet.patch: Do not add 'rd.neednet=1' to
  dracut command line (bsc#1177196).
keyutils
- adjust the library license to be LPGL-2.1+ only (the tools are GPL2+,
  the library is just LGPL-2.1+) (bsc#1180603)
libidn2
- The library is actually dual licensed, GPL-2.0-or-later or LGPL-3.0-or-later,
  match factory licenses (bsc#1180138)
libselinux
- In selinux-ready
  * Removed check for selinux-policy package as we don't ship one
    (bsc#1136845)
  * Add check that restorecond is installed and enabled
- Set License: to correct value (bsc#1135710 bsc#1180603)
libxml2
- Avoid quadratic checking of identity-constraints: [bsc#1178823]
  * key/unique/keyref schema attributes currently use qudratic loops
    to check their various constraints (that keys are unique and that
    keyrefs refer to existing keys).
  * This fix uses a hash table to avoid the quadratic behaviour.
- Add libxml2-Avoid-quadratic-checking-of-identity-constraints.patch
openldap2
- bsc#1178909 CVE-2020-25709 CVE-2020-25710 - Resolves two issues
    where openldap would crash due to malformed inputs.
  * patch: 0209-ITS-9383-remove-assert-in-certificateListValidate.patch
  * patch: 0210-ITS-9384-remove-assert-in-obsolete-csnNormalize23.patch
- bsc#1179503 - fix proxy retry binds to a remote server
  * patch: 0208-ITS-9400-back-ldap-fix-retry-binds.patch
openssh
- Add openssh-bsc1148566-scp-handle-quotes-while-checking-filenames-from-serv.patch,
  openssh-bsc1148566-scp-show-filename-match-patterns-in-verbose-mode.patch
  (bsc#1148566). Fixes a class of false alarms due to filename
  validation. Patches by Josef Cejka <jcejka@suse.com>.
- Add openssh-CVE-2020-14145-information-leak.patch
  (CVE-2020-14145, bsc#1173513). This partially mitigates a
  potential information leak during host key exchange that could
  be exploited by a man-in-the-middle attacker.
pam
- Create macros.pam with definition of %_pamdir so packages which
  are commonly shared between Factory and SLE can use this macro
  [pam.spec]
python
- Add CVE-2021-3177-buf_ovrfl_PyCArg_repr.patch fixing
  bsc#1181126 (CVE-2021-3177) buffer overflow in PyCArg_repr in
  _ctypes/callproc.c, which may lead to remote code execution.
- Provide the newest setuptools wheel (bsc#1176262,
  CVE-2019-20916) in their correct form (bsc#1180686).
python-base
- Add CVE-2021-3177-buf_ovrfl_PyCArg_repr.patch fixing
  bsc#1181126 (CVE-2021-3177) buffer overflow in PyCArg_repr in
  _ctypes/callproc.c, which may lead to remote code execution.
- Provide the newest setuptools wheel (bsc#1176262,
  CVE-2019-20916) in their correct form (bsc#1180686).
python-urllib3
- Add CVE-2020-26116-CRLF-injection.patch which raises ValueError
  if method contains control characters and thus prevents CRLF
  injection into URLs (bsc#1177211, bpo#39603, CVE-2020-26116,
  gh#urllib3/urllib3#1800).
- Skip test for RECENT_DATE. It is a test purely for developers.
  To maintain reproducibility, keep upstreams possibly outdated
  RECENT_DATE in the source code. (bsc#1181571)
python3
- readd --with-fpectl (bsc#1180377)
- Adjust sphinx-update-removed-function.patch
- (bsc#1179630) Update sphinx-update-removed-function.patch to
  work with all versions of Sphinx (not binding the Python
  documentation build to the latest verison of Sphinx). Updated
  version mentioned on gh#python/cpython#13236.
- Add CVE-2020-27619-no-eval-http-content.patch fixing
  CVE-2020-27619 (bsc#1178009), where Lib/test/multibytecodec_support
  calls eval() on content retrieved via HTTP.
- Add patch sphinx-update-removed-function.patch to no longer call
  a now removed function (gh#python/cpython#13236). As
  a consequence, no longer pin Sphinx version.
- Pin Sphinx version to fix doc subpackage
- Change setuptools and pip version numbers according to new wheels
- Add ignore_pip_deprec_warn.patch to switch of persistently
  failing test.
- Handful of changes to make python36 compatible with SLE15 and SLE12
  (jsc#ECO-2799, jsc#SLE-13738)
- Rebase bpo23395-PyErr_SetInterrupt-signal.patch
- Fix build with RPM 4.16: error: bare words are no longer
  supported, please use "/..."/:  x86 == ppc.
- Fix installing .desktop file
- Buildrequire timezone only for general flavor. It's used in this
  flavor for the test suite.
- Add faulthandler_stack_overflow_on_GCC10.patch to make build
  working even with GCC10 (bpo#38965).
- Just cleanup and reordering items to synchronize with python38
- Format with spec-cleaner
- riscv64-support.patch: bpo-33377: add triplets for mips-r6 and riscv
  (#6655)
- riscv64-ctypes.patch: bpo-35847: RISC-V needs CTYPES_PASS_BY_REF_HACK
  (GH-11694)
- Update list of tests to exclude under qemu linux-user
- Update the python keyring
- Correct libpython name
- Drop patches which are not mentioned in spec:
  * CVE-2019-5010-null-defer-x509-cert-DOS.patch
  * F00102-lib64.patch
  * F00251-change-user-install-location.patch
  * OBS_dev-shm.patch
  * SUSE-FEDORA-multilib.patch
  * bpo-31046_ensurepip_honours_prefix.patch
  * bpo34022-stop_hash-based_invalidation_w_SOURCE_DATE_EPOCH.patch
  * bpo36302-sort-module-sources.patch
  * bpo40784-Fix-sqlite3-deterministic-test.patch
  * bsc1167501-invalid-alignment.patch
  * python3-imp-returntype.patch
- Working around missing python-packaging dependency in
  python-Sphinx (bsc#1174571) is not necessary anymore.
- Update to 3.6.12 (bsc#1179193)
  * Ensure python3.dll is loaded from correct locations when Python is embedded
  * The __hash__() methods of ipaddress.IPv4Interface and ipaddress.IPv6Interface
    incorrectly generated constant hash values of 32 and 128 respectively. This
    resulted in always causing hash collisions. The fix uses hash() to generate
    hash values for the tuple of (address, mask length, network address).
  * Prevent http header injection by rejecting control characters in
    http.client.putrequest(…).
  * Unpickling invalid NEWOBJ_EX opcode with the C implementation raises now
    UnpicklingError instead of crashing.
  * Avoid infinite loop when reading specially crafted TAR files using the tarfile
    module
- Drop merged fixtures:
  * CVE-2020-14422-ipaddress-hash-collision.patch
  * CVE-2019-20907_tarfile-inf-loop.patch
  * recursion.tar
- This release also fixes CVE-2020-26116 (bsc#1177211) and CVE-2019-20907 (bsc#1174091).
- Make library names internally consistent
- Disable profile optimalizations as they deadlock in test_faulthandler
- Disable lto as it causes mess and works with 3.7 onwards only
- Sync the test disablements from the python3 in sle15
- Update to 3.6.11:
  - bpo-39073: Disallow CR or LF in email.headerregistry. Address
    arguments to guard against header injection attacks.
  - bpo-38576 (bsc#1155094): Disallow control characters in
    hostnames in http.client, addressing CVE-2019-18348. Such
    potentially malicious header injection URLs now cause
    a InvalidURL to be raised.
  - bpo-39503: CVE-2020-8492: The AbstractBasicAuthHandler class
    of the urllib.request module uses an inefficient regular
    expression which can be exploited by an attacker to cause
    a denial of service. Fix the regex to prevent the
    catastrophic backtracking. Vulnerability reported by Ben
    Caller and Matt Schwager.
  - bpo-39401: Avoid unsafe load of
    api-ms-win-core-path-l1-1-0.dll at startup on Windows 7.
- Remove merged patch CVE-2020-8492-urllib-ReDoS.patch
- Fix minor issues found in the staging.
- Do not set ourselves as a primary interpreter
  - CVE-2019-16935-xmlrpc-doc-server_title.patch (and also
    bpo37614-race_test_docxmlrpc_srv_setup.patch, which was
    resolving bsc#1174701).
resource-agents
- (bsc#1179977) L3: anything RA stop operation fails if
  /root/.profile has unexpected content
  Add upstream patch:
    0001-The-anything-RA-getpid-function-can-fail-to-return-t.patch
rsyslog
- imfile: suppress segfault in ratelimiter (bsc#1176355)
  * add 0001-bugfix-imfile-segfault-in-ratelimiter.patch
rubygem-nokogiri
- add 000-CVE-2019-5477.patch (CVE-2019-5477, bsc#1146578)
- add 001-test-equality.patch (prereq of 002-CVE-2020-26247.patch)
- add 002-CVE-2020-26247.patch (CVE-2020-26247, bsc#1180507)
- updated to version 1.8.5 (bsc#1156722)
  [#]# Security Notes
  [MRI] Pulled in upstream patches from libxml2 that address CVE-2018-14404 and CVE-2018-14567. Full details are available in [#1785](https://github.com/sparklemotion/nokogiri/issues/1785). Note that these patches are not yet (as of 2018-10-04) in an upstream release of libxml2.
  [#]# Bug fixes
  * [MRI] Fix regression in installation when building against system libraries, where some systems would not be able to find libxml2 or libxslt when present. (Regression introduced in v1.8.3.) [#1722]
  * [JRuby] Fix node reparenting when the destination doc is empty. [#1773]
- updated to version 1.8.4
  see installed CHANGELOG.md
  [#] 1.8.4 / 2018-07-03
  [#]# Bug fixes
  * [MRI] Fix memory leak when creating nodes with namespaces. (Introduced in v1.5.7) [#1771]
- updated to version 1.8.3
  see installed CHANGELOG.md
  [#] 1.8.3 / 2018-06-16
  [#]# Security Notes
  [MRI] Behavior in libxml2 has been reverted which caused CVE-2018-8048 (loofah gem), CVE-2018-3740 (sanitize gem), and CVE-2018-3741 (rails-html-sanitizer gem). The commit in question is here:
  > https://github.com/GNOME/libxml2/commit/960f0e2
  and more information is available about this commit and its impact here:
  > https://github.com/flavorjones/loofah/issues/144
  This release simply reverts the libxml2 commit in question to protect users of Nokogiri's vendored libraries from similar vulnerabilities.
  If you're offended by what happened here, I'd kindly ask that you comment on the upstream bug report here:
  > https://bugzilla.gnome.org/show_bug.cgi?id=769760
salt
- Revert wrong zypper  patch to support vendorchanges flags on pkg.install
- Adjusted python2-cherrypy naming in salt-api. (#40)
- Added:
  * revert-add-patch-support-for-allow-vendor-change-opt.patch
- Force zyppnotify to prefer Packages.db than Packages if it exists
- Allow vendor change option with zypper
- Added:
  * force-zyppnotify-to-prefer-packages.db-than-packages.patch
  * add-patch-support-for-allow-vendor-change-option-wit.patch
- Add pkg.services_need_restart
- Bigvm backports:
  virt consoles, CPU tuning and topology, and memory tuning.
- Fix for file.check_perms to work with numeric uid/gid
- Added:
  * fix-salt.utils.stringutils.to_str-calls-to-make-it-w.patch
  * add-pkg.services_need_restart-302.patch
  * opensuse-3000-bigvm-backports-300.patch
- Change 'Requires(pre)' to 'Requires' for salt-minion package (bsc#1083110)
- Fix syntax error on pkgrepo state with Python 2.7
- transactional_update: unify with chroot.call
- Added:
  * pkgrepo-support-python-2.7-function-call-294.patch
  * transactional_update-unify-with-chroot.call.patch
- Add "/migrated"/ state and GPG key management functions
- Added:
  * add-migrated-state-and-gpg-key-management-functions-.patch
- Master can read grains
- Added:
  * grains-master-can-read-grains.patch
- Fix for broken psutil (bsc#1102248)
- Added:
  * fix-for-bsc-1102248-psutil-is-broken-and-so-process-.patch
- Fix novendorchange handling in zypperpkg module
- Added:
  * fix-novendorchange-option-284.patch
sudo
- Fix Heap-based buffer overflow in Sudo [bsc#1181090,CVE-2021-3156]
  * sudo-CVE-2021-3156.patch
- Possible Dir Existence Test due to Race Condition in `sudoedit`
  [bsc#1180684,CVE-2021-23239]
  * sudo-CVE-2021-23239.patch
- Possible Symlink Attack in SELinux Context in `sudoedit` [bsc#1180685,
  CVE-2021-23240]
  * sudo-CVE-2021-23240.patch
- User Could Enable Debug Settings not Intended for it [bsc#1180687]
  * sudo-fix-bsc-1180687.patch
systemd
- Add 0001-cgroup-actually-reset-the-cgroup-invalidation-mask-a.patch (bsc#1178775)
  It's been added in quarantine for now on.
- Import commit c720c4d784b85feab124eae39919bec59e061ff5
  bd6bedd353 udev: create /dev/disk/by-label symlink for LUKS2 (#8998) (bsc#1180885)
- Import commit 080062ed5f90b8a4085a89f2ad30ee320fab27c9
  80e37dcacc busctl: add a timestamp to the output of the busctl monitor command (bsc#1180225)
  2ee6877bb3 core: make sure to restore the control command id, too
  d1b9949337 scope: on unified, make sure to unwatch all PIDs once they've been moved to the cgroup scope
  af5945c2f4 fileio: tweak write_string_stream_ts() to write out trailing n in one go even if buffering is off
  a28c165efa fileio: write_string_stream_ts: check for file errors immediately
  dc122eb771 fileio: write_string_stream_ts: return errors from fputs and fputc
  14c89b1424 fileio: make write_string_stream() accept flags parameter
  2959e7dfe6 journal: do not trigger assertion when journal_file_close() get NULL (bsc#1179824)
  08db1ac361 cgroup: drastically simplify caching of cgroups members mask (bsc#1175458)
  bb59042ab4 cgroup: extend comment on what unit_release_cgroup() is for
  ead2955f65 cgroup: document what the various masks variables are used for
  805fe8ecdf cgroup: extend cg_mask_supported() comment a bit
  305806da38 cgroup: tweak log message, so that it doesn't claim we always enable controllers when we actually disable them
  d02ce63463 cgroup-util: disable buffering for cg_enable_everywhere() when writing to cgroup attributes
  b4e9893f5d cgroup-util: fix enabling of controllers (#8816)
  e7dd277c1b cgroup: propagate errors when we cannot open cgroup.subtree_control
  7c8f19714f cgroup-util: optimization — open subtree_control file only once for all controllers
  7999763781 cgroup: add explanatory comment
  2829342e7a cgroup: units that aren't loaded properly should not result in cgroup controllers being pulled in
  48a0d85047 cgroup: make unit_get_needs_bpf_firewall() static too
  888dc39134 cgroup: make some functions static
  6c0efa2f01 cgroup: suffix settings with "/="/ in log messages where appropriate
  e69d9927c6 cgroup: use structured initialization
  5174fb9622 core: fix message about detected memory hierarchy
  3b6443e1ee core: use safe_fclose() where we can
  906dcf1f6b udev: Fix sound.target dependency (bsc#1179363)
  2c9866d55a rules: enable hardware-related targets also for user instances
  127e546608 sd-event: fix delays assert brain-o (#17790)
  b98b6d230c core: serialize u->pids until the processes have been moved to the scope cgroup (bsc#1174436)
  2f50b9ecf1 time-util: treat /etc/localtime missing as UTC (bsc#1141597)
tcl
- bsc#1179615: TCL_LIBS in tclConfig.sh possibly breaks build on
  newer service packs and is not needed for linking to a dynamic
  libtcl anyway, so make it empty.
timezone
- timezone update 2021a (bsc#1177460)
  * South Sudan changes from +03 to +02 on 2021-02-01 at 00:00.
- timezone update 2020f (bsc#1177460)
  * 'make rearguard_tarballs' no longer generates a bad rearguard.zi,
    fixing a 2020e bug.
- timezone update 2020e (bsc#1177460)
  * Volgograd switches to Moscow time on 2020-12-27 at 02:00.
yast2-cluster
- bsc#1180424, add watchdog.conf to csync2 default list
- bsc#1151687, update the open ports to support pacemaker-remote,
  booth, corosync-qnetd.
- bsc#1120815, support use hostname in ring address.
- Version 4.0.13