bind
- dnssec-keygen can no longer generate HMAC keys.
  Use tsig-keygen instead.
  modified genDDNSkey script to reflect this.
  [vendor-files/tools/bind.genDDNSkey, bsc#1180933]
- CVE-2020-8625: A vulnerability in BIND's GSSAPI security policy
  negotiation can be targeted by a buffer overflow attack
  [bsc#1182246, CVE-2020-8625, bind-CVE-2020-8625.patch]
containerd
- Update to containerd v1.3.9, which is needed for Docker v19.03.14-ce and
  fixes CVE-2020-15257. bsc#1178969 bsc#1180243
- Update to containerd v1.3.7, which is required for Docker 19.03.13-ce.
  boo#1176708 bsc#1177598 CVE-2020-15157
- Refresh patches:
  * 0001-makefile-remove-emoji.patch
- Use Go 1.13 for build.
  bsc#1153367 bsc#1157330
docker
[NOTE: This update was only ever released in SLES and Leap.]
- It turns out the boo#1178801 libnetwork patch is also broken on Leap, so drop
  the patch entirely. bsc#1180401 bsc#1182168
  - boo1178801-0001-Add-docker-interfaces-to-firewalld-docker-zone.patch
[NOTE: This update was only ever released in SLES and Leap.]
- Update Docker to 19.03.15-ce. See upstream changelog in the packaged
  /usr/share/doc/packages/docker/CHANGELOG.md. This update includes fixes for
  bsc#1181732 (CVE-2021-21284) and bsc#1181730 (CVE-2021-21285).
- Rebase patches:
  * bsc1073877-0001-apparmor-clobber-docker-default-profile-on-start.patch
- Only apply the boo#1178801 libnetwork patch to handle firewalld on openSUSE.
  It appears that SLES doesn't like the patch. bsc#1180401
- Re-apply secrets fix for bsc#1065609 which appears to have been lost after it
  was fixed.
  * secrets-0001-daemon-allow-directory-creation-in-run-secrets.patch
  * secrets-0002-SUSE-implement-SUSE-container-secrets.patch
- Add Conflicts and Provides for kubic flavour of docker-fish-completion.
- Update to Docker 19.03.14-ce. See upstream changelog in the packaged
  /usr/share/doc/packages/docker/CHANGELOG.md. CVE-2020-15257 bsc#1180243
  https://github.com/docker/docker-ce/releases/tag/v19.03.14
- Enable fish-completion
- Add a patch which makes Docker compatible with firewalld with
  nftables backend. Backport of https://github.com/moby/libnetwork/pull/2548
  (boo#1178801, SLE-16460)
  * boo1178801-0001-Add-docker-interfaces-to-firewalld-docker-zone.patch
- Update to Docker 19.03.13-ce. See upstream changelog in the packaged
  /usr/share/doc/packages/docker/CHANGELOG.md. bsc#1176708
- Fixes for %_libexecdir changing to /usr/libexec (bsc#1174075)
- Emergency fix: %requires_eq does not work with provide symbols,
  only effective package names. Convert back to regular Requires.
- Update to Docker 19.03.12-ce. See upstream changelog in the packaged
  /usr/share/doc/packages/docker/CHANGELOG.md.
- Use Go 1.13 instead of Go 1.14 because Go 1.14 can cause all sorts of
  spurrious errors due to Go returning -EINTR from I/O syscalls much more often
  (due to Go 1.14's pre-emptive goroutine support).
  - bsc1172377-0001-unexport-testcase.Cleanup-to-fix-Go-1.14.patch
- Add BuildRequires for all -git dependencies so that we catch missing
  dependencies much more quickly.
  /usr/share/doc/packages/docker/CHANGELOG.md. bsc#1158590 bsc#1157330
docker-runc
- Switch to Go 1.13 for build.
gcc7
- Remove include-fixed/pthread.h
- Change GCC exception licenses to SPDX format
- add gcc7-pr81942.patch [bsc#1181618]
glibc
- euc-kr-overrun.patch: Fix buffer overrun in EUC-KR conversion module
  (CVE-2019-25013, bsc#1182117, BZ #24973)
- gconv-assertion-iso-2022-jp.patch: gconv: Fix assertion failure in
  ISO-2022-JP-3 module (CVE-2021-3326, bsc#1181505, BZ #27256)
- iconv-redundant-shift.patch: iconv: Accept redundant shift sequences in
  IBM1364 (CVE-2020-27618, bsc#1178386, BZ #26224)
- iconv-ucs4-loop-bounds.patch: iconv: Fix incorrect UCS4 inner loop
  bounds (CVE-2020-29562, bsc#1179694, BZ #26923)
- printf-long-double-non-normal.patch: x86: Harden printf against
  non-normal long double values (CVE-2020-29573, bsc#1179721, BZ #26649)
- get-nprocs-cpu-online-parsing.patch: Fix parsing of
  /sys/devices/system/cpu/online (bsc#1180038, BZ #25859)
golang-github-docker-libnetwork
[NOTE: This update was only ever released in SLES and Leap.]
- It turns out the boo#1178801 libnetwork patch is also broken on Leap, so drop
  the patch entirely. bsc#1180401 bsc#1182168
  - boo1178801-0001-Add-docker-interfaces-to-firewalld-docker-zone.patch
[NOTE: This update was only ever released in SLES and Leap.]
- Only apply the boo#1178801 libnetwork patch to handle firewalld on openSUSE.
  It appears that SLES doesn't like the patch. bsc#1180401
- Update to libnetwork 55e924b8a842, which is required for Docker 19.03.14-ce.
  bsc#1180243
- Add patch which makes libnetwork compatible with firewalld with
  nftables backend. Backport of https://github.com/moby/libnetwork/pull/2548
  (boo#1178801, SLE-16460)
  * boo1178801-0001-Add-docker-interfaces-to-firewalld-docker-zone.patch
- Update to libnetwork 026aabaa6598, which is required for Docker 19.03.12-ce.
grub2
- VUL-0: grub2,shim: implement new SBAT method (bsc#1182057)
  * 0028-util-mkimage-Remove-unused-code-to-add-BSS-section.patch
  * 0029-util-mkimage-Use-grub_host_to_target32-instead-of-gr.patch
  * 0030-util-mkimage-Always-use-grub_host_to_target32-to-ini.patch
  * 0031-util-mkimage-Unify-more-of-the-PE32-and-PE32-header-.patch
  * 0032-util-mkimage-Reorder-PE-optional-header-fields-set-u.patch
  * 0033-util-mkimage-Improve-data_size-value-calculation.patch
  * 0034-util-mkimage-Refactor-section-setup-to-use-a-helper.patch
  * 0035-util-mkimage-Add-an-option-to-import-SBAT-metadata-i.patch
  * 0036-grub-install-common-Add-sbat-option.patch
- Fix CVE-2021-20225 (bsc#1182262)
  * 0019-lib-arg-Block-repeated-short-options-that-require-an.patch
- Fix CVE-2020-27749 (bsc#1179264)
  * 0021-kern-parser-Fix-resource-leak-if-argc-0.patch
  * 0022-kern-parser-Fix-a-memory-leak.patch
  * 0023-kern-parser-Introduce-process_char-helper.patch
  * 0024-kern-parser-Introduce-terminate_arg-helper.patch
  * 0025-kern-parser-Refactor-grub_parser_split_cmdline-clean.patch
  * 0026-kern-buffer-Add-variable-sized-heap-buffer.patch
  * 0027-kern-parser-Fix-a-stack-buffer-overflow.patch
- Fix CVE-2021-20233 (bsc#1182263)
  * 0020-commands-menuentry-Fix-quoting-in-setparams_prefix.patch
- Fix CVE-2020-25647 (bsc#1177883)
  * 0018-usb-Avoid-possible-out-of-bound-accesses-caused-by-m.patch
- Fix CVE-2020-25632 (bsc#1176711)
  * 0017-dl-Only-allow-unloading-modules-that-are-not-depende.patch
- Fix CVE-2020-27779, CVE-2020-14372 (bsc#1179265) (bsc#1175970)
  * 0001-mkimage-Clarify-file-alignment-in-efi-case.patch
  * 0002-efi-Make-shim_lock-GUID-and-protocol-type-public.patch
  * 0003-efi-Return-grub_efi_status_t-from-grub_efi_get_varia.patch
  * 0004-efi-Add-a-function-to-read-EFI-variables-with-attrib.patch
  * 0005-efi-Add-secure-boot-detection.patch
  * 0006-kern-Add-lockdown-support.patch
  * 0007-kern-lockdown-Set-a-variable-if-the-GRUB-is-locked-d.patch
  * 0008-efi-Lockdown-the-GRUB-when-the-UEFI-Secure-Boot-is-e.patch
  * 0009-efi-Use-grub_is_lockdown-instead-of-hardcoding-a-dis.patch
  * 0010-acpi-Don-t-register-the-acpi-command-when-locked-dow.patch
  * 0011-mmap-Don-t-register-cutmem-and-badram-commands-when-.patch
  * 0012-commands-Restrict-commands-that-can-load-BIOS-or-DT-.patch
  * 0013-commands-setpci-Restrict-setpci-command-when-locked-.patch
  * 0014-commands-hdparm-Restrict-hdparm-command-when-locked-.patch
  * 0015-gdb-Restrict-GDB-access-when-locked-down.patch
  * 0016-loader-xnu-Don-t-allow-loading-extension-and-package.patch
  * 0037-squash-Add-secureboot-support-on-efi-chainloader.patch
  * 0038-squash-grub2-efi-chainload-harder.patch
  * 0039-squash-Don-t-allow-insmod-when-secure-boot-is-enable.patch
  * 0040-squash-linuxefi-fail-kernel-validation-without-shim-.patch
  * 0041-squash-kern-Add-lockdown-support.patch
- Add SBAT metadata section to grub.efi
  * grub2.spec
hawk2
- Update to version 2.6.0:
  * Use fullpath of binary (bsc#1181436)
  * remove %x (bsc#1182163)
java-1_8_0-ibm
- Update to Java 8.0 Service Refresh 6 Fix Pack 25
  [bsc#1182186, bsc#1181239, CVE-2020-27221, CVE-2020-14803]
  * CVE-2020-27221: Potential for a stack-based buffer overflow
    when the virtual machine or JNI natives are converting from
    UTF-8 characters to platform encoding.
  * CVE-2020-14803: Unauthenticated attacker with network access
    via multiple protocols allows to compromise Java SE.
kernel-default
- Fix a bug in rawmidi UAF fix patch (bsc#1179601, CVE-2020-27786)
  Refresh patches.suse/ALSA-rawmidi-Fix-racy-buffer-resize-under-concurrent.patch
- commit ce80dfa
- nbd: freeze the queue while we're adding connections
  (bsc#1181504 CVE-2021-3348).
- nbd: Fix memory leak in nbd_add_socket (bsc#1181504).
- commit 447797a
- kABI: Fix kABI for extended APIC-ID support (bsc#1181001,
  jsc#ECO-3191).
- x86/kvm: Add KVM_FEATURE_MSI_EXT_DEST_ID (bsc#1181001,
  jsc#ECO-3191).
- x86/apic: Support 15 bits of APIC ID in IOAPIC/MSI where
  available (bsc#1181001, jsc#ECO-3191).
- x86/ioapic: Handle Extended Destination ID field in RTE
  (bsc#1181001, jsc#ECO-3191).
- x86/msi: Only use high bits of MSI address for DMAR unit
  (bsc#1181001, jsc#ECO-3191).
- x86/apic: Fix x2apic enablement without interrupt remapping
  (bsc#1181001, jsc#ECO-3191).
- x86/kvm: Reserve KVM_FEATURE_MSI_EXT_DEST_ID (bsc#1181001,
  jsc#ECO-3191).
- iommu/vt-d: Don't dereference iommu_device if IOMMU_API is
  not built (bsc#1181001, jsc#ECO-3191).
- iommu/vt-d: Gracefully handle DMAR units with no supported address widths (bsc#1181001, jsc#ECO-3191).
- commit ae9e787
- Move futex fixes into the sorted section (bsc#1181349 CVE-2021-3347)
- commit c34c9df
- Update patch References tags for futex fixes (bsc#1181349 CVE-2021-3347)
- commit afd051d
- Refresh patches.suse/4.4.136-002-powerpc-64s-Clear-PCR-on-boot.patch
  Also clear PCR on POWER9 and in dt_cpu_ftrs.
- commit 56daabf
- futex: Fix incorrect should_fail_futex() handling (bsc#1181349).
- commit 0ba69a9
- futex: Handle faults correctly for PI futexes (bsc#1181349
  bsc#1149032).
- futex: Simplify fixup_pi_state_owner() (bsc#1181349
  bsc#1149032).
- futex: Use pi_state_update_owner() in put_pi_state()
  (bsc#1181349 bsc#1149032).
- rtmutex: Remove unused argument from rt_mutex_proxy_unlock()
  (bsc#1181349 bsc#1149032).
- futex: Provide and use pi_state_update_owner() (bsc#1181349
  bsc#1149032).
- futex: Replace pointless printk in fixup_owner() (bsc#1181349
  bsc#1149032).
- futex: Ensure the correct return value from futex_lock_pi()
  (bsc#1181349 bsc#1149032).
- futex: Don't enable IRQs unconditionally in put_pi_state()
  (bsc#1149032).
- locking/futex: Allow low-level atomic operations to return
  - EAGAIN (bsc#1149032).
- commit 058c695
- netfilter: ctnetlink: add a range check for l3/l4 protonum
  (CVE-2020-25211 bsc#1176395).
- commit 92230c0
- Update
  patches.suse/0001-xen-events-add-a-proper-barrier-to-2-level-uevent-un.patch
  (CVE-2020-27673 XSA-332 bsc#1177411).
- Update
  patches.suse/0002-xen-events-fix-race-in-evtchn_fifo_unmask.patch
  (CVE-2020-27673 XSA-332 bsc#1177411).
- Update
  patches.suse/0003-xen-events-add-a-new-late-EOI-evtchn-framework.patch
  (CVE-2020-27673 XSA-332 bsc#1177411).
- Update
  patches.suse/0004-xen-blkback-use-lateeoi-irq-binding.patch
  (CVE-2020-27673 XSA-332 bsc#1177411).
- Update
  patches.suse/0005-xen-netback-use-lateeoi-irq-binding.patch
  (CVE-2020-27673 XSA-332 bsc#1177411).
- Update
  patches.suse/0006-xen-scsiback-use-lateeoi-irq-binding.patch
  (CVE-2020-27673 XSA-332 bsc#1177411).
- Update
  patches.suse/0008-xen-pciback-use-lateeoi-irq-binding.patch
  (CVE-2020-27673 XSA-332 bsc#1177411).
- Update
  patches.suse/0009-xen-events-switch-user-event-channels-to-lateeoi-mod.patch
  (CVE-2020-27673 XSA-332 bsc#1177411).
- Update
  patches.suse/0010-xen-events-use-a-common-cpu-hotplug-hook-for-event-c.patch
  (CVE-2020-27673 XSA-332 bsc#1177411).
- Update
  patches.suse/0011-xen-events-defer-eoi-in-case-of-excessive-number-of-.patch
  (CVE-2020-27673 XSA-332 bsc#1177411).
- Update
  patches.suse/0012-xen-events-block-rogue-events-for-some-time.patch
  (CVE-2020-27673 XSA-332 bsc#1177411).
- Update
  patches.suse/XEN-uses-irqdesc-irq_data_common-handler_data-to-sto.patch
  (CVE-2020-27673 XSA-332 bsc#1065600).
- Update
  patches.suse/xen-events-avoid-removing-an-event-channel-while-han.patch
  (CVE-2020-27675 XSA-331 bsc#1177410).
- Update
  patches.suse/xen-events-don-t-use-chip_data-for-legacy-IRQs.patch
  (CVE-2020-27673 XSA-332 bsc#1065600).
- Added CVE numbers for above patches.
- commit 77fc141
- scsi: iscsi: Fix a potential deadlock in the timeout handler
  (bsc#1178272).
- commit 05ab404
- Refresh
  patches.suse/IB-hfi1-Ensure-correct-mm-is-used-at-all-times.patch.
  Fixed backport (removed one line too much, d'oh).
- commit 6dc4356
- IB/hfi1: Ensure correct mm is used at all times (bsc#1179878
  CVE-2020-27835).
- commit 39a2b87
- xen: support having only one event pending per watch
  (bsc#1179508 XSA-349 CVE-2020-29568).
- commit d884e81
- xen: revert Allow watches discard events before queueing
  (bsc#1179508 XSA-349 CVE-2020-29568).
- commit 2a4a8da
- xen: revert Add 'will_handle' callback support in
  xenbus_watch_path() (bsc#1179508 XSA-349 CVE-2020-29568).
- commit 6baf8b8
- xen: revert Support will_handle watch callback (bsc#1179508
  XSA-349 CVE-2020-29568).
- commit 3918801
- xen: revert Count pending messages for each watch (bsc#1179508
  XSA-349 CVE-2020-29568).
- commit 9d30f4d
- xen: revert Disallow pending watch messages (bsc#1179508
  XSA-349 CVE-2020-29568).
- commit d039881
- xen-blkback: set ring->xenblkd to NULL after kthread_stop()
  (bsc#1179509 XSA-350 CVE-2020-29569).
- commit 1aab73c
- xenbus/xenbus_backend: Disallow pending watch messages
  (bsc#1179508 XSA-349 CVE-2020-29568).
- commit 0cdf358
- xen/xenbus: Count pending messages for each watch (bsc#1179508
  XSA-349 CVE-2020-29568).
- commit a14bb56
- xen/xenbus/xen_bus_type: Support will_handle watch callback
  (bsc#1179508 XSA-349 CVE-2020-29568).
- commit 33a4600
- xen/xenbus: Add 'will_handle' callback support in
  xenbus_watch_path() (bsc#1179508 XSA-349 CVE-2020-29568).
- commit 5ef1497
- xen/xenbus: Allow watches discard events before queueing
  (bsc#1179508 XSA-349 CVE-2020-29568).
- commit 6f7a44e
- Drop the previous drm/nouveau fix that turned out to be superfluous (CVE-2020-25639 bsc#1176846)
- commit 001c6e5
- Move upstreamed vgacon patch into sorted section
- commit 73d2a02
- drm: bail out of nouveau_channel_new if channel init fails
  (CVE-2020-25639 bsc#1176846).
- commit 55debf7
- target: fix XCOPY NAA identifier lookup (CVE-2020-28374,
  bsc#1178372).
- commit 2765e76
- mwifiex: Fix possible buffer overflows in
  mwifiex_cmd_802_11_ad_hoc_start (CVE-2020-36158 bsc#1180559).
- commit a833298
- s390/dasd: fix hanging device offline processing (bsc#1144912).
- commit deefa7f
- Move upstreamed bt fixes into sorted section
- commit adeed42
- Refresh patches.suse/powerpc-rtas-fix-typo-of-ibm-open-errinjct-in-rtas-f.patch
  Refresh to upstream version.
- commit 76e9945
- blacklist.conf: added CVE affecting only SP1+
- commit a6af6c8
- blacklist.conf: added CVE-2020-10781 to blacklist, as only SP!+ affected
  false positive in the checking script
- commit e4b1fa4
- Update
  patches.suse/media-tw5864-Fix-possible-NULL-pointer-dereference-i.patch
  (bsc#1051510 CVE-2019-20806).
  Added CVE number, which was missing
- commit ac232ce
- tracing: Fix race in trace_open and buffer resize call
  (CVE-2020-27825 bsc#1179960).
- commit 8b99744
- ring-buffer: speed up buffer resets by avoiding synchronize_rcu
  for each CPU (CVE-2020-27825 bsc#1179960).
- commit 0d53945
- ring-buffer: Make resize disable per cpu buffer instead of
  total buffer (CVE-2020-27825 bsc#1179960).
- commit 39cee5c
- fix regression in "/epoll: Keep a reference on files added to the check list"/  (bsc#1180031, git-fixes).
- commit d9c444f
- do_epoll_ctl(): clean the failure exits up a bit
  (bsc#1180031,CVE-2020-0466).
- epoll: Keep a reference on files added to the check list
  (bsc#1180031).
- commit e792e5d
- cfg80211: add missing policy for NL80211_ATTR_STATUS_CODE
  (CVE-2020-27068 bsc#1180086).
- commit 886ad61
- HID: Fix slab-out-of-bounds read in hid_field_extract
  (bsc#1180052).
- commit 5b124d9
- HID: core: Sanitize event code and type when mapping input
  (CVE-2020-0465 bsc#1180029).
- commit ebf9f0e
- audit: fix error handling in audit_data_to_entry()
  (CVE-2020-0444 bsc#1180027).
- commit f2e7691
- tty: Fix ->session locking (bsc#1179745 CVE-2020-29660).
- tty: Fix ->pgrp locking in tiocspgrp() (bsc#1179745
  CVE-2020-29661).
- commit a59c61c
- x86/traps: Simplify pagefault tracing logic (bsc#1179895).
- Refresh
  patches.suse/10-x86-xen-get-rid-of-paravirt-op-adjust_exception_frame.patch.
- commit 1fd13a5
- x86/tracing: Introduce a static key for exception tracing
  (bsc#1179895).
- commit bf5beaa
- powerpc/rtas: fix typo of ibm,open-errinjct in rtas filter
  (CVE-2020-27777 bsc#1179107 bsc#1179887 ltc#190092).
- commit 153fdda
- net/x25: prevent a couple of overflows (bsc#1178590).
- commit 3f48ad3
- media: xirlink_cit: add missing descriptor sanity checks
  (bsc#1168952 CVE-2020-11668).
- commit e978e80
- Update
  patches.suse/sched-fair-Don-t-free-p-numa_faults-with-concurrent-.patch
  (bsc#1144920, bsc#1179663, CVE-2019-20934).
- commit fad2215
- kABI workaround for snd_rawmidi buffer_ref field addition
  (CVE-2020-27786 bsc#1179601).
- commit 0e8d69d
- ALSA: rawmidi: Fix racy buffer resize under concurrent accesses
  (CVE-2020-27786 bsc#1179601).
- commit 3c00a93
- Delete patches.suse/fs-select.c-batch-user-writes-in-do_sys_poll.patch.
  (CVE-2020-4788 bsc#1179419).
  Patch causes DLM regression. Drop for now.
- commit a422074
- Add missing RESTORE_CTR (CVE-2020-4788 bsc#1177666).
- Refresh patches.suse/powerpc-64s-Convert-slb_miss_common-to-use-RFI_TO_US.patch.
- Refresh patches.suse/powerpc-64s-Set-assembler-machine-type-to-POWER4.patch.
  patches.suse/powerpc-64s-SLB-miss-already-has-CTR-saved-for-reloc.patch
  adds RESTORE_CTR to the SLB miss handler so
  patches.suse/powerpc-64s-Convert-slb_miss_common-to-use-RFI_TO_US.patch
  must now copy it in the other fork of the exit code as well.
- commit a382dc2
- romfs: fix uninitialized memory leak in romfs_dev_read()
  (CVE-2020-29371 bsc#1179429).
- commit c4cfc72
- block: Fix use-after-free in blkdev_get() (bsc#1173834
  bsc#1179141 CVE-2020-15436).
- commit 0475fee
- blk-mq: make sure that line break can be printed (bsc#1163840
  bsc#1179071).
- commit 8510786
- kABI: powerpc: Add back __clear_user (CVE-2020-4788
  bsc#1177666).
- commit 9ab0140
- kABI: powerpc: avoid including pgtable.h in kup.h (CVE-2020-4788
  bsc#1177666).
- commit 81cd22b
- make 'user_access_begin()' do 'access_ok()' (CVE-2020-4788 bsc#1177666).
- Delete patches.suse/drm-i915-CVE-2018-20669-access-check.patch.
- commit ffc3685
- serial: 8250: fix null-ptr-deref in serial8250_start_tx()
  (CVE-2020-15437 bsc#1179140).
- commit 76da61e
- powerpc/64s: SLB miss already has CTR saved for relocatable kernel
  (CVE-2020-4788 bsc#1177666).
- Refresh patches.suse/powerpc-64s-Set-assembler-machine-type-to-POWER4.patch.
- commit 741f364
- powerpc/64: Add CONFIG_PPC_BARRIER_NOSPEC (CVE-2020-4788 bsc#1177666).
- Refresh patches.suse/powerpc-64-Call-setup_barrier_nospec-from-setup_arch.patch
- Refresh patches.suse/powerpc-pmem-Update-ppc64-to-use-the-new-barrier-ins.patch.
- Update config files.
- commit b0085a7
- powerpc/rtas: Restrict RTAS requests from userspace
  (CVE-2020-27777 bsc#1179107).
- Update config files.
- commit 3ed445b
- vt: Disable KD_FONT_OP_COPY (CVE-2020-28974 bsc#1178589).
- commit d9af9e6
- powerpc/64s: flush L1D after user accesses (CVE-2020-4788
  bsc#1177666).
- Refresh patches.kabi/kABI-powerpc-avoid-including-pgtable.h-in-kup.h.patch.
- powerpc/uaccess: Evaluate macro arguments once, before user
  access is allowed (CVE-2020-4788 bsc#1177666).
- powerpc: Fix __clear_user() with KUAP enabled (CVE-2020-4788
  bsc#1177666).
- powerpc: Implement user_access_begin and friends (CVE-2020-4788
  bsc#1177666).
- powerpc: Add a framework for user access tracking (CVE-2020-4788
  bsc#1177666).
- powerpc/64s: flush L1D on kernel entry (CVE-2020-4788
  bsc#1177666).
- powerpc/64s: move some exception handlers out of line
  (CVE-2020-4788 bsc#1177666).
- powerpc/64s: Define MASKABLE_RELON_EXCEPTION_PSERIES_OOL
  (CVE-2020-4788 bsc#1177666).
- powerpc/64s: Rename slb_miss_realmode() to slb_miss_common()
  (CVE-2020-4788 bsc#1177666).
- powerpc/64s: Use BRANCH_TO_COMMON() for slb_miss_realmode
  (CVE-2020-4788 bsc#1177666).
- commit f7d6c42
- fs/select.c: batch user writes in do_sys_poll (CVE-2020-4788
  bsc#1177666).
- commit 011abbd
- Fonts: Replace discarded const qualifier (CVE-2020-28915
  bsc#1178886).
- fbcon: Fix global-out-of-bounds read in fbcon_get_font()
  (CVE-2020-28915 bsc#1178886).
- Fonts: Support FONT_EXTRA_WORDS macros for built-in fonts
  (CVE-2020-28915 bsc#1178886).
- fbdev, newport_con: Move FONT_EXTRA_WORDS macros into
  linux/font.h (CVE-2020-28915 bsc#1178886).
- commit 8016c83
- Input: sunkbd - avoid use-after-free in teardown paths
  (CVE-2020-25669 bsc#1178182).
- commit e6736dd
- Refresh
  patches.suse/0002-x86-speculation-Enable-Spectre-v1-swapgs-mitigations.patch.
- commit 896b402
- blk-mq: avoid sysfs buffer overflow with too many CPU cores
  (bsc#1163840 bsc#1179071).
- commit ecf4289
lifecycle-data-sle-module-live-patching
- Added data for 4_12_14-150_66, 4_12_14-197_78, 5_3_18-24_46, 5_3_18-24_49. (bsc#1020320)
openssh
- Update openssh-7.6p1-audit.patch (bsc#1180501). This fixes
  occasional crashes on connection termination caused by accessing
  freed memory.
python3
- Resync with python36 Factory package.
- Make this %primary_interpreter
- Add CVE-2021-3177-buf_ovrfl_PyCArg_repr.patch fixing
  bsc#1181126 (CVE-2021-3177) buffer overflow in PyCArg_repr in
  _ctypes/callproc.c, which may lead to remote code execution.
- Provide the newest setuptools wheel (bsc#1176262,
  CVE-2019-20916) in their correct form (bsc#1180686).
- Change setuptools and pip version numbers according to new
  wheels (bsc#1179756).
screen
- Fix double width combining char handling that could lead
  to a segfault [bnc#1182092] [CVE-2021-26937]
  new patch: combchar.diff
tcl
- bsc#1181840: Same fix as for tclConfig.sh is needed for tcl.pc.